Closed Bug 1207921 Opened 9 years ago Closed 9 years ago

[e10s]? plugin-container crashes when PPluginModule logging is enabled

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(e10s+, firefox44 fixed)

Status:
RESOLVED FIXED
Milestone:
mozilla44
Tracking Flags:
Tracking Status
e10s + ---
firefox44 --- fixed

People

(Reporter: gw280, Assigned: gw280)

Details

Attachments

(1 file)

ipdl-reorder.patch
667 bytes, patch
billm
: review+
Details | Diff | Splinter Review 
With e10s enabled and PPluginModule logging enabled, when I try to load flash content, we get a crash:

(gdb) where
#0  0x00007f4c2fbee1bd in nanosleep () at /lib64/libc.so.6
#1  0x00007f4c2fbee054 in sleep () at /lib64/libc.so.6
#2  0x00007f4c3578ba62 in ah_crap_handler(int) (signum=11)
    at /home/george/dev/gecko/toolkit/xre/nsSigHandlers.cpp:103
#3  0x00007f4c3578baad in child_ah_crap_handler(int) (signum=11)
    at /home/george/dev/gecko/toolkit/xre/nsSigHandlers.cpp:115
#4  0x00007f4c2fb5e960 in <signal handler called> () at /lib64/libc.so.6
#5  0x00007f4c31fc06f0 in mozilla::plugins::PPluginInstanceChild::OnCallReceived(IPC::Message const&, IPC::Message*&) (this=0x7f4c1cd15c00, msg__=..., reply__=@0x7ffe1f0ac790: 0x7f4c1cd1ca30)
    at /home/george/dev/gecko/obj-linux-gcc/ipc/ipdl/PPluginInstanceChild.cpp:2076
#6  0x00007f4c31fd9594 in mozilla::plugins::PPluginModuleChild::OnCallReceived(IPC::Message const&, IPC::Message*&) (this=0x7f4c1cd0ec00, msg__=..., reply__=@0x7ffe1f0ac790: 0x7f4c1cd1ca30)
    at /home/george/dev/gecko/obj-linux-gcc/ipc/ipdl/PPluginModuleChild.cpp:1192
#7  0x00007f4c31d70fcf in mozilla::ipc::MessageChannel::DispatchInterruptMessage(IPC::Message const&, unsigned long) (this=0x7f4c1cd0ec68, aMsg=..., stackDepth=0)
    at /home/george/dev/gecko/ipc/glue/MessageChannel.cpp:1450
#8  0x00007f4c31d707cf in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) (this=0x7f4c1cd0ec68, aMsg=...) at /home/george/dev/gecko/ipc/glue/MessageChannel.cpp:1300
#9  0x00007f4c31d705fb in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() (this=0x7f4c1cd0ec68)
    at /home/george/dev/gecko/ipc/glue/MessageChannel.cpp:1273
#10 0x00007f4c31d86830 in DispatchToMethod<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()>(mozilla::ipc::MessageChannel*, bool (mozilla::ipc::MessageChannel::*)(), Tuple0 const&) (obj=0x7f4c1cd0ec68, method=(bool (mozilla::ipc::MessageChannel::*)(mozilla::ipc::MessageChannel * const)) 0x7f4c31d7049c <mozilla::ipc::MessageChannel::OnMaybeDequeueOne()>, arg=...)
    at /home/george/dev/gecko/ipc/chromium/src/base/tuple.h:387
#11 0x00007f4c31d862b0 in RunnableMethod<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)(), Tuple0>::Run() (this=0x7f4c1cd32040)
    at /home/george/dev/gecko/ipc/chromium/src/base/task.h:323
#12 0x00007f4c31d79725 in mozilla::ipc::MessageChannel::RefCountedTask::Run() (this=0x7f4c257fe4f0)
    at ../../dist/include/mozilla/ipc/MessageChannel.h:459
#13 0x00007f4c31d798fa in mozilla::ipc::MessageChannel::DequeueTask::Run() (this=0x7f4c1cd697c0)
    at ../../dist/include/mozilla/ipc/MessageChannel.h:476
#14 0x00007f4c31d01493 in MessageLoop::RunTask(Task*) (this=0x7ffe1f0acc70, task=0x7f4c1cd697c0)
    at /home/george/dev/gecko/ipc/chromium/src/base/message_loop.cc:364
#15 0x00007f4c31d0150b in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) (this=0x7ffe1f0acc70, pending_task=...) at /home/george/dev/gecko/ipc/chromium/src/base/message_loop.cc:372
#16 0x00007f4c31d01966 in MessageLoop::DoWork() (this=0x7ffe1f0acc70)
    at /home/george/dev/gecko/ipc/chromium/src/base/message_loop.cc:459
#17 0x00007f4c31cf1bc3 in base::MessagePumpForUI::RunWithDispatcher(base::MessagePump::Delegate*, base::MessagePumpForUI::Dispatcher*) (this=0x7f4c2574d940, delegate=0x7ffe1f0acc70, dispatcher=0x0)
    at /home/george/dev/gecko/ipc/chromium/src/base/message_pump_glib.cc:196
#18 0x00007f4c31cf2314 in base::MessagePumpForUI::Run(base::MessagePump::Delegate*) (this=0x7f4c2574d940, delegate=0x7ffe1f0acc70) at /home/george/dev/gecko/ipc/chromium/src/base/message_pump_glib.h:59
#19 0x00007f4c31d00f35 in MessageLoop::RunInternal() (this=0x7ffe1f0acc70)
    at /home/george/dev/gecko/ipc/chromium/src/base/message_loop.cc:234
---Type <return> to continue, or q <return> to quit---
#20 0x00007f4c31d00eca in MessageLoop::RunHandler() (this=0x7ffe1f0acc70)
    at /home/george/dev/gecko/ipc/chromium/src/base/message_loop.cc:227
#21 0x00007f4c31d00e5b in MessageLoop::Run() (this=0x7ffe1f0acc70)
    at /home/george/dev/gecko/ipc/chromium/src/base/message_loop.cc:201
#22 0x00007f4c35787160 in XRE_InitChildProcess(int, char**, mozilla::gmp::GMPLoader*) (aArgc=4, aArgv=0x7ffe1f0ae208, aGMPLoader=0x0) at /home/george/dev/gecko/toolkit/xre/nsEmbedFunctions.cpp:621
#23 0x00000000004215ba in content_process_main(int, char**) (argc=6, argv=0x7ffe1f0ae208)
    at /home/george/dev/gecko/ipc/app/../contentproc/plugin-container.cpp:237
#24 0x0000000000421683 in main(int, char**) (argc=7, argv=0x7ffe1f0ae208)
    at /home/george/dev/gecko/ipc/app/MozillaRuntimeMain.cpp:11

The issue is in mozilla::plugins::PPluginInstanceChild::OnCallReceived() and it's because when logging is enabled, we call OtherPid() which calls mManager which has been deleted.
Not sure if this is the right thing to do, but reorder the generator for genDtorRecvCase so that the reply+log happens before we do the actual destruction. Is this safe or should we just move the logging statement?
Attachment #8665252 - Flags: review?(wmccloskey)
Assignee: nobody → gwright
Attachment #8665252 - Flags: review?(wmccloskey) → review+
https://hg.mozilla.org/mozilla-central/rev/ea5f69a5ddd8
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox44: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: