Closed Bug 1822937 Opened 1 year ago Closed 1 year ago

Crash in [@ nsIGlobalObject::IsDying]

Categories: Core :: DOM: Workers, defect, P2
Platform: Unspecified, Windows 11
Status: RESOLVED FIXED, 113 Branch
Tracking Status:
firefox-esr102 --- unaffected
firefox111 --- unaffected
firefox112 --- unaffected
firefox113 --- fixed
People: Reporter: mccr8, Assigned: yulia
References: Regression
Keywords: crash, regression
Attachments: 2 files

Crash report: https://crash-stats.mozilla.org/report/index/39871796-cce6-4db5-b599-ebd240230316

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  nsIGlobalObject::IsDying const  dom/base/nsIGlobalObject.h:110
0  xul.dll  mozilla::dom::workerinternals::loader::WorkerModuleLoader::IsModuleEvaluationAborted  dom/workers/loader/WorkerModuleLoader.cpp:194
1  xul.dll  JS::loader::ModuleLoaderBase::EvaluateModuleInContext  js/loader/ModuleLoaderBase.cpp:1230
2  xul.dll  JS::loader::ModuleLoaderBase::EvaluateModule  js/loader/ModuleLoaderBase.cpp:1166
3  xul.dll  JS::loader::ModuleLoadRequest::EvaluateModule  js/loader/ModuleLoadRequest.h:113
3  xul.dll  mozilla::dom::workerinternals::loader::WorkerScriptLoader::EvaluateScript  dom/workers/ScriptLoader.cpp:1115
3  xul.dll  mozilla::dom::workerinternals::loader::WorkerScriptLoader::ProcessPendingRequests  dom/workers/ScriptLoader.cpp:839
4  xul.dll  mozilla::dom::workerinternals::loader::WorkerModuleLoader::OnModuleLoadComplete  dom/workers/loader/WorkerModuleLoader.cpp:186
5  xul.dll  JS::loader::ModuleLoadRequest::LoadFinished  js/loader/ModuleLoadRequest.cpp:213
6  xul.dll  JS::loader::ModuleLoadRequest::DependenciesLoaded  js/loader/ModuleLoadRequest.cpp:179

This looks like a null deref on this line in WorkerModuleLoader::IsModuleEvaluationAborted:

return workerPrivate->GlobalScope()->IsDying();

So I guess GlobalScope() is null?

Only one installation, but the URL in the crash report is https://rhashimoto.github.io/browser-test-cases/worker-modules/ so maybe this is hitting some issue that is not being hit much in regular web code.

Set release status flags based on info from the regressing bug 1540913

:yulia, since you are the author of the regressor, bug 1540913, could you take a look? Also, could you set the severity field?

For more information, please visit auto_nag documentation.

This looks like an issue with worker termination & module loading -- probably the worker private is already gone when we get to this point, so we just need a check here. Thanks for the test case, I'll see if I can extract it as a crash test.

FWIW, it seems we arrive after the call to WorkerPrivate::GlobalScope and get a nullptr there on mScope:

      WorkerPrivate* workerPrivate = GetCurrentThreadWorkerPrivate();
    00007FFB80D17A74  call        mozilla::dom::GetCurrentThreadWorkerPrivate (07FFB7D238F70h)  
      return workerPrivate->GlobalScope()->IsDying();
    00007FFB80D17A79  mov         rcx,rax  
    00007FFB80D17A7C  call        mozilla::dom::WorkerPrivate::GlobalScope (07FFB7DCC7100h)  
RAX = 0000000000000000
>>> 00007FFB80D17A81  mov         al,byte ptr [rax+0B0h]  (inlined IsDying)
    00007FFB80D17A87  add         rsp,28h  
    00007FFB80D17A8B  ret  

But also GetCurrentThreadWorkerPrivate can return nullptr, so we might better want to have two checks (or at least an assert for the workerPrivate - I see both variants in other places) ?

Assignee: nobody → ystartsev
Flags: needinfo?(ystartsev)
Severity: -- → S3
Priority: -- → P2
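The null path traced in the two comments above, as an added example rather than Mozilla's code: a stand-alone C++ model with stand-in types named after the report (WorkerGlobalScope, WorkerPrivate, GetCurrentThreadWorkerPrivate), showing the unchecked expression that crashed beside a checked version. The checked version's behaviour, treating a missing worker or scope as "aborted", is assumed from the fix's commit message, not copied from the patch.

```cpp
// Added example, not Mozilla's code: a stand-alone model of the null-pointer
// path in WorkerModuleLoader::IsModuleEvaluationAborted; the types are stand-ins.

// Stand-in for the worker global (nsIGlobalObject): only the dying flag matters.
struct WorkerGlobalScope {
  bool mIsDying = false;
  bool IsDying() const { return mIsDying; }
};

// Stand-in for WorkerPrivate; mScope is nullptr once the scope is torn down.
struct WorkerPrivate {
  WorkerGlobalScope* mScope = nullptr;
  WorkerGlobalScope* GlobalScope() const { return mScope; }
};

// Stand-in for the thread-local lookup; nullptr once the worker thread is gone.
static WorkerPrivate* gCurrentThreadWorkerPrivate = nullptr;
static WorkerPrivate* GetCurrentThreadWorkerPrivate() {
  return gCurrentThreadWorkerPrivate;
}

// The shape that crashed: neither pointer is checked, so a worker already shutting
// down reads through nullptr (RAX = 0 in the disassembly). Never called here.
bool IsModuleEvaluationAborted_Unchecked() {
  WorkerPrivate* workerPrivate = GetCurrentThreadWorkerPrivate();
  return workerPrivate->GlobalScope()->IsDying();
}

// Hardened shape (assumed from the fix's commit message, not the patch itself):
// a worker or scope that has already been cleaned up counts as aborted.
bool IsModuleEvaluationAborted_Checked() {
  WorkerPrivate* workerPrivate = GetCurrentThreadWorkerPrivate();
  if (!workerPrivate || !workerPrivate->GlobalScope()) {
    return true;
  }
  return workerPrivate->GlobalScope()->IsDying();
}

// Drive the checked version through the states the report discusses: a live
// scope (dying or not), a worker whose scope is already gone, and no worker.
bool CheckedResult(bool haveWorker, bool haveScope, bool dying) {
  WorkerGlobalScope scope;
  scope.mIsDying = dying;
  WorkerPrivate wp;
  wp.mScope = haveScope ? &scope : nullptr;
  gCurrentThreadWorkerPrivate = haveWorker ? &wp : nullptr;
  bool aborted = IsModuleEvaluationAborted_Checked();
  gCurrentThreadWorkerPrivate = nullptr;  // do not leave a dangling pointer behind
  return aborted;
}
```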

I think this can be reproduced by using the debugger with the test case, and may be related to: https://bugzilla.mozilla.org/show_bug.cgi?id=1816933 -- I confirmed that the above fixes it, but doesn't address the underlying devtools problem (which alex has found a solution for).

Attachment #9324230 - Attachment description: WIP: Bug 1822937 - Ensure IsModuleEvaluationAborted returns correctly in the case that the workerPrivate or globalScope have already been cleaned up → Bug 1822937 - Ensure IsModuleEvaluationAborted returns correctly in the case that the workerPrivate or globalScope have already been cleaned up; r=jonco

The test times out when it is unsuccessful.

Depends on D173177

Pushed by ystartsev@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a388243b829e
Ensure IsModuleEvaluationAborted returns correctly in the case that the workerPrivate or globalScope have already been cleaned up; r=jonco
https://hg.mozilla.org/integration/autoland/rev/98e944c6f288
Add devtools test to ensure we are no longer crashing; r=ochameau,devtools-reviewers
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 113 Branch