Closed Bug 1183954 Opened 9 years ago Closed 9 years ago

"Hit MOZ_CRASH(nsStructuredCloneContainer not thread-safe)" with Notification from Worker

Categories

(Core :: DOM: Workers, defect)

Product:
Core
Component:
DOM: Workers
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla42
Tracking Flags:
Tracking Status
firefox40 --- unaffected
firefox41 + fixed
firefox42 --- fixed
firefox-esr38 --- unaffected
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.1S --- unaffected
b2g-v2.2 --- unaffected
b2g-v2.2r --- unaffected
b2g-master --- fixed

People

(Reporter: jruderman, Assigned: nsm)

References

Details

(4 keywords, Whiteboard: [post-critsmash-triage][b2g-adv-main2.5-])

Attachments

(5 files, 1 obsolete file)

testcase
123 bytes, text/html
Details
stack
4.39 KB, text/plain
Details
Fix Notification.data structured cloning on workers.
20.88 KB, patch
mccr8
: review+
robertbindar
: review+
Details | Diff | Splinter Review
don't leak
1.98 KB, patch
khuey
: review+
Details | Diff | Splinter Review
Patch for beta.
17.96 KB, patch
ritu
: approval-mozilla-beta+
Details | Diff | Splinter Review
Attached file testcase 
In a debug build:

Hit MOZ_CRASH(nsStructuredCloneContainer not thread-safe) at dom/base/nsStructuredCloneContainer.cpp:25
Attached file stack 

    
    

    
  


  
Andrew, could you check the CC and Hold/DropJSObjects/ExposeActive for mData? This code runs on main thread and workers.

Robert for making sure I haven't broken any semantics.

        Attachment #8641295 -
        Flags: review?(continuation)

    
    

    
  
Comment on attachment 8641295 [details] [diff] [review]
Fix Notification.data structured cloning on workers.

Review of attachment 8641295 [details] [diff] [review]:
-----------------------------------------------------------------

The CC stuff looks good to me.

        Attachment #8641295 -
        Flags: review?(continuation) → review+

    
    

    
  
Comment on attachment 8641295 [details] [diff] [review]
Fix Notification.data structured cloning on workers.

Review of attachment 8641295 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks Nikhil! lgtm, if the tests are green we're good to go.

        Attachment #8641295 -
        Flags: review?(robertbindar) → review+

    
    

    
  
url:        https://hg.mozilla.org/integration/mozilla-inbound/rev/02652b4367625e2771366b18bf2e95753c240e26
changeset:  02652b4367625e2771366b18bf2e95753c240e26
user:       Nikhil Marathe <nsm.nikhil@gmail.com>
date:       Thu Jul 30 12:44:14 2015 -0700
description:
Bug 1183954 - Fix Notification.data structured cloning on workers. r=robertbindar,mccr8

Rather than store a non-thread-safe refcounted nsIStructuredCloneContainer, store the base64 representation.
Caches a jsval the first time an attempt to access data is made from content script.

    
    

    
  
Comment on attachment 8641295 [details] [diff] [review]
Fix Notification.data structured cloning on workers.

Approval Request Comment
[Feature/regressing bug #]: Bug 916893
[User impact if declined]: Crash when creating a Notification on worker with the data field set.
[Describe test coverage new/current, TreeHerder]: Added structured clone tests in dom/workers/
[Risks and why]: No risk to taking this patch.
[String/UUID change made/needed]: None.

        Attachment #8641295 -
        Flags: approval-mozilla-aurora?

    
    

    
  
Comment on attachment 8642090 [details] [diff] [review]
Patch for aurora.

Approval Request Comment
[Feature/regressing bug #]: Bug 916893
[User impact if declined]: Crash when creating a Notification on worker with the data field set.
[Describe test coverage new/current, TreeHerder]: Added structured clone tests in dom/workers/
[Risks and why]: No risk to taking this patch.
[String/UUID change made/needed]: None.

        Attachment #8642090 -
        Flags: approval-mozilla-aurora?

    
    

    
  
(In reply to Olli Pettay [:smaug] from comment #11)
> And because of 'auto' hiding raw pointer usage we nicely leak here.
> https://treeherder.mozilla.org/logviewer.html#?job_id=12395451&repo=mozilla-
> inbound

Yeah, that's bad.  Wonder if we can use static analysis to catch these kinds of mistakes.

    
    

    
  
FYI, I'm about to land a fix for the leak.

    
    

    
  
Comment on attachment 8642151 [details] [diff] [review]
don't leak

Review of attachment 8642151 [details] [diff] [review]:
-----------------------------------------------------------------

Not that it matters, but r=me.

        Attachment #8642151 -
        Flags: review+

    
    

    
  
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #12)
> (In reply to Olli Pettay [:smaug] from comment #11)
> > And because of 'auto' hiding raw pointer usage we nicely leak here.
> > https://treeherder.mozilla.org/logviewer.html#?job_id=12395451&repo=mozilla-
> > inbound
> 
> Yeah, that's bad.  Wonder if we can use static analysis to catch these kinds
> of mistakes.

Perhaps provide a MakeRefPtr<> like MakeUnique<> and then have an analyzer enforce that for pointer types?

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/02652b436762
https://hg.mozilla.org/mozilla-central/rev/7921dfab7eb3
Status: NEW → RESOLVED
Closed: 9 years ago

          status-b2g-master:
          --- → fixed

          status-firefox42:
          affectedfixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla42

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch for beta.Splinter Review
      

    


  
Updated to include leak fixes. Please see previous approval request.

        Attachment #8642090 -
        Attachment is obsolete: true

        Attachment #8642090 -
        Flags: approval-mozilla-aurora?

        Attachment #8642484 -
        Flags: approval-mozilla-aurora?

    
    

    
  
Comment on attachment 8642484 [details] [diff] [review]
Patch for beta.

I think you meant beta as aurora is 42 (and fixed).

        Attachment #8642484 -
        Flags: approval-mozilla-aurora? → approval-mozilla-beta?

    
    

    
  
(In reply to Sylvestre Ledru [:sylvestre] from comment #19)
> Comment on attachment 8642484 [details] [diff] [review]
> Patch for aurora.
> 
> I think you meant beta as aurora is 42 (and fixed).

Well, I asked for approval before the branch. The previous comment still applies for beta approval.

    
    

    
  
Comment on attachment 8642484 [details] [diff] [review]
Patch for beta.

This really needs to  be uplifted. This patch should apply to beta too

        Attachment #8642484 -
        Attachment description: Patch for aurora. → Patch for beta.

    
    

    
  
Comment on attachment 8642484 [details] [diff] [review]
Patch for beta.

This patch has been in Nightly for over 2 weeks. Seems safe to uplift to Beta41.

        Attachment #8642484 -
        Flags: approval-mozilla-beta? → approval-mozilla-beta+

    
    

    
  
When I reviewed the patch I noticed that it does have a UUID change. Jorge, in the past Sylvestre asked me to check with you on the UUID changes. Do you see a concern here?
Flags: needinfo?(jorge)

    
    

    
  
Looks okay to me.
Flags: needinfo?(jorge)
Whiteboard: [post-critsmash-triage]

    
  
Group: core-security → core-security-release
Group: core-security-release
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][b2g-adv-main2.5-]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: