Closed
Bug 1419802
Opened 7 years ago
Closed 6 years ago
Assertion failure: ObserverCount() == mEarlyRunners.Length() (observers, except pending selection scrolls, should have been unregistered), at /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1185
Categories
(Core :: Layout, defect, P3)
Tracking
()
RESOLVED
FIXED
mozilla62
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox-esr60 | --- | wontfix |
| firefox60 | --- | wontfix |
| firefox61 | --- | wontfix |
| firefox62 | --- | fixed |
People
(Reporter: jkratzer, Assigned: emilio)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Attachments
(4 files)
Testcase found while fuzzing mozilla-central rev 5378dcb45044.
==31186==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9884d72968 bp 0x7ffd38988370 sp 0x7ffd38988340 T0)
==31186==The signal is caused by a WRITE memory access.
==31186==Hint: address points to the zero page.
#0 0x7f9884d72967 in nsRefreshDriver::~nsRefreshDriver() /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1182:3
#1 0x7f9884d72cad in nsRefreshDriver::~nsRefreshDriver() /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1181:1
#2 0x7f9880de7369 in mozilla::layers::TransactionIdAllocator::Release() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/layers/TransactionIdAllocator.h:21:3
#3 0x7f98830a533f in RefPtr<nsRefreshDriver>::operator=(decltype(nullptr)) /builds/worker/workspace/build/src/gfx/gl/../../mfbt/RefPtr.h:168:5
#4 0x7f9884efed1e in nsPresContext::~nsPresContext() /builds/worker/workspace/build/src/layout/base/nsPresContext.cpp:421:3
#5 0x7f9884f0e43d in nsRootPresContext::~nsRootPresContext() /builds/worker/workspace/build/src/layout/base/nsPresContext.cpp:3197:1
#6 0x7f987eec7866 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2729:25
#7 0x7f987eec6d5c in nsCycleCollector::FreeSnowWhite(bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2917:3
#8 0x7f987eece628 in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3925:3
#9 0x7f987eecdd7f in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3746:9
#10 0x7f987eecda54 in nsCycleCollector::ShutdownCollect() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3687:10
#11 0x7f987eed1f03 in nsCycleCollector_shutdown(bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4373:23
#12 0x7f987f088dfc in mozilla::ShutdownXPCOM(nsIServiceManager*) /builds/worker/workspace/build/src/xpcom/build/XPCOMInit.cpp:973:3
#13 0x7f9887c09c19 in XRE_TermEmbedding() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:224:3
#14 0x7f987fc023a5 in mozilla::ipc::ScopedXREEmbed::Stop() /builds/worker/workspace/build/src/ipc/glue/ScopedXREEmbed.cpp:108:5
#15 0x7f9887c0a414 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:707:16
#16 0x4ec36e in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
#17 0x4ec5c9 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280:18
#18 0x7f989e33582f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
#19 0x41e424 in _start (/home/forb1dden/builds/mc-asan-debug/firefox+0x41e424)Flags: in-testsuite?
|
||
Updated•7 years ago
|
Priority: -- → P3
| Comment hidden (Intermittent Failures Robot) |
| Comment hidden (Intermittent Failures Robot) |
|
Reporter | |
Comment 3•6 years ago
|
||
Additional testcase.
| Comment hidden (Intermittent Failures Robot) |
| Comment hidden (Intermittent Failures Robot) |
|
Assignee | |
Updated•6 years ago
|
Flags: needinfo?(emilio)
|
|
Assignee | |
Updated•6 years ago
|
Assignee: nobody → emilio
Flags: needinfo?(emilio)
|
|
Assignee | |
Comment 7•6 years ago
|
||
The leftover "observer" is the "view manager flush is scheduled" bit. I think it's fine to leave that bit set.
| Comment hidden (mozreview-request) |
|
||
Comment 9•6 years ago
|
||
Hmm, does the ScheduleViewManagerFlush call happen during PresShell::Destroy? That seems rather undesirable if it might restart timers (in nsRefreshDriver::EnsureTimerStarted and/or PresShell::ScheduleViewManagerFlush). Maybe it would be better to return early in PresShell::ScheduleViewManagerFlush instead if IsDestroying() is true?
Flags: needinfo?(emilio)
| Comment hidden (mozreview-request) |
|
|
||
Comment 12•6 years ago
|
||
| mozreview-review | ||
Comment on attachment 8979474 [details] Bug 1419802: Bailout from ScheduleViewManagerFlush if already destroying the shell. https://reviewboard.mozilla.org/r/245642/#review252250
Attachment #8979474 -
Flags: review?(mats) → review+
|
||
Comment 13•6 years ago
|
||
Pushed by ecoal95@gmail.com: https://hg.mozilla.org/integration/autoland/rev/91c6df51ea61 Bailout from ScheduleViewManagerFlush if already destroying the shell. r=mats
|
||
Comment 14•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/91c6df51ea61
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox62:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
|
||
Comment 15•6 years ago
|
||
I don't think we need to backport this, but feel free to change the status and request approval if you feel strongly otherwise.
status-firefox60:
--- → wontfix
status-firefox61:
--- → wontfix
status-firefox-esr52:
--- → unaffected
status-firefox-esr60:
--- → wontfix
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•