Closed
Bug 1235183
Opened 8 years ago
Closed 8 years ago
Assertion failure: !mDoingStableStates, at xpcom/base/CycleCollectedJSRuntime.cpp:1057
Categories
(Core :: Audio/Video: Playback, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla50
People
(Reporter: unmobile+mozbugs, Assigned: jwwang)
References
Details
(Whiteboard: dom-triaged)
Crash Data
Attachments
(6 files, 1 obsolete file)
22.72 KB,
patch
|
Details | Diff | Splinter Review | |
58 bytes,
text/x-review-board-request
|
cpearce
:
review+
|
Details |
58 bytes,
text/x-review-board-request
|
cpearce
:
review+
|
Details |
58 bytes,
text/x-review-board-request
|
cpearce
:
review+
|
Details |
58 bytes,
text/x-review-board-request
|
cpearce
:
review+
|
Details |
58 bytes,
text/x-review-board-request
|
cpearce
:
review+
|
Details |
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36 Steps to reproduce: Running packaged iceweasel 43.0.1-1 from Debian Experimental on Debian Sid. Using the NoScript add-on (up to date, AFAIK) 1. Browse to http://www.theatlantic.com/magazine/archive/2016/01/the-great-republican-revolt/419118/ 2. Temporarily enable scripts from cdn.theatlantic.com from address bar drop-down menu Actual results: Assertion failure, as follows: Assertion failure: !mDoingStableStates, at /tmp/buildd/iceweasel-43.0.1/xpcom/base/CycleCollectedJSRuntime.cpp:1057 #01: ???[/usr/lib/iceweasel/libxul.so +0xdc94e8] #02: ???[/usr/lib/iceweasel/libxul.so +0x9d2c60] #03: NS_InvokeByIndex[/usr/lib/iceweasel/libxul.so +0x9dc443] #04: ???[/usr/lib/iceweasel/libxul.so +0xdd6a7b] #05: ???[/usr/lib/iceweasel/libxul.so +0xddd950] #06: ???[/usr/lib/iceweasel/libxul.so +0x25b06a6] #07: ???[/usr/lib/iceweasel/libxul.so +0x25a3bad] #08: ???[/usr/lib/iceweasel/libxul.so +0x25b0341] #09: ???[/usr/lib/iceweasel/libxul.so +0x25b0603] #10: ???[/usr/lib/iceweasel/libxul.so +0x25b0d43] #11: ???[/usr/lib/iceweasel/libxul.so +0x271ed18] #12: ??? (???:???) In gdb, I get the following from this: Program received signal SIGSEGV, Segmentation fault. mozilla::CycleCollectedJSRuntime::ProcessMetastableStateQueue (this=this@entry=0x7fffe6889800, aRecursionDepth=<optimized out>) at /tmp/buildd/iceweasel-43.0.1/xpcom/base/CycleCollectedJSRuntime.cpp:1057 1057 /tmp/buildd/iceweasel-43.0.1/xpcom/base/CycleCollectedJSRuntime.cpp: No such file or directory. (gdb) bt #0 mozilla::CycleCollectedJSRuntime::ProcessMetastableStateQueue (this=this@entry=0x7fffe6889800, aRecursionDepth=<optimized out>) at /tmp/buildd/iceweasel-43.0.1/xpcom/base/CycleCollectedJSRuntime.cpp:1057 #1 0x00007ffff26ff63d in mozilla::CycleCollectedJSRuntime::AfterProcessTask (this=0x7fffe6889800, aRecursionDepth=<optimized out>) at /tmp/buildd/iceweasel-43.0.1/xpcom/base/CycleCollectedJSRuntime.cpp:1091 #2 0x00007ffff2b2c4e8 in XPCJSRuntime::AfterProcessTask (this=0x7fffe6889800, aNewRecursionDepth=2) at /tmp/buildd/iceweasel-43.0.1/js/xpconnect/src/XPCJSRuntime.cpp:3638 #3 0x00007ffff2735c60 in nsThread::ProcessNextEvent (this=0x7ffff6b70940, aMayWait=<optimized out>, aResult=0x7fffffff9ef8) at /tmp/buildd/iceweasel-43.0.1/xpcom/threads/nsThread.cpp:965 #4 0x00007ffff273f443 in NS_InvokeByIndex (that=<optimized out>, methodIndex=<optimized out>, paramCount=<optimized out>, params=<optimized out>) at /tmp/buildd/iceweasel-43.0.1/xpcom/reflect/xptcall/md/unix/xptcinvoke_x86_64_unix.cpp:176 #5 0x00007ffff2b39a7b in CallMethodHelper::Invoke (this=0x7fffffff9e98) at /tmp/buildd/iceweasel-43.0.1/js/xpconnect/src/XPCWrappedNative.cpp:2095 #6 CallMethodHelper::Call (this=0x7fffffff9e98) at /tmp/buildd/iceweasel-43.0.1/js/xpconnect/src/XPCWrappedNative.cpp:1415 #7 XPCWrappedNative::CallMethod (ccx=..., mode=mode@entry=XPCWrappedNative::CALL_METHOD) at /tmp/buildd/iceweasel-43.0.1/js/xpconnect/src/XPCWrappedNative.cpp:1382 #8 0x00007ffff2b40950 in XPC_WN_CallMethod (cx=0x7fffdc314800, argc=1, vp=0x7fffd8c1a318) at /tmp/buildd/iceweasel-43.0.1/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1145 #9 0x00007ffff43136a6 in js::CallJSNative (args=..., native=<optimized out>, cx=0x7fffdc314800) at /tmp/buildd/iceweasel-43.0.1/js/src/jscntxtinlines.h:235 #10 js::Invoke (cx=0x7fffdc314800, args=..., construct=<optimized out>) at /tmp/buildd/iceweasel-43.0.1/js/src/vm/Interpreter.cpp:765 #11 0x00007ffff4306bad in Interpret (cx=0x7fffdc314800, state=...) at /tmp/buildd/iceweasel-43.0.1/js/src/vm/Interpreter.cpp:3068 #12 0x00007ffff4313341 in js::RunScript (cx=cx@entry=0x7fffdc314800, state=...) at /tmp/buildd/iceweasel-43.0.1/js/src/vm/Interpreter.cpp:706 #13 0x00007ffff4313603 in js::Invoke (cx=cx@entry=0x7fffdc314800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /tmp/buildd/iceweasel-43.0.1/js/src/vm/Interpreter.cpp:783 #14 0x00007ffff4313d43 in js::Invoke (cx=cx@entry=0x7fffdc314800, thisv=..., fval=..., argc=argc@entry=2, argv=argv@entry=0x7fffffffadf0, rval=..., rval@entry=...) at /tmp/buildd/iceweasel-43.0.1/js/src/vm/Interpreter.cpp:820 #15 0x00007ffff4481d18 in js::jit::DoCallFallback (cx=0x7fffdc314800, frame=0x7fffffffae78, stub_=0x7fff9e144358, argc=2, vp=0x7fffffffade0, res=...) at /tmp/buildd/iceweasel-43.0.1/js/src/jit/BaselineIC.cpp:8900 #16 0x00007ffff7fd3b90 in ?? () #17 0x00007fff99ff1fb8 in ?? () #18 0x00007fffffffad98 in ?? () #19 0x00007fffffffaeb8 in ?? () #20 0xfff9000000000000 in ?? () #21 0x00007ffff686c6a0 in js::jit::DoSpreadCallFallbackInfo () from /usr/lib/iceweasel/libxul.so #22 0x00007fffd8d53b80 in ?? () #23 0x00007fffe69617c3 in ?? () [snip more unsymbolized addresses] #54 0x00007fffffffaf00 in ?? () #55 0x0000000000000000 in ?? () Expected results: Page reloads with additional JS enabled
Reporter | ||
Updated•8 years ago
|
Component: Untriaged → XPCOM
OS: Unspecified → Linux
Product: Firefox → Core
Hardware: Unspecified → x86_64
Reporter | ||
Comment 1•8 years ago
|
||
On advice of KWierso on IRC, set to Core :: XPCOM, adding CC to khuey and froydnj
Reporter | ||
Comment 2•8 years ago
|
||
Just tried on "Build identifier: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.5.0" and the crash did not reproduce.
Updated•8 years ago
|
OS: Linux → All
Hardware: x86_64 → All
Assignee: nobody → khuey
The problem here is that the HTMLMediaElement code runs at a point where it's not safe to spin the event loop. It then does a bunch of processing and calls into Necko, which eventually calls into addons (via the observer service), one of which spins the event loop and triggers an assertion in CycleCollectedJSRuntime. This is sort of a bandaid, in that it only fixes a code path where Necko is *known* to call into addons that spin the event loop. Calling AsyncOpen triggers other observer service notifications that *could* call into addons that spin the event loop. I'm not sure whether the long term solution here is to simply not open channels in this situation or what, but I think we should take this patch.
Attachment #8703895 -
Flags: review?(jduell.mcbugs)
Oh, and there was previous discussion of this in bug 1191713, which I couldn't find earlier.
Comment 6•8 years ago
|
||
Comment on attachment 8703895 [details] [diff] [review] Patch Review of attachment 8703895 [details] [diff] [review]: ----------------------------------------------------------------- IRC chat about this patch: jcduell: khuey: looking at https://bugzilla.mozilla.org/show_bug.cgi?id=1235183. So even with this patch we’ll still call on-opening-request, which I was hoping was only used by Firebug (we added the flag for firebug some few years ago because it needed to be called back synchronously from within AsyncOpen(), IIRC because of some temporary variable or something like that). But for some reasons it's gotten popular--there are now 95 addons in mxr that are hooking this: jduell: https://mxr.mozilla.org/addons/search?string=on-opening-request jduell: khuey: How awful will things be if some users have these addons and we wind up being in JS-land despite this patch? Is the right fix to stop necko channels from being opened during this state? khuey: jduell: if we just end up in JS land it's not a huge deal, if the addon spins the event loop there we'll crash khuey: in the same way we're crashing today jduell: khuey: ok, if you’re good with that, I’ll +r khuey: jduell: my plan is to take this fix, and if that ever becomes an issue, deal with it then
Attachment #8703895 -
Flags: review?(jduell.mcbugs) → review+
Comment on attachment 8703895 [details] [diff] [review] Patch Unfortunately the other things are a problem. I think we need to fix this in HTMLMediaElement.
Attachment #8703895 -
Attachment is obsolete: true
(Picking cpearce semirandomly) We need to defer the actual Necko calls (e.g. NS_NewChannel) in HTMLMediaElement::LoadResource when it's called from a stable state (i.e. via SelectResourceWrapper). Is that safe? The motivation for this is that we *cannot* spin the event loop from stable state, and Necko calls into a bunch of addons under NS_NewChannel that unfortunately do :/
Assignee: khuey → nobody
Component: XPCOM → DOM
Flags: needinfo?(cpearce)
Updated•8 years ago
|
Whiteboard: dom-triaged
Comment 9•8 years ago
|
||
In theory, we can run HTMLMediaElement::LoadResource() in a new runnable, provided it captures all the JS-modifiable state that it needs before exiting the synchronous section.
Flags: needinfo?(cpearce)
Comment 10•8 years ago
|
||
The issue can be found in Seamonkey 2.40 too: # seamonkey & [5] 14841 (seamonkey-bin:14848): Gtk-WARNING **: Theme directory of theme oxygen has no size field (seamonkey-bin:14848): Gtk-WARNING **: Theme directory of theme oxygen has no size field enigmail.js: Registered components Assertion failure: !mDoingStableStates, at /home/abuild/rpmbuild/BUILD/seamonkey/mozilla/xpcom/base/CycleCollectedJSRuntime.cpp:1057 #01: ???[/usr/lib64/seamonkey/libxul.so +0x1056524] #02: ???[/usr/lib64/seamonkey/libxul.so +0xc89615] #03: NS_InvokeByIndex[/usr/lib64/seamonkey/libxul.so +0xc911fe] #04: ???[/usr/lib64/seamonkey/libxul.so +0x10640ba] #05: ???[/usr/lib64/seamonkey/libxul.so +0x1069b00] #06: ??? (???:???)
Reporter | ||
Comment 12•8 years ago
|
||
Seen on Firefox 46.0.1 (Debian packaged 46.0.1-1) on Linux x86_64
Version: 43 Branch → 46 Branch
Comment 13•8 years ago
|
||
Ever since 46.0.1 this seems to have become a regular issue for me for some reason, happens about once a day when opening a gfycat link on both Windows and Linux, but didn't at all before hand.
Crash Signature: [@ mozilla::CycleCollectedJSRuntime::ProcessMetastableStateQueue]
Comment 14•8 years ago
|
||
I have exactly the same behaviour. It seems to be worse on Linux, but maybe because I use Windows less.
Comment 15•8 years ago
|
||
We've had 600+ occurrences of this in the past week.
Comment 17•8 years ago
|
||
Is it already clear, which add-ons trigger this bug? Since I disabled most of my add-ons I never saw this bug again. Testing is a bit time-consuming, because sometimes you have to wait some hours until you see the bug. So for testing 5 add-ons you may need 5 days.
Comment 18•8 years ago
|
||
I suspect Reddit Enhancement Suite, since this has occurred in reddit a couple of times specifically when expanding the inline image viewer. Haven't yet been able to accurately detect if it happens only on specific links, as the crash doesn't always occur. I also suspect it might be Disconnect, Privacy Badger and uBlock Origin, as when expanding those elements one of these addons might be trying to block something from the domain where the element comes from. It's possible that these assumptions are entirely wrong as I'm but a novice in this field. But I'll try to disable these mentioned addons one by one to see if the behaviour remains.
Comment 19•8 years ago
|
||
ajones, could you perhaps try to find someone to take a look at this? See https://bugzilla.mozilla.org/show_bug.cgi?id=1235183&mark=7-9#c7
Flags: needinfo?(ajones)
Updated•8 years ago
|
Component: DOM → Audio/Video: Playback
Priority: -- → P1
Assignee | ||
Comment 20•8 years ago
|
||
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) (Away until 6/13) from comment #8) > The motivation for this is that we *cannot* spin the event loop from stable > state Is that true all the time or only after xpcom-shutdown starts?
Assignee | ||
Updated•8 years ago
|
Flags: needinfo?(khuey)
All the time. "Stable state" in the HTML spec is supposed to guarantee that no script can run, which means we can't execute arbitrary nsIRunnables.
Flags: needinfo?(khuey)
Assignee | ||
Comment 22•8 years ago
|
||
It is a bit tricky to move the entire LoadResource() to a new runnable. It should be safer to move the call to NS_NewChannel() to a new runnable because it is just about implementation details. I will give it a try.
Yes, that should be fine. The problem is that NS_NewChannel calls into addon script, which can do crazy things. So deferring that from stable state should be sufficient. Thanks for looking into this.
Assignee | ||
Comment 24•8 years ago
|
||
Hi Phil, Can you try if this patch fix the problem (which applied to c2da34d96746)? Thanks.
Assignee: nobody → jwwang
Flags: needinfo?(unmobile+mozbugs)
Assignee | ||
Comment 25•8 years ago
|
||
Review commit: https://reviewboard.mozilla.org/r/60962/diff/#index_header See other reviews: https://reviewboard.mozilla.org/r/60962/
Attachment #8765715 -
Flags: review?(cpearce)
Attachment #8765716 -
Flags: review?(cpearce)
Attachment #8765717 -
Flags: review?(cpearce)
Attachment #8765718 -
Flags: review?(cpearce)
Assignee | ||
Comment 26•8 years ago
|
||
Review commit: https://reviewboard.mozilla.org/r/60964/diff/#index_header See other reviews: https://reviewboard.mozilla.org/r/60964/
Assignee | ||
Comment 27•8 years ago
|
||
Review commit: https://reviewboard.mozilla.org/r/60966/diff/#index_header See other reviews: https://reviewboard.mozilla.org/r/60966/
Assignee | ||
Comment 28•8 years ago
|
||
Review commit: https://reviewboard.mozilla.org/r/60968/diff/#index_header See other reviews: https://reviewboard.mozilla.org/r/60968/
Assignee | ||
Comment 29•8 years ago
|
||
try looks green: https://treeherder.mozilla.org/#/jobs?repo=try&revision=461b65af5a53
Updated•8 years ago
|
Attachment #8765715 -
Flags: review?(cpearce) → review+
Comment 30•8 years ago
|
||
Comment on attachment 8765715 [details] Bug 1235183. Part 1 - fix coding styles. https://reviewboard.mozilla.org/r/60962/#review57984
Updated•8 years ago
|
Attachment #8765716 -
Flags: review?(cpearce) → review+
Comment 31•8 years ago
|
||
Comment on attachment 8765716 [details] Bug 1235183. Part 2 - remove unnecessary null-checks. https://reviewboard.mozilla.org/r/60964/#review57986
Comment 32•8 years ago
|
||
Comment on attachment 8765717 [details] Bug 1235183. Part 3 - move mChannel to ChannelLoader so it will be easier to create the channel asynchronously. https://reviewboard.mozilla.org/r/60966/#review57988
Attachment #8765717 -
Flags: review?(cpearce) → review+
Comment 33•8 years ago
|
||
Comment on attachment 8765718 [details] Bug 1235183. Part 4 - create channel asynchronously. https://reviewboard.mozilla.org/r/60968/#review57990
Attachment #8765718 -
Flags: review?(cpearce) → review+
Reporter | ||
Comment 34•8 years ago
|
||
Running on Firefox 47.0 with NoScript 2.9.0.12rc1, the site I originally offered as a repro case doesn't crash any more. So, testing the patched version against that won't be directly informative. Same on Youtube as linked from some of the dupes. Some page with targeted scripts to trigger this exact issue would make testing much easier.
Reporter | ||
Updated•8 years ago
|
Flags: needinfo?(unmobile+mozbugs)
Assignee | ||
Comment 35•8 years ago
|
||
https://treeherder.mozilla.org/logviewer.html#?job_id=22992495&repo=try#L6176 Hit an assertion when running dom/media/test/crashtests/459439-1.html. stack: [1833] ###!!! ASSERTION: Not loading during source selection?: 'mNetworkState == NETWORK_LOADING', file /builds/slave/try-lx-d-000000000000000000000/build/src/dom/html/HTMLMediaElement.cpp, line 960 #01: mozilla::dom::HTMLMediaElement::NoSupportedMediaSourceError [dom/html/HTMLMediaElement.cpp:959] #02: mozilla::dom::HTMLMediaElement::ChannelLoader::LoadInternal [dom/html/HTMLMediaElement.cpp:518] This is because an empty string [1] is not a valid URI. Therefore [2] LoadResource() won't be called to cancel the existing |mChannelLoader|. We need to cancel the existing |mChannelLoader| in AbortExistingLoads() as well. [1] https://hg.mozilla.org/mozilla-central/file/e45890951ce77c3df05575bd54072b9f300d77b0/dom/media/test/crashtests/459439-1.html#l27 [2] https://hg.mozilla.org/mozilla-central/file/e45890951ce77c3df05575bd54072b9f300d77b0/dom/html/HTMLMediaElement.cpp#l956
Assignee | ||
Comment 36•8 years ago
|
||
Review commit: https://reviewboard.mozilla.org/r/61166/diff/#index_header See other reviews: https://reviewboard.mozilla.org/r/61166/
Attachment #8766159 -
Flags: review?(cpearce)
Updated•8 years ago
|
Attachment #8766159 -
Flags: review?(cpearce) → review+
Comment 37•8 years ago
|
||
Comment on attachment 8766159 [details] Bug 1235183. Part 5 - per comment 35, cancel existing |mChannelLoader| in AbortExistingLoads(). https://reviewboard.mozilla.org/r/61166/#review58028
Comment 38•8 years ago
|
||
I'm not sure this helps, but it happened often when: * browsing reddit, using reddit enhancement suite extension, click to load a video from streamable.com, or a gif from gfycat (not sure if both, or just one anymore - I have been avoiding this as the crashes are extremely frustrating) * loading www.bancobest.pt
Comment 39•8 years ago
|
||
Pushed by jwwang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/87ff4b8ecd9a Part 1 - fix coding styles. r=cpearce https://hg.mozilla.org/integration/autoland/rev/c88734b5bf9b Part 2 - remove unnecessary null-checks. r=cpearce https://hg.mozilla.org/integration/autoland/rev/f03f55222c0d Part 3 - move mChannel to ChannelLoader so it will be easier to create the channel asynchronously. r=cpearce https://hg.mozilla.org/integration/autoland/rev/d80a90575e2d Part 4 - create channel asynchronously. r=cpearce https://hg.mozilla.org/integration/autoland/rev/9eea8021987a Part 5 - per comment 35, cancel existing |mChannelLoader| in AbortExistingLoads(). r=cpearce
Comment 40•8 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/87ff4b8ecd9a https://hg.mozilla.org/mozilla-central/rev/c88734b5bf9b https://hg.mozilla.org/mozilla-central/rev/f03f55222c0d https://hg.mozilla.org/mozilla-central/rev/d80a90575e2d https://hg.mozilla.org/mozilla-central/rev/9eea8021987a
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox50:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Comment 41•8 years ago
|
||
Crash volume for signature 'mozilla::CycleCollectedJSRuntime::ProcessMetastableStateQueue': - nightly (version 50): 2 crashes from 2016-06-06. - aurora (version 49): 17 crashes from 2016-06-07. - beta (version 48): 223 crashes from 2016-06-06. - release (version 47): 2449 crashes from 2016-05-31. - esr (version 45): 149 crashes from 2016-04-07. Crash volume on the last weeks: Week N-1 Week N-2 Week N-3 Week N-4 Week N-5 Week N-6 Week N-7 - nightly 1 0 0 0 1 0 0 - aurora 2 5 2 3 5 0 0 - beta 33 26 18 24 44 61 14 - release 311 270 372 380 400 416 163 - esr 3 1 9 30 26 21 9 Affected platforms: Windows, Mac OS X, Linux
status-firefox47:
--- → affected
status-firefox48:
--- → affected
status-firefox49:
--- → affected
status-firefox-esr45:
--- → affected
Updated•8 years ago
|
Flags: needinfo?(ajones)
Comment 42•8 years ago
|
||
Wasn't this bug supposed to be fixed in v50? I'm still getting it. https://crash-stats.mozilla.com/report/index/08497341-310e-44b9-9656-bd5d22161119
Flags: needinfo?(jwwang)
Assignee | ||
Comment 43•8 years ago
|
||
(In reply to ReggX from comment #42) > Wasn't this bug supposed to be fixed in v50? I'm still getting it. > > https://crash-stats.mozilla.com/report/index/08497341-310e-44b9-9656- > bd5d22161119 It looks like there are still other callsites spinning the event loop in the stable state. However, I can't tell which from the call stack. Maybe a DOM or JS peer should check this issue.
Flags: needinfo?(jwwang) → needinfo?(bugs)
Comment 44•8 years ago
|
||
I filed another bug recently. https://crash-stats.mozilla.com/report/index/08497341-310e-44b9-9656-bd5d22161119 doesn't seem to be unfortunately too useful.
Flags: needinfo?(bugs)
Comment 45•8 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #44) > I filed another bug recently. > > > https://crash-stats.mozilla.com/report/index/08497341-310e-44b9-9656- > bd5d22161119 doesn't seem to be unfortunately too useful. Bug number?
You need to log in
before you can comment on or make changes to this bug.
Description
•