Closed
Bug 1199862
Opened 9 years ago
Closed 9 years ago
[e10s] crash in nsCOMPtr_base::assign_with_AddRef(nsISupports*zilla::net::HttpChannelParent::RecvDivertOnStopRequest(nsresult const&))
Categories
(Core :: Networking: HTTP, defect)
Tracking
()
RESOLVED
FIXED
mozilla43
People
(Reporter: epinal99-bugzilla2, Assigned: dragana)
References
Details
(Keywords: crash, reproducible, Whiteboard: [mozfr-community])
Crash Data
Attachments
(1 file, 2 obsolete files)
9.83 KB,
patch
|
dragana
:
review+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is report bp-0db3adb3-c266-4749-bde5-977732150829. ============================================================= I hit this crash when testing bug 1199782. 1) Start Nightly in e10s mode 2) Open http://agpl.fsf.org/emailselfdefense.fsf.org/edward/CURRENT/ and click on the file "edward.tgz.sig" to download it 3) Close immediately the error dialog box (yellow triangle) by clicking on the X button Sometimes it doesn't crash, just spam the X button of the error dialog box to crash, it's a matter of "timing", I guess. Result: all the browser crashes! 2 CR with similar signatures: Firefox 43.0a1 Crash Report [@ nsCOMPtr_base::assign_with_AddRef(nsISupports*) | PL_HashTableLookupConst | mozilla::net::HttpChannelParent::RecvDivertOnStopRequest(nsresult const&) ] https://crash-stats.mozilla.com/report/index/54875785-4431-49ac-b012-91cd02150829 Firefox 43.0a1 Crash Report [@ nsCOMPtr_base::assign_with_AddRef(nsISupports*) | mozilla::net::HttpChannelParentListener::OnStopRequest(nsIRequest*, nsISupports*, nsresult) ] https://crash-stats.mozilla.com/report/index/8e1c1ea6-ae8d-4c02-877a-73e142150829
Summary: [e10s] crash in nsCOMPtr_base::assign_with_AddRef(nsISupports*zilla::net::HttpChannelParent::RecvDivertOnStopRequest(nsresult const&)) | PL_HashTableLookupConst | mo → [e10s] crash in nsCOMPtr_base::assign_with_AddRef(nsISupports*zilla::net::HttpChannelParent::RecvDivertOnStopRequest(nsresult const&))
Assignee | ||
Comment 1•9 years ago
|
||
The analysis: HttpChannelParent calls StopRequest of the listener which prompt the error dialog and does not return from the function but calls next function in the queue. On of the next functions is RecvDivertComplited which deletes the listener. So when the prompt returns it finish the function on already destroyed listener and that crashes.
Assignee | ||
Updated•9 years ago
|
Assignee: nobody → dd.mozilla
Status: NEW → ASSIGNED
Comment 2•9 years ago
|
||
This sounds like the problem with sync XHR/alert that we fixed back in 2010 by creating a queue of IPDL necko events and deferring running them until after we return from the listener calls. What changed?
Comment 3•9 years ago
|
||
Oh, this is happening in the parent this time :(
Assignee | ||
Comment 4•9 years ago
|
||
Attachment #8655367 -
Flags: review?(jduell.mcbugs)
Assignee | ||
Comment 5•9 years ago
|
||
Attachment #8655367 -
Attachment is obsolete: true
Attachment #8655367 -
Flags: review?(jduell.mcbugs)
Attachment #8655451 -
Flags: review?(jduell.mcbugs)
Assignee | ||
Comment 6•9 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=48b47970f0e0
Updated•9 years ago
|
tracking-e10s:
--- → m8+
Comment 7•9 years ago
|
||
Comment on attachment 8655451 [details] [diff] [review] bug_1199862_v1.patch Review of attachment 8655451 [details] [diff] [review]: ----------------------------------------------------------------- This looks good to me. I assume you've tested it against the STR in comment 0? In HttpChannelChild we hook :Suspend() so it also calls Suspend on the ChannelEventQueue. I was wondering if we need something like that here. Looking over the existing code (and with this patch) I'm under the impression that our DivertTo logic does not handle the case where we 1) DivertTo() a channel on the parent, and then 2) some external code (download manager) suspends that channel during the IPDL diversion process. It looks to me like we just call OnStartRequest/OnDataAvailable as the diverted IPDL messages arrive. I think that's a bug (though one that's unlikely to happen in practice, unless a user tried to suspend a download immediately after they start it--even that might be hard to human fingers to do in time?). Fortunately enough, adding mEventQueue to the parent should make fixing that easier. I assume we'd need to check the suspendCount of mChannel each time a diverted message arrives, and if it's >1 (i.e. if the channel has been suspended more than just when we did it as part of SuspendForDiversion()), then we could queue the message. Except we'd need some notification of when the channel was resumed back down to count==1. That may be a little messy. Anyway, if I'm right about this, it's clearly a new bug, and shouldn't block this one. But think over it, and file a bug if you also agree we've got a bug here.
Attachment #8655451 -
Flags: review?(jduell.mcbugs) → review+
Updated•9 years ago
|
Flags: needinfo?(dd.mozilla)
Assignee | ||
Comment 8•9 years ago
|
||
(In reply to Jason Duell [:jduell] (needinfo? me) from comment #7) > Comment on attachment 8655451 [details] [diff] [review] > bug_1199862_v1.patch > > Review of attachment 8655451 [details] [diff] [review]: > ----------------------------------------------------------------- > > This looks good to me. I assume you've tested it against the STR in comment > 0? > > In HttpChannelChild we hook :Suspend() so it also calls Suspend on the > ChannelEventQueue. I was wondering if we need something like that here. > Looking over the existing code (and with this patch) I'm under the > impression that our DivertTo logic does not handle the case where we 1) > DivertTo() a channel on the parent, and then 2) some external code (download > manager) suspends that channel during the IPDL diversion process. It looks > to me like we just call OnStartRequest/OnDataAvailable as the diverted IPDL > messages arrive. I think that's a bug (though one that's unlikely to happen > in practice, unless a user tried to suspend a download immediately after > they start it--even that might be hard to human fingers to do in time?). > Fortunately enough, adding mEventQueue to the parent should make fixing that > easier. I assume we'd need to check the suspendCount of mChannel each time > a diverted message arrives, and if it's >1 (i.e. if the channel has been > suspended more than just when we did it as part of SuspendForDiversion()), > then we could queue the message. Except we'd need some notification of when > the channel was resumed back down to count==1. That may be a little messy. > Anyway, if I'm right about this, it's clearly a new bug, and shouldn't block > this one. But think over it, and file a bug if you also agree we've got a > bug here. I will file another bug for this.
Flags: needinfo?(dd.mozilla)
Assignee | ||
Updated•9 years ago
|
Keywords: checkin-needed
Comment 9•9 years ago
|
||
Hi, this patch failed to apply: patching file netwerk/protocol/http/HttpChannelParent.h Hunk #1 FAILED at 152 1 out of 2 hunks FAILED -- saving rejects to file netwerk/protocol/http/HttpChannelParent.h.rej could you take a look, thanks!
Flags: needinfo?(dd.mozilla)
Keywords: checkin-needed
Assignee | ||
Comment 10•9 years ago
|
||
Rebased. Thanks!
Attachment #8655451 -
Attachment is obsolete: true
Flags: needinfo?(dd.mozilla)
Attachment #8656484 -
Flags: review+
Assignee | ||
Updated•9 years ago
|
Keywords: checkin-needed
Comment 11•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/ef818b20a5d8
Keywords: checkin-needed
Comment 12•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/ef818b20a5d8
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
You need to log in
before you can comment on or make changes to this bug.
Description
•