Closed Bug 1634995 Opened 4 years ago Closed 4 years ago

Intermittent /fetch/api/idlharness.any.serviceworker.html | application crashed [@ mozilla::dom::WorkerPrivate::OnProcessNextEvent()]

Categories

(Core :: DOM: Workers, defect, P3)

RESOLVED DUPLICATE of bug 1634259

People

(Reporter: intermittent-bug-filer, Unassigned)

Details

(Keywords: crash, intermittent-failure)

Filed by: nbeleuzu [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer.html#?job_id=300583584&repo=mozilla-central
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/Op2lCktsTGOsCBc-WdFR6w/runs/0/artifacts/public/logs/live_backing.log


[task 2020-05-03T23:40:22.842Z] 23:40:22 INFO - PROCESS-CRASH | /fetch/api/idlharness.any.serviceworker.html | application crashed [@ mozilla::dom::WorkerPrivate::OnProcessNextEvent()]
[task 2020-05-03T23:40:22.842Z] 23:40:22 INFO - Crash dump filename: /tmp/tmpIz0Q00/minidumps/7d9d6ea5-7b22-395e-f13b-160792ce3b1d.dmp
[task 2020-05-03T23:40:22.842Z] 23:40:22 INFO - Operating system: Linux
[task 2020-05-03T23:40:22.842Z] 23:40:22 INFO - 0.0.0 Linux 4.4.0-1014-aws #14taskcluster1-Ubuntu SMP Tue Apr 3 10:27:00 UTC 2018 x86_64
[task 2020-05-03T23:40:22.842Z] 23:40:22 INFO - CPU: amd64
[task 2020-05-03T23:40:22.842Z] 23:40:22 INFO - family 6 model 62 stepping 4
[task 2020-05-03T23:40:22.842Z] 23:40:22 INFO - 8 CPUs
[task 2020-05-03T23:40:22.842Z] 23:40:22 INFO -
[task 2020-05-03T23:40:22.842Z] 23:40:22 INFO - GPU: UNKNOWN
[task 2020-05-03T23:40:22.842Z] 23:40:22 INFO -
[task 2020-05-03T23:40:22.843Z] 23:40:22 INFO - Crash reason: SIGSEGV /SEGV_MAPERR
[task 2020-05-03T23:40:22.843Z] 23:40:22 INFO - Crash address: 0x8
[task 2020-05-03T23:40:22.843Z] 23:40:22 INFO - Process uptime: not available
[task 2020-05-03T23:40:22.843Z] 23:40:22 INFO -
[task 2020-05-03T23:40:22.843Z] 23:40:22 INFO - Thread 24 (crashed)
[task 2020-05-03T23:40:22.843Z] 23:40:22 INFO - 0 libxul.so!mozilla::dom::WorkerPrivate::OnProcessNextEvent() [WorkerPrivate.cpp:d95c612379c34bd08c24846a13f698c2f7ea3ebe : 2989 + 0x13]
[task 2020-05-03T23:40:22.843Z] 23:40:22 INFO - rax = 0x0000000000000000 rdx = 0x00007ff9098f00b0
[task 2020-05-03T23:40:22.843Z] 23:40:22 INFO - rcx = 0x00007ff917295220 rbx = 0x00007ff9107886e0
[task 2020-05-03T23:40:22.843Z] 23:40:22 INFO - rsi = 0x00007ff923c8e880 rdi = 0x00007ff91a40cc00
[task 2020-05-03T23:40:22.843Z] 23:40:22 INFO - rbp = 0x00007ff9091fdf60 rsp = 0x00007ff9091fdf50
[task 2020-05-03T23:40:22.843Z] 23:40:22 INFO - r8 = 0x0000000000458af8 r9 = 0x0000000000000000
[task 2020-05-03T23:40:22.844Z] 23:40:22 INFO - r10 = 0x000569fe3eab1939 r11 = 0x0000000000000246
[task 2020-05-03T23:40:22.844Z] 23:40:22 INFO - r12 = 0x00007ff923c8e880 r13 = 0x0000000000000000
[task 2020-05-03T23:40:22.844Z] 23:40:22 INFO - r14 = 0x00007ff9099c1800 r15 = 0x0000000000a8fe72
[task 2020-05-03T23:40:22.844Z] 23:40:22 INFO - rip = 0x00007ff91728fb1d
[task 2020-05-03T23:40:22.844Z] 23:40:22 INFO - Found by: given as instruction pointer in context
[task 2020-05-03T23:40:22.844Z] 23:40:22 INFO - 1 libxul.so!mozilla::dom::WorkerThread::Observer::OnProcessNextEvent(nsIThreadInternal*, bool) [WorkerThread.cpp:d95c612379c34bd08c24846a13f698c2f7ea3ebe : 356 + 0x9]
[task 2020-05-03T23:40:22.844Z] 23:40:22 INFO - rbx = 0x00007ff9107886e0 rbp = 0x00007ff9091fdf70
[task 2020-05-03T23:40:22.844Z] 23:40:22 INFO - rsp = 0x00007ff9091fdf70 r12 = 0x00007ff923c8e880
[task 2020-05-03T23:40:22.844Z] 23:40:22 INFO - r13 = 0x0000000000000000 r14 = 0x0000000000000000
[task 2020-05-03T23:40:22.844Z] 23:40:22 INFO - r15 = 0x0000000000a8fe72 rip = 0x00007ff917295281
[task 2020-05-03T23:40:22.844Z] 23:40:22 INFO - Found by: call frame info
[task 2020-05-03T23:40:22.844Z] 23:40:22 INFO - 2 libxul.so!nsThread::ProcessNextEvent(bool, bool*) [nsThread.cpp:d95c612379c34bd08c24846a13f698c2f7ea3ebe : 1107 + 0x7a]
[task 2020-05-03T23:40:22.845Z] 23:40:22 INFO - rbx = 0x00007ff9107886e0 rbp = 0x00007ff9091fe4a0
[task 2020-05-03T23:40:22.845Z] 23:40:22 INFO - rsp = 0x00007ff9091fdf80 r12 = 0x00007ff923c8e880
[task 2020-05-03T23:40:22.845Z] 23:40:22 INFO - r13 = 0x0000000000000000 r14 = 0x0000000000000000
[task 2020-05-03T23:40:22.845Z] 23:40:22 INFO - r15 = 0x0000000000a8fe72 rip = 0x00007ff91615afab
[task 2020-05-03T23:40:22.845Z] 23:40:22 INFO - Found by: call frame info
[task 2020-05-03T23:40:22.845Z] 23:40:22 INFO - 3 libxul.so!NS_ProcessPendingEvents(nsIThread*, unsigned int) [nsThreadUtils.cpp:d95c612379c34bd08c24846a13f698c2f7ea3ebe : 429 + 0x1d]
[task 2020-05-03T23:40:22.845Z] 23:40:22 INFO - rbx = 0x00007ff923c8e880 rbp = 0x00007ff9091fe4f0
[task 2020-05-03T23:40:22.845Z] 23:40:22 INFO - rsp = 0x00007ff9091fe4b0 r12 = 0x00007ff9091fe4bf
[task 2020-05-03T23:40:22.845Z] 23:40:22 INFO - r13 = 0x00007ff9099c1800 r14 = 0x00007ff91615a470
[task 2020-05-03T23:40:22.845Z] 23:40:22 INFO - r15 = 0x0000000000a8fe72 rip = 0x00007ff9161597fe
[task 2020-05-03T23:40:22.845Z] 23:40:22 INFO - Found by: call frame info
[task 2020-05-03T23:40:22.846Z] 23:40:22 INFO - 4 libxul.so!mozilla::dom::WorkerPrivate::ClearMainEventQueue(mozilla::dom::WorkerPrivate::WorkerRanOrNot) [WorkerPrivate.cpp:d95c612379c34bd08c24846a13f698c2f7ea3ebe : 3517 + 0xd]
[task 2020-05-03T23:40:22.846Z] 23:40:22 INFO - rbx = 0x00007ff90b1fe820 rbp = 0x00007ff9091fe530
[task 2020-05-03T23:40:22.846Z] 23:40:22 INFO - rsp = 0x00007ff9091fe500 r12 = 0x0000000000000000
[task 2020-05-03T23:40:22.846Z] 23:40:22 INFO - r13 = 0x00007ff9099c1800 r14 = 0x0000000000000001
[task 2020-05-03T23:40:22.846Z] 23:40:22 INFO - r15 = 0x00007ff90b1fe820 rip = 0x00007ff9172901b4
[task 2020-05-03T23:40:22.846Z] 23:40:22 INFO - Found by: call frame info

I see a missing nullptr check here: CycleCollectedJSContext::Get() can return nullptr but the caller does not check it and thus the next access on the data structure on mOwningThread may fail.

I see many places in WorkerPrivate.cpp where CycleCollectedJSContext::Get() is used as if it always returns a healthy (raw!) pointer. Either we make sure that this is the case or we should check all call sites for proper error handling.

Severity: normal → S3
Priority: -- → P3
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
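
The pattern the comments above describe, as an added example that is not Gecko code and not part of the original bug: a getter that can return a null raw pointer, an unchecked call site, and a checked one. All names (`Context`, `GetContext`, `OnNextEventChecked`, and so on) are hypothetical; the struct is laid out so the accessed field sits at offset 8 to mirror the `0x8` crash address with `rax = 0`, and the teardown ordering is an assumption for illustration, not a diagnosis of this crash.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical stand-in for a per-thread context reached through a raw pointer.
struct Context {
  uint64_t id = 1;              // offset 0
  uint64_t recursionDepth = 0;  // offset 8
};

// A member read through a null Context* faults at this small address, not at 0.
constexpr std::size_t kFaultOffset = offsetof(Context, recursionDepth);

static thread_local Context* tlsContext = nullptr;

// Models a getter that returns nullptr before setup and after teardown.
Context* GetContext() { return tlsContext; }

enum class HookResult { Ran, SkippedNoContext };

// Unchecked call site, shown for contrast and never called in this example:
// with a null context it reads address 0 + kFaultOffset and the process dies.
uint64_t OnNextEventUnchecked() { return GetContext()->recursionDepth; }

// Checked call site: handle the null return before touching any member.
HookResult OnNextEventChecked(uint64_t* depthOut) {
  Context* ccx = GetContext();
  if (!ccx) {
    return HookResult::SkippedNoContext;
  }
  *depthOut = ccx->recursionDepth;
  return HookResult::Ran;
}

// Fires the hook once while the context exists and once after it is gone
// (assumed ordering: events are still drained after the context is torn down).
std::vector<HookResult> DrainQueueAcrossTeardown() {
  std::vector<HookResult> results;
  uint64_t depth = 0;
  Context ctx;
  tlsContext = &ctx;
  results.push_back(OnNextEventChecked(&depth));
  tlsContext = nullptr;  // teardown: the getter now returns nullptr
  results.push_back(OnNextEventChecked(&depth));
  return results;
}

int main() {
  auto r = DrainQueueAcrossTeardown();
  return (r[0] == HookResult::Ran && r[1] == HookResult::SkippedNoContext) ? 0 : 1;
}
```
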