Closed Bug 1253199 Opened 8 years ago Closed 8 years ago

Assertion failure: globalObject, at dom/messagechannel/MessagePort.cpp:93

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla48
Tracking Flags:
Tracking Status
firefox47 --- fixed
firefox48 --- fixed

People

(Reporter: bc, Assigned: baku)

References

Details

(Keywords: assertion, regression)

Attachments

(2 files, 1 obsolete file)

crash report Linux x86_64
159.46 KB, text/plain
Details
mp.patch
716 bytes, patch
smaug
: review+
ritu
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
1. Install Spider
   http://bclary.com/projects/spider/spider-0.1.0.3-sm+tb+fx+an+fn.xpi

2. Load url in debug build using Spider
   firefox -spider -start -quit -url 'https://www.flickr.com/search/?text=portland'

3. Assertion failure: globalObject, at dom/messagechannel/MessagePort.cpp:93
   Nightly/47 Linux, Windows. OSX not tested.

Assertion added in bug 1250572 which is also pointed to by mozregression.

Note this is common in Bughunter (over 370 urls so far). Many of the urls are Google Maps urls. I didn't post them since they may contain PII.

I can't reproduce this without Spider so it may be an invalid bug caused by inappropriate usage in Spider itself. If so, if you can give me a hint on what Spider shouldn't be doing, I'd appreciate it.
This is from the minidump stackwalk output from Bughunter.
Assignee: nobody → amarchesini
Whiteboard: btpp-followup-2016-03-10
Yes, I'm working on this. today I and bc spoke on IRC about how to reproduce this issue.
I'm not able to reproduce it. Can you upload a full backtrace please?
I wonder if that happens on shutdown or if it's connected with CC/GC.
Flags: needinfo?(bob)
From a quick code inspection, looks like the assertion may easily fire if MessagePort is used from an already closed Window.
Attached patch mp.patch (obsolete) — Splinter Review 
smaug, good catch!
Flags: needinfo?(bob)
Attachment #8728924 - Flags: review?(bugs)
Could you explain the seemingly unrelated UpdateMustKeepAlive change?

And did you test this case? How do other browsers work when using MessagePort when their owner global has gone away? Though I'm mainly worried that did we end up changing behavior in bug 1250572?
I don't see how we changed behavior. Also before, if the window goes away, globalObject is null and we end up showing a warning and exit.

About the other change, we call MessagePort::UpdateMustKeepAlive() only if the dispatching of the message succeeds. But maybe this is the last message that we want to dispatch, and in this case we should stop to keep alive the MessagePort object:

https://mxr.mozilla.org/mozilla-central/source/dom/messagechannel/MessagePort.cpp#914
(In reply to Andrea Marchesini (:baku) from comment #8)
> I don't see how we changed behavior. Also before, if the window goes away,
> globalObject is null and we end up showing a warning and exit.
s/exit/return/ I think ;)
But you mean we had the same behavior before, right?


> About the other change, we call MessagePort::UpdateMustKeepAlive() only if
> the dispatching of the message succeeds. But maybe this is the last message
> that we want to dispatch, and in this case we should stop to keep alive the
> MessagePort object:
Ok, so is this a leak fix? Do we need that fix on branches. Leaks can cause horrible user experience.
Why we need that fix in this bug?
> But you mean we had the same behavior before, right?

Yes, because previously the code was (at some point):

if (!globalObject || !jsapi.init(globalObject)) {
  return NS_ERROR_FAILURE;
}

> Why we need that fix in this bug?

I'll file a separate bug for this.
Attached patch mp.patchSplinter Review 

        Attachment #8728924 -
        Attachment is obsolete: true

        Attachment #8728924 -
        Flags: review?(bugs)

        Attachment #8728942 -
        Flags: review?(bugs)

        Attachment #8728942 -
        Flags: review?(bugs) → review+

    
    

    
  
But could you test what other browsers do with MessagePorts coming from windows which have been deleted.

    
    

    
  
Since it is worrisome if the code path is actually executed rather often in the web pages.

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/85efbcc510b3
Status: NEW → RESOLVED
Closed: 8 years ago

          status-firefox48:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48

    
    

    
  
Please request Aurora approval on this when you get a chance.
Flags: needinfo?(amarchesini)

    
    

    
  
Comment on attachment 8728942 [details] [diff] [review]
mp.patch

Approval Request Comment
[Feature/regressing bug #]: bug 1250572
[User impact if declined]: An assertion in debug builds
[Describe test coverage new/current, TreeHerder]: none
[Risks and why]: none
[String/UUID change made/needed]: none
Flags: needinfo?(amarchesini)

        Attachment #8728942 -
        Flags: approval-mozilla-aurora?
Whiteboard: btpp-followup-2016-03-10

    
    

    
  
Hi Baku, Smaug, Overholt: I am bit concerned about this patch. We just removed the assert without any additional error handling. Is that a safe path to take? I am sure the assert was put into place for a reason.
Flags: needinfo?(overholt)
Flags: needinfo?(bugs)
Flags: needinfo?(amarchesini)

    
    

    
  
We removed a misplaced assertion.
(and assertions aren't error handling, they are just to assert something works as expected, but by default don't have any affect to release builds).
Flags: needinfo?(bugs)

    
    

    
  
Ritu, I added the assertion at the beginning, then I wrote the patch to remove it. Here why:

MessagePort has a completely custom life-time management. It can survive at its window (just for a little while) when dispatching messages (PostMessageRunnable keeps it alive). MessagePort::GetParentObject() is DOMEventTargetHelper::GetParentObject(). When the window is closing (and maybe also for other reasons) we call DOMEventTargetHelper::DisconnectFromOwner(), this nullify DOMEventTargetHelper::mParentObject. From that point GetParentObject() returns a nullptr.

If in the meantime we have a PostMessageRunnable runnable that is already be scheduled, when PostMessageRunnable::Run() is executed, it will have a nullptr from mPort->GetParentObject().

This is totally fine because the next line is:

    if (!globalObject || !jsapi.Init(globalObject)) {                                                            
      return NS_ERROR_FAILURE;
    }

and we stop the dispatching of that message.

The assert was there because I didn't consider this race condition when I wrote that code initially.
Flags: needinfo?(amarchesini)
Flags: needinfo?(overholt)

    
    

    
  
(In reply to Andrea Marchesini (:baku) from comment #21)
> Ritu, I added the assertion at the beginning, then I wrote the patch to
> remove it. Here why:
> 
> MessagePort has a completely custom life-time management. It can survive at
> its window (just for a little while) when dispatching messages
> (PostMessageRunnable keeps it alive). MessagePort::GetParentObject() is
> DOMEventTargetHelper::GetParentObject(). When the window is closing (and
> maybe also for other reasons) we call
> DOMEventTargetHelper::DisconnectFromOwner(), this nullify
> DOMEventTargetHelper::mParentObject. From that point GetParentObject()
> returns a nullptr.
> 
> If in the meantime we have a PostMessageRunnable runnable that is already be
> scheduled, when PostMessageRunnable::Run() is executed, it will have a
> nullptr from mPort->GetParentObject().
> 
> This is totally fine because the next line is:
> 
>     if (!globalObject || !jsapi.Init(globalObject)) {                       
> 
>       return NS_ERROR_FAILURE;
>     }
> 
> and we stop the dispatching of that message.
> 
> The assert was there because I didn't consider this race condition when I
> wrote that code initially.

Thanks Baku for a detailed reply. It was mostly obvious but I still did not connect the dots. :( I review 20+ uplifts some days and blame it on fatigue. I appreciate a prompt reply, will approve it now.

    
    

    
  
Comment on attachment 8728942 [details] [diff] [review]
mp.patch

Removing an assert that is not needed, Aurora47+

        Attachment #8728942 -
        Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: