Closed Bug 1364570 Opened 3 years ago Closed 3 years ago

Assertion failure: !sRunningDispatcher || mAccessValid

Categories

(Core :: Networking, defect)

defect
Not set

Tracking

()

RESOLVED FIXED
mozilla55
Tracking Status
firefox55 --- fixed

People

(Reporter: aosmond, Assigned: billm)

Details

(Whiteboard: [necko-active])

Attachments

(2 files)

Attached file debug output log
Assertion failure: !sRunningDispatcher || mAccessValid, at /home/aosmond/dev/gecko-dev/obj-x86_64-pc-linux-gnu-notwr/dist/include/mozilla/SchedulerGroup.h:58

From gdb:

#0  0x00007f1b3796075d in nanosleep () at ../sysdeps/unix/syscall-template.S:84
#1  0x00007f1b379606aa in __sleep (seconds=0) at ../sysdeps/posix/sleep.c:55
#2  0x00007f1b2b5b6a66 in ah_crap_handler (signum=signum@entry=11) at /home/aosmond/dev/gecko-dev/toolkit/xre/nsSigHandlers.cpp:103
#3  0x00007f1b2b5b6aa6 in child_ah_crap_handler (signum=11) at /home/aosmond/dev/gecko-dev/toolkit/xre/nsSigHandlers.cpp:115
#4  0x00007f1b2bdef008 in js::UnixExceptionHandler (signum=11, info=0x7ffdeedab330, context=0x7ffdeedab200)
    at /home/aosmond/dev/gecko-dev/js/src/ds/MemoryProtectionExceptionHandler.cpp:267
#5  0x00007f1b2c1ae0b9 in WasmFaultHandler<(Signal)0> (signum=11, info=0x7ffdeedab330, context=0x7ffdeedab200)
    at /home/aosmond/dev/gecko-dev/js/src/wasm/WasmSignalHandlers.cpp:1298
#6  <signal handler called>
#7  mozilla::SchedulerGroup::ValidateAccess (this=<optimized out>) at /home/aosmond/dev/gecko-dev/obj-x86_64-pc-linux-gnu-notwr/dist/include/mozilla/SchedulerGroup.h:58
#8  mozilla::dom::DocGroup::ValidateAccess (this=<optimized out>) at /home/aosmond/dev/gecko-dev/obj-x86_64-pc-linux-gnu-notwr/dist/include/mozilla/dom/DocGroup.h:95
#9  nsDocument::GetEventTargetParent (this=<optimized out>, aVisitor=...) at /home/aosmond/dev/gecko-dev/dom/base/nsDocument.cpp:7994
#10 0x00007f1b29105ef5 in mozilla::EventTargetChainItem::GetEventTargetParent (this=this@entry=0x7f1b0c506080, aVisitor=...)
    at /home/aosmond/dev/gecko-dev/dom/events/EventDispatcher.cpp:389
#11 0x00007f1b291177a5 in mozilla::EventDispatcher::Dispatch (aTarget=aTarget@entry=0x7f1b027675c0, aPresContext=aPresContext@entry=0x0, aEvent=aEvent@entry=
    0x7f1b07758c40, aDOMEvent=aDOMEvent@entry=0x7f1b07758be0, aEventStatus=aEventStatus@entry=0x7ffdeedab9dc, aCallback=aCallback@entry=0x0, aTargets=0x0)
    at /home/aosmond/dev/gecko-dev/dom/events/EventDispatcher.cpp:790
#12 0x00007f1b29117d07 in mozilla::EventDispatcher::DispatchDOMEvent (aTarget=aTarget@entry=0x7f1b027675c0, aEvent=aEvent@entry=0x0, 
    aDOMEvent=aDOMEvent@entry=0x7f1b07758be0, aPresContext=aPresContext@entry=0x0, aEventStatus=aEventStatus@entry=0x7ffdeedab9dc)
    at /home/aosmond/dev/gecko-dev/dom/events/EventDispatcher.cpp:892
#13 0x00007f1b28434d2e in nsINode::DispatchEvent (this=0x7f1b027675c0, aEvent=0x7f1b07758be0, aRetVal=0x7ffdeedabaa0)
    at /home/aosmond/dev/gecko-dev/dom/base/nsINode.cpp:1337
#14 0x00007f1b281f7b53 in nsContentUtils::DispatchEvent (aDoc=<optimized out>, aTarget=<optimized out>, aEventName=..., aCanBubble=aCanBubble@entry=false, 
    aCancelable=aCancelable@entry=false, aTrusted=aTrusted@entry=true, aDefaultAction=0x0, aOnlyChromeDispatch=false)
    at /home/aosmond/dev/gecko-dev/dom/base/nsContentUtils.cpp:4346
#15 0x00007f1b281f7bc0 in nsContentUtils::DispatchTrustedEvent (aDoc=<optimized out>, aTarget=<optimized out>, aEventName=..., aCanBubble=aCanBubble@entry=false, 
    aCancelable=aCancelable@entry=false, aDefaultAction=aDefaultAction@entry=0x0) at /home/aosmond/dev/gecko-dev/dom/base/nsContentUtils.cpp:4315
#16 0x00007f1b27cc8f3c in nsPrefetchService::DispatchEvent (this=<optimized out>, node=node@entry=0x7f1afe9dd200, aSuccess=true)
    at /home/aosmond/dev/gecko-dev/uriloader/prefetch/nsPrefetchService.cpp:503
#17 0x00007f1b27cd6d3f in nsPrefetchNode::OnStopRequest (this=0x7f1afe9dd200, aRequest=<optimized out>, aContext=<optimized out>, aStatus=-2142568446)
    at /home/aosmond/dev/gecko-dev/uriloader/prefetch/nsPrefetchService.cpp:287
#18 0x00007f1b2722deef in mozilla::net::HttpChannelChild::DoOnStopRequest (this=this@entry=0x7f1af4067000, aRequest=aRequest@entry=0x7f1af4067080, 
    aChannelStatus=nsresult::NS_OK, aContext=0x0) at /home/aosmond/dev/gecko-dev/netwerk/protocol/http/HttpChannelChild.cpp:1112
#19 0x00007f1b27245948 in mozilla::net::HttpChannelChild::OnStopRequest (this=0x7f1af4067000, channelStatus=@0x7f1aeac7b750: nsresult::NS_OK, timing=...)
    at /home/aosmond/dev/gecko-dev/netwerk/protocol/http/HttpChannelChild.cpp:1043
#20 0x00007f1b272696eb in mozilla::net::StopRequestEvent::Run (this=<optimized out>) at /home/aosmond/dev/gecko-dev/netwerk/protocol/http/HttpChannelChild.cpp:892
#21 0x00007f1b271f5808 in mozilla::net::ChannelEventQueue::RunOrEnqueue (this=0x7f1aea4ffb00, aCallback=0x7f1aeac7b740, aAssertionWhenNotQueued=false)
    at /home/aosmond/dev/gecko-dev/obj-x86_64-pc-linux-gnu-notwr/dist/include/mozilla/net/ChannelEventQueue.h:180
#22 0x00007f1b2723b535 in mozilla::net::HttpChannelChild::RecvOnStopRequest (this=0x7f1af4067000, channelStatus=<optimized out>, timing=...)
    at /home/aosmond/dev/gecko-dev/netwerk/protocol/http/HttpChannelChild.cpp:915
#23 0x00007f1b27562014 in mozilla::net::PHttpChannelChild::OnMessageReceived (this=0x7f1af4067000, msg__=...)
    at /home/aosmond/dev/gecko-dev/obj-x86_64-pc-linux-gnu-notwr/ipc/ipdl/PHttpChannelChild.cpp:726
#24 0x00007f1b27a1d42a in mozilla::dom::PContentChild::OnMessageReceived (this=0x7f1b37426020, msg__=...)
    at /home/aosmond/dev/gecko-dev/obj-x86_64-pc-linux-gnu-notwr/ipc/ipdl/PContentChild.cpp:5601
#25 0x00007f1b27421f57 in mozilla::ipc::MessageChannel::DispatchAsyncMessage (this=this@entry=0x7f1b37426140, aMsg=...)
    at /home/aosmond/dev/gecko-dev/ipc/glue/MessageChannel.cpp:2040
#26 0x00007f1b2742e3c2 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) (this=this@entry=0x7f1b37426140, 
    aMsg=aMsg@entry=<unknown type in /home/aosmond/dev/gecko-dev/obj-x86_64-pc-linux-gnu-notwr/dist/bin/libxul.so, CU 0x31cd69c, DIE 0x32bd127>)
    at /home/aosmond/dev/gecko-dev/ipc/glue/MessageChannel.cpp:1975
#27 0x00007f1b274304f7 in mozilla::ipc::MessageChannel::RunMessage (this=0x7f1b37426140, aTask=...) at /home/aosmond/dev/gecko-dev/ipc/glue/MessageChannel.cpp:1844
#28 0x00007f1b27430761 in mozilla::ipc::MessageChannel::MessageTask::Run (this=0x7f1ae99fa020) at /home/aosmond/dev/gecko-dev/ipc/glue/MessageChannel.cpp:1877
#29 0x00007f1b26ddce66 in mozilla::SchedulerGroup::Runnable::Run (this=0x7f1aeb1c5500) at /home/aosmond/dev/gecko-dev/xpcom/threads/SchedulerGroup.cpp:370
#30 0x00007f1b26dff02f in nsThread::ProcessNextEvent (this=0x7f1b2447ee80, aMayWait=<optimized out>, aResult=0x7ffdeedac747)
    at /home/aosmond/dev/gecko-dev/xpcom/threads/nsThread.cpp:1270
#31 0x00007f1b26e033a0 in NS_ProcessNextEvent (aThread=aThread@entry=0x7f1b2447ee80, aMayWait=aMayWait@entry=false)
    at /home/aosmond/dev/gecko-dev/xpcom/threads/nsThreadUtils.cpp:393
#32 0x00007f1b27428b0a in mozilla::ipc::MessagePump::Run (this=this@entry=0x7f1b374d2290, aDelegate=aDelegate@entry=0x7ffdeedacaa0)
    at /home/aosmond/dev/gecko-dev/ipc/glue/MessagePump.cpp:96
#33 0x00007f1b27428d7a in mozilla::ipc::MessagePumpForChildProcess::Run (this=0x7f1b374d2290, aDelegate=0x7ffdeedacaa0)
    at /home/aosmond/dev/gecko-dev/ipc/glue/MessagePump.cpp:301
#34 0x00007f1b273a621d in MessageLoop::RunInternal (this=this@entry=0x7ffdeedacaa0) at /home/aosmond/dev/gecko-dev/ipc/chromium/src/base/message_loop.cc:238
#35 0x00007f1b273a6241 in MessageLoop::RunHandler (this=this@entry=0x7ffdeedacaa0) at /home/aosmond/dev/gecko-dev/ipc/chromium/src/base/message_loop.cc:231
#36 0x00007f1b273a644e in MessageLoop::Run (this=0x7ffdeedacaa0) at /home/aosmond/dev/gecko-dev/ipc/chromium/src/base/message_loop.cc:211
#37 0x00007f1b29d84873 in nsBaseAppShell::Run (this=0x7f1b1c4506d0) at /home/aosmond/dev/gecko-dev/widget/nsBaseAppShell.cpp:156
#38 0x00007f1b2b5b3ed4 in XRE_RunAppShell () at /home/aosmond/dev/gecko-dev/toolkit/xre/nsEmbedFunctions.cpp:893
#39 0x00007f1b27428c8d in mozilla::ipc::MessagePumpForChildProcess::Run (this=0x7f1b374d2290, aDelegate=0x7ffdeedacaa0)
    at /home/aosmond/dev/gecko-dev/ipc/glue/MessagePump.cpp:269
#40 0x00007f1b273a621d in MessageLoop::RunInternal (this=this@entry=0x7ffdeedacaa0) at /home/aosmond/dev/gecko-dev/ipc/chromium/src/base/message_loop.cc:238
#41 0x00007f1b273a6241 in MessageLoop::RunHandler (this=this@entry=0x7ffdeedacaa0) at /home/aosmond/dev/gecko-dev/ipc/chromium/src/base/message_loop.cc:231
#42 0x00007f1b273a644e in MessageLoop::Run (this=this@entry=0x7ffdeedacaa0) at /home/aosmond/dev/gecko-dev/ipc/chromium/src/base/message_loop.cc:211
#43 0x00007f1b2b5b4e04 in XRE_InitChildProcess (aArgc=13, aArgv=0x7ffdeedacde8, aChildData=<optimized out>)
    at /home/aosmond/dev/gecko-dev/toolkit/xre/nsEmbedFunctions.cpp:709
#44 0x00007f1b2b5c2ba5 in mozilla::BootstrapImpl::XRE_InitChildProcess (this=<optimized out>, argc=<optimized out>, argv=<optimized out>, aChildData=<optimized out>)
    at /home/aosmond/dev/gecko-dev/toolkit/xre/Bootstrap.cpp:65
#45 0x0000000000405e3f in content_process_main (bootstrap=0x7f1b374b70a8, argc=15, argc@entry=16, argv=argv@entry=0x7ffdeedacde8)
    at /home/aosmond/dev/gecko-dev/browser/app/../../ipc/contentproc/plugin-container.cpp:64
#46 0x000000000040619e in main (argc=16, argv=0x7ffdeedacde8, envp=0x7ffdeedace70) at /home/aosmond/dev/gecko-dev/browser/app/nsBrowserApp.cpp:285
This was reproduced off mozilla-central hg rev 96b36c5f527d, debug build.

STR:
1) Set dom.ipc.processCount to 1.
2) Open 4 tabs and browse to cbc.ca, thestar.com, nationalpost.com and images.google.ca.
3) Cycled quickly between the tabs until a crash occurred. Have also observed it on closing tabs.

Not a super high reproduce rate, but enough that I have done it a half dozen times today on different builds.
I had seen this assertion before when I tried to label runnables as SystemGroup in HttpChannelChild. But, we don't use SystemGroup in HttpChannelChild anymore, instead, we only label runnables if we can get a valid event target by |nsContentUtils::GetEventTargetByLoadInfo|.

I think this bug should have something to to with labeling in HttpChannelChild.
:billm, could you take a look at this assertion? Thanks.
Flags: needinfo?(wmccloskey)
Assignee: nobody → wmccloskey
Flags: needinfo?(wmccloskey)
Flags: needinfo?(wmccloskey)
Duplicate of this bug: 1365184
another url to reproduce is 

Load -> https://online.citi.com/US/login.do?JFP_TOKEN=2017TCBC --Note that is of course not the original reported url but found out even with this fictive token the crash is reproducible
Whiteboard: [necko-active]
Attached patch patchSplinter Review
I wasn't able to reproduce this, but I think I know what's going on. The commit message and the patch have some explanation.
Flags: needinfo?(wmccloskey)
Attachment #8869629 - Flags: review?(bzbarsky)
Comment on attachment 8869629 [details] [diff] [review]
patch

We should really recheck the IsInComposedDoc() right before the actual dispatch, because the contract for this stuff is that if you remove the node before getting onload/onerror you don't get the events.

Past that, people are certainly supposed to be listening for these events; we added them at the explicit request of prefetch consumers like Amazon.  But I agree that the extra trip through the event loop shouldn't be a big deal in practice.

r=me if we recheck the IsInComposedDoc() bit when the AsyncEventDispatcher runnable runs, before firing the event.  I wonder whether we can just add a "check that we're still in the doc" boolean arg to AsyncEventDispatcher..
Attachment #8869629 - Flags: review?(bzbarsky) → review+
Pushed by wmccloskey@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/eeb73d8c0542
Dispatch link prefetch events asynchronously to avoid DocGroup mismatches (r=bz)
Pushed by wmccloskey@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/b67b7ae74a45
Dispatch link prefetch events asynchronously to avoid DocGroup mismatches (r=bz)
https://hg.mozilla.org/mozilla-central/rev/b67b7ae74a45
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
You need to log in before you can comment on or make changes to this bug.