Assertion failure: ObserverCount() == mEarlyRunners.Length() (observers, except pending selection scrolls, should have been unregistered), at /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1364
Categories
(Core :: Layout, defect)
Tracking
()
People
(Reporter: tsmith, Assigned: tschuster)
References
(Blocks 1 open bug)
Details
(4 keywords, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files, 1 obsolete file)
Found while fuzzing m-c 20230513-c2e4de2178a5 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
NOTE: The test case makes use of FuzzingFunctions.cycleCollect() which can be replaced with window.location.reload(true) but it is less reliable.
Assertion failure: ObserverCount() == mEarlyRunners.Length() (observers, except pending selection scrolls, should have been unregistered), at /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1364
#0 0x7f48a86ef984 in nsRefreshDriver::~nsRefreshDriver() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1362:3
#1 0x7f48a86f012d in nsRefreshDriver::~nsRefreshDriver() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1360:37
#2 0x7f48a87e8cd9 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/layers/TransactionIdAllocator.h:23:3
#3 0x7f48a87e8cd9 in Release /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.h:356:36
#4 0x7f48a87e8cd9 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:54:40
#5 0x7f48a87e8cd9 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:420:36
#6 0x7f48a87e8cd9 in assign_assuming_AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:73:7
#7 0x7f48a87e8cd9 in operator= /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:188:5
#8 0x7f48a87e8cd9 in nsPresContext::Destroy() /builds/worker/checkouts/gecko/layout/base/nsPresContext.cpp:365:18
#9 0x7f48a87e8dee in nsPresContext::~nsPresContext() /builds/worker/checkouts/gecko/layout/base/nsPresContext.cpp:373:3
#10 0x7f48a87e960d in nsPresContext::~nsPresContext() /builds/worker/checkouts/gecko/layout/base/nsPresContext.cpp:369:33
#11 0x7f48a2fd4c46 in SnowWhiteKiller::MaybeKillObject(SnowWhiteKiller::SnowWhiteObject&) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2486:29
#12 0x7f48a2fc87df in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2473:7
#13 0x7f48a2fc7c15 in nsCycleCollector::FreeSnowWhite(bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2663:3
#14 0x7f48a2fcc9d1 in nsCycleCollector::BeginCollection(mozilla::CCReason, ccIsManual, nsICycleCollectorListener*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3655:3
#15 0x7f48a2fcc53a in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3479:9
#16 0x7f48a2fceb6e in nsCycleCollector_collect(mozilla::CCReason, nsICycleCollectorListener*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3990:28
#17 0x7f48a4e5161e in nsJSContext::CycleCollectNow(mozilla::CCReason, nsICycleCollectorListener*) /builds/worker/checkouts/gecko/dom/base/nsJSEnvironment.cpp:1423:3
#18 0x7f48a6166ff5 in mozilla::dom::FuzzingFunctions_Binding::cycleCollect(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/FuzzingFunctionsBinding.cpp:132:3
#19 0x7f48aa83be25 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:486:13
#20 0x7f48aa83b7b3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:12
#21 0x7f48aa84ce3b in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652:10
#22 0x7f48aa84ce3b in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3395:16
#23 0x7f48aa83abdd in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13
#24 0x7f48aa83e208 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:845:13
#25 0x7f48aa83e73f in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:877:10
#26 0x7f48aa939777 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:495:10
#27 0x7f48aa93997b in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:519:10
#28 0x7f48a4c96259 in mozilla::dom::JSExecutionContext::ExecScript() /builds/worker/checkouts/gecko/dom/base/JSExecutionContext.cpp:241:8
#29 0x7f48a810f235 in ExecuteCompiledScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2170:16
#30 0x7f48a810f235 in mozilla::dom::ScriptLoader::EvaluateScript(nsIGlobalObject*, JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2435:12
#31 0x7f48a810e48d in mozilla::dom::ScriptLoader::EvaluateScriptElement(JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2239:10
#32 0x7f48a810addd in mozilla::dom::ScriptLoader::ProcessRequest(JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1880:10
#33 0x7f48a810939f in mozilla::dom::ScriptLoader::ProcessInlineScript(nsIScriptElement*, JS::loader::ScriptKind) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1318:10
#34 0x7f48a80ff9f0 in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:943:10
#35 0x7f48a80ff588 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/checkouts/gecko/dom/script/ScriptElement.cpp:134:18
#36 0x7f48a41547d8 in AttemptToExecute /builds/worker/workspace/obj-build/dist/include/nsIScriptElement.h:221:18
#37 0x7f48a41547d8 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:950:22
#38 0x7f48a415245b in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:741:7
#39 0x7f48a4159dd1 in nsHtml5ExecutorReflusher::Run() /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:80:16
#40 0x7f48a309c692 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:114:20
#41 0x7f48a30a7157 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16
#42 0x7f48a30a235a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:879:26
#43 0x7f48a30a0e37 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:702:15
#44 0x7f48a30a11b5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36
#45 0x7f48a30aa706 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
#46 0x7f48a30aa706 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#47 0x7f48a30c0aaa in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239:16
#48 0x7f48a30c70cd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#49 0x7f48a3d0a055 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#50 0x7f48a3c2b951 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#51 0x7f48a3c2b951 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#52 0x7f48a8377108 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#53 0x7f48aa61364b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:20
#54 0x7f48a3d0af06 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#55 0x7f48a3c2b951 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#56 0x7f48a3c2b951 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#57 0x7f48aa612f12 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:673:34
#58 0x55f7f73d47a6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#59 0x55f7f73d47a6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#60 0x7f48b6c29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#61 0x7f48b6c29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#62 0x55f7f73aba28 in _start (/home/user/workspace/browsers/m-c-20230515151430-fuzzing-debug/firefox-bin+0x58a28) (BuildId: 6e3d83a384f55c2a9788fbb11ed6bce7e4c3a49d)
|
Reporter | |
Comment 1•1 year ago
|
||
|
||
Comment 2•1 year ago
|
||
Verified bug as reproducible on mozilla-central 20230515215623-a26e51291aca.
The bug appears to have been introduced in the following build range:
Start: ba5f6662ca8058d3e646c042c5bbaa8b0ef027ca (20230202172003)
End: 97a75b42cf6dbdd4ac05c2bbcf4872e1ba818af6 (20230202152647)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ba5f6662ca8058d3e646c042c5bbaa8b0ef027ca&tochange=97a75b42cf6dbdd4ac05c2bbcf4872e1ba818af6
|
||
Comment 3•1 year ago
|
||
:emilio does Bug 1813046 look like the regressor?
(mentioned in the pushlog from Comment 2)
|
||
Comment 4•1 year ago
|
||
It seems unlikely, but this crashes release builds in a different way... I can investigate
|
|
||
Comment 5•1 year ago
|
||
Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.
|
|
||
Comment 7•1 year ago
|
||
:dholbert could this be triaged for Priority/Severity?
Not sure about the regressor as mentioned in Comment 3
|
||
Comment 8•1 year ago
|
||
(In reply to Emilio Cobos Álvarez (:emilio) from comment #4)
[...] this crashes release builds in a different way... I can investigate
Here's a crash report for me in a release build of Nightly: bp-6001e809-185c-4d24-871c-d55df0230530
We're failing this diagnostic assert:
MOZ_DIAGNOSTIC_ASSERT(doc->IsStaticDocument() || doc->IsInitialDocument())
That's actually great news, since it's the signature in bug 1773099 that we've thus-far been confused about how to trigger. Maybe this fuzzer bug is getting lucky enough to provide an explanation for that crash volume.
|
|
||
Comment 9•1 year ago
|
||
As for the assertion: looking in pernosco, at the assertion failure ObserverCount() == mEarlyRunners.Length():
(1) ObserverCount() is returning 1, while mEarlyRunners.Length() is 0.
(2) ObserverCount()'s result of 1 is coming from here:
https://searchfox.org/mozilla-central/rev/ae292ebba6074601b33fa983dd4e01ce6a1ec4ac/layout/base/nsRefreshDriver.cpp#1843
sum += mViewManagerFlushIsPending;
(3) That variable is just a bool which gets set in nsRefreshDriver::ScheduleViewManagerFlush()
(4) We apparently never un-schedule that flush.
(and maybe that's related to why we end up crashing in release nightly builds?)
Keeping the needinfo open; need to dig a bit further to determine whether this feels S2 or S3 ish. Also still not clear what the regression source would've been, but I'm eying bug 1813960 with some suspicion, since it moved some stuff to PresShell, and this bug seems to be boil down to relationships between PresShell, nsPresContext, and nsRefreshDriver, at tear-down time.
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
| Comment hidden (Intermittent Failures Robot) |
|
|
||
Comment 11•8 months ago
|
||
Testcase crashes using the initial build (mozilla-central 20230513214225-c2e4de2178a5) but not with tip (mozilla-central 20240126214724-19005661ad78.)
The bug appears to have been fixed in the following build range:
Start: 82dfbdd770bc54674f82bae256dae683772884af (20240122155520)
End: 75c3c3ed6fe2c33aa435e3a099c5f18be4b4d8d2 (20240122183000)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=82dfbdd770bc54674f82bae256dae683772884af&tochange=75c3c3ed6fe2c33aa435e3a099c5f18be4b4d8d2
tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
Reporter | |
Updated•8 months ago
|
|
||
Updated•8 months ago
|
|
|
||
Comment 13•8 months ago
|
||
I'm taking a look at doing that.
I wasn't able to reproduce the bug from the crashtest harness, for whatever reason (using reload() as well as SpecialPowers.DOMWindowUtils.cycleCollect(), but I can reproduce the fatal-assert from comment 8 when crafting a mochitest based on the attached testcase. So I'm going that route, with a mochitest-serving-as-a-crashtest essentially.
|
|
||
Comment 14•8 months ago
|
||
|
||
Updated•7 months ago
|
|
||
Comment 15•7 months ago
|
||
|
||
Comment 16•7 months ago
|
||
| bugherder | ||
|
|
||
Updated•7 months ago
|
Description
•