Closed Bug 873757 Opened 7 years ago Closed 7 years ago

crash in JSStructuredCloneWriter::writeArrayBuffer

Categories

(Core :: JavaScript Engine, defect, critical)

24 Branch
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla24
Tracking Status
firefox23 --- unaffected
firefox24 --- verified

People

(Reporter: scoobidiver, Assigned: vlad)

References

()

Details

(4 keywords, Whiteboard: [native-crash])

Crash Data

Attachments

(1 file)

It's #8 top crasher in 24.0a1 and first showed up in 24.0a1/20130514. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=7130e5134a6e&tochange=81dd97739fa1
It's likely a regression from bug 866431.

Signature 	JSStructuredCloneWriter::writeArrayBuffer(JS::Handle<JSObject*>) More Reports Search
UUID	75112060-37b7-4025-8f5b-123b52130518
Date Processed	2013-05-18 13:24:49
Uptime	30
Last Crash	4.0 hours before submission
Install Age	21.9 hours since version was first installed.
Install Time	2013-05-17 15:33:15
Product	Firefox
Version	24.0a1
Build ID	20130517031000
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 30 stepping 5
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x4
App Notes 	
AdapterVendorID: 0x1002, AdapterDeviceID: 0x6899, AdapterSubsysID: 29701682, AdapterDriverVersion: 9.12.0.0
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
Processor Notes 	sp-processor03_phx1_mozilla_com_17732:2012
EMCheckCompatibility	False
Adapter Vendor ID	0x1002
Adapter Device ID	0x6899
Total Virtual Memory	4294836224
Available Virtual Memory	3629711360
System Memory Use Percentage	34
Available Page File	6877728768
Available Physical Memory	2810765312

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	JSStructuredCloneWriter::writeArrayBuffer 	js/src/jsclone.cpp:605
1 	mozjs.dll 	JSStructuredCloneWriter::startWrite 	js/src/jsclone.cpp:679
2 	mozglue.dll 	arena_bin_nonfull_run_get 	memory/mozjemalloc/jemalloc.c:3890
3 	mozjs.dll 	JSStructuredCloneWriter::write 	js/src/jsclone.cpp:745
4 	mozjs.dll 	js::WriteStructuredClone 	js/src/jsclone.cpp:106
5 	mozjs.dll 	JS_WriteStructuredClone 	js/src/jsapi.cpp:6395
6 	xul.dll 	js::ArrayBufferBuilder::getArrayBuffer 	obj-firefox/dist/include/jsfriendapi.h:1067
7 	mozjs.dll 	JSAutoStructuredCloneBuffer::write 	js/src/jsapi.cpp:6519
8 	xul.dll 	nsAString_internal::Assign 	xpcom/string/src/nsTSubstring.cpp:347
9 	xul.dll 	`anonymous namespace'::EventRunnable::PreDispatch 	dom/workers/XMLHttpRequest.cpp:590
10 	xul.dll 	mozilla::dom::workers::WorkerRunnable::Dispatch 	dom/workers/WorkerPrivate.cpp:1534
11 	xul.dll 	nsEventListenerManager::HandleEventSubType 	content/events/src/nsEventListenerManager.cpp:922
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=JSStructuredCloneWriter%3A%3AwriteArrayBuffer%28JS%3A%3AHandle%3CJSObject*%3E%29
I admit, I'm confused.  JSAutoStructuredCloneBuffer::write definitely does not call js::ArrayBufferBuilder::getArrayBuffer, or uses ArrayBufferBuilder at all.  The only thing that does is XMLHttpRequest right now.
(In reply to Vladimir Vukicevic [:vlad] [:vladv] from comment #1)
> I admit, I'm confused. 
So it might be caused by bug 860965.
(In reply to Scoobidiver from comment #2)
> (In reply to Vladimir Vukicevic [:vlad] [:vladv] from comment #1)
> > I admit, I'm confused. 
> So it might be caused by bug 860965.

That looks like it got backed out on 13-May, and there are still crashes beyond that. :/  I wish we would include the offset in the symbol in the stack traces in the display, so that we can see if it's just using the wrong symbol in the stack trace.
I can reproduce with nightly by visiting the following url:
http://people.mozilla.com/~bdahl/sandbox/bug873757/web/viewer.html?file=intelisa.pdf
(In reply to Brendan Dahl from comment #4)
> I can reproduce with nightly by visiting the following url:
Me too.
Ah ha!  Awesome, thanks bdahl.

There was a failed assertion before this (at nsXMLHttpRequest::GetResponse -> ArrayBufferBuilder::getArrayBuffer -> JS_NewArrayBufferWithContents, where an assert(contents) was failing), so that null could have caused all this stuff.

The issue was that a 0-length read resulted in us never actually allocating contents, thus passing a null pointer to JS_NewArrayBufferWithContents.

And a bonus, I caught another missing reset(), this time with chunked XHR :/
Assignee: general → vladimir
Attachment #753181 - Flags: review?(bzbarsky)
Comment on attachment 753181 [details] [diff] [review]
fix builder when length == 0, and reset XHR

r=me
Attachment #753181 - Flags: review?(bzbarsky) → review+
Flags: in-testsuite?
Yeah, definitely in-testsuite?.  Things to test:

- loading an arraybuffer
- reusing an XHR to load another arraybuffer
- loading a chunked arraybuffer
- reusing an XHR to load another chunked arraybuffer
- not reading the response property in all of the above before continuing, as well as reading it
https://hg.mozilla.org/mozilla-central/rev/633a2ef5b0c2
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Reproduced Nightly 2013-05-17.
No longer reproducible in FF 24b5.
Also there are no crashes checking the crashstats for the last 4 weeks.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.