Closed
Bug 1396368
Opened 6 years ago
Closed 6 years ago
Crash in nsPIDOMWindowInner::UpdateWebSocketCount
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
mozilla57
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox55 | --- | unaffected |
| firefox56 | --- | unaffected |
| firefox57 | --- | fixed |
People
(Reporter: philipp, Assigned: farre)
References
Details
(Keywords: crash, regression)
Crash Data
Attachments
(2 files)
|
5.83 KB,
patch
|
bkelly
:
review+
|
Details | Diff | Splinter Review |
|
1.24 KB,
patch
|
bkelly
:
review+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is report bp-ad49ef3c-5afe-41dd-b74c-28e700170903. ============================================================= Crashing Thread (0) Frame Module Signature Source 0 xul.dll nsPIDOMWindowInner::UpdateWebSocketCount(int) dom/base/nsGlobalWindow.cpp:4513 1 xul.dll mozilla::dom::WebSocket::DisconnectFromOwner() dom/base/WebSocket.cpp:1494 2 xul.dll nsGlobalWindow::DisconnectEventTargetObjects() dom/base/nsGlobalWindow.cpp:1882 3 xul.dll nsGlobalWindow::~nsGlobalWindow() dom/base/nsGlobalWindow.cpp:1762 4 xul.dll nsGlobalWindow::`scalar deleting destructor'(unsigned int) 5 xul.dll nsGlobalWindow::DeleteCycleCollectable() dom/base/nsGlobalWindow.cpp:2232 6 xul.dll SnowWhiteKiller::~SnowWhiteKiller() xpcom/base/nsCycleCollector.cpp:2695 7 xul.dll nsCycleCollector::FreeSnowWhite(bool) xpcom/base/nsCycleCollector.cpp:2883 8 xul.dll AsyncFreeSnowWhite::Run() js/xpconnect/src/XPCJSRuntime.cpp:125 9 xul.dll IdleRunnableWrapper::Run() xpcom/threads/nsThreadUtils.cpp:345 10 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1039 11 xul.dll mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:97 12 xul.dll mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:301 13 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:319 14 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:299 15 xul.dll nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:158 16 xul.dll nsAppShell::Run() widget/windows/nsAppShell.cpp:230 17 xul.dll XRE_RunAppShell() toolkit/xre/nsEmbedFunctions.cpp:866 18 xul.dll mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:269 19 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:319 20 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:299 21 xul.dll XRE_InitChildProcess(int, char** const, XREChildData const*) toolkit/xre/nsEmbedFunctions.cpp:691 22 firefox.exe content_process_main(mozilla::Bootstrap*, int, char** const) ipc/contentproc/plugin-container.cpp:63 23 firefox.exe NS_internal_main(int, char**, char**) browser/app/nsBrowserApp.cpp:285 24 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:115 25 firefox.exe __scrt_common_main_seh f:/dd/vctools/crt/vcstartup/src/startup/exe_common.inl:253 26 kernel32.dll BaseThreadInitThunk 27 ntdll.dll RtlUserThreadStart these cross-platform crash reports started occurring after 57.0a1 build 20170902100317. most of them show MOZ_RELEASE_ASSERT(aDelta > 0 || ((aDelta + counter) < counter)) that got added with bug 1393056.
|
||
Updated•6 years ago
|
Flags: needinfo?(afarre)
|
Assignee | |
Comment 1•6 years ago
|
||
Had a chat about this on IRC, and I believe that this could have to do with the unlinking of windos. I'm trying to update mTopInnerWindow when this happens and see if that solves the issue.
Assignee: nobody → afarre
Flags: needinfo?(afarre)
|
||
Comment 2•6 years ago
|
||
I'm fairly randomly able to reproduce it over the last two days: - https://crash-stats.mozilla.com/report/index/e69bf7d9-872a-4e97-813b-7ae100170905#tab-details - https://crash-stats.mozilla.com/report/index/55442f15-cacd-4154-bf03-006bb0170904 - https://crash-stats.mozilla.com/report/index/9c94a256-0c2c-4bc4-a424-23e990170905 It's not very consistent, but I got it when opening https://news.ycombinator.com/ a couple times. It happens right after loading a new URL (not necessarily in a new tab). I see a flash of the layout of the new page and then crash.
|
||
Comment 3•6 years ago
|
||
This crash correlates to a single nightly build (20170902100317). Looks like bug 1393056 fixed this. (100.0% in signature vs 00.08% overall) moz_crash_reason = MOZ_RELEASE_ASSERT(aDelta > 0 || ((aDelta + counter) < counter)) (100.0% in signature vs 02.18% overall) build_id = 20170902100317
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
|
|
||
Comment 4•6 years ago
|
||
Sorry, that correlation info was incorrect. The main report list has signatures in it on other days.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
|
|
Assignee | |
Comment 5•6 years ago
|
||
I'm having a hard time reproducing it. This patch assumes that the problem is unlinking mTopInnerWindow before decrementing the count of WebSockets and fixes it by counting WebSockets (and gUM, actually) both locally on the current window and on mTopInnerWindow. This is then used to decrement the count on mTomInnerWindow when unlinking. Since I can't repro, we'll have to see if the asserts go away after this fix. Try run pending: https://treeherder.mozilla.org/#/jobs?repo=try&revision=27af0434e0ea3996b76f8beebc1e13419e0ab14a&selectedJob=128905765
Attachment #8905034 -
Flags: review?(bkelly)
|
||
Comment 6•6 years ago
|
||
Comment on attachment 8905034 [details] [diff] [review] 0001-Bug-1396368-Update-mTopInnerWindow-before-unlinking-.patch Review of attachment 8905034 [details] [diff] [review]: ----------------------------------------------------------------- Looks reasonable I guess.
Attachment #8905034 -
Flags: review?(bkelly) → review+
Pushed by afarre@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/9b169fc8b1a7 Update mTopInnerWindow before unlinking it. r=bkelly
Pushed by afarre@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/49fb9d357501 Follow up fix: Fixed Windows build error. CLOSED TREE
|
|
||
Comment 9•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/9b169fc8b1a7 https://hg.mozilla.org/mozilla-central/rev/49fb9d357501
Status: REOPENED → RESOLVED
Closed: 6 years ago → 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
|
|
||
Comment 10•6 years ago
|
||
This crash signature is still showing up. E.g. it's the #5 Windows topcrash in Nightly 20170910100150. I will reopen.
Status: RESOLVED → REOPENED
Flags: needinfo?(afarre)
Resolution: FIXED → ---
|
|
Assignee | |
Comment 11•6 years ago
|
||
Yep, still on it, still no way to reproduce.
Flags: needinfo?(afarre)
|
||
Comment 12•6 years ago
|
||
I managed to reproduce the crash 2 times ([1], [2]) with the same url [3] but it doesn't crash every time. [1] https://crash-stats.mozilla.com/report/index/817e5e4c-105a-4edf-8183-c90d10170912 [2] https://crash-stats.mozilla.com/report/index/246268f8-33e3-458f-848c-5b7420170912 [3] http://ewatchseries.to/episode/rick_and_morty_s3_e7.html
|
|
Assignee | |
Comment 13•6 years ago
|
||
Updated the current window when unlinking, when only mTopInnerWindow should've been considered.
Attachment #8907057 -
Flags: review?(bkelly)
|
|
||
Updated•6 years ago
|
Attachment #8907057 -
Flags: review?(bkelly) → review+
|
||
Comment 14•6 years ago
|
||
Pushed by afarre@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/0cbbb59b5e61 Update WebSocket count on top inner window when unlinking. r=bkelly
|
|
||
Comment 15•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/0cbbb59b5e61
Status: REOPENED → RESOLVED
Closed: 6 years ago → 6 years ago
Resolution: --- → FIXED
|
||
Updated•4 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•