Closed Bug 1439212 Opened 2 years ago Closed 2 years ago

Crash in mozilla::dom::ServiceWorkerRegistrationWorkerThread::ShowNotification

Categories

(Core :: DOM: Service Workers, defect, critical)

Unspecified
Windows 10
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla60
Tracking Status
firefox-esr52 --- unaffected
firefox58 --- unaffected
firefox59 --- unaffected
firefox60 --- fixed

People

(Reporter: calixte, Assigned: bkelly)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

This bug was filed from the Socorro interface and is
report bp-8e3ef789-5f6b-4fb9-be08-bab380180218.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll mozilla::dom::ServiceWorkerRegistrationWorkerThread::ShowNotification dom/serviceworkers/ServiceWorkerRegistrationImpl.cpp:999
1 xul.dll mozilla::dom::ServiceWorkerRegistrationBinding::showNotification dom/bindings/ServiceWorkerRegistrationBinding.cpp:458
2 xul.dll mozilla::dom::ServiceWorkerRegistrationBinding::showNotification_promiseWrapper dom/bindings/ServiceWorkerRegistrationBinding.cpp:472
3 xul.dll mozilla::dom::GenericPromiseReturningBindingMethod dom/bindings/BindingUtils.cpp:3073
4 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:473
5 xul.dll Interpret js/src/vm/Interpreter.cpp:3096
6 xul.dll js::RunScript js/src/vm/Interpreter.cpp:423
7 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:495
8 xul.dll PromiseReactionJob js/src/builtin/Promise.cpp:1237
9 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:473

=============================================================

There is 1 crash in nightly 60 with buildid 20180217220052. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1434701.

[1] https://hg.mozilla.org/mozilla-central/rev?node=1538099138c1
Flags: needinfo?(bkelly)
Looks like this crash has been around for a while.  I don't think its related to bug 1434701, but I can fix it anyway.
Assignee: nobody → bkelly
Blocks: ServiceWorkers-stability
No longer blocks: 1434701
Status: NEW → ASSIGNED
Flags: needinfo?(bkelly)
The crash reports all have very low addresses indicative of a nullptr deref.  I'm pretty sure this is a promise reaction firing after we clear the mWorkerPrivate in  ReleaseListener().  Lets just check for this and reject with invalid state error in this case.
Attachment #8952215 - Flags: review?(bugmail)
Attachment #8952215 - Flags: review?(bugmail) → review+
Pushed by bkelly@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/1874ac39b41c
Make ServiceWorkerRegistrationWorkerThread::ShowNotification() check for nullptr mWorkerPrivate. r=asuth
https://hg.mozilla.org/mozilla-central/rev/1874ac39b41c
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
You need to log in before you can comment on or make changes to this bug.