crash in mozilla::dom::MessagePort::RemoveDocFromBFCache()

RESOLVED FIXED in Firefox 41

Status

defect
--
critical
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: tracy, Assigned: baku)

Tracking

({crash, topcrash-win})

41 Branch
mozilla43
Unspecified
Windows NT

Firefox Tracking Flags

(firefox41 fixed, firefox42 fixed, firefox43 fixed)

Attachments

(2 attachments)

This bug was filed from the Socorro interface and is report bp-7031611a-073b-40ef-913d-41e0f2150703.
=============================================================

This first appeared on Nightly builds of 2015061803. It ramped up in volume once merged to Aurora with builds from 2015063003.
Blocks: 911972
Flags: needinfo?(amarchesini)
null pointer + offset crash?
looks like so.
Posted patch mc2.patch
Flags: needinfo?(amarchesini)
Attachment #8631115 - Flags: review?(bugs)
Attachment #8631115 - Flags: review?(bugs) → review+
https://hg.mozilla.org/mozilla-central/rev/ce51b85a39bc
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
Can you please uplift to aurora?
Comment on attachment 8631115 [details] [diff] [review]
mc2.patch

Approval Request Comment
[Feature/regressing bug #]: MessagePort/MessageChannel
[User impact if declined]: a crash
[Describe test coverage new/current, TreeHerder]: none. it's very racy.
[Risks and why]: none. the patch replaces a MOZ_ASSERT() with an if(..) return;
[String/UUID change made/needed]: none.
Attachment #8631115 - Flags: approval-mozilla-aurora?
Comment on attachment 8631115 [details] [diff] [review]
mc2.patch

Minimal risk, the patch replaces a MOZ_ASSERT() with an if(..) return; and is not causing issues on m-c.
Attachment #8631115 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
I would say yes. (Or a new bug; I don't care which)

In those crash reports, it is not |window| that is null. It is |this| that is null, which means that |mPort| is null here:

bool
MessagePortChild::RecvReceiveData(nsTArray<MessagePortMessage>&& aMessages)
{
  MOZ_ASSERT(mPort);
  mPort->MessagesReceived(aMessages);
  return true;
}
What I suspect is happening here is:

1. port1 is sending data
2. port2.close() -> we set mPort to null in the actor
3. port2 receives data before the close() operation is managed by the MessagePortService.
Status: RESOLVED → REOPENED
Flags: needinfo?(amarchesini)
Resolution: FIXED → ---
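
The ordering suspected in the comment above, replayed deterministically as an added C++ example (not Mozilla's code and not either attached patch). `Port`, `PortActor`, `PortClosed` and `ReplayCloseRace` are hypothetical stand-ins, and the null check in `RecvReceiveData` is an assumed form of the guard, since the patch contents are not shown on this page.

```cpp
#include <cstdio>
#include <deque>
#include <string>
#include <vector>

// Hypothetical stand-ins for the classes named in the bug; not Gecko code.
using Batch = std::vector<std::string>;
struct Port {
  Batch received;
  void MessagesReceived(const Batch& aMessages) {
    received.insert(received.end(), aMessages.begin(), aMessages.end());
  }
};

// Child-side actor holding a raw back-pointer to its port.
struct PortActor {
  Port* mPort = nullptr;
  std::size_t mDropped = 0;
  // port.close(): the back-pointer is cleared immediately.
  void PortClosed() { mPort = nullptr; }
  // Guarded handler: a batch in flight at close() is dropped, not dereferenced.
  bool RecvReceiveData(const Batch& aMessages) {
    if (!mPort) { mDropped += aMessages.size(); return true; }
    mPort->MessagesReceived(aMessages);
    return true;
  }
};
struct Result { std::size_t delivered; std::size_t dropped; };

// Replays the three-step ordering from the comment through a queue, so the
// interleaving is deterministic (message names are constructed samples).
Result ReplayCloseRace() {
  Port port2;
  PortActor actor;
  actor.mPort = &port2;
  std::deque<Batch> inFlight;
  actor.RecvReceiveData(Batch{"m0"});     // delivered while port2 is open
  inFlight.push_back(Batch{"m1", "m2"});  // 1. port1 is sending data
  actor.PortClosed();                     // 2. port2.close() nulls mPort
  while (!inFlight.empty()) {             // 3. data arrives after the close
    actor.RecvReceiveData(inFlight.front());
    inFlight.pop_front();
  }
  return {port2.received.size(), actor.mDropped};
}

int main() {
  Result r = ReplayCloseRace();
  std::printf("delivered=%zu dropped=%zu\n", r.delivered, r.dropped);
}
```

Without the `if (!mPort)` line, step 3 calls through a null `mPort`, which matches the `|this|` is null observation in the crash reports.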
Posted patch crash.patch
Attachment #8648058 - Flags: review?(bugs)
Blocks: 1195584
Comment on attachment 8648058 [details] [diff] [review]
crash.patch

I would have opened a new bug for this patch. Easier to track what has been fixed and where.
Attachment #8648058 - Flags: review?(bugs) → review+
Comment on attachment 8648058 [details] [diff] [review]
crash.patch

Approval Request Comment
[Feature/regressing bug #]: MessagePort/Channel
[User impact if declined]: a crash can happen
[Describe test coverage new/current, TreeHerder]: race condition
[Risks and why]: no risk. We just add an if() check.
[String/UUID change made/needed]: none
Attachment #8648058 - Flags: approval-mozilla-aurora?
Only aurora? This crash signature is seen on beta as well. (v41 has become beta in the time since comment 6)
Comment on attachment 8648058 [details] [diff] [review]
crash.patch

Approval Request Comment
[Feature/regressing bug #]: MessagePort/Channel
[User impact if declined]: a crash can happen
[Describe test coverage new/current, TreeHerder]: race condition hard to reproduce.
[Risks and why]: none 
[String/UUID change made/needed]: none
Attachment #8648058 - Flags: approval-mozilla-beta?
Comment on attachment 8648058 [details] [diff] [review]
crash.patch

Crash fix, let's uplift to Aurora and Beta.
Attachment #8648058 - Flags: approval-mozilla-beta?
Attachment #8648058 - Flags: approval-mozilla-beta+
Attachment #8648058 - Flags: approval-mozilla-aurora?
Attachment #8648058 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/mozilla-central/rev/6411f2fcd3ec
Status: REOPENED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Duplicate of this bug: 1195584
Duplicate of this bug: 1189791
Target Milestone: mozilla42 → mozilla43