1752856 - Crash in [@ mozilla::detail::SupportCheckedUnsafePtrImpl<T>::~SupportCheckedUnsafePtrImpl | mozilla::dom::(anonymous namespace)::TopLevelWorkerFinishedRunnable::Run]

Status: RESOLVED FIXED

(Core :: DOM: Workers, defect, P3)

Description

[Calixte Denizet (:calixte)]

Maybe Fission related. (DOMFissionEnabled=1)

Crash report: https://crash-stats.mozilla.org/report/index/496d69cb-2e3c-4715-9544-eb1890220126

MOZ_CRASH Reason: MOZ_CRASH(Found dangling CheckedUnsafePtr)

Top 10 frames of crashing thread:

0 xul.dll mozilla::detail::SupportCheckedUnsafePtrImpl<mozilla::CrashOnDanglingCheckedUnsafePtr, mozilla::CheckingSupport::Enabled>::~SupportCheckedUnsafePtrImpl dom/quota/CheckedUnsafePtr.h:284
1 xul.dll mozilla::dom::`anonymous namespace'::TopLevelWorkerFinishedRunnable::Run dom/workers/WorkerPrivate.cpp:315
2 xul.dll mozilla::ThrottledEventQueue::Inner::Executor::Run xpcom/threads/ThrottledEventQueue.cpp:81
3 xul.dll mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal xpcom/threads/TaskController.cpp:770
4 xul.dll mozilla::TaskController::ProcessPendingMTTask xpcom/threads/TaskController.cpp:390
5 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1195
6 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:107
7 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:324
8 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:306
9 xul.dll nsBaseAppShell::Run widget/nsBaseAppShell.cpp:137

There are 20 crashes (from 15 installations) in nightly 98 starting with buildid 20220125190421. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1744025.

[1] https://hg.mozilla.org/mozilla-central/rev?node=968efcd33efb

Comment 1

[Florian Quèze [:florian]]

Attachment: Apple crash report

I encountered crashes with mozilla::dom::WorkerPrivate::~WorkerPrivate() and mozilla::dom::(anonymous namespace)::TopLevelWorkerFinishedRunnable::Run() in the stack frequently while using the Firefox Profiler on my local build on my M1 Macbook Pro. Just yesterday, I had this crash 7 times. I'm attaching the full Apple crash report.

Steps matching what I did when it happened (not sure if it'll reproduce easily) : capture a profile, and then attempt to explore it on the profiler.firefox.com front-end. It often crashed when I tried to scroll around, or show hidden threads.

I haven't encountered this on my Intel Macbook Pro.

Comment 2

[Florian Quèze [:florian]]

Attachment: Linux stack from gdb

I also see this crash on my Linux debug build, and it crashes frequently enough that it makes working difficult. I replaced locally the MOZ_CRASH with an NS_WARNING.

If we can't find a quick fix for this, could we at least make the error non-fatal?

Comment 3

[Jens Stutte [:jstutte]]

If we keep the other bugs secret, so should we do here, even though it is just "potentially unsafe".

Comment 5

[Pascal Chevrel:pascalc]

Jens, can we get this bug assigned? We still have 2 weeks before the release to get a patch in 98 if we can have a safe one that would either fix of mitigate the crashes. Thanks

Comment 6

[Jens Stutte [:jstutte]]

Just to be clear, this is a diagnostic assert that will go away in late beta. It indicates a potential problem like here in bug 1752120. It might even improve once https://phabricator.services.mozilla.com/D138442 landed, but we cannot know it just from the stack trace here.

Comment 7

[Pascal Chevrel:pascalc]

Good, our last early beta is tomorrow, so I can mark it as disabled for 98, thanks.

Comment 8

[Jens Stutte [:jstutte]]

This is not a release crash. Investigation will continue, of course, but severity is definitely lower than S2 here.

Comment 9

[Gabriele Svelto [:gsvelto]]

Could this Fenix signature be related?

Comment 10

[Gabriele Svelto [:gsvelto]]

FYI it was also reported by Clouseau

Comment 11

[Jens Stutte [:jstutte]]

(In reply to Gabriele Svelto [:gsvelto] from comment #9)

Could this Fenix signature be related?

I think this is a different case. It is related somehow, of course, but I suspect it to have a different root cause.

Comment 12

[Gabriele Svelto [:gsvelto]]

I found another Fenix signature that looks suspicious, could be related.

Comment 13

[Eden Chuang[:edenchuang]]

Attachment: Bug 1752856 - narrow down the crash signature to TopLevelWorkerFinishRunnable::Run. r=#dom-worker-reviewers

Comment 14

[Eden Chuang[:edenchuang]]

Attachment: Bug 1752856 - Null CheckedUnsafePtr<WorkerPrivate> for members of WorkerGlobalScope when releaseing WorkerPrivate. r=#dom-worker-reviewers

Comment 15

[Eden Chuang[:edenchuang]]

Keep this bug open for tracking if new crash reports appear after patch landed.

Comment 16

[BugBot [:suhaib / :marco/ :calixte]]

The bug is linked to a topcrash signature, which matches the following criterion:

• Top 10 content process crashes on beta

:edenchuang, could you consider increasing the severity of this top-crash bug?

For more information, please visit auto_nag documentation.

Comment 18

[BugBot [:suhaib / :marco/ :calixte]]

The severity field for this bug is set to S3. However, the following bug duplicate has higher severity:

• Bug 1766272: S2

:edenchuang, could you consider increasing the severity of this bug to S2?

For more information, please visit auto_nag documentation.

Comment 20

[BugBot [:suhaib / :marco/ :calixte]]

Copying crash signatures from duplicate bugs.

Comment 21

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/5b8986808a06

Comment 23

[Ryan VanderMeulen [:RyanVM]]

Not seeing any Nightly crashes since this landed. Are we good here? :)

Comment 24

[Eden Chuang[:edenchuang]]

I think we can close this bug according to the crash report checking result. Remove leave-open.

Ryan, could you help to close the bug? Or I can just close it directly without modifying on Tracking flags?

Comment 25

[Ryan VanderMeulen [:RyanVM]]

Let's see what happens with some of the early 109 betas just to be sure. Leaving the NI for now to check back.

Comment 26

[Ryan VanderMeulen [:RyanVM]]

No crashes from Beta109 - I think we're good here!