Open
Bug 1509341
Opened 6 years ago
Updated 2 years ago
Crash in mozilla::CycleCollectedJSContext::CleanupIDBTransactions [from HTMLImageElement]
Categories
(Core :: DOM: Core & HTML, defect, P2)
NEW
People
(Reporter: jya, Unassigned)
(Keywords: crash, regression)
Spawned from bug 1443429 comment 10.
As seen in crash report:
https://crash-stats.mozilla.com/report/index/bceaa402-e381-498a-9dd2-948cc0181121
There are quite a few in the past 7 days (though they have been there regularly).
Here we have HTMLImageElement::LoadSelectedImage doing JS things while in stable state, which it shouldn't.
Comment 1•6 years ago
bz, jib, from https://github.com/whatwg/html/issues/4188 I get the impression you're already looking at this?
Flags: needinfo?(jib)
Flags: needinfo?(bzbarsky)
Priority: -- → P2
Updated•6 years ago
Flags: needinfo?(jib)
Comment 2•6 years ago
I cc'ed some people, but I'd wait for bz to advise on this one.
Comment 3•6 years ago
Wait, is this about media element or image element? Different folks I think.
Comment 4•6 years ago
This is not really related to https://github.com/whatwg/html/issues/4188 except insofar as there's the question of what "stable state" means and what invariants it should have.
> doing JS things while in stable state which it shouldn't
Well, when should it do it, exactly? We have parts of our security infrastructure implemented in JS, and we're explicitly doing the loads in stable state on purpose. What says that you can't run JS (and note this is not even page JS!) in stable state?
Bug 893916 is kinda related, but again we're not really in an "unsafe" state here; the point of being in stable state is that you can do stuff without worrying about upsetting complicated stateful algorithms, because there should be nothing like that in progress when you reach stable state.
What's really failing is the !mDoingStableStates assert in CycleCollectedJSContext::CleanupIDBTransactions. But I don't know enough about our stable state setup to comment intelligently about whether that assert makes sense.
Flags: needinfo?(bzbarsky) → needinfo?(bugs)
Comment 5•6 years ago
The issue with running JS in stable state is that if we run random JS, we end up accidentally also running JS which ends up doing something with the web page.
One of the stacks for example triggered GC which somehow caused https://searchfox.org/mozilla-central/source/dom/base/nsGlobalWindowInner.cpp#7348 to get called, so microtasks and promises got handled... and that means anything can start to happen.
But what did I propose for now to catch the worst issues ... reading IRC
(1) prevent all microtasks while dealing with stable state. Just queue the tasks and trigger a microtask checkpoint right afterwards
(2) explicitly prevent any DOM event dispatch
(3) assert hard that the main event loop doesn't spin during stable state.
This would still let us use JS-implemented content policies.
Flags: needinfo?(bugs)
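The three rules proposed in comment 5, as an added toy model that is not Gecko's code (StableStateRunner, Task and all of its member names are invented here): microtasks queued during stable state are deferred to one checkpoint afterwards, DOM event dispatch is refused, and spinning the event loop in stable state fails hard.

```cpp
// Added toy model, not Gecko code: the three stable-state rules from comment 5.
// StableStateRunner, Task and every member name are invented for this example.
#include <cstddef>
#include <deque>
#include <functional>
#include <stdexcept>
#include <vector>
using Task = std::function<void()>;

class StableStateRunner {
 public:
  // (1) Microtasks queued during stable state are only recorded; they run at
  // the single checkpoint that follows once stable state is over.
  void EnqueueMicrotask(Task task) { mMicrotasks.push_back(std::move(task)); }
  void PerformMicrotaskCheckpoint() {
    if (mInStableState) return;  // suppressed while stable-state work runs
    while (!mMicrotasks.empty()) {
      Task t = std::move(mMicrotasks.front());
      mMicrotasks.pop_front();
      t();
    }
  }
  // (2) DOM event dispatch is refused in stable state; returns whether the
  // handler actually ran.
  bool DispatchEvent(const Task& handler) {
    if (mInStableState) { ++mBlockedEvents; return false; }
    handler();
    return true;
  }
  // (3) Spinning the main event loop inside stable state is a hard failure.
  void SpinEventLoop() {
    if (mInStableState) throw std::logic_error("event loop spun in stable state");
    PerformMicrotaskCheckpoint();
  }
  // Run the stable-state callbacks (e.g. an image load), then one checkpoint.
  void RunStableState(const std::vector<Task>& callbacks) {
    mInStableState = true;
    try { for (const Task& cb : callbacks) cb(); }
    catch (...) { mInStableState = false; throw; }
    mInStableState = false;
    PerformMicrotaskCheckpoint();
  }
  std::size_t PendingMicrotasks() const { return mMicrotasks.size(); }
  std::size_t BlockedEvents() const { return mBlockedEvents; }

 private:
  bool mInStableState = false;
  std::deque<Task> mMicrotasks;
  std::size_t mBlockedEvents = 0;
};
```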
Comment 6•6 years ago
IRC from last Friday: https://mozilla.logbot.info/developers/20181123#c15648456
Updated•6 years ago
Component: DOM → DOM: Core & HTML
Updated•2 years ago
Severity: normal → S3