Crash in nsPipe::AdvanceWriteCursor

RESOLVED FIXED in Firefox 63

Status

P1
critical
9 months ago
7 months ago

People

(Reporter: marcia, Assigned: kmag)

Tracking

({crash, regression})

Trunk
mozilla63
Unspecified
macOS
Bug Flags:
qe-verify -

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox-esr60 unaffected, firefox61 unaffected, firefox62 unaffected, firefox63 fixed)

Details

(crash signature)

Attachments

(1 attachment)

This bug was filed from the Socorro interface and is report bp-0faee110-5c94-433d-bb88-0e90a0180708.
=============================================================

Seen while doing nightly crash triage - 3 unique Mac users hit this on nightly: https://bit.ly/2m7mqRf. All have MOZ_RELEASE_ASSERT(newWriteCursor <= mWriteLimit). The URLs appear to be Gmail.

Crashes started using the 20180701220749 build. Possible regression range based on that build ID: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=19766d4c54e3c0ef09caf3c9a7fd3f162e4d5ac6&tochange=3cfc350101967376909ad3c729f9779ae0ab7a94

Top 10 frames of crashing thread:

0 XUL nsPipe::AdvanceWriteCursor xpcom/io/nsPipe3.cpp:927
1 XUL nsPipeOutputStream::WriteSegments xpcom/io/nsPipe3.cpp:1854
2 XUL NS_CopySegmentToStream xpcom/io/nsStreamUtils.cpp:812
3 XUL nsStringInputStream::ReadSegments xpcom/io/nsStringStream.cpp:270
4 XUL mozilla::dom::FetchDriver::OnDataAvailable dom/fetch/FetchDriver.cpp
5 XUL mozilla::net::nsHTTPCompressConv::do_OnDataAvailable netwerk/streamconv/converters/nsHTTPCompressConv.cpp:528
6 XUL mozilla::net::nsHTTPCompressConv::OnDataAvailable netwerk/streamconv/converters/nsHTTPCompressConv.cpp:443
7 XUL mozilla::net::HttpChannelChild::OnTransportAndData netwerk/protocol/http/HttpChannelChild.cpp:995
8 XUL mozilla::net::ChannelEventQueue::FlushQueue netwerk/ipc/ChannelEventQueue.cpp:93
9 XUL mozilla::net::ChannelEventQueue::ResumeInternal netwerk/ipc/ChannelEventQueue.h:329

=============================================================

Comment 1

9 months ago
This looks like a fetch issue. The main thing that jumps out at me is FetchDriver::OnDataAvailable notes that it can be accessed by any thread, but claims it's not an issue [1]. If you expand the crash report you can see threads 32 and 33 are hitting the same code path; I'm inclined to believe that's the underlying issue.

[1] https://searchfox.org/mozilla-central/rev/28daa2806c89684b3dfa4f0b551db1d099dda7c2/dom/fetch/FetchDriver.cpp#1103-1105
Component: XPCOM → DOM

Comment 2

9 months ago
Kris noted this might be WebExtensions breaking some assumptions.
Component: DOM → General
Flags: needinfo?(kmaglione+bmo)
Product: Core → WebExtensions
(Assignee)

Comment 3

9 months ago
Yeah, it looks like this happens when we're disconnecting a StreamFilter from a channel. The OnDataAvailable calls being flushed from our queue wind up racing with the ones coming directly from the channel while we disconnect.

This will require some thought.
Assignee: nobody → kmaglione+bmo
Component: General → Request Handling
Flags: needinfo?(kmaglione+bmo)
Priority: -- → P1
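
The race described in Comments 1 and 3, as an added example that is not part of the bug thread or Mozilla's code: a single-segment model (hypothetical `ModelPipe`, constructed sizes) in which two writers each read the free space and then commit, assuming nothing serializes the two steps between callers. It enumerates every interleaving and counts those that violate `newWriteCursor <= mWriteLimit`.

```cpp
#include <algorithm>
#include <cstddef>
#include <string>

// Hypothetical single-segment model. Member names mirror the assertion quoted
// in the report, but this is not nsPipe's implementation.
struct ModelPipe {
  size_t mWriteCursor = 0;
  size_t mWriteLimit = 8;  // constructed segment size
  bool invariantBroken = false;

  // Step 1 of a write: how much room is left in the segment.
  size_t GetWriteSegment() const { return mWriteLimit - mWriteCursor; }

  // Step 2 of a write: commit the bytes that were copied.
  void AdvanceWriteCursor(size_t aBytes) {
    size_t newWriteCursor = mWriteCursor + aBytes;
    if (newWriteCursor > mWriteLimit) {  // condition the release assert guards
      invariantBroken = true;
      return;
    }
    mWriteCursor = newWriteCursor;
  }
};

// Runs one schedule. Each 'A' or 'B' is that writer's next step: its first
// occurrence is GetWriteSegment, its second is AdvanceWriteCursor.
bool ScheduleBreaksInvariant(const std::string& aSchedule, size_t aLen) {
  ModelPipe pipe;
  size_t room[2] = {0, 0};
  bool haveRoom[2] = {false, false};
  for (char step : aSchedule) {
    int w = step - 'A';
    if (!haveRoom[w]) {
      room[w] = pipe.GetWriteSegment();  // stale once the other writer commits
      haveRoom[w] = true;
    } else {
      pipe.AdvanceWriteCursor(std::min(aLen, room[w]));
    }
  }
  return pipe.invariantBroken;
}

// Counts failing schedules among all 6 orderings of two writers' two steps.
int CountBreakingSchedules(size_t aLen) {
  std::string schedule = "AABB";
  int broken = 0;
  do {
    if (ScheduleBreaksInvariant(schedule, aLen)) ++broken;
  } while (std::next_permutation(schedule.begin(), schedule.end()));
  return broken;
}
```

With two 6-byte deliveries into the 8-byte segment, only the two fully serialized orderings keep the cursor within the limit; with 4-byte deliveries every ordering passes, which is why such a race shows up only intermittently in crash data.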
Comment hidden (mozreview-request)

Comment 5

8 months ago
mozreview-review
Comment on attachment 8994943 [details]
Bug 1474296: Don't disconnect disconnected channels on IPC error.

https://reviewboard.mozilla.org/r/259440/#review266482

After retracing all the state stuff, I think this is fine to do.
Attachment #8994943 - Flags: review?(mixedpuppy) → review+
(Assignee)

Comment 6

8 months ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/4bf70a81f42f205bd2b0c91da3f511ca39c2f118
Bug 1474296: Don't disconnect disconnected channels on IPC error. r=mixedpuppy

Comment 7

8 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/4bf70a81f42f
Status: NEW → RESOLVED
Last Resolved: 8 months ago
status-firefox63: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
status-firefox61: --- → unaffected
status-firefox-esr52: --- → unaffected
status-firefox-esr60: --- → unaffected

Comment 9

7 months ago
Is manual testing required on this bug? If yes, please provide some STR and the proper extension (if required) or set the “qe-verify -” flag.

Thanks!
Flags: needinfo?(mixedpuppy)
Flags: needinfo?(mixedpuppy) → qe-verify-