Closed
Bug 1123840
Opened 9 years ago
Closed 9 years ago
crash in libsystem_platform.dylib@0x51e0
Categories
(Core :: Networking: Cache, defect)
Tracking
()
VERIFIED
FIXED
mozilla38
People
(Reporter: BenWa, Assigned: mayhemer)
References
Details
(Keywords: crash, regression)
Crash Data
Attachments
(1 file, 1 obsolete file)
|
984 bytes,
patch
|
mayhemer
:
review+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is report bp-bc11fe31-0e93-4f6d-9322-b69c62150120. ============================================================= Reproducible for me on page: http://www.newscientist.com/article/dn26813-epic-cosmic-radio-burst-finally-seen-in-real-time.html I saw someone run into this. I think it was :gps
|
Reporter | |
Comment 1•9 years ago
|
||
[Tracking Requested - why for this release]: Reproducible crash
status-firefox38:
--- → affected
tracking-firefox38:
--- → ?
|
|
Reporter | |
Comment 2•9 years ago
|
||
:mayhemer can you triage this to the right person? It's reproducible so it should be easy.
Flags: needinfo?(honzab.moz)
|
||
Comment 3•9 years ago
|
||
I worked around it by clearing out my cache. I suspect the "read from cache" code path is buggy. My crashes were https://crash-stats.mozilla.com/report/index/e057151c-4485-4f72-b13c-d62142150119 and https://crash-stats.mozilla.com/report/index/afd7d0b7-4483-4fc4-a503-196122150119
|
|
Reporter | |
Comment 4•9 years ago
|
||
Ok, I'll leave things on my cache so that I can test builds.
|
Assignee | |
Comment 5•9 years ago
|
||
This is my code. Taking now.
Assignee: nobody → honzab.moz
Flags: needinfo?(honzab.moz)
|
|
Assignee | |
Comment 6•9 years ago
|
||
Benoit, do you have flash installed? Any other things I should try to change/install to reproduce? Simply going to the page, restart, navigating again doesn't crash for me (Nightly debug).
Flags: needinfo?(bgirard)
|
|
Reporter | |
Comment 7•9 years ago
|
||
I have flash 16.0.0.257 & Adblock installed. Just hitting the pages crashes for me.
Flags: needinfo?(bgirard)
|
|
Reporter | |
Comment 8•9 years ago
|
||
Ok well it seems the crash is no longer reproducible for me.
|
|
Assignee | |
Comment 9•9 years ago
|
||
gps, any way to reproduce? anybody, if you are able to repro, please run with logging: NSPR_LOG_MODULES=timestamp,nsHttp:4,cache2:5 Thanks.
Flags: needinfo?(gps)
|
|
||
Comment 10•9 years ago
|
||
I blew away my cache. But it appears BenWa hasn't.
Flags: needinfo?(gps) → needinfo?(bgirard)
|
|
Assignee | |
Comment 11•9 years ago
|
||
So, happened to me few times. Logging changes timing so, could not get a log. I decided to attach a debugger, but after download of sources (me, one idiot!) I cannot reproduce any longer. Will occasionally re-try.
|
|
Assignee | |
Comment 12•9 years ago
|
||
And I think I have a theory. There is reinsert of a callback with intention to put it to the same place as it was before (InsertElementAt(i)). But when the array were altered because of re-entrancy, we may have fewer elements in the array and the i will point past the end+1. I may simply add a check and insert at max(end,i). It's not at all critical to put the callback at the same place.
|
||
Updated•9 years ago
|
|
|
Reporter | |
Comment 13•9 years ago
|
||
I'll run the log if I can reproduce it again.
Flags: needinfo?(bgirard)
|
|
Assignee | |
Comment 16•9 years ago
|
||
For explanation see comment 12. I unfortunately don't have STR to check this is the fix. I can crash on the two reported URLs, but not when I want to check... Murphy's law... https://treeherder.mozilla.org/#/jobs?repo=try&revision=4d187a373858
Attachment #8552645 -
Flags: review?(michal.novotny)
|
||
Comment 17•9 years ago
|
||
I seem to have reproduced this by going to my Google Drive page and right clicking on a file. The URL: https://drive.google.com/a/mozilla.com/#my-drive (of course, I was logged in as me) The crash report: https://crash-stats.mozilla.com/report/index/7a0f21fe-2b21-4f50-8712-18ad12150121
|
|
Assignee | |
Updated•9 years ago
|
Status: NEW → ASSIGNED
|
||
Comment 18•9 years ago
|
||
(In reply to Honza Bambas (:mayhemer) from comment #12) > And I think I have a theory. There is reinsert of a callback with intention > to put it to the same place as it was before (InsertElementAt(i)). But when > the array were altered because of re-entrancy, we may have fewer elements in > the array and the i will point past the end+1. Is it OK when we skip some callback or process some callback twice in the while loop in InvokeCallbacks()? This will happen when the array is changed while InvokeCallback() is called.
Flags: needinfo?(honzab.moz)
|
|
Assignee | |
Comment 19•9 years ago
|
||
(In reply to Michal Novotny (:michal) from comment #18) > (In reply to Honza Bambas (:mayhemer) from comment #12) > > And I think I have a theory. There is reinsert of a callback with intention > > to put it to the same place as it was before (InsertElementAt(i)). But when > > the array were altered because of re-entrancy, we may have fewer elements in > > the array and the i will point past the end+1. > > Is it OK when we skip some callback or process some callback twice in the > while loop in InvokeCallbacks()? This will happen when the array is changed > while InvokeCallback() is called. I first remove a callback (under the lock), then process it, when it needs to be called again, I readd it back (now faulty code) to be re-invoked on the next callbacks invocation loop. InvokeCallback() opens the lock and other thread (or the same via reentry) may modify the array (remove from it). We cannot skip a callback since I'm trying to put the reverted callback at the place it was. That will not leave any earlier added callback behind. We cannot call a callback more then once during the same loop, we also cannot skip during the same loop (as explained above). It's OK to check on the callback on next call, we do it all the time as I can see in the logs, and it's OK, since the callback will not invoke until some preconditins are met (I think the most obvious case is the "wait for complete entry" state, which should be cached, if performance is considered.) Does that answer the question?
Flags: needinfo?(honzab.moz)
|
|
||
Updated•9 years ago
|
Attachment #8552645 -
Flags: review?(michal.novotny) → review+
|
|
Assignee | |
Updated•9 years ago
|
Keywords: checkin-needed
|
|
Assignee | |
Updated•9 years ago
|
Keywords: checkin-needed
|
|
Assignee | |
Comment 20•9 years ago
|
||
Thanks. Fixed osx/lnx build problem.
Attachment #8553337 -
Flags: review+
|
|
Assignee | |
Updated•9 years ago
|
Keywords: checkin-needed
|
|
Assignee | |
Updated•9 years ago
|
Attachment #8552645 -
Attachment is obsolete: true
|
||
Comment 21•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/098d965662be
Keywords: checkin-needed
|
||
Comment 22•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/098d965662be
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
|
||
Comment 23•9 years ago
|
||
Socorro [1] shows zero crashes with this exact signature over the past 4 weeks, and, since no one reports this still happening, I'm closing it. [1] - https://crash-stats.mozilla.com/report/list?range_unit=days&range_value=28&signature=libsystem_platform.dylib%400x51e0#tab-sigsummary
You need to log in
before you can comment on or make changes to this bug.
Description
•