2041104 - Assertion failure: IsInitialDocument() || mReadyState == READYSTATE_INTERACTIVE, at checkouts/gecko/dom/base/Document.cpp:8772

Status: RESOLVED FIXED

(Core :: DOM: Core & HTML, defect)

Description

[Tyson Smith [:tsmith]]

Found with m-c 20260320-9d9636476778 (--enable-debug)

This was found by visiting a live website with a debug build.

STR:

• Launch browser and visit site

This issue was triggered by visiting http://savageworldwide.com.my/. A Pernosco session is available here: https://pernos.co/debug/eZQ2t30IwHVbx4Zbsg-Osg/index.html

Assertion failure: IsInitialDocument() || mReadyState == READYSTATE_INTERACTIVE, at checkouts/gecko/dom/base/Document.cpp:8772

#0 0x7fffe7b8572b in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7fffe7b8572b in mozilla::dom::Document::UnblockDOMContentLoaded() /builds/worker/workspace/obj-build/dom/base/./../../../../checkouts/gecko/dom/base/Document.cpp:8772:3
#2 0x7fffeb6ad281 in mozilla::dom::ScriptLoader::MaybeRemovedDeferRequests() /builds/worker/workspace/obj-build/dom/script/./../../../../checkouts/gecko/dom/script/ScriptLoader.cpp:5323:16
#3 0x7fffeb68b52d in mozilla::dom::ScriptLoader::ProcessPendingRequests(bool) /builds/worker/workspace/obj-build/dom/script/./../../../../checkouts/gecko/dom/script/ScriptLoader.cpp:4316:7
#4 0x7fffe745ecca in operator()<StoreCopyPassByConstLRef<mozilla::wr::WebRenderAPI::RemoteTextureWaitType> &> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1070:18
#5 0x7fffe745ecca in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1069:9), StoreCopyPassByConstLRef<mozilla::wr::WebRenderAPI::RemoteTextureWaitType> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:60:14
#6 0x7fffe745ecca in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1069:9), StoreCopyPassByConstLRef<mozilla::wr::WebRenderAPI::RemoteTextureWaitType> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:95:14
#7 0x7fffe745ecca in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1069:9), std::tuple<StoreCopyPassByConstLRef<mozilla::wr::WebRenderAPI::RemoteTextureWaitType> > &, 0UL> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/tuple:1740:14
#8 0x7fffe745ecca in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1069:9), std::tuple<StoreCopyPassByConstLRef<mozilla::wr::WebRenderAPI::RemoteTextureWaitType> > &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/tuple:1751:14
#9 0x7fffe745ecca in apply<mozilla::wr::WebRenderAPI, void (mozilla::wr::WebRenderAPI::*)(mozilla::wr::WebRenderAPI::RemoteTextureWaitType)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1068:12
#10 0x7fffe745ecca in mozilla::detail::RunnableMethodImpl<mozilla::PresShell*, void (mozilla::PresShell::*)(bool), true, (mozilla::RunnableKind)0, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1119:13
#11 0x7fffe64f20d7 in mozilla::RunnableTask::Run() /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/TaskController.cpp:719:16
#12 0x7fffe64f04c2 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/TaskController.cpp:1358:20
#13 0x7fffe64ef147 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/TaskController.cpp:1181:15
#14 0x7fffe64ef5c5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/TaskController.cpp:655:36
#15 0x7fffe64fa916 in operator() /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/TaskController.cpp:347:37
#16 0x7fffe64fa916 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:536:5
#17 0x7fffe650f623 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/nsThread.cpp:1179:16
#18 0x7fffe651511f in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:472:10
#19 0x7fffe6633557 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/obj-build/ipc/glue/./../../../../checkouts/gecko/ipc/glue/MessagePump.cpp:83:21
#20 0x7fffe658b581 in RunHandler /builds/worker/workspace/obj-build/ipc/chromium/./../../../../checkouts/gecko/ipc/chromium/src/base/message_loop.cc:364:3
#21 0x7fffe658b581 in MessageLoop::Run() /builds/worker/workspace/obj-build/ipc/chromium/./../../../../checkouts/gecko/ipc/chromium/src/base/message_loop.cc:346:3
#22 0x7fffeb90d048 in nsBaseAppShell::Run() /builds/worker/workspace/obj-build/widget/./../../../checkouts/gecko/widget/nsBaseAppShell.cpp:151:27
#23 0x7fffeb9df014 in nsAppShell::Run() /builds/worker/workspace/obj-build/widget/gtk/./../../../../checkouts/gecko/widget/gtk/nsAppShell.cpp:575:33
#24 0x7fffeca5652b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:652:20
#25 0x7fffe6634404 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/workspace/obj-build/ipc/glue/./../../../../checkouts/gecko/ipc/glue/MessagePump.cpp:233:9
#26 0x7fffe658b581 in RunHandler /builds/worker/workspace/obj-build/ipc/chromium/./../../../../checkouts/gecko/ipc/chromium/src/base/message_loop.cc:364:3
#27 0x7fffe658b581 in MessageLoop::Run() /builds/worker/workspace/obj-build/ipc/chromium/./../../../../checkouts/gecko/ipc/chromium/src/base/message_loop.cc:346:3
#28 0x7fffeca55c86 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:590:34
#29 0x5555555da25c in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:466:22

Comment 1

[Hsin-Yi Tsai (she/her)[:hsinyi]]

Hi Vincent, the assertion was added in the about:blank bug that you may want to take a look at this. Thanks.

Comment 2

[Vincent Hilla [:vhilla]]

Attachment: claude-crashtest.html

Interesting.

During a sync load, the page does document.write() and document.close(). So ShouldForceInitialSyncLoad would still be true and we get to doStopDocumentLoad. We have some code to suppress the load event in this nested case, which silently sets readyState complete, some other place clears mSkipLoadEventAfterClose. The page also wrote some script to the document that blocks load and once it asynchronously unblocks, we try to fire load (or rather: DCL), this time with mSkipLoadEventAfterClose being false and readyState complete.

I'll work on a fix.

---

Attached crashtest from claude reproduces. It's analysis:

• Trigger: load handler firing during sync initial about:blank calls document.open() (→ IsInitialButExplicitlyOpened + mSkipLoadEventAfterClose=true), document.write('<script defer src=...>') (→ ScriptLoader::AddDeferRequest calls BlockDOMContentLoaded, counter=2), document.close().
• Inside Close(): DidBuildModelImpl sets READYSTATE_INTERACTIVE, then EndLoad runs (clears mDidCallBeginLoad, DCL counter→1, silent return), then DropParserAndPerfHint → DoUnblockOnload. With mDidCallBeginLoad=false, ShouldForceInitialSyncLoad() returns true → forces unblock despite mOnloadBlockCount>0 → DocLoaderIsEmpty (nsDocLoader.cpp:876) sets READYSTATE_COMPLETE; load skipped because SkipLoadEventAfterClose() returns (and resets) true at line 881.
• Crash: defer script later finishes → ScriptLoader::ProcessPendingRequests → MaybeRemovedDeferRequests (line 4316) → UnblockDOMContentLoaded → assert fires (mInitialStatus=IsInitialButExplicitlyOpened, mReadyState=COMPLETE).
• Why force is the regression: without it, doc stays at INTERACTIVE through Close(). When the defer script lands, ProcessPendingRequests calls MaybeRemovedDeferRequests (assert passes at INTERACTIVE) before UnblockOnload(true) at line 4328 advances to COMPLETE. Force inverts that ordering.

Comment 3

[Vincent Hilla [:vhilla]]

ShouldForceInitialSyncLoad should check IsInitialDocument() and that would suffice to fix this crash.

But I wonder whether we shouldn't clear mSkipLoadEventAfterClose in general. In practice, mIsLoadingDocument would be false and when we clear mSkipLoadEventAfterClose, we also clear mDocumentOpenedButNotLoaded. So I guess the setup is fine, unless ShouldForceInitialSyncLoad() causes readyState to advance past INTERACTIVE before DOMContentLoaded fires.

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 2020300

Comment 5

[Vincent Hilla [:vhilla]]

Attachment: Bug 2041104 - Don't force initial sync load after document.open(). r?farre,hsivonen

Comment 6

[Pulsebot]

Pushed by vhilla@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/5d3d62e80a28
https://hg.mozilla.org/integration/autoland/rev/c4e39339af6e
Don't force initial sync load after document.open(). r=hsivonen

Comment 7

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/60125 for changes under testing/web-platform/tests

Comment 8

[Cosmin Sabou [:CosminS]]

https://hg.mozilla.org/mozilla-central/rev/c4e39339af6e

Comment 9

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot