1423202 - Assertion failure: aTerminated || mDocument->GetReadyStateEnum() == nsIDocument::READYSTATE_LOADING (Bad readyState), at /builds/worker/workspace/build/src/dom/base/nsContentSink.cpp:1543

Status: RESOLVED WORKSFORME

(Core :: DOM: Core & HTML, defect, P3)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase

Testcase found while fuzzing mozilla-central rev b4cef8d1dff0.

==24028==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe6f4fbe0a6 bp 0x7fff0eda87b0 sp 0x7fff0eda8790 T0)
==24028==The signal is caused by a WRITE memory access.
==24028==Hint: address points to the zero page.
    #0 0x7fe6f4fbe0a5 in nsContentSink::DidBuildModelImpl(bool) /builds/worker/workspace/build/src/dom/base/nsContentSink.cpp:1541:5
    #1 0x7fe6f4230f7a in nsHtml5TreeOpExecutor::DidBuildModel(bool) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:169:3
    #2 0x7fe6f423285a in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:527:7
    #3 0x7fe6f423c7e4 in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:130:20
    #4 0x7fe6f277dfb9 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
    #5 0x7fe6f27b51bc in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1033:14
    #6 0x7fe6f27d7938 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:508:10
    #7 0x7fe6f33da8b3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #8 0x7fe6f33207a8 in MessageLoop::RunInternal() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #9 0x7fe6f332062c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299:3
    #10 0x7fe6f838fc8a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #11 0x7fe6fb884f80 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:865:22
    #12 0x7fe6f33db515 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:269:9
    #13 0x7fe6f33207a8 in MessageLoop::RunInternal() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #14 0x7fe6f332062c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299:3
    #15 0x7fe6fb8846de in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:691:34
    #16 0x4ef336 in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #17 0x4ef5be in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280:18
    #18 0x7fe7120c382f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

Comment 1

[Hsin-Yi Tsai (she/her)[:hsinyi]]

Alphan has been investigated code in nsContentSink. He may be able to tell us what's up here.

Comment 2

[Alphan Chen [:alchen]]

Try to run attachment 8934540 [details].
mDocument->GetReadyStateEnum() is READYSTATE_COMPLETE.

Assertion failure: aTerminated || mDocument->GetReadyStateEnum() == nsIDocument::READYSTATE_LOADING (Bad readyState), at .../gecko-cinnabar/dom/base/nsContentSink.cpp:1545


Also found another assertion failure:
ASSERTION: Bad readystate: 'mDocument->IsXULDocument() || mDocument->GetReadyStateEnum() == nsIDocument::READYSTATE_INTERACTIVE || (mDocument->GetReadyStateEnum() == nsIDocument::READYSTATE_UNINITIALIZED && NS_IsAboutBlank(mDocument->GetDocumentURI()))', file .../layout/base/nsDocumentViewer.cpp, line 1035

In this case, mDocument->GetReadyStateEnum() is READYSTATE_COMPLETE.


I think this may not related to nsContentSink itself.

Comment 3

[Alphan Chen [:alchen]]

(In reply to Alphan Chen [:alchen] from comment #2)
> 
> 
> Also found another assertion failure:
> ASSERTION: Bad readystate: 'mDocument->IsXULDocument() ||
> mDocument->GetReadyStateEnum() == nsIDocument::READYSTATE_INTERACTIVE ||
> (mDocument->GetReadyStateEnum() == nsIDocument::READYSTATE_UNINITIALIZED &&
> NS_IsAboutBlank(mDocument->GetDocumentURI()))', file
> .../layout/base/nsDocumentViewer.cpp, line 1035
> 
> In this case, mDocument->GetReadyStateEnum() is READYSTATE_COMPLETE.
Sorry, the value should be READYSTATE_LOADING.

Comment 4

[Alphan Chen [:alchen]]

It is a nasty loop in the attachment 8934540 [details].
Look like the behavior of nsDocument doesn't complete before starting another document load.
Will try to find out the root cause later.

Comment 5

[Alphan Chen [:alchen]]

Update the latest finding.

In my local side, I saw the following error before the assertion happening.
JavaScript error: file:///home/alphan/Downloads/1208-fuzzy-bug/trigger.html, line 18: NetworkError: A network error occurred.

After removing "XHR.send();", the test can run more than 10 minutes without error.

Comment 6

[Alphan Chen [:alchen]]

The symptom will also be gone if I remove "o2.submit()" from function "frameLoad_1()."

Comment 7

[Henri Sivonen (:hsivonen)]

jkratzer, I can't repro this. Does this repro for you?

Comment 8

[Jason Kratzer [:jkratzer]]

(In reply to Henri Sivonen (:hsivonen) from comment #7)

jkratzer, I can't repro this. Does this repro for you?

I cannot. I tried to reproduce it using mozilla-central rev 32d6a3f1f83c (20200320095353) which is the oldest available build on taskcluster. I think we can probably close this for now.

Comment 9

[Henri Sivonen (:hsivonen)]

Thanks.