Crash at reboot on mc: SIGSEGV 0xb535210a in InterpreterFrameIterator (activation=0x0, this=0xbec32754) at ../../../gecko/js/src/vm/Stack.h:1640

RESOLVED FIXED in Firefox 48

Status: defect, RESOLVED FIXED (3 years ago)

People

(Reporter: gerard-majax, Assigned: gerard-majax)

Tracking

Version: unspecified
Target Milestone: mozilla48
Points: ---
Firefox Tracking Flags: firefox48 fixed

Details

(Whiteboard: fixed-in-pine)

Attachments

(1 attachment, 1 obsolete attachment)

Program received signal SIGSEGV, Segmentation fault.
0xb535210a in InterpreterFrameIterator (activation=0x0, this=0xbec32754) at ../../../gecko/js/src/vm/Stack.h:1640
1640	        sp_(nullptr)
(gdb) bt
#0  0xb535210a in InterpreterFrameIterator (activation=0x0, this=0xbec32754) at ../../../gecko/js/src/vm/Stack.h:1640
#1  Data (principals=0x0, debuggerEvalOption=js::FrameIter::FOLLOW_DEBUGGER_EVAL_PREV_LINK, contextOption=js::FrameIter::CURRENT_CONTEXT, savedOption=js::FrameIter::STOP_AT_SAVED, cx=0x0, this=0xbec32738)
    at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/js/src/vm/Stack.cpp:613
#2  js::FrameIter::FrameIter (this=0xbec32738, cx=0x0, savedOption=js::FrameIter::STOP_AT_SAVED) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/js/src/vm/Stack.cpp:635
#3  0xb523d23a in NonBuiltinFrameIter (opt=js::FrameIter::STOP_AT_SAVED, cx=0x0, this=0xbec32738) at ../../../gecko/js/src/vm/Stack.h:1972
#4  JS::DescribeScriptedCaller (cx=cx@entry=0x0, filename=filename@entry=0xbec329a8, lineno=0xaf293c3c, column=0xaf293c40) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/js/src/jsapi.cpp:6263
#5  0xb4216730 in nsJSUtils::GetCallingLocation (aContext=aContext@entry=0x0, aFilename=..., aLineno=<optimized out>, aColumn=<optimized out>) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/base/nsJSUtils.cpp:54
#6  0xb4865566 in CaptureCaller (aColumn=<optimized out>, aLineNo=<optimized out>, aFilename=..., aCx=0x0) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/indexedDB/IDBRequest.cpp:196
#7  mozilla::dom::IDBRequest::Create (aCx=aCx@entry=0x0, aDatabase=0xaf108160, aTransaction=aTransaction@entry=0xaee6de50) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/indexedDB/IDBRequest.cpp:123
#8  0xb4865738 in mozilla::dom::IDBRequest::Create (aCx=aCx@entry=0x0, aSourceAsObjectStore=aSourceAsObjectStore@entry=0xafa5f800, aDatabase=<optimized out>, aTransaction=0xaee6de50)
    at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/indexedDB/IDBRequest.cpp:141
#9  0xb486576e in mozilla::dom::(anonymous namespace)::GenerateRequest (aCx=aCx@entry=0x0, aObjectStore=aObjectStore@entry=0xafa5f800) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/indexedDB/IDBObjectStore.cpp:208
#10 0xb4867414 in mozilla::dom::IDBObjectStore::OpenCursorInternal (this=0xafa5f800, aKeysOnly=aKeysOnly@entry=false, aCx=aCx@entry=0x0, aRange=..., aDirection=aDirection@entry=mozilla::dom::Prev, aRv=...)
    at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/indexedDB/IDBObjectStore.cpp:2141
#11 0xb464eec4 in OpenCursor (aRv=..., aDirection=mozilla::dom::Prev, this=<optimized out>) at ../../dist/include/mozilla/dom/IDBObjectStore.h:271
#12 mozilla::dom::FirstRevisionIdCallback::Run (this=0xad5c52e0, aDb=<optimized out>, aStatus=<optimized out>) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/datastore/DataStoreService.cpp:413
#13 0xb464edc8 in mozilla::dom::DataStoreDB::HandleEvent (this=0xad9deac0, aEvent=<optimized out>) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/datastore/DataStoreDB.cpp:192
#14 0xb467559a in mozilla::EventListenerManager::HandleEventSubType (this=this@entry=0xad5fd1c0, aListener=<optimized out>, aListener@entry=0xaf1f3c08, aDOMEvent=0xad9e7610, aCurrentTarget=aCurrentTarget@entry=0xaf1f3b80)
    at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/events/EventListenerManager.cpp:1099
#15 0xb4675806 in mozilla::EventListenerManager::HandleEventInternal (this=0xad5fd1c0, aPresContext=<optimized out>, aEvent=0xaf220d80, aDOMEvent=aDOMEvent@entry=0xbec33034, aCurrentTarget=aCurrentTarget@entry=0xaf1f3b80, 
    aEventStatus=aEventStatus@entry=0xbec33038) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/events/EventListenerManager.cpp:1270
#16 0xb4666d42 in HandleEvent (aEventStatus=0xbec33038, aCurrentTarget=0xaf1f3b80, aDOMEvent=0xbec33034, aEvent=<optimized out>, aPresContext=<optimized out>, this=<optimized out>) at ../../dist/include/mozilla/EventListenerManager.h:350
#17 mozilla::EventTargetChainItem::HandleEvent (this=<optimized out>, aVisitor=..., aCd=...) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/events/EventDispatcher.cpp:267
#18 0xb4666f5e in mozilla::EventTargetChainItem::HandleEventTargetChain (aChain=..., aVisitor=..., aCallback=aCallback@entry=0x0, aCd=...) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/events/EventDispatcher.cpp:369
#19 0xb466a8e8 in mozilla::EventDispatcher::Dispatch (aTarget=<optimized out>, aPresContext=aPresContext@entry=0x0, aEvent=aEvent@entry=0xaf220d80, aDOMEvent=aDOMEvent@entry=0xad9e7610, aEventStatus=0xbec330dc, aCallback=0x0, aTargets=0x0)
    at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/events/EventDispatcher.cpp:701
#20 0xb466ab1a in mozilla::EventDispatcher::DispatchDOMEvent (aTarget=0xaf1f3b80, aEvent=<optimized out>, aDOMEvent=0xad9e7610, aPresContext=0x0, aEventStatus=0xbec330dc)
    at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/events/EventDispatcher.cpp:770
#21 0xb466ab42 in mozilla::DOMEventTargetHelper::DispatchEvent (this=<optimized out>, aEvent=0xad9e7610, aRetVal=0xbec3316c) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/events/DOMEventTargetHelper.cpp:253
#22 0xb4868a46 in mozilla::dom::indexedDB::(anonymous namespace)::DispatchSuccessEvent (aResultHelper=aResultHelper@entry=0xbec331f4, aEvent=0xad9e7610) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/indexedDB/ActorsChild.cpp:811
#23 0xb4868b1e in mozilla::dom::indexedDB::BackgroundFactoryRequestChild::HandleResponse (this=this@entry=0xad9e8940, aResponse=...) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/indexedDB/ActorsChild.cpp:1315
#24 0xb486bc4e in mozilla::dom::indexedDB::BackgroundFactoryRequestChild::Recv__delete__ (this=0xad9e8940, aResponse=...) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/indexedDB/ActorsChild.cpp:1374
#25 0xb3e9cde2 in mozilla::dom::indexedDB::PBackgroundIDBFactoryRequestChild::OnMessageReceived (this=0xad9e8948, msg__=...) at PBackgroundIDBFactoryRequestChild.cpp:176
#26 0xb3e1cfa0 in mozilla::ipc::PBackgroundChild::OnMessageReceived (this=0xaeae3c00, msg__=...) at PBackgroundChild.cpp:1721
#27 0xb3df9d2e in mozilla::ipc::MessageChannel::DispatchAsyncMessage (this=0xaeae3c38, aMsg=...) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/ipc/glue/MessageChannel.cpp:1630
#28 0xb3dfed84 in mozilla::ipc::MessageChannel::DispatchMessage (this=this@entry=0xaeae3c38, aMsg=...) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/ipc/glue/MessageChannel.cpp:1568
#29 0xb3dffa92 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne (this=0xaeae3c38) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/ipc/glue/MessageChannel.cpp:1535
#30 0xb3de622e in MessageLoop::RunTask (this=0xb1cc71a0, task=0xaf2d5fd0) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/ipc/chromium/src/base/message_loop.cc:364
#31 0xb3de8e6c in MessageLoop::DeferOrRunPendingTask (this=<optimized out>, pending_task=...) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/ipc/chromium/src/base/message_loop.cc:372
#32 0xb3deab36 in MessageLoop::DoWork (this=0xb1cc71a0) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/ipc/chromium/src/base/message_loop.cc:459
#33 0xb3df6556 in mozilla::ipc::DoWorkRunnable::Run (this=<optimized out>) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/ipc/glue/MessagePump.cpp:222
#34 0xb3c751f0 in nsThread::ProcessNextEvent (this=0xb6a02550, aMayWait=<optimized out>, aResult=0xbec334f7) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/xpcom/threads/nsThread.cpp:994
#35 0xb3c8631c in NS_ProcessNextEvent (aThread=<optimized out>, aMayWait=aMayWait@entry=false) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/xpcom/glue/nsThreadUtils.cpp:297
#36 0xb3df6e60 in mozilla::ipc::MessagePump::Run (this=0xb6a55460, aDelegate=0xb1cc71a0) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/ipc/glue/MessagePump.cpp:97
#37 0xb3de626e in RunHandler (this=0xb1cc71a0) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/ipc/chromium/src/base/message_loop.cc:227
#38 MessageLoop::Run (this=0xb1cc71a0) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/ipc/chromium/src/base/message_loop.cc:201
#39 0xb49764aa in nsBaseAppShell::Run (this=0xaff0b520) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/widget/nsBaseAppShell.cpp:156
#40 0xb4d228aa in nsAppStartup::Run (this=0xb055d310) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/toolkit/components/startup/nsAppStartup.cpp:281
#41 0xb4d46634 in XREMain::XRE_mainRun (this=this@entry=0xbec33668) at ../../../gecko/toolkit/xre/nsAppRunner.cpp:4342
#42 0xb4d468c0 in XREMain::XRE_main (this=this@entry=0xbec33668, argc=argc@entry=1, argv=argv@entry=0xb6a2b0d0, aAppData=aAppData@entry=0xb6f99d60 <_ZL8sAppData>) at ../../../gecko/toolkit/xre/nsAppRunner.cpp:4439
#43 0xb4d46a9e in XRE_main (argc=1, argv=0xb6a2b0d0, aAppData=0xb6f99d60 <_ZL8sAppData>, aFlags=<optimized out>) at ../../../gecko/toolkit/xre/nsAppRunner.cpp:4545
#44 0xb6f7bae6 in do_main (argc=argc@entry=1, argv=argv@entry=0xb6a2b0d0) at ../../../gecko/b2g/app/nsBrowserApp.cpp:167
#45 0xb6f7bc08 in b2g_main (argc=1, argv=<optimized out>) at ../../../gecko/b2g/app/nsBrowserApp.cpp:299
#46 0xb6f7b980 in RunProcesses (aReservedFds=..., argv=0xbec34954, argc=1) at ../../../gecko/b2g/app/B2GLoader.cpp:233
#47 main (argc=1, argv=0xbec34954) at ../../../gecko/b2g/app/B2GLoader.cpp:300
Comment 1 (Assignee, 3 years ago)
STR:
 1. Boot B2G successfully
 2. Reboot

Expected:
 Boots properly

Actual:
 Crash as documented above.

I have checked, this is not because of time skew.
Comment 2 (Assignee, 3 years ago)
Code has been changed by bug 1257422 and/or bug 1257725 and/or bug 1257335
Comment 3 (Assignee, 3 years ago)
Boris, do you see anything obvious within the stack?
Flags: needinfo?(bzbarsky)
Comment 4 (Assignee, 3 years ago)
> #10 0xb4867414 in mozilla::dom::IDBObjectStore::OpenCursorInternal (this=0xafa5f800, aKeysOnly=aKeysOnly@entry=false, aCx=aCx@entry=0x0, aRange=..., aDirection=aDirection@entry=mozilla::dom::Prev, aRv=...) at /home/alex/codaz/Mozilla/b2g/devices/XperiaZ3c/B2G/gecko/dom/indexedDB/IDBObjectStore.cpp:2141

is being changed by Bug 1257725 part 5.
Comment 5 (Assignee, 3 years ago)
With some debug printf:
> 03-29 11:28:38.269 18216 18216 I Gecko   : XXXX !!!! IDBObjectStore::OpenCursorInternal(): 1 aCx=0xb1cd93d0
> 03-29 11:28:38.269 18216 18216 I Gecko   : XXXX !!!! IDBObjectStore::OpenCursorInternal(): 2 aCx=0xb1cd93d0
> 03-29 11:28:38.269 18216 18216 I Gecko   : XXXX !!!! IDBObjectStore::OpenCursorInternal(): 3 aCx=0xb1cd93d0
> 03-29 11:28:38.279 18216 18216 I Gecko   : XXXX !!!! IDBObjectStore::OpenCursorInternal(): 1 aCx=0xb1cd93d0
> 03-29 11:28:38.279 18216 18216 I Gecko   : XXXX !!!! IDBObjectStore::OpenCursorInternal(): 2 aCx=0xb1cd93d0
> 03-29 11:28:38.279 18216 18216 I Gecko   : XXXX !!!! IDBObjectStore::OpenCursorInternal(): 3 aCx=0xb1cd93d0
> 03-29 11:28:38.279 18216 18216 I Gecko   : XXXX !!!! IDBObjectStore::OpenCursorInternal(): 1 aCx=0x0
> 03-29 11:28:38.279 18216 18216 I Gecko   : XXXX !!!! IDBObjectStore::OpenCursorInternal(): 2 aCx=0x0
> 03-29 11:28:38.279 18216 18216 I Gecko   : XXXX !!!! IDBObjectStore::OpenCursorInternal(): 3 aCx=0x0
Comment 6 (Assignee, 3 years ago)
aCx is being passed as a null pointer explicitly in https://dxr.mozilla.org/mozilla-central/source/dom/indexedDB/IDBObjectStore.h#270 and this matches the stack.
Comment 7 (Assignee, 3 years ago)
As far as I can tell, we are entering with aCx == nullptr AND aRange.isUndefined() == true. This is exactly what is expected by bug 1257422 part 1.
Comment 8 (Assignee, 3 years ago)
Posted patch workaround (obsolete) — Splinter Review
So, as far as I could read, sending a null aCx is something we do on purpose. My guess up to now is that the call path reaches Create() around line 123, which gets call-site info from the JS context. And since we are in a case without a context, this makes no sense/cannot be extracted. Hence this simple workaround.

So far, this makes my device boot as expected.
Flags: needinfo?(khuey)
Comment on attachment 8735897 [details] [diff] [review]
workaround

>diff --git a/dom/indexedDB/IDBRequest.cpp b/dom/indexedDB/IDBRequest.cpp
>index beeefeb..5739c25 100644
>--- a/dom/indexedDB/IDBRequest.cpp
>+++ b/dom/indexedDB/IDBRequest.cpp
>@@ -120,7 +120,9 @@ IDBRequest::Create(JSContext* aCx,
>   aDatabase->AssertIsOnOwningThread();
> 
>   RefPtr<IDBRequest> request = new IDBRequest(aDatabase);
>-  CaptureCaller(aCx, request->mFilename, &request->mLineNo, &request->mColumn);
>+  if (aCx) {
>+    CaptureCaller(aCx, request->mFilename, &request->mLineNo, &request->mColumn);
>+  }
> 
>   request->mTransaction = aTransaction;
>   request->SetScriptOwner(aDatabase->GetScriptOwner());
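Review bot: the `if (aCx)` guard stops the null dereference but leaves request->mFilename, mLineNo and mColumn unset whenever a caller passes nullptr, so such requests carry no caller location and the silent "null means no script" convention survives. Since the null context reaches here from the OpenCursor overload that hard-codes nullptr (IDBObjectStore.h:270 per comment 6), enforce the contract instead: MOZ_ASSERT(aCx) at the top of Create() and make that one caller supply a real JSContext.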
Attachment #8735897 - Attachment is patch: true
Flags: needinfo?(khuey)
Component: JavaScript Engine → DOM: IndexedDB
Comment on attachment 8735897 [details] [diff] [review]
workaround

Seems fine. Is this the only thing that blows up?
Attachment #8735897 - Flags: review+
Given that we're now using aCx for something other than key parsing, the whole "pass null" thing is just wrong.  We should stop doing that.  Instead, we should change the one OpenCursor signature that does not take a JSContext to take one, and change its one caller to put an AutoJSAPI on the stack....
Flags: needinfo?(bzbarsky)
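The contract Boris describes, as an added example that is not the patch from this bug and not Gecko code: JSContext, Frame, AutoJSAPI, openCursor and createRequest below are simplified stand-ins modelled on the Gecko names, and the frame data is constructed for the example. It shows why a null context crashes as soon as the callee starts describing the scripted caller, and why the fix is a mandatory context obtained through an RAII helper rather than a null check buried in the callee:

```cpp
#include <cassert>
#include <string>
#include <vector>

// Stand-ins for SpiderMonkey's JSContext and interpreter frames (assumption:
// constructed for this example; they are not the real Gecko types).
struct Frame {
    std::string filename;
    unsigned line;
    unsigned column;
};

struct JSContext {
    std::vector<Frame> frames;  // innermost frame last
};

// Analogue of JS::DescribeScriptedCaller. It dereferences cx unconditionally,
// so a null cx is a null-pointer dereference here, not a graceful "no caller":
// that is the crash in the backtrace above. A live context with no frames is
// the safe way to express "not called from script".
bool describeScriptedCaller(JSContext* cx, std::string* filename,
                            unsigned* line, unsigned* column) {
    assert(cx && "caller must supply a live context");
    if (cx->frames.empty()) {
        return false;  // valid context, nothing scripted on the stack
    }
    const Frame& top = cx->frames.back();
    *filename = top.filename;
    *line = top.line;
    *column = top.column;
    return true;
}

struct Request {
    std::string filename;  // empty when no script issued the request
    unsigned lineNo = 0;
    unsigned column = 0;
};

// Analogue of IDBRequest::Create: always records the caller location, which
// is the new use of aCx that made the "null means no context" convention unsafe.
Request createRequest(JSContext* cx) {
    Request r;
    describeScriptedCaller(cx, &r.filename, &r.lineNo, &r.column);
    return r;
}

// RAII helper in the spirit of mozilla::dom::AutoJSAPI (assumption: heavily
// simplified; the real one enters a global and handles pending exceptions).
// Its job is to guarantee that native callers hold a non-null context.
class AutoJSAPI {
  public:
    JSContext* cx() { return &mCx; }
  private:
    JSContext mCx;  // no frames: "C++ called us, not script"
};

// Callee side of the fix: one signature, context mandatory, asserted up front
// (the MOZ_ASSERT(aCx) the review asks for, replacing MOZ_ASSERT_IF(!aCx, ...)).
Request openCursor(JSContext* cx) {
    assert(cx && "OpenCursor requires a JSContext; use AutoJSAPI from native code");
    return createRequest(cx);
}

// Native caller after the fix (the shape FirstRevisionIdCallback::Run needs):
// acquire a context via AutoJSAPI instead of passing nullptr.
Request openCursorFromNativeCode() {
    AutoJSAPI jsapi;
    return openCursor(jsapi.cx());
}

// Script-initiated caller: the context carries the calling frame, so the
// request records where it was issued from.
Request openCursorFromScript(const std::string& file, unsigned line, unsigned column) {
    JSContext cx;
    cx.frames.push_back(Frame{file, line, column});
    return openCursor(&cx);
}
```

The native path yields a request with an empty filename and zero line/column because the context is live but has no frames; the script path yields the frame's location. Neither path ever hands the callee a null pointer, so adding further uses of the context inside createRequest later cannot reintroduce the crash.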
Comment 12 (Assignee, 3 years ago)
(In reply to Boris Zbarsky [:bz] from comment #11)
> Given that we're now using aCx for something other than key parsing, the
> whole "pass null" thing is just wrong.  We should stop doing that.  Instead,
> we should change the one OpenCursor signature that does not take a JSContext
> to take one, and change its one caller to put an AutoJSAPI on the stack....

Thanks, I'll do this.
Duplicate of this bug: 1259646
Comment on attachment 8736276 [details]
MozReview Request: Bug 1260441 - Never pass a null js context to OpenCursor() r?bz

https://reviewboard.mozilla.org/r/43197/#review39773

::: dom/datastore/DataStoreService.cpp:32
(Diff revision 1)
>  #include "mozilla/dom/IDBTransaction.h"
>  #include "mozilla/dom/PermissionMessageUtils.h"
>  #include "mozilla/dom/Promise.h"
>  #include "mozilla/unused.h"
>  
> +#include "jsapi.h"

You don't need that here.  What you do need is mozilla/dom/ScriptSettings.h

::: dom/indexedDB/IDBObjectStore.h:271
(Diff revision 1)
> +             IDBCursorDirection aDirection,
>               ErrorResult& aRv)
>    {
>      AssertIsOnOwningThread();
>  
> -    return OpenCursorInternal(/* aKeysOnly */ false, nullptr,
> +    return OpenCursorInternal(/* aKeysOnly */ false, aCx,
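Review bot: this header hunk only forwards aCx; the snippet does not show the DataStoreService.cpp caller (FirstRevisionIdCallback::Run in the backtrace) actually acquiring a context. With the assertion in OpenCursorInternal tightened to MOZ_ASSERT(aCx), that caller must put a mozilla::dom::AutoJSAPI on the stack and check that Init() succeeded before passing jsapi.cx() to OpenCursor, otherwise the assert simply moves the failure one frame up in debug builds and the null dereference remains in release builds.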

Please remove the comments on OpenCursorInternal that claim passing null aCx is acceptable.  Also, please change the assert at the beginning of OpenCursorInternal to just MOZ_ASSERT(aCx).

r=me with those fixed.
Attachment #8736276 - Flags: review?(bzbarsky) → review+
Comment 16 (Assignee, 3 years ago)
Comment on attachment 8736276 [details]
MozReview Request: Bug 1260441 - Never pass a null js context to OpenCursor() r?bz

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/43197/diff/1-2/
Comment 17 (Assignee, 3 years ago)
https://reviewboard.mozilla.org/r/43197/#review39773

That should be all good. Do you mind checking the MOZ_ASSERT()? I want to be sure I correctly understood your point.
Comment 18 (Assignee, 3 years ago)
Just to be extra cautious for MOZ_ASSERT() change.
Flags: needinfo?(bzbarsky)
No, that doesn't address my comments about the assertion in OpenCursorInternal... instead it for some reason removes the assert on aDatabase in a totally different function.
Flags: needinfo?(bzbarsky)
I'm talking about the MOZ_ASSERT_IF(!aCx, aRange.isUndefined()); in IDBObjectStore::OpenCursorInternal which should become just MOZ_ASSERT(aCx).
Comment 21 (Assignee, 3 years ago)
Right, makes more sense :)
Comment 22 (Assignee, 3 years ago)
Comment on attachment 8736276 [details]
MozReview Request: Bug 1260441 - Never pass a null js context to OpenCursor() r?bz

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/43197/diff/2-3/
Comment 23 (Assignee, 3 years ago)
That last one should be good
Flags: needinfo?(bzbarsky)
Comment on attachment 8736276 [details]
MozReview Request: Bug 1260441 - Never pass a null js context to OpenCursor() r?bz

This patch works for me on aries-l.
MOZ_ASSERT_IF(aCx) won't even compile in a debug build.  You want, again, MOZ_ASSERT(aCx).
Flags: needinfo?(bzbarsky)
Comment 26 (Assignee, 3 years ago)
Comment on attachment 8736276 [details]
MozReview Request: Bug 1260441 - Never pass a null js context to OpenCursor() r?bz

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/43197/diff/3-4/
Comment 27 (Assignee, 3 years ago)
(In reply to Boris Zbarsky [:bz] from comment #25)
> MOZ_ASSERT_IF(aCx) won't even compile in a debug build.  You want, again,
> MOZ_ASSERT(aCx).

Sorry, now with only MOZ_ASSERT(aCx).
Comment 28 (Assignee, 3 years ago)
I guess it's a good illustration that one needs to be careful and not in a hurry when doing patches. I'll land after try completes.
Updated (Assignee, 3 years ago)
Assignee: nobody → lissyx+mozillians
Updated (Assignee, 3 years ago)
Attachment #8735897 - Attachment is obsolete: true

Comment 31 (3 years ago)
bugherder
https://hg.mozilla.org/mozilla-central/rev/5ba4fe816a39
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48