Open
Bug 1781795
Opened 2 years ago
Updated 1 year ago
Hit MOZ_CRASH(mozilla::LinkedList<mozilla::dom::ContentParent>::~LinkedList() [T = mozilla::dom::ContentParent] has a buggy user: it should have removed all this list's elements before the list's destruction) at /builds/worker/workspace/obj-build/dist/inc
Categories
(Core :: Disability Access APIs, defect)
Tracking
()
NEW
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: bugmon, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file)
|
(deleted),
text/plain
|
Details |
Testcase found while fuzzing mozilla-central rev b2f38ca819ab (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ GNOME_ACCESSIBILITY=1 python -m fuzzfetch --build b2f38ca819ab --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Hit MOZ_CRASH(mozilla::LinkedList<mozilla::dom::ContentParent>::~LinkedList() [T = mozilla::dom::ContentParent] has a buggy user: it should have removed all this list's elements before the list's destruction) at /builds/worker/workspace/obj-build/dist/inc
==3654270==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7f8a18417cc0 bp 0x7ffd151f49a0 sp 0x7ffd151f4990 T3654270)
==3654270==The signal is caused by a READ memory access.
==3654270==Hint: address points to the zero page.
#0 0x7f8a18417cc0 in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
#1 0x7f8a18417cc0 in operator mozilla::ComputedStyle * /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:299:12
#2 0x7f8a18417cc0 in Style /layout/generic/nsIFrame.h:801:41
#3 0x7f8a18417cc0 in nsLayoutUtils::AddBoxesForFrame(nsIFrame*, nsLayoutUtils::BoxCallback*) /layout/base/nsLayoutUtils.cpp:3580:29
#4 0x7f8a18417ce7 in nsLayoutUtils::AddBoxesForFrame(nsIFrame*, nsLayoutUtils::BoxCallback*) /layout/base/nsLayoutUtils.cpp:3583:5
#5 0x7f8a18418575 in GetAllInFlowBoxes /layout/base/nsLayoutUtils.cpp:3605:5
#6 0x7f8a18418575 in GetAllInFlowRects /layout/base/nsLayoutUtils.cpp:3762:3
#7 0x7f8a18418575 in nsLayoutUtils::GetAllInFlowRectsUnion(nsIFrame*, nsIFrame const*, unsigned int) /layout/base/nsLayoutUtils.cpp:3802:3
#8 0x7f8a19b187d6 in mozilla::a11y::LocalAccessible::RelativeBounds(nsIFrame**) const /accessible/generic/LocalAccessible.cpp:693:24
#9 0x7f8a19b31d44 in mozilla::a11y::HTMLSelectOptionAccessible::RelativeBounds(nsIFrame**) const /accessible/html/HTMLSelectAccessible.cpp:221:35
#10 0x7f8a19b188c7 in mozilla::a11y::LocalAccessible::BoundsInAppUnits() const /accessible/generic/LocalAccessible.cpp:716:27
#11 0x7f8a19b18b38 in mozilla::a11y::LocalAccessible::Bounds() const /accessible/generic/LocalAccessible.cpp:743:7
#12 0x7f8a19b31beb in mozilla::a11y::HTMLSelectOptionAccessible::NativeState() const /accessible/html/HTMLSelectAccessible.cpp:197:40
#13 0x7f8a19b1a537 in mozilla::a11y::LocalAccessible::State() /accessible/generic/LocalAccessible.cpp:1450:20
#14 0x7f8a19b31b78 in mozilla::a11y::HTMLSelectOptionAccessible::NativeState() const /accessible/html/HTMLSelectAccessible.cpp:166:34
#15 0x7f8a19b1a537 in mozilla::a11y::LocalAccessible::State() /accessible/generic/LocalAccessible.cpp:1450:20
#16 0x7f8a19aabb3f in mozilla::a11y::AccTextChangeEvent::AccTextChangeEvent(mozilla::a11y::LocalAccessible*, int, nsTSubstring<char16_t> const&, bool, mozilla::a11y::EIsFromUserInput) /accessible/base/AccEvent.cpp:99:20
#17 0x7f8a19ab8367 in mozilla::a11y::NotificationController::QueueMutationEvent(mozilla::a11y::AccTreeMutationEvent*) /accessible/base/NotificationController.cpp:299:38
#18 0x7f8a19ab874b in mozilla::a11y::TreeMutation::BeforeRemoval(mozilla::a11y::LocalAccessible*, bool) /accessible/base/EventTree.cpp:87:21
#19 0x7f8a19b039d0 in mozilla::a11y::DocAccessible::ContentRemoved(mozilla::a11y::LocalAccessible*) /accessible/generic/DocAccessible.cpp:2062:6
#20 0x7f8a19affac4 in mozilla::a11y::DocAccessible::ContentRemoved(nsIContent*) /accessible/generic/DocAccessible.cpp:2091:5
#21 0x7f8a19affb3a in mozilla::a11y::DocAccessible::ContentRemoved(nsIContent*) /accessible/generic/DocAccessible.cpp:2097:5
#22 0x7f8a14d4b75b in operator() /dom/base/MutationObservers.cpp:168:3
#23 0x7f8a14d4b75b in nsINode* ForEachAncestorObserver<mozilla::dom::MutationObservers::NotifyNativeAnonymousChildListChange(nsIContent*, bool)::$_13>(nsINode*, mozilla::dom::MutationObservers::NotifyNativeAnonymousChildListChange(nsIContent*, bool)::$_13&) /dom/base/MutationObservers.cpp:63:9
#24 0x7f8a14d21512 in Notify<IsRemoval::Yes, ShouldAssert::No, (lambda at /dom/base/MutationObservers.cpp:168:3), (lambda at /dom/base/MutationObservers.cpp:168:3)> /dom/base/MutationObservers.cpp:93:19
#25 0x7f8a14d21512 in mozilla::dom::MutationObservers::NotifyNativeAnonymousChildListChange(nsIContent*, bool) /dom/base/MutationObservers.cpp:172:5
#26 0x7f8a14c7ae5f in mozilla::dom::Element::UnbindFromTree(bool) /dom/base/Element.cpp:1917:7
#27 0x7f8a17c4bfb4 in nsXMLElement::UnbindFromTree(bool) /dom/xml/nsXMLElement.cpp:51:12
#28 0x7f8a1853f5f8 in nsIFrame::DestroyAnonymousContent(nsPresContext*, already_AddRefed<nsIContent>&&) /layout/generic/nsIFrame.cpp:274:14
#29 0x7f8a18404039 in nsIFrame::AutoPostDestroyData::~AutoPostDestroyData() /layout/generic/nsIFrame.h:655:9
#30 0x7f8a184da1bf in Destroy /layout/generic/nsIFrame.h:673:3
#31 0x7f8a184da1bf in nsFrameList::DestroyFrame(nsIFrame*) /layout/generic/nsFrameList.cpp:120:11
#32 0x7f8a185bdf10 in nsPlaceholderFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsPlaceholderFrame.cpp:188:11
#33 0x7f8a185a41ab in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsLineBox.cpp:387:14
#34 0x7f8a1847d82b in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsBlockFrame.cpp:480:3
#35 0x7f8a184d9f19 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsFrameList.cpp:50:12
#36 0x7f8a1847e009 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsContainerFrame.cpp:227:11
#37 0x7f8a184d9f19 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsFrameList.cpp:50:12
#38 0x7f8a1847e009 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsContainerFrame.cpp:227:11
#39 0x7f8a184d9f19 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsFrameList.cpp:50:12
#40 0x7f8a1847e009 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsContainerFrame.cpp:227:11
#41 0x7f8a184d9f19 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsFrameList.cpp:50:12
#42 0x7f8a1847e009 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsContainerFrame.cpp:227:11
#43 0x7f8a184d9f19 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsFrameList.cpp:50:12
#44 0x7f8a1847e009 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsContainerFrame.cpp:227:11
#45 0x7f8a1849c0c5 in nsBlockFrame::DoRemoveFrameInternal(nsIFrame*, unsigned int, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsBlockFrame.cpp:6390:20
#46 0x7f8a1849a5a4 in DoRemoveFrame /layout/generic/nsBlockFrame.h:557:5
#47 0x7f8a1849a5a4 in nsBlockFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) /layout/generic/nsBlockFrame.cpp:5689:5
#48 0x7f8a183e103f in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /layout/base/nsCSSFrameConstructor.cpp:7752:5
#49 0x7f8a183d8489 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /layout/base/nsCSSFrameConstructor.cpp:8726:7
#50 0x7f8a183e1b87 in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) /layout/base/nsCSSFrameConstructor.cpp
#51 0x7f8a183d841f in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /layout/base/nsCSSFrameConstructor.cpp:8715:16
#52 0x7f8a1839cd00 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /layout/base/RestyleManager.cpp:1571:25
#53 0x7f8a183a3ad4 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /layout/base/RestyleManager.cpp:3123:9
#54 0x7f8a1837c9b0 in mozilla::RestyleManager::ProcessPendingRestyles() /layout/base/RestyleManager.cpp:3203:3
#55 0x7f8a1837c0d6 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4330:39
#56 0x7f8a1834131c in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /layout/base/nsRefreshDriver.cpp:2551:22
#57 0x7f8a1834a130 in TickDriver /layout/base/nsRefreshDriver.cpp:375:13
#58 0x7f8a1834a130 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /layout/base/nsRefreshDriver.cpp:353:7
#59 0x7f8a1834a033 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:369:5
#60 0x7f8a18349d00 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:896:5
#61 0x7f8a1834936a in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:810:5
#62 0x7f8a18348d55 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /layout/base/nsRefreshDriver.cpp:731:5
#63 0x7f8a1834898a in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /layout/base/nsRefreshDriver.cpp:594:14
#64 0x7f8a1834859c in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /layout/base/nsRefreshDriver.cpp:551:9
#65 0x7f8a1783933b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /dom/ipc/VsyncMainChild.cpp:68:15
#66 0x7f8a17abb386 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#67 0x7f8a13ead2a4 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6326:32
#68 0x7f8a13e3fe91 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1749:25
#69 0x7f8a13e3c9e5 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /ipc/glue/MessageChannel.cpp:1674:9
#70 0x7f8a13e3d586 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1474:3
#71 0x7f8a13e3e911 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1572:14
#72 0x7f8a13281d7e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:538:16
#73 0x7f8a1325a4a9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:851:26
#74 0x7f8a13259033 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:683:15
#75 0x7f8a132592a3 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:461:36
#76 0x7f8a13285649 in operator() /xpcom/threads/TaskController.cpp:190:37
#77 0x7f8a13285649 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#78 0x7f8a1326eeef in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1205:16
#79 0x7f8a132754fd in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
#80 0x7f8a17d7eff8 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /dom/xhr/XMLHttpRequestMainThread.cpp:3073:29)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
#81 0x7f8a17d7eff8 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*, bool, mozilla::ErrorResult&) /dom/xhr/XMLHttpRequestMainThread.cpp:3072:10
#82 0x7f8a17d7defa in mozilla::dom::XMLHttpRequestMainThread::Send(mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /dom/xhr/XMLHttpRequestMainThread.cpp
#83 0x7f8a15d00d9f in mozilla::dom::XMLHttpRequest_Binding::send(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/XMLHttpRequestBinding.cpp:1349:24
#84 0x7f8a1624101c in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3285:13
#85 0x7f8a1b750df0 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:417:13
#86 0x7f8a1b75064a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:505:12
#87 0x7f8a1b747b07 in CallFromStack /js/src/vm/Interpreter.cpp:577:10
#88 0x7f8a1b747b07 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3325:16
#89 0x7f8a1b73ef92 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:389:13
#90 0x7f8a1b750546 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:537:13
#91 0x7f8a1b751b18 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:604:8
#92 0x7f8a1a404401 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
#93 0x7f8a15ff83c0 in mozilla::dom::Function::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/FunctionBinding.cpp:50:8
#94 0x7f8a14db9f42 in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> >(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:71:12
#95 0x7f8a14db9ce4 in mozilla::dom::CallbackTimeoutHandler::Call(char const*) /dom/base/TimeoutHandler.cpp:167:29
#96 0x7f8a14a8e252 in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /dom/base/nsGlobalWindowInner.cpp:6479:38
#97 0x7f8a14dcbb2a in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /dom/base/TimeoutManager.cpp:903:44
#98 0x7f8a14db7840 in mozilla::dom::TimeoutExecutor::MaybeExecute() /dom/base/TimeoutExecutor.cpp:179:11
#99 0x7f8a14db7de9 in Notify /dom/base/TimeoutExecutor.cpp:246:5
#100 0x7f8a14db7de9 in non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*) /dom/base/TimeoutExecutor.cpp
#101 0x7f8a13293a6c in operator() /xpcom/threads/nsTimerImpl.cpp:656:44
#102 0x7f8a13293a6c in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:656:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:657:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:660:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:661:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:309:16
#103 0x7f8a13293a6c in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:655:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:656:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:657:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:660:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:661:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:318:14
#104 0x7f8a13293a6c in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:655:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:656:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:657:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:660:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:661:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:902:12
#105 0x7f8a13293a6c in match<(lambda at /xpcom/threads/nsTimerImpl.cpp:655:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:656:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:657:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:660:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:661:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:857:12
#106 0x7f8a13293a6c in nsTimerImpl::Fire(int) /xpcom/threads/nsTimerImpl.cpp:654:22
#107 0x7f8a13262f6e in nsTimerEvent::Run() /xpcom/threads/TimerThread.cpp:365:11
#108 0x7f8a1328450d in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /xpcom/threads/ThrottledEventQueue.cpp:254:22
#109 0x7f8a1327ec41 in mozilla::ThrottledEventQueue::Inner::Executor::Run() /xpcom/threads/ThrottledEventQueue.cpp:81:15
#110 0x7f8a13281d7e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:538:16
#111 0x7f8a1325a4a9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:851:26
#112 0x7f8a13259033 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:683:15
#113 0x7f8a132592a3 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:461:36
#114 0x7f8a13285649 in operator() /xpcom/threads/TaskController.cpp:190:37
#115 0x7f8a13285649 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#116 0x7f8a1326eeef in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1205:16
#117 0x7f8a132754fd in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
#118 0x7f8a13e458c4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
#119 0x7f8a13d6aca7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
#120 0x7f8a13d6abb2 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
#121 0x7f8a13d6abb2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
#122 0x7f8a180192c8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
#123 0x7f8a1a1446db in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:875:20
#124 0x7f8a13e4680a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
#125 0x7f8a13d6aca7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
#126 0x7f8a13d6abb2 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
#127 0x7f8a13d6abb2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
#128 0x7f8a1a143cfc in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:734:34
#129 0x55f390ac2120 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#130 0x55f390ac2120 in main /browser/app/nsBrowserApp.cpp:346:18
#131 0x7f8a299ca082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#132 0x55f390a97ecc in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x15ecc) (BuildId: 0c4e9a144c714c06ab3dcbf1f3855efd1b5bff93)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27 in get
==3654270==ABORTING
|
Reporter | |
Comment 1•2 years ago
|
||
|
||
Comment 2•2 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220727093731-b2f38ca819ab.
Unable to bisect testcase (Testcase reproduces on start build!):
Start: 3c400600dbb22fbc2ff9acdf175d9bdf663c09df (20210728094336)
End: b2f38ca819abdcc61dcd6451707cac2f5861b9e3 (20220727093731)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
| Comment hidden (Intermittent Failures Robot) |
|
||
Updated•2 years ago
|
|
||
Comment 4•2 years ago
|
||
The severity field is not set for this bug.
:Jamie, could you have a look please?
For more information, please visit auto_nag documentation.
Flags: needinfo?(jteh)
| Comment hidden (Intermittent Failures Robot) |
| Comment hidden (Intermittent Failures Robot) |
| Comment hidden (Intermittent Failures Robot) |
| Comment hidden (Intermittent Failures Robot) |
|
|
||
Comment 10•1 year ago
|
||
Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
|
|
Reporter | |
Comment 11•1 year ago
|
||
A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.
Keywords: bugmon
You need to log in
before you can comment on or make changes to this bug.
Description
•