Closed Bug 1631346 Opened 5 years ago Closed 5 years ago

Crash in [@ nsAutoTObserverArray<T>::AppendElementUnlessExists<T>]

Categories

(Core :: Performance: General, defect, P1)

Product:
Core
Component:
Performance: General
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla78
Tracking Flags:
Tracking Status
firefox-esr68 --- wontfix
firefox76 --- wontfix
firefox77 --- wontfix
firefox78 --- fixed

People

(Reporter: gsvelto, Assigned: sefeng)

References

(Regression)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

Bug 1631346 - Fix a null ptr crash in PerformanceObserver::Observe r=baku
47 bytes, text/x-phabricator-request
Details | Review

This bug is for crash report bp-ba7fba8d-60db-46d3-be92-44d7e0200419.

Top 10 frames of crashing thread:

0 libxul.so void nsAutoTObserverArray<mozilla::dom::PerformanceObserver*, 0ul>::AppendElementUnlessExists<mozilla::dom::PerformanceObserver*> xpcom/ds/nsTObserverArray.h:199
1 libxul.so mozilla::dom::PerformanceObserver::Observe dom/performance/PerformanceObserver.cpp:296
2 libxul.so mozilla::dom::PerformanceObserver_Binding::observe dom/bindings/PerformanceObserverBinding.cpp:255
3 libxul.so bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> dom/bindings/BindingUtils.cpp:3205
4 libxul.so js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:584
5 libxul.so Interpret js/src/vm/Interpreter.cpp:647
6 libxul.so js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:619
7 libxul.so js::fun_call js/src/vm/JSFunction.cpp:1130
8 libxul.so js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:584
9 libxul.so Interpret js/src/vm/Interpreter.cpp:647

Looks like this crash has been around since bug 1539006 landed. From the looks of it we're accessing a NULL pointer hold by the mPerformance field. Not being familiar with this code I don't see how this could happen. Maybe the object was created with a NULL element to begin with?

The performance observer object could have been unlinked. Unlinking doesn't clear out the JS to C++ reference. Of course, this indicates a bug in code somewhere because we should not be able to get at JS that holds unlinked C++ objects.

Sean, the crash rate isn't too hard here but it seems like it would be an easy fix. Would you like to look at this?

Assignee: nobody → sefeng
Priority: -- → P1
Pushed by sefeng@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/186ec6c80cbd Fix a null ptr crash in PerformanceObserver::Observe r=baku

https://hg.mozilla.org/mozilla-central/rev/186ec6c80cbd

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox78: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla78
status-firefox76: --- → wontfix
status-firefox77: --- → wontfix
status-firefox-esr68: --- → wontfix
No longer depends on: 1539006
Regressed by: 1539006
Has Regression Range: --- → yes
Keywords: regression
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: