Closed Bug 1699223 Opened 4 years ago Closed 4 years ago

Hit MOZ_CRASH(mozilla::LinkedList<nsSHistory>::~LinkedList() [T = nsSHistory] has a buggy user: it should have removed all this list's elements before the list's destruction) at /builds/worker/workspace/obj-build/dist/include/mozilla/LinkedList.h:44

Categories

(Core :: DOM: Navigation, defect, P3)

Tracking

RESOLVED DUPLICATE of bug 1661862
Tracking Status
firefox88 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

Found while fuzzing mozilla-central rev 9ad67cd4d216 (built with --enable-debug).

A pernosco session for this issue can be found at the following:
https://pernos.co/debug/2SpN8-NhX5s3rstQoevOaA/index.html

Hit MOZ_CRASH(mozilla::LinkedList<js::ParseTask>::~LinkedList() [T = js::ParseTask] has a buggy user: it should have removed all this list's elements before the list's destruction) at /builds/worker/workspace/obj-build/dist/include/mozilla/LinkedList.h:44

    #0 0x7f60d638a696 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:254:3
    #1 0x7f60d638a696 in mozilla::LinkedList<js::ParseTask>::~LinkedList() /builds/worker/workspace/obj-build/dist/include/mozilla/LinkedList.h:440:7
    #2 0x7f60d6389db1 in js::GlobalHelperThreadState::~GlobalHelperThreadState() /builds/worker/checkouts/gecko/js/src/vm/HelperThreadState.h:71:7
    #3 0x7f60d636bb7f in js_delete<js::GlobalHelperThreadState> /builds/worker/workspace/obj-build/dist/include/js/Utility.h:573:9
    #4 0x7f60d636bb7f in DestroyHelperThreadsState /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:98:3
    #5 0x7f60d636bb7f in JS_ShutDown() /builds/worker/checkouts/gecko/js/src/vm/Initialization.cpp:236:3
    #6 0x7f60d0077953 in mozilla::ShutdownXPCOM(nsIServiceManager*) /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:729:5
    #7 0x7f60d5fad26c in XRE_TermEmbedding() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:212:3
    #8 0x7f60d096b2de in mozilla::ipc::ScopedXREEmbed::Stop() /builds/worker/checkouts/gecko/ipc/glue/ScopedXREEmbed.cpp:90:5
    #9 0x7f60d5fad962 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:737:16
    #10 0x55f1d3dd7fb6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #11 0x55f1d3dd7fb6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309:18
    #12 0x7f60e51ad0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #13 0x55f1d3db5d5c in _start (/home/worker/builds/m-c-20210313214649-fuzzing-debug/firefox-bin+0x14d5c)

Component: IPC → JavaScript Engine

The linked Pernosco session has "Hit MOZ_CRASH(mozilla::LinkedList<nsSHistory>::~LinkedList() [T = nsSHistory]" so I'm not sure what the discrepancy is.

Because the Pernosco trace hits MOZ_CRASH(mozilla::LinkedList<nsSHistory>::~LinkedList() [T = nsSHistory], it's best evaluated there for now. I'm re-summarizing the bug because that's the information we have now.

Component: JavaScript Engine → DOM: Navigation
Summary: Hit MOZ_CRASH(mozilla::LinkedList<js::ParseTask>::~LinkedList() [T = js::ParseTask] has a buggy user: it should have removed all this list's elements before the list's destruction) at /builds/worker/workspace/obj-build/dist/include/mozilla/LinkedList.h:44 → Hit MOZ_CRASH(mozilla::LinkedList<nsSHistory>::~LinkedList() [T = nsSHistory] has a buggy user: it should have removed all this list's elements before the list's destruction) at /builds/worker/workspace/obj-build/dist/include/mozilla/LinkedList.h:44

Resolving as likely a duplicate of nsSHistory bug 1661862. I will share this bug's Pernosco session for this issue in that bug.

Severity: -- → S4
Status: NEW → RESOLVED
Closed: 4 years ago
Priority: -- → P3
Resolution: --- → DUPLICATE