Closed Bug 1806395 Opened 2 years ago Closed 2 years ago

Crash in [@ mozilla::dom::WorkerRunnable::Run]

Categories

(Core :: DOM: Workers, defect)

Product:
Core
Component:
DOM: Workers
Platform:
Unspecified
Windows 10
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox108 --- unaffected
firefox109 --- unaffected
firefox110 --- fixed

People

(Reporter: jstutte, Assigned: yulia)

References

(Regression)

Details

(4 keywords, Whiteboard: [post-critsmash-triage][adv-main110-])

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/570e2142-c5cb-4712-9630-00c3e0221218

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  mozilla::dom::WorkerRunnable::Run  dom/workers/WorkerRunnable.cpp:401
1  xul.dll  nsThread::ProcessNextEvent  xpcom/threads/nsThread.cpp:1198
2  xul.dll  NS_ProcessNextEvent  xpcom/threads/nsThreadUtils.cpp:474
3  xul.dll  mozilla::dom::WorkerPrivate::RunCurrentSyncLoop  dom/workers/WorkerPrivate.cpp:4238
4  xul.dll  mozilla::dom::AutoSyncLoopHolder::Run  dom/workers/WorkerPrivate.h:1511
5  xul.dll  mozilla::dom::workerinternals::  dom/workers/ScriptLoader.cpp:249
6  xul.dll  mozilla::dom::workerinternals::LoadMainScript  dom/workers/ScriptLoader.cpp:1658
7  xul.dll  mozilla::dom::  dom/workers/WorkerPrivate.cpp:381
8  xul.dll  mozilla::dom::WorkerRunnable::Run  dom/workers/WorkerRunnable.cpp:377
9  xul.dll  nsThread::ProcessNextEvent  xpcom/threads/nsThread.cpp:1198

Cracking up https://crash-stats.mozilla.org/report/index/570e2142-c5cb-4712-9630-00c3e0221218 shows me that apparently we try to run an already freed WorkerRunnable while doing a sync loop and fail on reading its mWorkerPrivate member, which sounds weird.

See Also: → 1806064

Extracted the signature from bug 1806064. For now this is mitigated by backout as of bug 1247687 comment 77.

Group: dom-core-security
Regressed by: 1247687

:yulia, since you are the author of the regressor, bug 1247687, could you take a look? Also, could you set the severity field?

For more information, please visit auto_nag documentation.

Flags: needinfo?(ystartsev)
Keywords: regression
Severity: -- → S2
Flags: needinfo?(ystartsev)

It's unclear if this will be also solved by bug 1806390 but this was originally related to those crash signatures. It looks like it has the same cause (issue with refcount, looks like we crash and don't have the full signature in this case) I will do a pass over to see if i can retrigger the NT failures with PDF.js viewer with the new patch stack.

Severity: S2 → --
Severity: -- → S2
Group: core-security

Fixed by backout.

Assignee: nobody → ystartsev
Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox108: --- → unaffected
status-firefox109: --- → unaffected
status-firefox110: --- → fixed
status-firefox-esr102: --- → unaffected
Resolution: --- → FIXED

I confirmed that this crash signature isn't showing up any more.

Group: dom-core-security → core-security-release

I will try to reland the changes now that emilios changes are in. I'll monitor the crashes over the next few days.

Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main110-]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.