Closed Bug 1181595 Opened 9 years ago Closed 9 years ago

crash in mozilla::dom::MessagePort::RemoveDocFromBFCache()

Categories

(Core :: DOM: Content Processes, defect)

41 Branch
Unspecified
Windows NT
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla43
Tracking Status
firefox41 --- fixed
firefox42 --- fixed
firefox43 --- fixed

People

(Reporter: tracy, Assigned: baku)

References

Details

(Keywords: crash, topcrash-win)

Crash Data

Attachments

(2 files)

This bug was filed from the Socorro interface and is report bp-7031611a-073b-40ef-913d-41e0f2150703. ============================================================= This first appeared on Nightly builds of 2015061803. It ramped up in volume once merged to Aurora with builds from 2015063003
Blocks: 911972
Flags: needinfo?(amarchesini)
null pointer + offset crash?
looks like so.
Attached patch mc2.patchSplinter Review
Flags: needinfo?(amarchesini)
Attachment #8631115 - Flags: review?(bugs)
Attachment #8631115 - Flags: review?(bugs) → review+
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
Can you please uplift to aurora?
Comment on attachment 8631115 [details] [diff] [review] mc2.patch Approval Request Comment [Feature/regressing bug #]: MessagePort/MessageChannel [User impact if declined]: a crash [Describe test coverage new/current, TreeHerder]: none. it's very racy. [Risks and why]: none. the patch replaces a MOZ_ASSERT() with a if(..) return; [String/UUID change made/needed]: none.
Attachment #8631115 - Flags: approval-mozilla-aurora?
Comment on attachment 8631115 [details] [diff] [review] mc2.patch Minimal risk, the patch replaces a MOZ_ASSERT() with a if(..) return; and is not causing issues on m-c.
Attachment #8631115 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
I would say yes. (Or a new bug; I don't care which) In those crash reports, it is not |window| that is null. It is |this| that is null, which means that |mPort| is null here: bool MessagePortChild::RecvReceiveData(nsTArray<MessagePortMessage>&& aMessages) { MOZ_ASSERT(mPort); mPort->MessagesReceived(aMessages); return true; }
What I suspect is happening here is: 1. port1 is sending data 2. port2.close() -> we set mPort to null in the actor 3. port2 receives data before that the close() operation is managed by the MessagePortService.
Status: RESOLVED → REOPENED
Flags: needinfo?(amarchesini)
Resolution: FIXED → ---
Attached patch crash.patchSplinter Review
Attachment #8648058 - Flags: review?(bugs)
Blocks: 1195584
Comment on attachment 8648058 [details] [diff] [review] crash.patch I would have opened a new bug for this patch. Easier to track what has been fixed and where.
Attachment #8648058 - Flags: review?(bugs) → review+
Comment on attachment 8648058 [details] [diff] [review] crash.patch Approval Request Comment [Feature/regressing bug #]: MessagePort/Channel [User impact if declined]: a crash can happen [Describe test coverage new/current, TreeHerder]: race condition [Risks and why]: no risk. We just add a if() check. [String/UUID change made/needed]: none
Attachment #8648058 - Flags: approval-mozilla-aurora?
Only aurora? This crash signature is seen on beta as well. (v41 has become beta in the time since comment 6)
Comment on attachment 8648058 [details] [diff] [review] crash.patch Approval Request Comment [Feature/regressing bug #]: MessagePort/Channel [User impact if declined]: a crash can happen [Describe test coverage new/current, TreeHerder]: race condition hard to reproduce. [Risks and why]: none [String/UUID change made/needed]: none
Attachment #8648058 - Flags: approval-mozilla-beta?
Comment on attachment 8648058 [details] [diff] [review] crash.patch Crash fix, let's uplift to Aurora and Beta.
Attachment #8648058 - Flags: approval-mozilla-beta?
Attachment #8648058 - Flags: approval-mozilla-beta+
Attachment #8648058 - Flags: approval-mozilla-aurora?
Attachment #8648058 - Flags: approval-mozilla-aurora+
Status: REOPENED → RESOLVED
Closed: 9 years ago9 years ago
Resolution: --- → FIXED
Target Milestone: mozilla42 → mozilla43
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: