Bug 1227307

Summary: nodejs-electron: constexpr _Tp& std::_Optional_base_impl<_Tp, _Dp>::_M_get() [with _Tp = content::DocumentAssociatedData; _Dp = std::_Optional_base<content::DocumentAssociatedData, false, false>]: Assertion 'this->_M_is_engaged()' failed.
Product: [openSUSE] openSUSE.org
Reporter: Bruno Pitrus <brunopitrus>
Component: 3rd party software
Assignee: Bruno Pitrus <brunopitrus>
Status: RESOLVED FIXED
QA Contact: E-mail List <screening-team-bugs>
Severity: Major
Priority: P5 - None
Version: unspecified
Target Milestone: ---
Hardware: x86-64
OS: Fedora
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Bruno Pitrus 2024-07-02 17:53:45 UTC
Found when running vscode tests on OBS on Fedora 40:

https://build.opensuse.org/package/live_build_log/home:dziobian:gulgul-ultron:19/code/Fedora_40/x86_64

Comment 1 Bruno Pitrus 2024-07-04 04:26:22 UTC
Stack trace:

#0  __GI___pthread_kill (threadid=139977486034304, signo=signo@entry=6) at pthread_kill.c:83
#1  0x00007f4f14c518ee in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#2  0x00007f4f14c398ff in __GI_abort () at abort.c:79
#3  0x00007f4f14fd45d0 in std::__glibcxx_assert_fail (file=file@entry=0x55bc2023cbbf "/usr/include/c++/13/optional", line=line@entry=479, 
    function=function@entry=0x55bc20480fc8 "constexpr _Tp& std::_Optional_base_impl<_Tp, _Dp>::_M_get() [with _Tp = content::DocumentAssociatedData; _Dp = std::_Optional_base<content::DocumentAssociatedData, false, false>]", 
    condition=condition@entry=0x55bc2023cba9 "this->_M_is_engaged()") at ../../../../../libstdc++-v3/src/c++11/assert_fail.cc:41
#4  0x000055bc1b2dcab7 in std::_Optional_base_impl<content::DocumentAssociatedData, std::_Optional_base<content::DocumentAssociatedData, false, false> >::_M_get (this=<optimized out>)
    at ../../third_party/blink/renderer/core/frame/local_dom_window.cc:234419055
#5  std::_Optional_base_impl<content::DocumentAssociatedData, std::_Optional_base<content::DocumentAssociatedData, false, false> >::_M_get (this=0x10f4003679d0) at /usr/include/c++/13/optional:477
#6  std::optional<content::DocumentAssociatedData>::operator-> (this=0x10f4003679d0) at /usr/include/c++/13/optional:968
#7  content::RenderFrameHostImpl::RemoveDocumentService (document_service=<optimized out>, this=0x10f400366800) at ../../content/browser/renderer_host/render_frame_host_impl.cc:6662
#8  content::internal::DocumentServiceBase::~DocumentServiceBase (this=<optimized out>, this=<optimized out>) at ../../content/public/browser/document_service_internal.cc:19
#9  0x000055bc1abff03b in content::DocumentService<blink::mojom::AnchorElementInteractionHost>::~DocumentService (this=<optimized out>, this=<optimized out>) at ../../content/public/browser/document_service.h:90
#10 content::AnchorElementInteractionHostImpl::~AnchorElementInteractionHostImpl (this=<optimized out>, this=<optimized out>) at ../../content/browser/preloading/anchor_element_interaction_host_impl.h:17
#11 content::AnchorElementInteractionHostImpl::~AnchorElementInteractionHostImpl (this=<optimized out>, this=<optimized out>) at ../../content/browser/preloading/anchor_element_interaction_host_impl.h:17
#12 0x000055bc1ac59c82 in content::DocumentAssociatedData::RemoveAllServices (this=this@entry=0x10f4003679d0) at ../../content/browser/renderer_host/document_associated_data.cc:56
#13 0x000055bc1ac9e927 in content::DocumentAssociatedData::~DocumentAssociatedData (this=<optimized out>, this=<optimized out>) at ../../content/browser/renderer_host/document_associated_data.cc:61
#14 0x000055bc1adf1857 in std::_Optional_payload_base<content::DocumentAssociatedData>::_M_destroy (this=0x10f4003679d0) at /usr/include/c++/13/optional:287
#15 std::_Optional_payload_base<content::DocumentAssociatedData>::_M_reset (this=0x10f4003679d0) at /usr/include/c++/13/optional:318
#16 std::_Optional_base_impl<content::DocumentAssociatedData, std::_Optional_base<content::DocumentAssociatedData, false, false> >::_M_reset (this=0x10f4003679d0)
    at ../../third_party/blink/renderer/core/frame/local_dom_window.cc:234591591
#17 std::optional<content::DocumentAssociatedData>::emplace<content::RenderFrameHostImpl&, base::TokenType<blink::DocumentTokenTypeMarker> const&> (this=0x10f4003679d0)
    at ../../third_party/blink/renderer/core/frame/local_dom_window.cc:234591587
#18 content::RenderFrameHostImpl::DidCommitNavigationInternal (this=this@entry=0x10f400366800, navigation_request=..., params=..., same_document_params=...) at ../../content/browser/renderer_host/render_frame_host_impl.cc:13263
#19 0x000055bc1adf5a62 in content::RenderFrameHostImpl::DidCommitNavigation (this=0x10f400366800, committing_navigation_request=<optimized out>, params=..., interface_params=...)
    at ../../content/browser/renderer_host/render_frame_host_impl.cc:14118
#20 0x000055bc1ad97379 in base::internal::FunctorTraits<void (content::RenderFrameHostImpl::*)(content::NavigationRequest*, mojo::StructPtr<content::mojom::DidCommitProvisionalLoadParams>, mojo::StructPtr<content::mojom::DidCommitProvisionalLoadInterfaceParams>)>::Invoke<void (content::RenderFrameHostImpl::*)(content::NavigationRequest*, mojo::StructPtr<content::mojom::DidCommitProvisionalLoadParams>, mojo::StructPtr<content::mojom::DidCommitProvisionalLoadInterfaceParams>), content::RenderFrameHostImpl*, content::NavigationRequest*, mojo::StructPtr<content::mojom::DidCommitProvisionalLoadParams>, mojo::StructPtr<content::mojom::DidCommitProvisionalLoadInterfaceParams> > (
    receiver_ptr=<optimized out>, method=<optimized out>) at ../../base/functional/bind_internal.h:710
#21 base::internal::InvokeHelper<false, void, 0ul, 1ul>::MakeItSo<void (content::RenderFrameHostImpl::*)(content::NavigationRequest*, mojo::StructPtr<content::mojom::DidCommitProvisionalLoadParams>, mojo::StructPtr<content::mojom::DidCommitProvisionalLoadInterfaceParams>), std::tuple<base::internal::UnretainedWrapper<content::RenderFrameHostImpl, base::unretained_traits::MayNotDangle, (partition_alloc::internal::RawPtrTraits)0>, base::internal::UnretainedWrapper<content::NavigationRequest, base::unretained_traits::MayNotDangle, (partition_alloc::internal::RawPtrTraits)0> >, mojo::StructPtr<content::mojom::DidCommitProvisionalLoadParams>, mojo::StructPtr<content::mojom::DidCommitProvisionalLoadInterfaceParams> > (bound=..., functor=<optimized out>) at ../../base/functional/bind_internal.h:860
#22 base::internal::Invoker<base::internal::BindState<void (content::RenderFrameHostImpl::*)(content::NavigationRequest*, mojo::StructPtr<content::mojom::DidCommitProvisionalLoadParams>, mojo::StructPtr<content::mojom::DidCommitProvisionalLoadInterfaceParams>), base::internal::UnretainedWrapper<content::RenderFrameHostImpl, base::unretained_traits::MayNotDangle, (partition_alloc::internal::RawPtrTraits)0>, base::internal::UnretainedWrapper<content::NavigationRequest, base::unretained_traits::MayNotDangle, (partition_alloc::internal::RawPtrTraits)0> >, void (mojo::StructPtr<content::mojom::DidCommitProvisionalLoadParams>, mojo::StructPtr<content::mojom::DidCommitProvisionalLoadInterfaceParams>)>::RunImpl<void (content::RenderFrameHostImpl::*)(content::NavigationRequest*, mojo::StructPtr<content::mojom::DidCommitProvisionalLoadParams>, mojo::StructPtr<content::mojom::DidCommitProvisionalLoadInterfaceParams>), std::tuple<base::internal::UnretainedWrapper<content::RenderFrameHostImpl, base::unretained_traits::MayNotDangle, (partition_alloc::internal::RawPtrTraits)0>, base::internal::UnretainedWrapper<content::NavigationRequest, base::unretained_traits::MayNotDangle, (partition_alloc::internal::RawPtrTraits)0> >, 0ul, 1ul>(void (content::RenderFrameHostImpl::*&&)(content::NavigationRequest*, mojo::StructPtr<content::mojom::DidCommitProvisionalLoadParams>, mojo::StructPtr<content::mojom::DidCommitProvisionalLoadInterfaceParams>), std::tuple<base::internal::UnretainedWrapper<content::RenderFrameHostImpl, base::unretained_traits::MayNotDangle, (partition_alloc::internal::RawPtrTraits)0>, base::internal::UnretainedWrapper<content::NavigationRequest, base::unretained_traits::MayNotDangle, (partition_alloc::internal::RawPtrTraits)0> >&&, std::integer_sequence<unsigned long, 0ul, 1ul>, mojo::StructPtr<content::mojom::DidCommitProvisionalLoadParams>&&, mojo::StructPtr<content::mojom::DidCommitProvisionalLoadInterfaceParams>&&) (unbound_args#1=..., unbound_args#0=..., bound=..., 
functor=<optimized out>) at ../../base/functional/bind_internal.h:991
#23 base::internal::Invoker<base::internal::BindState<void (content::RenderFrameHostImpl::*)(content::NavigationRequest*, mojo::StructPtr<content::mojom::DidCommitProvisionalLoadParams>, mojo::StructPtr<content::mojom::DidCommitProvisionalLoadInterfaceParams>), base::internal::UnretainedWrapper<content::RenderFrameHostImpl, base::unretained_traits::MayNotDangle, (partition_alloc::internal::RawPtrTraits)0>, base::internal::UnretainedWrapper<content::NavigationRequest, base::unretained_traits::MayNotDangle, (partition_alloc::internal::RawPtrTraits)0> >, void (mojo::StructPtr<content::mojom::DidCommitProvisionalLoadParams>, mojo::StructPtr<content::mojom::DidCommitProvisionalLoadInterfaceParams>)>::RunOnce(base::internal::BindStateBase*, mojo::StructPtr<content::mojom::DidCommitProvisionalLoadParams>&&, mojo::StructPtr<content::mojom::DidCommitProvisionalLoadInterfaceParams>&&) (base=0x10f401b77d90, unbound_args#0=..., 
    unbound_args#1=...) at ../../base/functional/bind_internal.h:904
#24 0x000055bc199731bf in base::OnceCallback<void (mojo::StructPtr<content::mojom::DidCommitProvisionalLoadParams>, mojo::StructPtr<content::mojom::DidCommitProvisionalLoadInterfaceParams>)>::Run(mojo::StructPtr<content::mojom::DidCommitProvisionalLoadParams>, mojo::StructPtr<content::mojom::DidCommitProvisionalLoadInterfaceParams>) && (args#1=..., args#0=..., this=0x10f400814e08) at ../../base/functional/callback_internal.h:146
#25 content::mojom::NavigationClient_CommitNavigation_ForwardToCallback::Accept (this=0x10f400814e00, message=0x7fffc6158a10) at gen/content/common/navigation_client.mojom.cc:1160
#26 0x000055bc1b89196a in mojo::InterfaceEndpointClient::HandleValidatedMessage (this=<optimized out>, message=0x7fffc6158a10) at ../../mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:1016
#27 0x000055bc1b884be6 in mojo::MessageDispatcher::Accept (this=this@entry=0x10f401b3e268, message=message@entry=0x7fffc6158a10) at ../../mojo/public/cpp/bindings/lib/message_dispatcher.cc:43
#28 0x000055bc1b884c50 in mojo::InterfaceEndpointClient::HandleIncomingMessage (this=0x10f401b3e180, message=0x7fffc6158a10) at ../../mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:706
#29 0x000055bc1bc2c7de in IPC::ChannelAssociatedGroupController::AcceptOnEndpointThread (this=0x10f401438100, message=..., scoped_urgent_message_notification=...) at ../../ipc/ipc_mojo_bootstrap.cc:1180
#30 0x000055bc1bc24e76 in base::internal::FunctorTraits<void (IPC::ChannelAssociatedGroupController::*)(mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification)>::Invoke<void (IPC::ChannelAssociatedGroupController::*)(mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification), scoped_refptr<IPC::ChannelAssociatedGroupController>, mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification> (receiver_ptr=..., 
    method=<optimized out>) at ../../base/functional/bind_internal.h:710
#31 base::internal::InvokeHelper<false, void, 0, 1, 2>::MakeItSo<void (IPC::ChannelAssociatedGroupController::*)(mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification), std::tuple<scoped_refptr<IPC::ChannelAssociatedGroupController>, mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification> > (bound=..., functor=<optimized out>) at ../../base/functional/bind_internal.h:860
#32 base::internal::Invoker<base::internal::BindState<void (IPC::ChannelAssociatedGroupController::*)(mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification), scoped_refptr<IPC::ChannelAssociatedGroupController>, mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification>, void()>::RunImpl<void (IPC::ChannelAssociatedGroupController::*)(mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification), std::tuple<scoped_refptr<IPC::ChannelAssociatedGroupController>, mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification>, 0, 1, 2> (bound=..., functor=<optimized out>) at ../../base/functional/bind_internal.h:991
#33 base::internal::Invoker<base::internal::BindState<void (IPC::ChannelAssociatedGroupController::*)(mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification), scoped_refptr<IPC::ChannelAssociatedGroupController>, mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification>, void()>::RunOnce(base::internal::BindStateBase *) (base=<optimized out>) at ../../base/functional/bind_internal.h:904
#34 0x000055bc1fc8d972 in base::OnceCallback<void ()>::Run() && (this=0x11400234c78) at ../../base/functional/callback.h:156
#35 base::TaskAnnotator::RunTaskImpl(base::PendingTask&) [clone .isra.0] (pending_task=..., this=<optimized out>) at ../../base/task/common/task_annotator.cc:201
#36 0x000055bc1b79e067 in base::TaskAnnotator::RunTask<base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::LazyNow*)::<lambda(perfetto::EventContext&)> > (pending_task=..., event_name=..., 
    this=<optimized out>) at ../../base/task/common/task_annotator.h:89
#37 base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl (continuation_lazy_now=0x7fffc6158bf0, this=0x114002aea80) at ../../base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:478
#38 base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork (this=0x114002aea80) at ../../base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:343
#39 0x000055bc1b79fa96 in base::MessagePumpGlib::HandleDispatch (this=0x1140024a8c0) at ../../base/message_loop/message_pump_glib.cc:646
#40 base::(anonymous namespace)::WorkSourceDispatch (source=<optimized out>, unused_func=<optimized out>, unused_data=<optimized out>) at ../../base/message_loop/message_pump_glib.cc:274
#41 0x00007f4f1a02be5c in g_main_dispatch (context=0x11400270f00) at ../glib/gmain.c:3476
#42 g_main_context_dispatch_unlocked (context=0x11400270f00) at ../glib/gmain.c:4284
#43 0x00007f4f1a086f68 in g_main_context_iterate_unlocked.isra.0 (context=context@entry=0x11400270f00, block=block@entry=0, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4349
#44 0x00007f4f1a029ad3 in g_main_context_iteration (context=0x11400270f00, may_block=0) at ../glib/gmain.c:4414
#45 0x000055bc1b79fc3b in base::MessagePumpGlib::Run (this=0x1140024a8c0, delegate=<optimized out>) at ../../base/message_loop/message_pump_glib.cc:680
#46 0x000055bc1b7927c1 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run (this=0x114002aea80, application_tasks_allowed=<optimized out>, timeout=...)
    at ../../base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:646
#47 0x000055bc1b792aba in base::RunLoop::Run (location=..., this=0x10f400a46680) at ../../base/run_loop.cc:134
#48 base::RunLoop::Run (this=0x10f400a46680, location=...) at ../../base/run_loop.cc:106
#49 0x000055bc1a7cdc60 in content::BrowserMainLoop::RunMainMessageLoop (this=<optimized out>) at ../../content/browser/browser_main_loop.cc:1096
#50 content::BrowserMainLoop::RunMainMessageLoop (this=<optimized out>) at ../../content/browser/browser_main_loop.cc:1075
#51 content::BrowserMainRunnerImpl::Run (this=0x10f40000c3c0) at ../../content/browser/browser_main_runner_impl.cc:158
#52 0x000055bc190415ed in content::BrowserMain (parameters=...) at ../../content/browser/browser_main.cc:34
#53 content::RunBrowserProcessMain (delegate=<optimized out>, main_function_params=...) at ../../content/app/content_main_runner_impl.cc:712
#54 content::ContentMainRunnerImpl::RunBrowser (this=this@entry=0x1140023d500, main_params=..., start_minimal_browser=<optimized out>) at ../../content/app/content_main_runner_impl.cc:1299
#55 0x000055bc190441c4 in content::ContentMainRunnerImpl::Run (this=0x1140023d500) at /usr/include/c++/13/bits/unique_ptr.h:197
#56 0x000055bc18c79fa7 in content::RunContentProcess (content_main_runner=0x1140023d500, params=...) at ../../content/app/content_main.cc:334
#57 content::ContentMain (params=...) at ../../content/app/content_main.cc:347
#58 main (argc=argc@entry=19, argv=argv@entry=0x7fffc6159f58) at ../../electron/shell/app/electron_main_linux.cc:45
#59 0x00007f4f14c3b14a in __libc_start_call_main (main=main@entry=0x55bc18c79ce0 <main(int, char**)>, argc=argc@entry=19, argv=argv@entry=0x7fffc6159f58) at ../sysdeps/nptl/libc_start_call_main.h:58
#60 0x00007f4f14c3b20b in __libc_start_main_impl (main=0x55bc18c79ce0 <main(int, char**)>, argc=19, argv=0x7fffc6159f58, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffc6159f48)
    at ../csu/libc-start.c:360
#61 0x000055bc18c91b45 in _start ()

Comment 2 Bruno Pitrus 2024-07-18 15:26:34 UTC
fixed in RenderFrameHostImpl-use-after-free.patc