(In reply to Tyson Smith [:tsmith] from comment #1) > A Pernosco session is available here: https://pernos.co/debug/2KcvHyKOR-YkYtLrvo3Rhw/index.html Thanks for the link to the Pernosco session, I was going to ask you if you had one that we could use to more easily dig into this :-) Based on a quick look to the Pernosco session: - the crash is triggered because, in that call to MatchPattern::Init, [AtomSet::Get<PERMITTED_SCHEMES>()` is returning a nullptr and so permittesSchemes would be unexpectedly set to nullptr](https://searchfox.org/mozilla-central/rev/f07a609a76136ef779c65185165ff5ac513cc172/toolkit/components/extensions/MatchPattern.cpp#253) when we then use it [a few lines later when we call `permittedSchemes->Contains(scheme)`](https://searchfox.org/mozilla-central/rev/f07a609a76136ef779c65185165ff5ac513cc172/toolkit/components/extensions/MatchPattern.cpp#280) - [AtomSet::Get<PERMITTED_SCHEMES>() is keeping a RefPtr for the AtomSet internally when it is called for the first time, and it does pass it to ClearOnShutdown to free it as part of the XPCOM shutdown flow](https://searchfox.org/mozilla-central/rev/f07a609a76136ef779c65185165ff5ac513cc172/toolkit/components/extensions/MatchPattern.h#80-90) - I looked in the permosco session for when we have feeze that `static RefPtr<AtomSet> sMatcher` in that same process, and I did notice that it was being done (as expected) during the XPCOM shutdown and so it seems that we got that last call to `MatchPattern::Init` after we were already shutting down - Looking to the JSRuntime call stack in the last call to `MatchPattern::Init` it looks that we are loading a manifest, and it is being called from [here](https://searchfox.org/mozilla-central/source/toolkit/components/extensions/Extension.jsm#1258) (and likely originated from [XPInstall.jsm's loadManifestFromWebManifest](https://searchfox.org/mozilla-central/rev/f07a609a76136ef779c65185165ff5ac513cc172/toolkit/mozapps/extensions/internal/XPIInstall.jsm#454), the stack trace (got by calling `DumpJSStack()` from the Pernosco session while that last call is being executed) is the following: ``` (pernosco) call DumpJSStack() 0 loadManifest() ["resource://gre/modules/Extension.jsm":1258:26] 1 InterpretGeneratorResume(gen = "[object Object]", val = "[object Object],", kind = ""next"") ["self-hosted":1480:33] 2 AsyncFunctionNext(val = "[object Object],") ["self-hosted":690:26] this = [object Object] ```
Bug 1699298 Comment 2 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
(In reply to Tyson Smith [:tsmith] from comment #1) > A Pernosco session is available here: https://pernos.co/debug/2KcvHyKOR-YkYtLrvo3Rhw/index.html Thanks for the link to the Pernosco session, I was going to ask you if you had one that we could use to more easily dig into this :-) Based on a quick look to the Pernosco session: - the crash is triggered because, in that call to MatchPattern::Init, [`AtomSet::Get<PERMITTED_SCHEMES>()` is returning a nullptr and so permittesSchemes would be unexpectedly set to nullptr](https://searchfox.org/mozilla-central/rev/f07a609a76136ef779c65185165ff5ac513cc172/toolkit/components/extensions/MatchPattern.cpp#253) when we then use it [a few lines later when we call `permittedSchemes->Contains(scheme)`](https://searchfox.org/mozilla-central/rev/f07a609a76136ef779c65185165ff5ac513cc172/toolkit/components/extensions/MatchPattern.cpp#280) - [AtomSet::Get<PERMITTED_SCHEMES>() is keeping a RefPtr for the AtomSet internally when it is called for the first time, and it does pass it to ClearOnShutdown to free it as part of the XPCOM shutdown flow](https://searchfox.org/mozilla-central/rev/f07a609a76136ef779c65185165ff5ac513cc172/toolkit/components/extensions/MatchPattern.h#80-90) - I looked in the permosco session for when we have feeze that `static RefPtr<AtomSet> sMatcher` in that same process, and I did notice that it was being done (as expected) during the XPCOM shutdown and so it seems that we got that last call to `MatchPattern::Init` after we were already shutting down - Looking to the JSRuntime call stack in the last call to `MatchPattern::Init` it looks that we are loading a manifest, and it is being called from [here](https://searchfox.org/mozilla-central/source/toolkit/components/extensions/Extension.jsm#1258) (and likely originated from [XPInstall.jsm's loadManifestFromWebManifest](https://searchfox.org/mozilla-central/rev/f07a609a76136ef779c65185165ff5ac513cc172/toolkit/mozapps/extensions/internal/XPIInstall.jsm#454), the stack trace (got by calling `DumpJSStack()` from the Pernosco session while that last call is being executed) is the following: ``` (pernosco) call DumpJSStack() 0 loadManifest() ["resource://gre/modules/Extension.jsm":1258:26] 1 InterpretGeneratorResume(gen = "[object Object]", val = "[object Object],", kind = ""next"") ["self-hosted":1480:33] 2 AsyncFunctionNext(val = "[object Object],") ["self-hosted":690:26] this = [object Object] ```
(In reply to Tyson Smith [:tsmith] from comment #1) > A Pernosco session is available here: https://pernos.co/debug/2KcvHyKOR-YkYtLrvo3Rhw/index.html Thanks for the link to the Pernosco session, I was going to ask you if you had one that we could use to more easily dig into this :-) Based on a quick look to the Pernosco session: - the crash is triggered because, in that call to MatchPattern::Init, [`AtomSet::Get<PERMITTED_SCHEMES>()` is returning a nullptr and so permittesSchemes would be unexpectedly set to nullptr](https://searchfox.org/mozilla-central/rev/f07a609a76136ef779c65185165ff5ac513cc172/toolkit/components/extensions/MatchPattern.cpp#253) when we then use it [a few lines later when we call `permittedSchemes->Contains(scheme)`](https://searchfox.org/mozilla-central/rev/f07a609a76136ef779c65185165ff5ac513cc172/toolkit/components/extensions/MatchPattern.cpp#280) - [AtomSet::Get<PERMITTED_SCHEMES>() is keeping a RefPtr for the AtomSet internally when it is called for the first time, and it does pass it to ClearOnShutdown to free it as part of the XPCOM shutdown flow](https://searchfox.org/mozilla-central/rev/f07a609a76136ef779c65185165ff5ac513cc172/toolkit/components/extensions/MatchPattern.h#80-90) - I looked in the permosco session for when we have feeze that `static RefPtr<AtomSet> sMatcher` in that same process, and I did notice that it was being done (as expected) during the XPCOM shutdown and so it seems that we got that last call to `MatchPattern::Init` after we were already shutting down - Looking to the JSRuntime call stack in the last call to `MatchPattern::Init` it looks that we are loading a manifest, and it is being called from [here](https://searchfox.org/mozilla-central/source/toolkit/components/extensions/Extension.jsm#1258) (and likely originated from [XPInstall.jsm's loadManifestFromWebManifest](https://searchfox.org/mozilla-central/rev/f07a609a76136ef779c65185165ff5ac513cc172/toolkit/mozapps/extensions/internal/XPIInstall.jsm#454), the stack trace (got by calling `DumpJSStack()` from the Pernosco session while that last call is being executed) is the following ([permalink to the loadManifest line that triggers the call](https://searchfox.org/mozilla-central/rev/4e87b5392eafe1f1d49017e76f7317b06ec0b1d8/toolkit/components/extensions/Extension.jsm#1258 )): ``` (pernosco) call DumpJSStack() 0 loadManifest() ["resource://gre/modules/Extension.jsm":1258:26] 1 InterpretGeneratorResume(gen = "[object Object]", val = "[object Object],", kind = ""next"") ["self-hosted":1480:33] 2 AsyncFunctionNext(val = "[object Object],") ["self-hosted":690:26] this = [object Object] ```
(In reply to Tyson Smith [:tsmith] from comment #1) > A Pernosco session is available here: https://pernos.co/debug/2KcvHyKOR-YkYtLrvo3Rhw/index.html Thanks for the link to the Pernosco session, I was going to ask you if you had one that we could use to more easily dig into this :-) Based on a quick look to the Pernosco session: - the crash is triggered because, in that call to MatchPattern::Init, [`AtomSet::Get<PERMITTED_SCHEMES>()` is returning a nullptr and so permittesSchemes would be unexpectedly set to nullptr](https://searchfox.org/mozilla-central/rev/f07a609a76136ef779c65185165ff5ac513cc172/toolkit/components/extensions/MatchPattern.cpp#253) when we then use it [a few lines later when we call `permittedSchemes->Contains(scheme)`](https://searchfox.org/mozilla-central/rev/f07a609a76136ef779c65185165ff5ac513cc172/toolkit/components/extensions/MatchPattern.cpp#280) - [AtomSet::Get<PERMITTED_SCHEMES>() is keeping a RefPtr for the AtomSet internally when it is called for the first time, and it does pass it to ClearOnShutdown to free it as part of the XPCOM shutdown flow](https://searchfox.org/mozilla-central/rev/f07a609a76136ef779c65185165ff5ac513cc172/toolkit/components/extensions/MatchPattern.h#80-90) - I looked in the pernosco session for when we are destroying that `static RefPtr<AtomSet> sMatcher` in that same process, and I did notice that it was being done (as expected) during the XPCOM shutdown and so it seems that we got that last call to `MatchPattern::Init` after we were already shutting down - Looking to the JSRuntime call stack in the last call to `MatchPattern::Init` it looks that we are loading a manifest, and it is being called from [here](https://searchfox.org/mozilla-central/source/toolkit/components/extensions/Extension.jsm#1258) (and likely originated from [XPInstall.jsm's loadManifestFromWebManifest](https://searchfox.org/mozilla-central/rev/f07a609a76136ef779c65185165ff5ac513cc172/toolkit/mozapps/extensions/internal/XPIInstall.jsm#454), the stack trace (got by calling `DumpJSStack()` from the Pernosco session while that last call is being executed) is the following ([permalink to the loadManifest line that triggers the call](https://searchfox.org/mozilla-central/rev/4e87b5392eafe1f1d49017e76f7317b06ec0b1d8/toolkit/components/extensions/Extension.jsm#1258 )): ``` (pernosco) call DumpJSStack() 0 loadManifest() ["resource://gre/modules/Extension.jsm":1258:26] 1 InterpretGeneratorResume(gen = "[object Object]", val = "[object Object],", kind = ""next"") ["self-hosted":1480:33] 2 AsyncFunctionNext(val = "[object Object],") ["self-hosted":690:26] this = [object Object] ```