1597965 - Crash in [@ nsWrapperCache::GetWrapper]

Status: RESOLVED FIXED

(Core :: DOM: Core & HTML, defect)

Description

[Marcia Knous [:marcia]]

This bug is for crash report bp-c7fcf926-a6aa-4195-a35c-8c1af0191116.

Seen while looking at nightly crashes - started spiking in 72 in 20191114214957: https://mzl.la/2CYJf1Z. 165 crashes/47 installs so far. Noticeable spike in the build from 11/20. No particular pattern to the URLs and comment are not really useful.

Possible regression range based on build ID: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2f19e7b646e0a52fa855b75c868f0a3f3a990ad3&tochange=88db9bea4580df16dc444668f8c2cddbb3414318

Top 7 frames of crashing thread:

0 xul.dll nsWrapperCache::GetWrapper dom/base/nsWrapperCacheInlines.h:27
1 xul.dll static bool mozilla::dom::Window_Binding::getWindowGlobalChild dom/bindings/WindowBinding.cpp:7409
2 xul.dll mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> dom/bindings/BindingUtils.cpp:3154
3 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:548
4 xul.dll js::jit::DoCallFallback js/src/jit/BaselineIC.cpp:2940
5  @0x312b97b3f9e 
6 xul.dll trunc 

Comment 1

[David Burns :automatedtester]

I have had this happen to me today and have had 4 crashes in the last 40 minutes. There is no definitive steps to reproduce for me

Comment 2

[Nathan Froyd [:froydnj]]

Looking at that regression range, I think bz and emilio have modified code that is at least vaguely related to that. ni? to them to see if there's something obvious, or if something in that regression range jumps out to them whereas it doesn't to me.

Comment 3

[Steven Michaud [:smichaud] (Retired)]

Noticeable spike in the build from 11/20.

That's because, as of the fix for bug 1371390, these crashes have started to become visible on the Mac :-)

Comment 4

[Julien Cristau [:jcristau]]

I've just turned off updates on nightly based on the crash volume in the latest build.

Comment 5

[Steven Michaud [:smichaud] (Retired)]

(Following up comment 3)

Actually probably not. These crashes are visible on the Mac for the first time in the 20191120094758 mozilla-central nightly. But the spike on all platforms (currently 691) is much greater than the spike on the Mac (138).

Comment 6

[Will Kahn-Greene [:willkg] ET needinfo? me]

I'm having this problem with Firefox nightly 20191120094758 on Ubuntu Linux 19.04. I wasn't having this problem until I updated to the latest nightly.

I can reproduce it at will by opening any Google doc. As soon as the Google doc finishes loading, the tab crashes.

Here's one of my crash reports:

https://crash-stats.mozilla.org/report/index/b3f3dfc0-d2fc-4daf-be3d-9e8d40191120

Comment 7

[Julien Cristau [:jcristau]]

Nightly updates are now rolled back to 20191119215132 and re-enabled.

Comment 8

[Emilio Cobos Álvarez (:emilio)]

(In reply to Will Kahn-Greene [:willkg] ET needinfo? me from comment #6)

I'm having this problem with Firefox nightly 20191120094758 on Ubuntu Linux 19.04. I wasn't having this problem until I updated to the latest nightly.

I can reproduce it at will by opening any Google doc. As soon as the Google doc finishes loading, the tab crashes.

I couldn't repro on a simple google doc (or at all so far) on a mozilla-central build. Do you have any add-ons installed or such that could help me repro?

So far the stacks point to a null windowGlobalChild(), so it is more likely that some of the fission changes triggered this than my patches, or bz's patches.

I think this should be nullable: https://searchfox.org/mozilla-central/rev/652014ca1183c56bc5f04daf01af180d4e50a91c/dom/webidl/Window.webidl#552

But probably existing code didn't trigger it.

Looking a bit into it.

Comment 9

[Emilio Cobos Álvarez (:emilio)]

Attachment: Bug 1597965 - Window.getWindowGlobalChild() should be nullable. r=bzbarsky

It can be null after FreeInnerObjects.

Though it looks a bit spooky for chrome code to poke at a window in that state?
We should at least figure out which change made this such a high-volume crash.

This should unblock nightly updates for now... I can add an assertion when
called from DOM bindings if you want, so that we catch this on debug builds at
least?

Comment 10

[Emilio Cobos Álvarez (:emilio)]

Is that regression range correct? It seems from 14th of november and such. so quite a bit ago.

Comment 11

[Emilio Cobos Álvarez (:emilio)]

Bugs that have recently introduced calls to getWindowGlobalChild():

• Bug 1595143
• Bug 1595154 (backed out)
• Bug 1577498

Of course the issue could be in other patches too... Bug 1577498 seems like it could be the culprit?

Comment 12

[Marcia Knous [:marcia]]

(In reply to Emilio Cobos Álvarez (:emilio) from comment #10)

Is that regression range correct? It seems from 14th of november and such. so quite a bit ago.

There were one off crashes started on 11/14, but the large spike which just presented itself is in 20191120094758. So that means it could be something that landed in https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=fdd07df83c87f12725f4b97c80e644fd11673977&tochange=79821df172391d2d9ab224951b36bd8856df0fb1 (changes between 19th and 20th).

Comment 13

[Boris Zbarsky [:bzbarsky]]

I think this should be nullable: https://searchfox.org/mozilla-central/rev/652014ca1183c56bc5f04daf01af180d4e50a91c/dom/webidl/Window.webidl#552

Very much so, given how it's handled in FreeInnerObjects.

Though it looks a bit spooky for chrome code to poke at a window in that state?

It's not really that hard. As an example, if you are poking a window from an iframe that was removed from the DOM, it's in that state.

I wish we got JS stacks from crash-stats; something like https://crash-stats.mozilla.org/report/index/b3f3dfc0-d2fc-4daf-be3d-9e8d40191120 would be legible with those. As it stands, what I can see is that we are firing DOMContentLoaded, which queues a Promise resolution or rejection, which then runs the Promise handler, which then calls PrecompiledScript::ExecuteInGlobal (and note, that at this point if the global is the window involved it could already have had its FreeInnerObjects called by some other DOMContentLoaded listener!) and then the chrome script pokes at getWindowGlobalChild().

Bug 1577498 seems like it could be the culprit?

Well, it's definitely in the regression range from comment 12.

So, we can definitely make getWindowGlobalChild() nullable, but then consumers need to check for null and deal with it, or at least check that they are OK with exceptions. Now luckily there just aren't that many consumers...

Tomislav, can any of the consumers added in bug 1577498 run at a point after the window's docshell has been torn down, do you know?

Comment 14

[Michal Kluka]

This page will always crash for me https://www.postoj.sk/48952/za-ciarou?fbclid=IwAR2vQ_E8gmBejfAr7zOfnUZy0THId26tkjFQgxCcQ_Xe1WY6Ln6alwSZMrw

Application Basics

Name: Firefox
Version: 72.0a1
Build ID: 20191120094758
Update Channel: nightly
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
OS: Windows_NT 10.0
Launcher Process: Enabled
Multiprocess Windows: 1/1 Enabled by default
Remote Processes: 5
Enterprise Policies: Inactive
Google Location Service Key: Found
Google Safebrowsing Key: Found
Mozilla Location Service Key: Found
Safe Mode: false

Crash Reports for the Last 3 Days

Report ID: bp-b2487c77-3702-49d7-8453-78a5d0191120
Submitted: 4 minutes ago

Report ID: bp-8ebc0f6e-bd1e-4eee-82f0-c74bb0191120
Submitted: 4 minutes ago

Report ID: bp-1e739f9e-37f8-4416-820d-235050191120
Submitted: 7 minutes ago

Report ID: bp-51dcbf9f-7ece-4515-806e-fbc690191120
Submitted: 8 minutes ago

Nightly Features

Name: Firefox Screenshots
Version: 39.0.0
ID: screenshots@mozilla.org

Name: Form Autofill
Version: 1.0
ID: formautofill@mozilla.org

Name: Web Compat
Version: 6.4.0
ID: webcompat@mozilla.org

Name: WebCompat Reporter
Version: 1.1.0
ID: webcompat-reporter@mozilla.org

Remote Processes

Type: Web Content
Count: 3 / 8

Type: Extension
Count: 1

Type: GPU
Count: 1

Extensions

Name: Amazon.com
Version: 1.1
Enabled: true
ID: amazondotcom@search.mozilla.org

Name: Bing
Version: 1.0
Enabled: true
ID: bing@search.mozilla.org

Name: DuckDuckGo
Version: 1.0
Enabled: true
ID: ddg@search.mozilla.org

Name: Google
Version: 1.0
Enabled: true
ID: google@search.mozilla.org

Name: Twitter
Version: 1.0
Enabled: true
ID: twitter@search.mozilla.org

Name: uBlock Origin
Version: 1.23.0
Enabled: true
ID: uBlock0@raymondhill.net

Name: Wikipedia (en)
Version: 1.0
Enabled: true
ID: wikipedia@search.mozilla.org

Security Software

Type: ESET Security

Type:

Type: ESET Firewall

Graphics

Features
Compositing: WebRender
Asynchronous Pan/Zoom: wheel input enabled; scrollbar drag enabled; keyboard enabled; autoscroll enabled
WebGL 1 Driver WSI Info: EGL_VENDOR: Google Inc. (adapter LUID: 0000000000009051) EGL_VERSION: 1.4 (ANGLE 2.1.0.fe53e2b60af2) EGL_EXTENSIONS: EGL_EXT_create_context_robustness EGL_ANGLE_d3d_share_handle_client_buffer EGL_ANGLE_d3d_texture_client_buffer EGL_ANGLE_surface_d3d_texture_2d_share_handle EGL_ANGLE_query_surface_pointer EGL_ANGLE_window_fixed_size EGL_ANGLE_keyed_mutex EGL_ANGLE_surface_orientation EGL_ANGLE_direct_composition EGL_NV_post_sub_buffer EGL_KHR_create_context EGL_EXT_device_query EGL_KHR_image EGL_KHR_image_base EGL_KHR_gl_texture_2D_image EGL_KHR_gl_texture_cubemap_image EGL_KHR_gl_renderbuffer_image EGL_KHR_get_all_proc_addresses EGL_KHR_stream EGL_KHR_stream_consumer_gltexture EGL_NV_stream_consumer_gltexture_yuv EGL_ANGLE_flexible_surface_compatibility EGL_ANGLE_stream_producer_d3d_texture EGL_ANGLE_create_context_webgl_compatibility EGL_CHROMIUM_create_context_bind_generates_resource EGL_CHROMIUM_sync_control EGL_EXT_pixel_format_float EGL_KHR_surfaceless_context EGL_ANGLE_display_texture_share_group EGL_ANGLE_create_context_client_arrays EGL_ANGLE_program_cache_control EGL_ANGLE_robust_resource_initialization EGL_ANGLE_create_context_extensions_enabled EGL_ANDROID_blob_cache EGL_ANDROID_recordable EGL_ANGLE_image_d3d11_texture EGL_ANGLE_create_context_backwards_compatible EGL_EXTENSIONS(nullptr): EGL_EXT_client_extensions EGL_EXT_platform_base EGL_EXT_platform_device EGL_ANGLE_platform_angle EGL_ANGLE_platform_angle_d3d EGL_ANGLE_device_creation EGL_ANGLE_device_creation_d3d11 EGL_ANGLE_experimental_present_path EGL_KHR_client_get_all_proc_addresses EGL_KHR_debug EGL_ANGLE_explicit_context EGL_ANGLE_feature_control
WebGL 1 Driver Renderer: Google Inc. -- ANGLE (NVIDIA Quadro 2000M Direct3D11 vs_5_0 ps_5_0)
WebGL 1 Driver Version: OpenGL ES 2.0.0 (ANGLE 2.1.0.fe53e2b60af2)
WebGL 1 Driver Extensions: GL_ANGLE_client_arrays GL_ANGLE_depth_texture GL_ANGLE_explicit_context GL_ANGLE_explicit_context_gles1 GL_ANGLE_framebuffer_blit GL_ANGLE_framebuffer_multisample GL_ANGLE_instanced_arrays GL_ANGLE_lossy_etc_decode GL_ANGLE_memory_size GL_ANGLE_multi_draw GL_ANGLE_multiview_multisample GL_ANGLE_pack_reverse_row_order GL_ANGLE_program_cache_control GL_ANGLE_provoking_vertex GL_ANGLE_request_extension GL_ANGLE_robust_client_memory GL_ANGLE_texture_compression_dxt3 GL_ANGLE_texture_compression_dxt5 GL_ANGLE_texture_usage GL_ANGLE_translated_shader_source GL_CHROMIUM_bind_generates_resource GL_CHROMIUM_bind_uniform_location GL_CHROMIUM_color_buffer_float_rgb GL_CHROMIUM_color_buffer_float_rgba GL_CHROMIUM_copy_compressed_texture GL_CHROMIUM_copy_texture GL_CHROMIUM_lose_context GL_CHROMIUM_sync_query GL_EXT_blend_func_extended GL_EXT_blend_minmax GL_EXT_color_buffer_half_float GL_EXT_debug_marker GL_EXT_discard_framebuffer GL_EXT_disjoint_timer_query GL_EXT_draw_buffers GL_EXT_float_blend GL_EXT_frag_depth GL_EXT_instanced_arrays GL_EXT_map_buffer_range GL_EXT_occlusion_query_boolean GL_EXT_read_format_bgra GL_EXT_robustness GL_EXT_sRGB GL_EXT_shader_texture_lod GL_EXT_texture_compression_bptc GL_EXT_texture_compression_dxt1 GL_EXT_texture_compression_s3tc_srgb GL_EXT_texture_filter_anisotropic GL_EXT_texture_format_BGRA8888 GL_EXT_texture_rg GL_EXT_texture_storage GL_EXT_unpack_subimage GL_KHR_debug GL_KHR_parallel_shader_compile GL_KHR_robust_buffer_access_behavior GL_NV_EGL_stream_consumer_external GL_NV_fence GL_NV_pack_subimage GL_NV_pixel_buffer_object GL_OES_EGL_image GL_OES_EGL_image_external GL_OES_depth24 GL_OES_depth32 GL_OES_element_index_uint GL_OES_get_program_binary GL_OES_mapbuffer GL_OES_packed_depth_stencil GL_OES_rgb8_rgba8 GL_OES_standard_derivatives GL_OES_surfaceless_context GL_OES_texture_3D GL_OES_texture_border_clamp GL_OES_texture_float GL_OES_texture_float_linear GL_OES_texture_half_float GL_OES_texture_half_float_linear GL_OES_texture_npot GL_OES_vertex_array_object OES_compressed_EAC_R11_signed_texture OES_compressed_EAC_R11_unsigned_texture OES_compressed_EAC_RG11_signed_texture OES_compressed_EAC_RG11_unsigned_texture OES_compressed_ETC2_RGB8_texture OES_compressed_ETC2_RGBA8_texture OES_compressed_ETC2_punchthroughA_RGBA8_texture OES_compressed_ETC2_punchthroughA_sRGB8_alpha_texture OES_compressed_ETC2_sRGB8_alpha8_texture OES_compressed_ETC2_sRGB8_texture
WebGL 1 Extensions: ANGLE_instanced_arrays EXT_blend_minmax EXT_color_buffer_half_float EXT_disjoint_timer_query EXT_float_blend EXT_frag_depth EXT_shader_texture_lod EXT_sRGB EXT_texture_compression_bptc EXT_texture_filter_anisotropic OES_element_index_uint OES_standard_derivatives OES_texture_float OES_texture_float_linear OES_texture_half_float OES_texture_half_float_linear OES_vertex_array_object WEBGL_color_buffer_float WEBGL_compressed_texture_s3tc WEBGL_compressed_texture_s3tc_srgb WEBGL_debug_renderer_info WEBGL_debug_shaders WEBGL_depth_texture WEBGL_draw_buffers WEBGL_lose_context
WebGL 2 Driver WSI Info: EGL_VENDOR: Google Inc. (adapter LUID: 0000000000009051) EGL_VERSION: 1.4 (ANGLE 2.1.0.fe53e2b60af2) EGL_EXTENSIONS: EGL_EXT_create_context_robustness EGL_ANGLE_d3d_share_handle_client_buffer EGL_ANGLE_d3d_texture_client_buffer EGL_ANGLE_surface_d3d_texture_2d_share_handle EGL_ANGLE_query_surface_pointer EGL_ANGLE_window_fixed_size EGL_ANGLE_keyed_mutex EGL_ANGLE_surface_orientation EGL_ANGLE_direct_composition EGL_NV_post_sub_buffer EGL_KHR_create_context EGL_EXT_device_query EGL_KHR_image EGL_KHR_image_base EGL_KHR_gl_texture_2D_image EGL_KHR_gl_texture_cubemap_image EGL_KHR_gl_renderbuffer_image EGL_KHR_get_all_proc_addresses EGL_KHR_stream EGL_KHR_stream_consumer_gltexture EGL_NV_stream_consumer_gltexture_yuv EGL_ANGLE_flexible_surface_compatibility EGL_ANGLE_stream_producer_d3d_texture EGL_ANGLE_create_context_webgl_compatibility EGL_CHROMIUM_create_context_bind_generates_resource EGL_CHROMIUM_sync_control EGL_EXT_pixel_format_float EGL_KHR_surfaceless_context EGL_ANGLE_display_texture_share_group EGL_ANGLE_create_context_client_arrays EGL_ANGLE_program_cache_control EGL_ANGLE_robust_resource_initialization EGL_ANGLE_create_context_extensions_enabled EGL_ANDROID_blob_cache EGL_ANDROID_recordable EGL_ANGLE_image_d3d11_texture EGL_ANGLE_create_context_backwards_compatible EGL_EXTENSIONS(nullptr): EGL_EXT_client_extensions EGL_EXT_platform_base EGL_EXT_platform_device EGL_ANGLE_platform_angle EGL_ANGLE_platform_angle_d3d EGL_ANGLE_device_creation EGL_ANGLE_device_creation_d3d11 EGL_ANGLE_experimental_present_path EGL_KHR_client_get_all_proc_addresses EGL_KHR_debug EGL_ANGLE_explicit_context EGL_ANGLE_feature_control
WebGL 2 Driver Renderer: Google Inc. -- ANGLE (NVIDIA Quadro 2000M Direct3D11 vs_5_0 ps_5_0)
WebGL 2 Driver Version: OpenGL ES 3.0.0 (ANGLE 2.1.0.fe53e2b60af2)
WebGL 2 Driver Extensions: GL_ANGLE_client_arrays GL_ANGLE_copy_texture_3d GL_ANGLE_depth_texture GL_ANGLE_explicit_context GL_ANGLE_explicit_context_gles1 GL_ANGLE_framebuffer_blit GL_ANGLE_framebuffer_multisample GL_ANGLE_instanced_arrays GL_ANGLE_lossy_etc_decode GL_ANGLE_memory_size GL_ANGLE_multi_draw GL_ANGLE_multiview_multisample GL_ANGLE_pack_reverse_row_order GL_ANGLE_program_cache_control GL_ANGLE_provoking_vertex GL_ANGLE_request_extension GL_ANGLE_robust_client_memory GL_ANGLE_texture_compression_dxt3 GL_ANGLE_texture_compression_dxt5 GL_ANGLE_texture_multisample GL_ANGLE_texture_usage GL_ANGLE_translated_shader_source GL_CHROMIUM_bind_generates_resource GL_CHROMIUM_bind_uniform_location GL_CHROMIUM_color_buffer_float_rgb GL_CHROMIUM_color_buffer_float_rgba GL_CHROMIUM_copy_compressed_texture GL_CHROMIUM_copy_texture GL_CHROMIUM_lose_context GL_CHROMIUM_sync_query GL_EXT_blend_func_extended GL_EXT_blend_minmax GL_EXT_color_buffer_float GL_EXT_color_buffer_half_float GL_EXT_debug_marker GL_EXT_discard_framebuffer GL_EXT_disjoint_timer_query GL_EXT_draw_buffers GL_EXT_float_blend GL_EXT_frag_depth GL_EXT_instanced_arrays GL_EXT_map_buffer_range GL_EXT_occlusion_query_boolean GL_EXT_read_format_bgra GL_EXT_robustness GL_EXT_sRGB GL_EXT_shader_texture_lod GL_EXT_texture_compression_bptc GL_EXT_texture_compression_dxt1 GL_EXT_texture_compression_s3tc_srgb GL_EXT_texture_filter_anisotropic GL_EXT_texture_format_BGRA8888 GL_EXT_texture_norm16 GL_EXT_texture_rg GL_EXT_texture_storage GL_EXT_unpack_subimage GL_KHR_debug GL_KHR_parallel_shader_compile GL_KHR_robust_buffer_access_behavior GL_NV_EGL_stream_consumer_external GL_NV_fence GL_NV_pack_subimage GL_NV_pixel_buffer_object GL_OES_EGL_image GL_OES_EGL_image_external GL_OES_EGL_image_external_essl3 GL_OES_depth24 GL_OES_depth32 GL_OES_element_index_uint GL_OES_get_program_binary GL_OES_mapbuffer GL_OES_packed_depth_stencil GL_OES_rgb8_rgba8 GL_OES_standard_derivatives GL_OES_surfaceless_context GL_OES_texture_3D GL_OES_texture_border_clamp GL_OES_texture_float GL_OES_texture_float_linear GL_OES_texture_half_float GL_OES_texture_half_float_linear GL_OES_texture_npot GL_OES_vertex_array_object GL_OVR_multiview GL_OVR_multiview2 OES_compressed_EAC_R11_signed_texture OES_compressed_EAC_R11_unsigned_texture OES_compressed_EAC_RG11_signed_texture OES_compressed_EAC_RG11_unsigned_texture OES_compressed_ETC2_RGB8_texture OES_compressed_ETC2_RGBA8_texture OES_compressed_ETC2_punchthroughA_RGBA8_texture OES_compressed_ETC2_punchthroughA_sRGB8_alpha_texture OES_compressed_ETC2_sRGB8_alpha8_texture OES_compressed_ETC2_sRGB8_texture
WebGL 2 Extensions: EXT_color_buffer_float EXT_disjoint_timer_query EXT_float_blend EXT_texture_compression_bptc EXT_texture_filter_anisotropic OES_texture_float_linear OVR_multiview2 WEBGL_compressed_texture_s3tc WEBGL_compressed_texture_s3tc_srgb WEBGL_debug_renderer_info WEBGL_debug_shaders WEBGL_lose_context
Direct2D: true
Uses Tiling (Content): true
Off Main Thread Painting Enabled: true
Off Main Thread Painting Worker Count: 3
Target Frame Rate: 50
DirectWrite: true (10.0.18362.476)
GPU #1
Active: Yes
Description: NVIDIA Quadro 2000M
Vendor ID: 0x10de
Device ID: 0x0dda
Driver Version: 21.21.13.7783
Driver Date: 1-13-2018
Drivers: C:\WINDOWS\System32\DriverStore\FileRepository\nvltwi.inf_amd64_149cf9b6f0e14a4c\nvd3dumx,C:\WINDOWS\System32\DriverStore\FileRepository\nvltwi.inf_amd64_149cf9b6f0e14a4c\nvwgf2umx,C:\WINDOWS\System32\DriverStore\FileRepository\nvltwi.inf_amd64_149cf9b6f0e14a4c\nvwgf2umx,C:\WINDOWS\System32\DriverStore\FileRepository\nvltwi.inf_amd64_149cf9b6f0e14a4c\nvwgf2umx C:\WINDOWS\System32\DriverStore\FileRepository\nvltwi.inf_amd64_149cf9b6f0e14a4c\nvd3dum,C:\WINDOWS\System32\DriverStore\FileRepository\nvltwi.inf_amd64_149cf9b6f0e14a4c\nvwgf2um,C:\WINDOWS\System32\DriverStore\FileRepository\nvltwi.inf_amd64_149cf9b6f0e14a4c\nvwgf2um,C:\WINDOWS\System32\DriverStore\FileRepository\nvltwi.inf_amd64_149cf9b6f0e14a4c\nvwgf2um
Subsys ID: 21d117aa
RAM: 2048
GPU #2
Active: No
Description: Intel(R) HD Graphics 3000
Vendor ID: 0x8086
Device ID: 0x0126
Driver Version: 9.17.10.4459
Driver Date: 5-19-2016
Drivers: igdumd64 igd10umd64 igd10umd64 igdumd32 igd10umd32 igd10umd32
Subsys ID: 21d117aa
RAM: Unknown
Diagnostics
AzureCanvasBackend: direct2d 1.1
AzureCanvasBackend (UI Process): skia
AzureContentBackend: skia
AzureContentBackend (UI Process): skia
AzureFallbackCanvasBackend (UI Process): none
CMSOutputProfile: AAALuldpbgACEAAAbW50clJHQiBYWVogB9kABwAYAAwAAAAAYWNzcE1TRlQAAAAATE5WAAAAAAAAAAAAAAAAAAAAAAAAAPbWAAEAAAAA0ytMTlYgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARZGVzYwAAAVAAAAB2ZG1uZAAAAcgAAABhZG1kZAAAAVAAAAB2dnVlZAAAAiwAAACGdmlldwAAArQAAAAkbHVtaQAAAtgAAAAUbWVhcwAAAuwAAAAkclhZWgAAAxAAAAAUZ1hZWgAAAyQAAAAUYlhZWgAAAzgAAAAUclRSQwAAA0wAAAgMZ1RSQwAAA0wAAAgMYlRSQwAAA0wAAAgMd3RwdAAAC1gAAAAUYmtwdAAAC2wAAAAUdGVjaAAAC4AAAAAMY3BydAAAC4wAAAAuZGVzYwAAAAAAAAAcTGVub3ZvIFRoaW5rUGFkIExDRCBNb25pdG9yAAAAAAAAAAAAAAAAAAAAAADYskAAAAAAAP////8gDIkA+AuJAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AuJAAAAAAD4C4kAAAAAAAAAAAAAAAAAZGVzYwAAAAAAAAAHTGVub3ZvAAAAAAAAAAAAAAAAAAAAAADYskAAAAAAAP////8gDIkA+AuJAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AuJAAAAAAD4C4kAAAAAAAAAAAAAAAAAAGRlc2MAAAAAAAAALFJlZmVyZW5jZSBWaWV3aW5nIENvbmRpdGlvbiBpbiBJRUM2MTk2Ni0yLjEAAAAAAAAAAAAAAAAANAAAAAKCAAAAADO7QABwBjQAzQAAAAAIAAAA+RIABAAAAADw/X8kCAAAAAAAACYAAAA4jEIAyg5DANm3QAD4dUIAAAB2aWV3AAAAAAATpP4AFF8uABDPFAAD7csABBMLAANcngAAAAFYWVogAAAAAABMCVYAUAAAAFcf5m1lYXMAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAEAAAKPAAAAAlhZWiAAAAAAAABvogAAOPUAAAOQWFlaIAAAAAAAAGKZAAC3hQAAGNpYWVogAAAAAAAAJKAAAA+EAAC2z2N1cnYAAAAAAAAEAAAAAAUACgAPABQAGQAeACMAKAAtADIANwA7AEAARQBKAE8AVABZAF4AYwBoAG0AcgB3AHwAgQCGAIsAkACVAJoAnwCkAKkArgCyALcAvADBAMYAywDQANUA2wDgAOUA6wDwAPYA+wEBAQcBDQETARkBHwElASsBMgE4AT4BRQFMAVIBWQFgAWcBbgF1AXwBgwGLAZIBmgGhAakBsQG5AcEByQHRAdkB4QHpAfIB+gIDAgwCFAIdAiYCLwI4AkECSwJUAl0CZwJxAnoChAKOApgCogKsArYCwQLLAtUC4ALrAvUDAAMLAxYDIQMtAzgDQwNPA1oDZgNyA34DigOWA6IDrgO6A8cD0wPgA+wD+QQGBBMEIAQtBDsESARVBGMEcQR+BIwEmgSoBLYExATTBOEE8AT+BQ0FHAUrBToFSQVYBWcFdwWGBZYFpgW1BcUF1QXlBfYGBgYWBicGNwZIBlkGagZ7BowGnQavBsAG0QbjBvUHBwcZBysHPQdPB2EHdAeGB5kHrAe/B9IH5Qf4CAsIHwgyCEYIWghuCIIIlgiqCL4I0gjnCPsJEAklCToJTwlkCXkJjwmkCboJzwnlCfsKEQonCj0KVApqCoEKmAquCsUK3ArzCwsLIgs5C1ELaQuAC5gLsAvIC+EL+QwSDCoMQwxcDHUMjgynDMAM2QzzDQ0NJg1ADVoNdA2ODakNww3eDfgOEw4uDkkOZA5/DpsOtg7SDu4PCQ8lD0EPXg96D5YPsw/PD+wQCRAmEEMQYRB+EJsQuRDXEPURExExEU8RbRGMEaoRyRHoEgcSJhJFEmQShBKjEsMS4xMDEyMTQxNjE4MTpBPFE+UUBhQnFEkUahSLFK0UzhTwFRIVNBVWFXgVmxW9FeAWAxYmFkkWbBaPFrIW1hb6Fx0XQRdlF4kXrhfSF/cYGxhAGGUYihivGNUY+hkgGUUZaxmRGbcZ3RoEGioaURp3Gp4axRrsGxQbOxtjG4obshvaHAIcKhxSHHscoxzMHPUdHh1HHXAdmR3DHeweFh5AHmoelB6+HukfEx8+H2kflB+/H+ogFSBBIGwgmCDEIPAhHCFIIXUhoSHOIfsiJyJVIoIiryLdIwojOCNmI5QjwiPwJB8kTSR8JKsk2iUJJTglaCWXJccl9yYnJlcmhya3JugnGCdJJ3onqyfcKA0oPyhxKKIo1CkGKTgpaymdKdAqAio1KmgqmyrPKwIrNitpK50r0SwFLDksbiyiLNctDC1BLXYtqy3hLhYuTC6CLrcu7i8kL1ovkS/HL/4wNTBsMKQw2zESMUoxgjG6MfIyKjJjMpsy1DMNM0YzfzO4M/E0KzRlNJ402DUTNU01hzXCNf02NzZyNq426TckN2A3nDfXOBQ4UDiMOMg5BTlCOX85vDn5OjY6dDqyOu87LTtrO6o76DwnPGU8pDzjPSI9YT2hPeA+ID5gPqA+4D8hP2E/oj/iQCNAZECmQOdBKUFqQaxB7kIwQnJCtUL3QzpDfUPARANER0SKRM5FEkVVRZpF3kYiRmdGq0bwRzVHe0fASAVIS0iRSNdJHUljSalJ8Eo3Sn1KxEsMS1NLmkviTCpMcky6TQJNSk2TTdxOJU5uTrdPAE9JT5NP3VAnUHFQu1EGUVBRm1HmUjFSfFLHUxNTX1OqU/ZUQlSPVNtVKFV1VcJWD1ZcVqlW91dEV5JX4FgvWH1Yy1kaWWlZuFoHWlZaplr1W0VblVvlXDVchlzWXSddeF3JXhpebF69Xw9fYV+zYAVgV2CqYPxhT2GiYfViSWKcYvBjQ2OXY+tkQGSUZOllPWWSZedmPWaSZuhnPWeTZ+loP2iWaOxpQ2maafFqSGqfavdrT2una/9sV2yvbQhtYG25bhJua27Ebx5veG/RcCtwhnDgcTpxlXHwcktypnMBc11zuHQUdHB0zHUodYV14XY+dpt2+HdWd7N4EXhueMx5KnmJeed6RnqlewR7Y3vCfCF8gXzhfUF9oX4BfmJ+wn8jf4R/5YBHgKiBCoFrgc2CMIKSgvSDV4O6hB2EgITjhUeFq4YOhnKG14c7h5+IBIhpiM6JM4mZif6KZIrKizCLlov8jGOMyo0xjZiN/45mjs6PNo+ekAaQbpDWkT+RqJIRknqS45NNk7aUIJSKlPSVX5XJljSWn5cKl3WX4JhMmLiZJJmQmfyaaJrVm0Kbr5wcnImc951kndKeQJ6unx2fi5/6oGmg2KFHobaiJqKWowajdqPmpFakx6U4pammGqaLpv2nbqfgqFKoxKk3qamqHKqPqwKrdavprFys0K1ErbiuLa6hrxavi7AAsHWw6rFgsdayS7LCszizrrQltJy1E7WKtgG2ebbwt2i34LhZuNG5SrnCuju6tbsuu6e8IbybvRW9j74KvoS+/796v/XAcMDswWfB48JfwtvDWMPUxFHEzsVLxcjGRsbDx0HHv8g9yLzJOsm5yjjKt8s2y7bMNcy1zTXNtc42zrbPN8+40DnQutE80b7SP9LB00TTxtRJ1MvVTtXR1lXW2Ndc1+DYZNjo2WzZ8dp22vvbgNwF3IrdEN2W3hzeot8p36/gNuC94UThzOJT4tvjY+Pr5HPk/OWE5g3mlucf56noMui86Ubp0Opb6uXrcOv77IbtEe2c7ijutO9A78zwWPDl8XLx//KM8xnzp/Q09ML1UPXe9m32+/eK+Bn4qPk4+cf6V/rn+3f8B/yY/Sn9uv5L/tz/bf//WFlaIAAAAAAAAPNRAAEAAAABFsxYWVogAAAAAAAAAAAAAAAAAAAAAHNpZyAAAAAAQU1EIHRleHQAAAAAQ29weXJpZ2h0IChjKSAyMDA1IExlbm92byBDb3Jwb3JhdGlvbgA=
Display0: 1920x1080@50Hz
DisplayCount: 1
GPUProcessPid: 12676
GPUProcess: Terminate GPU Process
Device Reset: Trigger Device Reset
ClearType Parameters: Gamma: 1,8 Pixel Structure: RGB ClearType Level: 100 Enhanced Contrast: 50
Decision Log
WEBRENDER:
opt-in by default: WebRender is an opt-in feature
available by user: Qualified enabled by pref
WEBGPU:
disabled by default: Disabled by default

Failure Log
(#0): GP+[GFX1-]: RenderTargetViewNeedsRecreating

Media

Audio Backend: wasapi
Max Channels: 2
Preferred Sample Rate: 48000
Output Devices
Name: Group
Headphones (Conexant 20672 SmartAudio HD):
Recording Control (Conexant 20672 SmartAudio HD):
Speakers (Conexant 20672 SmartAudio HD):
Headphones (High Definition Audio Device): HDAUDIO\FUNC_01&VEN_14F1&DEV_506E&SUBSYS_17AA21CF&REV_1000\4&13501a43&0&0001
Recording Control (Conexant 20672 SmartAudio HD):
Recording Control (Conexant 20672 SmartAudio HD):
Recording Control (Conexant 20672 SmartAudio HD):
Speakers (High Definition Audio Device): HDAUDIO\FUNC_01&VEN_14F1&DEV_506E&SUBSYS_17AA21CF&REV_1000\4&13501a43&0&0001
Input Devices
Name: Group
Interní mikrofon (Conexant 20672 SmartAudio HD):
Microphone (High Definition Audio Device): HDAUDIO\FUNC_01&VEN_14F1&DEV_506E&SUBSYS_17AA21CF&REV_1000\4&13501a43&0&0001
Docking Microphone (Conexant 20672 SmartAudio HD):
Microphone (High Definition Audio Device): HDAUDIO\FUNC_01&VEN_14F1&DEV_506E&SUBSYS_17AA21CF&REV_1000\4&13501a43&0&0001
Externí mikrofon (Conexant 20672 SmartAudio HD):
Internal AUX Jack (Conexant 20672 SmartAudio HD):
Externí mikrofon (Conexant 20672 SmartAudio HD):
Media Capabilities
Enumerate database

Important Modified Preferences

accessibility.typeaheadfind.flashBar: 0
browser.cache.disk.amount_written: 355491
browser.cache.disk.capacity: 1048576
browser.cache.disk.filesystem_reported: 1
browser.cache.disk.hashstats_reported: 1
browser.cache.disk.smart_size.first_run: false
browser.cache.disk.telemetry_report_ID: 2
browser.contentblocking.category: standard
browser.download.useDownloadDir: false
browser.places.smartBookmarksVersion: 8
browser.sessionstore.upgradeBackup.latestBuildID: 20191120094758
browser.startup.homepage_override.buildID: 20191120094758
browser.startup.homepage_override.mstone: 72.0a1
browser.urlbar.placeholderName: Google
browser.urlbar.timesBeforeHidingSuggestionsHint: 0
dom.forms.autocomplete.formautofill: true
dom.push.userAgentID: c801c04f52944fa4a2cf504722d34bae
extensions.lastAppVersion: 72.0a1
font.internaluseonly.changed: false
gfx.crash-guard.status.wmfvpxvideo: 2
gfx.crash-guard.wmfvpxvideo.appVersion: 72.0a1
gfx.crash-guard.wmfvpxvideo.deviceID: 0x0dda
gfx.crash-guard.wmfvpxvideo.driverVersion: 21.21.13.7783
idle.lastDailyNotification: 1574245977
layers.mlgpu.sanity-test-failed: false
media.gmp-gmpopenh264.abi: x86_64-msvc-x64
media.gmp-gmpopenh264.lastUpdate: 1574067031
media.gmp-gmpopenh264.version: 1.8.1.1
media.gmp-manager.buildID: 20191120094758
media.gmp-manager.lastCheck: 1574265442
media.gmp-widevinecdm.abi: x86_64-msvc-x64
media.gmp-widevinecdm.lastUpdate: 1574067033
media.gmp-widevinecdm.version: 4.10.1440.19
media.gmp.storage.version.observed: 1
media.hardware-video-decoding.failed: false
network.cookie.prefsMigrated: true
network.dns.disablePrefetch: true
network.http.speculative-parallel-limit: 0
network.predictor.cleaned-up: true
network.predictor.enabled: false
network.prefetch-next: false
places.database.lastMaintenance: 1574069930
places.history.expiration.transient_current_max_pages: 96141
privacy.sanitize.pending: [{"id":"newtab-container","itemsToClear":[],"options":{}}]
security.remote_settings.crlite_filters.checked: 1574245491
security.remote_settings.intermediates.checked: 1574245491
security.sandbox.content.tempDirSuffix: {a57a6d0b-5af7-477b-a9ec-112a0f8e8a15}
security.sandbox.plugin.tempDirSuffix: {6c2c8abb-8d13-4a3e-bd81-1bac2b2c90db}
services.sync.declinedEngines:
services.sync.engine.addresses.available: true
signon.importedFromSqlite: true
storage.vacuum.last.index: 1
storage.vacuum.last.places.sqlite: 1571657925
ui.osk.debug.keyboardDisplayReason: IKPOS: Touch screen not found.

Important Locked Preferences

Places Database

JavaScript

Incremental GC: true

Accessibility

Activated: false
Prevent Accessibility: 0
Accessible Handler Used: true
Accessibility Instantiator:

Library Versions

NSPR
Expected minimum version: 4.24 Beta
Version in use: 4.24 Beta

NSS
Expected minimum version: 3.48 Beta
Version in use: 3.48 Beta

NSSSMIME
Expected minimum version: 3.48 Beta
Version in use: 3.48 Beta

NSSSSL
Expected minimum version: 3.48 Beta
Version in use: 3.48 Beta

NSSUTIL
Expected minimum version: 3.48 Beta
Version in use: 3.48 Beta

Sandbox

Content Process Sandbox Level: 5
Effective Content Process Sandbox Level: 5

Internationalization & Localization

Application Settings
Requested Locales: ["en-US"]
Available Locales: ["en-US"]
App Locales: ["en-US"]
Regional Preferences: ["en-US"]
Default Locale: "en-US"
Operating System
System Locales: ["en-US"]
Regional Preferences: ["cs-CZ"]

Remote Debugging (Chromium Protocol)

Accepting Connections: false
URL:

Comment 15

[Tomislav Jovanovic :zombie]

Yeah, this most definitely looks like it's getting triggered from bug 1577498. PrecompiledScript::ExecuteInGlobal is how we run content scripts, and often behind the DOMContentLoaded.

I'll dig in some more, but I believe returning null in that case would be fine, and even more expected from my point of view.

Comment 16

[Pulsebot]

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c09a360d3bd3
Window.getWindowGlobalChild() should be nullable. r=bzbarsky

Comment 17

[Tomislav Jovanovic :zombie]

So yes, turns out this is executing lazily after we're already in the content script, the first time they try to access the the browser api exposed inside the sandbox. Since we're already in extension code by that point, it's very possible that docShell was very much alive when we decided to inject the content script, and got killed in the meantime.

If getWindowGlobalChild() starts returning null at that point, the lazy getter will just throw, and likely abort the whole content script (or at least neuter it, since we'll never expose the api endpoint). This is almost certainly a better outcome than what would currently happen in that case (before bug 1577498).

(In reply to Michal Kluka from comment #14)

This page will always crash for me https://www.postoj.sk/48952/za-ciarou?fbclid=IwAR2vQ_E8gmBejfAr7zOfnUZy0THId26tkjFQgxCcQ_Xe1WY6Ln6alwSZMrw

Hey Michal, sorry for marking your comment "off-topic", it's too long and was making the discussion hard to follow, and I don't know how else to collapse it.

Comment 18

[Cristian Brindusan [:cbrindusan]]

https://hg.mozilla.org/mozilla-central/rev/c09a360d3bd3

Comment 19

[Steven Michaud [:smichaud] (Retired)]

For what it's worth, these crashes are still happening in the current mozilla-central nightly (20191120234543), though at a much lower volume (and so far only on Windows):

https://crash-stats.mozilla.org/search/?build_id=%3E%3D20191120234543&signature=~nsWrapperCache%3A%3AGetWrapper&date=%3E%3D2019-11-20T16%3A26%3A00.000Z&date=%3C2019-11-21T16%3A26%3A00.000Z&_facets=signature&_facets=platform_version&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-signature

Comment 20

[Boris Zbarsky [:bzbarsky]]

That's really odd. That nightly seems to be build from rev 66531295716a76515be6e24774d788dc4ed8ecdf which should have this fix...

Comment 21

[Steven Michaud [:smichaud] (Retired)]

As best I can tell, the patch for this bug (https://phabricator.services.mozilla.com/D53967) landed first in the 20191120215217 mozilla-central nightly, whose rev is e76dbab2aea8354660281221c1aa08356107881c:

https://hg.mozilla.org/mozilla-central/pushloghtml?changeset=e76dbab2aea8354660281221c1aa08356107881c

Since it landed there've been a number of these crashes, though not nearly so many as with the 20191120094758 nightly:

https://crash-stats.mozilla.org/search/?build_id=%3E%3D20191120215217&signature=~nsWrapperCache%3A%3AGetWrapper&date=%3E%3D2019-11-20T16%3A26%3A00.000Z&date=%3C2019-11-21T16%3A26%3A00.000Z&_facets=signature&_facets=platform_version&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-signature

Interestingly, the vast majority are on "6.1.7601 Service Pack 1". And only one isn't on Windows (it's on macOS 10.15.1).

Comment 22

[Steven Michaud [:smichaud] (Retired)]

There are a number of crashes with AsyncShutdownTimeout in the signature, most (all?) of which also (like this bug's crashes) have PromiseReactionJob() on the stack, and are also disproportionately on Windows. Possibly related?

https://crash-stats.mozilla.org/search/?signature=~AsyncShutdownTimeout&date=%3E%3D2019-11-14T18%3A23%3A00.000Z&date=%3C2019-11-21T18%3A23%3A00.000Z&_facets=signature&_facets=platform_version&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-signature

Comment 23

[Julien Cristau [:jcristau]]

Pretty much all the crashes on builds after this fix have a null install date, so I'd take them with a grain of salt. Is it possible they're actually crashes from the broken build but we're making up some of the metadata on submission?

Comment 24

[Gabriele Svelto [:gsvelto]]

(In reply to Julien Cristau [:jcristau] from comment #23)

Pretty much all the crashes on builds after this fix have a null install date, so I'd take them with a grain of salt. Is it possible they're actually crashes from the broken build but we're making up some of the metadata on submission?

Yeah, if they're missing the install time then they're orphaned crashed and the metadata is unreliable (we synthesize the bare minimum from the installation that's submitting them). Orphaned crashes are sent in batches when they're found so that might be why you're seeing a spike, it should go away quickly.

Comment 25

[Steven Michaud [:smichaud] (Retired)]

You're right, Gabriele. These crashes are completely gone as of the 20191123094742 trunk nightly.

Comment 27

[Firefox Bug Husbandry Bot]

Please specify a root cause for this bug. See :tmaity for more information.