Open Bug 963996 Opened 10 years ago Updated 2 years ago

Startup crash at nsContentUtils::IsCallerChrome

Categories

(Core :: Security: CAPS, defect)

x86_64
Linux
defect

People

(Reporter: cjones, Unassigned)

Details

(Whiteboard: [rr])

Attachments

(1 file)

This is in an --enable-profiling build of gecko-dev SHA1 41e8ad9c6f7192354d9ccfbf76579db2ab3ddc69.  Abbreviated backtrace:

(gdb) bt
#0  AsmJSFaultHandler (signum=11, info=0xbfffa20c, context=0xbfffa28c)
    at /home/cjones/rr/mozilla-central/js/src/../../js/src/jit/AsmJSSignalHandlers.cpp:914
#1  <signal handler called>
#2  0x4376ea6d in nsContentUtils::IsCallerChrome ()
    at /home/cjones/rr/mozilla-central/content/base/src/nsContentUtils.cpp:1758
#3  0x436d62db in mozilla::dom::workers::WorkerPrivate::GetLoadInfo (
    aCx=0x4041d200, aWindow=0x0, aParent=0x0, aScriptURL=..., 
    aIsChromeWorker=true, aLoadInfo=0xbfffa860)
    at /home/cjones/rr/mozilla-central/dom/workers/WorkerPrivate.cpp:3789
#4  0x436d70d3 in mozilla::dom::workers::WorkerPrivate::Constructor (
    aGlobal=..., aScriptURL=..., aIsChromeWorker=true, 
    aWorkerType=mozilla::dom::workers::WorkerPrivateParent<mozilla::dom::workers::WorkerPrivate>::WorkerTypeDedicated, aSharedWorkerName=..., 
    aLoadInfo=0x0, aRv=...)
    at /home/cjones/rr/mozilla-central/dom/workers/WorkerPrivate.cpp:3678
#5  0x436d7294 in mozilla::dom::workers::ChromeWorkerPrivate::Constructor (
    aGlobal=..., aScriptURL=..., aRv=...)
    at /home/cjones/rr/mozilla-central/dom/workers/WorkerPrivate.cpp:3637
#6  0x43453680 in mozilla::dom::ChromeWorkerBinding::_constructor (
    cx=0x4041d200, argc=1, vp=0x4699c568)
    at /home/cjones/rr/ff-prof/dom/bindings/WorkerBinding.cpp:67
#7  0x445c48f3 in CallJSNative (args=<synthetic pointer>, native=
    0x43453583 <mozilla::dom::ChromeWorkerBinding::_constructor(JSContext*, unsigned int, JS::Value*)>, cx=0x4041d200)
    at /home/cjones/rr/mozilla-central/js/src/../../js/src/jscntxtinlines.h:220
#8  CallJSNativeConstructor (args=<synthetic pointer>, native=
    0x43453583 <mozilla::dom::ChromeWorkerBinding::_constructor(JSContext*, unsigned int, JS::Value*)>, cx=0x4041d200)
    at /home/cjones/rr/mozilla-central/js/src/../../js/src/jscntxtinlines.h:253
...

(there are 86 stack frames).  It appears that there's some kind of race condition with workers and security manager startup.

I have the crash saved in a deterministic trace, so can repro 100% reliably.

aWindow and aParent are both null.  I'm pretty interested in what's further up the stack.  What's creating this worker, exactly, that's not a window or another worker, and at what point in startup is this code being run?

Most likely a JSM/component.

That looks like shutdown, not startup per se, right?  Presumably we've already shut down nsContentUtils, so the MOZ_ASSERT(ssm) in WorkerPrivate::GetLoadInfo failed too, but this is an opt build.

Kinda curious what this JS code is that runs at xpcom shutdown and tries to start workers...
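The failure mode described in this comment, as an added illustrative model (not Gecko code): a static security-manager pointer is cleared at shutdown, a debug-only assert modeled on MOZ_ASSERT is compiled out in an opt build, and a late caller dereferences null. All names (SecurityManager, sSecurityManager, the *Guarded/*Unguarded functions) are hypothetical stand-ins for nsIScriptSecurityManager and nsContentUtils::IsCallerChrome; the guarded form shows the fail-closed check a caller such as WorkerPrivate::GetLoadInfo would want.

```cpp
#include <cassert>

// Modeled on MOZ_ASSERT: checked in debug builds, compiled out otherwise.
#ifdef NDEBUG
#define MODEL_ASSERT(cond) ((void)0)
#else
#define MODEL_ASSERT(cond) assert(cond)
#endif

// Hypothetical stand-in for nsIScriptSecurityManager.
struct SecurityManager {
  bool callerIsChrome = true;  // constructed sample state
  bool IsCallerChrome() const { return callerIsChrome; }
};

// Stand-in for nsContentUtils' static ssm pointer, cleared at XPCOM shutdown.
static SecurityManager sManagerStorage;
static SecurityManager* sSecurityManager = nullptr;

void ContentUtilsInit() { sSecurityManager = &sManagerStorage; }
void ContentUtilsShutdown() { sSecurityManager = nullptr; }
bool IsShutDown() { return sSecurityManager == nullptr; }

// Unguarded form: in an opt build the assert vanishes, so a caller that runs
// after shutdown (e.g. script constructing a worker) dereferences null.
bool IsCallerChromeUnguarded() {
  MODEL_ASSERT(sSecurityManager);
  return sSecurityManager->IsCallerChrome();
}

// Guarded form: a missing security manager is treated as "not chrome",
// so the check fails closed instead of crashing.
bool IsCallerChromeGuarded() {
  if (!sSecurityManager) return false;
  return sSecurityManager->IsCallerChrome();
}

// Models the chrome check in a GetLoadInfo-style caller; returns false when
// the worker must not be created because shutdown has already begun.
bool GetLoadInfoGuarded(bool* aIsChrome) {
  if (!sSecurityManager) return false;
  *aIsChrome = IsCallerChromeGuarded();
  return true;
}
```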
> That looks like shutdown, not startup per se, right?  Presumably we've already shut down nsContentUtils, so the MOZ_ASSERT(ssm) in WorkerPrivate::GetLoadInfo failed too, but this is an opt build.

Ah, yes.  The duration that FF runs is short, a few seconds, so I just assumed a startup bug.

> Kinda curious what this JS code is that runs at xpcom shutdown and tries to start workers...

Is there a way to tell by poking at something in the backtrace?  Or something else that can be described in gdb-ese ;).

Try "call DumpJSStack()"?

Er, except in an opt build that might not work.  If this is an opt build, you want to poke at cx->fp() and its script/filename/lineno etc manually...

A system update ruined my saved trace, and now I can't reproduce this crash anymore. Grr!!  Will come back to this if it pops up again.
Severity: normal → S3