Open Bug 1688585 Opened 2 years ago Updated 6 days ago

Crash in [@ mozilla::dom::(anonymous namespace)::PromiseNativeHandlerShim::RejectedCallback]

Categories

(Core :: DOM: Core & HTML, defect)

Unspecified
All
defect

Tracking

()

ASSIGNED

People

(Reporter: gsvelto, Assigned: peterv)

References

Details

(Keywords: crash, leave-open)

Crash Data

Attachments

(3 files)

Crash report: https://crash-stats.mozilla.org/report/index/2ae0cb7c-4831-49c9-9ce2-811210210123

Reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS

Top 10 frames of crashing thread:

0 XUL mozilla::dom:: dom/promise/Promise.cpp:391
1 XUL mozilla::dom::NativeHandlerCallback dom/promise/Promise.cpp:341
2 XUL js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:594
3 XUL js::Call js/src/vm/Interpreter.cpp:664
4 XUL PromiseReactionJob js/src/builtin/Promise.cpp:1904
5 XUL js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:594
6 XUL JS::Call js/src/jsapi.cpp:2861
7 XUL mozilla::dom::PromiseJobCallback::Call dom/bindings/PromiseBinding.cpp:31
8 XUL mozilla::PromiseJobRunnable::Run xpcom/base/CycleCollectedJSContext.cpp:211
9 XUL mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint xpcom/base/CycleCollectedJSContext.cpp:644

I found this during nightly crash triage but it's not a recent regression given the first version with significant volume is release 84. The crash is caused by a NULL pointer access and it's happening on shutdown - at least two user comments mention this happening when they tried to quit Firefox. I can't tell from the stack what's the affected component unfortunately.

I think DOM is a reasonable starting component for a crash involving DOM promises.

Component: General → DOM: Core & HTML

It seems that the crash reports are coming after landing of bug 1679094.

djg: Could you take a look?

Flags: needinfo?(dan.glastonbury)

A recent crash report shows potentially interesting mac_crash_info:

bp-170a9dba-d442-4564-b8fc-ef7b30210718

    {
      "num_records": 1,
      "records": [
        {
          "message": "Performing @selector(menuItemHit:) from sender NSMenuItem 0x12b0957b0",
          "module": "/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit"
        }
      ]
    }

This is consistent with the crash having been triggered by pressing Cmd-Q or choosing Quit Firefox from the menu.

Severity: -- → S3
Flags: needinfo?(u480271)

Looks like maybe mInner was unlinked or maybe previously resolved or rejected. I'm not sure how any of that could happen. We could probably just return if mInner is null, though maybe we'd still be in a bad state.

Hey Kagami,
The crash volume increased on nightly since April. From the crash stack, it's not very clear where we got this problematic promise from. However, you've touched Promise code recently for Streams, and we've started landed/enabled Streams recently. It could be that the crash increment on nightly is coming from unexpected resolved/rejected promises in this new feature. So I think it makes sense to start from asking for your help to take a first look. Thank you.

Flags: needinfo?(krosylight)

Hmm, indeed Streams heavily uses Promise::AppendNativeHandler and thus the function. But I'm off this week, NI'ing :smaug in case he can get some idea before I return.

Flags: needinfo?(krosylight) → needinfo?(bugs)

Smaug and I looked at it earlier this week. I found one problematic call to Promise::AppendNativeHandler, and we're also going to convert the assert at https://searchfox.org/mozilla-central/rev/ecd91b104714a8b2584a4c03175be50ccb3a7c67/dom/promise/Promise.cpp#405 to a diagnostic assert.

Assignee: nobody → peterv
Status: NEW → ASSIGNED
Flags: needinfo?(bugs)
Keywords: leave-open
Pushed by pvanderbeken@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4d2b018a42f9
extensions::RequestWorkerRunnable::Init should propagate failure of dom::PromiseWorkerProxy::Create. r=rpl
https://hg.mozilla.org/integration/autoland/rev/5e2758073f60
Make PromiseNativeHandlerShim diagnostic assert that the PromiseNativeHandler is non-null. r=smaug
Crash Signature: [@ mozilla::dom::(anonymous namespace)::PromiseNativeHandlerShim::RejectedCallback] → [@ mozilla::dom::(anonymous namespace)::PromiseNativeHandlerShim::RejectedCallback][@ mozilla::dom::(anonymous namespace)::PromiseNativeHandlerShim::ResolvedCallback]
Pushed by pvanderbeken@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/912fe57e9efb
Log the reason for nulling out PromiseNativeHandlerShim::mInner. r=smaug
Regressions: 1768823
No longer regressions: 1768823
Duplicate of this bug: 1768823

FWIW, this is currently the #5 overall top content process crash for Fx101 on Release.

https://bugzilla.mozilla.org/show_bug.cgi?id=1688585#c14 landed to 102. It should prevent the crash at least.

FYI, I just experienced a crash with fx 104

And I just hit it in Nightly 106, with an in-browser Zoom tab. ClearedFromCC again.

You need to log in before you can comment on or make changes to this bug.