Closed
Bug 1470306
Opened 6 years ago
Closed 6 years ago
Crash in nsTArray_Impl<T>::Clear | mozilla::dom::MessagePort::CloseInternal
Categories
(Core :: DOM: Core & HTML, defect, P2)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
mozilla63
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox-esr60 | --- | unaffected |
firefox61 | --- | unaffected |
firefox62 | + | fixed |
firefox63 | --- | fixed |
People
(Reporter: marcia, Assigned: baku)
References
Details
(Keywords: crash, regression)
Crash Data
Attachments
(5 files)
933 bytes,
patch
|
bkelly
:
review+
ritu
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
1.07 KB,
patch
|
smaug
:
review+
ritu
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
5.37 KB,
patch
|
smaug
:
review+
ritu
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
1.07 KB,
patch
|
qdot
:
review+
ritu
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
2.48 KB,
patch
|
qdot
:
review+
ritu
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is report bp-9215996a-9ed7-444d-bf88-dc97f0180617. ============================================================= Seen while looking at nightly crash stats - the crash is present on Mac and Android in 62 nightly and in Linux on 62.0b0: https://bit.ly/2K4f77o and https://bit.ly/2IdXAb0 Possible regression range based on Build ID: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=0344af5522398276a98629b66df90cca6f395245&tochange=91db0c695f0272f00bf92c81c471a85101056d96 Not sure if Bug 1467179 is possibly involved. Top 10 frames of crashing thread: 0 XUL nsTArray_Impl<RefPtr<mozilla::dom::SharedMessagePortMessage>, nsTArrayInfallibleAllocator>::Clear xpcom/ds/nsTArray.h:1292 1 XUL mozilla::dom::MessagePort::CloseInternal dom/messagechannel/MessagePort.cpp:510 2 XUL mozilla::dom::MessagePort::CloseInternal dom/messagechannel/MessagePort.cpp:521 3 XUL mozilla::dom::MessagePort::DisconnectFromOwner dom/messagechannel/MessagePort.cpp:501 4 XUL std::__1::__function::__func<nsIGlobalObject::DisconnectEventTargetObjects dom/base/nsIGlobalObject.cpp:178 5 XUL nsIGlobalObject::ForEachEventTargetObject const clang/include/c++/v1/functional:1916 6 XUL <name omitted> dom/base/nsIGlobalObject.cpp:177 7 XUL mozilla::dom::WorkerPrivate::NotifyInternal dom/workers/WorkerScope.cpp:145 8 XUL mozilla::dom::WorkerPrivate::DoRunLoop dom/workers/WorkerPrivate.cpp:3253 9 XUL mozilla::dom::workerinternals:: dom/workers/RuntimeService.cpp:2707 =============================================================
Updated•6 years ago
|
Flags: needinfo?(amarchesini)
Comment 1•6 years ago
|
||
The code definitely looks error prone. It is unclear to me what keeps the MessagePort alive while DisconnectFromOwner is being called. hmm, but is this actually sort-of a regression from https://bug1438541.bmoattachments.org/attachment.cgi?id=8952759. We should keep DETH object alive when calling DisconnectFromOwner.
Flags: needinfo?(bkelly)
Comment 2•6 years ago
|
||
uncompiled patch, guess fix. (but I think we want something like this anyhow.)
Attachment #8986928 -
Flags: review?(bkelly)
Comment 3•6 years ago
|
||
Comment on attachment 8986928 [details] [diff] [review] DETH_disconnect.diff Review of attachment 8986928 [details] [diff] [review]: ----------------------------------------------------------------- I think arguably this is more of a bug in the MessagePort. The DETH owner mechanism never claims to hold the DETH alive. Still, it doesn't hurt to make nsIGlobalObject do the kungfugrip for the DETH object automatically.
Attachment #8986928 -
Flags: review?(bkelly) → review+
Reporter | ||
Updated•6 years ago
|
Crash Signature: [@ nsTArray_Impl<T>::Clear | mozilla::dom::MessagePort::CloseInternal] → [@ nsTArray_Impl<T>::Clear | mozilla::dom::MessagePort::CloseInternal]
[@ nsTArray_Impl<T>::ClearAndRetainStorage | nsTArray_Impl<T>::Clear | mozilla::dom::MessagePort::CloseInternal]
Comment 4•6 years ago
|
||
This is clearly a bug in nsIGlobalObject. I should have caught this when reviewing. Per COM rules caller should keep callee alive.
Pushed by opettay@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/15c95df467be DOMEventTargetHelper object should be kept alive while calling DisconnectFromOwner, r=bkelly
Comment 6•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/15c95df467be
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Assignee | ||
Updated•6 years ago
|
Flags: needinfo?(amarchesini)
Updated•6 years ago
|
Flags: needinfo?(bkelly)
Updated•6 years ago
|
Crash Signature: [@ nsTArray_Impl<T>::Clear | mozilla::dom::MessagePort::CloseInternal]
[@ nsTArray_Impl<T>::ClearAndRetainStorage | nsTArray_Impl<T>::Clear | mozilla::dom::MessagePort::CloseInternal] → [@ nsTArray_Impl<T>::Clear | mozilla::dom::MessagePort::CloseInternal]
[@ nsTArray_Impl<T>::ClearAndRetainStorage | nsTArray_Impl<T>::Clear | mozilla::dom::MessagePort::CloseInternal]
[@ nsTArray_Impl<T>::ClearAndRetainStorage | mozilla::dom::MessagePor…
Updated•6 years ago
|
Assignee: nobody → bugs
status-firefox-esr52:
--- → unaffected
status-firefox-esr60:
--- → unaffected
Comment 8•6 years ago
|
||
tab crashes with this signature are still occurring in firefox 62.0b and 63.0a1
Status: RESOLVED → REOPENED
Flags: needinfo?(bugs)
Resolution: FIXED → ---
Updated•6 years ago
|
status-firefox63:
--- → affected
Comment 9•6 years ago
|
||
ok, this was a possible fix based on stack traces.
Flags: needinfo?(bugs) → needinfo?(amarchesini)
Assignee | ||
Comment 10•6 years ago
|
||
Assignee: bugs → amarchesini
Flags: needinfo?(amarchesini)
Attachment #8989038 -
Flags: review?(bugs)
Updated•6 years ago
|
Attachment #8989038 -
Flags: review?(bugs) → review+
Updated•6 years ago
|
Priority: -- → P2
Comment 11•6 years ago
|
||
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/ecdbee46819c MessagePort unlinked should start the cleanup/close/shutdown procedure of the object, r=smaug
Comment 12•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/ecdbee46819c
Status: REOPENED → RESOLVED
Closed: 6 years ago → 6 years ago
Resolution: --- → FIXED
Comment 13•6 years ago
|
||
sorry for bugging again, the signatures are still present on nightly after the latest patch has landed there.
Flags: needinfo?(amarchesini)
Comment 14•6 years ago
|
||
This is a fairly high number of crashes for beta, so I'm tracking this issue for 62.
tracking-firefox62:
--- → +
Updated•6 years ago
|
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Reporter | ||
Updated•6 years ago
|
Crash Signature: mozilla::dom::MessagePort::CloseInternal ] → mozilla::dom::MessagePort::CloseInternal ]
[@ nsTArray_Impl<T>::ClearAndRetainStorage | nsTArray_base<T>::ShrinkCapacity | nsTArray_Impl<T>::Clear | mozilla::dom::MessagePort::CloseInternal]
Assignee | ||
Comment 15•6 years ago
|
||
Working on it. I hope to have a patch soon.
Assignee | ||
Comment 16•6 years ago
|
||
This is not a fix. I want to add a MOZ_DIAGNOSTIC_ASSERT and an ScopeExit. This will increase our knowledge on what is going on here.
Flags: needinfo?(amarchesini)
Attachment #8991896 -
Flags: review?(bugs)
Updated•6 years ago
|
Attachment #8991896 -
Flags: review?(bugs) → review+
Updated•6 years ago
|
Keywords: leave-open
Comment 17•6 years ago
|
||
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/e0f9fb876eec Adding some MOZ_DIAGNOSTIC_ASSERT in MessagePort, r=smaug
Comment 18•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/e0f9fb876eec
Updated•6 years ago
|
Crash Signature: mozilla::dom::MessagePort::CloseInternal ]
[@ nsTArray_Impl<T>::ClearAndRetainStorage | nsTArray_base<T>::ShrinkCapacity | nsTArray_Impl<T>::Clear | mozilla::dom::MessagePort::CloseInternal] → mozilla::dom::MessagePort::CloseInternal ]
[@ nsTArray_Impl<T>::ClearAndRetainStorage | nsTArray_base<T>::ShrinkCapacity | nsTArray_Impl<T>::Clear | mozilla::dom::MessagePort::CloseInternal]
[@ mozilla::dom::MessagePort::CloseInternal]
Assignee | ||
Comment 19•6 years ago
|
||
Probably, this is not the fix, but it's something important to have.
Attachment #8992319 -
Flags: review?(kyle)
Updated•6 years ago
|
Attachment #8992319 -
Flags: review?(kyle) → review+
Comment 20•6 years ago
|
||
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/82aed14f5854 Ensure MessagePort is in the right state if the connection to PBackground fails, r=qdot
Comment 21•6 years ago
|
||
There are 4 crahses on android with nightly (20180715100113) and the moz_crash_reason is "MOZ_RELEASE_ASSERT(mUnshippedEntangledPort)".
Assignee | ||
Comment 22•6 years ago
|
||
Yes. That is my latest patch. I introduced that assertion to be 100% sure that the problem was a nullptr port. I also pushed a patch yesterday about an additional secure check.
Comment 23•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/82aed14f5854
Assignee | ||
Comment 24•6 years ago
|
||
Attachment #8994193 -
Flags: review?(kyle)
Updated•6 years ago
|
Attachment #8994193 -
Flags: review?(kyle) → review+
Comment 25•6 years ago
|
||
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/2f59d7255981 More assertions in MessagePort, r=qdot
Comment 26•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/2f59d7255981
Comment 27•6 years ago
|
||
(In reply to Raul Gurzau (:RaulGurzau) from comment #26) > https://hg.mozilla.org/mozilla-central/rev/2f59d7255981 Hey Baku, any updates after this landing?
Flags: needinfo?(amarchesini)
Assignee | ||
Comment 28•6 years ago
|
||
Yes, it seems that we don't have any more crashes in nightly after the last push. Am I right? If yes, the problem was related to IPC initialization on workers and we should uplift that and the previous patch. Can somebody confirm that we don't have any new crash-report in nightly? Thanks.
Flags: needinfo?(amarchesini)
Comment 29•6 years ago
|
||
yes, the most recent recorded crashes were from nightly build 20180724100052 - nothing after that...
Updated•6 years ago
|
Status: REOPENED → RESOLVED
Closed: 6 years ago → 6 years ago
Keywords: leave-open
OS: Mac OS X → All
Hardware: Unspecified → All
Resolution: --- → FIXED
Target Milestone: mozilla62 → mozilla63
Comment 30•6 years ago
|
||
could you take care of requesting approval for the right patches to be uplifted to 62? thanks
Flags: needinfo?(amarchesini)
Assignee | ||
Updated•6 years ago
|
Flags: needinfo?(amarchesini)
Attachment #8986928 -
Flags: approval-mozilla-beta?
Assignee | ||
Updated•6 years ago
|
Attachment #8989038 -
Flags: approval-mozilla-beta?
Assignee | ||
Updated•6 years ago
|
Attachment #8991896 -
Flags: approval-mozilla-beta?
Assignee | ||
Updated•6 years ago
|
Attachment #8992319 -
Flags: approval-mozilla-beta?
Assignee | ||
Comment 31•6 years ago
|
||
Comment on attachment 8994193 [details] [diff] [review] more assertions Approval Request Comment [Feature/Bug causing the regression]: Bug 1467179, probably. [User impact if declined]: a crash can occur. [Is this code covered by automated tests?]: n/a [Has the fix been verified in Nightly?]: yes [Needs manual test from QE? If yes, steps to reproduce]: n/a [List of other uplifts needed for the feature/fix]: just all the patches of this bug. [Is the change risky?]: no.. [Why is the change risky/not risky?]: These patches introduce return value checks. No logical changes involved. [String changes made/needed]: none
Attachment #8994193 -
Flags: approval-mozilla-beta?
Comment on attachment 8994193 [details] [diff] [review] more assertions Crash fix that seems to have helped in Nightly, Beta62+
Attachment #8994193 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #8986928 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #8989038 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #8991896 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #8992319 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 33•6 years ago
|
||
bugherder uplift |
https://hg.mozilla.org/releases/mozilla-beta/rev/a07fb916fa61 https://hg.mozilla.org/releases/mozilla-beta/rev/c1927c01d7ed https://hg.mozilla.org/releases/mozilla-beta/rev/fb00c69a6787 https://hg.mozilla.org/releases/mozilla-beta/rev/3a3725e292e1
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•