Closed
Bug 1744561
Opened 2 years ago
Closed 2 years ago
crash near null in [@ mozilla::dom::EventSourceImpl::CreateWorkerRef]
Categories
(Core :: DOM: Events, defect)
Core
DOM: Events
Tracking
()
RESOLVED
FIXED
97 Branch
People
(Reporter: tsmith, Assigned: smaug)
References
(Blocks 1 open bug)
Details
(Keywords: crash)
Crash Data
Attachments
(1 file)
A reliable test case is not available. However a Pernosco session is available: https://pernos.co/debug/r0hidC5qEwSEapG4aBLQUA/index.html
This crash is seen on a regular basis by the fuzzers, so it will be easy to verify once it is fixed.
==20991==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000160 (pc 0x7f350ba5bfbf bp 0x7f34f690c510 sp 0x7f34f690c3e0 T21)
==20991==The signal is caused by a READ memory access.
==20991==Hint: address points to the zero page.
#0 0x7f350ba5bfbf in load /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/atomic_base.h:396:9
#1 0x7f350ba5bfbf in load /builds/worker/workspace/obj-build/dist/include/mozilla/Atomics.h:195:17
#2 0x7f350ba5bfbf in operator bool /builds/worker/workspace/obj-build/dist/include/mozilla/Atomics.h:496:12
#3 0x7f350ba5bfbf in mozilla::dom::EventSourceImpl::CreateWorkerRef(mozilla::dom::WorkerPrivate*) /gecko/dom/base/EventSource.cpp:1867:7
#4 0x7f350ba5cfee in mozilla::dom::EventSource::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::EventSourceInit const&, mozilla::ErrorResult&) /gecko/dom/base/EventSource.cpp:2041:32
#5 0x7f350d3d673c in mozilla::dom::EventSource_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/EventSourceBinding.cpp:712:57
#6 0x7f351504fd85 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:388:13
#7 0x7f351504fd85 in CallJSNativeConstructor /gecko/js/src/vm/Interpreter.cpp:404:8
#8 0x7f351504fd85 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /gecko/js/src/vm/Interpreter.cpp:599:10
#9 0x7f35150393cf in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3233:16
#10 0x7f351501e221 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:357:13
#11 0x7f351504d08f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:507:13
#12 0x7f351504f1db in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:552:8
#13 0x7f35152c85fd in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:117:10
#14 0x7f350d38d18f in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:283:37
#15 0x7f350dfc2593 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
#16 0x7f350dfc0ac4 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /gecko/dom/events/JSEventHandler.cpp:201:12
#17 0x7f350df87d08 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /gecko/dom/events/EventListenerManager.cpp:1309:22
#18 0x7f350df89368 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /gecko/dom/events/EventListenerManager.cpp:1500:17
#19 0x7f350df7763e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:348:17
#20 0x7f350df75e4d in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:550:16
#21 0x7f350df7a0c5 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /gecko/dom/events/EventDispatcher.cpp:1085:11
#22 0x7f350df7f5d9 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /gecko/dom/events/EventDispatcher.cpp
#23 0x7f350df3122d in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /gecko/dom/events/DOMEventTargetHelper.cpp:181:17
#24 0x7f350df96e93 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /gecko/dom/events/EventTarget.cpp:180:13
#25 0x7f350fb0a706 in mozilla::dom::MessageEventRunnable::DispatchDOMEvent(JSContext*, mozilla::dom::WorkerPrivate*, mozilla::DOMEventTargetHelper*, bool) /gecko/dom/workers/MessageEventRunnable.cpp:106:12
#26 0x7f350fb80c5a in mozilla::dom::WorkerRunnable::Run() /gecko/dom/workers/WorkerRunnable.cpp:378:12
#27 0x7f35082629cb in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1177:16
#28 0x7f350826d68c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:467:10
#29 0x7f350fb68ef0 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /gecko/dom/workers/WorkerPrivate.cpp:3103:7
#30 0x7f350fb3029d in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /gecko/dom/workers/RuntimeService.cpp:2220:42
#31 0x7f35082629cb in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1177:16
#32 0x7f350826d68c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:467:10
#33 0x7f350976dff1 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:330:5
#34 0x7f35095ebd31 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
#35 0x7f35095ebd31 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
#36 0x7f35095ebd31 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
#37 0x7f350825aecf in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:391:10
#38 0x7f352525c09e in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#39 0x7f352737e608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
#40 0x7f3526f46292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
Reporter | |
Updated•2 years ago
|
Crash Signature: [@ mozilla::dom::EventSourceImpl::CreateWorkerRef]
|
||
Comment 1•2 years ago
|
||
EventSourceImpl::CreateWorkerRef was touched by bug 1445740, baku, could you take a look?
Flags: needinfo?(amarchesini)
|
Assignee | |
Comment 2•2 years ago
|
||
I think this can happen if we close a worker right when we're creating an EventSource object. Waiting for pernosco to load here.
|
|
Assignee | |
Updated•2 years ago
|
Flags: needinfo?(amarchesini)
|
|
Assignee | |
Comment 3•2 years ago
|
||
|
||
Updated•2 years ago
|
Assignee: nobody → bugs
Status: NEW → ASSIGNED
Pushed by opettay@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8145609705b9 check that mESImpl is still non-null after dispatching a WorkerMainThreadRunnable (InitRunnable), r=jstutte
|
||
Comment 5•2 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 97 Branch
|
||
Updated•2 years ago
|
status-firefox95:
--- → wontfix
status-firefox-esr91:
--- → wontfix
You need to log in
before you can comment on or make changes to this bug.
Description
•