Open Bug 963996 Opened 11 years ago Updated 2 years ago

Startup crash at nsContentUtils::IsCallerChrome

Categories

(Core :: Security: CAPS, defect)

x86_64
Linux
defect

People

(Reporter: cjones, Unassigned)

Details

(Whiteboard: [rr])

Attachments

(1 file)

This is in an --enable-profiling build of gecko-dev SHA1 41e8ad9c6f7192354d9ccfbf76579db2ab3ddc69.

Abbreviated backtrace

    (gdb) bt
    #0 AsmJSFaultHandler (signum=11, info=0xbfffa20c, context=0xbfffa28c) at /home/cjones/rr/mozilla-central/js/src/../../js/src/jit/AsmJSSignalHandlers.cpp:914
    #1 <signal handler called>
    #2 0x4376ea6d in nsContentUtils::IsCallerChrome () at /home/cjones/rr/mozilla-central/content/base/src/nsContentUtils.cpp:1758
    #3 0x436d62db in mozilla::dom::workers::WorkerPrivate::GetLoadInfo (aCx=0x4041d200, aWindow=0x0, aParent=0x0, aScriptURL=..., aIsChromeWorker=true, aLoadInfo=0xbfffa860) at /home/cjones/rr/mozilla-central/dom/workers/WorkerPrivate.cpp:3789
    #4 0x436d70d3 in mozilla::dom::workers::WorkerPrivate::Constructor (aGlobal=..., aScriptURL=..., aIsChromeWorker=true, aWorkerType=mozilla::dom::workers::WorkerPrivateParent<mozilla::dom::workers::WorkerPrivate>::WorkerTypeDedicated, aSharedWorkerName=..., aLoadInfo=0x0, aRv=...) at /home/cjones/rr/mozilla-central/dom/workers/WorkerPrivate.cpp:3678
    #5 0x436d7294 in mozilla::dom::workers::ChromeWorkerPrivate::Constructor (aGlobal=..., aScriptURL=..., aRv=...) at /home/cjones/rr/mozilla-central/dom/workers/WorkerPrivate.cpp:3637
    #6 0x43453680 in mozilla::dom::ChromeWorkerBinding::_constructor (cx=0x4041d200, argc=1, vp=0x4699c568) at /home/cjones/rr/ff-prof/dom/bindings/WorkerBinding.cpp:67
    #7 0x445c48f3 in CallJSNative (args=<synthetic pointer>, native=0x43453583 <mozilla::dom::ChromeWorkerBinding::_constructor(JSContext*, unsigned int, JS::Value*)>, cx=0x4041d200) at /home/cjones/rr/mozilla-central/js/src/../../js/src/jscntxtinlines.h:220
    #8 CallJSNativeConstructor (args=<synthetic pointer>, native=0x43453583 <mozilla::dom::ChromeWorkerBinding::_constructor(JSContext*, unsigned int, JS::Value*)>, cx=0x4041d200) at /home/cjones/rr/mozilla-central/js/src/../../js/src/jscntxtinlines.h:253
    ...

(there are 86 stack frames).
It appears that there's some kind of race condition with workers and securitymanager startup. I have the crash saved in a deterministic trace, so can repro 100% reliably.
aWindow and aParent are both null. I'm pretty interested in what's further up the stack. What's creating this worker, exactly, that's not a window or another worker, and at what point in startup is this code being run?
Most likely a JSM/component.
That looks like shutdown, not startup per se, right? Presumably we've already shut down nsContentUtils, so the MOZ_ASSERT(ssm) in WorkerPrivate::GetLoadInfo failed too, but this is an opt build. Kinda curious what this JS code is that runs at xpcom shutdown and tries to start workers...
> That looks like shutdown, not startup per se, right? Presumably we've already shut down nsContentUtils, so the MOZ_ASSERT(ssm) in WorkerPrivate::GetLoadInfo failed too, but this is an opt build.

Ah, yes. The duration that FF runs is short, a few seconds, so I just assumed a startup bug.

> Kinda curious what this JS code is that runs at xpcom shutdown and tries to start workers...

Is there a way to tell by poking at something in the backtrace? Or something else that can be described in gdb-ese ;).
Try "call DumpJSStack()"?
Er, except in an opt build that might not work. If this is an opt build, you want to poke at cx->fp() and its script/filename/lineno etc manually...
A system update ruined my saved trace, and now I can't reproduce this crash anymore. Grr!! Will come back to this if it pops up again.
Severity: normal → S3
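
The failure mode hypothesised in the comments above (a debug-only assertion on the security manager pointer that disappears in an opt build, leaving a null dereference once the service has been shut down), sketched as an added example that is not Gecko code and does not come from the bug's participants. `SecurityManager`, `gSecurityManager`, `DEBUG_ASSERT`, `LoadResult` and the functions are hypothetical stand-ins, and the model is single-threaded.

```cpp
// Added illustration; all names are hypothetical stand-ins, not Gecko code.
#include <cstdio>
#include <cstdlib>

// Models a debug-only assertion (as MOZ_ASSERT is described in the thread):
// it aborts in a DEBUG_BUILD and compiles to nothing in an optimized build.
#ifdef DEBUG_BUILD
#define DEBUG_ASSERT(cond) \
  do { if (!(cond)) { std::fprintf(stderr, "assert: %s\n", #cond); std::abort(); } } while (0)
#else
#define DEBUG_ASSERT(cond) do { } while (0)
#endif

struct SecurityManager { bool callerIsChrome = true; };

// Null before startup and again after shutdown.
static SecurityManager* gSecurityManager = nullptr;

void InitServices() { gSecurityManager = new SecurityManager(); }
void ShutdownServices() { delete gSecurityManager; gSecurityManager = nullptr; }

// Assertion-only guard: in an optimized build nothing stops the null
// dereference when this runs after ShutdownServices().
bool IsCallerChromeAssertOnly() {
  DEBUG_ASSERT(gSecurityManager);
  return gSecurityManager->callerIsChrome;
}

enum class LoadResult { Ok, ServiceUnavailable, NotChrome };

// Runtime guard present in every build type: a late caller gets an error
// (fail closed) instead of a crash or an unchecked privilege decision.
LoadResult GetLoadInfoChecked(bool isChromeWorker) {
  SecurityManager* ssm = gSecurityManager;
  if (!ssm) return LoadResult::ServiceUnavailable;
  if (isChromeWorker && !ssm->callerIsChrome) return LoadResult::NotChrome;
  return LoadResult::Ok;
}

int main() {
  InitServices();
  std::printf("running: %d\n", static_cast<int>(GetLoadInfoChecked(true)));
  ShutdownServices();
  std::printf("after shutdown: %d\n", static_cast<int>(GetLoadInfoChecked(true)));
  return 0;
}
```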