Open Bug 1445438 Opened 6 years ago Updated 2 years ago

IPC: crash [@Hdr]

Categories

(Core :: DOM: Core & HTML, defect, P2)

Tracking Status
firefox61 --- affected

People

(Reporter: posidron, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Attachments

(1 file)

==10394==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000060 (pc 0x7f93ceae88fb bp 0x7ffc6de57dc0 sp 0x7ffc6de57d80 T0)
==10394==The signal is caused by a READ memory access.
==10394==Hint: address points to the zero page.
    #0 0x7f93ceae88fa in Hdr /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:507:32
    #1 0x7f93ceae88fa in Elements /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1019
    #2 0x7f93ceae88fa in IndexOf<imgRequestProxy *, nsDefaultComparator<RefPtr<imgRequestProxy>, imgRequestProxy *> > /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1168
    #3 0x7f93ceae88fa in RemoveElement<imgRequestProxy *, nsDefaultComparator<RefPtr<imgRequestProxy>, imgRequestProxy *> > /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1817
    #4 0x7f93ceae88fa in RemoveElement<imgRequestProxy *> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1831
    #5 0x7f93ceae88fa in imgCacheValidator::RemoveProxy(imgRequestProxy*) /builds/worker/workspace/build/src/image/imgLoader.cpp:2945
    #6 0x7f93ceb238b4 in RemoveFromOwner /builds/worker/workspace/build/src/image/imgRequestProxy.cpp:386:18
    #7 0x7f93ceb238b4 in imgRequestProxy::DoCancel(nsresult) /builds/worker/workspace/build/src/image/imgRequestProxy.cpp:530
    #8 0x7f93ceb44b28 in imgRequestProxy::imgCancelRunnable::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/imgRequestProxy.h:170:17
    #9 0x7f93cbf43ee0 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:413:25
    #10 0x7f93cbf6d6a6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
    #11 0x7f93cbf88c40 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
    #12 0x7f93d336150c in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1121:24)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:323:25
    #13 0x7f93d336150c in mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::TabChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, nsIDocShellLoadInfo*, bool*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1121
    #14 0x7f93d33ea72c in mozilla::dom::TabChild::ProvideWindow(mozIDOMWindowProxy*, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, nsIDocShellLoadInfo*, bool*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1038:16
    #15 0x7f93d7f429a8 in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:851:24
    #16 0x7f93d7f48325 in OpenWindow2 /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:443:10
    #17 0x7f93d7f48325 in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp
    #18 0x7f93cedda0f9 in nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsIDocShellLoadInfo*, bool, nsPIDOMWindowOuter**) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:7183:21
    #19 0x7f93cedd8e2a in OpenJS /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:5595:10
    #20 0x7f93cedd8e2a in nsGlobalWindowOuter::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:5570
    #21 0x7f93d0a311bf in mozilla::dom::WindowBinding::open(JSContext*, JS::Handle<JSObject*>, nsGlobalWindowInner*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:2296:56
    #22 0x7f93d0a2ec32 in mozilla::dom::WindowBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:16070:13
    #23 0x7f93d830416e in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
    #24 0x7f93d830416e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:468
    #25 0x7f93d82ecb40 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:12
    #26 0x7f93d82ecb40 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3086
    #27 0x7f93d82ced54 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:418:12
    #28 0x7f93d8303f67 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:490:15
    #29 0x7f93d8304cd3 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:536:10
    #30 0x7f93d8f7b98a in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3029:12
    #31 0x7f93d105b7ad in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/FunctionBinding.cpp:36:8
    #32 0x7f93ced8df4b in Call<nsCOMPtr<nsISupports> > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:73:12
    #33 0x7f93ced8df4b in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowInner.cpp:6688
    #34 0x7f93cefa4ea7 in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&) /builds/worker/workspace/build/src/dom/base/TimeoutManager.cpp:877:42
    #35 0x7f93cefa4264 in mozilla::dom::TimeoutExecutor::MaybeExecute() /builds/worker/workspace/build/src/dom/base/TimeoutExecutor.cpp:171:11
    #36 0x7f93cefa61c6 in Notify /builds/worker/workspace/build/src/dom/base/TimeoutExecutor.cpp:239:5
    #37 0x7f93cefa61c6 in non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*) /builds/worker/workspace/build/src/dom/base/TimeoutExecutor.cpp
    #38 0x7f93cbf8dcef in nsTimerImpl::Fire(int) /builds/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:704:40
    #39 0x7f93cbf5d559 in nsTimerEvent::Run() /builds/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:286:11
    #40 0x7f93cbf7d30a in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /builds/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:193:22
    #41 0x7f93cbf7ceaf in mozilla::ThrottledEventQueue::Inner::Executor::Run() /builds/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:79:15
    #42 0x7f93cbf43ee0 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:413:25
    #43 0x7f93cbf6d6a6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
    #44 0x7f93cbf88c40 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
    #45 0x7f93cce3ffe6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:125:5
    #46 0x7f93ccd8e8c9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #47 0x7f93ccd8e8c9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #48 0x7f93ccd8e8c9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #49 0x7f93d3b2f06a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #50 0x7f93d7ff0cfb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:892:22
    #51 0x7f93ccd8e8c9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #52 0x7f93ccd8e8c9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #53 0x7f93ccd8e8c9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #54 0x7f93d7ff06da in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:718:34
    #55 0x4f6f2c in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #56 0x4f6f2c in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #57 0x7f93ec53f1c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308
    #58 0x4265bc in _start (/home/worker/firefox/firefox+0x4265bc)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:507:32 in Hdr
==10394==ABORTING
Attached file session.txt
Unclear if there's sufficient information for this to be actionable, but it's worth a look sooner than later.
Priority: -- → P2
Component: DOM → DOM: Core & HTML
Severity: normal → S3