Open Bug 1690804 Opened 4 years ago Updated 3 years ago

Assertion failure: sOpenPopupSpamCount == 0, at /builds/worker/checkouts/gecko/dom/base/PopupBlocker.cpp:413

Tracking

()

Status:

NEW

Tracking Flags:

Tracking

Status

firefox87

---

affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file, 2 obsolete files)

testcase.zip 4 years ago Jason Kratzer [:jkratzer] 8.57 KB, application/zip		Details
testcase.zip 4 years ago Jason Kratzer [:jkratzer] 8.87 KB, application/zip		Details
testcase.zip 4 years ago Jason Kratzer [:jkratzer] 8.85 KB, application/zip		Details

Jason Kratzer [:jkratzer]

Reporter

Description

•

4 years ago

Attached file testcase.zip (obsolete) — Details

Testcase found while fuzzing mozilla-central rev 32690d048b75 (built with --enable-debug).

Assertion failure: sOpenPopupSpamCount == 0, at /builds/worker/checkouts/gecko/dom/base/PopupBlocker.cpp:413

    #0 0x7f12babbfefd in mozilla::dom::PopupBlocker::Shutdown() /builds/worker/checkouts/gecko/dom/base/PopupBlocker.cpp:383:3
    #1 0x7f12bdd550ec in nsLayoutStatics::Shutdown() /builds/worker/checkouts/gecko/layout/build/nsLayoutStatics.cpp:317:3
    #2 0x7f12bdd55039 in Release /builds/worker/checkouts/gecko/layout/build/nsLayoutStatics.h:44:31
    #3 0x7f12bdd55039 in Shutdown /builds/worker/checkouts/gecko/layout/build/nsLayoutModule.cpp:119:3
    #4 0x7f12bdd55039 in nsLayoutModuleDtor() /builds/worker/checkouts/gecko/layout/build/nsLayoutModule.cpp:253:3
    #5 0x7f12b8ec36e9 in nsComponentManagerImpl::Shutdown() /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:857:3
    #6 0x7f12b8f362c8 in mozilla::ShutdownXPCOM(nsIServiceManager*) /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:732:55
    #7 0x7f12bee31a1c in XRE_TermEmbedding() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:212:3
    #8 0x7f12b98174be in mozilla::ipc::ScopedXREEmbed::Stop() /builds/worker/checkouts/gecko/ipc/glue/ScopedXREEmbed.cpp:90:5
    #9 0x7f12bee32112 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:737:16
    #10 0x556bdb368f76 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #11 0x556bdb368f76 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:306:18
    #12 0x7f12cdf680b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

Flags: in-testsuite?

Comment hidden (obsolete)

Jason Kratzer [:jkratzer]

Reporter

Comment 2

•

4 years ago

Attached file testcase.zip (obsolete) — Details

Attachment #9201165 - Attachment is obsolete: true

Jason Kratzer [:jkratzer]

Reporter

Updated

•

4 years ago

Whiteboard: [bugmon:confirmed] → [bugmon:confirm]

Jason Kratzer [:jkratzer]

Reporter

Comment 3

•

4 years ago

Attached file testcase.zip — Details

Attachment #9201254 - Attachment is obsolete: true

Hiroyuki Ikezoe (:hiro)

Updated

•

4 years ago

Component: Layout → DOM: Core & HTML

Jens Stutte [:jstutte]

Comment 4

•

4 years ago

Hi Edgar, that assertion has been introduced by bug 1588720, so hoping this gives you some useful information.

Flags: needinfo?(echen)

Regressed by: 1588720

BMO Automation

Updated

•

4 years ago

Has Regression Range: --- → yes

Edgar Chen [:edgar]

Comment 5

•

4 years ago

It seems like BrowsingContext somehow doesn't cleanup the IsPopupSpam field when detaching or releasing. I tried to reproduce it, but did not hit the assertion.

Jason, does this happen when closing the browser or tab? Do you have pernosco session? Thanks.

Flags: needinfo?(echen) → needinfo?(jkratzer)

Hiroyuki Ikezoe (:hiro)

Comment 6

•

4 years ago

FWIW, I tried to reproduce on my Linux box, it sometimes happens when the document in question is closed, but it's a bit hard to notice since even if the assertion happens, the browser process keep running the script in question, I missed the assertions at the first glance.

Bugmon [:jkratzer for issues]

Comment 7

•

4 years ago

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210224215151-69be3221f49a.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 7a5cb26a2d518e9cfaf512ba9a06239b573d7f0e (20200227033937)
End: 32690d048b75cc54ead9118c98333d5442d2c6be (20210204093834)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Jason Kratzer [:jkratzer]

Reporter

Comment 8

•

4 years ago

(In reply to Edgar Chen [:edgar] from comment #5)

It seems like BrowsingContext somehow doesn't cleanup the IsPopupSpam field when detaching or releasing. I tried to reproduce it, but did not hit the assertion.

Jason, does this happen when closing the browser or tab? Do you have pernosco session? Thanks.

Edgar, this does appear to be a shutdown crash. I am trying to get a pernosco session for this issue but I'm having some difficulty as this seems to be a timing related issue and the required non optimized -o0 build under rr is significantly slower. I will add it here if and when I manage to get a recording.

Flags: needinfo?(jkratzer)

Jens Stutte [:jstutte]

Severity: -- → S3

Comment hidden (Intermittent Failures Robot)

Marco Castelluccio [:marco]

Updated

•

4 years ago

Keywords: regression

Jason Kratzer [:jkratzer]

Reporter

Updated

•

3 years ago

No longer blocks: domino

Depends on: domino

Jason Kratzer [:jkratzer]

Reporter

Updated

•

3 years ago

Blocks: domino

No longer depends on: domino

You need to log in before you can comment on or make changes to this bug.