Closed
Bug 1441131
Opened 6 years ago
Closed 6 years ago
Crash in mozilla::ipc::MessageChannel::Send | mozilla::dom::PContentParent::SendDataStorageRemove
Categories
(Core :: Security: PSM, defect, P2)
Tracking
()
RESOLVED
FIXED
mozilla61
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox59 | --- | unaffected |
firefox60 | - | disabled |
firefox61 | --- | fixed |
People
(Reporter: valentin, Assigned: bagder)
References
Details
(Keywords: crash, Whiteboard: [trr])
Crash Data
Attachments
(1 file)
59 bytes,
text/x-review-board-request
|
valentin
:
review+
jcristau
:
approval-mozilla-beta-
|
Details |
This bug was filed from the Socorro interface and is report bp-e618d262-9dea-47cc-8c19-f5f9f0180226. ============================================================= Crashes on: MOZ_RELEASE_ASSERT(mWorkerThread == GetCurrentVirtualThread()) (not on worker thread!) Top 10 frames of crashing thread: 0 libxul.so mozilla::ipc::MessageChannel::Send [clone .cold.462] 1 libxul.so mozilla::dom::PContentParent::SendDataStorageRemove ipc/ipdl/PContentParent.cpp:1411 2 libxul.so mozilla::DataStorage::Remove security/manager/ssl/DataStorage.cpp:795 3 libxul.so mozilla::net::TRRService::IsTRRBlacklisted netwerk/dns/TRRService.cpp:400 4 libxul.so nsHostResolver::TrrLookup netwerk/dns/nsHostResolver.cpp:1104 5 libxul.so nsHostResolver::NameLookup [clone .cold.41] 6 libxul.so nsHostResolver::ResolveHost 7 libxul.so nsDNSService::AsyncResolveExtendedNative 8 libxul.so mozilla::net::nsSocketTransport::ResolveHost 9 libxul.so mozilla::net::nsSocketTransport::OnSocketEvent =============================================================
Comment 1•6 years ago
|
||
:catalinb: when you have time give this a look
Flags: needinfo?(catalin.badea392)
Updated•6 years ago
|
Priority: -- → P2
Comment 2•6 years ago
|
||
(In reply to Valentin Gosu [:valentin] from comment #0) > This bug was filed from the Socorro interface and is > report bp-e618d262-9dea-47cc-8c19-f5f9f0180226. > ============================================================= > > Crashes on: > MOZ_RELEASE_ASSERT(mWorkerThread == GetCurrentVirtualThread()) (not on > worker thread!) > > Top 10 frames of crashing thread: > > 0 libxul.so mozilla::ipc::MessageChannel::Send [clone .cold.462] > 1 libxul.so mozilla::dom::PContentParent::SendDataStorageRemove > ipc/ipdl/PContentParent.cpp:1411 > 2 libxul.so mozilla::DataStorage::Remove > security/manager/ssl/DataStorage.cpp:795 > 3 libxul.so mozilla::net::TRRService::IsTRRBlacklisted > netwerk/dns/TRRService.cpp:400 > 4 libxul.so nsHostResolver::TrrLookup netwerk/dns/nsHostResolver.cpp:1104 > 5 libxul.so nsHostResolver::NameLookup [clone .cold.41] > 6 libxul.so nsHostResolver::ResolveHost > 7 libxul.so nsDNSService::AsyncResolveExtendedNative > 8 libxul.so mozilla::net::nsSocketTransport::ResolveHost > 9 libxul.so mozilla::net::nsSocketTransport::OnSocketEvent > > ============================================================= Why is this a service workers bug?
Flags: needinfo?(catalin.badea392) → needinfo?(valentin.gosu)
Reporter | ||
Comment 3•6 years ago
|
||
Oh, sorry, I filed this in a rush, and saw ContentParent + worker thread and thought "service worker" :)
Component: DOM: Service Workers → Security: PSM
Flags: needinfo?(valentin.gosu)
Comment 4•6 years ago
|
||
Adding a Mac signature which seems to be the same issue.
Crash Signature: [@ mozilla::ipc::MessageChannel::Send | mozilla::dom::PContentParent::SendDataStorageRemove] → [@ mozilla::ipc::MessageChannel::Send | mozilla::dom::PContentParent::SendDataStorageRemove]
[@ mozilla::ipc::MessageChannel::CxxStackFrame::CxxStackFrame | mozilla::ipc::MessageChannel::Send | mozilla::dom::PContentParent::SendDataStorageRemove ]
Reporter | ||
Comment 5•6 years ago
|
||
This happens a few times a day, usually after a long period of inactivity. To reproduce set network.trr.mode;0 and network.trr.uri;https://dns.cloudflare.com/.well-known/dns-query It is odd that this happens, since DataStorage is supposed to be thread safe - here it is called on the socket thread.
Blocks: 1434852
Flags: needinfo?(dkeeler)
Maybe there's a thread restriction on sending IPC messages now? Ehsan, any ideas?
Flags: needinfo?(dkeeler) → needinfo?(ehsan)
Assignee | ||
Comment 7•6 years ago
|
||
This one has gotten me into nice restart-loops twice now this evening. I run TRR mode 2 with the cloudflare server. This is my latest one: https://crash-stats.mozilla.com/report/index/75f9b90b-43f0-4a00-a3c5-8a4de0180308
Assignee | ||
Updated•6 years ago
|
Whiteboard: [trr]
Comment 8•6 years ago
|
||
daniel is going to proxy the Remove call to the main thread. I bet that will resolve this.
Comment hidden (mozreview-request) |
Assignee | ||
Updated•6 years ago
|
Assignee: nobody → daniel
Reporter | ||
Comment 10•6 years ago
|
||
mozreview-review |
Comment on attachment 8958098 [details] bug 1441131 - TRR: proxy storage removal to the mainthread https://reviewboard.mozilla.org/r/227050/#review232776 ::: netwerk/dns/TRRService.cpp:362 (Diff revision 1) > + , mService(aService), mHashkey(aHashkey), mType(aType) > + { } > + > + NS_IMETHOD Run() override > + { > + mService->mTRRBLStorage->Remove(mHashkey, mType); I haven't looked throught all the code paths, but it seems that it is possible that mTRRBLStorage could be null here. Either check if it is null, or have the runnable hold a ref to mTRRBLStorage instead (which I prefer) ::: netwerk/dns/TRRService.cpp:362 (Diff revision 1) > + , mService(aService), mHashkey(aHashkey), mType(aType) > + { } > + > + NS_IMETHOD Run() override > + { > + mService->mTRRBLStorage->Remove(mHashkey, mType); I don't see any way mTRRBLStorage would be null here, which is good, but I don't know if this will be true in the future. We could instead have the runnable keep a ref to the storage instead. Your call. ::: netwerk/dns/TRRService.cpp:438 (Diff revision 1) > LOG(("Host [%s] is TRR blacklisted\n", nsCString(aHost).get())); > return true; > } else { > // the blacklisted entry has expired > + if (!NS_IsMainThread()) { > + NS_DispatchToMainThread(new ProxyStorageRemove(this, hashkey, How about nsCOMPtr<nsIRunnable> runnable = NS_NewRunnableFunction("proxyStorageRemove", [mTRRBLStorage, hashKey, privateBrowsing]() { mTRRBLStorage->Remove(mHashkey, privateBrowsing ? DataStorage_Private : DataStorage_Persistent); }) if (!NS_IsMainThread()) { NS_DispatchToMainThread(runnable); } else { runnable->Run(); } This way we keep all the code right here, and we don't need to make the member public.
Attachment #8958098 -
Flags: review?(valentin.gosu) → review+
Reporter | ||
Comment 11•6 years ago
|
||
(In reply to Valentin Gosu [:valentin] from comment #10) > > I don't see any way mTRRBLStorage would be null here, which is good, but I > don't know if this will be true in the future. > We could instead have the runnable keep a ref to the storage instead. Your > call. Ignore these comments :) I wrote them before I thought of using NS_NewRunnableFunction, and they didn't get deleted from mozreview after :)
Comment hidden (mozreview-request) |
Assignee | ||
Comment 13•6 years ago
|
||
mozreview-review-reply |
Comment on attachment 8958098 [details] bug 1441131 - TRR: proxy storage removal to the mainthread https://reviewboard.mozilla.org/r/227050/#review232776 > How about > > nsCOMPtr<nsIRunnable> runnable = NS_NewRunnableFunction("proxyStorageRemove", [mTRRBLStorage, hashKey, privateBrowsing]() { > mTRRBLStorage->Remove(mHashkey, privateBrowsing ? DataStorage_Private : DataStorage_Persistent); > }) > if (!NS_IsMainThread()) { > NS_DispatchToMainThread(runnable); > } else { > runnable->Run(); > } > > This way we keep all the code right here, and we don't need to make the member public. That's an excellent suggestion. I've pushed an update using this approach now.
Comment 14•6 years ago
|
||
hg error in cmd: hg push -r tip ssh://hg.mozilla.org/integration/autoland: pushing to ssh://hg.mozilla.org/integration/autoland searching for changes remote: adding changesets remote: adding manifests remote: adding file changes remote: added 1 changesets with 1 changes to 1 files remote: remote: remote: ************************** ERROR **************************** remote: Rev 2359a21defd5 needs "Bug N" or "No bug" in the commit message. remote: Daniel Stenberg <daniel@haxx.se> remote: bug-1441131 TRR: proxy storage removal to the mainthread r=valentin remote: remote: MozReview-Commit-ID: K4Ar0RbSRzS remote: ************************************************************* remote: remote: remote: transaction abort! remote: rollback completed remote: pretxnchangegroup.c_commitmessage hook failed abort: push failed on remote
Comment hidden (mozreview-request) |
Comment 16•6 years ago
|
||
Pushed by daniel@haxx.se: https://hg.mozilla.org/integration/autoland/rev/4660a81a0228 TRR: proxy storage removal to the mainthread r=valentin
Comment 17•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/4660a81a0228
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox61:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Comment 18•6 years ago
|
||
Sorry I was too late to respond here, looks like this was resolved before I got a chance to look at it...
Flags: needinfo?(ehsan)
Comment 19•6 years ago
|
||
Does this need a Beta approval request for 60?
Assignee | ||
Comment 20•6 years ago
|
||
Comment on attachment 8958098 [details] bug 1441131 - TRR: proxy storage removal to the mainthread Approval Request Comment [Feature/Bug causing the regression]: Bug 1441131 [User impact if declined]: minor, this bug is only triggered for users who manually enable trr via about:config [Is this code covered by automated tests?]: no [Has the fix been verified in Nightly?]: yes [Needs manual test from QE? If yes, steps to reproduce]: [List of other uplifts needed for the feature/fix]: [Is the change risky?]: no [Why is the change risky/not risky?]: it has been verify used in nightly for a while with no further crashes detected [String changes made/needed]:
Flags: needinfo?(daniel)
Attachment #8958098 -
Flags: approval-mozilla-beta?
Comment 21•6 years ago
|
||
Sounds like beta doesn't need this.
Updated•6 years ago
|
Attachment #8958098 -
Flags: approval-mozilla-beta? → approval-mozilla-beta-
Comment 22•6 years ago
|
||
[Tracking Requested - why for this release]: This crash signature is still showing up in FF60/beta. Could the fix be uplifted? Signature report for mozilla::ipc::MessageChannel::CxxStackFrame::CxxStackFrame | mozilla::ipc::MessageChannel::Send | mozilla::dom::PContentParent::SendDataStorageRemove Showing results from 14 days ago 406 Results Windows 10 237 58.4% OS X 10.13 101 24.9% OS X 10.12 33 8.1% Windows 7 27 6.7% Windows 8.1 5 1.2% OS X 10.10 2 0.5% Windows 8 1 0.2% Firefox 60.0b11 156 45.1% 36 Firefox 60.0b10 149 43.1% 37 Firefox 60.0b12 21 6.1% 9 Firefox 60.0b9 18 5.2% 2 Firefox 60.0b8 2 0.6% 2 amd64 376 92.6% x86 30 7.4% 99770424-971a-428d-a697-5613c0180413 2018-04-13 22:35:30 Firefox 60.0b12 20180412172954 Mac OS X EXC_BAD_ACCESS / KERN_INVALID_ADDRESS 0x0 2018-04-13 19:52:33 97434f42-815a-4c2b-8c5b-275110180413 2018-04-13 22:28:14 Firefox 60.0b12 20180412172954 Windows NT EXCEPTION_BREAKPOINT 0x7ffe502d85b7 2018-04-13 16:14:05 71de442d-24e7-4a15-ba36-a222e0180413 2018-04-13 21:52:51 Firefox 60.0b12 20180412172954 Windows NT EXCEPTION_BREAKPOINT 0x7ffe608385b7 2018-04-13 16:14:05 1e98f9ff-c8d5-44a9-94a6-a64ad0180413 2018-04-13 21:52:25 Firefox 60.0b12 20180412172954 Windows NT EXCEPTION_BREAKPOINT 0x7ffe608385b7 2018-04-13 16:14:05 9cfcc0b8-acff-483e-b3fa-4b8c30180413 2018-04-13 20:55:56 Firefox 60.0b11 20180409184545 Mac OS X EXC_BAD_ACCESS / KERN_INVALID_ADDRESS 0x0 2018-04-13 20:53:47 1b9def9b-1fb0-4454-8068-554590180413 2018-04-13 20:53:57 Firefox 60.0b10 20180404171943 Mac OS X EXC_BAD_ACCESS / KERN_INVALID_ADDRESS 0x0 2018-04-09
tracking-firefox60:
--- → ?
Flags: needinfo?(daniel)
Assignee | ||
Comment 23•6 years ago
|
||
Well, the bug (I created) is only triggered by TRR which is only enabled by pref and we don't really tell people to use or try TRR on Firefox 60 (we've fixed a whole range of TRR bugs in 61 since). So an easy way to avoid this crash in 60 is just to not use TRR and instead upgrade to 61 if you want to play with TRR. In addition, the fix for this problem wasn't enough for 61 either. This crash changed signature and is since 61 now known bug 1450630.
Flags: needinfo?(daniel)
Comment 24•6 years ago
|
||
The crashes in 60 seem to come from few installs with TRR manually enabled. I think they get to keep both pieces.
You need to log in
before you can comment on or make changes to this bug.
Description
•