Closed
Bug 990090
Opened 10 years ago
Closed 10 years ago
crash in JS::DescribeStack(JSContext*, unsigned int)
Categories
(Core :: DOM: Workers, defect)
Tracking
()
VERIFIED
FIXED
mozilla33
People
(Reporter: lizzard, Assigned: bholley)
References
Details
(Keywords: crash, topcrash, topcrash-win)
Crash Data
Attachments
(2 files)
2.12 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
2.35 KB,
patch
|
khuey
:
review+
Sylvestre
:
approval-mozilla-aurora+
Sylvestre
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is report bp-f3c4c86d-9316-4f97-9324-a28712140330. ============================================================= This is the #15 topcrash for Firefox 31 this week, with 65 out of 4290 crashes. It looks like the crashes spiked suddenly with the 2014032703 build.
Comment 1•10 years ago
|
||
It's a null deref on cx->compartment()->principals. We grab the cx in dom::GetCurrentJSStack from nsXPConnect::GetCurrentJSContext(), when on main thread, and the callstack is in fact on main thread, though in worker code: WorkerPrivateParent<Derived>::BroadcastErrorToSharedWorkers asserts IsOnMainThread.' This runnable does: 3121 if (actionsIndex == windowActions.NoIndex) { 3122 nsIScriptContext* scx = sharedWorker->GetContextForEventHandlers(&rv); 3123 cx = (NS_SUCCEEDED(rv) && scx) ? 3124 scx->GetNativeContext() : 3125 nsContentUtils::GetSafeJSContext(); 3126 } else { 3127 cx = windowActions[actionsIndex].mJSContext; 3128 } 3129 3130 AutoCxPusher autoPush(cx); Note that this can push the safe JS context, as far as I can see, in the SharedWorker case, without entering a compartment on it. And then it tries to throw/report an error on there, which presumably runs into the fix for bug 979481. 3128 } bent@149749 3129 bent@149749 3130 AutoCxPusher autoPush(cx);
Blocks: 979481
Updated•10 years ago
|
Component: DOM: Core & HTML → DOM: Workers
Comment 2•10 years ago
|
||
Er, ignore the part at the bottom of comment 1. ;) What this code trying to accomplish in the cases when it uses a SafeJSContext?
Flags: needinfo?(khuey)
Flags: needinfo?(bent.mozilla)
Updated•10 years ago
|
tracking-firefox31:
--- → ?
It's trying to handle the case where a SharedWorker lives somewhere without a window, like a JS component or JSM or bootstrap.js file I think.
Flags: needinfo?(bent.mozilla)
Comment 4•10 years ago
|
||
Yes, but handle it how? Where is it trying to throw/report the exception to?
Updated•10 years ago
|
Flags: needinfo?(bent.mozilla)
Oh, well, presumably to the context's error reporter. For the SafeJSContext I guess it gets dumped to stderr and (maybe) ends up in the Error Console?
Flags: needinfo?(bent.mozilla)
Comment 6•10 years ago
|
||
I guess the real question is whether there is a spec for SharedWorker error reporting. I guess what we should be doing here is entering the compartment of xpc::GetSafeJSContextGlobal() in the case when we're using the safe context?
Flags: needinfo?(khuey) → needinfo?(bobbyholley)
Assignee | ||
Comment 7•10 years ago
|
||
Seems like it would make more sense just to replace the whole thing with AutoEntryGlobal entry(globalObject). That'll sort out the correct context, push it, and enter the global's compartment. We should make a note that, depending on what we decided to do about error reporting in bug 989528, AutoEntryGlobal may not be the right long-term structure.
Flags: needinfo?(bobbyholley)
(In reply to Boris Zbarsky [:bz] from comment #6) > I guess the real question is whether there is a spec for SharedWorker error > reporting. Hixie was hesitant to spec since only Chrome had SharedWorker previously, but we chatted on irc and he said he had no objections to this approach. It seems crazy to me that this is a topcrash... Who is using SharedWorker in a context where there's no window?
Comment 10•10 years ago
|
||
(In reply to ben turner [:bent] (use the needinfo? flag!) from comment #9) > It seems crazy to me that this is a topcrash... Who is using SharedWorker in > a context where there's no window? I'm seeing a lot of crashes in DescribeStack on https://www.fimfiction.net, which (AFAIK) uses SharedWorkers for its web notifications.
Comment 11•10 years ago
|
||
Oh, and while this bug is about Windows, for me this happens in both Firefox 31.0a2 for Linux (Desktop) and Firefox 31.0a1 for Android. I've submitted crash reports for the latter, and bp-601d59a6-bbe8-4fa5-9414-afbac2140429 should be one of mine. For now I've turned off shared workers as a workaround.
Comment 12•10 years ago
|
||
Talked to one of Fimfiction's developer's about this bug, and it was discovered that the bug most likely happens in this scenario: There's only one tab making use of the notifications worker and the user navigates. This releases the worker and the window. When the worker now tries to make an update before it is destroyed, it throws an exception as there is no page to be updated and Firefox crashes as there is no window to report the error to. When there are at least two Fimfiction tabs open, the other tab will hold onto the worker so no crash happens. This is the worker code: http://www.fimfiction.net/workers/notifications_worker.js For anyone trying to replicate this, you'll need an account. Otherwise there won't be a worker.
Comment 13•10 years ago
|
||
Bobby, could you have a look to this bug or propose someone who could fix it? 31 is going to be in beta next week and it would be nice to have a fix. Thanks As comment 11 says, it seems to affect other platforms.
Flags: needinfo?(bobbyholley)
OS: Windows NT → All
Assignee | ||
Comment 14•10 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=d4940bd1789e
Assignee: nobody → bobbyholley
Flags: needinfo?(bobbyholley)
Assignee | ||
Comment 15•10 years ago
|
||
Attachment #8437219 -
Flags: review?(bzbarsky)
Assignee | ||
Comment 16•10 years ago
|
||
Attachment #8437221 -
Flags: review?(khuey)
Comment 17•10 years ago
|
||
Comment on attachment 8437219 [details] [diff] [review] Part 1 - Add a version of AutoJSAPIWithErrorsReportedToWindow that takes an nsIGlobalObject. v1 >+ // Equivalent to AutoJSAPI is aGlobal is not a Window. s/is aGlobal/if aGlobal/ r=me
Attachment #8437219 -
Flags: review?(bzbarsky) → review+
Attachment #8437221 -
Flags: review?(khuey) → review+
Reporter | ||
Comment 18•10 years ago
|
||
This crash is still present in Firefox 30, 31, 32, and 33. https://crash-stats.mozilla.com/report/list?signature=JS%3A%3ADescribeStack%28JSContext*%2C+unsigned+int%29&product=Firefox&query_type=contains&range_unit=weeks&process_type=any&hang_type=any&date=2014-06-12+16%3A00%3A00&range_value=1#tab-reports
Assignee | ||
Comment 19•10 years ago
|
||
remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/de567b2d9350 remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/3fe4e53dfe59
Assignee | ||
Comment 20•10 years ago
|
||
Comment on attachment 8437221 [details] [diff] [review] Part 2 - Use AutoJSAPI for BroadcastErrorToSharedWorkers. v1 [Approval Request Comment] Bug caused by (feature/regressing bug #): unknown User impact if declined: crashes Testing completed (on m-c, etc.): Just pushed to m-i Risk to taking this patch (and alternatives if risky): Low risk. String or IDL/UUID changes made by this patch: None.
Attachment #8437221 -
Flags: approval-mozilla-beta?
Attachment #8437221 -
Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/de567b2d9350 https://hg.mozilla.org/mozilla-central/rev/3fe4e53dfe59
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
Updated•10 years ago
|
Attachment #8437221 -
Flags: approval-mozilla-beta?
Attachment #8437221 -
Flags: approval-mozilla-beta+
Attachment #8437221 -
Flags: approval-mozilla-aurora?
Attachment #8437221 -
Flags: approval-mozilla-aurora+
Updated•10 years ago
|
Comment 22•10 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/f436868418ee https://hg.mozilla.org/releases/mozilla-aurora/rev/f1aebc2f1c58 https://hg.mozilla.org/releases/mozilla-beta/rev/4c62cbb21c01 https://hg.mozilla.org/releases/mozilla-beta/rev/86f90cef7574
status-b2g-v2.0:
--- → fixed
status-b2g-v2.1:
--- → fixed
Comment 23•10 years ago
|
||
Nightly 0 crashes in the last week: https://crash-stats.mozilla.com/query/?product=Firefox&version=Firefox%3A33.0a1&range_value=1&range_unit=weeks&date=07%2F01%2F2014+11%3A00%3A00&query_search=signature&query_type=contains&query=JS%3A%3ADescribeStack%28JSContext*%2C+unsigned+int%29&reason=&release_channels=&build_id=&process_type=any&hang_type=any Aurora 0 crashes in the last week: https://crash-stats.mozilla.com/query/?product=Firefox&version=Firefox%3A32.0a2&range_value=1&range_unit=weeks&date=07%2F01%2F2014+11%3A00%3A00&query_search=signature&query_type=contains&query=JS%3A%3ADescribeStack%28JSContext*%2C+unsigned+int%29&reason=&release_channels=&build_id=&process_type=any&hang_type=any Beta 11 crashes in the last week: https://crash-stats.mozilla.com/report/list?signature=JS%3A%3ADescribeStack%28JSContext%2A%2C+unsigned+int%29&product=Firefox&query_type=contains&range_unit=weeks&process_type=any&version=Firefox%3A31.0b&hang_type=any&date=2014-07-01+11%3A00%3A00&range_value=1#reports Crashes after the fix: 31 beta 2 - 2 crashes 31 beta 4 - 3 crashes 31 beta 5 - 3 crashes Can we say that is verified on 31 regarding the low number of crashes recorded?
Assignee | ||
Comment 24•10 years ago
|
||
(In reply to Bogdan Maris, QA [:bogdan_maris] from comment #23) > Can we say that is verified on 31 regarding the low number of crashes > recorded? That sounds fine to me.
Flags: needinfo?(bobbyholley)
Comment 25•10 years ago
|
||
(In reply to Bobby Holley (:bholley) from comment #24) > (In reply to Bogdan Maris, QA [:bogdan_maris] from comment #23) > > Can we say that is verified on 31 regarding the low number of crashes > > recorded? > > That sounds fine to me. Thanks, marking as verified on 31.
You need to log in
before you can comment on or make changes to this bug.
Description
•