Open Bug 1704908 Opened 4 years ago Updated 2 years ago

Assertion failure: mAllocatedPointers.IsEmpty() (Some pres arena objects were not freed), at src/layout/base/PresShell.cpp:909

Categories

(Core :: Layout, defect)

Tracking Status
firefox-esr91 --- affected
firefox89 --- wontfix
firefox96 --- wontfix
firefox97 --- affected
firefox98 --- affected

People

(Reporter: tsmith, Unassigned, NeedInfo)

References

(Blocks 1 open bug)

Details

(Keywords: assertion)

Found while fuzzing m-c 20210331-142544e13e29 (--enable-debug --enable-fuzzing)

A reliable test case is not available. A Pernosco session will be added shortly.

Assertion failure: mAllocatedPointers.IsEmpty() (Some pres arena objects were not freed), at src/layout/base/PresShell.cpp:909

#0 0x7f8871f56fc2 in mozilla::PresShell::~PresShell() src/layout/base/PresShell.cpp:908:3
#1 0x7f8871f567d0 in mozilla::PresShell::Release() src/layout/base/PresShell.cpp:889:1
#2 0x7f887219bdbc in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
#3 0x7f887219bdbc in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
#4 0x7f887219bdbc in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
#5 0x7f887219bdbc in ~nsHideViewer src/layout/generic/nsSubDocumentFrame.cpp:843:7
#6 0x7f887219bdbc in nsHideViewer::~nsHideViewer() src/layout/generic/nsSubDocumentFrame.cpp:843:7
#7 0x7f886d5635c7 in mozilla::Runnable::Release() src/xpcom/threads/nsThreadUtils.cpp:68:1
#8 0x7f886f05462f in assign_assuming_AddRef /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:427:7
#9 0x7f886f05462f in operator= /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:696:5
#10 0x7f886f05462f in nsContentUtils::RemoveScriptBlocker() src/dom/base/nsContentUtils.cpp:5572:14
#11 0x7f8871fd3299 in ~nsAutoScriptBlocker /builds/worker/workspace/obj-build/dist/include/nsContentUtils.h:3476:28
#12 0x7f8871fd3299 in nsDocumentViewer::Destroy() src/layout/base/nsDocumentViewer.cpp:1789:1
#13 0x7f8872f826b2 in nsDocShell::Destroy() src/docshell/base/nsDocShell.cpp:4653:21
#14 0x7f8873296c30 in nsWebBrowser::SetDocShell(nsDocShell*) src/toolkit/components/browser/nsWebBrowser.cpp:1128:18
#15 0x7f8873296175 in nsWebBrowser::InternalDestroy() src/toolkit/components/browser/nsWebBrowser.cpp:172:3
#16 0x7f8873299fec in Destroy src/toolkit/components/browser/nsWebBrowser.cpp:852:3
#17 0x7f8873299fec in non-virtual thunk to nsWebBrowser::Destroy() src/toolkit/components/browser/nsWebBrowser.cpp
#18 0x7f887175b9f9 in mozilla::dom::BrowserChild::DestroyWindow() src/dom/ipc/BrowserChild.cpp:900:31
#19 0x7f887176a2d7 in mozilla::dom::BrowserChild::RecvDestroy() src/dom/ipc/BrowserChild.cpp:2471:3
#20 0x7f886e5d054e in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:6576:56
#21 0x7f886e03013b in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8579:32
#22 0x7f886dea4d0e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2154:25
#23 0x7f886dea11ed in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2078:9
#24 0x7f886dea2696 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1926:3
#25 0x7f886dea33db in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1957:13
#26 0x7f886d55a0ef in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:470:16
#27 0x7f886d558670 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:754:26
#28 0x7f886d5575d4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:609:15
#29 0x7f886d557787 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:393:36
#30 0x7f886d55dc86 in operator() src/xpcom/threads/TaskController.cpp:133:37
#31 0x7f886d55dc86 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#32 0x7f886d56f12d in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1155:16
#33 0x7f886d5756ea in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
#34 0x7f886deaa646 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
#35 0x7f886de14cd3 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#36 0x7f886de14bed in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#37 0x7f886de14bed in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#38 0x7f8871c764d8 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#39 0x7f88734e90c3 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:902:20
#40 0x7f886deab52c in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:237:9
#41 0x7f886de14cd3 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#42 0x7f886de14bed in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#43 0x7f886de14bed in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#44 0x7f88734e8c93 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:734:34
#45 0x556e015c3fb6 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#46 0x556e015c3fb6 in main src/browser/app/nsBrowserApp.cpp:309:18
#47 0x7f888258e0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#48 0x556e015a1d5c in _start (/home/worker/builds/m-c-20210331092207-fuzzing-debug/firefox-bin+0x14d5c)

A Pernosco session is available here: https://pernos.co/debug/6jNxZxPUgY8TkV09PVYRdQ/index.html

This looks pretty bad but the pernosco session seems down... Tyson, do you have another by any chance? Sorry for the trouble :(

Flags: needinfo?(twsmith)

(In reply to Emilio Cobos Álvarez (:emilio) from comment #2)
> This looks pretty bad but the pernosco session seems down...

Should be good to go now.

Flags: needinfo?(twsmith)
Flags: needinfo?(emilio)

I played with the fuzzer test case a bit and managed to get it to start reducing but then began hitting bug 1668039. I'm not sure if it is related or not but it is now blocking further reduction.

An updated Pernosco session is available here: https://pernos.co/debug/Zt__juxvleQOdf_YKqk1jg/index.html (since the other one is pretty old).