Closed Bug 1692957 Opened 3 years ago Closed 3 years ago

Crash in [@ mozilla::RDDProcessManager::EnsureRDDProcessAndCreateBridge::<T>::operator()::<T>::operator()]

Categories

(Core :: Audio/Video: Playback, defect, P3)

Product:
Core
Component:
Audio/Video: Playback
Platform:
x86
Windows 7
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
88 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox86 --- wontfix
firefox87 --- wontfix
firefox88 --- fixed

People

(Reporter: mattwoodrow, Assigned: alwu)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

Bug 1692957 - reject promise if RDD has been destroyed.
48 bytes, text/x-phabricator-request
Details | Review

Crash report: https://crash-stats.mozilla.org/report/index/65f12e00-a2fa-4b13-8f8c-b94810210216

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0 xul.dll mozilla::RDDProcessManager::EnsureRDDProcessAndCreateBridge::<unnamed-tag>::operator const dom/media/ipc/RDDProcessManager.cpp:153
1 xul.dll mozilla::MozPromise<bool, nsresult, 0>::ThenValue<`lambda at /builds/worker/checkouts/gecko/dom/media/ipc/RDDProcessManager.cpp:152:13', `lambda at /builds/worker/checkouts/gecko/dom/media/ipc/RDDProcessManager.cpp:179:13'>::DoResolveOrRejectInternal xpcom/threads/MozPromise.h:835
2 xul.dll mozilla::MozPromise<bool, mozilla::ipc::ResponseRejectReason, 1>::ThenValueBase::ResolveOrRejectRunnable::Run xpcom/threads/MozPromise.h:476
3 xul.dll mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal xpcom/threads/TaskController.cpp:739
4 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1200
5 xul.dll NS_ProcessPendingEvents xpcom/threads/nsThreadUtils.cpp:496
6 xul.dll mozilla::ShutdownXPCOM xpcom/build/XPCOMInit.cpp:628
7 xul.dll ScopedXPCOMStartup::~ScopedXPCOMStartup toolkit/xre/nsAppRunner.cpp:1649
8 xul.dll XREMain::XRE_main toolkit/xre/nsAppRunner.cpp:5318
9 xul.dll XRE_main toolkit/xre/nsAppRunner.cpp:5360

Looks like there's a race condition here where mProcess could be cleared before the promise callback runs (if the RDD process crashed during startup).

Blocks: RDD
Severity: -- → S3
Priority: -- → P3
Assignee: nobody → alwu
See Also: → 1685666

This could happen if RDD crashed right after it created, then RDDProcessManager would clean mProcess and mRDDChild before running the lambda.

Depends on D106827

Pushed by alwu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/33aeef90f53f
reject promise if RDD has been destroyed. r=mattwoodrow

https://hg.mozilla.org/mozilla-central/rev/33aeef90f53f

Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox88: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: