1863177 - Crash in [@ nsHtml5TreeOpExecutor::MoveOpsFrom] due to failure in MOZ_RELEASE_ASSERT(mFlushState == eNotFlushing) (Ops added to mOpQueue during tree op execution.)

Status: RESOLVED FIXED

(Core :: DOM: HTML Parser, defect)

Description

[BugBot [:suhaib / :marco/ :calixte]]

Crash report: https://crash-stats.mozilla.org/report/index/f0cf4f21-928a-4ec5-a7a6-6ada60231101

MOZ_CRASH Reason: MOZ_RELEASE_ASSERT(mFlushState == eNotFlushing) (Ops added to mOpQueue during tree op execution.)

Top 10 frames of crashing thread:

0  xul.dll  nsHtml5TreeOpExecutor::MoveOpsFrom  parser/html/nsHtml5TreeOpExecutor.cpp:1066
1  xul.dll  nsHtml5Speculation::FlushToSink  parser/html/nsHtml5Speculation.cpp:31
1  xul.dll  nsHtml5StreamParser::ContinueAfterScriptsOrEncodingCommitment  parser/html/nsHtml5StreamParser.cpp:2716
2  xul.dll  nsHtml5TreeOpExecutor::FlushSpeculativeLoads  parser/html/nsHtml5TreeOpExecutor.cpp:532
3  xul.dll  nsHtml5LoadFlusher::Run  parser/html/nsHtml5StreamParser.cpp:187
4  xul.dll  mozilla::RunnableTask::Run  xpcom/threads/TaskController.cpp:549
4  xul.dll  mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal  xpcom/threads/TaskController.cpp:876
5  xul.dll  mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal  xpcom/threads/TaskController.cpp:699
5  xul.dll  mozilla::TaskController::ProcessPendingMTTask  xpcom/threads/TaskController.cpp:485
6  xul.dll  mozilla::TaskController::TaskController::<lambda_6>::operator const  xpcom/threads/TaskController.cpp:214

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

• First crash report: 2023-09-25
• Process type: Content
• Is startup crash: No
• Has user comments: No
• Is null crash: Yes - 8 out of 10 crashes happened on null or near null memory address

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

The Bugbug bot thinks this bug should belong to the 'Core::DOM: HTML Parser' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Comment 2

[Daniel Holbert [:dholbert]]

FWIW, there seems to have been a spike of 8 crashes all from a single user here, based on submission time and hardware/OS metadata in the crash report. (All of those eight are for some local web service on 127.0.0.1, too -- not a public website.)

Comment 3

[Andrew McCreight [:mccr8]]

Low crash volume.

Comment 4

[Mayank Bansal]

Bug 1942907 has a fuzz testcase that produces the same signature.

Comment 5

[Sean Feng [:sefeng211]]

Henri should look this one I think

Comment 6

[Henri Sivonen (:hsivonen)]

(In reply to Mayank Bansal from comment #4)

Bug 1942907 has a fuzz testcase that produces the same signature.

Meaningfully different stack, though, which makes this somewhat more concerning.

(In reply to Sean Feng [:sefeng211] from comment #5)

Henri should look this one I think

Yes. Moving to a non-needinfo todo list.

Comment 7

[Henri Sivonen (:hsivonen)]

Attachment: Bug 1863177 - Avoid a release assert when speculative load flush is attempted from a nested event loop. r?smaug!

Comment 8

[Pulsebot]

Pushed by hsivonen@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/bffa28e28fdb
https://hg.mozilla.org/integration/autoland/rev/6409fe60589a
Avoid a release assert when speculative load flush is attempted from a nested event loop. r=smaug

Comment 9

[Atila Butkovits]

https://hg.mozilla.org/mozilla-central/rev/6409fe60589a