Closed
Bug 1645852
Opened 4 years ago
Closed 4 years ago
crash near null in [@ mozilla::dom::BrowsingContext::Get]
Categories
(Core :: Audio/Video, defect, P3)
Core
Audio/Video
Tracking
()
VERIFIED
FIXED
mozilla79
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox-esr78 | --- | unaffected |
| firefox77 | --- | unaffected |
| firefox78 | --- | unaffected |
| firefox79 | --- | fixed |
People
(Reporter: tsmith, Assigned: alwu)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, regression, testcase)
Attachments
(2 files)
==28850==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7f22c38d47ea bp 0x7ffda8696b10 sp 0x7ffda8696b10 T0)
==28850==The signal is caused by a WRITE memory access.
==28850==Hint: address points to the zero page.
#0 0x7f22c38d47e9 in fetch_add /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/atomic_base.h
#1 0x7f22c38d47e9 in add /builds/worker/workspace/obj-build/dist/include/mozilla/Atomics.h:215:17
#2 0x7f22c38d47e9 in inc /builds/worker/workspace/obj-build/dist/include/mozilla/Atomics.h:241:12
#3 0x7f22c38d47e9 in operator++ /builds/worker/workspace/obj-build/dist/include/mozilla/Atomics.h:337:30
#4 0x7f22c38d47e9 in Checker::StartReadOp() /builds/worker/workspace/obj-build/dist/include/PLDHashTable.h:130:25
#5 0x7f22c38d213e in AutoReadOp /gecko/xpcom/ds/PLDHashTable.cpp:30:58
#6 0x7f22c38d213e in PLDHashTable::Search(void const*) const /gecko/xpcom/ds/PLDHashTable.cpp:489:14
#7 0x7f22cf11dd52 in GetEntry /builds/worker/workspace/obj-build/dist/include/nsTHashtable.h:210:16
#8 0x7f22cf11dd52 in Get /builds/worker/workspace/obj-build/dist/include/nsBaseHashtable.h:153:28
#9 0x7f22cf11dd52 in mozilla::dom::BrowsingContext::Get(unsigned long) /gecko/docshell/base/BrowsingContext.cpp:144:39
#10 0x7f22caa98157 in mozilla::dom::ContentMediaAgent::NotifyMediaPlaybackChanged(unsigned long, mozilla::dom::MediaPlaybackState) /gecko/dom/media/mediacontrol/ContentMediaController.cpp:77:32
#11 0x7f22ca17a293 in mozilla::dom::HTMLMediaElement::MediaControlKeyListener::NotifyMediaStoppedPlaying() /gecko/dom/html/HTMLMediaElement.cpp:460:7
#12 0x7f22ca17aa86 in mozilla::dom::HTMLMediaElement::MediaControlKeyListener::Stop() /gecko/dom/html/HTMLMediaElement.cpp:428:5
#13 0x7f22ca133547 in mozilla::dom::HTMLMediaElement::cycleCollection::Unlink(void*) /gecko/dom/html/HTMLMediaElement.cpp:1956:10
#14 0x7f22c3876254 in nsCycleCollector::CollectWhite() /gecko/xpcom/base/nsCycleCollector.cpp:3083:26
#15 0x7f22c3878d36 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /gecko/xpcom/base/nsCycleCollector.cpp:3432:24
#16 0x7f22c38788d5 in nsCycleCollector::ShutdownCollect() /gecko/xpcom/base/nsCycleCollector.cpp:3352:20
#17 0x7f22c387a7b6 in nsCycleCollector::Shutdown(bool) /gecko/xpcom/base/nsCycleCollector.cpp:3641:5
#18 0x7f22c387c523 in nsCycleCollector_shutdown(bool) /gecko/xpcom/base/nsCycleCollector.cpp:3956:18
#19 0x7f22c3aa167b in mozilla::ShutdownXPCOM(nsIServiceManager*) /gecko/xpcom/build/XPCOMInit.cpp:721:3
#20 0x7f22cfbeafeb in ScopedXPCOMStartup::~ScopedXPCOMStartup() /gecko/toolkit/xre/nsAppRunner.cpp:1279:5
#21 0x7f22cfc02878 in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:460:5
#22 0x7f22cfc02878 in reset /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:302:7
#23 0x7f22cfc02878 in operator= /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:275:5
#24 0x7f22cfc02878 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:4829:16
#25 0x7f22cfc034d3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:4866:21
#26 0x55f5df374e17 in do_main /gecko/browser/app/nsBrowserApp.cpp:217:22
#27 0x55f5df374e17 in main /gecko/browser/app/nsBrowserApp.cpp:331:16
Flags: in-testsuite?
|
||
Comment 1•4 years ago
|
||
sBrowsingContexts is cleared in shut down before the final cycle collection, it looks like, and browsing contexts can live until then.
|
Reporter | |
Comment 2•4 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/xZlN5COT19Unj-f4oQh_HA/index.html
|
||
Updated•4 years ago
|
Blocks: fission-dogfooding
Component: DOM: Navigation → Audio/Video
|
Assignee | |
Updated•4 years ago
|
Assignee: nobody → alwu
Severity: -- → S3
Priority: -- → P3
|
|
Assignee | |
Comment 3•4 years ago
|
||
|
||
Updated•4 years ago
|
Attachment #9158363 -
Attachment description: Bug 1645852 - do not call 'BrowsingContext::Get()' after XPCOM shutdown. → Bug 1645852 - do not call `BrowsingContext::Get()` after XPCOM shutdown.
Pushed by alwu@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/63961738f91e do not call `BrowsingContext::Get()` after XPCOM shutdown. r=bryce
|
||
Comment 5•4 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla79
|
||
Updated•4 years ago
|
status-firefox77:
--- → unaffected
status-firefox78:
--- → unaffected
status-firefox-esr68:
--- → unaffected
status-firefox-esr78:
--- → unaffected
Regressed by: 1640998
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
|
||
Updated•4 years ago
|
Flags: qe-verify+
|
||
Comment 6•4 years ago
|
||
Dropping the qe+ flag since we couldn't reproduce the crash.
As a safety margin, verified with the current (79.0b4) on Windows 10, macOS 10.15.5, Ubuntu 18 and debug builds on Ubuntu18/Windows 10 and no crashes were encountered.
In therms of manual verification, if additional checks are needed;
@Tyson if you have time, could you confirm if there are any issues still manifesting?
Flags: qe-verify+ → needinfo?(twsmith)
|
||
Updated•4 years ago
|
Keywords: regression
|
|
Reporter | |
Comment 7•4 years ago
|
||
The fuzzers are longer seeing this issue.
Status: RESOLVED → VERIFIED
Flags: needinfo?(twsmith)
You need to log in
before you can comment on or make changes to this bug.
Description
•