1801884 - Crash in [@ RefPtr<T>::get | RefPtr<T>::operator nsIGlobalObject* | mozilla::dom::Promise::MaybeSomething<T>]

Status: NEW

(Core :: DOM: Workers, defect)

Description

[Sean Feng [:sefeng]]

Crash report: https://crash-stats.mozilla.org/report/index/42478a86-15e7-4086-96be-c214a0221118

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  RefPtr<nsIGlobalObject>::get const  mfbt/RefPtr.h:286
0  xul.dll  RefPtr<nsIGlobalObject>::operator nsIGlobalObject* const  mfbt/RefPtr.h:299
0  xul.dll  mozilla::dom::Promise::MaybeSomething<nsresult&>  dom/promise/Promise.h:407
1  xul.dll  mozilla::dom::Promise::MaybeReject  dom/promise/Promise.h:101
1  xul.dll  mozilla::dom::workerinternals::loader::WorkerScriptLoader::CancelMainThread  dom/workers/ScriptLoader.cpp:729
2  xul.dll  mozilla::detail::RunnableMethodArguments<std::function<void   xpcom/threads/nsThreadUtils.h:1162
2  xul.dll  mozilla::detail::RunnableMethodArguments<std::function<void   xpcom/threads/nsThreadUtils.h:1168
2  xul.dll  mozilla::detail::RunnableMethodImpl<mozilla::MemoryTelemetry*, nsresult   xpcom/threads/nsThreadUtils.h:1215
3  xul.dll  mozilla::RunnableTask::Run  xpcom/threads/TaskController.cpp:538
3  xul.dll  mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal  xpcom/threads/TaskController.cpp:851

Looks like we are reading some invalid memory, looks legit to me.

Comment 1

[Jens Stutte [:jstutte]]

Yulia, that seems to be recent?

Comment 2

[Yulia Startsev [:yulia]]

This is recent, but using the old code. This is already fixed on nightly.

Comment 3

[Jens Stutte [:jstutte]]

Hmm, there seemed to be some on nightly, but https://crash-stats.mozilla.org/report/index/73df9b86-a9a6-4177-80f8-4c69c0221120 actually seems to be something different?

:aryx, can we prefix the mozilla::dom::Promise::* frames in order to distinguish these better?

Comment 4

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

(In reply to Jens Stutte [:jstutte] from comment #3)

:aryx, can we prefix the mozilla::dom::Promise::* frames in order to distinguish these better?

Patch up in bug 1802315.

Comment 5

[Gabriele Svelto [:gsvelto] (PTO)]

The crash signature for comment 0 changed, here's the new ones. The length of these signatures is becoming unwieldy, I'll start trimming them by having Socorro ignore common frames (such as RefPtr) going forward.

Comment 6

[Jens Stutte [:jstutte]]

(In reply to Yulia Startsev [:yulia] from comment #2)

This is recent, but using the old code. This is already fixed on nightly.

The incoming crashes for now seem to second this. I'd expect to see it go away also for beta 109, so let's just wait for confirmation.