Closed
Bug 1120285
Opened 9 years ago
Closed 9 years ago
crash with ProxyAccessible* in nsTArray_Impl<mozilla::dom::indexedDB::PBackgroundIDBCursorChild*, nsTArrayInfallibleAllocator>::Clear()
Categories
(Core :: General, defect)
Tracking
()
RESOLVED
FIXED
mozilla38
People
(Reporter: away, Assigned: tbsaunde)
References
Details
(Keywords: crash)
Crash Data
Attachments
(1 file)
3.67 KB,
patch
|
davidb
:
review+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is report bp-4f5e5668-ac1e-4a0b-8eb9-01f4e2150110. ============================================================= The signature is misleading due to folding; it's actually an array of ProxyAccessible*. This began in build 20150110030201. Currently not super high volume but worth monitoring.
Comment 2•9 years ago
|
||
OK this should get top crash level attention (given bug 1120464 is a dupe).
Looks like the Win64 variant got a different (but equally misleading) signature.
Crash Signature: [@ nsTArray_Impl<mozilla::dom::indexedDB::PBackgroundIDBCursorChild*, nsTArrayInfallibleAllocator>::Clear()] → [@ nsTArray_Impl<mozilla::dom::indexedDB::PBackgroundIDBCursorChild*, nsTArrayInfallibleAllocator>::Clear()]
[@ nsTArray_Impl<nsINode*, nsTArrayInfallibleAllocator>::Clear()]
Assignee | ||
Comment 4•9 years ago
|
||
I need to run out for a while, but I believe the cause of this is bug 1113845 being incomplete. ProxyAccessible::Shutdown on the outerdoc doesn't fail, but we later go to shutdown the child doc we crash.
Assignee | ||
Comment 5•9 years ago
|
||
Attachment #8548373 -
Flags: review?(dbolter)
Comment 6•9 years ago
|
||
Comment on attachment 8548373 [details] [diff] [review] correctly shutdown outer doc accessible proxies Review of attachment 8548373 [details] [diff] [review]: ----------------------------------------------------------------- r=me because topcrash, but with some uncomfortable shifting in my seat. If you don't comment here I'll follow up IRL. ::: accessible/ipc/DocAccessibleParent.h @@ +48,5 @@ > + void Destroy(); > + virtual void ActorDestroy(ActorDestroyReason aWhy) MOZ_OVERRIDE > + { > + if (!mShutdown) > + Destroy(); Are you sure you need this check? When does it bite? ::: accessible/ipc/ProxyAccessible.cpp @@ +26,5 @@ > + } else { > + if (mChildren.Length() != 1) > + MOZ_CRASH("outer doc doesn't own adoc!"); > + > + static_cast<DocAccessibleParent*>(mChildren[0])->Destroy(); Hmmm... ah, right...
Attachment #8548373 -
Flags: review?(dbolter) → review+
Assignee | ||
Comment 7•9 years ago
|
||
> ::: accessible/ipc/DocAccessibleParent.h
> @@ +48,5 @@
> > + void Destroy();
> > + virtual void ActorDestroy(ActorDestroyReason aWhy) MOZ_OVERRIDE
> > + {
> > + if (!mShutdown)
> > + Destroy();
>
> Are you sure you need this check? When does it bite?
Consider the problem case where the outer doc gets a hide before the doc it owns is destroyed. In that case we know execute the guts of what was ActorDestroy when the outer doc is hidden. That means when the document is eventually destroyed there's nothing left to do.
Assignee | ||
Comment 8•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/ce39fe1d44c5
Comment 9•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/ce39fe1d44c5
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Reporter | ||
Comment 10•9 years ago
|
||
comdat folding ftl
Crash Signature: [@ nsTArray_Impl<mozilla::dom::indexedDB::PBackgroundIDBCursorChild*, nsTArrayInfallibleAllocator>::Clear()]
[@ nsTArray_Impl<nsINode*, nsTArrayInfallibleAllocator>::Clear()] → [@ nsTArray_Impl<mozilla::dom::indexedDB::PBackgroundIDBCursorChild*, nsTArrayInfallibleAllocator>::Clear()]
[@ nsTArray_Impl<nsINode*, nsTArrayInfallibleAllocator>::Clear()]
[@ nsTArray_Impl<mozilla::net::nsHttpTransaction*, nsTArrayInfallibleAllocator…
Comment 11•9 years ago
|
||
(In reply to David Major [:dmajor] (UTC+13) from comment #10) > comdat folding ftl David, the "nsTArray_Impl<mozilla::layers::Layer*, nsTArrayInfallibleAllocator>::Clear()" signature is #5 on Dev Edition 37.0a2, do we need an uplift here or does the folding point to a different issue?
Flags: needinfo?(dmajor)
Assignee | ||
Comment 12•9 years ago
|
||
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #11) > (In reply to David Major [:dmajor] (UTC+13) from comment #10) > > comdat folding ftl > > David, the "nsTArray_Impl<mozilla::layers::Layer*, > nsTArrayInfallibleAllocator>::Clear()" signature is #5 on Dev Edition > 37.0a2, do we need an uplift here or does the folding point to a different > issue? I think we should just take bug 1123842 to handle that
Flags: needinfo?(dmajor)
Reporter | ||
Comment 13•9 years ago
|
||
This started on v37 nightlies so yeah it's on aurora now too. Sounds like bug 1123842 will do the trick.
You need to log in
before you can comment on or make changes to this bug.
Description
•