Closed Bug 1801884 Opened 3 years ago Closed 1 year ago

Crash in [@ RefPtr<T>::get | RefPtr<T>::operator nsIGlobalObject* | mozilla::dom::Promise::MaybeSomething<T>]

Tracking

()

Status:

RESOLVED DUPLICATE of bug 1802315

People

(Reporter: sefeng211, Unassigned)

Details

(Keywords: crash, Whiteboard: dom-lws-bugdash-triage)

Crash Data

Sean Feng [:sefeng211]

Reporter

Description

•

3 years ago

Crash report: https://crash-stats.mozilla.org/report/index/42478a86-15e7-4086-96be-c214a0221118

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  RefPtr<nsIGlobalObject>::get const  mfbt/RefPtr.h:286
0  xul.dll  RefPtr<nsIGlobalObject>::operator nsIGlobalObject* const  mfbt/RefPtr.h:299
0  xul.dll  mozilla::dom::Promise::MaybeSomething<nsresult&>  dom/promise/Promise.h:407
1  xul.dll  mozilla::dom::Promise::MaybeReject  dom/promise/Promise.h:101
1  xul.dll  mozilla::dom::workerinternals::loader::WorkerScriptLoader::CancelMainThread  dom/workers/ScriptLoader.cpp:729
2  xul.dll  mozilla::detail::RunnableMethodArguments<std::function<void   xpcom/threads/nsThreadUtils.h:1162
2  xul.dll  mozilla::detail::RunnableMethodArguments<std::function<void   xpcom/threads/nsThreadUtils.h:1168
2  xul.dll  mozilla::detail::RunnableMethodImpl<mozilla::MemoryTelemetry*, nsresult   xpcom/threads/nsThreadUtils.h:1215
3  xul.dll  mozilla::RunnableTask::Run  xpcom/threads/TaskController.cpp:538
3  xul.dll  mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal  xpcom/threads/TaskController.cpp:851

Looks like we are reading some invalid memory, looks legit to me.

Jens Stutte [:jstutte]

Comment 1

•

3 years ago

Yulia, that seems to be recent?

Flags: needinfo?(ystartsev)

Yulia Startsev [:yulia] OOO until July 2026

Comment 2

•

3 years ago

•

Edited

This is recent, but using the old code. This is already fixed on nightly.

Flags: needinfo?(ystartsev)

Jens Stutte [:jstutte]

Comment 3

•

3 years ago

Hmm, there seemed to be some on nightly, but https://crash-stats.mozilla.org/report/index/73df9b86-a9a6-4177-80f8-4c69c0221120 actually seems to be something different?

:aryx, can we prefix the mozilla::dom::Promise::* frames in order to distinguish these better?

Flags: needinfo?(aryx.bugmail)

Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)

Comment 4

•

3 years ago

(In reply to Jens Stutte [:jstutte] from comment #3)

:aryx, can we prefix the mozilla::dom::Promise::* frames in order to distinguish these better?

Patch up in bug 1802315.

Flags: needinfo?(aryx.bugmail)

Sean Feng [:sefeng211]

Reporter

Updated

•

3 years ago

Crash Signature: [@ RefPtr<T>::get | RefPtr<T>::operator nsIGlobalObject* | mozilla::dom::Promise::MaybeSomething<T>] → [@ RefPtr<T>::get | RefPtr<T>::operator nsIGlobalObject* | mozilla::dom::Promise::MaybeSomething<T>] [@ RefPtr<T>::get | RefPtr<T>::operator nsIGlobalObject* const | mozilla::dom::Promise::MaybeSomething<T> ]

Joshua Marshall

Updated

•

3 years ago

Severity: -- → S3

Gabriele Svelto [:gsvelto]

Comment 5

•

3 years ago

The crash signature for comment 0 changed, here's the new ones. The length of these signatures is becoming unwieldy, I'll start trimming them by having Socorro ignore common frames (such as RefPtr) going forward.

Crash Signature: [@ RefPtr<T>::get | RefPtr<T>::operator nsIGlobalObject* | mozilla::dom::Promise::MaybeSomething<T>] [@ RefPtr<T>::get | RefPtr<T>::operator nsIGlobalObject* const | mozilla::dom::Promise::MaybeSomething<T> ] → [@ RefPtr<T>::get | RefPtr<T>::operator nsIGlobalObject* | mozilla::dom::Promise::MaybeSomething<T>] [@ RefPtr<T>::get | RefPtr<T>::operator nsIGlobalObject* const | mozilla::dom::Promise::MaybeSomething<T> ] [@ RefPtr<T>::get | RefPtr<T>::operator nsIG…

Jens Stutte [:jstutte]

Comment 6

•

3 years ago

(In reply to Yulia Startsev [:yulia] from comment #2)

This is recent, but using the old code. This is already fixed on nightly.

The incoming crashes for now seem to second this. I'd expect to see it go away also for beta 109, so let's just wait for confirmation.

Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)

Updated

•

2 years ago

Crash Signature: [@ RefPtr<T>::get | RefPtr<T>::operator nsIGlobalObject* | mozilla::dom::Promise::MaybeSomething<T>] [@ RefPtr<T>::get | RefPtr<T>::operator nsIGlobalObject* const | mozilla::dom::Promise::MaybeSomething<T> ] [@ RefPtr<T>::get | RefPtr<T>::operator nsIG… → [@ mozilla::dom::Promise::MaybeSomething<T> | mozilla::dom::Promise::MaybeReject | mozilla::dom::workerinternals::loader::WorkerScriptLoader::CancelMainThread] [@ RefPtr<T>::get | RefPtr<T>::operator nsIGlobalObject* | mozilla::dom::Promise::MaybeSomethi…

Jens Stutte [:jstutte]

Comment 7

•

1 year ago

The remaining crashes are from old versions only.

Status: NEW → RESOLVED

Closed: 1 year ago

Duplicate of bug: 1802315

Resolution: --- → DUPLICATE

Jens Stutte [:jstutte]

Updated

•

1 year ago

Whiteboard: dom-lws-bugdash-triage

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Crash in [@ RefPtr<T>::get | RefPtr<T>::operator nsIGlobalObject* | mozilla::dom::Promise::MaybeSomething<T>]

Categories

(Core :: DOM: Workers, defect)

Tracking

()

People

(Reporter: sefeng211, Unassigned)

References

Details

(Keywords: crash, Whiteboard: dom-lws-bugdash-triage)

Crash Data

Security

(public)

User Story

Description

Comment 1

Comment 2

Comment 3

Comment 4

Updated

Updated

Comment 5

Comment 6

Updated

Comment 7

Updated