Closed Bug 1742991 Opened 3 years ago Closed 3 years ago

crash nsXPCWrappedJS::AddRef

Categories

(MailNews Core :: Networking: IMAP, defect)

Product:
MailNews Core
Component:
Networking: IMAP
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(thunderbird_esr91+ fixed, thunderbird96+ fixed)

Status:
RESOLVED FIXED
Milestone:
97 Branch
Tracking Flags:
Tracking Status
thunderbird_esr91 + fixed
thunderbird96 + fixed

People

(Reporter: wsmwk, Assigned: m_kato)

References

(Blocks 4 open bugs,
URL
)

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

Bug 1742991 - nsImapProtocol should not inherit nsIRunnable. r=mkmelin
(deleted), text/x-phabricator-request
wsmwk
: approval-comm-beta+
wsmwk
: approval-comm-esr91+
Details

This covers what remains after Bug #1175168.

nsXPCWrappedJS::AddRef is #39 crash for 91.2.1, and #35 for 91.3.0.

Examples:

  • bp-5705411b-c580-466f-a8b6-c356d0211109 91.2.1
    0 xul.dll nsXPCWrappedJS::AddRef() js/xpconnect/src/XPCWrappedJS.cpp:240
    1 xul.dll AddRefThunk(IUnknown*) ipc/mscom/VTableBuilder.c:22
    2 xul.dll nsMsgMailNewsUrl::~nsMsgMailNewsUrl() comm/mailnews/base/src/nsMsgMailNewsUrl.cpp:73
    3 xul.dll [thunk]: virtual void* __thiscall nsImapUrl::vector deleting destructor
    4 xul.dll nsMsgMailNewsUrl::Release comm/mailnews/base/src/nsMsgMailNewsUrl.cpp:81
    5 xul.dll nsImapUrl::Release() comm/mailnews/imap/src/nsImapUrl.cpp:81
    6 xul.dll nsImapProtocol::~nsImapProtocol() comm/mailnews/imap/src/nsImapProtocol.cpp:669
    7 xul.dll [thunk]: virtual void* __thiscall nsImapProtocol::`vector deleting destructor'(unsigned int)
    8 xul.dll mozilla::net::HttpBaseChannel::Release() netwerk/protocol/http/HttpBaseChannel.cpp:383

  • bp-713462b1-ba1c-4e9c-b05f-440260211109 91.3.0 same stack

  • bp-c5867ab5-09e8-46bb-9ac1-0c23e0211109 91.3.0 same stack

Flags: needinfo?(mkmelin+mozilla)

6 xul.dll nsImapProtocol::~nsImapProtocol() comm/mailnews/imap/src/nsImapProtocol.cpp:669

This is known issue for me. This is race condition of nsImapProtocol's release code. I will file new issue to fix this.

If those stacks are all the same, maybe m_kato's bug will take care of them all? (Or feel free to use this bug if you didn't file one already.)

Flags: needinfo?(mkmelin+mozilla)

I will post new patch next week.

nsImapProtocol::Run has a race condition between main thread and IMAP thread.

IMAP thread is running Runnable by nsImapProtocol. But it is possible to run
releaseOnMain for nsIImapProtocol before decrementing reference count of
Runnable by nsImapProtocol on IMAP thread. So then, the destructor of
nsImapProtocol may run on IMAP thread that is shutting down.

In other words, this sequence is the following.

  1. nsImapProtocol::Run() calls NS_ReleaseOnMainThread to dereference
    nsImapProtocol on Imap thread.
  2. nsImapProtocol is released in main thread since we used
    NS_ReleaseOnMainThread.
  3. nsThread::ProcessNextEvent releases nsImapProtocol on Imap thread since
    nsIRunnble is done and nsImapProtocol inherits nsIRunnable.
  4. nsImapProtocol's reference is nothing, then it is deleted on Imap thread.

So nsImapProtocol shouldn't inherit nsIRunnable.

Assignee: nobody → m_kato
Status: NEW → ASSIGNED

Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/comm-central/rev/2f0f28b861b6
nsImapProtocol should not inherit nsIRunnable. r=mkmelin

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
status-thunderbird96: --- → affected
status-thunderbird_esr91: --- → affected
tracking-thunderbird96: --- → +
tracking-thunderbird_esr91: --- → +
Target Milestone: --- → 97 Branch

Thanks for the patch.

Doesn't need to ride the train if safe enough for uplift to beta. What do you think, OK to take next week on Monday's beta?

Flags: needinfo?(m_kato)

(In reply to Wayne Mery (:wsmwk) from comment #7)

Thanks for the patch.

Doesn't need to ride the train if safe enough for uplift to beta. What do you think, OK to take next week on Monday's beta?

Risk is medium since this fix changes object (nsImapProtcol)'s lifetime. But this can fix a lot of crashes, so I think that this should be uplifted.

Flags: needinfo?(m_kato)

Comment on attachment 9253842 [details]
Bug 1742991 - nsImapProtocol should not inherit nsIRunnable. r=mkmelin

[Triage Comment]
Approved for beta (it's been on nightly for a couple weeks)

We'll just want to keep a close eye out for regression behavior.

Attachment #9253842 - Flags: approval-comm-beta+

How do you feel about uplifting this to version 91? If so, it would likely go into 91.5.1 shipping in a week.

It's been on nightly for 6 weeks and beta for 4 weeks. So far, I'm not seeing any regression bug reports.

Flags: needinfo?(m_kato)
Blocks: 1750313

(In reply to Wayne Mery (:wsmwk) from comment #11)

How do you feel about uplifting this to version 91? If so, it would likely go into 91.5.1 shipping in a week.

It's been on nightly for 6 weeks and beta for 4 weeks. So far, I'm not seeing any regression bug reports.

If no regression, I think that this should uplift to 91 since this is crash issue by assertion.

Flags: needinfo?(m_kato)

Comment on attachment 9253842 [details]
Bug 1742991 - nsImapProtocol should not inherit nsIRunnable. r=mkmelin

[Triage Comment]
Approved for esr91

Attachment #9253842 - Flags: approval-comm-esr91+

m_kato, thanks for your hard work!

Unfortunately I didn't analyze the results when this landed in version 91 almost exactly a year ago, and we don't have crash statistics going back that far. So we don't have a record of which dependent bugs improved. Still open are bug 558452, bug 917961, bug 1344036, bug 1508649 a topcrash, bug 1581079, bug 1746655.

FWIW nsXPCWrappedJS::AddRef itself was a low crash rate as of August

I filed a related issue as bug 1813422

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: