1449582 - Assertion failure: IsIdle(oldState), at /home/worker/workspace/build/src/xpcom/glue/PLDHashTable.h:132

Status: RESOLVED WORKSFORME

(Core :: DOM: Core & HTML, defect, P3)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase

Testcase found while fuzzing esr52 rev d61516b059c1.

rax = 0x0000000000625d50   rdx = 0x00007f9f95e83403
rcx = 0x00007f9f90f5d2dd   rbx = 0x00007f9f72b373f0
rsi = 0x00007f9f9122c770   rdi = 0x00007f9f9122b540
rbp = 0x00007ffcc54fe7d0   rsp = 0x00007ffcc54fe7c0
r8 = 0x00007f9f9122c770    r9 = 0x00007f9f987e1c00
r10 = 0x0000000000000012   r11 = 0x0000000000000000
r12 = 0x00007f9f72b373f0   r13 = 0x00007ffcc54fe810
r14 = 0x0000000000000000   r15 = 0x00007f9f72b3b950
rip = 0x00007f9f92a5a0c4
OS|Linux|0.0.0 Linux 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64
CPU|amd64|family 6 model 78 stepping 3|1
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|Checker::StartWriteOp|hg:hg.mozilla.org/releases/mozilla-esr52:xpcom/glue/PLDHashTable.h:d61516b059c1|132|0x0
0|1|libxul.so|PLDHashTable::Remove|hg:hg.mozilla.org/releases/mozilla-esr52:xpcom/glue/PLDHashTable.cpp:d61516b059c1|36|0x5
0|2|libxul.so|nsDOMAttributeMap::DropAttribute|hg:hg.mozilla.org/releases/mozilla-esr52:xpcom/glue/nsTHashtable.h:d61516b059c1|171|0xb
0|3|libxul.so|mozilla::dom::Element::UnsetAttr|hg:hg.mozilla.org/releases/mozilla-esr52:dom/base/Element.cpp:d61516b059c1|2716|0xe
0|4|libxul.so|nsGenericHTMLElement::UnsetAttr|hg:hg.mozilla.org/releases/mozilla-esr52:dom/html/nsGenericHTMLElement.cpp:d61516b059c1|876|0x12
0|5|libxul.so|mozilla::dom::HTMLSharedElement::UnsetAttr|hg:hg.mozilla.org/releases/mozilla-esr52:dom/html/HTMLSharedElement.cpp:d61516b059c1|263|0x5
0|6|libxul.so|nsDOMAttributeMap::BlastSubtreeToPieces|hg:hg.mozilla.org/releases/mozilla-esr52:dom/base/nsDocument.cpp:d61516b059c1|7187|0xf
0|7|libxul.so|nsDOMAttributeMap::BlastSubtreeToPieces|hg:hg.mozilla.org/releases/mozilla-esr52:dom/base/nsDocument.cpp:d61516b059c1|7197|0x5
0|8|libxul.so|nsIDocument::AdoptNode|hg:hg.mozilla.org/releases/mozilla-esr52:dom/base/nsDocument.cpp:d61516b059c1|7357|0x8
0|9|libxul.so|nsDocument::AdoptNode|hg:hg.mozilla.org/releases/mozilla-esr52:dom/base/nsDocument.cpp:d61516b059c1|7211|0x16
0|10|libxul.so|AdoptNodeIntoOwnerDoc|hg:hg.mozilla.org/releases/mozilla-esr52:dom/base/nsINode.cpp:d61516b059c1|1539|0x14
0|11|libxul.so|nsINode::ReplaceOrInsertBefore|hg:hg.mozilla.org/releases/mozilla-esr52:dom/base/nsINode.cpp:d61516b059c1|2427|0xf
0|12|libxul.so|mozilla::dom::NodeBinding::appendChild|hg:hg.mozilla.org/releases/mozilla-esr52:dom/base/nsINode.h:d61516b059c1|1850|0x12
0|13|libxul.so|mozilla::dom::GenericBindingMethod|hg:hg.mozilla.org/releases/mozilla-esr52:dom/bindings/BindingUtils.cpp:d61516b059c1|2904|0x9
0|14|libxul.so|js::CallJSNative|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/jscntxtinlines.h:d61516b059c1|239|0x9
0|15|libxul.so|js::InternalCallOrConstruct|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/vm/Interpreter.cpp:d61516b059c1|459|0xf
0|16|libxul.so|js::jit::DoCallFallback|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/jit/BaselineIC.cpp:d61516b059c1|6020|0x13
0|17|||||0x32c1806a7111
0|18|||||0x7f9f72bc32f8
0|19|libxul.so|js::jit::IonCannon|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/jit/Ion.cpp:d61516b059c1|2855|0x3a
0|20|libxul.so||||0x3550880
0|21|libnspr4.so|PR_SetThreadPrivate|hg:hg.mozilla.org/releases/mozilla-esr52:nsprpub/pr/src/threads/prtpd.c:d61516b059c1|187|0x13
0|22|libxul.so|NS_LogAddRef|hg:hg.mozilla.org/releases/mozilla-esr52:xpcom/base/nsTraceRefcnt.cpp:d61516b059c1|1016|0x5
0|23|libxul.so||||0x3b06f30
0|24|libxul.so|_fini|||0x1d1c7b0
0|25|libxul.so|mozilla::dom::ScriptSettingsStack::Push|hg:hg.mozilla.org/releases/mozilla-esr52:mfbt/ThreadLocal.h:d61516b059c1|198|0xc
0|26|libxul.so|mozilla::dom::AutoJSAPI::InitInternal|hg:hg.mozilla.org/releases/mozilla-esr52:dom/base/ScriptSettings.cpp:d61516b059c1|368|0x5
0|27|libxul.so|_fini|||0x1d1cb98
0|28|libxul.so|js::ThisThread::GetId|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/threading/posix/Thread.cpp:d61516b059c1|134|0x5
0|29|libxul.so|js::CurrentThreadCanAccessRuntime|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/vm/Runtime.cpp:d61516b059c1|896|0x1d
0|30|libxul.so|js::jit::OptimizationInfo::compilerWarmUpThreshold|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/jit/Ion.h:d61516b059c1|199|0x8
0|31|libxul.so|js::jit::OptimizationLevelInfo::levelForScript|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/jit/IonOptimizationLevels.cpp:d61516b059c1|168|0x5
0|32|libxul.so|js::jit::Compile|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/jit/Ion.cpp:d61516b059c1|2465|0x10
0|33|libxul.so|JS::Value::toObject|hg:hg.mozilla.org/releases/mozilla-esr52:js/public/Value.h:d61516b059c1|657|0x5
0|34|libxul.so|js::jit::CanEnter|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/jit/Ion.cpp:d61516b059c1|2602|0xb
0|35|libxul.so|js::RunScript|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/vm/Interpreter.cpp:d61516b059c1|385|0xb
0|36|libnspr4.so|PR_GetThreadPrivate|hg:hg.mozilla.org/releases/mozilla-esr52:nsprpub/pr/src/threads/prtpd.c:d61516b059c1|204|0x5
0|37|libxul.so|mozilla::dom::Event::QueryInterface|hg:hg.mozilla.org/releases/mozilla-esr52:dom/events/Event.cpp:d61516b059c1|139|0xf
0|38|libxul.so|mozilla::dom::MutationEvent::QueryInterface|hg:hg.mozilla.org/releases/mozilla-esr52:dom/events/MutationEvent.cpp:d61516b059c1|25|0x5
0|39|libxul.so|mozilla::Vector<JS::Value, 8ul, js::TempAllocPolicy>::~Vector|hg:hg.mozilla.org/releases/mozilla-esr52:mfbt/ReentrancyGuard.h:d61516b059c1|44|0x5
0|40|libxul.so|js::InternalCallOrConstruct|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/vm/Interpreter.cpp:d61516b059c1|477|0xb
0|41|libxul.so|_fini|||0x1d08ed8
0|42|libxul.so|js::Call|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/vm/Interpreter.cpp:d61516b059c1|523|0x5
0|43|libxul.so|JS::Call|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/jsapi.cpp:d61516b059c1|2828|0x20
0|44|libxul.so|mozilla::net::RequestContext::RemoveBlockingTransaction|hg:hg.mozilla.org/releases/mozilla-esr52:netwerk/base/RequestContextService.cpp:d61516b059c1|74|0x3
0|45|libxul.so|mozilla::dom::EventListener::HandleEvent|hg:hg.mozilla.org/releases/mozilla-esr52:obj-firefox/dom/bindings/EventListenerBinding.cpp:d61516b059c1|48|0xc
0|46|libxul.so|mozilla::net::RequestContext::RemoveBlockingTransaction|hg:hg.mozilla.org/releases/mozilla-esr52:netwerk/base/RequestContextService.cpp:d61516b059c1|74|0x3
0|47|libxul.so|JS::Value::toObject|hg:hg.mozilla.org/releases/mozilla-esr52:js/public/Value.h:d61516b059c1|657|0x5
0|48|libxul.so|mozilla::dom::TryToOuterize|hg:hg.mozilla.org/releases/mozilla-esr52:dom/bindings/BindingUtils.h:d61516b059c1|943|0x8
0|49|libxul.so|mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>|hg:hg.mozilla.org/releases/mozilla-esr52:obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:d61516b059c1|64|0x1c
0|50|libxul.so|RefPtr<xpc::ErrorReport>::~RefPtr|hg:hg.mozilla.org/releases/mozilla-esr52:mfbt/RefPtr.h:d61516b059c1|80|0x2

Comment 1

[Andrew McCreight [:mccr8]]

That stack has a lot of weird stuff going on.

Comment 2

[Florian Quèze [:florian]]

Here is another stack: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=220616366&repo=try&lineNumber=1137

08:25:03 INFO - GECKO(809) | Assertion failure: IsIdle(oldState), at /builds/worker/workspace/build/src/xpcom/ds/PLDHashTable.h:137
08:26:38 INFO - GECKO(809) | #01: <name omitted> [xpcom/ds/PLDHashTable.cpp:572]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #02: mozilla::dom::TabGroup::AddDocument(nsTSubstring<char> const&, nsIDocument*) [dom/base/TabGroup.cpp:143]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #03: nsIDocument::SetScopeObject(nsIGlobalObject*) [mfbt/AlreadyAddRefed.h:145]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #04: nsIDocument::SetScriptGlobalObject(nsIScriptGlobalObject*) [dom/base/nsDocument.cpp:4423]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #05: nsGlobalWindowOuter::SetNewDocument(nsIDocument*, nsISupports*, bool) [dom/base/nsGlobalWindowOuter.cpp:1895]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #06: nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool) [layout/base/nsDocumentViewer.cpp:970]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #07: nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) [layout/base/nsDocumentViewer.cpp:716]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #08: nsDocShell::SetupNewViewer(nsIContentViewer*) [docshell/base/nsDocShell.cpp:8451]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #09: nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*) [docshell/base/nsDocShell.cpp:6346]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #10: nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal*, nsIURI*, bool, bool) [docshell/base/nsDocShell.cpp:7197]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #11: nsDocShell::EnsureContentViewer() [xpcom/base/nsCOMPtr.h:839]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #12: nsDocShell::GetDocument(nsIDocument**) [docshell/base/nsDocShell.cpp:4745]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #13: nsDOMWindowList::EnsureFresh() [xpcom/base/nsCOMPtr.h:823]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #14: nsDOMWindowList::GetLength() [dom/base/nsDOMWindowList.cpp:46]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #15: mozilla::GetTabSizes(nsGlobalWindowOuter*, nsTabSizes*) [toolkit/components/perfmonitoring/PerformanceUtils.cpp:75]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #16: mozilla::GetTabSizes(nsGlobalWindowOuter*, nsTabSizes*) [toolkit/components/perfmonitoring/PerformanceUtils.cpp:0]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #17: mozilla::CollectMemoryInfo(nsCOMPtr<nsPIDOMWindowOuter> const&, RefPtr<mozilla::AbstractThread> const&) [toolkit/components/perfmonitoring/PerformanceUtils.cpp:91]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #18: mozilla::dom::DocGroup::ReportPerformanceInfo() [mfbt/RefPtr.h:296]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #19: mozilla::CollectPerformanceInfo() [xpcom/ds/nsTArray.h:344]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #20: mozilla::dom::ContentChild::RecvRequestPerformanceMetrics(nsID const&) [dom/ipc/ContentChild.cpp:0]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #21: mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) [ipc/glue/ProtocolUtils.h:375]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #22: mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) [ipc/glue/MessageChannel.h:650]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #23: mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) [ipc/glue/MessageChannel.cpp:2086]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #24: mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) [ipc/glue/MessageChannel.cpp:0]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #25: mozilla::ipc::MessageChannel::MessageTask::Run() [xpcom/threads/Monitor.h:33]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #26: nsThread::ProcessNextEvent(bool, bool*) [xpcom/threads/nsThread.cpp:1144]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #27: NS_ProcessNextEvent(nsIThread*, bool) [xpcom/threads/nsThreadUtils.cpp:468]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #28: mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) [ipc/glue/MessagePump.cpp:86]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #29: MessageLoop::Run() [ipc/chromium/src/base/message_loop.cc:583]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #30: nsBaseAppShell::Run() [widget/nsBaseAppShell.cpp:139]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #31: nsAppShell::Run() [widget/cocoa/nsAppShell.mm:745]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #32: XRE_RunAppShell() [toolkit/xre/nsEmbedFunctions.cpp:915]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #33: mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) [ipc/glue/MessagePump.cpp:238]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #34: MessageLoop::Run() [ipc/chromium/src/base/message_loop.cc:583]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #35: XRE_InitChildProcess(int, char**, XREChildData const*) [toolkit/xre/nsEmbedFunctions.cpp:757]
08:26:38 INFO -
08:26:38 INFO - GECKO(809) | #36: main [ipc/contentproc/plugin-container.cpp:49]

Comment 3

[Tarek Ziadé (:tarek)]

Do we really want GetLength() to create an empty document (via EnsureFresh) ?

https://searchfox.org/mozilla-central/source/dom/base/nsDOMWindowList.cpp#44

The goal of GetLength() is to get the size of the list so if it's empty maybe we could avoid creating a document?
OTHO this logic has been there for ages so I am not sure what is the appropriate fix.

but we should avoid creating new documents just when we want to count the existing ones

adding Baku for advice

Comment 4

[Intermittent Failures Robot]

4 failures in 2627 pushes (0.002 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• autoland: 1
• mozilla-inbound: 3

Platform breakdown:

• linux32: 1
• linux64: 3

For more details, see:
https://treeherder.mozilla.org/intermittent-failures.html#/bugdetails?bug=1449582&startday=2019-01-07&endday=2019-01-13&tree=all

Comment 5

[Andrea Marchesini [:baku]]

The issue here is that we write into the hashtable while reading. The reading happens here:

https://searchfox.org/mozilla-central/rev/c43240cef5829b8a2dec118faff8a5e1fec6ae1b/toolkit/components/perfmonitoring/PerformanceUtils.cpp#47-49

https://searchfox.org/mozilla-central/rev/c43240cef5829b8a2dec118faff8a5e1fec6ae1b/dom/base/TabGroup.cpp#141

It's not trivial to know if we can remove the nsDOMWindowList::EnsureFresh() call in nsDOMWindowList::GetLength().
An easy fix is to change PerformanceUtils.cpp to create an array of nsTArray<RefPtr> docGroups (or raw pointers) and use them out of the iterator.

Comment 6

[Tarek Ziadé (:tarek)]

Thanks a lot Andrea for the investigation ! I will work on a patch

Comment 7

[Tarek Ziadé (:tarek)]

Will work on Bug 1519861 since this one is the same kind of failure but unrelated to the one triggered by about:performance

Comment 8

[Tarek Ziadé (:tarek)]

Sorry, I meant bug 1519038

Comment 9

[Intermittent Failures Robot]

1 failures in 2378 pushes (0.0 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• try: 1

Platform breakdown:

• linux32: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures.html#/bugdetails?bug=1449582&startday=2019-01-14&endday=2019-01-20&tree=all

Comment 10

[Intermittent Failures Robot]

1 failures in 3031 pushes (0.0 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• autoland: 1

Platform breakdown:

• linux64: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures.html#/bugdetails?bug=1449582&startday=2019-04-22&endday=2019-04-28&tree=all

Comment 11

[Intermittent Failures Robot]

1 failures in 4439 pushes (0.0 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• autoland: 1

Platform breakdown:

• windows10-64: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures.html#/bugdetails?bug=1449582&startday=2019-07-29&endday=2019-08-04&tree=all

Comment 12

[Olli Pettay [:smaug][bugs@pettay.fi]]

FWIW, looks like this bug contains many different cases when IsIdle(oldState) is triggered. Those can be totally unrelated.

Comment 13

[Bugmon [:jkratzer for issues]]

Bugmon Analysis:
Unable to reproduce bug using the following builds:

mozilla-central 20210224100119-b3eb91f0b5a7
mozilla-central 20200226092757-7f41334e1044

Comment 14

[Andrew McCreight [:mccr8]]

I couldn't reproduce this locally.

Comment 15

[Intermittent Failures Robot]

7 failures in 3537 pushes (0.002 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• mozilla-central: 3
• autoland: 4

Platform and build breakdown:

• windows10-32-2004-qr: 1
  • debug: 1
• macosx1015-64-qr: 2
  • debug: 2
• windows10-64-2004-qr: 4
  • debug: 4

For more details, see:
https://treeherder.mozilla.org/intermittent-failures/bugdetails?bug=1449582&startday=2022-08-29&endday=2022-09-04&tree=all