Closed rmottola closed 4 months ago
@roytam1 any idea? help in finding the breaking commit for newtab?
@roytam1 any idea? help in finding the breaking commit for newtab?
no idea, I'm still find the cause of crash in NSS(actually NSPR, in _PR_DestroyThreadPrivate
) when terminating arcticfox
@roytam1 crash on ArcticFox shutdown? Got that, but now seems gone. I commited lots of security related stuff and perhaps I fixed it "by luck"
crash on ArcticFox shutdown? Got that, but now seems gone.
I can get some more crashes, for example:
stack trace:
> xul.dll!mozilla::dom::CanvasRenderingContext2D::ClearRect(double aX, double aY, double aW, double aH) Line 2564 C++
xul.dll!mozilla::dom::CanvasRenderingContext2DBinding::clearRect(JSContext * cx, JS::Handle<JSObject *> obj, mozilla::dom::CanvasRenderingContext2D * self, const JSJitMethodCallArgs & args) Line 3155 C++
xul.dll!mozilla::dom::GenericBindingMethod(JSContext * cx, unsigned int argc, JS::Value * vp) Line 2731 C++
mozjs.dll!js::Invoke(JSContext * cx, const JS::CallArgs & args, js::MaybeConstruct construct) Line 478 C++
mozjs.dll!Interpret(JSContext * cx, js::RunState & state) Line 2841 C++
mozjs.dll!js::RunScript(JSContext * cx, js::RunState & state) Line 428 C++
mozjs.dll!js::ExecuteKernel(JSContext * cx, JS::Handle<JSScript *> script, JSObject & scopeChainArg, const JS::Value & newTargetValue, js::AbstractFramePtr evalInFrame, JS::Value * result) Line 687 C++
mozjs.dll!js::Execute(JSContext * cx, JS::Handle<JSScript *> script, JSObject & scopeChainArg, JS::Value * rval) Line 717 C++
mozjs.dll!Evaluate(JSContext * cx, JS::Handle<JSObject *> scope, JS::Handle<js::StaticScope *> staticScope, const JS::ReadOnlyCompileOptions & optionsArg, JS::SourceBufferHolder & srcBuf, JS::MutableHandle<JS::Value> rval) Line 4473 C++
mozjs.dll!Evaluate(JSContext * cx, JS::AutoVectorRooter<JSObject *> & scopeChain, const JS::ReadOnlyCompileOptions & optionsArg, JS::SourceBufferHolder & srcBuf, JS::MutableHandle<JS::Value> rval) Line 4499 C++
mozjs.dll!JS::Evaluate(JSContext * cx, JS::AutoVectorRooter<JSObject *> & scopeChain, const JS::ReadOnlyCompileOptions & optionsArg, JS::SourceBufferHolder & srcBuf, JS::MutableHandle<JS::Value> rval) Line 4560 C++
xul.dll!nsJSUtils::EvaluateString(JSContext * aCx, JS::SourceBufferHolder & aSrcBuf, JS::Handle<JSObject *> aEvaluationGlobal, JS::CompileOptions & aCompileOptions, const nsJSUtils::EvaluateOptions & aEvaluateOptions, JS::MutableHandle<JS::Value> aRetValue, void * * aOffThreadToken) Line 213 C++
xul.dll!nsJSUtils::EvaluateString(JSContext * aCx, JS::SourceBufferHolder & aSrcBuf, JS::Handle<JSObject *> aEvaluationGlobal, JS::CompileOptions & aCompileOptions, void * * aOffThreadToken) Line 276 C++
xul.dll!nsScriptLoader::EvaluateScript(nsScriptLoadRequest * aRequest, JS::SourceBufferHolder & aSrcBuf) Line 1147 C++
xul.dll!nsScriptLoader::ProcessRequest(nsScriptLoadRequest * aRequest) Line 966 C++
xul.dll!nsScriptRequestProcessor::Run() Line 393 C++
xul.dll!nsContentUtils::RemoveScriptBlocker() Line 5149 C++
xul.dll!nsDocument::EndUpdate(unsigned int aUpdateType) Line 4891 C++
xul.dll!nsHTMLDocument::EndUpdate(unsigned int aUpdateType) Line 2534 C++
xul.dll!nsINode::ReplaceOrInsertBefore(bool aReplace, nsINode * aNewChild, nsINode * aRefChild, mozilla::ErrorResult & aError) Line 2465 C++
xul.dll!mozilla::dom::NodeBinding::insertBefore(JSContext * cx, JS::Handle<JSObject *> obj, nsINode * self, const JSJitMethodCallArgs & args) Line 583 C++
xul.dll!mozilla::dom::GenericBindingMethod(JSContext * cx, unsigned int argc, JS::Value * vp) Line 2731 C++
mozjs.dll!js::Invoke(JSContext * cx, const JS::CallArgs & args, js::MaybeConstruct construct) Line 478 C++
mozjs.dll!Interpret(JSContext * cx, js::RunState & state) Line 2841 C++
mozjs.dll!js::RunScript(JSContext * cx, js::RunState & state) Line 428 C++
mozjs.dll!js::Invoke(JSContext * cx, const JS::CallArgs & args, js::MaybeConstruct construct) Line 499 C++
mozjs.dll!js::fun_apply(JSContext * cx, unsigned int argc, JS::Value * vp) Line 1377 C++
mozjs.dll!js::Invoke(JSContext * cx, const JS::CallArgs & args, js::MaybeConstruct construct) Line 478 C++
mozjs.dll!Interpret(JSContext * cx, js::RunState & state) Line 2841 C++
mozjs.dll!js::RunScript(JSContext * cx, js::RunState & state) Line 428 C++
mozjs.dll!js::Invoke(JSContext * cx, const JS::CallArgs & args, js::MaybeConstruct construct) Line 499 C++
mozjs.dll!js::Invoke(JSContext * cx, const JS::Value & thisv, const JS::Value & fval, unsigned int argc, const JS::Value * argv, JS::MutableHandle<JS::Value> rval) Line 530 C++
mozjs.dll!js::jit::DoCallFallback(JSContext * cx, js::jit::BaselineFrame * frame, js::jit::ICCall_Fallback * stub_, unsigned int argc, JS::Value * vp, JS::MutableHandle<JS::Value> res) Line 6144 C++
[External Code]
[Frames below may be incorrect and/or missing]
mozjs.dll!EnterBaseline(JSContext * cx, js::jit::EnterJitData & data) Line 152 C++
mozjs.dll!js::jit::EnterBaselineAtBranch(JSContext * cx, js::InterpreterFrame * fp, unsigned char * pc) Line 256 C++
mozjs.dll!Interpret(JSContext * cx, js::RunState & state) Line 1854 C++
mozjs.dll!js::RunScript(JSContext * cx, js::RunState & state) Line 428 C++
mozjs.dll!js::Invoke(JSContext * cx, const JS::CallArgs & args, js::MaybeConstruct construct) Line 499 C++
mozjs.dll!js::Invoke(JSContext * cx, const JS::Value & thisv, const JS::Value & fval, unsigned int argc, const JS::Value * argv, JS::MutableHandle<JS::Value> rval) Line 530 C++
mozjs.dll!JS::Call(JSContext * cx, JS::Handle<JS::Value> thisv, JS::Handle<JS::Value> fval, const JS::HandleValueArray & args, JS::MutableHandle<JS::Value> rval) Line 2904 C++
xul.dll!mozilla::dom::Function::Call(JSContext * cx, JS::Handle<JS::Value> aThisVal, const nsTArray<JS::Value> & arguments, JS::MutableHandle<JS::Value> aRetVal, mozilla::ErrorResult & aRv) Line 37 C++
xul.dll!mozilla::dom::Function::Call<nsCOMPtr<nsISupports> >(const nsCOMPtr<nsISupports> & thisVal, const nsTArray<JS::Value> & arguments, JS::MutableHandle<JS::Value> aRetVal, mozilla::ErrorResult & aRv, const char * aExecutionReason, mozilla::dom::CallbackObject::ExceptionHandling aExceptionHandling, JSCompartment * aCompartment) Line 58 C++
xul.dll!nsGlobalWindow::RunTimeoutHandler(nsTimeout * aTimeout, nsIScriptContext * aScx) Line 11975 C++
xul.dll!nsGlobalWindow::RunTimeout(nsTimeout * aTimeout) Line 12211 C++
xul.dll!nsGlobalWindow::TimerCallback(nsITimer * aTimer, void * aClosure) Line 12456 C++
xul.dll!nsTimerImpl::Fire() Line 526 C++
xul.dll!mozilla::BackgroundHangThread::FindThread() Line 510 C++
xul.dll!nsThread::ProcessNextEvent(bool aMayWait, bool * aResult) Line 1024 C++
xul.dll!NS_ProcessNextEvent(nsIThread * aThread, bool aMayWait) Line 297 C++
xul.dll!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate * aDelegate) Line 101 C++
xul.dll!MessageLoop::RunHandler() Line 228 C++
xul.dll!MessageLoop::Run() Line 202 C++
xul.dll!nsBaseAppShell::Run() Line 158 C++
xul.dll!nsAppShell::Run() Line 172 C++
xul.dll!nsAppStartup::Run() Line 282 C++
xul.dll!XREMain::XRE_mainRun() Line 4362 C++
xul.dll!NS_InitXPCOM2(nsIServiceManager * * aResult, nsIFile * aBinDirectory, nsIDirectoryServiceProvider * aAppFileLocationProvider) Line 757 C++
xul.dll!ScopedXPCOMStartup::Initialize() Line 1535 C++
xul.dll!base::Histogram::Add(int value) Line 131 C++
xul.dll!`anonymous namespace'::HistogramAdd(base::Histogram & histogram, int value, unsigned int dataset) Line 1187 C++
xul.dll!XRE_TelemetryAccumulate(int aID, unsigned int aSample) Line 3911 C++
[External Code]
void
CanvasRenderingContext2D::ClearRect(double aX, double aY, double aW,
double aH)
{
// Do not allow zeros - it's a no-op at that point per spec.
if (!ValidateRect(aX, aY, aW, aH, false)) {
return;
}
mTarget->ClearRect(gfx::Rect(aX, aY, aW, aH)); // <-- mTarget is nullptr here
while I addressed this in my repo: https://github.com/roytam1/palemoon27/commit/13e8a4e26a3e24893d30fd8d8cdbdeb08d5d1222
and the crash when terminating is still reproducible:
stack trace:
583ea5c2() Unknown
[Frames below may be incorrect and/or missing]
> nss3.dll!_PR_DestroyThreadPrivate(PRThread * self) Line 237 C
nss3.dll!_PR_CleanupThread(PRThread * thread) Line 33 C
nss3.dll!_PR_NativeRunThread(void * arg) Line 427 C
nss3.dll!pr_root(void * arg) Line 95 C
[External Code]
debug log:
Unhandled exception at 0x583EA5C2 in arcticfox.exe: 0xC0000005: Access violation executing location 0x583EA5C2.
void _PR_DestroyThreadPrivate(PRThread* self)
{
#define _PR_TPD_DESTRUCTOR_ITERATIONS 4
if (NULL != self->privateData) /* we have some */
{
PRBool clean;
PRUint32 index;
PRInt32 passes = _PR_TPD_DESTRUCTOR_ITERATIONS;
PR_ASSERT(0 != self->tpdLength);
do
{
clean = PR_TRUE;
for (index = 0; index < self->tpdLength; ++index)
{
void *priv = self->privateData[index]; /* extract */
if (NULL != priv) /* we have data at this index */
{
if (NULL != _pr_tpd_destructors[index])
{
self->privateData[index] = NULL; /* precondition */
(*_pr_tpd_destructors[index])(priv); /* destroy */ // <-- crash here
clean = PR_FALSE; /* unknown side effects */
}
}
possible cause: DLL is unloaded while it is still running: https://stackoverflow.com/questions/61312902/unloading-dll-throws-an-access-violation-error
but I'm not able to find which rev is guilty at the moment.
@roytam1 I think the current version has the shutdown crash fixed. Seems stable for me, I tried several times.
However, all the new patches seem to have made AF prone to crash with certain pages, consistently the same. I was unable to get a signifcant backtrace.
@roytam1 I think the current version has the shutdown crash fixed. Seems stable for me, I tried several times.
still happens here, try visiting https://www.jaynestars.com/ , scrolling to bottom with mouse wheel, then close browser.
@roytam1 tried and it crashes before reaching the bottom ! darn
@roytam1 tried and it crashes before reaching the bottom ! darn
you may hit CanvasRenderingContext2D::ClearRect()
null mTarget
crash first if you don't handle empty mTarget in ClearRect.
@roytam1 tried and it crashes before reaching the bottom ! darn
you may hit
CanvasRenderingContext2D::ClearRect()
nullmTarget
crash first if you don't handle empty mTarget in ClearRect.
oh... right, I found the culprit. I removed accidentally an EnsureTarget() during a patch merge. https://github.com/rmottola/Arctic-Fox/commit/32fa5b83374a5272590d324d9f0340c86192b78b
fixes it, it should make your other patch unnecessary. With this I can scroll the document down (it never finishes loading as many sites) quite ArcticFox and have no crash.
@roytam1 shutdown-crash solved now for you? It is for me, seems consistent.
So the original issue here, that one is still open for me.
@roytam1 shutdown-crash solved now for you?
haven't test here, will merge tomorrow and see if it still crash or not.
EDIT: tested and same happens.
It all looks fixed on my side, visiting https://www.jaynestars.com/ does not cause a crash on closure anymore, nor on Linux nor on MacOS. Perhaps you have some more changes you better review or take out since they are not needed? I hope it didn't became Windows specific.
@roytam1 the original bug is actually fixed too! So I would close here after your input. If it persists, it would be best to make a new issue and collect all the "crashy sites" as test cases.
@roytam1 the original bug is actually fixed too! So I would close here after your input. If it persists, it would be best to make a new issue and collect all the "crashy sites" as test cases.
yeah I think this bug can be closed. and NSPR crash bug when terminating may be not related to any sites, and may be only happen in windows.
crashing thread is a Cache2 I/O thread:
startFunc = 0x58729ab0 {xul.dll!mozilla::net::CacheIOThread::ThreadFunc(void *)}
name = 0x09a4d190 "Cache2 I/O"
@roytam1 hard with stack-trace. Please sync, update, check that you may have added changes not needed anymore and open separate bug. I suppose on windows NSPR is the AF supplied one and not system. I will test both.
This is a regression.
I suppose it comes from this commit: 1234522. But maybe more.
I made I quick fix for the toolbar, but newtab is still not working.