Closed Bug 1273215 Opened 8 years ago Closed 8 years ago

Undo Close Tab Container Crash: [@ IPCError-browser | (msgtype=0xA00005,name=PNecko::Msg_PHttpChannelConstructor)

Categories

(Core :: DOM: Security, defect, P1)

49 Branch
x86
macOS
defect

Tracking

()

RESOLVED DUPLICATE of bug 1250063
Tracking Status
e10s + ---
firefox49 --- affected

People

(Reporter: kjozwiak, Assigned: allstars.chh)

References

(Blocks 1 open bug)

Details

(Whiteboard: [userContextId][domsecurity-backlog])

Crash Data

When restoring a container tab via the "Undo Close Tab" feature, the container tab will be restored and instantly crash. I've attached the crash reports including the messages/errors that I'm receiving in the console while reproducing with an m-c under debug.

STR: (reproducible 100% of the time)

* launch the latest version of m-c
* enable containers via privacy.userContext.enabled;true under about:config
* select File -> New Container Tab -> Personal (or any other container)
* close the container tab that you've just opened
* right click on the regular tab and select "Undo Close Tab"

Crash Reports:
--------------

* https://crash-stats.mozilla.com/report/index/414812a5-4b64-4db3-bf7a-841342160516
* https://crash-stats.mozilla.com/report/index/488ae500-586b-42d7-9235-3c0172160516
* https://crash-stats.mozilla.com/report/index/cb1d8e77-6504-4bd1-971d-216b12160516

Error messaged under console:
-----------------------------

NeckoParent::AllocPHttpChannelParent: FATAL error: App does not have permission: KILLING CHILD PROCESS
[Parent 45834] WARNING: Error constructing actor PHttpChannelParent: file /Users/kjozwiak/projects/m-c-containers/objdir-ff-debug/ipc/ipdl/PNeckoParent.cpp, line 1209

###!!! [Parent][DispatchAsyncMessage] Error: (msgtype=0xA00005,name=PNecko::Msg_PHttpChannelConstructor) Value error: message was deserialized, but contained an illegal value

###!!! [Parent][MessageChannel] Error: (msgtype=0x2C007C,name=PBrowser::Msg_SuppressDisplayport) Channel error: cannot send/recv

###!!! [Parent][OnMaybeDequeueOne] Error: Channel error: cannot send/recv

###!!! [Parent][MessageChannel] Error: (msgtype=0x10,name=PAPZ::Msg_Destroy) Channel error: cannot send/recv

###!!! [Parent][MessageChannel] Error: (msgtype=0x2C0079,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv
Is this a regression?
Priority: -- → P1
Whiteboard: [userContextId]
From what I gathered, this looks like this was always broken after support for e10s was added via bug # 1195881.

INFO: Last good revision: 8150bbaade324fa7356aa955164f63efd10f917c
INFO: First bad revision: aa416d2a76faf1346c1c9e8a2b6fa44a38cd68fc
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=8150bbaade324fa7356aa955164f63efd10f917c&tochange=aa416d2a76faf1346c1c9e8a2b6fa44a38cd68fc

* INFO: application_buildid: 20160501030217, application_changeset: 1461a4071341c282afcf7b72e33036412d2251d4
* INFO: application_buildid: 20160415030231, application_changeset: afd82f887093e5e9e4015115ca5795ec82a6f732
* INFO: application_buildid: 20160401030216, application_changeset: 538d248fa252a4100082fd9bc3fdc08d322cda22
* INFO: application_buildid: 20160325083832, application_changeset: b2dbee5ca727e87bdaeab9ab60fb83df2a9846a2
* INFO: application_buildid: 20160310030242, application_changeset: dd1abe874252e507b825a0a4e1063b0e13578288
* INFO: application_buildid: 20160301030237, application_changeset: 8ef94be995a453f5c464278c53478ba8c8554f81
* INFO: application_buildid: 20160220030407, application_changeset: 69ec3dc408a2a720cb2b8210fea33e3504aeec22
* INFO: application_buildid: 20160210071115, application_changeset: ac39fba33c6daf95b2cda71e588ca18e2eb752ab
* INFO: application_buildid: 20160125060632, application_changeset: 3f41d7d0f544ebd98273e39bd945c28878a47427
* INFO: application_buildid: 20160121030208, application_changeset: 977d78a8dd78afbc0153d37fd9887c3a200dce6a <-- crashes when restoring (uses e10s)
* INFO: application_buildid: 20160120030239, application_changeset: 2e50b83954e62d52d2ef294e850c4380d457d96a <-- doesn't restore the tab in the original container/e10s tab
Whiteboard: [userContextId] → [userContextId][domsecurity-backlog]
tracking-e10s: --- → ?
non-shipping feature, tracks but doesn't block e10s.
I cannot reproduce this crash on m-c, I've tried yesterday and today, none of them have crashed when 'undo close tab'.(debug build)

However I found that when the container tab is opened again via 'undo close tab', it becomes a normal tab, i.e. not a container tab anymore. Should be a seperate issue.
I can still reproduce the issue using the following build:
* fx49.0a1 (m-c) buildId: 20160517030211 changeset: a884b96685aa

Yoshi, I've attached a video [1] of the crash occurring under the latest m-c. Hopefully this helps you reproduce the problem :)

[1] https://youtu.be/HJWb6KCkqVk

> However I found that when the container tab is opened again via 'undo close
> tab', it becomes a normal tab, i.e. not a container tab anymore. Should be a
> seperate issue.

It looks like once the tab crashes after restoring via "Undo Close Tab", the awesome bar container UI disappears. However, the highlight indicator above the tab is still present. If you click on a link within the tab that was restored, it will correctly open a new tab using the same container and will restore the missing UI under the awesome bar. I've attached a video example below [2]. Yoshi, are you seeing something similar?

[2] https://youtu.be/5zJkkUO0lrY
(In reply to Kamil Jozwiak [:kjozwiak] from comment #5)
I downloaded the nightly and I can reproduce the crash. However I am stil not sure why my local build doesn't have this problem... still checking.
Assignee: nobody → allstars.chh
I think the problem is already fixed on m-c. I've tried this with latest m-c on Ubuntu and MacOS, both of them works well.

Then I tried the nightly build, the build after 0518 (included) works, and the builds before 0517(included) failed. (I think that also explained my Comment 4 and Comment 6)

Last Fail: https://ftp.ozilla.org/pub/firefox/nightly/2016/05/2016-05-17-03-02-11-mozilla-central/
First Succeed: https://ftp.mozilla.org/pub/firefox/nightly/2016/05/2016-05-18-03-02-34-mozilla-central/

So some commits between a884b96685aa13b65601feddb24e5f85ba861561 and f3f2fa1d7eed5a8262f6401ef18ff8117a3ce43e have fixed the problem

However I don't have time to finish the bisect today,
Kamil, if you have time, can you bisect the commit, or I could do it in these few days.

Thanks
(In reply to Yoshi Huang[:allstars.chh] from comment #7)
> However I don't have time to finish the bisect today,
> Kamil, if you have time, can you bisect the commit, or I could do it in
> these few days.
> 
Canada has a holiday today, so Kamil was out.  But maybe he will have time to look at this tomorrow, so needinfo'ing him.

Thanks Yoshi!
Flags: needinfo?(kjozwiak)
I do the bisect today and I found it's fixed by my Bug 1250063 Part 1 patch.
https://hg.mozilla.org/mozilla-central/rev/e12e9ba1286c#l1.16

If we were to allow it to set origin attributes on the docshell, it will have a mismatch origin attributes between TabContext/SerializedLoadContext in 
https://dxr.mozilla.org/mozilla-central/rev/16663eb3dcfa759f25b5e27b101bc79270c156f2/netwerk/ipc/NeckoParent.cpp#160

thus NeckoParent::CreateChannelLoadContext will return error.

I'll also try to write this test in Bug 1274461.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(kjozwiak)
Resolution: --- → DUPLICATE
(In reply to Yoshi Huang[:allstars.chh] from comment #10)
> I do the bisect today and I found it's fixed by my Bug 1250063 Part 1 patch.

That's great!
Thanks for verifying this, Yoshi!
> However I don't have time to finish the bisect today,
> Kamil, if you have time, can you bisect the commit, or I could do it in
> these few days.

Apologies for the late reply :/ As Tavi mentioned, Canada had a holiday yesterday so I was off the entire day.

I went through the test case once again and FX isn't crashing anymore when restoring via "Undo Close Tab". However, it's restoring everything in the default container which is being handled in Bug # 1274461.

Thanks for going through this as well Yoshi!!

Build used for testing:
-----------------------

changeset:   298652:829d3be6ba64
tag:         tip
fxtree:      central
parent:      298268:f6e1ee9ac46c
parent:      298651:df5daa1095f2
user:        Carsten "Tomcat" Book <cbook@mozilla.com>
date:        Tue May 24 14:52:23 2016 +0200
summary:     merge mozilla-inbound to mozilla-central a=merge
You need to log in before you can comment on or make changes to this bug.