Closed Bug 1663693 Opened 5 years ago Closed 4 years ago

Assertion failure: aScriptGlobalObject || !mAnimationController || mAnimationController->IsPausedByType( SMILTimeContainer::PAUSE_PAGEHIDE | SMILTimeContainer::PAUSE_BEGIN) (Clearing window pointer while animations are unpaused), at /builds/worker/checkou

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox82 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

testcase.html
235 bytes, text/html
Details
Attached file testcase.html

Testcase found while fuzzing mozilla-central rev fb9c01b719fa (built with --enable-debug).

Assertion failure: aScriptGlobalObject || !mAnimationController || mAnimationController->IsPausedByType( SMILTimeContainer::PAUSE_PAGEHIDE | SMILTimeContainer::PAUSE_BEGIN) (Clearing window pointer while animations are unpaused), at /builds/worker/checkouts/gecko/dom/base/Document.cpp:6921

    #0 0x7fb3680aa9ed in mozilla::dom::Document::SetScriptGlobalObject(nsIScriptGlobalObject*) /builds/worker/checkouts/gecko/dom/base/Document.cpp:6916:3
    #1 0x7fb3680bc7d3 in mozilla::dom::Document::Destroy() /builds/worker/checkouts/gecko/dom/base/Document.cpp:10603:3
    #2 0x7fb36abc6ee4 in nsDocumentViewer::Destroy() /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1751:16
    #3 0x7fb36abce537 in nsDocumentViewer::Show() /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:2057:17
    #4 0x7fb36ac11d04 in nsPresContext::EnsureVisible() /builds/worker/checkouts/gecko/layout/base/nsPresContext.cpp:1654:25
    #5 0x7fb36ab60860 in mozilla::PresShell::UnsuppressAndInvalidate() /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:3860:54
    #6 0x7fb36ab57bfb in UnsuppressPainting /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:3899:5
    #7 0x7fb36ab57bfb in mozilla::PresShell::sPaintSuppressionCallback(nsITimer*, void*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:1937:19
    #8 0x7fb36638b491 in nsTimerImpl::Fire(int) /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:562:7
    #9 0x7fb36638b138 in nsTimerEvent::Run() /builds/worker/checkouts/gecko/xpcom/threads/TimerThread.cpp:251:11
    #10 0x7fb366377b92 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:146:20
    #11 0x7fb36637d4df in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:242:16
    #12 0x7fb36637b55a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:512:26
    #13 0x7fb36637a6b4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:371:15
    #14 0x7fb36637a867 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:168:36
    #15 0x7fb366382216 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:83:37
    #16 0x7fb366382216 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #17 0x7fb36639561f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14
    #18 0x7fb36639afca in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #19 0x7fb366c92ff6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #20 0x7fb366c05c13 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #21 0x7fb366c05b2d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #22 0x7fb366c05b2d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #23 0x7fb36a897338 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #24 0x7fb36c06e543 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #25 0x7fb366c93db9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #26 0x7fb366c05c13 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #27 0x7fb366c05b2d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #28 0x7fb366c05b2d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #29 0x7fb36c06e128 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #30 0x55ba4411a957 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #31 0x55ba4411a957 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
    #32 0x7fb37b7a40b2 in __libc_start_main /build/glibc-YYA7BZ/glibc-2.31/csu/../csu/libc-start.c:308:16
    #33 0x55ba440f8709 in _start (/home/worker/builds/m-c-20200904154303-fuzzing-debug/firefox-bin+0x17709)
Flags: in-testsuite?
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200908161332-10fc7701db1b. The bug appears to have been introduced in the following build range: > Start: 50cd5b35abaa087c6cd7e211a4ea6d9582ff9896 (20200826222257) > End: da1424ee1d1106d720c4542773dda1d9a4720e4b (20200826222451) > Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=50cd5b35abaa087c6cd7e211a4ea6d9582ff9896&tochange=da1424ee1d1106d720c4542773dda1d9a4720e4b

Bugmon Analysis
The bug appears to have been fixed in the following build range:

Start: cd770c66b89f53c83418773cc81ba463b2248389 (20210126100354)
End: 435b1e208501b402c377018597db0173ad1a6cf5 (20210126102951)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=cd770c66b89f53c83418773cc81ba463b2248389&tochange=435b1e208501b402c377018597db0173ad1a6cf5
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

Closing this for now as our fuzzers stopped seeing this issue after bug 1685201 landed.

Status: NEW → RESOLVED
Closed: 4 years ago
Regressed by: 1643204
Resolution: --- → WORKSFORME
See Also: → 1685201
Has Regression Range: --- → yes
Keywords: regression
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: