Crash in [@ mozilla::dom::(anonymous namespace)::PromiseNativeHandlerShim::RejectedCallback]
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
People
(Reporter: gsvelto, Assigned: peterv)
References
Details
(Keywords: crash, leave-open)
Crash Data
Attachments
(3 files)
Crash report: https://crash-stats.mozilla.org/report/index/2ae0cb7c-4831-49c9-9ce2-811210210123
Reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Top 10 frames of crashing thread:
0 XUL mozilla::dom:: dom/promise/Promise.cpp:391
1 XUL mozilla::dom::NativeHandlerCallback dom/promise/Promise.cpp:341
2 XUL js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:594
3 XUL js::Call js/src/vm/Interpreter.cpp:664
4 XUL PromiseReactionJob js/src/builtin/Promise.cpp:1904
5 XUL js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:594
6 XUL JS::Call js/src/jsapi.cpp:2861
7 XUL mozilla::dom::PromiseJobCallback::Call dom/bindings/PromiseBinding.cpp:31
8 XUL mozilla::PromiseJobRunnable::Run xpcom/base/CycleCollectedJSContext.cpp:211
9 XUL mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint xpcom/base/CycleCollectedJSContext.cpp:644
I found this during nightly crash triage but it's not a recent regression given the first version with significant volume is release 84. The crash is caused by a NULL pointer access and it's happening on shutdown - at least two user comments mention this happening when they tried to quit Firefox. I can't tell from the stack what's the affected component unfortunately.
Comment 1•3 years ago
|
||
I think DOM is a reasonable starting component for a crash involving DOM promises.
Comment 2•3 years ago
|
||
It seems that the crash reports are coming after landing of bug 1679094.
djg: Could you take a look?
Comment 3•3 years ago
|
||
A recent crash report shows potentially interesting mac_crash_info:
bp-170a9dba-d442-4564-b8fc-ef7b30210718
{
"num_records": 1,
"records": [
{
"message": "Performing @selector(menuItemHit:) from sender NSMenuItem 0x12b0957b0",
"module": "/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit"
}
]
}
This is consistent with the crash having been triggered by pressing Cmd-Q
or choosing Quit Firefox
from the menu.
Updated•2 years ago
|
Updated•2 years ago
|
Comment 4•2 years ago
|
||
Looks like maybe mInner was unlinked or maybe previously resolved or rejected. I'm not sure how any of that could happen. We could probably just return if mInner is null, though maybe we'd still be in a bad state.
Comment 5•2 years ago
•
|
||
Hey Kagami,
The crash volume increased on nightly since April. From the crash stack, it's not very clear where we got this problematic promise from. However, you've touched Promise code recently for Streams, and we've started landed/enabled Streams recently. It could be that the crash increment on nightly is coming from unexpected resolved/rejected promises in this new feature. So I think it makes sense to start from asking for your help to take a first look. Thank you.
Comment 6•2 years ago
|
||
Hmm, indeed Streams heavily uses Promise::AppendNativeHandler
and thus the function. But I'm off this week, NI'ing :smaug in case he can get some idea before I return.
Assignee | ||
Comment 7•2 years ago
|
||
Smaug and I looked at it earlier this week. I found one problematic call to Promise::AppendNativeHandler, and we're also going to convert the assert at https://searchfox.org/mozilla-central/rev/ecd91b104714a8b2584a4c03175be50ccb3a7c67/dom/promise/Promise.cpp#405 to a diagnostic assert.
Assignee | ||
Comment 8•2 years ago
|
||
Assignee | ||
Comment 9•2 years ago
|
||
Depends on D145066
Assignee | ||
Updated•2 years ago
|
Comment 10•2 years ago
|
||
Pushed by pvanderbeken@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/4d2b018a42f9 extensions::RequestWorkerRunnable::Init should propagate failure of dom::PromiseWorkerProxy::Create. r=rpl https://hg.mozilla.org/integration/autoland/rev/5e2758073f60 Make PromiseNativeHandlerShim diagnostic assert that the PromiseNativeHandler is non-null. r=smaug
Assignee | ||
Updated•2 years ago
|
Comment 11•2 years ago
|
||
bugherder |
Assignee | ||
Comment 12•2 years ago
|
||
Comment 13•2 years ago
|
||
Pushed by pvanderbeken@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/912fe57e9efb Log the reason for nulling out PromiseNativeHandlerShim::mInner. r=smaug
Comment 14•2 years ago
|
||
bugherder |
Assignee | ||
Comment 16•2 years ago
|
||
All the crashes I'm seeing are from ClearedFromCC (https://crash-stats.mozilla.org/search/?moz_crash_reason=~mState&signature=~PromiseNativeHandlerShim&_facets=signature&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=moz_crash_reason#crash-reports). There seems to be an intermittent test failure that's hitting the same condition too (dom/base/test/browser_bug1303838.js).
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment 19•2 years ago
|
||
FWIW, this is currently the #5 overall top content process crash for Fx101 on Release.
Comment hidden (Intermittent Failures Robot) |
Comment 21•2 years ago
|
||
https://bugzilla.mozilla.org/show_bug.cgi?id=1688585#c14 landed to 102. It should prevent the crash at least.
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment 27•2 years ago
|
||
FYI, I just experienced a crash with fx 104
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment 36•2 years ago
|
||
And I just hit it in Nightly 106, with an in-browser Zoom tab. ClearedFromCC again.
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment 40•2 years ago
|
||
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 10 content process crashes on beta
:peterv, could you consider increasing the severity of this top-crash bug?
For more information, please visit auto_nag documentation.
Comment 41•2 years ago
|
||
Based on the topcrash criteria, the crash signatures linked to this bug are not in the topcrash signatures anymore.
For more information, please visit auto_nag documentation.
Comment 42•1 year ago
|
||
The leave-open keyword is there and there is no activity for 6 months.
:peterv, maybe it's time to close this bug?
For more information, please visit auto_nag documentation.
Updated•23 days ago
|
Description
•