Bug 1143842 (Closed)
Opened 10 years ago, closed 10 years ago
B2G Email crash: Compartment mismatch in TCPSocketChild
Categories: Core :: DOM: Core & HTML, defect
Status: RESOLVED DUPLICATE of bug 1176542
People: Reporter: gwagner, Unassigned
STR on current trunk with debug gecko:
Open B2G email app and do some heavy scrolling
Program received signal SIGSEGV, Segmentation fault.
JSAutoCompartment::JSAutoCompartment (this=0xbe8f0c00, cx=<optimized out>, target=<optimized out>) at ../../../js/src/jsapi.cpp:868
868 cx_->enterCompartment(target->compartment());
(gdb) bt
#0 JSAutoCompartment::JSAutoCompartment (this=0xbe8f0c00, cx=<optimized out>, target=<optimized out>) at ../../../js/src/jsapi.cpp:868
#1 0xb5301ad4 in IPC::DeserializeArrayBuffer (aObj=aObj@entry=(JSObject * const) 0xb1a93030 Cannot access memory at address 0x0, aBuffer=..., aVal=..., aVal@entry=$jsval(-nan(0xfff8200000000)))
at ../../../dom/network/TCPSocketChild.cpp:29
#2 0xb5302b1e in mozilla::dom::TCPSocketChild::RecvCallback (this=0xb18a3e40, aType=..., aData=..., aReadyState=...) at ../../../dom/network/TCPSocketChild.cpp:165
#3 0xb48c9e80 in mozilla::net::PTCPSocketChild::OnMessageReceived (this=0xb18a3e40, __msg=...) at PTCPSocketChild.cpp:351
#4 0xb4947932 in mozilla::dom::PContentChild::OnMessageReceived (this=0xb3853318, __msg=...) at PContentChild.cpp:4777
#5 0xb481307c in mozilla::ipc::MessageChannel::DispatchAsyncMessage (this=0xb3853348, aMsg=...) at ../../../ipc/glue/MessageChannel.cpp:1216
#6 0xb4818498 in mozilla::ipc::MessageChannel::DispatchMessage (this=this@entry=0xb3853348, aMsg=...) at ../../../ipc/glue/MessageChannel.cpp:1143
#7 0xb481cf4c in mozilla::ipc::MessageChannel::OnMaybeDequeueOne (this=0xb3853348) at ../../../ipc/glue/MessageChannel.cpp:1127
#8 0xb460fd48 in DispatchToMethod<FdWatcher, void (FdWatcher::*)()> (method=(void (FdWatcher::*)(FdWatcher * const)) 0xb481ceb9 <mozilla::ipc::MessageChannel::OnMaybeDequeueOne()>, obj=<optimized out>, arg=...)
at ../../../ipc/chromium/src/base/tuple.h:383
#9 RunnableMethod<FdWatcher, void (FdWatcher::*)(), Tuple0>::Run (this=<optimized out>) at ../../../ipc/chromium/src/base/task.h:310
#10 0xb48140de in Run (this=<optimized out>) at ../../dist/include/mozilla/ipc/MessageChannel.h:445
#11 mozilla::ipc::MessageChannel::DequeueTask::Run (this=<optimized out>) at ../../dist/include/mozilla/ipc/MessageChannel.h:462
#12 0xb480462c in MessageLoop::RunTask (this=0xbe8f1058, task=0xad8a1938) at ../../../ipc/chromium/src/base/message_loop.cc:361
#13 0xb4807762 in MessageLoop::DeferOrRunPendingTask (this=<optimized out>, pending_task=...) at ../../../ipc/chromium/src/base/message_loop.cc:369
#14 0xb4809538 in DoWork (this=<optimized out>) at ../../../ipc/chromium/src/base/message_loop.cc:456
#15 MessageLoop::DoWork (this=0xbe8f1058) at ../../../ipc/chromium/src/base/message_loop.cc:435
#16 0xb48116f6 in mozilla::ipc::DoWorkRunnable::Run (this=<optimized out>) at ../../../ipc/glue/MessagePump.cpp:233
#17 0xb464bb4c in nsThread::ProcessNextEvent (this=0xb385b240, aMayWait=<optimized out>, aResult=0xbe8f0eff) at ../../../xpcom/threads/nsThread.cpp:855
#18 0xb46617c8 in NS_ProcessNextEvent (aThread=0xb385b240, aMayWait=aMayWait@entry=true) at /Volumes/mac/moz/ib2g/xpcom/glue/nsThreadUtils.cpp:265
#19 0xb4819b36 in mozilla::ipc::MessagePump::Run (this=0xb38075c8, aDelegate=0xbe8f1058) at ../../../ipc/glue/MessagePump.cpp:140
#20 0xb4805618 in MessageLoop::RunInternal (this=this@entry=0xbe8f1058) at ../../../ipc/chromium/src/base/message_loop.cc:233
#21 0xb4805632 in RunHandler (this=0xbe8f1058) at ../../../ipc/chromium/src/base/message_loop.cc:226
#22 MessageLoop::Run (this=0xbe8f1058) at ../../../ipc/chromium/src/base/message_loop.cc:200
#23 0xb54e4932 in nsBaseAppShell::Run (this=0xb216bc20) at ../../widget/nsBaseAppShell.cpp:164
#24 0xb595c14c in XRE_RunAppShell () at ../../../toolkit/xre/nsEmbedFunctions.cpp:743
#25 0xb4819c1a in mozilla::ipc::MessagePumpForChildProcess::Run (this=0xb38075c8, aDelegate=0xbe8f1058) at ../../../ipc/glue/MessagePump.cpp:272
#26 0xb4805618 in MessageLoop::RunInternal (this=this@entry=0xbe8f1058) at ../../../ipc/chromium/src/base/message_loop.cc:233
#27 0xb4805632 in RunHandler (this=0xbe8f1058) at ../../../ipc/chromium/src/base/message_loop.cc:226
#28 MessageLoop::Run (this=this@entry=0xbe8f1058) at ../../../ipc/chromium/src/base/message_loop.cc:200
#29 0xb595c0ae in XRE_InitChildProcess (aArgc=<optimized out>, aArgv=<optimized out>, aGMPLoader=<optimized out>) at ../../../toolkit/xre/nsEmbedFunctions.cpp:580
#30 0xb6fc287c in content_process_main (argc=6, argv=0xbe8f1b54) at ../../../ipc/app/../contentproc/plugin-container.cpp:211
#31 0xb6ee54a4 in __libc_init (raw_args=0xbe8f1b50, onexit=<optimized out>, slingshot=0xb6fc28dd <main(int, char**)>, structors=<optimized out>) at bionic/libc/bionic/libc_init_dynamic.cpp:112
Comment 1 • 10 years ago (Reporter)
(gdb) p *this
$5 = {<mozilla::net::PTCPSocketChild> = {<mozilla::ipc::IProtocol> = {<mozilla::ipc::MessageListener> = {<mozilla::ipc::HasResultCodes> = {<No data fields>}, <mozilla::SupportsWeakPtr<mozilla::ipc::MessageListener>> = {mSelfReferencingWeakPtr = {mRef = {mPtr = 0xb0fa3360}}},
_vptr.MessageListener = 0xb6b51bf0 <vtable for mozilla::dom::TCPSocketChild+8>}, <No data fields>}, <mozilla::ipc::IProtocolManager<mozilla::ipc::IProtocol>> = {
_vptr.IProtocolManager = 0xb6b51cbc <vtable for mozilla::dom::TCPSocketChild+212>}, mChannel = 0xb3853348, mManager = 0xb3832ce8, mId = -4,
mState = mozilla::net::PTCPSocket::__Null}, <mozilla::dom::TCPSocketChildBase> = {<nsITCPSocketChild> = {<nsISupports> = {
_vptr.nsISupports = 0xb6b51cf8 <vtable for mozilla::dom::TCPSocketChild+272>}, <No data fields>}, static _cycleCollectorGlobal = {
<nsXPCOMCycleCollectionParticipant> = {<nsScriptObjectTracer> = {<nsCycleCollectionParticipant> = {
_vptr.nsCycleCollectionParticipant = 0xb6b51988 <vtable for mozilla::dom::TCPSocketChildBase::cycleCollection+8>, mMightSkip = false}, <No data fields>}, <No data fields>}, <No data fields>},
mRefCnt = {mRefCntAndFlags = 12}, _mOwningThread = {mThread = 0xb384d000}, mSocket = {mRawPtr = 0xaeb4ebf0}, mIPCOpen = true}, mWindowObj = (JSObject *) 0xb1a93030 Cannot access memory at address 0x0,
mHost = {<nsAString_internal> = {mData = 0xb6617d42 <gNullChar> u"", mLength = 0, mFlags = 1}, <No data fields>}, mPort = 0}
Comment 2 • 10 years ago (Reporter)
Jason, is TCPSocketChild owned by the necko team?
Flags: needinfo?(jduell.mcbugs)
Comment 3 • 10 years ago (Reporter)
Reproducible within 5 min.
Comment 4 • 10 years ago
Hasn't jdm hacked TCPSocket lately?
Comment 5 • 10 years ago
TCPSocket is sort of owned by necko. We may need some help here as most of our code doesn't deal with compartments, so I suspect it's the DOM-y parts of things that are wonky here. JDM and Honza know this code (but honza is out sick, so I'm going with jdm for now--but he may be busy).
Flags: needinfo?(jduell.mcbugs) → needinfo?(josh)
Comment 6 • 10 years ago
Is mWindowObject a real value? Is it set from TCPSocketChild::SendOpen or TCPSocketChild::SetSocketAndWindow?
Flags: needinfo?(josh)
Comment 7 • 10 years ago (Reporter)
Probably dupe of bug 1137512?
Comment 8 • 10 years ago (Reporter)
(gdb) p *mWindowObj
$6 = {<js::gc::Cell> = {<No data fields>}, group_ = 0x0, static MaxTagBits = 3, static ITER_CLASS_NFIXED_SLOTS = 1, static MAX_BYTE_SIZE = 144}
Comment 9 • 10 years ago (Reporter)
It's pretty easy to reproduce. Let me know if you need anything from gdb.
Comment 10 • 10 years ago
Figuring out what's going on in the functions I mentioned in comment 6 would be valuable. Do you know if this reproduces in a desktop build?
Comment 11 • 10 years ago (Reporter)
(In reply to Josh Matthews [:jdm] from comment #10)
> Figuring out what's going on in the functions I mentioned in comment 6 would
> be valuable. Do you know if this reproduces in a desktop build?
It's coming from SendOpen.
Flags: needinfo?(josh)
Comment 12 • 10 years ago (Reporter)
We don't hit the inner-window-destroyed case in JS. I checked this.
In the log I see:
04-01 16:31:28.798 5271 5320 I Gecko : [BrowserBox] error {"msg":"Error: [1] Socket timed out!"}
04-01 16:31:28.808 5271 5320 I Gecko : [ImapClient] normalized-error {"error":"Error: [1] Socket timed out!","errorName":"Error","errorMessage":"[1] Socket timed out!","errorStack":"s.prototype._onTimeout@app://email.gaiamobile.org/js/ext/composite/configurator.js:1745:17\n","socketLevelError":null,"protocolLevelError":null,"reportAs":"unknown"}
04-01 16:31:28.818 5271 5320 I Gecko : [ImapClient] connect-error {"error":"unknown"}
Maybe related?
Comment 13 • 10 years ago (Reporter)
We call sendOpen more than once with the same window. Maybe that's the key?
Comment 14 • 10 years ago
Just to confirm, that's SendOpen multiple times on the same TCPSocketChild object?
Flags: needinfo?(josh)
Comment 15 • 10 years ago (Reporter)
This is probably bug 1137512?
Updated • 10 years ago (Reporter)
Component: DOM → WebRTC: Audio/Video
Updated • 10 years ago (Reporter)
Component: WebRTC: Audio/Video → DOM
Updated • 10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Updated • 6 years ago (Assignee)
Component: DOM → DOM: Core & HTML