889885 - crash in mozilla::psm::NotifyObserverRunnable::~NotifyObserverRunnable @ nsXPCWrappedJS::Release

Status: RESOLVED FIXED

(Core :: Security, defect)

Description

[Scoobidiver (away)]

There's one crash in 25.0a1/20130703.

Signature 	nsXPCWrappedJS::Release() More Reports Search
UUID 	ecd4cb41-b720-4b34-86b5-8ccc62130703
Date Processed	2013-07-03 14:22:21.169970
Uptime	100
Install Age 	100 since version was first installed.
Install Time 	2013-07-03 14:18:56
Product 	FennecAndroid
Version 	25.0a1
Build ID 	20130703031323
Release Channel 	nightly
OS 	Android
OS Version 	0.0.0 Linux 3.1.10-g05b777c #1 SMP PREEMPT Thu Nov 29 10:35:37 PST 2012 armv7l google/nakasi/grouper
Build Architecture 	arm
Build Architecture Info 	ARMv0 | None
Crash Reason 	SIGSEGV
Crash Address 	0x0
App Notes 	
AdapterDescription: 'NVIDIA Corporation -- NVIDIA Tegra 3 -- OpenGL ES 2.0 14.01002 -- Model: Nexus 7, Product: nakasi, Manufacturer: asus, Hardware: grouper'
GL Layers! EGL? EGL+ GL Context? GL Context+ GL Layers+ 
asus Nexus 7
google/nakasi/grouper:4.2.2/JDQ39/573038:user/release-keys	
Adapter Vendor ID 	NVIDIA Corporation
Adapter Device ID 	NVIDIA Tegra 3
Android CPU ABI 	armeabi-v7a
Android Manufacturer 	asus
Android Model 	Nexus 7
Android Version 	17 (REL)

Frame 	Module 	Signature 	Source
0 	libxul.so 	nsXPCWrappedJS::Release() 	js/xpconnect/src/XPCWrappedJS.cpp
1 	libxul.so 	GrGLProgramStage::name() const 	gfx/skia/src/gpu/gl/GrGLProgramStage.h
2 	libxul.so 	mozilla::RefPtr<mozilla::psm::TransportSecurityInfo>::~RefPtr() 	
3 	libxul.so 	mozilla::psm::NotifyObserverRunnable::~NotifyObserverRunnable() 	obj-firefox/dist/include/nsCOMPtr.h
4 	libxul.so 	mozilla::psm::NotifyObserverRunnable::~NotifyObserverRunnable() 	security/manager/ssl/src/PSMRunnable.h
5 	libxul.so 	PipUIContext::Release() 	security/manager/ssl/src/nsNSSComponent.cpp
6 	libxul.so 	mozilla::RefPtr<mozilla::psm::TransportSecurityInfo>::~RefPtr() 	
7 	libxul.so 	nsKeygenThread::Run() 	obj-firefox/dist/include/nsCOMPtr.h
8 	libnss3.so 	_pt_root 	nsprpub/pr/src/pthreads/ptthread.c
9 	libc.so 	__thread_entry 	
10 	libc.so 	pthread_create

More reports at:
https://crash-stats.mozilla.com/report/list?product=FennecAndroid&signature=nsXPCWrappedJS%3A%3ARelease%28%29

Comment 1

[Josh Matthews [:jdm]]

http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsKeygenThread.cpp#235

We can reach a point in nsKeygenThread::Run where statusDialogClosed is false and mNotifyObserver is non-null, causing us to null out mNotifyObserver and release a JS-implemented observer (http://mxr.mozilla.org/mozilla-central/source/security/manager/pki/resources/content/createCertInfo.js#27) off the main thread. mNotifyObserver needs to be an nsMainThreadPtrHandle in order to avoid this.

Comment 2

[Josh Matthews [:jdm]]

Attachment: Avoid releasing scripted observers from PSM off the main thread.

Comment 3

[Josh Matthews [:jdm]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/b588d61e105d

Comment 4

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/b588d61e105d

Comment 5

[Josh Matthews [:jdm]]

Comment on attachment 770964 [details] [diff] [review]
Avoid releasing scripted observers from PSM off the main thread.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 770840
User impact if declined: Occasional crashes.
Testing completed (on m-c, etc.): m-c
Risk to taking this patch (and alternatives if risky): None.
String or IDL/UUID changes made by this patch: None.

Comment 6

[bhavana bajaj [:bajaj]]

Comment on attachment 770964 [details] [diff] [review]
Avoid releasing scripted observers from PSM off the main thread.

Low risk patch that helps avoid occasional crashes.

Comment 7

[Josh Matthews [:jdm]]

https://hg.mozilla.org/releases/mozilla-aurora/rev/5f5646dc9d94