Closed Bug 1736039 Opened 2 months ago Closed 1 month ago

Process crash on startupcache-invalidate notification from WebExtension Experiments

Categories

(Core :: JavaScript Engine, defect, P1)

RESOLVED FIXED
95 Branch
Tracking Status
thunderbird_esr78 --- unaffected
thunderbird_esr91 --- unaffected
firefox-esr78 --- unaffected
firefox-esr91 --- unaffected
firefox93 --- unaffected
firefox94 --- fixed
firefox95 --- fixed

People

(Reporter: arai, Assigned: arai)

References

(Regression)

Details

(Keywords: regression)

Attachments

(2 files)

Attached file test.xpi

(In reply to John Bieling (:TbSync) from bug 1718481 comment #8)

Created attachment 9246118 [details]
test.xpi

The changes introduced in this bug cause Firefox to crash if WebExtension Experiments flush the cache using:

Services.obs.notifyObservers(null, "startupcache-invalidate", null);

This method has been working before and is the only supported and "preferred" way to do it. See instructions given in https://bugzilla.mozilla.org/show_bug.cgi?id=703720#c0

Crash observed on Windows 10.

Steps to reproduce:

  • Set xpinstall.signatures.required to false
  • Set extensions.experiments.enabled to true
  • Restart Firefox (to make sure the changed config is picked up)
  • Install the attached add-on
  • Wait 10 seconds
  • Disable the add-on in Add-ons Manager
  • Wait 10 seconds (until the add-on is moved to the "Disabled" section)
  • Open Hamburger Menu -> Settings/Preferences
  • Observe Firefox crash.
Assignee: nobody → arai.unmht
Severity: -- → S3
Status: NEW → ASSIGNED
Keywords: regression
Priority: -- → P1
Summary: Process crash on startupcache-invalidate notification from WebExtension → Process crash on startupcache-invalidate notification from WebExtension Experiments
Regressed by: 1718194
No longer regressed by: 1718481

The issue is that nsMessageManagerScriptExecutor::sCachedScripts holds stencils that are retrieved from ScriptPreloader::GetChildSingleton().GetCachedStencil(...), which can be stencils backed by an on-memory XDR buffer (not an mmapped XDR buffer),
and the on-memory XDR buffer is cleared on the "startupcache-invalidate" notification.

The solutions are either:

  • (a) Do not cache stencils from ScriptPreloader in nsMessageManagerScriptExecutor::sCachedScripts, but only cache when the stencil is compiled in nsMessageManagerScriptExecutor::TryCacheLoadAndCompileScript
  • (b) Purge nsMessageManagerScriptExecutor::sCachedScripts on "startupcache-invalidate" notification.

I'm leaning toward (a), given caching the same stencil in 2 places doesn't make much sense.
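
The lifetime problem and the two proposed fixes described above, as an added C++ model that is not Gecko code and not part of this bug. `Stencil`, `Preloader`, `Executor` and `Policy` are hypothetical stand-ins, and a `weak_ptr` replaces the borrowed buffer reference so the stale cache entry is detected instead of dereferenced.

```cpp
#include <map>
#include <memory>
#include <string>

// Hypothetical model, not Gecko code: a stencil either owns its source
// data or borrows it from a buffer owned by the preloader.
struct Stencil {
  std::shared_ptr<std::string> owned;   // set when compiled locally
  std::weak_ptr<std::string> borrowed;  // set when decoded from the preloader buffer
  bool Usable() const { return owned || !borrowed.expired(); }
};

struct Preloader {  // stands in for ScriptPreloader
  std::shared_ptr<std::string> buffer = std::make_shared<std::string>("xdr");
  Stencil GetCachedStencil() const { return Stencil{nullptr, buffer}; }
  void Invalidate() { buffer.reset(); }  // models "startupcache-invalidate"
};

enum class Policy { CacheEverything, CacheCompiledOnly, PurgeOnInvalidate };
struct Executor {  // stands in for nsMessageManagerScriptExecutor
  Policy policy;
  std::map<std::string, Stencil> cachedScripts;  // models sCachedScripts
  void Load(const std::string& url, Preloader& p, bool inPreloader) {
    if (cachedScripts.count(url)) return;
    Stencil s = inPreloader ? p.GetCachedStencil()
                            : Stencil{std::make_shared<std::string>("src"), {}};
    // Option (a): keep only stencils compiled here, which own their data.
    if (inPreloader && policy == Policy::CacheCompiledOnly) return;
    cachedScripts[url] = s;
  }
  // Option (b): drop the secondary cache when the preloader is invalidated.
  void OnInvalidate() { if (policy == Policy::PurgeOnInvalidate) cachedScripts.clear(); }
  bool HasStaleEntry() const {
    for (const auto& kv : cachedScripts)
      if (!kv.second.Usable()) return true;
    return false;
  }
};

// Load one preloader-backed and one locally compiled script, invalidate,
// then report whether the secondary cache still holds an unusable stencil.
bool StaleAfterInvalidate(Policy policy) {
  Preloader p;
  Executor e{policy, {}};
  e.Load("a.js", p, /*inPreloader=*/true);
  e.Load("b.js", p, /*inPreloader=*/false);
  p.Invalidate();
  e.OnInvalidate();
  return e.HasStaleEntry();
}
```
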

Use nsMessageManagerScriptExecutor::sCachedScripts only for caching stencils
compiled inside nsMessageManagerScriptExecutor::TryCacheLoadAndCompileScript.

Duplicate of this bug: 1735799
Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/d6f67ce93bf2
Do not cache stencils returned from ScriptPreloader into nsMessageManagerScriptExecutor::sCachedScripts. r=kmag
Status: ASSIGNED → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
Target Milestone: --- → 95 Branch

Comment on attachment 9246266 [details]
Bug 1736039 - Do not cache stencils returned from ScriptPreloader into nsMessageManagerScriptExecutor::sCachedScripts. r?kmag!

Beta/Release Uplift Approval Request

  • User impact if declined: Process crash when using WebExtension Experiments
    Verified the fix in the m-c binary from treeherder
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This removes duplication of cache.
    The cache still works and the content is the same.
  • String changes made/needed:
Attachment #9246266 - Flags: approval-mozilla-beta?

Comment on attachment 9246266 [details]
Bug 1736039 - Do not cache stencils returned from ScriptPreloader into nsMessageManagerScriptExecutor::sCachedScripts. r?kmag!

Approved for 94.0rc1. Thanks for adding a test.

Attachment #9246266 - Flags: approval-mozilla-beta? → approval-mozilla-beta+