Closed
Bug 1169200
Opened 9 years ago
Closed 9 years ago
Using fast search suggestions on Duckduckgo cause a browser crash
Categories
(Core :: Graphics, defect)
Tracking
()
People
(Reporter: clement.lefevre, Assigned: sotaro)
Details
(Keywords: regression)
Attachments
(6 files)
666.31 KB,
text/plain
|
Details | |
245.98 KB,
text/plain
|
Details | |
10.77 KB,
text/plain
|
Details | |
4.28 KB,
patch
|
nical
:
review+
jocheng
:
approval-mozilla-b2g37+
|
Details | Diff | Splinter Review |
6.81 MB,
video/mp4
|
Details | |
5.11 MB,
video/3gpp
|
Details |
Using fast search suggestions on the Duckduckgo result page will cause a browser crash. STR: - Go on duckduckgo.com and do a first search, or do a search while DDG is your default search engine. - After this first search is done, on the result page, type in the search field some things and click on one of the lines in the suggestions list. - While it should do the search corresponding on the line you clicked on, it will crash the browser. Reproducing everytime. Last nightly build/master: Build ID 20150528004612 Build Type user Gaia Revision 05380df3158fa39e1dde1687c0bf11a71f8c6868 Gaia Date 2015-05-27 06:27:27 Gecko Revision https://hg.mozilla.org/mozilla-central/rev/baa9c64fea6f Gecko Version 41.0a1 Device Name flame Firmware(Release) 4.4.2 Firmware(Incremental) eng.cltbld.20150212.043653 Firmware Date Thu Feb 12 04:37:04 EST 2015 Bootloader L1TC000118D0
Reporter | ||
Updated•9 years ago
|
Comment 2•9 years ago
|
||
2.2 is also affected, however the repro rate is lowered to about 1 in 5 attempts. Device: Flame (KK, full flashed, 319MB) BuildID: 20150528002504 Gaia: 999bc627063d16c20f703e702f31a5cf0da8b4a6 Gecko: 351101ec82ba Gonk: bd9cb3af2a0354577a6903917bc826489050b40d Version: 37.0 (2.2) Firmware Version: v18D-1 User Agent: Mozilla/5.0 (Mobile; rv:37.0) Gecko/37.0 Firefox/37.0 --- 2.1 seems unaffected. Bug repro rate is 0 out of 10 attempts. Device: Flame (KK, full flashed, 319MB) BuildID: 20150528001205 Gaia: 2304a1f6327c2ccf35d6995ee16f2231ed1f22a3 Gecko: 894528758073 Gonk: bd9cb3af2a0354577a6903917bc826489050b40d Version: 34.0 (2.1) Firmware Version: v18D-1 User Agent: Mozilla/5.0 (Mobile; rv:34.0) Gecko/34.0 Firefox/34.0 ----- Not adding regression window wanted tag because according to the 2.2 results, the reproduction rate will only go lower to a point that we can't distinguish whether a build is reproducing the bug or not and the window will be inaccurate.
Status: UNCONFIRMED → NEW
QA Whiteboard: [QAnalyst-Triage?]
status-b2g-v2.1:
--- → unaffected
status-b2g-v2.2:
--- → affected
status-b2g-master:
--- → affected
Ever confirmed: true
Flags: needinfo?(ktucker)
Keywords: qawanted
Comment 3•9 years ago
|
||
Can we get a crash ID?
Comment 5•9 years ago
|
||
It's a browser closing situation so there's no crash log. QAwanted for the question at comment 4.
Keywords: qawanted
Comment 6•9 years ago
|
||
I uploaded a logcat reproducing the issue. And this issue occurs on 3.0 regardless of memory settings. It occurred 2 out of 2 attempts on 1GB RAM.
Updated•9 years ago
|
QA Whiteboard: [QAnalyst-Triage?] → [QAnalyst-Triage+]
Flags: needinfo?(ktucker)
I got this in the browser: W/Browser ( 5467): [JavaScript Warning: "SyntaxError: unreachable code after return statement" {file: "https://duckduckgo.com/d1782.js" line: 61 column: 143371 source: "mpty");this._hasText=1}}},_updateOverlay:function(n){return;if(!this.$input){return}n=n||this.$input.val();var m=this.ge"}] I got some IPDL errors and then died a quiet death ( no crash reporter ) This browser stays up in 2.0 (had it on a different device because of other testing)
[Blocking Requested - why for this release]: we shouldn't choke on this.
blocking-b2g: --- → 2.2?
Flags: needinfo?(anygregor)
Comment 9•9 years ago
|
||
Thats just a warning. I doubt this causes any damage.
Flags: needinfo?(anygregor)
Comment 10•9 years ago
|
||
We need to attach with gdb and see whats going on.
Updated•9 years ago
|
Component: Gaia::Browser → Graphics
Product: Firefox OS → Core
I'd imagine the graphics is just accidentally mentioned here, looks like ipc may be in bad shape already. I'm probably wrong - Sotaro, anything you see that points to graphics?
Flags: needinfo?(milan) → needinfo?(sotaro.ikeda.g)
Assignee | ||
Comment 13•9 years ago
|
||
I take a look.
Assignee: nobody → sotaro.ikeda.g
Flags: needinfo?(sotaro.ikeda.g)
Updated•9 years ago
|
Whiteboard: [systemsfe]
Assignee | ||
Comment 14•9 years ago
|
||
I confirmed to reproduce the crash on my master flame-kk.
Assignee | ||
Comment 15•9 years ago
|
||
When the problem happens, TileClient::DiscardFrontBuffer() is called from TiledContentClient::~TiledContentClient(). In the past, ~TiledContentClient() was called from out side of LayerTransaction. But on current master, ~TiledContentClient() is called during transaction.
Assignee | ||
Comment 16•9 years ago
|
||
Direct cause of the crash is caused by invalid 'OpRemoveTextureAsync' message to already deleted PCompositable. The problematic message is added by ShadowLayerForwarder::RemoveTextureFromCompositableAsync() https://dxr.mozilla.org/mozilla-central/source/gfx/layers/ipc/ShadowLayers.cpp#428 When TiledContentClient::~TiledContentClient() is called during layer transaction, 'OpRemoveTextureAsync' is sent as part of layer transaction. But before the message sending, CompositableClient::Destroy() is called within the destructor and PCompositable becomes invalid before message sending. It causes the IPC error and the child process was killed.
Assignee | ||
Comment 17•9 years ago
|
||
This is a bit dirty fix. But it is necessary for gonk's tiled layer.
Assignee | ||
Updated•9 years ago
|
Attachment #8613677 -
Flags: review?(nical.bugzilla)
Assignee | ||
Comment 18•9 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=03998bf03b4b
Updated•9 years ago
|
Attachment #8613677 -
Flags: review?(nical.bugzilla) → review+
Updated•9 years ago
|
blocking-b2g: 2.2? → 2.2+
https://hg.mozilla.org/mozilla-central/rev/ba3687909f5a
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox41:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
Comment 21•9 years ago
|
||
Please request b2g37 approval on this when you get a chance.
Assignee | ||
Comment 22•9 years ago
|
||
Comment on attachment 8613677 [details] [diff] [review] patch - Send OpRemoveTextureAsync before actor destroyed NOTE: Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings. [Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 1027088 User impact if declined: browser/application crash could happen. Testing completed: locally tested. Risk to taking this patch (and alternatives if risky): low String or UUID changes made by this patch: none
Flags: needinfo?(sotaro.ikeda.g)
Attachment #8613677 -
Flags: approval-mozilla-b2g37?
Comment 23•9 years ago
|
||
(In reply to Sotaro Ikeda [:sotaro] from comment #22) > Comment on attachment 8613677 [details] [diff] [review] > patch - Send OpRemoveTextureAsync before actor destroyed > > NOTE: Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to > better understand the B2G approval process and landings. > > [Approval Request Comment] > Bug caused by (feature/regressing bug #): Bug 1027088 > User impact if declined: browser/application crash could happen. > Testing completed: locally tested. > Risk to taking this patch (and alternatives if risky): low > String or UUID changes made by this patch: none Sotaro, Is it possible to add UT for this?
Flags: needinfo?(sotaro.ikeda.g)
Assignee | ||
Comment 24•9 years ago
|
||
>
> Sotaro,
> Is it possible to add UT for this?
I do not think it is possible. We could not anticipate Layout's layer destruction timing.
Flags: needinfo?(sotaro.ikeda.g)
Comment 25•9 years ago
|
||
This bug has been verified as "pass" on latest build of Flame v3.0 by the STR in Comment 0. Actual results: It does not crash anymore when searching in "duckduckgo.com" (or do a search while DDG is your default search engine). See attachment: verified_v3.0.mp4 Reproduce rate: 0/15 Device: Flame v3.0 build(Pass, eng build) Build ID 20150611160204 Gaia Revision 68269e7b6510930eb2f644f69d27d456c1bdec75 Gaia Date 2015-06-10 23:36:01 Gecko Revision https://hg.mozilla.org/mozilla-central/rev/9ebd530c5843 Gecko Version 41.0a1 Device Name flame Firmware(Release) 4.4.2 Firmware(Incremental) eng.cltbld.20150611.193436 Firmware Date Thu Jun 11 19:34:48 EDT 2015 Bootloader L1TC000118D0 Device: Flame v3.0 build(Pass, user build) Build ID 20150611160204 Gaia Revision 68269e7b6510930eb2f644f69d27d456c1bdec75 Gaia Date 2015-06-10 23:36:01 Gecko Revision https://hg.mozilla.org/mozilla-central/rev/9ebd530c5843 Gecko Version 41.0a1 Device Name flame Firmware(Release) 4.4.2 Firmware(Incremental) eng.cltbld.20150611.193057 Firmware Date Thu Jun 11 19:31:07 EDT 2015 Bootloader L1TC000118D0 -------------------------------------------------- Leaving "verifyme" for v2.2 uplift & verification.
Comment 26•9 years ago
|
||
Updated•9 years ago
|
QA Whiteboard: [QAnalyst-Triage+] → [QAnalyst-Triage+][MGSEI-Triage+]
Updated•9 years ago
|
Attachment #8613677 -
Flags: approval-mozilla-b2g37? → approval-mozilla-b2g37+
Comment 28•9 years ago
|
||
This bug has been verified as "pass" on latest Nightly build of Flame v2.2 by the STR in Comment 0. Actual results: It does not crash anymore when searching in "duckduckgo.com" (or do a search while DDG is your default search engine). See attachment: verified_v2.2.mp4 Reproduce rate: 0/40. Device: Flame v2.2 build(Verified) Build ID 20150617162515 Gaia Revision 3414b07dc489976bf510fd8042c0af3b1192c160 Gaia Date 2015-06-16 22:04:56 Gecko Revision https://hg.mozilla.org/releases/mozilla-b2g37_v2_2/rev/a2db74491088 Gecko Version 37.0 Device Name flame Firmware(Release) 4.4.2 Firmware(Incremental) eng.cltbld.20150617.195246 Firmware Date Wed Jun 17 19:52:58 EDT 2015 Bootloader L1TC000118D0
Comment 29•9 years ago
|
||
You need to log in
before you can comment on or make changes to this bug.
Description
•