Closed Bug 1260441 Opened 4 years ago Closed 4 years ago

Crash at reboot on mc: SIGSEGV 0xb535210a in InterpreterFrameIterator (activation=0x0, this=0xbec32754) at ../../../gecko/js/src/vm/Stack.h:1640

Categories

(Core :: Storage: IndexedDB, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla48
Tracking Status
firefox48 --- fixed

People

(Reporter: gerard-majax, Assigned: gerard-majax)

References

Details

(Whiteboard: fixed-in-pine)

Attachments

(1 file, 1 obsolete file)

Program received signal SIGSEGV, Segmentation fault.
0xb535210a in InterpreterFrameIterator (activation=0x0, this=0xbec32754) at ../../../gecko/js/src/vm/Stack.h:1640
1640	        sp_(nullptr)
(gdb) bt
#0  0xb535210a in InterpreterFrameIterator (activation=0x0, this=0xbec32754) at ../../../gecko/js/src/vm/Stack.h:1640
#1  Data (principals=0x0, debuggerEvalOption=js::FrameIter::FOLLOW_DEBUGGER_EVAL_PREV_LINK, contextOption=js::FrameIter::CURRENT_CONTEXT, savedOption=js::FrameIter::STOP_AT_SAVED, cx=0x0, this=0xbec32738)
    at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/js/src/vm/Stack.cpp:613
#2  js::FrameIter::FrameIter (this=0xbec32738, cx=0x0, savedOption=js::FrameIter::STOP_AT_SAVED) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/js/src/vm/Stack.cpp:635
#3  0xb523d23a in NonBuiltinFrameIter (opt=js::FrameIter::STOP_AT_SAVED, cx=0x0, this=0xbec32738) at ../../../gecko/js/src/vm/Stack.h:1972
#4  JS::DescribeScriptedCaller (cx=cx@entry=0x0, filename=filename@entry=0xbec329a8, lineno=0xaf293c3c, column=0xaf293c40) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/js/src/jsapi.cpp:6263
#5  0xb4216730 in nsJSUtils::GetCallingLocation (aContext=aContext@entry=0x0, aFilename=..., aLineno=<optimized out>, aColumn=<optimized out>) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/base/nsJSUtils.cpp:54
#6  0xb4865566 in CaptureCaller (aColumn=<optimized out>, aLineNo=<optimized out>, aFilename=..., aCx=0x0) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/indexedDB/IDBRequest.cpp:196
#7  mozilla::dom::IDBRequest::Create (aCx=aCx@entry=0x0, aDatabase=0xaf108160, aTransaction=aTransaction@entry=0xaee6de50) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/indexedDB/IDBRequest.cpp:123
#8  0xb4865738 in mozilla::dom::IDBRequest::Create (aCx=aCx@entry=0x0, aSourceAsObjectStore=aSourceAsObjectStore@entry=0xafa5f800, aDatabase=<optimized out>, aTransaction=0xaee6de50)
    at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/indexedDB/IDBRequest.cpp:141
#9  0xb486576e in mozilla::dom::(anonymous namespace)::GenerateRequest (aCx=aCx@entry=0x0, aObjectStore=aObjectStore@entry=0xafa5f800) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/indexedDB/IDBObjectStore.cpp:208
#10 0xb4867414 in mozilla::dom::IDBObjectStore::OpenCursorInternal (this=0xafa5f800, aKeysOnly=aKeysOnly@entry=false, aCx=aCx@entry=0x0, aRange=..., aDirection=aDirection@entry=mozilla::dom::Prev, aRv=...)
    at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/indexedDB/IDBObjectStore.cpp:2141
#11 0xb464eec4 in OpenCursor (aRv=..., aDirection=mozilla::dom::Prev, this=<optimized out>) at ../../dist/include/mozilla/dom/IDBObjectStore.h:271
#12 mozilla::dom::FirstRevisionIdCallback::Run (this=0xad5c52e0, aDb=<optimized out>, aStatus=<optimized out>) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/datastore/DataStoreService.cpp:413
#13 0xb464edc8 in mozilla::dom::DataStoreDB::HandleEvent (this=0xad9deac0, aEvent=<optimized out>) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/datastore/DataStoreDB.cpp:192
#14 0xb467559a in mozilla::EventListenerManager::HandleEventSubType (this=this@entry=0xad5fd1c0, aListener=<optimized out>, aListener@entry=0xaf1f3c08, aDOMEvent=0xad9e7610, aCurrentTarget=aCurrentTarget@entry=0xaf1f3b80)
    at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/events/EventListenerManager.cpp:1099
#15 0xb4675806 in mozilla::EventListenerManager::HandleEventInternal (this=0xad5fd1c0, aPresContext=<optimized out>, aEvent=0xaf220d80, aDOMEvent=aDOMEvent@entry=0xbec33034, aCurrentTarget=aCurrentTarget@entry=0xaf1f3b80, 
    aEventStatus=aEventStatus@entry=0xbec33038) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/events/EventListenerManager.cpp:1270
#16 0xb4666d42 in HandleEvent (aEventStatus=0xbec33038, aCurrentTarget=0xaf1f3b80, aDOMEvent=0xbec33034, aEvent=<optimized out>, aPresContext=<optimized out>, this=<optimized out>) at ../../dist/include/mozilla/EventListenerManager.h:350
#17 mozilla::EventTargetChainItem::HandleEvent (this=<optimized out>, aVisitor=..., aCd=...) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/events/EventDispatcher.cpp:267
#18 0xb4666f5e in mozilla::EventTargetChainItem::HandleEventTargetChain (aChain=..., aVisitor=..., aCallback=aCallback@entry=0x0, aCd=...) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/events/EventDispatcher.cpp:369
#19 0xb466a8e8 in mozilla::EventDispatcher::Dispatch (aTarget=<optimized out>, aPresContext=aPresContext@entry=0x0, aEvent=aEvent@entry=0xaf220d80, aDOMEvent=aDOMEvent@entry=0xad9e7610, aEventStatus=0xbec330dc, aCallback=0x0, aTargets=0x0)
    at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/events/EventDispatcher.cpp:701
#20 0xb466ab1a in mozilla::EventDispatcher::DispatchDOMEvent (aTarget=0xaf1f3b80, aEvent=<optimized out>, aDOMEvent=0xad9e7610, aPresContext=0x0, aEventStatus=0xbec330dc)
    at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/events/EventDispatcher.cpp:770
#21 0xb466ab42 in mozilla::DOMEventTargetHelper::DispatchEvent (this=<optimized out>, aEvent=0xad9e7610, aRetVal=0xbec3316c) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/events/DOMEventTargetHelper.cpp:253
#22 0xb4868a46 in mozilla::dom::indexedDB::(anonymous namespace)::DispatchSuccessEvent (aResultHelper=aResultHelper@entry=0xbec331f4, aEvent=0xad9e7610) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/indexedDB/ActorsChild.cpp:811
#23 0xb4868b1e in mozilla::dom::indexedDB::BackgroundFactoryRequestChild::HandleResponse (this=this@entry=0xad9e8940, aResponse=...) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/indexedDB/ActorsChild.cpp:1315
#24 0xb486bc4e in mozilla::dom::indexedDB::BackgroundFactoryRequestChild::Recv__delete__ (this=0xad9e8940, aResponse=...) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/indexedDB/ActorsChild.cpp:1374
#25 0xb3e9cde2 in mozilla::dom::indexedDB::PBackgroundIDBFactoryRequestChild::OnMessageReceived (this=0xad9e8948, msg__=...) at PBackgroundIDBFactoryRequestChild.cpp:176
#26 0xb3e1cfa0 in mozilla::ipc::PBackgroundChild::OnMessageReceived (this=0xaeae3c00, msg__=...) at PBackgroundChild.cpp:1721
#27 0xb3df9d2e in mozilla::ipc::MessageChannel::DispatchAsyncMessage (this=0xaeae3c38, aMsg=...) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/ipc/glue/MessageChannel.cpp:1630
#28 0xb3dfed84 in mozilla::ipc::MessageChannel::DispatchMessage (this=this@entry=0xaeae3c38, aMsg=...) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/ipc/glue/MessageChannel.cpp:1568
#29 0xb3dffa92 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne (this=0xaeae3c38) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/ipc/glue/MessageChannel.cpp:1535
#30 0xb3de622e in MessageLoop::RunTask (this=0xb1cc71a0, task=0xaf2d5fd0) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/ipc/chromium/src/base/message_loop.cc:364
#31 0xb3de8e6c in MessageLoop::DeferOrRunPendingTask (this=<optimized out>, pending_task=...) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/ipc/chromium/src/base/message_loop.cc:372
#32 0xb3deab36 in MessageLoop::DoWork (this=0xb1cc71a0) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/ipc/chromium/src/base/message_loop.cc:459
#33 0xb3df6556 in mozilla::ipc::DoWorkRunnable::Run (this=<optimized out>) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/ipc/glue/MessagePump.cpp:222
#34 0xb3c751f0 in nsThread::ProcessNextEvent (this=0xb6a02550, aMayWait=<optimized out>, aResult=0xbec334f7) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/xpcom/threads/nsThread.cpp:994
#35 0xb3c8631c in NS_ProcessNextEvent (aThread=<optimized out>, aMayWait=aMayWait@entry=false) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/xpcom/glue/nsThreadUtils.cpp:297
#36 0xb3df6e60 in mozilla::ipc::MessagePump::Run (this=0xb6a55460, aDelegate=0xb1cc71a0) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/ipc/glue/MessagePump.cpp:97
#37 0xb3de626e in RunHandler (this=0xb1cc71a0) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/ipc/chromium/src/base/message_loop.cc:227
#38 MessageLoop::Run (this=0xb1cc71a0) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/ipc/chromium/src/base/message_loop.cc:201
#39 0xb49764aa in nsBaseAppShell::Run (this=0xaff0b520) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/widget/nsBaseAppShell.cpp:156
#40 0xb4d228aa in nsAppStartup::Run (this=0xb055d310) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/toolkit/components/startup/nsAppStartup.cpp:281
#41 0xb4d46634 in XREMain::XRE_mainRun (this=this@entry=0xbec33668) at ../../../gecko/toolkit/xre/nsAppRunner.cpp:4342
#42 0xb4d468c0 in XREMain::XRE_main (this=this@entry=0xbec33668, argc=argc@entry=1, argv=argv@entry=0xb6a2b0d0, aAppData=aAppData@entry=0xb6f99d60 <_ZL8sAppData>) at ../../../gecko/toolkit/xre/nsAppRunner.cpp:4439
#43 0xb4d46a9e in XRE_main (argc=1, argv=0xb6a2b0d0, aAppData=0xb6f99d60 <_ZL8sAppData>, aFlags=<optimized out>) at ../../../gecko/toolkit/xre/nsAppRunner.cpp:4545
#44 0xb6f7bae6 in do_main (argc=argc@entry=1, argv=argv@entry=0xb6a2b0d0) at ../../../gecko/b2g/app/nsBrowserApp.cpp:167
#45 0xb6f7bc08 in b2g_main (argc=1, argv=<optimized out>) at ../../../gecko/b2g/app/nsBrowserApp.cpp:299
#46 0xb6f7b980 in RunProcesses (aReservedFds=..., argv=0xbec34954, argc=1) at ../../../gecko/b2g/app/B2GLoader.cpp:233
#47 main (argc=1, argv=0xbec34954) at ../../../gecko/b2g/app/B2GLoader.cpp:300

STR:
 1. Boot B2G successfully
 2. Reboot

Expected:
 Boots properly

Actual:
 Crash as documented above.

I have checked; this is not because of time skew.
Code has been changed by bug 1257422 and/or bug 1257725 and/or bug 1257335
Boris, do you see anything obvious within the stack?
Flags: needinfo?(bzbarsky)
> #10 0xb4867414 in mozilla::dom::IDBObjectStore::OpenCursorInternal (this=0xafa5f800, aKeysOnly=aKeysOnly@entry=false, aCx=aCx@entry=0x0, aRange=..., aDirection=aDirection@entry=mozilla::dom::Prev, aRv=...) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/indexedDB/IDBObjectStore.cpp:2141

is being changed by Bug 1257725 part 5.
With some debug printf:
> 03-29 11:28:38.269 18216 18216 I Gecko   : XXXX !!!! IDBObjectStore::OpenCursorInternal(): 1 aCx=0xb1cd93d0
> 03-29 11:28:38.269 18216 18216 I Gecko   : XXXX !!!! IDBObjectStore::OpenCursorInternal(): 2 aCx=0xb1cd93d0
> 03-29 11:28:38.269 18216 18216 I Gecko   : XXXX !!!! IDBObjectStore::OpenCursorInternal(): 3 aCx=0xb1cd93d0
> 03-29 11:28:38.279 18216 18216 I Gecko   : XXXX !!!! IDBObjectStore::OpenCursorInternal(): 1 aCx=0xb1cd93d0
> 03-29 11:28:38.279 18216 18216 I Gecko   : XXXX !!!! IDBObjectStore::OpenCursorInternal(): 2 aCx=0xb1cd93d0
> 03-29 11:28:38.279 18216 18216 I Gecko   : XXXX !!!! IDBObjectStore::OpenCursorInternal(): 3 aCx=0xb1cd93d0
> 03-29 11:28:38.279 18216 18216 I Gecko   : XXXX !!!! IDBObjectStore::OpenCursorInternal(): 1 aCx=0x0
> 03-29 11:28:38.279 18216 18216 I Gecko   : XXXX !!!! IDBObjectStore::OpenCursorInternal(): 2 aCx=0x0
> 03-29 11:28:38.279 18216 18216 I Gecko   : XXXX !!!! IDBObjectStore::OpenCursorInternal(): 3 aCx=0x0
aCx is being passed as a null pointer explicitly in https://dxr.mozilla.org/mozilla-central/source/dom/indexedDB/IDBObjectStore.h#270 and this matches the stack.
As far as I can tell, we are entering with aCx == nullptr AND aRange.isUndefined() == true. This is exactly what is expected by bug 1257422 part 1.
Attached patch workaround (obsolete) — Splinter Review
So, as much as I could read, sending null aCx is something we do on purpose. My guess up to now is that the call path reaches Create() around line 123, which gets call-site info from the JS context. And since we are in a case without a context, this makes no sense/cannot be extracted. Hence this simple workaround.

So far, this makes my device boot as expected.
Flags: needinfo?(khuey)
Comment on attachment 8735897 [details] [diff] [review]
workaround

>diff --git a/dom/indexedDB/IDBRequest.cpp b/dom/indexedDB/IDBRequest.cpp
>index beeefeb..5739c25 100644
>--- a/dom/indexedDB/IDBRequest.cpp
>+++ b/dom/indexedDB/IDBRequest.cpp
>@@ -120,7 +120,9 @@ IDBRequest::Create(JSContext* aCx,
>   aDatabase->AssertIsOnOwningThread();
> 
>   RefPtr<IDBRequest> request = new IDBRequest(aDatabase);
>-  CaptureCaller(aCx, request->mFilename, &request->mLineNo, &request->mColumn);
>+  if (aCx) {
>+    CaptureCaller(aCx, request->mFilename, &request->mLineNo, &request->mColumn);
>+  }
> 
>   request->mTransaction = aTransaction;
>   request->SetScriptOwner(aDatabase->GetScriptOwner());
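Review bot: the `if (aCx)` guard avoids the null dereference inside CaptureCaller, but on the null-context path `request->mFilename`, `mLineNo` and `mColumn` keep whatever IDBRequest's constructor gave them, so the request silently carries no caller location. Since the null is passed deliberately by the OpenCursor overload (IDBObjectStore.h:270), the durable fix is at that call site (give the overload a JSContext) rather than widening Create's tolerance; if this lands as an interim, a comment next to the guard stating that only that path passes null would keep the contract visible.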
Attachment #8735897 - Attachment is patch: true
Flags: needinfo?(khuey)
Component: JavaScript Engine → DOM: IndexedDB
Comment on attachment 8735897 [details] [diff] [review]
workaround

Seems fine. Is this the only thing that blows up?
Attachment #8735897 - Flags: review+
Given that we're now using aCx for something other than key parsing, the whole "pass null" thing is just wrong.  We should stop doing that.  Instead, we should change the one OpenCursor signature that does not take a JSContext to take one, and change its one caller to put an AutoJSAPI on the stack....
Flags: needinfo?(bzbarsky)
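An added example (not code from Gecko or from this bug's patches) contrasting the two approaches discussed here: the obsolete guard in IDBRequest::Create that skips caller capture when the context is null, and the landed fix of making the context mandatory, with the non-script caller holding an AutoJSAPI and MOZ_ASSERT_IF(!aCx, ...) becoming MOZ_ASSERT(aCx). Context, AutoContext, DescribeCaller, Request, DEMO_ASSERT and the location strings are hypothetical stand-ins for JSContext, AutoJSAPI, JS::DescribeScriptedCaller, IDBRequest and MOZ_ASSERT.

```cpp
// Added example, not Gecko code. Models the two fixes discussed in bug 1260441:
// a null-tolerant guard in Create() versus a mandatory context asserted at entry.
#include <cassert>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <utility>

// Hypothetical stand-in for JSContext: records where script is currently running.
struct Context {
    std::string filename;
    uint32_t lineno = 0;
    uint32_t column = 0;
};

// Stand-in for MOZ_ASSERT. Gecko's aborts in debug builds; this one throws so the
// contract violation is observable from a test instead of killing the process.
#define DEMO_ASSERT(cond) \
    do { if (!(cond)) throw std::logic_error("assertion failed: " #cond); } while (0)

// Stand-in for JS::DescribeScriptedCaller: it dereferences cx unconditionally,
// which is where the backtrace in this bug faults when aCx == nullptr.
static void DescribeCaller(const Context* cx, std::string* filename,
                           uint32_t* lineno, uint32_t* column) {
    *filename = cx->filename;   // a null cx faults here (the SIGSEGV in FrameIter)
    *lineno = cx->lineno;
    *column = cx->column;
}

// Stand-in for IDBRequest: the caller location is kept for later error reporting.
struct Request {
    std::string mFilename;
    uint32_t mLineNo = 0;
    uint32_t mColumn = 0;
};

// Approach 1: the obsolete workaround. A null cx no longer crashes, but the
// request silently carries no caller location and the bad caller goes unnoticed.
Request CreateWithGuard(const Context* cx) {
    Request request;
    if (cx) {
        DescribeCaller(cx, &request.mFilename, &request.mLineNo, &request.mColumn);
    }
    return request;
}

// Approach 2: the landed fix. The context is part of the contract, so the
// conditional MOZ_ASSERT_IF(!aCx, aRange.isUndefined()) becomes an unconditional
// MOZ_ASSERT(aCx), and a null caller fails at the API boundary, not deep in the engine.
Request CreateStrict(const Context* cx) {
    DEMO_ASSERT(cx);
    Request request;
    DescribeCaller(cx, &request.mFilename, &request.mLineNo, &request.mColumn);
    return request;
}

// Stand-in for AutoJSAPI: an RAII object that native code puts on the stack to
// obtain a valid context for the duration of the call.
class AutoContext {
public:
    AutoContext(std::string where, uint32_t line) : mCx{std::move(where), line, 0} {}
    const Context* cx() const { return &mCx; }
private:
    Context mCx;
};

// Mirrors the DataStoreService call site in the backtrace (frame #12): native code
// with no script on the stack that still needs to open a cursor. The location
// string and line are constructed values for this example.
Request OpenCursorFromNativeCode() {
    AutoContext jsapi("native://DataStoreService", 413);
    return CreateStrict(jsapi.cx());
}

// True if CreateStrict rejects a null context before reaching DescribeCaller.
bool StrictRejectsNull() {
    try {
        CreateStrict(nullptr);
    } catch (const std::logic_error&) {
        return true;
    }
    return false;
}
```

The guard version keeps the process alive but turns a caller bug into missing data that nothing reports; the strict version makes the requirement explicit at the entry point, so a future caller that forgets the AutoJSAPI fails in a debug build with a message naming the assertion rather than with a SIGSEGV several frames down in the JS engine.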
(In reply to Boris Zbarsky [:bz] from comment #11)
> Given that we're now using aCx for something other than key parsing, the
> whole "pass null" thing is just wrong.  We should stop doing that.  Instead,
> we should change the one OpenCursor signature that does not take a JSContext
> to take one, and change its one caller to put an AutoJSAPI on the stack....

Thanks, I'll do this.
Duplicate of this bug: 1259646
Comment on attachment 8736276 [details]
MozReview Request: Bug 1260441 - Never pass a null js context to OpenCursor() r?bz

https://reviewboard.mozilla.org/r/43197/#review39773

::: dom/datastore/DataStoreService.cpp:32
(Diff revision 1)
>  #include "mozilla/dom/IDBTransaction.h"
>  #include "mozilla/dom/PermissionMessageUtils.h"
>  #include "mozilla/dom/Promise.h"
>  #include "mozilla/unused.h"
>  
> +#include "jsapi.h"

You don't need that here.  What you do need is mozilla/dom/ScriptSettings.h

::: dom/indexedDB/IDBObjectStore.h:271
(Diff revision 1)
> +             IDBCursorDirection aDirection,
>               ErrorResult& aRv)
>    {
>      AssertIsOnOwningThread();
>  
> -    return OpenCursorInternal(/* aKeysOnly */ false, nullptr,
> +    return OpenCursorInternal(/* aKeysOnly */ false, aCx,
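Review bot: forwarding aCx here is the right direction, but after this change OpenCursorInternal still carries the MOZ_ASSERT_IF(!aCx, aRange.isUndefined()) check and comments describing a null aCx as acceptable, so the null path remains documented as legitimate even though no caller takes it any more; tightening that check to MOZ_ASSERT(aCx) and dropping those comments makes a future null caller fail at the entry point in a debug build instead of inside DescribeScriptedCaller.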

Please remove the comments on OpenCursorInternal that claim passing null aCx is acceptable.  Also, please change the assert at the beginning of OpenCursorInternal to just MOZ_ASSERT(aCx).

r=me with those fixed.
Attachment #8736276 - Flags: review?(bzbarsky) → review+
Comment on attachment 8736276 [details]
MozReview Request: Bug 1260441 - Never pass a null js context to OpenCursor() r?bz

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/43197/diff/1-2/
https://reviewboard.mozilla.org/r/43197/#review39773

That should be all good. Do you mind checking the MOZ_ASSERT()? I want to be sure I correctly understood your point.
Just to be extra cautious for MOZ_ASSERT() change.
Flags: needinfo?(bzbarsky)
No, that doesn't address my comments about the assertion in OpenCursorInternal... instead it for some reason removes the assert on aDatabase in a totally different function.
Flags: needinfo?(bzbarsky)
I'm talking about the MOZ_ASSERT_IF(!aCx, aRange.isUndefined()); in IDBObjectStore::OpenCursorInternal which should become just MOZ_ASSERT(aCx).
Right, makes more sense :)
Comment on attachment 8736276 [details]
MozReview Request: Bug 1260441 - Never pass a null js context to OpenCursor() r?bz

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/43197/diff/2-3/
That last one should be good.
Flags: needinfo?(bzbarsky)
Comment on attachment 8736276 [details]
MozReview Request: Bug 1260441 - Never pass a null js context to OpenCursor() r?bz

This patch works for me on aries-l.
MOZ_ASSERT_IF(aCx) won't even compile in a debug build.  You want, again, MOZ_ASSERT(aCx).
Flags: needinfo?(bzbarsky)
Comment on attachment 8736276 [details]
MozReview Request: Bug 1260441 - Never pass a null js context to OpenCursor() r?bz

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/43197/diff/3-4/
(In reply to Boris Zbarsky [:bz] from comment #25)
> MOZ_ASSERT_IF(aCx) won't even compile in a debug build.  You want, again,
> MOZ_ASSERT(aCx).

Sorry, now with only MOZ_ASSERT(aCx).
I guess it's a good illustration that one needs to be careful and not in a hurry when doing patches. I'll land after try completes.
Assignee: nobody → lissyx+mozillians
Attachment #8735897 - Attachment is obsolete: true
https://hg.mozilla.org/mozilla-central/rev/5ba4fe816a39
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48