Closed
Bug 1130838
Opened 10 years ago
Closed 10 years ago
crash in mozilla::layers::PLayerTransactionParent::Lookup(int)
Categories
(Core :: Graphics, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1132874
| Tracking | Status | |
|---|---|---|
| e10s | m6+ | --- |
People
(Reporter: jimm, Assigned: jimm)
Details
(Keywords: crash, Whiteboard: gfx-noted)
Crash Data
Combine the two signatures for this together this crash represents #5 top content crasher.
This bug was filed from the Socorro interface and is
report bp-cc01234c-5a03-43f3-8425-21c322150201.
=============================================================
0 xul.dll mozilla::layers::PLayerTransactionParent::Lookup(int) obj-firefox/ipc/ipdl/PHalChild.cpp
1 xul.dll mozilla::plugins::PPluginModuleParent::OnMessageReceived(IPC::Message const&) obj-firefox/ipc/ipdl/PPluginModuleParent.cpp
2 xul.dll mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) ipc/glue/MessageChannel.cpp
3 xul.dll mozilla::ipc::MessageChannel::DispatchMessageW(IPC::Message const&) ipc/glue/MessageChannel.cpp
4 xul.dll mozilla::ipc::MessageChannel::Call(IPC::Message*, IPC::Message*) ipc/glue/MessageChannel.cpp
5 xul.dll mozilla::plugins::PPluginScriptableObjectParent::CallInvalidate() obj-firefox/ipc/ipdl/PPluginScriptableObjectParent.cpp
6 xul.dll mozilla::plugins::PluginScriptableObjectParent::ScriptableInvalidate(NPObject*) dom/plugins/ipc/PluginScriptableObjectParent.cpp
7 xul.dll NPObjWrapperPluginDestroyedCallback dom/plugins/base/nsJSNPRuntime.cpp
8 xul.dll nsJSNPRuntime::OnPluginDestroy(_NPP*) dom/plugins/base/nsJSNPRuntime.cpp
9 xul.dll nsNPAPIPluginInstance::Stop() dom/plugins/base/nsNPAPIPluginInstance.cpp
|
Assignee | |
Updated•10 years ago
|
Crash Signature: [@ mozilla::layers::PLayerTransactionParent::Lookup(int)]
[@ mozilla::hal_sandbox::PHalParent::Lookup(int)] → [@ mozilla::layers::PLayerTransactionParent::Lookup(int)]
[@ mozilla::hal_sandbox::PHalParent::Lookup(int)]
[@ mozilla::layers::PTextureChild::Lookup(int)]
[@ mozilla::hal_sandbox::PHalChild::Lookup(int)]
|
|
Assignee | |
Updated•10 years ago
|
Crash Signature: [@ mozilla::layers::PLayerTransactionParent::Lookup(int)]
[@ mozilla::hal_sandbox::PHalParent::Lookup(int)]
[@ mozilla::layers::PTextureChild::Lookup(int)]
[@ mozilla::hal_sandbox::PHalChild::Lookup(int)] → [@ mozilla::layers::PLayerTransactionParent::Lookup(int)]
[@ mozilla::hal_sandbox::PHalParent::Lookup(int)]
[@ mozilla::layers::PTextureChild::Lookup(int)]
[@ mozilla::hal_sandbox::PHalChild::Lookup(int)]
[@ mozilla::layers::PTextureParent::Lookup(int…
|
||
Updated•10 years ago
|
Flags: needinfo?(gwright)
|
|
Assignee | |
Updated•10 years ago
|
Crash Signature: mozilla::layers::PTextureParent::Lookup(int)]
[@ mozilla::layers::PCompositableChild::Lookup(int)] → mozilla::layers::PTextureParent::Lookup(int)]
[@ mozilla::layers::PCompositableChild::Lookup(int)]
[@ mozilla::ipc::PBackgroundTestChild::Lookup(int)]
|
|
Assignee | |
Updated•10 years ago
|
Crash Signature: mozilla::layers::PTextureParent::Lookup(int)]
[@ mozilla::layers::PCompositableChild::Lookup(int)]
[@ mozilla::ipc::PBackgroundTestChild::Lookup(int)] → mozilla::layers::PTextureParent::Lookup(int)]
[@ mozilla::layers::PCompositableChild::Lookup(int)]
[@ mozilla::ipc::PBackgroundTestChild::Lookup(int)]
[@ mozilla::layers::PLayerTransactionChild::Lookup(int)]
|
||
Comment 1•10 years ago
|
||
kicked back into triage, because no action since needInfo was requested.
Flags: needinfo?(gwright)
|
||
Updated•10 years ago
|
Assignee: nobody → gwright
|
|
||
Comment 2•10 years ago
|
||
[@ mozilla::layers::PLayerTransactionParent::Lookup(int) ] shows only 3 urls. each one with only one crash.
1 http://euw.leagueoflegends.com/de/news/esports/esports-event/iem-katowice-fin...
1 http://www.cursuri-online.info/chineza/chinese-lessons/lesson04/lesson04.htm
1 https://www.meetme.com/
===================================
[@ mozilla::hal_sandbox::PHalChild::Lookup(int) ]
1 http://www.twitch.tv/directory
===================================
[@ mozilla::layers::PLayerTransactionChild::Lookup(int) ]
Total Count URL
5 about:blank
1 http://www.pln.co.id/dataweb/STAT/STAT2010IND.pdf
1 http://www.seratnews.ir/fa/news/225732/%D9%85%D8%AF%D8%B1%D8%B3%D9%87%E2%80%8...
1 https://www.google.com.ua/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0CFIQr...
1 http://www.seratnews.ir/fa/news/231650/%D8%AD%D9%84-%D9%85%D8%B4%DA%A9%D9%84-...
1 http://prntscr.com/6gs9ju
1 http://mohdaahli.blogspot.ae/p/blog-page_20.html
===================================
All of the other signatures have no URLs associated with them.
|
||
Comment 3•10 years ago
|
||
More stack
0 xul.dll mozilla::layers::PLayerTransactionParent::Lookup(int) obj-firefox/ipc/ipdl/PHalChild.cpp
1 xul.dll mozilla::plugins::PPluginModuleParent::OnMessageReceived(IPC::Message const&) obj-firefox/ipc/ipdl/PPluginModuleParent.cpp
2 xul.dll mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) ipc/glue/MessageChannel.cpp
3 xul.dll mozilla::ipc::MessageChannel::DispatchMessageW(IPC::Message const&) ipc/glue/MessageChannel.cpp
4 xul.dll mozilla::ipc::MessageChannel::Call(IPC::Message*, IPC::Message*) ipc/glue/MessageChannel.cpp
5 xul.dll mozilla::plugins::PPluginScriptableObjectParent::CallInvalidate() obj-firefox/ipc/ipdl/PPluginScriptableObjectParent.cpp
6 xul.dll mozilla::plugins::PluginScriptableObjectParent::ScriptableInvalidate(NPObject*) dom/plugins/ipc/PluginScriptableObjectParent.cpp
7 xul.dll NPObjWrapperPluginDestroyedCallback dom/plugins/base/nsJSNPRuntime.cpp
8 xul.dll nsJSNPRuntime::OnPluginDestroy(_NPP*) dom/plugins/base/nsJSNPRuntime.cpp
9 xul.dll nsNPAPIPluginInstance::Stop() dom/plugins/base/nsNPAPIPluginInstance.cpp
10 xul.dll nsPluginHost::StopPluginInstance(nsNPAPIPluginInstance*) dom/plugins/base/nsPluginHost.cpp
11 xul.dll nsObjectLoadingContent::DoStopPlugin(nsPluginInstanceOwner*, bool, bool) dom/base/nsObjectLoadingContent.cpp
12 xul.dll nsObjectLoadingContent::StopPluginInstance() dom/base/nsObjectLoadingContent.cpp
13 xul.dll CheckPluginStopEvent::Run() dom/base/nsObjectLoadingContent.cpp
14 xul.dll nsBaseAppShell::RunSyncSectionsInternal(bool, unsigned int) widget/nsBaseAppShell.cpp
15 xul.dll nsBaseAppShell::AfterProcessNextEvent(nsIThreadInternal*, unsigned int, bool) widget/nsBaseAppShell.cpp
16 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp
17 xul.dll mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp
18 xul.dll mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp
19 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc
20 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc
21 xul.dll nsBaseAppShell::Run() widget/nsBaseAppShell.cpp
|
|
||
Comment 4•10 years ago
|
||
I'm having serious trouble trying to reproduce this. Wondering if you have any ideas, Bill?
Flags: needinfo?(wmccloskey)
The top stack frame doesn't make any sense. When PPluginModuleParent::OnMessageReceived calls Lookup, it's doing a vtable dispatch and somehow ending up in Hal code. That suggests that the memory is invalid. Most likely, the PluginModuleParent has already been freed. That seems quite possible given that we're in the process of shutting down the plugin. Plugin shutdown in e10s is kinda half-baked right now.
You could try to reproduce this by visiting some Flash-heavy pages and closing tabs at random times. I'm somewhat skeptical that will work though.
Besides inspecting the code to see if there's a problem, you could try to find a regression range. It might also help to see if these people are running with async plugin init enabled. I'm not sure if we report that in crash dumps, but we should.
Aaron might have some ideas too.
Flags: needinfo?(wmccloskey) → needinfo?(aklotz)
|
|
||
Comment 6•10 years ago
|
||
The testing I've been doing to try and get this to trigger so I can hook up a debugger has been to load lots of twitch.tv streams (which use Flash) and then close tabs randomly. I keep hitting the crash signature for bug 1130734 but still haven't got this one yet.
|
||
Comment 7•10 years ago
|
||
The PluginModuleParent should not be destroyed yet (and if it were, the PPluginScriptableObjectParent object would be blown away too). I'd sure like to know what the plugin process is trying to do, since it is clearly calling back into the content process. I agree that the top stack frame is silly.
Flags: needinfo?(aklotz)
|
|
||
Updated•10 years ago
|
Assignee: gwright → jmathies
|
|
||
Updated•10 years ago
|
Crash Signature: mozilla::layers::PTextureParent::Lookup(int)]
[@ mozilla::layers::PCompositableChild::Lookup(int)]
[@ mozilla::ipc::PBackgroundTestChild::Lookup(int)]
[@ mozilla::layers::PLayerTransactionChild::Lookup(int)] → mozilla::layers::PTextureParent::Lookup(int)]
[@ mozilla::layers::PCompositableChild::Lookup(int)]
[@ mozilla::ipc::PBackgroundTestChild::Lookup(int)]
[@ mozilla::layers::PLayerTransactionChild::Lookup(int)]
[@ mozilla::layers::PLayerChild::Lookup(in…
|
|
Assignee | |
Comment 8•10 years ago
|
||
I really hope bug 1132874 takes this nasty bug with it. We'll see, that patch should land on mc today.
Depends on: 1132874
|
|
Assignee | |
Comment 9•10 years ago
|
||
Appears to be the case:
older than yesterday's build:
https://crash-stats.mozilla.com/search/?product=Firefox&version=40.0a1&signature=~Lookup%28int%29&build_id=%3E20150408000000&_facets=signature&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-signature
71 crashes
older than or equal to today's build:
https://crash-stats.mozilla.com/search/?product=Firefox&version=40.0a1&signature=~Lookup%28int%29&build_id=%3E20150409000000&_facets=signature&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-signature
zero hits
You need to log in
before you can comment on or make changes to this bug.
Description
•