Open Bug 1429550 Opened 2 years ago Updated 1 year ago

Assertion failure: !nsContentUtils::IsInStableOrMetaStableState(), at /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:640

Categories

(Core :: Audio/Video: Playback, defect, P3)

59 Branch
defect

Tracking

()

Tracking Status
firefox59 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase-wanted)

Attachments

(2 files)

Found while fuzzing mozilla-central rev e4de69553e3f.  I don't currently have a testcase but will update if one is found.

OS|Linux|0.0.0 Linux 4.4.0-1041-aws #50-Ubuntu SMP Wed Nov 15 22:18:17 UTC 2017 x86_64
CPU|amd64|family 6 model 63 stepping 2|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::EventDispatcher::Dispatch|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:e4de69553e3f|745|0x18
0|1|libxul.so|mozilla::layers::FocusTarget::FocusTarget|hg:hg.mozilla.org/mozilla-central:gfx/layers/apz/src/FocusTarget.cpp:e4de69553e3f|85|0x22
0|2|libxul.so|mozilla::PresShell::Paint|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:e4de69553e3f|6367|0x5
0|3|libxul.so|mozilla::dom::TabChild::RecvRenderLayers|hg:hg.mozilla.org/mozilla-central:dom/ipc/TabChild.cpp:e4de69553e3f|2778|0x1f
0|4|libxul.so|mozilla::dom::TabChild::ForcePaint|hg:hg.mozilla.org/mozilla-central:dom/ipc/TabChild.cpp:e4de69553e3f|3581|0x13
0|5|libxul.so|InterruptCallback|hg:hg.mozilla.org/mozilla-central:dom/ipc/ProcessHangMonitor.cpp:e4de69553e3f|346|0x14
0|6|libxul.so|InvokeInterruptCallback|hg:hg.mozilla.org/mozilla-central:js/src/vm/Runtime.cpp:e4de69553e3f|534|0x5
0|7|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:e4de69553e3f|2133|0x5
0|8|libxul.so|js::RunScript|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:e4de69553e3f|423|0xb
0|9|libxul.so|js::InternalCallOrConstruct|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:e4de69553e3f|495|0xf
0|10|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:e4de69553e3f|522|0xd
0|11|libxul.so|js::Call|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:e4de69553e3f|541|0x5
0|12|libxul.so|JS_CallFunctionValue|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:e4de69553e3f|2970|0xf
0|13|libxul.so|nsXPCWrappedJSClass::CallMethod|hg:hg.mozilla.org/mozilla-central:js/xpconnect/src/XPCWrappedJSClass.cpp:e4de69553e3f|1317|0x5
0|14|libxul.so|PrepareAndDispatch|hg:hg.mozilla.org/mozilla-central:xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:e4de69553e3f|120|0x16
0|15|libxul.so|SharedStub|||0x5b
0|16|libxul.so|nsComponentManagerImpl::CreateInstanceByContractID|hg:hg.mozilla.org/mozilla-central:xpcom/components/nsComponentManager.cpp:e4de69553e3f|1086|0x1d
0|17|libxul.so|nsCreateInstanceByContractID::operator()|hg:hg.mozilla.org/mozilla-central:xpcom/components/nsComponentManagerUtils.cpp:e4de69553e3f|197|0xa
0|18|libxul.so|mozilla::dom::WebVTTListener::LoadResource|hg:hg.mozilla.org/mozilla-central:xpcom/base/nsCOMPtr.h:e4de69553e3f|1250|0x6
0|19|libxul.so|mozilla::dom::HTMLTrackElement::LoadResource|hg:hg.mozilla.org/mozilla-central:dom/html/HTMLTrackElement.cpp:e4de69553e3f|337|0x5
0|20|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::HTMLTrackElement*, void (mozilla::dom::HTMLTrackElement::*)(), true, (mozilla::RunnableKind)0u>::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:e4de69553e3f|1142|0x13
0|21|libxul.so|mozilla::CycleCollectedJSContext::ProcessStableStateQueue|hg:hg.mozilla.org/mozilla-central:xpcom/base/CycleCollectedJSContext.cpp:e4de69553e3f|308|0x11
0|22|libxul.so|mozilla::CycleCollectedJSContext::AfterProcessTask|hg:hg.mozilla.org/mozilla-central:xpcom/base/CycleCollectedJSContext.cpp:e4de69553e3f|368|0x8
0|23|libxul.so|XPCJSContext::AfterProcessTask|hg:hg.mozilla.org/mozilla-central:js/xpconnect/src/XPCJSContext.cpp:e4de69553e3f|1252|0xb
0|24|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:e4de69553e3f|1056|0x9
0|25|libxul.so|NS_ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:e4de69553e3f|517|0x11
0|26|libxul.so|nsThread::Shutdown|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:e4de69553e3f|323|0xd
0|27|libxul.so|mozilla::MediaStreamGraphShutdownThreadRunnable::Run|hg:hg.mozilla.org/mozilla-central:dom/media/GraphDriver.cpp:e4de69553e3f|140|0x15
0|28|libxul.so|mozilla::EventTargetWrapper::Runner::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/AbstractThread.cpp:e4de69553e3f|150|0x6
0|29|libxul.so|mozilla::SchedulerGroup::Runnable::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:e4de69553e3f|395|0x1c
0|30|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:e4de69553e3f|1040|0x15
0|31|libxul.so|NS_ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:e4de69553e3f|517|0x11
0|32|libxul.so|nsThread::Shutdown|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:e4de69553e3f|323|0xd
0|33|libxul.so|mozilla::MediaStreamGraphShutdownThreadRunnable::Run|hg:hg.mozilla.org/mozilla-central:dom/media/GraphDriver.cpp:e4de69553e3f|140|0x15
0|34|libxul.so|mozilla::EventTargetWrapper::Runner::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/AbstractThread.cpp:e4de69553e3f|150|0x6
0|35|libxul.so|mozilla::SchedulerGroup::Runnable::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:e4de69553e3f|395|0x1c
0|36|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:e4de69553e3f|1040|0x15
0|37|libxul.so|NS_ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:e4de69553e3f|517|0x11
0|38|libxul.so|nsThread::Shutdown|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:e4de69553e3f|323|0xd
0|39|libxul.so|mozilla::MediaStreamGraphShutdownThreadRunnable::Run|hg:hg.mozilla.org/mozilla-central:dom/media/GraphDriver.cpp:e4de69553e3f|140|0x15
0|40|libxul.so|mozilla::EventTargetWrapper::Runner::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/AbstractThread.cpp:e4de69553e3f|150|0x6
0|41|libxul.so|mozilla::SchedulerGroup::Runnable::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:e4de69553e3f|395|0x1c
0|42|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:e4de69553e3f|1040|0x15
0|43|libxul.so|NS_ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:e4de69553e3f|517|0x11
0|44|libxul.so|nsThread::Shutdown|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:e4de69553e3f|323|0xd
0|45|libxul.so|mozilla::MediaStreamGraphShutdownThreadRunnable::Run|hg:hg.mozilla.org/mozilla-central:dom/media/GraphDriver.cpp:e4de69553e3f|140|0x15
0|46|libxul.so|mozilla::EventTargetWrapper::Runner::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/AbstractThread.cpp:e4de69553e3f|150|0x6
0|47|libxul.so|mozilla::SchedulerGroup::Runnable::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:e4de69553e3f|395|0x1c
0|48|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:e4de69553e3f|1040|0x15
0|49|libxul.so|NS_ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:e4de69553e3f|517|0x11
0|50|libxul.so|nsThread::Shutdown|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:e4de69553e3f|323|0xd
0|51|libxul.so|mozilla::MediaStreamGraphShutdownThreadRunnable::Run|hg:hg.mozilla.org/mozilla-central:dom/media/GraphDriver.cpp:e4de69553e3f|140|0x15
0|52|libxul.so|mozilla::EventTargetWrapper::Runner::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/AbstractThread.cpp:e4de69553e3f|150|0x6
0|53|libxul.so|mozilla::SchedulerGroup::Runnable::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:e4de69553e3f|395|0x1c
0|54|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:e4de69553e3f|1040|0x15
0|55|libxul.so|NS_ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:e4de69553e3f|517|0x11
0|56|libxul.so|nsThread::Shutdown|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:e4de69553e3f|323|0xd
0|57|libxul.so|mozilla::MediaStreamGraphShutdownThreadRunnable::Run|hg:hg.mozilla.org/mozilla-central:dom/media/GraphDriver.cpp:e4de69553e3f|140|0x15
0|58|libxul.so|mozilla::EventTargetWrapper::Runner::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/AbstractThread.cpp:e4de69553e3f|150|0x6
0|59|libxul.so|mozilla::SchedulerGroup::Runnable::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:e4de69553e3f|395|0x1c
0|60|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:e4de69553e3f|1040|0x15
0|61|libxul.so|NS_ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:e4de69553e3f|517|0x11
0|62|libxul.so|nsThread::Shutdown|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:e4de69553e3f|323|0xd
0|63|libxul.so|mozilla::MediaStreamGraphShutdownThreadRunnable::Run|hg:hg.mozilla.org/mozilla-central:dom/media/GraphDriver.cpp:e4de69553e3f|140|0x15
0|64|libxul.so|mozilla::EventTargetWrapper::Runner::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/AbstractThread.cpp:e4de69553e3f|150|0x6
0|65|libxul.so|mozilla::SchedulerGroup::Runnable::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:e4de69553e3f|395|0x1c
0|66|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:e4de69553e3f|1040|0x15
0|67|libxul.so|NS_ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:e4de69553e3f|517|0x11
0|68|libxul.so|nsThread::Shutdown|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:e4de69553e3f|323|0xd
0|69|libxul.so|mozilla::MediaStreamGraphShutdownThreadRunnable::Run|hg:hg.mozilla.org/mozilla-central:dom/media/GraphDriver.cpp:e4de69553e3f|140|0x15
0|70|libxul.so|mozilla::EventTargetWrapper::Runner::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/AbstractThread.cpp:e4de69553e3f|150|0x6
0|71|libxul.so|mozilla::SchedulerGroup::Runnable::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:e4de69553e3f|395|0x1c
0|72|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:e4de69553e3f|1040|0x15
0|73|libxul.so|NS_ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:e4de69553e3f|517|0x11
0|74|libxul.so|nsThread::Shutdown|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:e4de69553e3f|323|0xd
0|75|libxul.so|mozilla::MediaStreamGraphShutdownThreadRunnable::Run|hg:hg.mozilla.org/mozilla-central:dom/media/GraphDriver.cpp:e4de69553e3f|140|0x15
0|76|libxul.so|mozilla::EventTargetWrapper::Runner::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/AbstractThread.cpp:e4de69553e3f|150|0x6
0|77|libxul.so|mozilla::SchedulerGroup::Runnable::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:e4de69553e3f|395|0x1c
0|78|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:e4de69553e3f|1040|0x15
0|79|libxul.so|NS_ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:e4de69553e3f|517|0x11
0|80|libxul.so|nsThread::Shutdown|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:e4de69553e3f|323|0xd
0|81|libxul.so|mozilla::MediaStreamGraphShutdownThreadRunnable::Run|hg:hg.mozilla.org/mozilla-central:dom/media/GraphDriver.cpp:e4de69553e3f|140|0x15
0|82|libxul.so|mozilla::EventTargetWrapper::Runner::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/AbstractThread.cpp:e4de69553e3f|150|0x6
0|83|libxul.so|mozilla::SchedulerGroup::Runnable::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:e4de69553e3f|395|0x1c
0|84|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:e4de69553e3f|1040|0x15
0|85|libxul.so|NS_ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:e4de69553e3f|517|0x11
0|86|libxul.so|nsThread::Shutdown|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:e4de69553e3f|323|0xd
0|87|libxul.so|mozilla::MediaStreamGraphShutdownThreadRunnable::Run|hg:hg.mozilla.org/mozilla-central:dom/media/GraphDriver.cpp:e4de69553e3f|140|0x15
0|88|libxul.so|mozilla::EventTargetWrapper::Runner::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/AbstractThread.cpp:e4de69553e3f|150|0x6
0|89|libxul.so|mozilla::SchedulerGroup::Runnable::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:e4de69553e3f|395|0x1c
0|90|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:e4de69553e3f|1040|0x15
0|91|libxul.so|NS_ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:e4de69553e3f|517|0x11
0|92|libxul.so|nsThread::Shutdown|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:e4de69553e3f|323|0xd
0|93|libxul.so|mozilla::MediaStreamGraphShutdownThreadRunnable::Run|hg:hg.mozilla.org/mozilla-central:dom/media/GraphDriver.cpp:e4de69553e3f|140|0x15
0|94|libxul.so|mozilla::EventTargetWrapper::Runner::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/AbstractThread.cpp:e4de69553e3f|150|0x6
0|95|libxul.so|mozilla::SchedulerGroup::Runnable::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:e4de69553e3f|395|0x1c
0|96|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:e4de69553e3f|1040|0x15
0|97|libxul.so|NS_ProcessNextEvent|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:e4de69553e3f|517|0x11
0|98|libxul.so|nsThread::Shutdown|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:e4de69553e3f|323|0xd
0|99|libxul.so|mozilla::MediaStreamGraphShutdownThreadRunnable::Run|hg:hg.mozilla.org/mozilla-central:dom/media/GraphDriver.cpp:e4de69553e3f|140|0x15
0|100|libxul.so|mozilla::EventTargetWrapper::Runner::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/AbstractThread.cpp:e4de69553e3f|150|0x6
0|101|libxul.so|mozilla::SchedulerGroup::Runnable::Run|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:e4de69553e3f|395|0x1c
Hey Bevis, do you have an idea how that assert could trigger given this stack?
Flags: needinfo?(btseng)
This is an issue in HTMLTrackElement::LoadResource. It does stuff during stable state it shouldn't.
Blocks: 1281418
Component: DOM: Events → DOM: Core & HTML
Flags: needinfo?(btseng) → needinfo?(bechen)
Component: DOM: Core & HTML → Audio/Video: Playback
Priority: -- → P3
stack 16 |nsComponentManagerImpl::CreateInstanceByContractID|components/nsComponentManager.cpp:e4de69553e3f|1086|0x1d

https://searchfox.org/mozilla-central/source/dom/media/WebVTTListener.cpp#58
WebVTTListener::LoadResource() just create a js instance then

stack 5 |InterruptCallback|ipc/ProcessHangMonitor.cpp:e4de69553e3f|346|0x14

https://searchfox.org/mozilla-central/source/dom/ipc/ProcessHangMonitor.cpp#325-349
if (forcePaint) {
  RefPtr<TabChild> tabChild = TabChild::FindTabChild(forcePaintTab);

stack 4 |TabChild::ForcePaint|hg:hg.mozilla.org/mozilla-central:dom/ipc/TabChild.cpp:e4de69553e3f|3581|0x13

====

Look like the TabChild::ForcePaint fire the event.
Maybe we should modify HangMonitorChild::InterruptCallback()?
Flags: needinfo?(bechen)
Hmm, it is possible that we shouldn't interrupt when chrome JS is running. 
Perhaps mccr8 has some opinion here, or know who might have.
Flags: needinfo?(continuation)
(In reply to Olli Pettay [:smaug] (please try to find other reviewers for non-web components patches) from comment #4)
> Hmm, it is possible that we shouldn't interrupt when chrome JS is running. 
> Perhaps mccr8 has some opinion here, or know who might have.

I'm not sure what this meta stable thing is. JS isn't supposed to be run during painting, but I guess this event dispatch thing doesn't run JS? Disabling tab switch painting while chrome is running would reduce its effectiveness, though we could in theory address problems there ourselves. Is this WebVTT code really never going to run from content?

I'm somewhat familiar with this mechanism (it was added in bug 1279086). mconley might be, too.
Flags: needinfo?(continuation)
See Also: → 1453584
Is there any test case for this issue?
Flags: needinfo?(jkratzer)
Attached file harness.html
Flags: needinfo?(jkratzer)
Attached file testcase.html
In order to reproduce the issue, the attached testcases must be accessed via a local webserver and the harness.html used as a starting point.

Steps to reproduce (using ffpuppet):
1.  python -m SimpleHTTPServer & # in the testcase directory
2.  python -m ffpuppet --xvfb -d -l log ~/firefox/firefox http://localhost:8000/harness.html

FFPuppet can be found at the following URL:
https://github.com/MozillaSecurity/ffpuppet
Please note, the testcase also requires the following prefs file which can be loaded via ffpuppet via the -p option:
https://github.com/MozillaSecurity/fuzzdata/blob/master/settings/firefox/prefs-default-e10s.js
You need to log in before you can comment on or make changes to this bug.