PPluginSurfaceChild tries to send a delete message from PluginInstanceChild::ActorDestroy()

RESOLVED FIXED in Firefox 50

Status

()

Product:
Core
Component:
Plug-ins
Importance:
P2
critical
Status:
RESOLVED FIXED
Reported:
3 years ago
Modified:
3 years ago

People

(Reporter: mccr8, Assigned: dvander)

Tracking

({crash})

Version:
Trunk
Target:
mozilla50
Platform:
x86
Windows 10
Keywords:
crash
Points:
---

Firefox Tracking Flags

(firefox48 affected, firefox49 affected, firefox50 fixed)

Details

(crash signature)

Attachments

(1 attachment)

patch
748 bytes, patch
benjamin
: review+
Details | Diff | Splinter Review
(Reporter)

Description

3 years ago 
This bug was filed from the Socorro interface and is 
report bp-46bd127f-056b-47f1-ae3b-1dc652160608.
=============================================================
(Reporter)

Comment 1

3 years ago 
PluginInstanceChild::ClearAllSurfaces() calls PPluginSurfaceChild::Send__delete__(), but I think it fails because we're already in some kind of shutdown or error state.
(Reporter)

Comment 2

3 years ago 
I see 195 crash reports with this signature.

Comment 3

3 years ago 
This should only be for the new async drawing mode which is in Flash betas but not Flash release. dvander?
Flags: needinfo?(dvander)
Priority: -- → P2
(Reporter)

Comment 4

3 years ago 
72% of these crashes are with Flash version 21.0.0.242, which looks like the current version you can download. (Another 17% are on 21.0.0.213.)
(Assignee)

Comment 5

3 years ago 
Created attachment 8765600 [details] [diff] [review]
patch

It looks like this predates direct drawing. We're trying to send a __delete__ message over IPDL, but sending anything after an ActorDestroy will trigger a MOZ_CRASH. I think we can just set these actors to null so PluginInstanceChild doesn't try to access them again.
Assignee: nobody → dvander
Status: NEW → ASSIGNED
Flags: needinfo?(dvander)
Attachment #8765600 - Flags: review?(benjamin)

Updated

3 years ago
Attachment #8765600 - Flags: review?(benjamin) → review+

Comment 6

3 years ago 
Pushed by danderson@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/971c1ee26cad
Don't try to send PPluginSurface::__delete__ within ActorDestroy. (bug 1279340, r=bsmedberg)

Comment 7

3 years ago
bugherder 
https://hg.mozilla.org/mozilla-central/rev/971c1ee26cad
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
status-firefox50: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50

Comment 8

3 years ago 
Crash volume for signature 'mozalloc_abort | NS_DebugBreak | mozilla::ipc::FatalError | mozilla::plugins::PPluginSurfaceChild::FatalError | mozilla::plugins::PPluginSurfaceChild::Write':
 - nightly (version 50): 202 crashes from 2016-06-06.
 - aurora  (version 49): 2565 crashes from 2016-06-07.
 - beta    (version 48): 10 crashes from 2016-06-06.
 - release (version 47): 0 crash from 2016-05-31.
 - esr     (version 45): 0 crash from 2016-04-07.

Crash volume on the last weeks:
             Week N-1   Week N-2   Week N-3   Week N-4   Week N-5   Week N-6   Week N-7
 - nightly          0          6          5         44         40         68         37
 - aurora         353        389        420        428        419        332         51
 - beta             0          5          2          0          1          0          0
 - release          0          0          0          0          0          0          0
 - esr              0          0          0          0          0          0          0

Affected platform: Windows
status-firefox48: --- → affected
status-firefox49: --- → affected
You need to log in before you can comment on or make changes to this bug.