1130838 - crash in mozilla::layers::PLayerTransactionParent::Lookup(int)

Status: RESOLVED DUPLICATE of bug 1132874

(Core :: Graphics, defect)

Description

[Jim Mathies [:jimm]]

Combine the two signatures for this together this crash represents #5 top content crasher.


This bug was filed from the Socorro interface and is 
report bp-cc01234c-5a03-43f3-8425-21c322150201.
=============================================================

0 	xul.dll 	mozilla::layers::PLayerTransactionParent::Lookup(int) 	obj-firefox/ipc/ipdl/PHalChild.cpp
1 	xul.dll 	mozilla::plugins::PPluginModuleParent::OnMessageReceived(IPC::Message const&) 	obj-firefox/ipc/ipdl/PPluginModuleParent.cpp
2 	xul.dll 	mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) 	ipc/glue/MessageChannel.cpp
3 	xul.dll 	mozilla::ipc::MessageChannel::DispatchMessageW(IPC::Message const&) 	ipc/glue/MessageChannel.cpp
4 	xul.dll 	mozilla::ipc::MessageChannel::Call(IPC::Message*, IPC::Message*) 	ipc/glue/MessageChannel.cpp
5 	xul.dll 	mozilla::plugins::PPluginScriptableObjectParent::CallInvalidate() 	obj-firefox/ipc/ipdl/PPluginScriptableObjectParent.cpp
6 	xul.dll 	mozilla::plugins::PluginScriptableObjectParent::ScriptableInvalidate(NPObject*) 	dom/plugins/ipc/PluginScriptableObjectParent.cpp
7 	xul.dll 	NPObjWrapperPluginDestroyedCallback 	dom/plugins/base/nsJSNPRuntime.cpp
8 	xul.dll 	nsJSNPRuntime::OnPluginDestroy(_NPP*) 	dom/plugins/base/nsJSNPRuntime.cpp
9 	xul.dll 	nsNPAPIPluginInstance::Stop() 	dom/plugins/base/nsNPAPIPluginInstance.cpp

Comment 1

[Tracy Walker [:tracy]]

kicked back into triage, because no action since needInfo was requested.

Comment 2

[Tracy Walker [:tracy]]

[@ mozilla::layers::PLayerTransactionParent::Lookup(int) ] shows only 3 urls.  each one with only one crash.

1 	http://euw.leagueoflegends.com/de/news/esports/esports-event/iem-katowice-fin...
1 	http://www.cursuri-online.info/chineza/chinese-lessons/lesson04/lesson04.htm
1 	https://www.meetme.com/
===================================

[@ mozilla::hal_sandbox::PHalChild::Lookup(int) ]

1 	http://www.twitch.tv/directory
===================================

[@ mozilla::layers::PLayerTransactionChild::Lookup(int) ]

Total Count 	URL
5 	about:blank
1 	http://www.pln.co.id/dataweb/STAT/STAT2010IND.pdf
1 	http://www.seratnews.ir/fa/news/225732/%D9%85%D8%AF%D8%B1%D8%B3%D9%87%E2%80%8...
1 	https://www.google.com.ua/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0CFIQr...
1 	http://www.seratnews.ir/fa/news/231650/%D8%AD%D9%84-%D9%85%D8%B4%DA%A9%D9%84-...
1 	http://prntscr.com/6gs9ju
1 	http://mohdaahli.blogspot.ae/p/blog-page_20.html
===================================

All of the other signatures have no URLs associated with them.

Comment 3

[Mike Conley (:mconley) (:⚙️)]

More stack

0 	xul.dll 	mozilla::layers::PLayerTransactionParent::Lookup(int) 	obj-firefox/ipc/ipdl/PHalChild.cpp
1 	xul.dll 	mozilla::plugins::PPluginModuleParent::OnMessageReceived(IPC::Message const&) 	obj-firefox/ipc/ipdl/PPluginModuleParent.cpp
2 	xul.dll 	mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) 	ipc/glue/MessageChannel.cpp
3 	xul.dll 	mozilla::ipc::MessageChannel::DispatchMessageW(IPC::Message const&) 	ipc/glue/MessageChannel.cpp
4 	xul.dll 	mozilla::ipc::MessageChannel::Call(IPC::Message*, IPC::Message*) 	ipc/glue/MessageChannel.cpp
5 	xul.dll 	mozilla::plugins::PPluginScriptableObjectParent::CallInvalidate() 	obj-firefox/ipc/ipdl/PPluginScriptableObjectParent.cpp
6 	xul.dll 	mozilla::plugins::PluginScriptableObjectParent::ScriptableInvalidate(NPObject*) 	dom/plugins/ipc/PluginScriptableObjectParent.cpp
7 	xul.dll 	NPObjWrapperPluginDestroyedCallback 	dom/plugins/base/nsJSNPRuntime.cpp
8 	xul.dll 	nsJSNPRuntime::OnPluginDestroy(_NPP*) 	dom/plugins/base/nsJSNPRuntime.cpp
9 	xul.dll 	nsNPAPIPluginInstance::Stop() 	dom/plugins/base/nsNPAPIPluginInstance.cpp
10 	xul.dll 	nsPluginHost::StopPluginInstance(nsNPAPIPluginInstance*) 	dom/plugins/base/nsPluginHost.cpp
11 	xul.dll 	nsObjectLoadingContent::DoStopPlugin(nsPluginInstanceOwner*, bool, bool) 	dom/base/nsObjectLoadingContent.cpp
12 	xul.dll 	nsObjectLoadingContent::StopPluginInstance() 	dom/base/nsObjectLoadingContent.cpp
13 	xul.dll 	CheckPluginStopEvent::Run() 	dom/base/nsObjectLoadingContent.cpp
14 	xul.dll 	nsBaseAppShell::RunSyncSectionsInternal(bool, unsigned int) 	widget/nsBaseAppShell.cpp
15 	xul.dll 	nsBaseAppShell::AfterProcessNextEvent(nsIThreadInternal*, unsigned int, bool) 	widget/nsBaseAppShell.cpp
16 	xul.dll 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
17 	xul.dll 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
18 	xul.dll 	mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
19 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc
20 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
21 	xul.dll 	nsBaseAppShell::Run() 	widget/nsBaseAppShell.cpp

Comment 4

[George Wright (:gw280) (needinfo me!)]

I'm having serious trouble trying to reproduce this. Wondering if you have any ideas, Bill?

Comment 5

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

The top stack frame doesn't make any sense. When PPluginModuleParent::OnMessageReceived calls Lookup, it's doing a vtable dispatch and somehow ending up in Hal code. That suggests that the memory is invalid. Most likely, the PluginModuleParent has already been freed. That seems quite possible given that we're in the process of shutting down the plugin. Plugin shutdown in e10s is kinda half-baked right now.

You could try to reproduce this by visiting some Flash-heavy pages and closing tabs at random times. I'm somewhat skeptical that will work though.

Besides inspecting the code to see if there's a problem, you could try to find a regression range. It might also help to see if these people are running with async plugin init enabled. I'm not sure if we report that in crash dumps, but we should.

Aaron might have some ideas too.

Comment 6

[George Wright (:gw280) (needinfo me!)]

The testing I've been doing to try and get this to trigger so I can hook up a debugger has been to load lots of twitch.tv streams (which use Flash) and then close tabs randomly. I keep hitting the crash signature for bug 1130734 but still haven't got this one yet.

Comment 7

[(No longer employed by Mozilla) Aaron Klotz]

The PluginModuleParent should not be destroyed yet (and if it were, the PPluginScriptableObjectParent object would be blown away too). I'd sure like to know what the plugin process is trying to do, since it is clearly calling back into the content process. I agree that the top stack frame is silly.

Comment 8

[Jim Mathies [:jimm]]

I really hope bug 1132874 takes this nasty bug with it. We'll see, that patch should land on mc today.

Comment 9

[Jim Mathies [:jimm]]

Appears to be the case:

older than yesterday's build:
https://crash-stats.mozilla.com/search/?product=Firefox&version=40.0a1&signature=~Lookup%28int%29&build_id=%3E20150408000000&_facets=signature&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-signature

71 crashes

older than or equal to today's build:
https://crash-stats.mozilla.com/search/?product=Firefox&version=40.0a1&signature=~Lookup%28int%29&build_id=%3E20150409000000&_facets=signature&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-signature

zero hits