Closed Bug 1649209 Opened 4 years ago Closed 2 years ago

paintWorklet Assertion failure: isEmpty() (failing this assertion means this LinkedList's creator is buggy: it should have removed all this list's elements before the list's destruction), at .../obj-build/dist/include/mozilla/LinkedList.h:440

Categories: Core :: CSS Parsing and Computation, defect
Status: RESOLVED WORKSFORME
Tracking Status: firefox80 --- affected
People: Reporter: jkratzer, Unassigned
References: Blocks 2 open bugs
Details: Keywords: assertion, testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments: 2 files

Attached file testcase.html (deleted) —

Testcase found while fuzzing mozilla-central rev 921a30cac33b (built with --enable-debug).

Assertion failure: isEmpty() (failing this assertion means this LinkedList's creator is buggy: it should have removed all this list's elements before the list's destruction), at /builds/worker/workspace/obj-build/dist/include/mozilla/LinkedList.h:440

OS|Linux|0.0.0 Linux 5.3.0-51-generic #44~18.04.2-Ubuntu SMP Thu Apr 23 14:27:18 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::LinkedList<nsThread>::~LinkedList()|hg:hg.mozilla.org/mozilla-central:mfbt/LinkedList.h:921a30cac33b6d0760f318b6f1a2e3ce1bd687cc|437|0x29
0|1|libc.so.6||||0x43041
0|2|firefox-bin||||0xcdac0
0|3|firefox-bin|_GLOBAL__sub_I_FuzzerTracePC.cpp|hg:hg.mozilla.org/mozilla-central:tools/fuzzing/libfuzzer/FuzzerTracePC.cpp:921a30cac33b6d0760f318b6f1a2e3ce1bd687cc|0|0xe2
0|4|||||0x7ffec542db10
0|5|libc.so.6||||0x4313a
0|6|firefox-bin||||0xcdac0
0|7|libc.so.6||||0x21b9e
0|8|firefox-bin|<name omitted>|hg:hg.mozilla.org/mozilla-central:mfbt/UniquePtr.h:921a30cac33b6d0760f318b6f1a2e3ce1bd687cc|253|0x17
Flags: in-testsuite?
Attached file prefs.js (deleted) —

It is a LinkedList<nsThread> and this is about worklets, so moving to a hopefully more appropriate component and CC'ing relevant people.

Component: CSS Parsing and Computation → XPCOM

That's an assert we hit on many kinds of leaks. Honestly, the assertion should be removed. But I'd guess that some worklet stuff isn't cleaning up threads properly. This could also be an issue with the teardown that the fuzz testing harness does.

The paintWorklet thread code is a stop-gap until the worklet script actually runs on the paint thread.
There are no plans to ship this code.

Severity: normal → S4
Component: XPCOM → DOM: Core & HTML
Summary: Assertion failure: isEmpty() (failing this assertion means this LinkedList's creator is buggy: it should have removed all this list's elements before the list's destruction), at /builds/worker/workspace/obj-build/dist/include/mozilla/LinkedList.h:440 → paintWorklet Assertion failure: isEmpty() (failing this assertion means this LinkedList's creator is buggy: it should have removed all this list's elements before the list's destruction), at .../obj-build/dist/include/mozilla/LinkedList.h:440
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200629154604-31fb4a2a6912. Failed to bisect testcase (Start build crashes!):
> Start: 9525f0cc6ca1bae213239c542b7a6642f05c1f8e (20190702093550)
> End: 921a30cac33b6d0760f318b6f1a2e3ce1bd687cc (20200629094229)
> BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

Paint worklets are some CSS thingie

Component: DOM: Core & HTML → CSS Parsing and Computation

The signature for this failure will probably change as a result of https://bugzilla.mozilla.org/show_bug.cgi?id=1661798.

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20201205093858-7ce95b6cde26) but not with tip (mozilla-central 20211203213802-92df9c655be5).
The bug appears to have been fixed in the following build range:

Start: d0526849e7c37d124bc9aa03d1164ad0f2e22f30 (20210614215343)
End: 4ea8353218d01cce050a3332a99593a9ca99092f (20210614215413)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=d0526849e7c37d124bc9aa03d1164ad0f2e22f30&tochange=4ea8353218d01cce050a3332a99593a9ca99092f
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

The test case no longer reproduces the issue for me. Can we close this?

Flags: needinfo?(jkratzer)
Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(jkratzer)
Resolution: --- → WORKSFORME