Closed Bug 1169200 Opened 9 years ago Closed 9 years ago

Using fast search suggestions on Duckduckgo cause a browser crash

Categories

(Core :: Graphics, defect)

ARM
Gonk (Firefox OS)
defect
Not set
normal

Tracking

()

VERIFIED FIXED
mozilla41
blocking-b2g 2.2+
Tracking Status
firefox39 --- wontfix
firefox40 --- wontfix
firefox41 --- fixed
b2g-v2.1 --- unaffected
b2g-v2.2 --- verified
b2g-master --- verified

People

(Reporter: clement.lefevre, Assigned: sotaro)

Details

(Keywords: regression)

Attachments

(6 files)

Using fast search suggestions on the Duckduckgo result page will cause a browser crash.

STR:

- Go on duckduckgo.com and do a first search, or do a search while DDG is your default search engine.
- After this first search is done, on the result page, type in the search field some things and click on one of the lines in the suggestions list.
- While it should do the search corresponding to the line you clicked on, it will crash the browser.

Reproducing every time. Last nightly build/master:

Build ID               20150528004612
Build Type             user
Gaia Revision          05380df3158fa39e1dde1687c0bf11a71f8c6868
Gaia Date              2015-05-27 06:27:27
Gecko Revision         https://hg.mozilla.org/mozilla-central/rev/baa9c64fea6f
Gecko Version          41.0a1
Device Name            flame
Firmware(Release)      4.4.2
Firmware(Incremental)  eng.cltbld.20150212.043653
Firmware Date          Thu Feb 12 04:37:04 EST 2015
Bootloader             L1TC000118D0
Branch check needed
2.2 is also affected, however the repro rate is lowered to about 1 in 5 attempts.

Device: Flame (KK, full flashed, 319MB)
BuildID: 20150528002504
Gaia: 999bc627063d16c20f703e702f31a5cf0da8b4a6
Gecko: 351101ec82ba
Gonk: bd9cb3af2a0354577a6903917bc826489050b40d
Version: 37.0 (2.2) 
Firmware Version: v18D-1
User Agent: Mozilla/5.0 (Mobile; rv:37.0) Gecko/37.0 Firefox/37.0

---

2.1 seems unaffected. Bug repro rate is 0 out of 10 attempts.

Device: Flame (KK, full flashed, 319MB)
BuildID: 20150528001205
Gaia: 2304a1f6327c2ccf35d6995ee16f2231ed1f22a3
Gecko: 894528758073
Gonk: bd9cb3af2a0354577a6903917bc826489050b40d
Version: 34.0 (2.1) 
Firmware Version: v18D-1
User Agent: Mozilla/5.0 (Mobile; rv:34.0) Gecko/34.0 Firefox/34.0

-----

Not adding regression window wanted tag because according to the 2.2 results, the reproduction rate will only go lower to a point that we can't distinguish whether a build is reproducing the bug or not and the window will be inaccurate.
Status: UNCONFIRMED → NEW
QA Whiteboard: [QAnalyst-Triage?]
Ever confirmed: true
Flags: needinfo?(ktucker)
Keywords: qawanted
Can we get a crash ID?
Oh and is it only on 319MB configurations?
Whiteboard: [systemsfe]
It's a browser closing situation so there's no crash log.

QAwanted for the question at comment 4.
Keywords: qawanted
Attached file logcat of issue
I uploaded a logcat reproducing the issue. And this issue occurs on 3.0 regardless of memory settings. It occurred in 2 out of 2 attempts on 1GB RAM.
QA Whiteboard: [QAnalyst-Triage?] → [QAnalyst-Triage+]
Flags: needinfo?(ktucker)
Attached file logcat.txt
I got this in the browser:

W/Browser ( 5467): [JavaScript Warning: "SyntaxError: unreachable code after return statement" {file: "https://duckduckgo.com/d1782.js" line: 61 column: 143371 source: "mpty");this._hasText=1}}},_updateOverlay:function(n){return;if(!this.$input){return}n=n||this.$input.val();var m=this.ge"}]

I got some IPDL errors and then died a quiet death (no crash reporter)
This browser stays up in 2.0 (had it on a different device because of other testing)
[Blocking Requested - why for this release]: we shouldn't choke on this.
blocking-b2g: --- → 2.2?
Flags: needinfo?(anygregor)
That's just a warning. I doubt this causes any damage.
Flags: needinfo?(anygregor)
We need to attach with gdb and see what's going on.
Attached file gdb and logcat
Milan, any ideas?
Flags: needinfo?(milan)
Component: Gaia::Browser → Graphics
Product: Firefox OS → Core
I'd imagine the graphics is just accidentally mentioned here, looks like ipc may be in bad shape already. I'm probably wrong - Sotaro, anything you see that points to graphics?
Flags: needinfo?(milan) → needinfo?(sotaro.ikeda.g)
I'll take a look.
Assignee: nobody → sotaro.ikeda.g
Flags: needinfo?(sotaro.ikeda.g)
Whiteboard: [systemsfe]
I confirmed that I can reproduce the crash on my master flame-kk.
When the problem happens, TileClient::DiscardFrontBuffer() is called from TiledContentClient::~TiledContentClient().

In the past, ~TiledContentClient() was called from outside of LayerTransaction. But on current master, ~TiledContentClient() is called during a transaction.
The direct cause of the crash is an invalid 'OpRemoveTextureAsync' message sent to an already deleted PCompositable. The problematic message is added by ShadowLayerForwarder::RemoveTextureFromCompositableAsync()
  https://dxr.mozilla.org/mozilla-central/source/gfx/layers/ipc/ShadowLayers.cpp#428

When TiledContentClient::~TiledContentClient() is called during a layer transaction, 'OpRemoveTextureAsync' is sent as part of the layer transaction. But before the message is sent, CompositableClient::Destroy() is called within the destructor and PCompositable becomes invalid. This causes the IPC error and the child process is killed.
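
The ordering problem described in the comment above, reduced to a small self-contained C++ model (an added example, not Gecko code and not the attached patch). `Op`, `Parent`, `Forwarder`, `TeardownDuringTransaction` and the ids 7 and 42 are hypothetical; the "send first" path only mirrors the title of the attached patch ("Send OpRemoveTextureAsync before actor destroyed"), since the patch itself is not shown on this page.

```cpp
// Simplified model of the ordering bug; NOT Gecko code. All types are hypothetical.
#include <cstdio>
#include <set>
#include <vector>

struct Op { int compositableId; int textureId; };  // stands in for OpRemoveTextureAsync

// Parent (compositor) side: validates every op against its table of live actors.
struct Parent {
    std::set<int> liveCompositables;
    // Returns false on the first op naming a dead actor (the IPC error that kills the child).
    bool Receive(const std::vector<Op>& ops) {
        for (const Op& op : ops)
            if (!liveCompositables.count(op.compositableId)) return false;
        return true;
    }
};

// Child (content) side: ops queued during a transaction are sent when it ends.
struct Forwarder {
    Parent& parent;
    std::vector<Op> pending;
    bool childAlive = true;
    explicit Forwarder(Parent& p) : parent(p) {}
    void RemoveTextureAsync(int comp, int tex) { pending.push_back({comp, tex}); }
    void Flush() {
        if (!pending.empty() && !parent.Receive(pending)) childAlive = false;
        pending.clear();
    }
    void DestroyCompositable(int comp) { parent.liveCompositables.erase(comp); }
};

// Tear down compositable 7 in the middle of a transaction.
// sendBeforeDestroy=false: op is queued, actor destroyed, op sent at end of transaction.
// sendBeforeDestroy=true : queued op is flushed first, then the actor is destroyed.
bool TeardownDuringTransaction(bool sendBeforeDestroy) {
    Parent parent;
    parent.liveCompositables.insert(7);
    Forwarder fwd(parent);
    fwd.RemoveTextureAsync(7, 42);        // destructor discards its front buffer
    if (sendBeforeDestroy) fwd.Flush();   // message reaches a still-valid actor
    fwd.DestroyCompositable(7);           // actor becomes invalid
    fwd.Flush();                          // end of transaction
    return fwd.childAlive;
}

int main() {
    std::printf("destroy first: child alive = %d\n", TeardownDuringTransaction(false));
    std::printf("send first:    child alive = %d\n", TeardownDuringTransaction(true));
}
```
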
This is a bit of a dirty fix. But it is necessary for gonk's tiled layer.
Attachment #8613677 - Flags: review?(nical.bugzilla)
Attachment #8613677 - Flags: review?(nical.bugzilla) → review+
blocking-b2g: 2.2? → 2.2+
https://hg.mozilla.org/mozilla-central/rev/ba3687909f5a
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
Please request b2g37 approval on this when you get a chance.
Flags: needinfo?(sotaro.ikeda.g)
Comment on attachment 8613677 [details] [diff] [review]
patch - Send OpRemoveTextureAsync before actor destroyed

NOTE: Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 1027088
User impact if declined: browser/application crash could happen.
Testing completed: locally tested.
Risk to taking this patch (and alternatives if risky): low
String or UUID changes made by this patch: none
Flags: needinfo?(sotaro.ikeda.g)
Attachment #8613677 - Flags: approval-mozilla-b2g37?
Keywords: verifyme
(In reply to Sotaro Ikeda [:sotaro] from comment #22)
> Comment on attachment 8613677 [details] [diff] [review]
> patch - Send OpRemoveTextureAsync before actor destroyed
> 
> NOTE: Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to
> better understand the B2G approval process and landings.
> 
> [Approval Request Comment]
> Bug caused by (feature/regressing bug #): Bug 1027088
> User impact if declined: browser/application crash could happen.
> Testing completed: locally tested.
> Risk to taking this patch (and alternatives if risky): low
> String or UUID changes made by this patch: none

Sotaro,
Is it possible to add UT for this?
Flags: needinfo?(sotaro.ikeda.g)
> 
> Sotaro,
> Is it possible to add UT for this?

I do not think it is possible. We could not anticipate Layout's layer destruction timing.
Flags: needinfo?(sotaro.ikeda.g)
This bug has been verified as "pass" on latest build of Flame v3.0 by the STR in Comment 0.

Actual results: It does not crash anymore when searching in "duckduckgo.com" (or do a search while DDG is your default search engine).
See attachment: verified_v3.0.mp4
Reproduce rate: 0/15


Device: Flame v3.0 build(Pass, eng build)
Build ID               20150611160204
Gaia Revision          68269e7b6510930eb2f644f69d27d456c1bdec75
Gaia Date              2015-06-10 23:36:01
Gecko Revision         https://hg.mozilla.org/mozilla-central/rev/9ebd530c5843
Gecko Version          41.0a1
Device Name            flame
Firmware(Release)      4.4.2
Firmware(Incremental)  eng.cltbld.20150611.193436
Firmware Date          Thu Jun 11 19:34:48 EDT 2015
Bootloader             L1TC000118D0

Device: Flame v3.0 build(Pass, user build)
Build ID               20150611160204
Gaia Revision          68269e7b6510930eb2f644f69d27d456c1bdec75
Gaia Date              2015-06-10 23:36:01
Gecko Revision         https://hg.mozilla.org/mozilla-central/rev/9ebd530c5843
Gecko Version          41.0a1
Device Name            flame
Firmware(Release)      4.4.2
Firmware(Incremental)  eng.cltbld.20150611.193057
Firmware Date          Thu Jun 11 19:31:07 EDT 2015
Bootloader             L1TC000118D0

--------------------------------------------------
Leaving "verifyme" for v2.2 uplift & verification.
QA Whiteboard: [QAnalyst-Triage+] → [QAnalyst-Triage+][MGSEI-Triage+]
Attachment #8613677 - Flags: approval-mozilla-b2g37? → approval-mozilla-b2g37+
This bug has been verified as "pass" on latest Nightly build of Flame v2.2 by the STR in Comment 0.

Actual results: It does not crash anymore when searching in "duckduckgo.com" (or do a search while DDG is your default search engine).
See attachment: verified_v2.2.mp4
Reproduce rate: 0/40.


Device: Flame v2.2 build(Verified)
Build ID               20150617162515
Gaia Revision          3414b07dc489976bf510fd8042c0af3b1192c160
Gaia Date              2015-06-16 22:04:56
Gecko Revision         https://hg.mozilla.org/releases/mozilla-b2g37_v2_2/rev/a2db74491088
Gecko Version          37.0
Device Name            flame
Firmware(Release)      4.4.2
Firmware(Incremental)  eng.cltbld.20150617.195246
Firmware Date          Wed Jun 17 19:52:58 EDT 2015
Bootloader             L1TC000118D0
Status: RESOLVED → VERIFIED
Keywords: verifyme