Closed
Bug 1424220
Opened 7 years ago
Closed 6 years ago
Crash in nsHtml5TreeOpExecutor::RunScript
Categories
(Core :: DOM: HTML Parser, defect, P2)
Tracking
()
RESOLVED
FIXED
mozilla59
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox57 | --- | unaffected |
| firefox58 | --- | wontfix |
| firefox59 | --- | fixed |
People
(Reporter: philipp, Assigned: hsivonen)
References
Details
(Keywords: crash, regression)
Crash Data
Attachments
(1 file)
This bug was filed from the Socorro interface and is report bp-32d12c86-4e43-4fc0-91d8-789160171208. ============================================================= Top 10 frames of crashing thread: 0 xul.dll nsHtml5TreeOpExecutor::RunScript parser/html/nsHtml5TreeOpExecutor.cpp:731 1 xul.dll nsHtml5TreeOperation::Perform parser/html/nsHtml5TreeOperation.cpp:986 2 xul.dll nsHtml5TreeOpExecutor::RunFlushLoop parser/html/nsHtml5TreeOpExecutor.cpp:492 3 xul.dll nsHtml5ExecutorReflusher::Run parser/html/nsHtml5TreeOpExecutor.cpp:56 4 xul.dll mozilla::SchedulerGroup::Runnable::Run xpcom/threads/SchedulerGroup.cpp:396 5 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1037 6 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:97 7 xul.dll mozilla::ipc::MessagePumpForChildProcess::Run ipc/glue/MessagePump.cpp:301 8 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:319 9 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:299 ============================================================= this crash signature seems to be regressing across platforms in 58 with "MOZ_RELEASE_ASSERT(mFlushState == eNotFlushing) (Tried to run script while flushing.)"
|
Assignee | |
Comment 1•7 years ago
|
||
So the parser has decided that the script is either a defer script or an async script, but after we've created a DOM element for the script and QIed it to nsIScriptElement, both GetScriptDeferred() and GetScriptAsync() returned false. It would be great to have steps to reproduce...
|
|
Assignee | |
Comment 2•7 years ago
|
||
Fortunately, the crash is very low volume. Still, it's odd that all the crashes are on Windows. One should expect this to be a cross-platform crash.
|
|
Assignee | |
Comment 3•7 years ago
|
||
(In reply to Henri Sivonen (:hsivonen) from comment #2) > Fortunately, the crash is very low volume. Still, it's odd that all the > crashes are on Windows. One should expect this to be a cross-platform crash. Maybe the MOZ_CRASH signature is different elsewhere?
|
|
Assignee | |
Comment 4•7 years ago
|
||
Single Linux crash with the same assertion but lacking stack trace: https://crash-stats.mozilla.com/report/index/9f485da0-11cd-4851-b6c6-282500171204
|
|
Assignee | |
Comment 5•7 years ago
|
||
Note to self: mCurrentHtmlScriptIsAsyncOrDefer is not part of snapshotted tree builder state on the assumption that snapshots are taken always at the end of a non-defer, non-async script. But should it always be set to false when restoring a snapshot?
|
||
Updated•7 years ago
|
Priority: -- → P2
|
||
Updated•6 years ago
|
| Comment hidden (mozreview-request) |
|
|
Assignee | |
Updated•6 years ago
|
Attachment #8942710 -
Flags: review?(bugs)
|
|
Assignee | |
Comment 7•6 years ago
|
||
The deletions of blank lines in the patch are artifacts of clang-format.
|
||
Comment 8•6 years ago
|
||
| mozreview-review | ||
Comment on attachment 8942710 [details] Bug 1424220 - Set mCurrentHtmlScriptIsAsyncOrDefer to false when restoring tree builder state. https://reviewboard.mozilla.org/r/212976/#review218798
Attachment #8942710 -
Flags: review?(bugs) → review+
|
|
Assignee | |
Updated•6 years ago
|
Assignee: nobody → hsivonen
Status: NEW → ASSIGNED
Pushed by hsivonen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/1565e46c8479 Set mCurrentHtmlScriptIsAsyncOrDefer to false when restoring tree builder state. r=smaug
|
|
Assignee | |
Comment 10•6 years ago
|
||
https://hg.mozilla.org/projects/htmlparser/rev/efc0c1019018bf7433d0e1553052c21cb471aafc Mozilla bug 1424220 - Set mCurrentHtmlScriptIsAsyncOrDefer to false when restoring tree builder state. r=smaug.
|
||
Comment 11•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/1565e46c8479
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
|
||
Comment 12•6 years ago
|
||
Crash volume for 58 doesn't look high enough to warrant consideration as a dot release ride-along, so calling this wontfix for 58. Feel free to set it back to affected and nominate for mozilla-release approval if you feel strongly otherwise, however.
You need to log in
before you can comment on or make changes to this bug.
Description
•