Open Bug 1509341 Opened 6 years ago Updated 2 years ago

Crash in mozilla::CycleCollectedJSContext::CleanupIDBTransactions [from HTMLImageElement]

Categories: Core :: DOM: Core & HTML, defect, P2

People: Reporter: jya, Unassigned

Keywords: crash, regression

Spawned from bug 1443429 comment 10.

As seen in this crash report:
https://crash-stats.mozilla.com/report/index/bceaa402-e381-498a-9dd2-948cc0181121

There are quite a few in the past 7 days (though they have been there regularly).

Here we have HTMLImageElement::LoadSelectedImage doing JS things while in stable state which it shouldn't.
bz, jib, from https://github.com/whatwg/html/issues/4188 I get the impression you're already looking at this?
Flags: needinfo?(jib)
Flags: needinfo?(bzbarsky)
Priority: -- → P2
Flags: needinfo?(jib)
I cc'ed some people, but I'd wait for bz to advise on this one.
Wait, is this about media element or image element? Different folks I think.
This is not really related to https://github.com/whatwg/html/issues/4188 except insofar as there's the question of what "stable state" means and what invariants it should have.

> doing JS things while in stable state which it shouldn't

Well, when should it do it, exactly?  We have parts of our security infrastructure implemented in JS, and we're explicitly doing the loads in stable state on purpose.  What says that you can't run JS (and note this is not even page JS!) in stable state?

Bug 893916 is kinda related, but again we're not really in an "unsafe" state here; the point of being in stable state is that you can do stuff without worrying about upsetting complicated stateful algorithms, because there should be nothing like that in progress when you reach stable state.

What's really failing is the !mDoingStableStates assert in CycleCollectedJSContext::CleanupIDBTransactions.  But I don't know enough about our stable state setup to comment intelligently about whether that assert makes sense.
Flags: needinfo?(bzbarsky) → needinfo?(bugs)
The issue with running JS in stable state is that if we run random JS, we end up accidentally also running JS which ends up doing something with the web page.
One of the stacks, for example, triggered GC which somehow caused https://searchfox.org/mozilla-central/source/dom/base/nsGlobalWindowInner.cpp#7348 to be called, so microtasks and promises got handled... and that means anything can start to happen.

But what did I propose for now to catch the worst issues... reading IRC:
(1) Prevent all microtasks while dealing with stable state. Just queue the tasks and trigger a microtask checkpoint right afterwards.
(2) Explicitly prevent any DOM event dispatch.
(3) Assert hard that the main event loop doesn't spin during stable state.

This would still let us use JS-implemented content policies.
Flags: needinfo?(bugs)
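A hypothetical sketch of proposals (1) and (3) from the comment above, added here as an illustration and not Gecko code: an RAII stable-state scope that holds back microtasks queued inside it, runs the checkpoint as soon as the scope ends, and asserts if stable state is re-entered (which would mean the event loop spun). All class and function names (MiniEventLoop, AutoStableState, RunDemo) are invented.

```cpp
#include <cassert>
#include <functional>
#include <queue>
#include <vector>

// Hypothetical illustration, not Gecko code: a microtask queue whose checkpoint
// is held back while a "stable state" scope is alive (proposals (1) and (3)).
class MiniEventLoop {
  std::queue<std::function<void()>> mMicrotasks;
  int mStableStateDepth = 0;
 public:
  void EnqueueMicrotask(std::function<void()> task) {
    mMicrotasks.push(std::move(task));
    if (mStableStateDepth == 0) PerformMicrotaskCheckpoint();  // immediate only outside stable state
  }
  void PerformMicrotaskCheckpoint() {
    assert(mStableStateDepth == 0 && "microtask checkpoint during stable state");
    while (!mMicrotasks.empty()) {
      auto task = std::move(mMicrotasks.front());
      mMicrotasks.pop();
      task();  // a task may enqueue more; they drain in this same loop
    }
  }
  // RAII scope: microtasks queued inside are deferred, the checkpoint fires as
  // the scope ends, and re-entry (the event loop spinning) asserts hard.
  class AutoStableState {
    MiniEventLoop& mLoop;
   public:
    explicit AutoStableState(MiniEventLoop& loop) : mLoop(loop) {
      assert(mLoop.mStableStateDepth == 0 && "event loop spun during stable state");
      ++mLoop.mStableStateDepth;
    }
    ~AutoStableState() { --mLoop.mStableStateDepth; mLoop.PerformMicrotaskCheckpoint(); }
  };
};

// Stable-state work (e.g. selecting an image source) calls a JS-implemented
// policy hook that queues a microtask; it must only run after the scope ends.
std::vector<int> RunDemo() {
  std::vector<int> order;
  MiniEventLoop loop;
  {
    MiniEventLoop::AutoStableState stable(loop);
    loop.EnqueueMicrotask([&] { order.push_back(2); });  // deferred
    order.push_back(1);  // the stable-state work itself
  }  // checkpoint runs here, pushing 2
  order.push_back(3);
  return order;
}
```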
Component: DOM → DOM: Core & HTML
Keywords: crash
Severity: normal → S3