null cx Crash [@ JS_BeginRequest ] with dom workers

RESOLVED FIXED in Firefox 10

Status

()

Core
DOM
--
critical
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: bc, Assigned: Ben Turner (not reading bugmail, use the needinfo flag!))

Tracking

(Blocks: 1 bug, {crash, regression, reproducible})

Trunk
mozilla11
x86
All
crash, regression, reproducible
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox8 affected, firefox9+ affected, firefox10+ verified)

Details

(Whiteboard: [qa+][qa!:10], crash signature, URL)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
1. https://crypto.cat/?c=test
2. Shutdown
3. Crash Aurora/8, Nightly/9 - Windows, Mac, Linux - Debug at least. Beta does not crash.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x000000fc
0x06d01633 in JS_BeginRequest (cx=0x0) at /work/mozilla/builds/nightly/mozilla/js/src/jsapi.cpp:899
899	    cx->outstandingRequests++;
(gdb) bt
#0  0x06d01633 in JS_BeginRequest (cx=0x0) at /work/mozilla/builds/nightly/mozilla/js/src/jsapi.cpp:899
#1  0x066e3050 in JSAutoRequest::JSAutoRequest (this=0xbfffcffc, cx=0x0, _notifier=@0xbfffd008) at jsapi.h:794
#2  0x05bb6dbe in mozilla::dom::workers::RuntimeService::ResumeWorkersForWindow (this=0x27f1e5a0, aCx=0x0, aWindow=0x24d047f0) at /work/mozilla/builds/nightly/mozilla/dom/workers/RuntimeService.cpp:1064
#3  0x05bb6ea0 in mozilla::dom::workers::ResumeWorkersForWindow (aCx=0x0, aWindow=0x24d047f0) at /work/mozilla/builds/nightly/mozilla/dom/workers/RuntimeService.cpp:460
Almost certainly a regression from the workers rewrite.
Blocks: 649537
Keywords: regressionwindow-wanted
Blocks: 687221
Full stack:

mozjs.dll!JS_BeginRequest(JSContext * cx)
xul.dll!JSAutoRequest::JSAutoRequest(JSContext * cx)
xul.dll!mozilla::dom::workers::RuntimeService::ResumeWorkersForWindow(JSContext * aCx, nsPIDOMWindow * aWindow)
xul.dll!mozilla::dom::workers::ResumeWorkersForWindow(JSContext * aCx, nsPIDOMWindow * aWindow)
xul.dll!nsGlobalWindow::ResumeTimeouts(int aThawChildren)
xul.dll!nsResumeTimeoutsEvent::Run()
xul.dll!nsThread::ProcessNextEvent(int mayWait, int * result)
...
xul.dll!XRE_main(int argc, char * * argv, const nsXREAppData * aAppData)

This one is simple, just need to make sure ResumeWorkersForWindow can handle a null context. It's not really needed, but if we have one we need a request.
I hafve someone here who encountered this after upgrading to 8.0. Crash report: https://crash-stats.mozilla.com/report/index/bp-0eef12a6-2e84-49c5-949f-8a1102111119
In regards to comment #3, the user is reliably able to reproduce this on http://www.cuetools.net/wiki/Main_Page. When he opens a link in a new window, he gets this crash. Latest report:
https://crash-stats.mozilla.com/report/index/bp-f23cf359-d6cf-4dc3-af1a-5d2ab2111122
The same person reports this crash still being present in Aurora for him. Latest report: https://crash-stats.mozilla.com/report/index/bp-ab204c45-08b7-4cb4-a2e0-864822111205.
Requesting tracking to get this one on the radar.
status-firefox10: --- → affected
tracking-firefox10: --- → ?
tracking-firefox9: --- → ?

Comment 6

6 years ago
#192 in 8.0.1, and #45 in 9.0b4. Tracking for FF9/10.
tracking-firefox10: ? → +
tracking-firefox9: ? → +

Updated

5 years ago
Whiteboard: [qa+]
Created attachment 579934 [details] [diff] [review]
Patch. v1

Simple.
Assignee: nobody → bent.mozilla
Status: NEW → ASSIGNED
Attachment #579934 - Flags: review?(jonas)
Attachment #579934 - Flags: review?(jonas) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/21aac86d6658

Comment 9

5 years ago
https://hg.mozilla.org/mozilla-central/rev/21aac86d6658
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla11
Ben, would it make sense to request that this be allowed to land on Aurora and possibly even Beta since it fixes a crash?
Comment on attachment 579934 [details] [diff] [review]
Patch. v1

This patch is very simple (low risk) and fixes a reproducible crash currently being tracked for FF 9 and FF 10 (high reward).
Attachment #579934 - Flags: approval-mozilla-beta?
Attachment #579934 - Flags: approval-mozilla-aurora?
Comment on attachment 579934 [details] [diff] [review]
Patch. v1

[Triage Comment]
Minusing for beta because of how late we are in the cycle, but let's land this on aurora.
Attachment #579934 - Flags: approval-mozilla-beta?
Attachment #579934 - Flags: approval-mozilla-beta-
Attachment #579934 - Flags: approval-mozilla-aurora?
Attachment #579934 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/20ba8e63ed68
status-firefox10: affected → fixed
I see no crashes on Firefox 10b1:
Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20100101 Firefox/10.0
Mozilla/5.0 (X11; Linux i686; rv:10.0) Gecko/20100101 Firefox/10.0
Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0) Gecko/20100101 Firefox/10.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0) Gecko/20100101 Firefox/10.0
ftp://ftp.mozilla.org/pub/firefox/nightly/2011/12/2011-12-28-mozilla-beta-debug/firefox-10.0.en-US.debug-mac.dmg
ftp://ftp.mozilla.org/pub/firefox/nightly/2011/12/2011-12-28-mozilla-beta-debug/firefox-10.0.en-US.debug-linux-i686.tar.bz2
This is verified fixed on 10b1.
Whiteboard: [qa+] → [qa+][qa!:10]
(In reply to Paul Silaghi [QA] from comment #14)
> This is verified fixed on 10b1.

Don't forget to also set the status-firefox10 flag to verified.
status-firefox10: fixed → verified
Duplicate of this bug: 721191
You need to log in before you can comment on or make changes to this bug.