Closed Bug 1547895 Opened 5 years ago Closed 3 years ago

Assertion failure: aTerminated || mDocument->GetReadyStateEnum() == Document::READYSTATE_LOADING (Bad readyState), at /builds/worker/workspace/build/src/dom/base/nsContentSink.cpp:1431

Categories

(Core :: DOM: Core & HTML, defect, P2)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
89 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- wontfix
firefox68 --- wontfix
firefox86 --- wontfix
firefox87 --- wontfix
firefox88 --- wontfix
firefox89 --- fixed

People

(Reporter: jkratzer, Assigned: hsivonen)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:confirmed])

Attachments

(2 files, 1 obsolete file)

testcase.html
248 bytes, text/html
Details
Bug 1547895 - Make nsHtml5Parser::Terminate() mark the parser as document.close()d.
48 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html (obsolete) —

Testcase found while fuzzing mozilla-central rev bbca68b2af26.

Assertion failure: aTerminated || mDocument->GetReadyStateEnum() == Document::READYSTATE_LOADING (Bad readyState), at /builds/worker/workspace/build/src/dom/base/nsContentSink.cpp:1431

rax = 0x0000560f7bbfde20 rdx = 0x0000000000000000
rcx = 0x00007fde143bdb9e rbx = 0x00007fddebd41000
rsi = 0x00007fde1f5318b0 rdi = 0x00007fde1f530680
rbp = 0x00007ffc3aa12400 rsp = 0x00007ffc3aa123e0
r8 = 0x00007fde1f5318b0 r9 = 0x00007fde206b3740
r10 = 0x0000000000000000 r11 = 0x0000000000000000
r12 = 0x00007fddebd41040 r13 = 0x0000000000000000
r14 = 0x0000000000000000 r15 = 0x0000000000000000
rip = 0x00007fde0f92cea0
OS|Linux|0.0.0 Linux 4.19.13-coreos #1 SMP Mon Jan 7 23:51:04 -00 2019 x86_64
CPU|amd64|family 6 model 79 stepping 1|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|nsContentSink::DidBuildModelImpl(bool)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentSink.cpp:bbca68b2af262ffbbf2e3a2d2e77a16c999f479a|1429|0x3
0|1|libxul.so|nsXMLContentSink::DidBuildModel(bool)|hg:hg.mozilla.org/mozilla-central:dom/xml/nsXMLContentSink.cpp:bbca68b2af262ffbbf2e3a2d2e77a16c999f479a|251|0x9
0|2|libxul.so|nsParser::DidBuildModel(nsresult)|hg:hg.mozilla.org/mozilla-central:parser/htmlparser/nsParser.cpp:bbca68b2af262ffbbf2e3a2d2e77a16c999f479a|454|0x6
0|3|libxul.so|nsParser::ResumeParse(bool, bool, bool)|hg:hg.mozilla.org/mozilla-central:parser/htmlparser/nsParser.cpp:bbca68b2af262ffbbf2e3a2d2e77a16c999f479a|1008|0xc
0|4|libxul.so|nsParser::ContinueInterruptedParsing()|hg:hg.mozilla.org/mozilla-central:parser/htmlparser/nsParser.cpp:bbca68b2af262ffbbf2e3a2d2e77a16c999f479a|601|0x16
0|5|libxul.so|mozilla::detail::RunnableMethodImpl<nsXMLContentSink*, void (nsXMLContentSink::)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:bbca68b2af262ffbbf2e3a2d2e77a16c999f479a|1174|0x13
0|6|libxul.so|nsThread::ProcessNextEvent(bool, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:bbca68b2af262ffbbf2e3a2d2e77a16c999f479a|1180|0x15
0|7|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:bbca68b2af262ffbbf2e3a2d2e77a16c999f479a|486|0x11
0|8|libxul.so|nsThread::Shutdown()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:bbca68b2af262ffbbf2e3a2d2e77a16c999f479a|882|0xd
0|9|libxul.so|mozilla::net::BackgroundFileSaver::NotifySaveComplete()|hg:hg.mozilla.org/mozilla-central:netwerk/base/BackgroundFileSaver.cpp:bbca68b2af262ffbbf2e3a2d2e77a16c999f479a|739|0x12
0|10|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::net::BackgroundFileSaver*, nsresult (mozilla::net::BackgroundFileSaver::)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:bbca68b2af262ffbbf2e3a2d2e77a16c999f479a|1174|0x13
0|11|libxul.so|nsThread::ProcessNextEvent(bool, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:bbca68b2af262ffbbf2e3a2d2e77a16c999f479a|1180|0x15
0|12|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:bbca68b2af262ffbbf2e3a2d2e77a16c999f479a|486|0x11
0|13|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:bbca68b2af262ffbbf2e3a2d2e77a16c999f479a|88|0xa
0|14|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:bbca68b2af262ffbbf2e3a2d2e77a16c999f479a|315|0x17
0|15|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:bbca68b2af262ffbbf2e3a2d2e77a16c999f479a|290|0x8
0|16|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:bbca68b2af262ffbbf2e3a2d2e77a16c999f479a|137|0xd
0|17|libxul.so|nsAppStartup::Run()|hg:hg.mozilla.org/mozilla-central:toolkit/components/startup/nsAppStartup.cpp:bbca68b2af262ffbbf2e3a2d2e77a16c999f479a|270|0xe
0|18|libxul.so|XREMain::XRE_mainRun()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:bbca68b2af262ffbbf2e3a2d2e77a16c999f479a|4571|0x11
0|19|libxul.so|XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:bbca68b2af262ffbbf2e3a2d2e77a16c999f479a|4709|0x8
0|20|libxul.so|XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:bbca68b2af262ffbbf2e3a2d2e77a16c999f479a|4790|0x5
0|21|firefox-bin|do_main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:bbca68b2af262ffbbf2e3a2d2e77a16c999f479a|212|0x22
0|22|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:bbca68b2af262ffbbf2e3a2d2e77a16c999f479a|291|0xd
0|23|libc-2.27.so||||0x21b97
0|24|firefox-bin|MOZ_ReportCrash|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:bbca68b2af262ffbbf2e3a2d2e77a16c999f479a|184|0x5

Flags: in-testsuite?

Hi Alphan, as you did investigation on a similar bug 1423202, could you please help with this as well?

Flags: needinfo?(alchen)
Priority: -- → P2

I will take a look next week.

Flags: needinfo?(alchen)
Attached file testcase.html

Update test case.

Attachment #9061559 - Attachment is obsolete: true

Hi Henri, might be of interest?

Flags: needinfo?(hsivonen)

I'll take a look with a recording incorporating newer patches.

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210224215151-69be3221f49a.

Whiteboard: [bugmon:confirmed]
See Also: → 1423202

Fun. We have reasons not to drop not to call DropParserAndPerfHint(); right away when nsHtml5TreeOpExecutor::DidBuildModel() starts. Yet, we also don't want nsHtml5TreeOpExecutor::DidBuildModel() to be re-entered.

Perhaps the easiest way to deal with this problem would be to set mDocumentClosed = true; at the start of nsHtml5TreeOpExecutor::DidBuildModel() to make subsequent document.close() return early.

https://treeherder.mozilla.org/#/jobs?repo=try&revision=a231a7a79afe099c225584096cae37369d474c88

Assignee: nobody → hsivonen
Status: NEW → ASSIGNED
Flags: needinfo?(hsivonen)
Pushed by hsivonen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b1de5998d854
Make nsHtml5Parser::Terminate() mark the parser as document.close()d. r=edgar

https://hg.mozilla.org/mozilla-central/rev/b1de5998d854

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox89: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 89 Branch

:hsivonen, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(hsivonen)

Sorry, wrong needinfo because of a bug in the bot.

Flags: needinfo?(hsivonen)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: