1041457 - [e10s] Tab crashes on certain page with Adblock Plus+ Tofu Filter if browser.tabs.remote.autostart = true

Status: VERIFIED FIXED

(Core :: General, defect)

Description

[Alice0775 White]

Build Identifier:
https://hg.mozilla.org/mozilla-central/rev/0894d2cdb16d
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 ID:20140720030203

Tab crashes when browser.tabs.remote.autostart = true.
However,
Tab does not crash on e10s window(browser.tabs.remote.autostart = false).

Steps To Reproduce:
1. Make sure e10s, set browser.tabs.remote.autostart = true and restart
2. Install Adblock Plus development build
   https://adblockplus.org/devbuilds/adblockplus/00latest.xpi
3. Subscribe 豆腐フィルタ(Tofu Filter) which is a famous filter for Japanese site.
   Open http://tofukko.r.ribbon.to/abp.html
   Click a link of "フィルタを購読する"
4. Open a certain web page http://blogs.yahoo.co.jp/alice0775

Actual Results:
Tab crashed

Expected Results:
Tab should not crash

Comment 1

[Alice0775 White]

Attachment: tofu_filter.txt

Comment 2

[Alice0775 White]

Tested with Adblock Plus 2.6.3.3849

Comment 3

[Alice0775 White]

Regression window(m-c)
Good:
https://hg.mozilla.org/mozilla-central/rev/31c5d0a5115d
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 ID:20140715053734
Bad:
https://hg.mozilla.org/mozilla-central/rev/d2d56f9066bf
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 ID:20140715055935
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=31c5d0a5115d&tochange=d2d56f9066bf


Regression window(m-i)
Good:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c93d64f6a76a
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 ID:20140714104309
Bad:
https://hg.mozilla.org/integration/mozilla-inbound/rev/692a0f99d09d
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 ID:20140714105411
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=c93d64f6a76a&tochange=692a0f99d09d

Regressed by:
692a0f99d09d	Mike Conley — Bug 1002354 - Proxy nsIScreenManager and nsIScreen's from the child process to the parent process, with caching. r=roc,jimm,smichaud,snorp. Changes to nsIScreen and nsIScreenManager were reviewed by roc. Changes to dom/ipc were reviewed by jimm. Changes to gfx/src/nsDeviceContext.cpp were reviewed by roc. Changes to widget/android were reviewed by snorp. Changes to widget/cocoa were reviewed by smichaud. Changes to widget/gtk were reviewed by roc. Changes to widget/windows were reviewed by jimm. Changes to widget/xpwidgets were reviewed by roc.

Comment 4

[Mike Conley (:mconley) (:⚙️)]

Interesting - do you have a crash report you can attach too, Alice? Tab crashes should be listed in about:crashes too.

Comment 5

[Chris Peterson [:cpeterson]]

Alice: does this crash only happen when using the Tofu Filter?

Comment 6

[Alice0775 White]

(In reply to Mike Conley (:mconley) from comment #4)
> Interesting - do you have a crash report you can attach too, Alice? Tab
> crashes should be listed in about:crashes too.

bp-c56bfe23-187e-4e61-8584-13a292140722

Comment 7

[Alice0775 White]

(In reply to Chris Peterson (:cpeterson) from comment #5)
> Alice: does this crash only happen when using the Tofu Filter?

Tab also crashes with "ABP Japanese Filters (日本語)"

Steps to add the filter:
1. Open "Filter preferences…" (Ctrl+Shift+F)
2. Click [Add filter subscription…]
3. Click textlink "Add a different subscription"
3. Select "ABP Japanese Filters (日本語)"
5. Click [Add subscription] button

Comment 8

[Jim Mathies [:jimm]]

(In reply to Alice0775 White from comment #6)
> (In reply to Mike Conley (:mconley) from comment #4)
> > Interesting - do you have a crash report you can attach too, Alice? Tab
> > crashes should be listed in about:crashes too.
> 
> bp-c56bfe23-187e-4e61-8584-13a292140722

ProcessPendingUrgentRequest() is on the stack, and we're trying to send a sync request for a screen.

I've run into this in another case with some gfx related urgent messages, I'm not sure how we work around this.

Comment 9

[Grant]

Not just on Japanese filters, does it on this site for me with ABP installed too:

http://www.explosm.net/comics/new/

Comment 10

[Alice0775 White]

(In reply to Grant from comment #9)
> Not just on Japanese filters, does it on this site for me with ABP installed
> too:
> 
> http://www.explosm.net/comics/new/

Regression range is different. I filed separate Bug 1042587 .

Comment 12

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

Attachment: rpc-for-screen

Comment 13

[Mike Conley (:mconley) (:⚙️)]

Comment on attachment 8465809 [details] [diff] [review]
rpc-for-screen

Review of attachment 8465809 [details] [diff] [review]:
-----------------------------------------------------------------

This looks good to me. It's a shame that we have to change all of the method signatures like this, when we should probably just change the message type in ipdl, but whatever.

Thanks!

Comment 14

[Jim Mathies [:jimm]]

Comment on attachment 8465809 [details] [diff] [review]
rpc-for-screen

after a discussion on how this fixes this crash - rpc is allowed to make out calls from within processing of urgent message in the child.

Comment 15

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/9f4d1a20f5b3

Comment 16

[Nigel Babu [:nigelb]]

https://hg.mozilla.org/mozilla-central/rev/9f4d1a20f5b3

Comment 17

[Bogdan Maris, Desktop Test Engineering]

Reproduced the initial issue on old Nightly (2014-07-21), verified that the issue is fixed on latest Nightly 35.0a1. Since target milestone is set to 34 I will set the tracking flag as affected because this issue still exists in Aurora 34.0a2.