
100% reproducible crash nsXPConnect::GetXPConnect after a few seconds

Status: RESOLVED INVALID
Product: Core
Component: XPConnect
Priority: --
Severity: blocker
Reported: 5 years ago
Modified: 5 years ago

People: (Reporter: mats, Unassigned)

Tracking:
Version: Trunk
Platform: x86_64 Linux
Points: ---

Firefox Tracking Flags

(firefox20 unaffected, firefox21 unaffected, firefox22 affected, firefox-esr17 unaffected, b2g18 unaffected)

Description (Reporter, 5 years ago)
Local mozilla-inbound debug build (rev 68621375dec1) on Linux64.

STEPS TO REPRODUCE
1. start Firefox with a fresh profile
2. wait a few seconds

ACTUAL RESULTS
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe4e4c700 (LWP 18284)]
nsXPConnect::GetXPConnect () at js/xpconnect/src/nsXPConnect.cpp:139
139             MOZ_CRASH();
(gdb) bt
#0  nsXPConnect::GetXPConnect () at js/xpconnect/src/nsXPConnect.cpp:139
#1  0x00007ffff2ffc94d in nsXPConnect::GetRuntimeInstance () at js/xpconnect/src/nsXPConnect.cpp:241
#2  0x00007ffff3b40b69 in mozilla::dom::HTMLCollectionBinding::DOMProxyHandler::finalize (this=0x7ffff66cc270, fop=0x7fffe4e4bcc0, proxy=(JSObject *) 0x7fffcefb0300 [object Proxy]) at dom/bindings/HTMLCollectionBinding.cpp:639
#3  0x00007ffff4c3bfbc in proxy_Finalize (fop=0x7fffe4e4bcc0, obj=(js::RawObject) 0x7fffcefb0300 [object Proxy]) at js/src/jsproxy.cpp:3040
#4  0x00007ffff4b08747 in finalize (this=(JSObject *) 0x7fffcefb0300 [object Proxy], fop=0x7fffe4e4bcc0) at js/src/jsobjinlines.h:245
#5  js::gc::Arena::finalize<JSObject> (this=0x7fffcefb0000, fop=0x7fffe4e4bcc0, thingKind=js::gc::FINALIZE_OBJECT4_BACKGROUND, thingSize=64) at js/src/jsgc.cpp:354
#6  0x00007ffff4afc6eb in FinalizeTypedArenas (fop=0x7fffe4e4bcc0, src=0x7fffe4e4bc20, dest=..., thingKind=js::gc::FINALIZE_OBJECT4_BACKGROUND, budget=...) at js/src/jsgc.cpp:418
#7  0x00007ffff4ad5dff in FinalizeArenas (fop=0x7fffe4e4bcc0, src=0x7fffe4e4bc20, dest=..., thingKind=js::gc::FINALIZE_OBJECT4_BACKGROUND, budget=...) at js/src/jsgc.cpp:455
#8  0x00007ffff4ad5a71 in js::gc::ArenaLists::backgroundFinalize (fop=0x7fffe4e4bcc0, listHead=0x7fffcef2c000, onBackgroundThread=true) at js/src/jsgc.cpp:1396
#9  0x00007ffff4adc8b7 in SweepBackgroundThings (rt=0x7fffe51da000, onBackgroundThread=true) at js/src/jsgc.cpp:2208
#10 0x00007ffff4adb614 in js::GCHelperThread::doSweep (this=0x7fffe51daec8) at js/src/jsgc.cpp:2490
#11 0x00007ffff4adb3a3 in js::GCHelperThread::threadLoop (this=0x7fffe51daec8) at js/src/jsgc.cpp:2334
#12 0x00007ffff4adb2e7 in js::GCHelperThread::threadMain (arg=0x7fffe51daec8) at js/src/jsgc.cpp:2313
#13 0x00007ffff7eb9f82 in _pt_root (arg=0x7ffff6c49be0) at nsprpub/pr/src/pthreads/ptthread.c:191
#14 0x00007ffff7bc4e9a in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#15 0x00007ffff6ed8cbd in clone () from /lib/x86_64-linux-gnu/libc.so.6
#16 0x0000000000000000 in ?? ()
(gdb) list
134     {
135         // Do a release-mode assert that we're not doing anything significant in
136         // XPConnect off the main thread. If you're an extension developer hitting
137         // this, you need to change your code. See bug 716167.
138         if (!MOZ_LIKELY(NS_IsMainThread() || NS_IsCycleCollectorThread()))
139             MOZ_CRASH();
140
141         if (!gSelf) {
142             if (gOnceAliveNowDead)
143                 return nullptr;
(gdb)
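The guard at line 138 of the gdb listing above is a release-mode thread-affinity check: any caller that is not the main thread (or the cycle collector thread) hits MOZ_CRASH() rather than touching XPConnect state, which is exactly what the GC helper thread did here when a DOM proxy finalizer ran during background sweeping. The block below is an added illustration of that fail-fast pattern in portable C++; it is not Mozilla code, and the ThreadAffinityGuard class, its Check/Enforce methods and the ViolationsFromWorker/ViolationsFromOwner helpers are hypothetical names chosen for this example.

```cpp
// Added example (not Mozilla code): a fail-fast thread-affinity guard in the
// spirit of the NS_IsMainThread() || MOZ_CRASH() check shown in the listing.
#include <atomic>
#include <cstdlib>
#include <thread>

// Hypothetical helper: remembers which thread owns a subsystem and checks
// whether the current caller is that thread.
class ThreadAffinityGuard {
public:
    // The constructing thread becomes the owner (the "main thread" role).
    ThreadAffinityGuard() : owner_(std::this_thread::get_id()), violations_(0) {}

    // Pure check: true if `caller` is the owning thread.
    bool IsOwner(std::thread::id caller) const noexcept {
        return caller == owner_;
    }

    // Soft check: counts a violation instead of terminating, so the outcome
    // can be observed by the caller (and by a test).
    bool Check() noexcept {
        if (IsOwner(std::this_thread::get_id()))
            return true;
        violations_.fetch_add(1, std::memory_order_relaxed);
        return false;
    }

    // Hard check mirroring MOZ_CRASH(): abort in release builds too, so a
    // caller on the wrong thread fails loudly instead of racing on
    // owner-only state.
    void Enforce() noexcept {
        if (!Check())
            std::abort();
    }

    int Violations() const noexcept {
        return violations_.load(std::memory_order_relaxed);
    }

private:
    std::thread::id owner_;
    std::atomic<int> violations_;
};

// Owner-only use: every call is on the constructing thread, so no violation
// is recorded. Returns the violation count (expected 0).
int ViolationsFromOwner() {
    ThreadAffinityGuard guard;
    guard.Check();
    guard.Check();
    return guard.Violations();
}

// Reproduces the shape of the report: the guard belongs to the calling thread,
// a worker (standing in for the GC helper thread) calls into it, and the soft
// check fires. Returns the violation count (expected 1), or -1 if the owner
// check unexpectedly failed or the worker check unexpectedly passed.
int ViolationsFromWorker() {
    ThreadAffinityGuard guard;          // owner == this thread
    bool ownerOk = guard.Check();       // true: we are the owner
    bool workerOk = true;
    std::thread worker([&] { workerOk = guard.Check(); });
    worker.join();
    return (ownerOk && !workerOk) ? guard.Violations() : -1;
}

int main() {
    ThreadAffinityGuard guard;
    guard.Enforce();                    // fine on the owning thread
    return (ViolationsFromOwner() == 0 && ViolationsFromWorker() == 1) ? 0 : 1;
}
```

The soft Check() exists only so the off-thread case can be exercised without killing the process; production code of the kind in the listing uses the hard path, because silently continuing on the wrong thread is what turns a thread-safety bug into memory corruption.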
Comment 1 (Reporter, 5 years ago)
I'd guess the regression occurred in the last 24h or so...
Keywords: crash, regression
Background finalization is triggering a DOM finalizer somehow.  I would guess it is a DOM issue?  Did somebody change proxy finalization recently?  I looked at the function, and it just seemed like a one liner.
This seems potentially quite bad so I'm going to mark it s-s for now...
Group: core-security
Keywords: regressionwindow-wanted
Comment 4 (Reporter, 5 years ago)
This cset appears to work:
changeset:   125150:09f72f45a0b7
date:        Sun Mar 17 12:45:03 2013 -0700
summary:     Merge the last PGO-green mozilla-inbound cset to mozilla-central
> thingKind=js::gc::FINALIZE_OBJECT4_BACKGROUND

That should so not happen for DOM proxies...
Probably bug 841801. In retrospect, someone else should have reviewed the last patch in that series.
Blocks: 841801
status-b2g18: --- → unaffected
status-firefox20: --- → unaffected
status-firefox21: --- → unaffected
status-firefox22: --- → affected
status-firefox-esr17: --- → unaffected
tracking-firefox22: --- → ?
Wait a minute. This looks exactly like some very recent bustage on inbound.
  https://tbpl.mozilla.org/?tree=Mozilla-Inbound&rev=49ca6a3ef0b6
Mats, can you update to a tree that passes tests and try again? I'm guessing this is nothing.
tracking-firefox22: ? → ---
Flags: needinfo?(matspal)
Comment 8 (Reporter, 5 years ago)
You're right, rev cbe09ce5f9ed appears to be working.  Sorry for the false alarm.
No longer blocks: 841801
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: needinfo?(matspal)
Keywords: crash, regression, regressionwindow-wanted
Resolution: --- → INVALID
Better safe than sorry. :)
Group: core-security