Closed Bug 1649451 Opened 4 years ago Closed 2 years ago

Assertion failure: mRawPtr != nullptr (You can't dereference a NULL RefPtr with operator->().), at /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:315

Categories

(Core :: WebVR, defect)

Product:
Core
Component:
WebVR
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1619923
Tracking Flags:
Tracking Status
firefox80 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:confirmed])

Attachments

(1 file)

testcase.html
(deleted), text/html
Details
Attached file testcase.html (deleted) —

Testcase found while fuzzing mozilla-central rev adc328596e28 (built with --enable-debug).

Assertion failure: mRawPtr != nullptr (You can't dereference a NULL RefPtr with operator->().), at /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:315

rax = 0x00007fbae85ffb27   rdx = 0x0000000000000000
rcx = 0x0000557f0249fa58   rbx = 0x0000557f03edac50
rsi = 0x00007fbafaaee8b0   rdi = 0x00007fbafaaed680
rbp = 0x00007ffdfe7a6120   rsp = 0x00007ffdfe7a6120
r8 = 0x00007fbafaaee8b0    r9 = 0x00007fbafbc54780
r10 = 0x0000000000000002   r11 = 0x0000000000000000
r12 = 0x00007ffdfe7a61d8   r13 = 0xfff9800000000000
r14 = 0x00007ffdfe7a61e0   r15 = 0x00007ffdfe7a6190
rip = 0x00007fbae3e6111f
OS|Linux|0.0.0 Linux 5.3.0-51-generic #44~18.04.2-Ubuntu SMP Thu Apr 23 14:27:18 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|RefPtr<mozilla::dom::XRWebGLLayer>::operator->() const|hg:hg.mozilla.org/mozilla-central:mfbt/RefPtr.h:adc328596e28636b03fabe701ec6a4d07054e5af|314|0x29
0|1|libxul.so|mozilla::dom::XRSession::UpdateRenderState(mozilla::dom::XRRenderStateInit const&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/vr/XRSession.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|188|0x10
0|2|libxul.so|mozilla::dom::XRSession_Binding::updateRenderState(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&)|s3:gecko-generated-sources:3c1f969b4eeb890bc67798b816a32f8fa70273e70cca6cc71f90a0baffc35934db52f316e69762d0fd6efec44f49cc2ecb9b1fb12e02258777efe7a82bb28f06/dom/bindings/WebXRBinding.cpp:|5468|0xb
0|3|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|3219|0x21
0|4|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|484|0x12
0|5|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|576|0xe
0|6|libxul.so|InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|639|0x10
0|7|libxul.so|Interpret(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|643|0xa
0|8|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|456|0xb
0|9|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|611|0x8
0|10|libxul.so|InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|639|0x10
0|11|libxul.so|<name omitted>|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|656|0xb
0|12|libxul.so|js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/SelfHosting.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|1689|0x1a
0|13|libxul.so|AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/AsyncFunction.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|128|0x11
0|14|libxul.so|PromiseReactionJob(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:js/src/builtin/Promise.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|1852|0x42
0|15|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|484|0x12
0|16|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|576|0xe
0|17|libxul.so|InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|639|0x10
0|18|libxul.so|<name omitted>|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|656|0xb
0|19|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|2846|0x23
0|20|libxul.so|mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&)|s3:gecko-generated-sources:30de989a0be01a566d978da9934fc47a7a1d7e19d87d32dc4bcdab5e85996b3194b6f3bfead795c2ed5279934ac82cd340f2e1afd77a1304954d050c6fc1f374/dom/bindings/PromiseBinding.cpp:|28|0xf
0|21|libxul.so|mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*)|s3:gecko-generated-sources:09cbe7f9e1409cd4cca288356b597724157d7f93ab5efbaede65be8bf535e6469c7590bf6c7211a89f760ea37ac901f3d1d5fcbeb89c9dfc80643c98c831255f/dist/include/mozilla/dom/PromiseBinding.h:|91|0x1e
0|22|libxul.so|mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&)|hg:hg.mozilla.org/mozilla-central:xpcom/base/CycleCollectedJSContext.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|209|0x41
0|23|libxul.so|mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool)|hg:hg.mozilla.org/mozilla-central:xpcom/base/CycleCollectedJSContext.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|644|0x14
0|24|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|1090|0x5
0|25|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|1279|0x15
0|26|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|355|0xb
0|27|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|557|0x19
0|28|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|1054|0x5
0|29|libxul.so|nsDocumentViewer::LoadComplete(nsresult)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|1148|0x1c
0|30|libxul.so|nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|6034|0x17
0|31|libxul.so|nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|5503|0xb
0|32|libxul.so|non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|0|0x10
0|33|libxul.so|nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|1331|0x2b
0|34|libxul.so|nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|937|0x28
0|35|libxul.so|nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|757|0xe
0|36|libxul.so|nsDocLoader::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|640|0x12
0|37|libxul.so|non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|0|0xd
0|38|libxul.so|mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|615|0x14
0|39|libxul.so|mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|522|0xe
0|40|libxul.so|mozilla::dom::Document::DoUnblockOnload()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|10744|0x1c
0|41|libxul.so|mozilla::dom::Document::UnblockOnload(bool)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|10676|0x8
0|42|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|7310|0xd
0|43|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:adc328596e28636b03fabe701ec6a4d07054e5af|1238|0x17
0|44|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|146|0x11
0|45|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|1234|0xe
0|46|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|504|0xc
0|47|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|87|0x7
0|48|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:adc328596e28636b03fabe701ec6a4d07054e5af|316|0x17
0|49|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:adc328596e28636b03fabe701ec6a4d07054e5af|291|0x8
0|50|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|137|0xd
0|51|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|913|0xe
0|52|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|237|0x5
0|53|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:adc328596e28636b03fabe701ec6a4d07054e5af|316|0x17
0|54|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:adc328596e28636b03fabe701ec6a4d07054e5af|291|0x8
0|55|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|744|0x5
0|56|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|56|0x11
0|57|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:adc328596e28636b03fabe701ec6a4d07054e5af|303|0x20
0|58|libc.so.6||||0x21b97
0|59|firefox-bin|<name omitted>|hg:hg.mozilla.org/mozilla-central:mfbt/UniquePtr.h:adc328596e28636b03fabe701ec6a4d07054e5af|253|0x17
Flags: in-testsuite?
Keywords: bugmon
Whiteboard: [bugmon:confirm] → [bugmon:confirmed]
Bugmon Analysis: Unable to reproduce bug using the following builds: > mozilla-central 20200630144559-933c9f34edfa > mozilla-central 20200630020930-79d69f36a220 Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Severity: normal → S3
Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1619923
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: