Closed Bug 1181595 Opened 8 years ago Closed 8 years ago

crash in mozilla::dom::MessagePort::RemoveDocFromBFCache()

Categories

(Core :: DOM: Content Processes, defect)

Product:
Core
Component:
DOM: Content Processes
Version:
41 Branch
Platform:
Unspecified
Windows NT
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla43
Tracking Flags:
Tracking Status
firefox41 --- fixed
firefox42 --- fixed
firefox43 --- fixed

People

(Reporter: tracy, Assigned: baku)

References

Details

(Keywords: crash, topcrash-win)

Crash Data

Attachments

(2 files)

mc2.patch
721 bytes, patch
smaug
: review+
kglazko
: approval-mozilla-aurora+
Details | Diff | Splinter Review
crash.patch
780 bytes, patch
smaug
: review+
ritu
: approval-mozilla-aurora+
ritu
: approval-mozilla-beta+
Details | Diff | Splinter Review 
This bug was filed from the Socorro interface and is 
report bp-7031611a-073b-40ef-913d-41e0f2150703.
=============================================================

This first appeared on Nightly builds of 2015061803. It ramped up in volume once merged to Aurora with builds from 2015063003
Blocks: 911972
Flags: needinfo?(amarchesini)
null pointer + offset crash?
looks like so.
Attached patch mc2.patchSplinter Review 
Flags: needinfo?(amarchesini)

        Attachment #8631115 -
        Flags: review?(bugs)

        Attachment #8631115 -
        Flags: review?(bugs) → review+

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/ce51b85a39bc
Status: NEW → RESOLVED
Closed: 8 years ago

          status-firefox42:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla42

    
    

    
  
Can you please uplift to aurora?

          status-firefox41:
          --- → affected

    
    

    
  
Comment on attachment 8631115 [details] [diff] [review]
mc2.patch

Approval Request Comment
[Feature/regressing bug #]: MessagePort/MessageChannel
[User impact if declined]: a crash
[Describe test coverage new/current, TreeHerder]: none. it's very racy.
[Risks and why]: none. the patch replaces a MOZ_ASSERT() with a if(..) return;
[String/UUID change made/needed]: none.

        Attachment #8631115 -
        Flags: approval-mozilla-aurora?

    
    

    
  
Comment on attachment 8631115 [details] [diff] [review]
mc2.patch

Minimal risk, the patch replaces a MOZ_ASSERT() with a if(..) return; and is not causing issues on m-c.

        Attachment #8631115 -
        Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

    
    

    
  
I would say yes. (Or a new bug; I don't care which)

In those crash reports, it is not |window| that is null. It is |this| that is null, which means that |mPort| is null here:

bool
MessagePortChild::RecvReceiveData(nsTArray<MessagePortMessage>&& aMessages)
{
  MOZ_ASSERT(mPort);
  mPort->MessagesReceived(aMessages);
  return true;
}

    
    

    
  
What I suspect is happening here is:

1. port1 is sending data
2. port2.close() -> we set mPort to null in the actor
3. port2 receives data before that the close() operation is managed by the MessagePortService.
Status: RESOLVED → REOPENED
Flags: needinfo?(amarchesini)
Resolution: FIXED → ---

    
    

    
  

      
      
      
      

        Attached patch
          
          
        crash.patchSplinter Review
      

    


  

        Attachment #8648058 -
        Flags: review?(bugs)

    
  
Blocks: 1195584

    
    

    
  
Comment on attachment 8648058 [details] [diff] [review]
crash.patch

I would have opened a new bug for this patch. Easier to track what has been fixed and where.

        Attachment #8648058 -
        Flags: review?(bugs) → review+

    
    

    
  
Comment on attachment 8648058 [details] [diff] [review]
crash.patch

Approval Request Comment
[Feature/regressing bug #]: MessagePort/Channel
[User impact if declined]: a crash can happen
[Describe test coverage new/current, TreeHerder]: race condition
[Risks and why]: no risk. We just add a if() check.
[String/UUID change made/needed]: none

        Attachment #8648058 -
        Flags: approval-mozilla-aurora?

    
    

    
  
Only aurora? This crash signature is seen on beta as well. (v41 has become beta in the time since comment 6)

          status-firefox41:
          fixedaffected

          status-firefox42:
          fixedaffected

    
    

    
  
Comment on attachment 8648058 [details] [diff] [review]
crash.patch

Approval Request Comment
[Feature/regressing bug #]: MessagePort/Channel
[User impact if declined]: a crash can happen
[Describe test coverage new/current, TreeHerder]: race condition hard to reproduce.
[Risks and why]: none 
[String/UUID change made/needed]: none

        Attachment #8648058 -
        Flags: approval-mozilla-beta?

    
    

    
  
Comment on attachment 8648058 [details] [diff] [review]
crash.patch

Crash fix, let's uplift to Aurora and Beta.

        Attachment #8648058 -
        Flags: approval-mozilla-beta?

        Attachment #8648058 -
        Flags: approval-mozilla-beta+

        Attachment #8648058 -
        Flags: approval-mozilla-aurora?

        Attachment #8648058 -
        Flags: approval-mozilla-aurora+

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/6411f2fcd3ec
Status: REOPENED → RESOLVED
Closed: 8 years ago8 years ago

          status-firefox43:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: mozilla42 → mozilla43

          You need to log in
          before you can comment on or make changes to this bug.