Closed Bug 1765194 Opened 3 years ago Closed 3 years ago

Crash in [@ mozilla::dom::TransformerTransformCallback::Call]

Categories

(Core :: DOM: Streams, defect)

Unspecified
Windows 10
defect

RESOLVED INCOMPLETE

People

(Reporter: mccr8, Unassigned)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/1ac0fcf9-1e8a-4871-bf4c-6e4f50220414

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0 xul.dll mozilla::dom::TransformerTransformCallback::Call dom/bindings/TransformerBinding.cpp:375
1 xul.dll mozilla::dom::TransformerTransformCallback::Call<JS::Rooted<JSObject*> > dist/include/mozilla/dom/TransformerBinding.h:308
2 xul.dll mozilla::dom::TransformerAlgorithms::TransformCallback dom/streams/TransformerCallbackHelpers.cpp:59
3 xul.dll mozilla::dom::TransformStreamDefaultControllerPerformTransform dom/streams/TransformStream.cpp:105
4 xul.dll mozilla::dom::`anonymous namespace'::NativeThenHandler<`lambda at /builds/worker/checkouts/gecko/dom/streams/TransformStream.cpp:192:11', `lambda at /builds/worker/checkouts/gecko/dom/streams/TransformStream.cpp:192:11', std::tuple<RefPtr<mozilla::dom::TransformStream>, RefPtr<mozilla::dom::TransformStreamDefaultController> >, std::tuple<JS::Handle<JS::Value> > >::CallCallback<`lambda at /builds/worker/checkouts/gecko/dom/streams/TransformStream.cpp:192:11'> dom/promise/Promise-inl.h:216
5 xul.dll mozilla::dom::`anonymous namespace'::NativeThenHandler<`lambda at /builds/worker/checkouts/gecko/dom/streams/TransformStream.cpp:192:11', `lambda at /builds/worker/checkouts/gecko/dom/streams/TransformStream.cpp:192:11', std::tuple<RefPtr<mozilla::dom::TransformStream>, RefPtr<mozilla::dom::TransformStreamDefaultController> >, std::tuple<JS::Handle<JS::Value> > >::CallResolveCallback dom/promise/Promise-inl.h:185
6 xul.dll mozilla::dom::PromiseNativeThenHandlerBase::ResolvedCallback dom/promise/Promise.cpp:256
7 xul.dll mozilla::dom::`anonymous namespace'::PromiseNativeHandlerShim::ResolvedCallback dom/promise/Promise.cpp:412
8 xul.dll mozilla::dom::NativeHandlerCallback dom/promise/Promise.cpp:362
9 xul.dll js::Call js/src/vm/Interpreter.cpp:584

Not a high volume crash, but I figured I'd file it since streams is changing a lot and probably isn't heavily used. Looks like a crash inside the DOM bindings.

Hey Kagami,

Three crashes, all same signature, best guess says potentially same machine. Anything jump out?

Flags: needinfo?(krosylight)

Not sure, at least that's not my machine. Not sure how it can fail there... It's a holiday here, I'm not looking at it right now.

Not sure how to reproduce this. The failing line: https://searchfox.org/mozilla-central/source/__GENERATED__/dom/bindings/TransformerBinding.cpp#375

  do {
    JS::ExposeValueToActiveJS(chunk);
    argv[0].set(chunk);
    if (!MaybeWrapValue(cx, argv[0])) { // <- failing line
      // Convert exception to a rejected promise.
      // See https://heycam.github.io/webidl/#call-a-user-objects-operation
      // step 10 and step 15.5.
      return CreateRejectedPromiseFromThrownException(cx, aRv);
    }
    break;
  } while (false);

That looks very SpiderMonkey, any idea how that can fail? Line 374 was okay so I guess argv[0] wasn't a nullptr.

Flags: needinfo?(krosylight) → needinfo?(mgaudet)

The only thing that I can imagine is that the JS::Value wasn't properly traced, and so we're crashing doing something with that pointer. Tracing backwards, this is one of the new ThenWithCycleCollectedArgs call sites... maybe that code didn't work like we thought it would?

Having said that: I'd actually like to just sit on this crash for a week or two, to see if we ever see it again.

Flags: needinfo?(mgaudet)
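
The failure class hypothesized in the comment above (a GC value captured by a native then-handler but not reported to the tracer), as an added example that is not part of the original bug thread and is not Gecko or SpiderMonkey code. `ToyHeap`, `ToyThenHandler` and `callback_sees_live_value` are hypothetical names, and a swept cell is flagged rather than freed so the stale read is observable instead of undefined behaviour.

```cpp
// Toy mark-and-sweep heap (constructed for illustration; not Gecko or SpiderMonkey code).
#include <cstddef>
#include <functional>
#include <vector>

struct Cell { int payload; bool marked; bool live; };

struct ToyHeap {
    std::vector<Cell> cells;
    // Each tracer reports the cell indices its owner still holds.
    std::vector<std::function<void(std::vector<std::size_t>&)>> tracers;

    std::size_t alloc(int payload) {
        cells.push_back({payload, false, true});
        return cells.size() - 1;
    }
    void collect() {
        std::vector<std::size_t> roots;
        for (auto& trace : tracers) trace(roots);             // gather roots
        for (auto& c : cells) c.marked = false;
        for (std::size_t i : roots) cells[i].marked = true;   // mark
        for (auto& c : cells) if (!c.marked) c.live = false;  // sweep
    }
};

// Hypothetical stand-in for a native then-handler that captures a GC value
// and uses it when the promise reaction runs later.
struct ToyThenHandler {
    std::size_t chunk;  // index of the captured GC cell
    // Returns true if the captured value is still valid when the callback runs.
    bool run(const ToyHeap& heap) const { return heap.cells[chunk].live; }
};

// Allocates a chunk, stores it in a handler, runs a GC before the callback
// fires, then reports whether the callback saw a live value.
bool callback_sees_live_value(bool handler_is_traced) {
    ToyHeap heap;
    ToyThenHandler handler{heap.alloc(42)};
    if (handler_is_traced) {
        heap.tracers.push_back([&handler](std::vector<std::size_t>& out) {
            out.push_back(handler.chunk);
        });
    }
    heap.collect();            // GC between scheduling and running the callback
    return handler.run(heap);  // false models the dangling-pointer read
}
```

In a real engine the swept cell's memory is released or reused, so the equivalent stale read would surface as an access violation like the one in the crash report rather than as a flag.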

Going to resolve this as incomplete; we've never seen these crashes again.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE