Closed Bug 1143842 Opened 10 years ago Closed 10 years ago

B2G Email crash: Compartment mismatch in TCPSocketChild

Categories

(Core :: DOM: Core & HTML, defect)

x86
macOS
defect
Not set
normal

RESOLVED DUPLICATE of bug 1176542

People

(Reporter: gwagner, Unassigned)

Details

STR on current trunk with debug gecko: Open B2G email app and do some heavy scrolling.

Program received signal SIGSEGV, Segmentation fault.
JSAutoCompartment::JSAutoCompartment (this=0xbe8f0c00, cx=<optimized out>, target=<optimized out>) at ../../../js/src/jsapi.cpp:868
868	cx_->enterCompartment(target->compartment());
(gdb) bt
#0  JSAutoCompartment::JSAutoCompartment (this=0xbe8f0c00, cx=<optimized out>, target=<optimized out>) at ../../../js/src/jsapi.cpp:868
#1  0xb5301ad4 in IPC::DeserializeArrayBuffer (aObj=aObj@entry=(JSObject * const) 0xb1a93030 Cannot access memory at address 0x0, aBuffer=..., aVal=..., aVal@entry=$jsval(-nan(0xfff8200000000))) at ../../../dom/network/TCPSocketChild.cpp:29
#2  0xb5302b1e in mozilla::dom::TCPSocketChild::RecvCallback (this=0xb18a3e40, aType=..., aData=..., aReadyState=...) at ../../../dom/network/TCPSocketChild.cpp:165
#3  0xb48c9e80 in mozilla::net::PTCPSocketChild::OnMessageReceived (this=0xb18a3e40, __msg=...) at PTCPSocketChild.cpp:351
#4  0xb4947932 in mozilla::dom::PContentChild::OnMessageReceived (this=0xb3853318, __msg=...) at PContentChild.cpp:4777
#5  0xb481307c in mozilla::ipc::MessageChannel::DispatchAsyncMessage (this=0xb3853348, aMsg=...) at ../../../ipc/glue/MessageChannel.cpp:1216
#6  0xb4818498 in mozilla::ipc::MessageChannel::DispatchMessage (this=this@entry=0xb3853348, aMsg=...) at ../../../ipc/glue/MessageChannel.cpp:1143
#7  0xb481cf4c in mozilla::ipc::MessageChannel::OnMaybeDequeueOne (this=0xb3853348) at ../../../ipc/glue/MessageChannel.cpp:1127
#8  0xb460fd48 in DispatchToMethod<FdWatcher, void (FdWatcher::*)()> (method=(void (FdWatcher::*)(FdWatcher * const)) 0xb481ceb9 <mozilla::ipc::MessageChannel::OnMaybeDequeueOne()>, obj=<optimized out>, arg=...) at ../../../ipc/chromium/src/base/tuple.h:383
#9  RunnableMethod<FdWatcher, void (FdWatcher::*)(), Tuple0>::Run (this=<optimized out>) at ../../../ipc/chromium/src/base/task.h:310
#10 0xb48140de in Run (this=<optimized out>) at ../../dist/include/mozilla/ipc/MessageChannel.h:445
#11 mozilla::ipc::MessageChannel::DequeueTask::Run (this=<optimized out>) at ../../dist/include/mozilla/ipc/MessageChannel.h:462
#12 0xb480462c in MessageLoop::RunTask (this=0xbe8f1058, task=0xad8a1938) at ../../../ipc/chromium/src/base/message_loop.cc:361
#13 0xb4807762 in MessageLoop::DeferOrRunPendingTask (this=<optimized out>, pending_task=...) at ../../../ipc/chromium/src/base/message_loop.cc:369
#14 0xb4809538 in DoWork (this=<optimized out>) at ../../../ipc/chromium/src/base/message_loop.cc:456
#15 MessageLoop::DoWork (this=0xbe8f1058) at ../../../ipc/chromium/src/base/message_loop.cc:435
#16 0xb48116f6 in mozilla::ipc::DoWorkRunnable::Run (this=<optimized out>) at ../../../ipc/glue/MessagePump.cpp:233
#17 0xb464bb4c in nsThread::ProcessNextEvent (this=0xb385b240, aMayWait=<optimized out>, aResult=0xbe8f0eff) at ../../../xpcom/threads/nsThread.cpp:855
#18 0xb46617c8 in NS_ProcessNextEvent (aThread=0xb385b240, aMayWait=aMayWait@entry=true) at /Volumes/mac/moz/ib2g/xpcom/glue/nsThreadUtils.cpp:265
#19 0xb4819b36 in mozilla::ipc::MessagePump::Run (this=0xb38075c8, aDelegate=0xbe8f1058) at ../../../ipc/glue/MessagePump.cpp:140
#20 0xb4805618 in MessageLoop::RunInternal (this=this@entry=0xbe8f1058) at ../../../ipc/chromium/src/base/message_loop.cc:233
#21 0xb4805632 in RunHandler (this=0xbe8f1058) at ../../../ipc/chromium/src/base/message_loop.cc:226
#22 MessageLoop::Run (this=0xbe8f1058) at ../../../ipc/chromium/src/base/message_loop.cc:200
#23 0xb54e4932 in nsBaseAppShell::Run (this=0xb216bc20) at ../../widget/nsBaseAppShell.cpp:164
#24 0xb595c14c in XRE_RunAppShell () at ../../../toolkit/xre/nsEmbedFunctions.cpp:743
#25 0xb4819c1a in mozilla::ipc::MessagePumpForChildProcess::Run (this=0xb38075c8, aDelegate=0xbe8f1058) at ../../../ipc/glue/MessagePump.cpp:272
#26 0xb4805618 in MessageLoop::RunInternal (this=this@entry=0xbe8f1058) at ../../../ipc/chromium/src/base/message_loop.cc:233
#27 0xb4805632 in RunHandler (this=0xbe8f1058) at ../../../ipc/chromium/src/base/message_loop.cc:226
#28 MessageLoop::Run (this=this@entry=0xbe8f1058) at ../../../ipc/chromium/src/base/message_loop.cc:200
#29 0xb595c0ae in XRE_InitChildProcess (aArgc=<optimized out>, aArgv=<optimized out>, aGMPLoader=<optimized out>) at ../../../toolkit/xre/nsEmbedFunctions.cpp:580
#30 0xb6fc287c in content_process_main (argc=6, argv=0xbe8f1b54) at ../../../ipc/app/../contentproc/plugin-container.cpp:211
#31 0xb6ee54a4 in __libc_init (raw_args=0xbe8f1b50, onexit=<optimized out>, slingshot=0xb6fc28dd <main(int, char**)>, structors=<optimized out>) at bionic/libc/bionic/libc_init_dynamic.cpp:112
(gdb) p *this
$5 = {<mozilla::net::PTCPSocketChild> = {<mozilla::ipc::IProtocol> = {<mozilla::ipc::MessageListener> = {<mozilla::ipc::HasResultCodes> = {<No data fields>}, <mozilla::SupportsWeakPtr<mozilla::ipc::MessageListener>> = {mSelfReferencingWeakPtr = {mRef = {mPtr = 0xb0fa3360}}}, _vptr.MessageListener = 0xb6b51bf0 <vtable for mozilla::dom::TCPSocketChild+8>}, <No data fields>}, <mozilla::ipc::IProtocolManager<mozilla::ipc::IProtocol>> = { _vptr.IProtocolManager = 0xb6b51cbc <vtable for mozilla::dom::TCPSocketChild+212>}, mChannel = 0xb3853348, mManager = 0xb3832ce8, mId = -4, mState = mozilla::net::PTCPSocket::__Null}, <mozilla::dom::TCPSocketChildBase> = {<nsITCPSocketChild> = {<nsISupports> = { _vptr.nsISupports = 0xb6b51cf8 <vtable for mozilla::dom::TCPSocketChild+272>}, <No data fields>}, static _cycleCollectorGlobal = { <nsXPCOMCycleCollectionParticipant> = {<nsScriptObjectTracer> = {<nsCycleCollectionParticipant> = { _vptr.nsCycleCollectionParticipant = 0xb6b51988 <vtable for mozilla::dom::TCPSocketChildBase::cycleCollection+8>, mMightSkip = false}, <No data fields>}, <No data fields>}, <No data fields>}, mRefCnt = {mRefCntAndFlags = 12}, _mOwningThread = {mThread = 0xb384d000}, mSocket = {mRawPtr = 0xaeb4ebf0}, mIPCOpen = true}, mWindowObj = (JSObject *) 0xb1a93030 Cannot access memory at address 0x0, mHost = {<nsAString_internal> = {mData = 0xb6617d42 <gNullChar> u"", mLength = 0, mFlags = 1}, <No data fields>}, mPort = 0}
Jason, is TCPSocketChild owned by the necko team?
Flags: needinfo?(jduell.mcbugs)
Reproducible within 5 min.
Hasn't jdm hacked TCPSocket lately?
TCPSocket is sort of owned by necko. We may need some help here as most of our code doesn't deal with compartments, so I suspect it's the DOM-y parts of things that are wonky here. JDM and Honza know this code (but honza is out sick, so I'm going with jdm for now--but he may be busy).
Flags: needinfo?(jduell.mcbugs) → needinfo?(josh)
Is mWindowObject a real value? Is it set from TCPSocketChild::SendOpen or TCPSocketChild::SetSocketAndWindow?
Flags: needinfo?(josh)
Probably dupe of bug 1137512?
(gdb) p *mWindowObj
$6 = {<js::gc::Cell> = {<No data fields>}, group_ = 0x0, static MaxTagBits = 3, static ITER_CLASS_NFIXED_SLOTS = 1, static MAX_BYTE_SIZE = 144}
It's pretty easy to reproduce. Let me know if you need anything from gdb.
Figuring out what's going on in the functions I mentioned in comment 6 would be valuable. Do you know if this reproduces in a desktop build?
(In reply to Josh Matthews [:jdm] from comment #10)
> Figuring out what's going on in the functions I mentioned in comment 6 would
> be valuable. Do you know if this reproduces in a desktop build?

It's coming from SendOpen.
Flags: needinfo?(josh)
We don't hit the inner-window-destroyed case in JS. I checked this. In the log I see:
04-01 16:31:28.798 5271 5320 I Gecko : [BrowserBox] error {"msg":"Error: [1] Socket timed out!"}
04-01 16:31:28.808 5271 5320 I Gecko : [ImapClient] normalized-error {"error":"Error: [1] Socket timed out!","errorName":"Error","errorMessage":"[1] Socket timed out!","errorStack":"s.prototype._onTimeout@app://email.gaiamobile.org/js/ext/composite/configurator.js:1745:17\n","socketLevelError":null,"protocolLevelError":null,"reportAs":"unknown"}
04-01 16:31:28.818 5271 5320 I Gecko : [ImapClient] connect-error {"error":"unknown"}
Maybe related?
We call sendOpen more than once with the same window. Maybe that's the key?
Just to confirm, that's SendOpen multiple times on the same TCPSocketChild object?
Flags: needinfo?(josh)
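As an added illustration (not code from Gecko, SpiderMonkey, or this bug), the toy mark-and-sweep heap below models the hazard the thread is circling: a C++ object that keeps a raw pointer to a GC-managed window object, without rooting or tracing it, can find that cell swept by the time a callback arrives and tries to enter its compartment. The collector here poisons swept cells by nulling their group pointer, the toy counterpart of the `group_ = 0x0` seen in the `p *mWindowObj` output above. It also runs the repeated open() on the same window that the last two comments ask about, to show that a rooted strategy has to release the previous root rather than pin it. Every name (ToyHeap, ToyObject, ToySocketChild, enterWindowCompartment, runScenario) is hypothetical.

```cpp
// Toy model of the GC rooting hazard; not SpiderMonkey, not Gecko.
#include <cstdio>
#include <memory>
#include <set>
#include <vector>

// Hypothetical stand-in for a compartment and for a JS object cell.
struct Compartment { int id; };
struct ToyObject {
    Compartment* group;   // nulled (poisoned) once the collector sweeps the cell
    bool marked = false;
    explicit ToyObject(Compartment* g) : group(g) {}
};

class ToyHeap {
public:
    ToyObject* allocate(Compartment* c) {
        cells_.push_back(std::make_unique<ToyObject>(c));
        return cells_.back().get();
    }
    // A root keeps a cell alive across collections: the toy equivalent of
    // rooting/tracing a pointer instead of holding it raw.
    void addRoot(ToyObject* obj) { roots_.insert(obj); }
    void removeRoot(ToyObject* obj) { roots_.erase(obj); }
    // Mark everything reachable from the root set, then poison the rest.
    // Swept cells are kept (not freed) so a stale pointer can be inspected
    // safely in this demo instead of causing undefined behaviour.
    void collect() {
        for (auto& cell : cells_) cell->marked = false;
        for (ToyObject* r : roots_) r->marked = true;
        for (auto& cell : cells_) {
            if (!cell->marked) cell->group = nullptr;  // swept: poisoned
        }
    }
private:
    std::vector<std::unique_ptr<ToyObject>> cells_;
    std::set<ToyObject*> roots_;
};

// Stand-in for the child object: it remembers the window passed to open().
// `rooted` selects the unsafe (raw pointer) or the safe (rooted) strategy.
class ToySocketChild {
public:
    ToySocketChild(ToyHeap& heap, bool rooted) : heap_(heap), rooted_(rooted) {}
    ~ToySocketChild() { if (rooted_ && window_) heap_.removeRoot(window_); }
    void open(ToyObject* window) {
        // A second open() must drop the previous root, or the first window is
        // pinned for the child's whole lifetime (a leak rather than a crash).
        if (rooted_ && window_) heap_.removeRoot(window_);
        window_ = window;
        if (rooted_) heap_.addRoot(window_);
    }
    // Models entering the window's compartment from a callback. Returns -1
    // instead of dereferencing a poisoned cell so the failure is observable.
    int enterWindowCompartment() const {
        if (!window_ || !window_->group) return -1;
        return window_->group->id;
    }
private:
    ToyHeap& heap_;
    bool rooted_;
    ToyObject* window_ = nullptr;
};

// Scenario from the thread: open twice with the same window, the caller drops
// its own reference, a GC runs, then a callback tries to use the window.
// Returns the compartment id on success, -1 if the cell was swept.
int runScenario(bool rooted) {
    ToyHeap heap;
    Compartment windowCompartment{7};
    ToySocketChild child(heap, rooted);
    ToyObject* window = heap.allocate(&windowCompartment);
    child.open(window);
    child.open(window);      // repeated open with the same window
    window = nullptr;        // no other references remain
    heap.collect();
    return child.enterWindowCompartment();
}

int main() {
    std::printf("raw pointer, after GC:  %d (expected -1)\n", runScenario(false));
    std::printf("rooted pointer, after GC: %d (expected 7)\n", runScenario(true));
    return 0;
}
```

The raw-pointer variant returns -1 because the only reference to the window lived in an untraced C++ member, so the collector swept it; the rooted variant still reaches compartment 7. In the real engine the swept cell would not be poisoned so politely, which is why the crash above lands inside the compartment-entry constructor rather than at a tidy check.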
This is probably bug 1137512?
Component: DOM → WebRTC: Audio/Video
Component: WebRTC: Audio/Video → DOM
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Component: DOM → DOM: Core & HTML