Closed
Bug 1698235
Opened 3 years ago
Closed 3 years ago
crash near null in [@ nsPagePrintTimer::WaitForRemotePrint]
Categories
(Core :: Layout, defect, P2)
Core
Layout
Tracking
()
RESOLVED
FIXED
88 Branch
People
(Reporter: tsmith, Assigned: MatsPalmgren_bugz)
References
(Blocks 2 open bugs)
Details
(Keywords: crash)
Attachments
(2 files)
|
4.87 KB,
patch
|
Details | Diff | Splinter Review | |
|
Bug 1698235 - Add some error handling when using RemotePrintJobChild which may be destroyed. r=TYLin
48 bytes,
text/x-phabricator-request
|
Details | Review |
The test case is flaky so I will attach a Pernosco session shortly.
==30891==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7f3c5408b592 bp 0x7ffcfa311270 sp 0x7ffcfa311260 T0)
==30891==The signal is caused by a READ memory access.
==30891==Hint: address points to the zero page.
#0 0x7f3c5408b592 in assign_assuming_AddRef /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:372:27
#1 0x7f3c5408b592 in assign_assuming_AddRef /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:400:20
#2 0x7f3c5408b592 in operator=<nsITimer> /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:715:5
#3 0x7f3c5408b592 in nsPagePrintTimer::WaitForRemotePrint() /gecko/layout/printing/nsPagePrintTimer.cpp:159:26
#4 0x7f3c5408b519 in mozilla::layout::RemotePrintJobChild::ProcessPage(nsTArray<unsigned long>&&) /gecko/layout/printing/ipc/RemotePrintJobChild.cpp:61:20
#5 0x7f3c532ed0ae in nsDeviceContextSpecProxy::EndPage() /gecko/widget/nsDeviceContextSpecProxy.cpp:179:20
#6 0x7f3c4de764ff in nsDeviceContext::EndPage() /gecko/gfx/src/nsDeviceContext.cpp:583:47
#7 0x7f3c53c08db8 in nsPageSequenceFrame::DoPageEnd() /gecko/layout/generic/nsPageSequenceFrame.cpp:685:42
#8 0x7f3c5408fc4e in nsPrintJob::PrintSheet(nsPrintObject*, bool&) /gecko/layout/printing/nsPrintJob.cpp:2360:17
#9 0x7f3c5408f561 in nsPagePrintTimer::Run() /gecko/layout/printing/nsPagePrintTimer.cpp:74:43
#10 0x7f3c4b8ae47c in mozilla::SchedulerGroup::Runnable::Run() /gecko/xpcom/threads/SchedulerGroup.cpp:146:20
#11 0x7f3c4b8b9d96 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:472:16
#12 0x7f3c4b8b6953 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:760:26
#13 0x7f3c4b8b4827 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:611:15
#14 0x7f3c4b8b4c7d in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:395:36
#15 0x7f3c4b8c13d1 in operator() /gecko/xpcom/threads/TaskController.cpp:133:37
#16 0x7f3c4b8c13d1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /gecko/xpcom/threads/nsThreadUtils.h:534:5
#17 0x7f3c4b8dc724 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1158:16
#18 0x7f3c4b8d7e3e in NS_ProcessPendingEvents(nsIThread*, unsigned int) /gecko/xpcom/threads/nsThreadUtils.cpp:496:19
#19 0x7f3c4b948eb2 in mozilla::ShutdownXPCOM(nsIServiceManager*) /gecko/xpcom/build/XPCOMInit.cpp:619:5
#20 0x7f3c56dbb77c in XRE_TermEmbedding() /gecko/toolkit/xre/nsEmbedFunctions.cpp:212:3
#21 0x7f3c4cb174b4 in mozilla::ipc::ScopedXREEmbed::Stop() /gecko/ipc/glue/ScopedXREEmbed.cpp:90:5
#22 0x7f3c56dbc2ce in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:737:16
#23 0x5564353579fd in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#24 0x556435357e21 in main /gecko/browser/app/nsBrowserApp.cpp:309:18
#25 0x7f3c6bb310b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#26 0x5564352ab399 in _start (/home/worker/builds/m-c-20210310093927-fuzzing-asan-opt/firefox+0x5a399)
|
Reporter | |
Comment 1•3 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/vh_jn6b9D-A1Syuri6eKRA/index.html
|
Assignee | |
Updated•3 years ago
|
Severity: -- → S2
Priority: -- → P2
|
|
Assignee | |
Comment 2•3 years ago
|
||
The RemotePrintJobChild is destroyed even before we even call nsPrintJob::PrintSheet, from this stack (top of stack is last line):
::PContentChild::OnChannelClose () at PContentChild.cpp:16368
::IProtocol::DestroySubtree () at ProtocolUtils.cpp:591
::IProtocol::DestroySubtree () at ProtocolUtils.cpp:591
::IProtocol::DestroySubtree () at ProtocolUtils.cpp:603
::RemotePrintJobChild::ActorDestroy () at RemotePrintJobChild.cpp:163
Looks like nsDeviceContextSpecProxy needs some error handling...
|
|
Assignee | |
Comment 3•3 years ago
|
||
Tyson, can you try this patch and see if that fixes it?
Flags: needinfo?(twsmith)
|
|
Reporter | |
Comment 4•3 years ago
|
||
I verified I am unable to reproduce the issue with the patch applied.
Flags: needinfo?(twsmith)
|
|
Assignee | |
Comment 5•3 years ago
|
||
|
||
Updated•3 years ago
|
Assignee: nobody → mats
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 6•3 years ago
|
||
Tyson, if you have a test that could reasonably be run as a crashtest I'd be happy to land that too.
Pushed by mpalmgren@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a6dad002989d Add some error handling when using RemotePrintJobChild which may be destroyed. r=TYLin
|
||
Comment 8•3 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch
|
||
Updated•3 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•