Using fast search suggestions on Duckduckgo causes a browser crash

VERIFIED FIXED in Firefox 41, Firefox OS v2.2

Status


Core
Graphics
VERIFIED FIXED
3 years ago
2 years ago

People

(Reporter: Clément Lefèvre, Assigned: sotaro)

Tracking

({regression})

unspecified
mozilla41
ARM
Gonk (Firefox OS)
regression
Points:
---

Firefox Tracking Flags

(blocking-b2g:2.2+, firefox39 wontfix, firefox40 wontfix, firefox41 fixed, b2g-v2.1 unaffected, b2g-v2.2 verified, b2g-master verified)

Details

Attachments

(6 attachments)

(Reporter)

Description

3 years ago
Using fast search suggestions on the Duckduckgo result page will cause a browser crash.

STR:

- Go on duckduckgo.com and do a first search, or do a search while DDG is your default search engine.
- After this first search is done, on the result page, type in the search field some things and click on one of the lines in the suggestions list.
- While it should do the search corresponding to the line you clicked on, it will crash the browser.

Reproducing every time. Last nightly build/master:

Build ID               20150528004612
Build Type             user
Gaia Revision          05380df3158fa39e1dde1687c0bf11a71f8c6868
Gaia Date              2015-05-27 06:27:27
Gecko Revision         https://hg.mozilla.org/mozilla-central/rev/baa9c64fea6f
Gecko Version          41.0a1
Device Name            flame
Firmware(Release)      4.4.2
Firmware(Incremental)  eng.cltbld.20150212.043653
Firmware Date          Thu Feb 12 04:37:04 EST 2015
Bootloader             L1TC000118D0
(Reporter)

Updated

3 years ago
Keywords: qawanted, regression, regressionwindow-wanted
(Reporter)

Comment 1

3 years ago
Branch check needed
Keywords: regressionwindow-wanted
2.2 is also affected, however the repro rate is lowered to about 1 in 5 attempts.

Device: Flame (KK, full flashed, 319MB)
BuildID: 20150528002504
Gaia: 999bc627063d16c20f703e702f31a5cf0da8b4a6
Gecko: 351101ec82ba
Gonk: bd9cb3af2a0354577a6903917bc826489050b40d
Version: 37.0 (2.2) 
Firmware Version: v18D-1
User Agent: Mozilla/5.0 (Mobile; rv:37.0) Gecko/37.0 Firefox/37.0

---

2.1 seems unaffected. Bug repro rate is 0 out of 10 attempts.

Device: Flame (KK, full flashed, 319MB)
BuildID: 20150528001205
Gaia: 2304a1f6327c2ccf35d6995ee16f2231ed1f22a3
Gecko: 894528758073
Gonk: bd9cb3af2a0354577a6903917bc826489050b40d
Version: 34.0 (2.1) 
Firmware Version: v18D-1
User Agent: Mozilla/5.0 (Mobile; rv:34.0) Gecko/34.0 Firefox/34.0

-----

Not adding regression window wanted tag because according to the 2.2 results, the reproduction rate will only go lower to a point that we can't distinguish whether a build is reproducing the bug or not and the window will be inaccurate.
Status: UNCONFIRMED → NEW
QA Whiteboard: [QAnalyst-Triage?]
status-b2g-v2.1: --- → unaffected
status-b2g-v2.2: --- → affected
status-b2g-master: --- → affected
Ever confirmed: true
Flags: needinfo?(ktucker)
Keywords: qawanted
Can we get a crash ID?
Oh and is it only on 319MB configurations?
Whiteboard: [systemsfe]
It's a browser closing situation so there's no crash log.

QAwanted for the question at comment 4.
Keywords: qawanted
Created attachment 8612638 [details]
logcat of issue

I uploaded a logcat reproducing the issue. And this issue occurs on 3.0 regardless of memory settings. It occurred 2 out of 2 attempts on 1GB RAM.
Keywords: qawanted
QA Whiteboard: [QAnalyst-Triage?] → [QAnalyst-Triage+]
Flags: needinfo?(ktucker)
Created attachment 8612664 [details]
logcat.txt

I got this in the browser:

W/Browser ( 5467): [JavaScript Warning: "SyntaxError: unreachable code after return statement" {file: "https://duckduckgo.com/d1782.js" line: 61 column: 143371 source: "mpty");this._hasText=1}}},_updateOverlay:function(n){return;if(!this.$input){return}n=n||this.$input.val();var m=this.ge"}]

I got some IPDL errors and then died a quiet death ( no crash reporter )
This browser stays up in 2.0 (had it on a different device because of other testing)
[Blocking Requested - why for this release]: we shouldn't choke on this.
blocking-b2g: --- → 2.2?
Flags: needinfo?(anygregor)
That's just a warning. I doubt this causes any damage.
Flags: needinfo?(anygregor)
We need to attach with gdb and see what's going on.
Created attachment 8613010 [details]
gdb and logcat

Milan, any ideas?
Flags: needinfo?(milan)
Component: Gaia::Browser → Graphics
Product: Firefox OS → Core
I'd imagine the graphics is just accidentally mentioned here, looks like ipc may be in bad shape already. I'm probably wrong - Sotaro, anything you see that points to graphics?
Flags: needinfo?(milan) → needinfo?(sotaro.ikeda.g)
(Assignee)

Comment 13

3 years ago
I'll take a look.
Assignee: nobody → sotaro.ikeda.g
Flags: needinfo?(sotaro.ikeda.g)
Whiteboard: [systemsfe]
(Assignee)

Comment 14

3 years ago
I confirmed that the crash reproduces on my master flame-kk.
(Assignee)

Comment 15

3 years ago
When the problem happens, TileClient::DiscardFrontBuffer() is called from TiledContentClient::~TiledContentClient().

In the past, ~TiledContentClient() was called from outside of LayerTransaction. But on current master, ~TiledContentClient() is called during the transaction.
(Assignee)

Comment 16

3 years ago
The direct cause of the crash is an invalid 'OpRemoveTextureAsync' message sent to an already deleted PCompositable. The problematic message is added by ShadowLayerForwarder::RemoveTextureFromCompositableAsync()
  https://dxr.mozilla.org/mozilla-central/source/gfx/layers/ipc/ShadowLayers.cpp#428

When TiledContentClient::~TiledContentClient() is called during a layer transaction, 'OpRemoveTextureAsync' is sent as part of the layer transaction. But before the message is sent, CompositableClient::Destroy() is called within the destructor, and PCompositable becomes invalid before the message is sent. This causes the IPC error, and the child process is killed.
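
The ordering problem described in comments 15 and 16, as a simplified model added here (not Gecko code and not the attached patch). All type and function names are hypothetical; the assumptions are that ops issued during a transaction are batched until it ends, that actor destruction takes effect immediately, and that the receiver treats a message for an unknown actor as a fatal IPC error.

```cpp
#include <cstdint>
#include <set>
#include <vector>

// Simplified model with hypothetical names; not Gecko code.
struct Op { uint64_t actorId; };

// Receiving side: knows which actors are live and treats a message for an
// unknown actor as a fatal IPC error, after which the sender is killed.
struct Parent {
    std::set<uint64_t> live;
    bool childKilled = false;
    void Receive(const Op& op) { if (!live.count(op.actorId)) childKilled = true; }
    void ReceiveDelete(uint64_t id) { live.erase(id); }
};

// Sending side: ops issued during a transaction are batched until it ends.
struct Child {
    Parent& parent;
    bool inTransaction = false;
    std::vector<Op> pending;
    explicit Child(Parent& p) : parent(p) {}
    void RemoveTexture(uint64_t id, bool sendNow) {
        if (inTransaction && !sendNow) pending.push_back(Op{id});  // deferred
        else parent.Receive(Op{id});                               // sent at once
    }
    void DestroyActor(uint64_t id) { parent.ReceiveDelete(id); }   // immediate
    void EndTransaction() {
        for (const Op& op : pending) parent.Receive(op);
        pending.clear();
        inTransaction = false;
    }
};

// Tears down one actor and reports whether the child process was killed.
bool TeardownKillsChild(bool duringTransaction, bool sendBeforeDestroy) {
    Parent parent;
    parent.live.insert(1);                          // constructed actor id
    Child child(parent);
    child.inTransaction = duringTransaction;
    child.RemoveTexture(1, sendBeforeDestroy);      // the "remove texture" op
    child.DestroyActor(1);                          // actor is now invalid
    if (duringTransaction) child.EndTransaction();  // batched op arrives too late
    return parent.childKilled;
}
```

Teardown outside a transaction is safe, teardown inside one delivers the batched op after the actor is gone, and sending the op before destroying the actor removes the window in both cases.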
(Assignee)

Comment 17

3 years ago
Created attachment 8613677 [details] [diff] [review]
patch - Send OpRemoveTextureAsync before actor destroyed

This is a bit of a dirty fix. But it is necessary for gonk's tiled layer.
(Assignee)

Updated

3 years ago
Attachment #8613677 - Flags: review?(nical.bugzilla)
(Assignee)

Comment 18

3 years ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=03998bf03b4b

Updated

3 years ago
Attachment #8613677 - Flags: review?(nical.bugzilla) → review+

Comment 19

3 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/ba3687909f5a
blocking-b2g: 2.2? → 2.2+
https://hg.mozilla.org/mozilla-central/rev/ba3687909f5a
Status: NEW → RESOLVED
Last Resolved: 3 years ago
status-firefox41: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
Please request b2g37 approval on this when you get a chance.
status-b2g-master: affected → fixed
status-firefox39: --- → wontfix
status-firefox40: --- → wontfix
Flags: needinfo?(sotaro.ikeda.g)
(Assignee)

Comment 22

3 years ago
Comment on attachment 8613677 [details] [diff] [review]
patch - Send OpRemoveTextureAsync before actor destroyed

NOTE: Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 1027088
User impact if declined: browser/application crash could happen.
Testing completed: locally tested.
Risk to taking this patch (and alternatives if risky): low
String or UUID changes made by this patch: none
Flags: needinfo?(sotaro.ikeda.g)
Attachment #8613677 - Flags: approval-mozilla-b2g37?

Updated

3 years ago
Keywords: verifyme

Comment 23

3 years ago
(In reply to Sotaro Ikeda [:sotaro] from comment #22)
> Comment on attachment 8613677 [details] [diff] [review]
> patch - Send OpRemoveTextureAsync before actor destroyed
> 
> NOTE: Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to
> better understand the B2G approval process and landings.
> 
> [Approval Request Comment]
> Bug caused by (feature/regressing bug #): Bug 1027088
> User impact if declined: browser/application crash could happen.
> Testing completed: locally tested.
> Risk to taking this patch (and alternatives if risky): low
> String or UUID changes made by this patch: none

Sotaro,
Is it possible to add UT for this?
Flags: needinfo?(sotaro.ikeda.g)
(Assignee)

Comment 24

3 years ago
> 
> Sotaro,
> Is it possible to add UT for this?

I do not think it is possible. We could not anticipate Layout's layer destruction timing.
Flags: needinfo?(sotaro.ikeda.g)
This bug has been verified as "pass" on latest build of Flame v3.0 by the STR in Comment 0.

Actual results: It does not crash anymore when searching in "duckduckgo.com" (or do a search while DDG is your default search engine).
See attachment: verified_v3.0.mp4
Reproduce rate: 0/15


Device: Flame v3.0 build(Pass, eng build)
Build ID               20150611160204
Gaia Revision          68269e7b6510930eb2f644f69d27d456c1bdec75
Gaia Date              2015-06-10 23:36:01
Gecko Revision         https://hg.mozilla.org/mozilla-central/rev/9ebd530c5843
Gecko Version          41.0a1
Device Name            flame
Firmware(Release)      4.4.2
Firmware(Incremental)  eng.cltbld.20150611.193436
Firmware Date          Thu Jun 11 19:34:48 EDT 2015
Bootloader             L1TC000118D0

Device: Flame v3.0 build(Pass, user build)
Build ID               20150611160204
Gaia Revision          68269e7b6510930eb2f644f69d27d456c1bdec75
Gaia Date              2015-06-10 23:36:01
Gecko Revision         https://hg.mozilla.org/mozilla-central/rev/9ebd530c5843
Gecko Version          41.0a1
Device Name            flame
Firmware(Release)      4.4.2
Firmware(Incremental)  eng.cltbld.20150611.193057
Firmware Date          Thu Jun 11 19:31:07 EDT 2015
Bootloader             L1TC000118D0

--------------------------------------------------
Leaving "verifyme" for v2.2 uplift & verification.
status-b2g-master: fixed → verified
Created attachment 8621469 [details]
verified_v3.0.mp4
QA Whiteboard: [QAnalyst-Triage+] → [QAnalyst-Triage+][MGSEI-Triage+]

Updated

3 years ago
Attachment #8613677 - Flags: approval-mozilla-b2g37? → approval-mozilla-b2g37+
https://hg.mozilla.org/releases/mozilla-b2g37_v2_2/rev/b69b68b8a0a7
status-b2g-v2.2: affected → fixed
This bug has been verified as "pass" on latest Nightly build of Flame v2.2 by the STR in Comment 0.

Actual results: It does not crash anymore when searching in "duckduckgo.com" (or do a search while DDG is your default search engine).
See attachment: verified_v2.2.mp4
Reproduce rate: 0/40.


Device: Flame v2.2 build(Verified)
Build ID               20150617162515
Gaia Revision          3414b07dc489976bf510fd8042c0af3b1192c160
Gaia Date              2015-06-16 22:04:56
Gecko Revision         https://hg.mozilla.org/releases/mozilla-b2g37_v2_2/rev/a2db74491088
Gecko Version          37.0
Device Name            flame
Firmware(Release)      4.4.2
Firmware(Incremental)  eng.cltbld.20150617.195246
Firmware Date          Wed Jun 17 19:52:58 EDT 2015
Bootloader             L1TC000118D0
Status: RESOLVED → VERIFIED
status-b2g-v2.2: fixed → verified
Keywords: verifyme
Created attachment 8624168 [details]
verified_v2.2.3gp