Closed Bug 1442970 Opened 6 years ago Closed 6 years ago

Crash in mozilla::dom::ClientManager::~ClientManager

Categories

(Core :: DOM: Service Workers, defect)

Product:
Core
Component:
DOM: Service Workers
Platform:
x86
Windows 10
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX
Tracking Flags:
Tracking Status
firefox60 --- affected

People

(Reporter: ananuti, Unassigned)

References

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is
report bp-63b9064e-0ebc-4579-86f5-0ead40180304.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll mozilla::dom::ClientManager::~ClientManager dom/clients/manager/ClientManager.cpp:75
1 xul.dll nsGlobalWindowInner::FreeInnerObjects dom/base/nsGlobalWindowInner.cpp:1372
2 xul.dll nsGlobalWindowOuter::DetachFromDocShell dom/base/nsGlobalWindowOuter.cpp:2218
3 xul.dll nsDocShell::Destroy docshell/base/nsDocShell.cpp:5542
4 xul.dll nsWebBrowser::SetDocShell toolkit/components/browser/nsWebBrowser.cpp:1712
5 xul.dll nsWebBrowser::InternalDestroy toolkit/components/browser/nsWebBrowser.cpp:95
6 xul.dll nsWebBrowser::Destroy toolkit/components/browser/nsWebBrowser.cpp:1306
7 xul.dll mozilla::dom::TabChild::DestroyWindow dom/ipc/TabChild.cpp:1073
8 xul.dll mozilla::dom::TabChild::RecvDestroy dom/ipc/TabChild.cpp:2500
9 xul.dll mozilla::dom::PBrowserChild::OnMessageReceived ipc/ipdl/PBrowserChild.cpp:4386

=============================================================

STR:

1. set dom.ipc.scheduler=true and restart
2. open https://www.wikipedia.org/
3. right click at English, select Inspect Element
4. close Developer Tools
5. [a] crash if click at English link OR
   [b] crash if open any website in newtab.
Unfortunately, bug 1435689 is removing the cooperative scheduler under meta bug 1434211.  The scheduler was also never supported beyond experimental interest, so I think this amounts to WONTFIX.

Restating the issue: ClientManager uses thread-local storage and has assertions about the expected invariants.  In this specific crash, nsGlobalWindowInner::FreeInnerObjects() is freeing its mClientSource which in turn nulls out its mManager.  If this was the last live reference to the given ClientManager, its destructor gets invoked and the assertion can trigger if that's not the thread it was instantiated on.  Presumably the TabChild::RecvDestroy message was not labeled, resulting in the message being processed on an inconsistent thread.
Severity: critical → normal
Status: NEW → RESOLVED
Closed: 6 years ago
Component: DOM: Content Processes → DOM: Service Workers
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.