Closed Bug 1642817 Opened 1 month ago Closed 1 month ago

Local gtest run crashes with null dereference in OffTheBooksMutex::Lock()

Categories

(Core :: Graphics, defect)

Tracking

RESOLVED FIXED
mozilla79
Tracking Status
firefox79 --- fixed

People

(Reporter: botond, Assigned: botond)

Attachments

(1 file)

Today I ran a gtest locally with ./mach gtest 'APZCGestureDetectorTester.Pan_With_Tap', and it crashed with a null dereference with the following backtrace:

#0  0x00007f40bbea428d in nanosleep () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007f40bbea41da in sleep () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007f40ab5f548a in ah_crap_handler (signum=11) at /home/botond/dev/projects/mozilla/central/toolkit/xre/nsSigHandlers.cpp:95
#3  0x00007f40ac0ba0c8 in js::UnixExceptionHandler (signum=11, info=0x7ffec5b5b6f0, context=0x7ffec5b5b5c0) at /home/botond/dev/projects/mozilla/central/js/src/ds/MemoryProtectionExceptionHandler.cpp:277
#4  0x00007f40ace2718a in WasmTrapHandler (signum=11, info=0x7ffec5b5b6f0, context=0x7ffec5b5b5c0) at /home/botond/dev/projects/mozilla/central/js/src/wasm/WasmSignalHandlers.cpp:963
#5  <signal handler called>
#6  mozilla::BlockingResourceBase::CheckAcquire (this=0x28) at /home/botond/dev/projects/mozilla/central/xpcom/threads/BlockingResourceBase.cpp:216
#7  0x00007f40a21e2306 in mozilla::OffTheBooksMutex::Lock (this=0x0) at /home/botond/dev/projects/mozilla/central/xpcom/threads/BlockingResourceBase.cpp:317
#8  0x00007f40a108b0d8 in mozilla::Monitor::Lock (this=0x0) at /home/botond/dev/projects/mozilla/central/obj-x86_64-pc-linux-gnu/dist/include/mozilla/Monitor.h:31
#9  0x00007f40a114d5e3 in mozilla::MonitorAutoLock::MonitorAutoLock (this=0x7ffec5b5bca8, aMonitor=...) at /home/botond/dev/projects/mozilla/central/obj-x86_64-pc-linux-gnu/dist/include/mozilla/Monitor.h:66
#10 0x00007f40a4598ba0 in mozilla::layers::CompositorBridgeParent::CallWithIndirectShadowTree(mozilla::layers::LayersId, std::function<void (mozilla::layers::CompositorBridgeParent::LayerTreeState&)> const&) (aId=..., aFunc=...) at /home/botond/dev/projects/mozilla/central/gfx/layers/ipc/CompositorBridgeParent.cpp:2427
#11 0x00007f40a43f0227 in mozilla::layers::APZCTreeManager::GetContentController (aLayersId=...) at /home/botond/dev/projects/mozilla/central/gfx/layers/apz/src/APZCTreeManager.cpp:3617
#12 0x00007f40a43ff481 in mozilla::layers::APZCTreeManager::SendSubtreeTransformsToChromeMainThread (this=0x7f40bbb90000, aAncestor=0x7f4094738000) at /home/botond/dev/projects/mozilla/central/gfx/layers/apz/src/APZCTreeManager.cpp:3673
#13 0x00007f40a448a6c0 in mozilla::detail::RunnableMethodArguments<mozilla::layers::AsyncPanZoomController*>::applyImpl<mozilla::layers::APZCTreeManager, void (mozilla::layers::APZCTreeManager::*)(mozilla::layers::AsyncPanZoomController const*), StoreRefPtrPassByPtr<mozilla::layers::AsyncPanZoomController>, 0ul> (o=0x7f40bbb90000, m=(void (mozilla::layers::APZCTreeManager::*)(mozilla::layers::APZCTreeManager * const, const mozilla::layers::AsyncPanZoomController *)) 0x7f40a43ff430 <mozilla::layers::APZCTreeManager::SendSubtreeTransformsToChromeMainThread(mozilla::layers::AsyncPanZoomController const*)>, args=...) at /home/botond/dev/projects/mozilla/central/obj-x86_64-pc-linux-gnu/dist/include/nsThreadUtils.h:1185
#14 0x00007f40a448a60d in mozilla::detail::RunnableMethodArguments<mozilla::layers::AsyncPanZoomController*>::apply<mozilla::layers::APZCTreeManager, void (mozilla::layers::APZCTreeManager::*)(mozilla::layers::AsyncPanZoomController const*)> (this=0x7f4094737d20, o=0x7f40bbb90000, m=(void (mozilla::layers::APZCTreeManager::*)(mozilla::layers::APZCTreeManager * const, const mozilla::layers::AsyncPanZoomController *)) 0x7f40a43ff430 <mozilla::layers::APZCTreeManager::SendSubtreeTransformsToChromeMainThread(mozilla::layers::AsyncPanZoomController const*)>) at /home/botond/dev/projects/mozilla/central/obj-x86_64-pc-linux-gnu/dist/include/nsThreadUtils.h:1191
#15 0x00007f40a448a4c0 in mozilla::detail::RunnableMethodImpl<mozilla::layers::APZCTreeManager*, void (mozilla::layers::APZCTreeManager::*)(mozilla::layers::AsyncPanZoomController const*), true, (mozilla::RunnableKind)0, mozilla::layers::AsyncPanZoomController*>::Run (this=0x7f4094737ce0) at /home/botond/dev/projects/mozilla/central/obj-x86_64-pc-linux-gnu/dist/include/nsThreadUtils.h:1237
#16 0x00007f40a2217edf in nsThread::ProcessNextEvent (this=0x7f409642e890, aMayWait=true, aResult=0x7ffec5b5c677) at /home/botond/dev/projects/mozilla/central/xpcom/threads/nsThread.cpp:1211
#17 0x00007f40a221dc87 in NS_ProcessNextEvent (aThread=0x7f409642e890, aMayWait=true) at /home/botond/dev/projects/mozilla/central/xpcom/threads/nsThreadUtils.cpp:501
#18 0x00007f40a2216af3 in mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, nsThread::Shutdown()::$_2>(nsThread::Shutdown()::$_2&&, nsIThread*) (aPredicate=..., aThread=0x7f409642e890) at /home/botond/dev/projects/mozilla/central/obj-x86_64-pc-linux-gnu/dist/include/nsThreadUtils.h:359
#19 0x00007f40a22169db in nsThread::Shutdown (this=0x7f409642e9a0) at /home/botond/dev/projects/mozilla/central/xpcom/threads/nsThread.cpp:891
#20 0x00007f40a24e8ad6 in mozilla::net::nsSocketTransportService::ShutdownThread (this=0x7f40bbb1c5e0) at /home/botond/dev/projects/mozilla/central/netwerk/base/nsSocketTransportService2.cpp:792
#21 0x00007f40a24e897f in mozilla::net::nsSocketTransportService::Shutdown (this=0x7f40bbb1c5e0, aXpcomShutdown=false) at /home/botond/dev/projects/mozilla/central/netwerk/base/nsSocketTransportService2.cpp:778
#22 0x00007f40a246b54a in mozilla::net::nsIOService::SetOffline (this=0x7f40bbb9b380, offline=true) at /home/botond/dev/projects/mozilla/central/netwerk/base/nsIOService.cpp:1240
#23 0x00007f40a2471531 in mozilla::net::nsIOService::Observe (this=0x7f40bbb9b380, subject=0x0, topic=0x7f409b4792ba "profile-change-net-teardown", data=0x0) at /home/botond/dev/projects/mozilla/central/netwerk/base/nsIOService.cpp:1524
#24 0x00007f40a20e8635 in nsObserverList::NotifyObservers (this=0x7f409511f9c0, aSubject=0x0, aTopic=0x7f409b4792ba "profile-change-net-teardown", someData=0x0) at /home/botond/dev/projects/mozilla/central/xpcom/ds/nsObserverList.cpp:65
#25 0x00007f40a20fdd5c in nsObserverService::NotifyObservers (this=0x7f40964251a0, aSubject=0x0, aTopic=0x7f409b4792ba "profile-change-net-teardown", aSomeData=0x0) at /home/botond/dev/projects/mozilla/central/xpcom/ds/nsObserverService.cpp:288
#26 0x00007f40a160feef in ScopedXPCOM::~ScopedXPCOM (this=0x7ffec5b5cd78) at /home/botond/dev/projects/mozilla/central/obj-x86_64-pc-linux-gnu/dist/include/testing/TestHarness.h:99
#27 0x00007f40a160f959 in mozilla::RunGTestFunc (argc=0x7f40b208b828 <gArgc>, argv=0x7ffec5b5eb48) at /home/botond/dev/projects/mozilla/central/testing/gtest/mozilla/GTestRunner.cpp:157
#28 0x00007f40ab5d865b in XREMain::XRE_mainStartup (this=0x7ffec5b5d7e0, aExitFlag=0x7ffec5b5d6b7) at /home/botond/dev/projects/mozilla/central/toolkit/xre/nsAppRunner.cpp:3789
#29 0x00007f40ab5e2974 in XREMain::XRE_main (this=0x7ffec5b5d7e0, argc=3, argv=0x7ffec5b5eb48, aConfig=...) at /home/botond/dev/projects/mozilla/central/toolkit/xre/nsAppRunner.cpp:4798
#30 0x00007f40ab5e30e9 in XRE_main (argc=3, argv=0x7ffec5b5eb48, aConfig=...) at /home/botond/dev/projects/mozilla/central/toolkit/xre/nsAppRunner.cpp:4865
#31 0x00007f40ab5fb507 in mozilla::BootstrapImpl::XRE_main (this=0x7f40bbb56150, argc=3, argv=0x7ffec5b5eb48, aConfig=...) at /home/botond/dev/projects/mozilla/central/toolkit/xre/Bootstrap.cpp:45

What seems to be happening here is that a task that acquires sIndirectLayerTreesLock is still queued up at shutdown, and by the time it runs, sIndirectLayerTreesLock has been cleared and set to null.

Assignee: nobody → botond
Pushed by bballo@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/124e127d05f4
Avoid accessing sIndirectLayerTreesLock during shutdown. r=kats
Status: NEW → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla79
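
The ordering described in the report (a task still queued when teardown clears the lock) can be reproduced in a small model. The following is an added example, not the code from this bug or from the landed patch; sTreesLock, CallWithTree and the other names are hypothetical stand-ins, and the null guard is one possible way to avoid the access, assumed here for illustration.

```cpp
// Added illustration: a simplified model, not Gecko code. All names are hypothetical.
#include <functional>
#include <memory>
#include <mutex>
#include <queue>
#include <string>
#include <unordered_map>

// Stand-ins for sIndirectLayerTreesLock and the state it protects.
static std::unique_ptr<std::mutex> sTreesLock;
static std::unordered_map<int, std::string> sTrees;
// Single-threaded stand-in for the thread's event queue.
static std::queue<std::function<void()>> sQueue;

void InitTrees() {
  sTreesLock = std::make_unique<std::mutex>();
  sTrees[1] = "controller-1";
}

void ShutdownTrees() {
  sTrees.clear();
  sTreesLock = nullptr;  // from here on, *sTreesLock is a null dereference
}

// Guarded accessor: refuses to touch the lock once teardown has cleared it.
bool CallWithTree(int id, const std::function<void(const std::string&)>& fn) {
  if (!sTreesLock) return false;  // teardown already ran
  std::lock_guard<std::mutex> guard(*sTreesLock);
  auto it = sTrees.find(id);
  if (it == sTrees.end()) return false;
  fn(it->second);
  return true;
}

void DrainQueue() {
  for (; !sQueue.empty(); sQueue.pop()) sQueue.front()();
}

// Same ordering as the report: task queued, teardown runs, queue drained last.
bool LateTaskFoundTree() {
  bool found = true;
  InitTrees();
  sQueue.push([&found] { found = CallWithTree(1, [](const std::string&) {}); });
  ShutdownTrees();
  DrainQueue();
  return found;
}

// Exit code 0 means the late task was rejected instead of crashing.
int main() { return LateTaskFoundTree() ? 1 : 0; }
```

The null check is sufficient here only because teardown and the late task run on the same thread in this model.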