Tor Browser is crashing on shutdown

While investigating #8601 (closed) I came across another crash which is probably related to the image cache patch. This one happens on shutdown after one surfs a bit on a website.

changed milestone to %TorBrowserBundle 2.3.x-stable

added MikePerry201304 component::firefox patch issues milestone::TorBrowserBundle 2.3.x-stable owner::mikeperry priority::medium resolution::duplicate status::closed tbb-crash type::defect labels

Here the gdb output:

###!!! ASSERTION: Tried to remove an object that's not tracked: 'state->IsTracked()', file ../../dist/include/nsExpirationTracker.h, line 127

Program received signal SIGSEGV, Segmentation fault. 0x00007ffff19f3e6b in nsTArray_base::Length (this=0x7fffd518a1c8) at ../../../dist/include/nsTArray.h:204 204 return mHdr->mLength; (gdb) bt #0 0x00007ffff19f3e6b in nsTArray_base::Length (this=0x7fffd518a1c8) at ../../../dist/include/nsTArray.h:204 #1 0x00007ffff1c4caa9 in nsExpirationTracker<imgCacheEntry, 3u>::RemoveObject (this=0x7fffd518a140, aObj=0x7fffcdec6bb0) at ../../dist/include/nsExpirationTracker.h:130 #2 (closed) 0x00007ffff1c4775a in imgLoader::RemoveFromCache (entry=0x7fffcdec6bb0) at /home/firefox64/TBB/debug-build/mozilla-esr17/image/src/imgLoader.cpp:1474 #3 (closed) 0x00007ffff1c478d4 in imgLoader::EvictEntries (aCacheToClear=...) at /home/firefox64/TBB/debug-build/mozilla-esr17/image/src/imgLoader.cpp:1499 #4 (closed) 0x00007ffff1c4579a in imgLoader::ClearImageCache () at /home/firefox64/TBB/debug-build/mozilla-esr17/image/src/imgLoader.cpp:1004 #5 (closed) 0x00007ffff1c4570d in imgLoader::Shutdown () at /home/firefox64/TBB/debug-build/mozilla-esr17/image/src/imgLoader.cpp:991 #6 (closed) 0x00007ffff1c26471 in imglib_Shutdown () at /home/firefox64/TBB/debug-build/mozilla-esr17/image/build/nsImageModule.cpp:106 #7 (closed) 0x00007ffff3462c69 in nsComponentManagerImpl::KnownModule::~KnownModule ( this=0x7fffe7ff9b40, __in_chrg=) at /home/firefox64/TBB/debug-build/mozilla-esr17/xpcom/components/nsComponentManager.h:175 #8 (closed) 0x00007ffff346bb43 in nsAutoPtrnsComponentManagerImpl::KnownModule::~nsAutoPtr (this=0x7ffff6c9b688, __in_chrg=) at ../../dist/include/nsAutoPtr.h:71 #9 (closed) 0x00007ffff346b795 in nsTArrayElementTraits<nsAutoPtrnsComponentManagerImpl::KnownModule >::Destruct (e=0x7ffff6c9b688) at ../../dist/include/nsTArray.h:360 #10 (closed) 0x00007ffff346adff in nsTArray<nsAutoPtrnsComponentManagerImpl::KnownModule, nsTArrayDefaultAllocator>::DestructRange (this=0x7ffff6c83458, start=0, count=55) at ../../dist/include/nsTArray.h:1225 #11 (closed) 0x00007ffff3469dbd in nsTArray<nsAutoPtrnsComponentManagerImpl::KnownModule, nsTArrayDefaultAllocator>::RemoveElementsAt (this=0x7ffff6c83458, start=0, count=55) at ../../dist/include/nsTArray.h:945 #12 (closed) 0x00007ffff3468b6f in nsTArray<nsAutoPtrnsComponentManagerImpl::KnownModule, nsTArrayDefaultAllocator>::Clear (this=0x7ffff6c83458) at ../../dist/include/nsTArray.h:956 #13 (closed) 0x00007ffff3465196 in nsComponentManagerImpl::Shutdown (this=0x7ffff6c83330) at /home/firefox64/TBB/debug-build/mozilla-esr17/xpcom/components/nsComponentManager.cpp:737 #14 (closed) 0x00007ffff340fc35 in mozilla::ShutdownXPCOM (servMgr=0x0) at /home/firefox64/TBB/debug-build/mozilla-esr17/xpcom/build/nsXPComInit.cpp:681 #15 (closed) 0x00007ffff340f661 in NS_ShutdownXPCOM_P (servMgr=0x7ffff6c83338) at /home/firefox64/TBB/debug-build/mozilla-esr17/xpcom/build/nsXPComInit.cpp:541 #16 (closed) 0x00007ffff199dff4 in ScopedXPCOMStartup::~ScopedXPCOMStartup (this=0x7fffe7f6a170, __in_chrg=) at /home/firefox64/TBB/debug-build/mozilla-esr17/toolkit/xre/nsAppRunner.cpp:1113 #17 (closed) 0x00007ffff19a713c in XREMain::XRE_main (this=0x7fffffffbc50, argc=1, argv=0x7fffffffe0b8, aAppData=0x637c40) at /home/firefox64/TBB/debug-build/mozilla-esr17/toolkit/xre/nsAppRunner.cpp:3911 #18 (closed) 0x00007ffff19a72e2 in XRE_main (argc=1, argv=0x7fffffffe0b8, aAppData=0x637c40, aFlags=0) at /home/firefox64/TBB/debug-build/mozilla-esr17/toolkit/xre/nsAppRunner.cpp:3965 #19 (closed) 0x0000000000402a7f in do_main (argc=1, argv=0x7fffffffe0b8) at /home/firefox64/TBB/debug-build/mozilla-esr17/browser/app/nsBrowserApp.cpp:174 #20 (closed) 0x0000000000402d35 in main (argc=1, argv=0x7fffffffe0b8) at /home/firefox64/TBB/debug-build/mozilla-esr17/browser/app/nsBrowserApp.cpp:279

gk: This is only debug builds, correct?

Possibly related to/dup of #8559 (closed). The same cache clearing functions get called in both cases.

See also #8601 (closed), which also triggered an image cache stacktrace.

Trac:
Keywords: N/A deleted, MikePerry201304 added

Replying to mikeperry:

gk: This is only debug builds, correct?

No. I get a crashing Tor Browser on shutdown with default TBBs as well. But it is not visible without e.g. attaching a debugger to it.

See #8628 (closed) for a potential fix.

gk: Has #8628 (closed) fixed this and the other crash bugs for you? They seem to have been fixed for me.

Replying to mikeperry:

gk: Has #8628 (closed) fixed this and the other crash bugs for you?

Yes.

Trac:
Status: new to closed
Resolution: N/A to duplicate

closed

mentioned in issue #8628 (closed)