Closed Bug 1457475 Opened Last year Closed Last year

Crash in js::GlobalHelperThreadState::finishParseTask

Categories

(Core :: JavaScript Engine, defect, P1, critical)

Unspecified
Windows 10
defect

Tracking

()

VERIFIED FIXED
mozilla61
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox59 --- unaffected
firefox60 --- unaffected
firefox61 + verified

People

(Reporter: marcia, Assigned: jandem)

References

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

This bug was filed from the Socorro interface and is
report bp-a38d9b33-58e6-47c9-83d1-6f6100180427.
=============================================================

These Mac and Windows crashes started showing up using 20180426220144: https://bit.ly/2Hu9BgZ. Not sure if they are expected due to Bug 1452114? ni on :jandem

Top 10 frames of crashing thread:

0 xul.dll js::GlobalHelperThreadState::finishParseTask js/src/vm/HelperThreads.cpp:1709
1 xul.dll mozilla::ScriptPreloader::MaybeFinishOffThreadDecode js/xpconnect/loader/ScriptPreloader.cpp:980
2 xul.dll mozilla::ScriptPreloader::WaitForCachedScript js/xpconnect/loader/ScriptPreloader.cpp:863
3 xul.dll mozilla::ScriptPreloader::GetCachedScript js/xpconnect/loader/ScriptPreloader.cpp:849
4 xul.dll mozJSComponentLoader::ObjectForLocation js/xpconnect/loader/mozJSComponentLoader.cpp:826
5 xul.dll mozJSComponentLoader::LoadModule js/xpconnect/loader/mozJSComponentLoader.cpp:442
6 xul.dll nsComponentManagerImpl::KnownModule::Load xpcom/components/nsComponentManager.cpp:717
7 xul.dll nsFactoryEntry::GetFactory xpcom/components/nsComponentManager.cpp:1748
8 xul.dll nsComponentManagerImpl::CreateInstanceByContractID xpcom/components/nsComponentManager.cpp:1046
9 xul.dll nsComponentManagerImpl::GetServiceByContractID xpcom/components/nsComponentManager.cpp:1409

=============================================================
Flags: needinfo?(jdemooij)
Attached patch PatchSplinter Review
Some of these look like OOMs but not all of them. Something is failing but not reporting an exception.

For now we can demote this MOZ_DIAGNOSTIC_ASSERT to MOZ_ASSERT, maybe fuzzing will find something.
Flags: needinfo?(jdemooij)
Attachment #8971763 - Flags: review?(jcoppeard)
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Comment on attachment 8971763 [details] [diff] [review]
Patch

Review of attachment 8971763 [details] [diff] [review]:
-----------------------------------------------------------------

Good plan.
Attachment #8971763 - Flags: review?(jcoppeard) → review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/45603dbcb3bb
Demote MOZ_DIAGNOSTIC_ASSERT to MOZ_ASSERT. r=jonco
I'd like to know if the frontend or the worker thread machinery is to blame. Can we assert on the worker thread that this doesn't happen? (Maybe in HelperThread::handleParseWorkload.)
<jandem> jorendorff: we could add a similar assert to the main thread frontend code
<jorendorff> yes, i was just thinking that
<jorendorff> jandem: seems like a very good idea if we really want fuzzer help
Priority: -- → P1
Flags: needinfo?(jdemooij)
https://hg.mozilla.org/mozilla-central/rev/45603dbcb3bb
Status: ASSIGNED → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
See Also: → 1458198
Flags: needinfo?(jdemooij)
Hm it looks like many of these are actually *decode* tasks instead of *parse* tasks, despite it being called finishParseTask, so we should probably add similar asserts to the XDR decoder.
OK the XDR decoder only reports an exception if TranscodeResult_Throw is used, but there are other failure TranscodeResults that don't report a pending exception so the helper threads code should check for that. I'll file another followup.
Flags: needinfo?(jdemooij)
Filed bug 1458209 for the XDR bug.
Flags: needinfo?(jdemooij)
No more crashes since the patch landed.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.