Closed Bug 1265680 Opened 9 years ago Closed 8 years ago

crash in mozalloc_abort | NS_DebugBreak | mozilla::ipc::FatalError | mozilla::dom::PBrowserChild::FatalError | mozilla::dom::PBrowserChild::OnMessageReceived

Categories: Core :: DOM: Content Processes, defect, P1
Platform: x86, Windows NT
Status: RESOLVED WORKSFORME
Tracking Status: e10s + ---
People: Reporter: kanru, Assigned: mccr8
Keywords: crash, Whiteboard: btpp-active,e10st?

+++ This bug was initially created as a clone of Bug #1258312 +++
I saw some new signatures on Nightly which are in deserialization of nsTArray. One of the messages is PBrowser::Msg_HandleAccessKey. I haven't checked the others. https://crash-stats.mozilla.com/search/?product=Firefox&build_id=%3E%3D20160414000000&signature=~mozilla%3A%3Adom%3A%3APBrowserChild%3A%3AOnMessageReceived&_facets=signature&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports
Note bug 1258312 altered Pickle::Resize so that it would OOM crash with a more appropriate signature. Prior to that change those failures tended to show up under PBrowserChild::OnMessageReceived. This bug tracks remaining issues with PBrowserChild::OnMessageReceived.
Some more data: 10 out of 10 crashes are SendHandleAccessKey errors on deserialization of nsTArray. The Pickle header_size_ is 28 and capacity_ is 32, so it is basically an empty message. Let's see if this turns out to be a top crasher.
Assignee: nobody → continuation
The first argument to this message has type nsTArray<uint32_t>. We send lots of nsTArrays over IPC, but not as many where |sUseWriteBytes| is true. ByteLengthIsValid() doesn't look correct to me, and if that returns |false|, we'll silently send a truncated message, which would result in the behavior Kan-Ru describes in comment 2. I'll fix up ByteLengthIsValid(), and make its failure during Write() fatal in release builds, so we'll at least get information on where it is going wrong (and confirm my hypothesis, hopefully).
Depends on: 1268130
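An added illustration of the failure mode discussed in the comment above, not Mozilla's code: a minimal, hypothetical Pickle-style writer and reader for a uint32_t array, where the writer's ByteLengthIsValid()-style check fails loudly instead of emitting a truncated message, and the reader rejects a short (for example empty) payload as a deserialization error rather than reading past the buffer. All names and the wire layout here are assumptions.

```cpp
#include <cstdint>
#include <cstring>
#include <limits>
#include <optional>
#include <vector>

// Hypothetical stand-in for a Pickle-style message: a flat byte buffer into
// which a length prefix and the raw element bytes are appended.
struct Message {
  std::vector<uint8_t> bytes;
};

// Mirrors the intent of a ByteLengthIsValid()-style check: count * elemSize
// must not overflow, and the byte length must fit the 32-bit length prefix.
static bool ByteLengthIsValid(size_t count, size_t elemSize, uint32_t* outBytes) {
  if (elemSize == 0) return false;
  if (count > std::numeric_limits<size_t>::max() / elemSize) return false;
  size_t total = count * elemSize;
  if (total > std::numeric_limits<uint32_t>::max()) return false;
  *outBytes = static_cast<uint32_t>(total);
  return true;
}

// Writer: on an invalid length it returns false and appends nothing, instead
// of silently leaving a truncated message behind for the receiver to choke on.
static bool WriteUint32Array(Message& msg, const std::vector<uint32_t>& arr) {
  uint32_t byteLen = 0;
  if (!ByteLengthIsValid(arr.size(), sizeof(uint32_t), &byteLen)) return false;
  const uint8_t* p = reinterpret_cast<const uint8_t*>(&byteLen);
  msg.bytes.insert(msg.bytes.end(), p, p + sizeof(byteLen));
  const uint8_t* d = reinterpret_cast<const uint8_t*>(arr.data());
  msg.bytes.insert(msg.bytes.end(), d, d + byteLen);
  return true;
}

// Reader: bounds-checks both the prefix and the payload, so an empty or
// truncated message surfaces as a deserialization failure (std::nullopt).
static std::optional<std::vector<uint32_t>> ReadUint32Array(const Message& msg, size_t& pos) {
  if (pos > msg.bytes.size() || msg.bytes.size() - pos < sizeof(uint32_t)) return std::nullopt;
  uint32_t byteLen = 0;
  std::memcpy(&byteLen, msg.bytes.data() + pos, sizeof(byteLen));
  pos += sizeof(byteLen);
  if (byteLen % sizeof(uint32_t) != 0 || msg.bytes.size() - pos < byteLen) return std::nullopt;
  std::vector<uint32_t> out(byteLen / sizeof(uint32_t));
  if (byteLen) std::memcpy(out.data(), msg.bytes.data() + pos, byteLen);
  pos += byteLen;
  return out;
}
```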
Oddly, I don't see any crashes with this signature after 4-24, which is before bug 1268130 landed. I don't know what could have fixed or changed the signature.
Depends on: 1268900
Whiteboard: btpp-active → btpp-active,e10st?
blocking-b2g: --- → 2.6?
blocking-b2g: 2.6? → ---
Completely disappeared on Nightly.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME