Closed
Bug 1181595
Opened 9 years ago
Closed 9 years ago
crash in mozilla::dom::MessagePort::RemoveDocFromBFCache()
Categories
(Core :: DOM: Content Processes, defect)
Tracking
()
RESOLVED
FIXED
mozilla43
People
(Reporter: tracy, Assigned: baku)
References
Details
(Keywords: crash, topcrash-win)
Crash Data
Attachments
(2 files)
721 bytes,
patch
|
smaug
:
review+
kglazko
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
780 bytes,
patch
|
smaug
:
review+
ritu
:
approval-mozilla-aurora+
ritu
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is
report bp-7031611a-073b-40ef-913d-41e0f2150703.
=============================================================
This first appeared on Nightly builds of 2015061803. It ramped up in volume once merged to Aurora with builds from 2015063003
Comment 1•9 years ago
|
||
null pointer + offset crash?
Comment 2•9 years ago
|
||
looks like so.
Assignee | ||
Comment 3•9 years ago
|
||
Flags: needinfo?(amarchesini)
Attachment #8631115 -
Flags: review?(bugs)
Updated•9 years ago
|
Attachment #8631115 -
Flags: review?(bugs) → review+
Assignee | ||
Comment 4•9 years ago
|
||
Assignee: nobody → amarchesini
Comment 5•9 years ago
|
||
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox42:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
Assignee | ||
Comment 7•9 years ago
|
||
Comment on attachment 8631115 [details] [diff] [review]
mc2.patch
Approval Request Comment
[Feature/regressing bug #]: MessagePort/MessageChannel
[User impact if declined]: a crash
[Describe test coverage new/current, TreeHerder]: none. it's very racy.
[Risks and why]: none. the patch replaces a MOZ_ASSERT() with a if(..) return;
[String/UUID change made/needed]: none.
Attachment #8631115 -
Flags: approval-mozilla-aurora?
Comment 8•9 years ago
|
||
Comment on attachment 8631115 [details] [diff] [review]
mc2.patch
Minimal risk, the patch replaces a MOZ_ASSERT() with a if(..) return; and is not causing issues on m-c.
Attachment #8631115 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 9•9 years ago
|
||
Comment 10•9 years ago
|
||
The signature still shows up in 41.0b1: https://crash-stats.mozilla.com/signature/?product=Firefox&version=41.0b1&signature=mozilla%3A%3Adom%3A%3AMessagePort%3A%3ARemoveDocFromBFCache%28%29&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&page=1
Andrea, do we need to reopen this?
Flags: needinfo?(amarchesini)
Comment 11•9 years ago
|
||
I would say yes. (Or a new bug; I don't care which)
In those crash reports, it is not |window| that is null. It is |this| that is null, which means that |mPort| is null here:
bool
MessagePortChild::RecvReceiveData(nsTArray<MessagePortMessage>&& aMessages)
{
MOZ_ASSERT(mPort);
mPort->MessagesReceived(aMessages);
return true;
}
Assignee | ||
Comment 12•9 years ago
|
||
What I suspect is happening here is:
1. port1 is sending data
2. port2.close() -> we set mPort to null in the actor
3. port2 receives data before that the close() operation is managed by the MessagePortService.
Status: RESOLVED → REOPENED
Flags: needinfo?(amarchesini)
Resolution: FIXED → ---
Assignee | ||
Comment 13•9 years ago
|
||
Attachment #8648058 -
Flags: review?(bugs)
Comment 14•9 years ago
|
||
Comment on attachment 8648058 [details] [diff] [review]
crash.patch
I would have opened a new bug for this patch. Easier to track what has been fixed and where.
Attachment #8648058 -
Flags: review?(bugs) → review+
Assignee | ||
Comment 15•9 years ago
|
||
Assignee | ||
Comment 16•9 years ago
|
||
Comment on attachment 8648058 [details] [diff] [review]
crash.patch
Approval Request Comment
[Feature/regressing bug #]: MessagePort/Channel
[User impact if declined]: a crash can happen
[Describe test coverage new/current, TreeHerder]: race condition
[Risks and why]: no risk. We just add a if() check.
[String/UUID change made/needed]: none
Attachment #8648058 -
Flags: approval-mozilla-aurora?
Comment 17•9 years ago
|
||
Only aurora? This crash signature is seen on beta as well. (v41 has become beta in the time since comment 6)
Assignee | ||
Comment 18•9 years ago
|
||
Comment on attachment 8648058 [details] [diff] [review]
crash.patch
Approval Request Comment
[Feature/regressing bug #]: MessagePort/Channel
[User impact if declined]: a crash can happen
[Describe test coverage new/current, TreeHerder]: race condition hard to reproduce.
[Risks and why]: none
[String/UUID change made/needed]: none
Attachment #8648058 -
Flags: approval-mozilla-beta?
Comment on attachment 8648058 [details] [diff] [review]
crash.patch
Crash fix, let's uplift to Aurora and Beta.
Attachment #8648058 -
Flags: approval-mozilla-beta?
Attachment #8648058 -
Flags: approval-mozilla-beta+
Attachment #8648058 -
Flags: approval-mozilla-aurora?
Attachment #8648058 -
Flags: approval-mozilla-aurora+
Status: REOPENED → RESOLVED
Closed: 9 years ago → 9 years ago
status-firefox43:
--- → fixed
Resolution: --- → FIXED
Comment 23•9 years ago
|
||
Updated•9 years ago
|
Target Milestone: mozilla42 → mozilla43
Comment 24•9 years ago
|
||
You need to log in
before you can comment on or make changes to this bug.
Description
•