Closed
Bug 1419802
Opened 7 years ago
Closed 6 years ago
Assertion failure: ObserverCount() == mEarlyRunners.Length() (observers, except pending selection scrolls, should have been unregistered), at /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1185
Categories
(Core :: Layout, defect, P3)
Tracking
()
RESOLVED
FIXED
mozilla62
Release | Tracking | Status |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox-esr60 | --- | wontfix |
firefox60 | --- | wontfix |
firefox61 | --- | wontfix |
firefox62 | --- | fixed |
People
(Reporter: jkratzer, Assigned: emilio)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Attachments
(4 files)
Testcase found while fuzzing mozilla-central rev 5378dcb45044.

    ==31186==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9884d72968 bp 0x7ffd38988370 sp 0x7ffd38988340 T0)
    ==31186==The signal is caused by a WRITE memory access.
    ==31186==Hint: address points to the zero page.
    #0 0x7f9884d72967 in nsRefreshDriver::~nsRefreshDriver() /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1182:3
    #1 0x7f9884d72cad in nsRefreshDriver::~nsRefreshDriver() /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1181:1
    #2 0x7f9880de7369 in mozilla::layers::TransactionIdAllocator::Release() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/layers/TransactionIdAllocator.h:21:3
    #3 0x7f98830a533f in RefPtr<nsRefreshDriver>::operator=(decltype(nullptr)) /builds/worker/workspace/build/src/gfx/gl/../../mfbt/RefPtr.h:168:5
    #4 0x7f9884efed1e in nsPresContext::~nsPresContext() /builds/worker/workspace/build/src/layout/base/nsPresContext.cpp:421:3
    #5 0x7f9884f0e43d in nsRootPresContext::~nsRootPresContext() /builds/worker/workspace/build/src/layout/base/nsPresContext.cpp:3197:1
    #6 0x7f987eec7866 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2729:25
    #7 0x7f987eec6d5c in nsCycleCollector::FreeSnowWhite(bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2917:3
    #8 0x7f987eece628 in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3925:3
    #9 0x7f987eecdd7f in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3746:9
    #10 0x7f987eecda54 in nsCycleCollector::ShutdownCollect() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3687:10
    #11 0x7f987eed1f03 in nsCycleCollector_shutdown(bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4373:23
    #12 0x7f987f088dfc in mozilla::ShutdownXPCOM(nsIServiceManager*) /builds/worker/workspace/build/src/xpcom/build/XPCOMInit.cpp:973:3
    #13 0x7f9887c09c19 in XRE_TermEmbedding() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:224:3
    #14 0x7f987fc023a5 in mozilla::ipc::ScopedXREEmbed::Stop() /builds/worker/workspace/build/src/ipc/glue/ScopedXREEmbed.cpp:108:5
    #15 0x7f9887c0a414 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:707:16
    #16 0x4ec36e in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #17 0x4ec5c9 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280:18
    #18 0x7f989e33582f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #19 0x41e424 in _start (/home/forb1dden/builds/mc-asan-debug/firefox+0x41e424)
Flags: in-testsuite?
Updated • 7 years ago
Priority: -- → P3
Comment 3 (Reporter) • 6 years ago
Additional testcase.
Updated (Assignee) • 6 years ago
Flags: needinfo?(emilio)
Updated (Assignee) • 6 years ago
Assignee: nobody → emilio
Flags: needinfo?(emilio)
Comment 7 (Assignee) • 6 years ago
The leftover "observer" is the "view manager flush is scheduled" bit. I think it's fine to leave that bit set.
Comment 9 • 6 years ago
Hmm, does the ScheduleViewManagerFlush call happen during PresShell::Destroy? That seems rather undesirable if it might restart timers (in nsRefreshDriver::EnsureTimerStarted and/or PresShell::ScheduleViewManagerFlush). Maybe it would be better to return early in PresShell::ScheduleViewManagerFlush instead if IsDestroying() is true?
Flags: needinfo?(emilio)
Comment 12 • 6 years ago
mozreview-review
Comment on attachment 8979474 [details] Bug 1419802: Bailout from ScheduleViewManagerFlush if already destroying the shell. https://reviewboard.mozilla.org/r/245642/#review252250
Attachment #8979474 - Flags: review?(mats) → review+
Comment 13 • 6 years ago
Pushed by ecoal95@gmail.com: https://hg.mozilla.org/integration/autoland/rev/91c6df51ea61 Bailout from ScheduleViewManagerFlush if already destroying the shell. r=mats
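A minimal C++ model of the teardown ordering discussed in comments 7 and 9, added here as an illustration and not Mozilla's code: a flush scheduled after the shell has begun destroying leaves one counted "observer" behind unless the scheduling call bails out. The class names, `LeftoverObservers`, and the late flush request inside `Destroy()` are assumptions of the model, which also treats the early-runner list as empty.

```cpp
#include <cstddef>
#include <cstdio>
#include <set>

// Model only: hypothetical stand-ins, not Gecko's nsRefreshDriver / PresShell.
class ModelRefreshDriver {
 public:
  void AddObserver(int aId) { mObservers.insert(aId); }
  void RemoveObserver(int aId) { mObservers.erase(aId); }
  void ScheduleViewManagerFlush() { mFlushPending = true; }
  void RevokeViewManagerFlush() { mFlushPending = false; }
  // The pending-flush bit counts as one more observer.
  std::size_t ObserverCount() const { return mObservers.size() + (mFlushPending ? 1 : 0); }
 private:
  std::set<int> mObservers;
  bool mFlushPending = false;
};

class ModelShell {
 public:
  ModelShell(ModelRefreshDriver& aDriver, bool aBailOut)
      : mDriver(aDriver), mBailOut(aBailOut) { mDriver.AddObserver(kObserverId); }
  bool IsDestroying() const { return mIsDestroying; }
  void ScheduleViewManagerFlush() {
    if (mBailOut && IsDestroying()) return;  // guard suggested in comment 9
    mDriver.ScheduleViewManagerFlush();
  }
  void Destroy() {
    mIsDestroying = true;
    mDriver.RemoveObserver(kObserverId);
    mDriver.RevokeViewManagerFlush();
    ScheduleViewManagerFlush();  // assumed: late teardown work asks for a flush
  }
 private:
  enum { kObserverId = 1 };
  ModelRefreshDriver& mDriver;
  bool mBailOut;
  bool mIsDestroying = false;
};

// What a destructor-time "all observers unregistered" check would see.
std::size_t LeftoverObservers(bool aBailOut) {
  ModelRefreshDriver driver;
  ModelShell shell(driver, aBailOut);
  shell.ScheduleViewManagerFlush();  // normal operation before teardown
  shell.Destroy();
  return driver.ObserverCount();
}

int main() { std::printf("%zu %zu\n", LeftoverObservers(false), LeftoverObservers(true)); }
```

Without the guard the model reports one leftover entry, which is the condition the destructor assertion in the bug title rejects; with the guard the count is zero.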
Comment 14 • 6 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/91c6df51ea61
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox62: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Comment 15 • 6 years ago
I don't think we need to backport this, but feel free to change the status and request approval if you feel strongly otherwise.
status-firefox60: --- → wontfix
status-firefox61: --- → wontfix
status-firefox-esr52: --- → unaffected
status-firefox-esr60: --- → wontfix
Flags: in-testsuite? → in-testsuite+