Closed
Bug 1116867
Opened 9 years ago
Closed 9 years ago
nsIProgressEventSink not javascript compatible
Categories
(Core :: Networking: HTTP, defect)
Core
Networking: HTTP
Tracking
()
RESOLVED
FIXED
mozilla38
People
(Reporter: mccr8, Assigned: mcmanus)
References
Details
Attachments
(2 files, 3 obsolete files)
1. Make sure e10s is enabled. 2. Open the browser console. 3. Navigate to www.google.com in the main browser window. I tried this same thing in my regular Nightly session, and nothing obviously bad happened, so maybe it is just an overly strict assertion.
Updated•9 years ago
|
Component: Networking → Networking: HTTP
Comment 1•9 years ago
|
||
Could you check what the actual status value is that's asserting?
Assignee | ||
Comment 2•9 years ago
|
||
so this is wfm with a debug build from this morning's m-c on linux64 - using e10s and both http:// and https:// versions of google. is this still an issue? can you provide the info from comment 1?
Flags: needinfo?(continuation)
Reporter | ||
Comment 3•9 years ago
|
||
Now I get this instead: Assertion failure: progress <= progressMax (unexpected progress values), at /Users/amccreight/mc/netwerk/protocol/http/HttpChannelChild.cpp:544 #01: mozilla::net::HttpChannelChild::RecvOnTransportAndData(tag_nsresult const&, tag_nsresult const&, unsigned long long const&, unsigned long long const&, nsCString const&, unsigned long long const&, unsigned int const&)[/Users/amccreight/mc/obj-dbg.noindex/dist/NightlyDebug.app/Contents/MacOS/XUL +0x314f03] #02: mozilla::net::PHttpChannelChild::OnMessageReceived(IPC::Message const&)[/Users/amccreight/mc/obj-dbg.noindex/dist/NightlyDebug.app/Contents/MacOS/XUL +0x64e528] #03: mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&)[/Users/amccreight/mc/obj-dbg.noindex/dist/NightlyDebug.app/Contents/MacOS/XUL +0x577d87] #04: mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&)[/Users/amccreight/mc/obj-dbg.noindex/dist/NightlyDebug.app/Contents/MacOS/XUL +0x46bb20] #05: mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&)[/Users/amccreight/mc/obj-dbg.noindex/dist/NightlyDebug.app/Contents/MacOS/XUL +0x46a811] #06: mozilla::ipc::MessageChannel::OnMaybeDequeueOne()[/Users/amccreight/mc/obj-dbg.noindex/dist/NightlyDebug.app/Contents/MacOS/XUL +0x46583f]
Flags: needinfo?(continuation)
Reporter | ||
Comment 4•9 years ago
|
||
The values of those variables are progress = 14827 and progressMax = 0, at least through two tries of it.
Reporter | ||
Updated•9 years ago
|
Summary: [e10s] Assertion failure: status == nsresult::NS_NET_STATUS_RECEIVING_FROM || status == nsresult::NS_NET_STATUS_READING → [e10s] Assertion failure when loading page with browser console open
Reporter | ||
Comment 5•9 years ago
|
||
Same thing happens with techcrunch.com, cnn.com, and a few other random sites I tried loading.
Reporter | ||
Comment 6•9 years ago
|
||
Though the values were different for "progress".
Comment 7•9 years ago
|
||
Patrick, what's the significance of this bug? Should we be tracking it for e10s?
Flags: needinfo?(mcmanus)
Assignee | ||
Comment 8•9 years ago
|
||
jason is probably in a better place with the ipdl code to answer the question.. valentin has a repro in 1117442 that he's working.
Flags: needinfo?(mcmanus) → needinfo?(jduell.mcbugs)
I am not able to reproduce any issues (comment 0 or comment 3) with the linux 64 nightly debug build (2015-01-05). I tested in e10s mode on the same sites mentioned. It is likely a related fix landed as part of bug 1115976, but this landed on 2015-01-03, which confuses me, since comment 3 is from 2015-01-05. Andrew, do you still see this even in the latest debug nightly?
Flags: needinfo?(continuation)
Reporter | ||
Comment 10•9 years ago
|
||
I downloaded firefox-37.0a1.en-US.debug-mac64.dmg from here: ftp://ftp.mozilla.org/pub/firefox/nightly/2015-01-06-mozilla-central-debug/ (there's no OSX nightly for 1-7 yet for some reason) and I can reproduce it, in a fresh profile, with e10s enabled. My steps to reproduce: 1. Hit shift-command-J to open the Browser Console. 2. Click over to the address bar in the main window. 3. Type "google.com" and hit enter.
Flags: needinfo?(continuation)
Assignee | ||
Comment 11•9 years ago
|
||
#6 mozilla::net::HttpChannelChild::DoOnProgress (this=0x7fffdb8de000, aRequest=0x7fffdb8de088, progress=30275, progressMax=0) at ../../../../gecko-dev/netwerk/protocol/http/HttpChannelChild.cpp:544
Okay, I am able to reproduce this now. What happens is that the Network Monitor code (which is used when the Browser Console is open) intercepts onProgress for its own purposes, and then forwards the message along to the original onProgress listener. Usually, this works correctly. However, if |progressMax| is 0xFFFFFFFFFFFFFFFF (the "unknown" value), things get messed up since we are now going C++ -> JS -> C++, and JS can't safely represent integers that large, so it ends up getting forced to 0 when leaving JS. I tried clamping the value down to Number.MAX_SAFE_INTEGER, and this does fix the assertion and crash. However, I see that are some C++ cases where we check for exactly UINT64_MAX. Is there some secret way I can force the JS -> C++ XPCOM conversion to allow JS to pass UINT64_MAX safely?
Assignee | ||
Comment 13•9 years ago
|
||
thanks jryans. So nsIProgressEventSink is a broken interface, at least for JS. I think we should update it to use a new constant nsIProgressEventSink::MAX_PROGRESS_UNKNOWN that is set to 2^53 - 1 and change each of the ~10 C++ implementations to use that instead of UINT64_MAX That ought to fix the problem
Assignee | ||
Comment 14•9 years ago
|
||
this isn't really an e10s problem.. we see it in e10s because of an assert in the message marshalling code for onProgress().. but the root of it is that when OnProgress, which is a scriptable interface, goes through js a sentinel value is out of range of MAX_SAFE_INTEGER.. so it can't really use the interface correctly.
Summary: [e10s] Assertion failure when loading page with browser console open → nsIProgressEventSink not javascript compatible
No longer depends on: 1117442
Assignee | ||
Comment 16•9 years ago
|
||
I'm going to put this at the top of my queue, but it isn't going to happen before the branch to ff38 next week. However the problem is long standing. We might want to consider working around any new code on 37 that triggers the issue. (or is it not new code? and we only notice it because people have e10s enabled on nightly?)
Reporter | ||
Comment 17•9 years ago
|
||
I've been using e10s for a number of months, and I only noticed this particular problem recently. (I work around it by not opening the console until after the page opens, which isn't too bad because I have to not open the console after the page closes due to another unrelated bug...)
(In reply to Patrick McManus [:mcmanus] from comment #16) > I'm going to put this at the top of my queue, but it isn't going to happen > before the branch to ff38 next week. However the problem is long standing. > We might want to consider working around any new code on 37 that triggers > the issue. In bug 731318, we added code to net monitor which triggers this issue if the Browser Console or DevTools toolbox is open. This landed in 37. > (or is it not new code? and we only notice it because people have e10s > enabled on nightly?) It's a crash on e10s because HttpChannelChild uses MOZ_ASSERT[1], which forces a crash. The same problem happens without e10s, but it's only an NS_WARNING[2]. [1]: https://hg.mozilla.org/mozilla-central/annotate/b3f84cf78dc2/netwerk/protocol/http/HttpChannelChild.cpp#l544 [2]: https://hg.mozilla.org/mozilla-central/annotate/b3f84cf78dc2/netwerk/protocol/http/nsHttpChannel.cpp#l5799
Assignee | ||
Comment 19•9 years ago
|
||
cool. so 731318 exposes a latent bug. we need to choose between backing that out of 37, or backporting the fix of the long time bug (which is going to have to include a breaking idl change) onto aurora. what do you think?
(In reply to Patrick McManus [:mcmanus] from comment #19) > cool. so 731318 exposes a latent bug. > > we need to choose between backing that out of 37, or backporting the fix of > the long time bug (which is going to have to include a breaking idl change) > onto aurora. > > what do you think? I was hoping to construct a safe way to disable for e10s only, but since the merge is on Monday, it's probably best to back out bug 731318. I'll do this now.
Blocks: 731318
Assignee | ||
Comment 21•9 years ago
|
||
thanks jryans. Actually, this isn't really an e10s thing. only e10s throws the assert, so we notice it more there, but the single process code path is also going to corrupt maxProgress when it goes through js boundaries - it will just happen silently. The code in places like docshell that checks uint_max64 will do the wrong thing in those cases.
Assignee | ||
Comment 22•9 years ago
|
||
These scriptable interfaces use uint_64 arguments with sentinel values of UINT64_MAX. However, UINT64_MAX exceeds MAX_SAFE_NUMBER and cannot be gatewayed to/from javascript - so they cannot be used correctly. Change them to use signed 64 bit numbers and -1 as the sentinnel. C++ implementations ought to be enough to audit as the special value could never be used correctly in JS anyhow - also audited OnProgressChange() uses for downstream use of this data.
Attachment #8547685 -
Flags: review?(honzab.moz)
Assignee | ||
Updated•9 years ago
|
Assignee: nobody → mcmanus
Status: NEW → ASSIGNED
Assignee | ||
Comment 23•9 years ago
|
||
Comment on attachment 8547685 [details] [diff] [review] make nsIProgressEventSink and nsITransportEventSink safely scriptable Review of attachment 8547685 [details] [diff] [review]: ----------------------------------------------------------------- honza, I'll have bz r the xhr bits after the necko side gets squared away.
Assignee | ||
Comment 24•9 years ago
|
||
Attachment #8547689 -
Flags: review?(honzab.moz)
Assignee | ||
Comment 25•9 years ago
|
||
/r/2361 - bug 1116867 - make nsIProgressEventSink and nsITransportEventSink safely scriptable r=mayhemer Pull down this commit: hg pull review -r 24652fa8a6703951d3b8e91fcbc03b69a7c86263
Assignee | ||
Comment 26•9 years ago
|
||
I put this in reviewboard too.. maybe you want to experiment with using that. nick and I have been using it successfully for larger patches. Doesn't matter to me which way we go.
(In reply to Patrick McManus [:mcmanus] from comment #22) > These scriptable interfaces use uint_64 arguments with sentinel values > of UINT64_MAX. However, UINT64_MAX exceeds MAX_SAFE_NUMBER and cannot > be gatewayed to/from javascript JS uses the term MAX_SAFE_INTEGER not MAX_SAFE_NUMBER, probably best to use the same terminology.
Assignee | ||
Comment 28•9 years ago
|
||
/r/2361 - bug 1116867 - make nsIProgressEventSink and nsITransportEventSink safely scriptable r=mayhemer Pull down this commit: hg pull review -r 8c4c1a72203118935fa4d4637229b1b1bbfbdbda
Assignee | ||
Comment 29•9 years ago
|
||
These scriptable interfaces use uint_64 arguments with sentinel values of UINT64_MAX. However, UINT64_MAX exceeds MAX_SAFE_NUMBER and cannot be gatewayed to/from javascript - so they cannot be used correctly. Change them to use signed 64 bit numbers and -1 as the sentinnel. C++ implementations ought to be enough to audit as the special value could never be used correctly in JS anyhow - also audited OnProgressChange() uses for downstream use of this data.
Attachment #8547721 -
Flags: review?(honzab.moz)
Assignee | ||
Updated•9 years ago
|
Attachment #8547685 -
Attachment is obsolete: true
Attachment #8547685 -
Flags: review?(honzab.moz)
Assignee | ||
Comment 30•9 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=1f68fc12ece7 (you can see in the diff on the try run that I changed a printf specifier in one of the C++ tests.. that's the only change)
Comment 31•9 years ago
|
||
https://reviewboard.mozilla.org/r/2361/#review1699 ::: dom/base/nsXMLHttpRequest.cpp (Diff revision 2) > loaded -= headerSize; We can well get to loaded < 0 here, but out of scope of this bug. ::: embedding/components/webbrowserpersist/nsWebBrowserPersist.cpp (Diff revision 2) > uint64_t(aProgressMax), mTotalCurrentProgress, mTotalMaxProgress); Here are some weird casts left.. ::: netwerk/protocol/http/nsHttpPipeline.h (Diff revision 2) > - uint64_t mSendingToProgress; > + int64_t mSendingToProgress; indent ::: netwerk/test/TestPageLoad.cpp (Diff revision 2) > - // PR_snprintf(buf, sizeof(buf), "%llu/%llu\n", progress, progressMax); > + // PR_snprintf(buf, sizeof(buf), "%ld/%ld\n", progress, progressMax); lld ? ::: uriloader/base/nsDocLoader.cpp (Diff revision 2) > progressDelta = int64_t(aProgress) - oldCurrentProgress; no need to cast ::: dom/base/nsXMLHttpRequest.cpp (Diff revision 2) > + (size_u64 <= 9007199254740991ULL) ? static_cast<int64_t>(size_u64) : -1; Isn't there a define? if not, can you please create one in some "net.h" or so? ::: embedding/components/webbrowserpersist/nsWebBrowserPersist.cpp (Diff revision 2) > mEventSink->OnProgress(request, ctxt, aProgress, aProgressMax); And this still uses unsigned ::: netwerk/protocol/http/HttpChannelChild.cpp (Diff revision 2) > - MOZ_ASSERT(progress <= progressMax, "unexpected progress values"); > + MOZ_ASSERT((progressMax == -1) || (progress <= progressMax), If you find some way to split this assert so that we know the progressMax value, I'd love that ::: netwerk/protocol/http/HttpChannelChild.cpp (Diff revision 2) > - uint64_t progressMax(uint64_t(mOwner->GetResponseHead()->ContentLength())); > + int64_t progress = aOffset + uint64_t(aCount); aCount's already uint64
Comment 32•9 years ago
|
||
https://reviewboard.mozilla.org/r/2361/#review1705 Ship It!
Comment 33•9 years ago
|
||
Patrick, is there any difference between the board patch and the regular bz patch?
Assignee | ||
Comment 34•9 years ago
|
||
(In reply to Honza Bambas (:mayhemer) from comment #33) > Patrick, is there any difference between the board patch and the regular bz > patch? nope. I'll clear the regular bz one.
Assignee | ||
Updated•9 years ago
|
Attachment #8547721 -
Flags: review?(honzab.moz)
Assignee | ||
Updated•9 years ago
|
Flags: needinfo?(jduell.mcbugs)
Assignee | ||
Updated•9 years ago
|
Attachment #8547721 -
Attachment is obsolete: true
Assignee | ||
Comment 35•9 years ago
|
||
https://reviewboard.mozilla.org/r/2361/#review1733 > And this still uses unsigned I can't figure this comment out.. OnProgress is changed by this patch to take unsigned
Assignee | ||
Comment 36•9 years ago
|
||
https://reviewboard.mozilla.org/r/2359/#review1735 bz can you look at (at least) the xhr part?
Assignee | ||
Comment 37•9 years ago
|
||
Comment on attachment 8547689 [details]
MozReview Request: bz://1116867/mcmanus
honza, I wasn't sure if you meant to r+ the last version (cause it said ship it) or cancel it or what.. nick had some problem with reviewboard setting flags earlier today adding to the confusion.
So I'm leaving r? set for the new rev. Actually it lets you see the interdiff which is the one place reviewboard does way better than spliter imo
Attachment #8547689 -
Flags: review?(bzbarsky)
Updated•9 years ago
|
Attachment #8547689 -
Flags: review?(bzbarsky) → review+
Comment 38•9 years ago
|
||
https://reviewboard.mozilla.org/r/2359/#review1753 So I was worried about binary extensions, but the good news is that testing an int64_t for equality against UINT64_MAX is the same as testing it for equality against -1, both in terms of machine code and C/C++ integer promotion behavior. So there should be pretty minimal fallout, if any. ::: dom/base/nsXMLHttpRequest.cpp (Diff revision 2) > + (size_u64 <= 9007199254740991ULL) ? static_cast<int64_t>(size_u64) : -1; I would prefer we had an actual constant for MAX_SAFE_JS_INTEGER or JS_MAX_SAFE_INTEGER or whatever somewhere, either in jsapi headers (probably preferred) or at least somewhere in mfbt or something. Then we could also static_assert things like the value being < INT64_MAX. ::: netwerk/base/public/nsITransport.idl (Diff revision 2) > - * unknown, 0xFFFFFFFF will be passed. > + * unknown, -1 will be passed. tbd max_safe The "tbd" comment here should go away, right? ::: netwerk/protocol/file/nsFileChannel.cpp (Diff revision 2) > + if (avail <= 9007199254740991ULL) { Yeah, this is why I'd prefer a named constant. ::: netwerk/protocol/ftp/nsFtpConnectionThread.cpp (Diff revision 2) > - , mFileSize(UINT64_MAX) > + , mFileSize(9007199254740991ULL) // MAX_SAFE_NUMBER Named constant. ::: netwerk/protocol/http/nsHttpTransaction.cpp (Diff revision 2) > + mRequestSize = (size_u64 <= 9007199254740991ULL) ? static_cast<int64_t>(size_u64) : -1; Named constant. r=me with the nits fixed.
Assignee | ||
Updated•9 years ago
|
Attachment #8547689 -
Flags: review+
Assignee | ||
Comment 39•9 years ago
|
||
/r/2361 - bug 1116867 - make nsIProgressEventSink and nsITransportEventSink safely scriptable r=mayhemer r=bz Pull down this commit: hg pull review -r 7238b3125f1f3c327465592f7f096903928aaf18
Comment 40•9 years ago
|
||
Comment on attachment 8547689 [details] MozReview Request: bz://1116867/mcmanus I got lost between the patches. But this one seems to be the r+comments I've already made before (comment 31).
Attachment #8547689 -
Flags: review?(honzab.moz) → review+
Assignee | ||
Comment 41•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/91e1a0afee55
Comment 42•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/91e1a0afee55
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Assignee | ||
Comment 43•9 years ago
|
||
Attachment #8547689 -
Attachment is obsolete: true
Attachment #8619001 -
Flags: review+
Assignee | ||
Comment 44•9 years ago
|
||
You need to log in
before you can comment on or make changes to this bug.
Description
•