Closed Bug 1279340 Opened 8 years ago Closed 8 years ago

PPluginSurfaceChild tries to send a delete message from PluginInstanceChild::ActorDestroy()

Categories

(Core Graveyard :: Plug-ins, defect, P2)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
x86
Windows 10
Type:
defect

Tracking

(firefox48 affected, firefox49 affected, firefox50 fixed)

Status:
RESOLVED FIXED
Milestone:
mozilla50
Tracking Flags:
Tracking Status
firefox48 --- affected
firefox49 --- affected
firefox50 --- fixed

People

(Reporter: mccr8, Assigned: dvander)

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

patch
748 bytes, patch
benjamin
: review+
Details | Diff | Splinter Review 
This bug was filed from the Socorro interface and is 
report bp-46bd127f-056b-47f1-ae3b-1dc652160608.
=============================================================
PluginInstanceChild::ClearAllSurfaces() calls PPluginSurfaceChild::Send__delete__(), but I think it fails because we're already in some kind of shutdown or error state.
I see 195 crash reports with this signature.
This should only be for the new async drawing mode which is in Flash betas but not Flash release. dvander?
Flags: needinfo?(dvander)
Priority: -- → P2
72% of these crashes are with Flash version 21.0.0.242, which looks like the current version you can download. (Another 17% are on 21.0.0.213.)
Attached patch patchSplinter Review 
It looks like this predates direct drawing. We're trying to send a __delete__ message over IPDL, but sending anything after an ActorDestroy will trigger a MOZ_CRASH. I think we can just set these actors to null so PluginInstanceChild doesn't try to access them again.
Assignee: nobody → dvander
Status: NEW → ASSIGNED
Flags: needinfo?(dvander)
Attachment #8765600 - Flags: review?(benjamin)
Attachment #8765600 - Flags: review?(benjamin) → review+
Pushed by danderson@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/971c1ee26cad
Don't try to send PPluginSurface::__delete__ within ActorDestroy. (bug 1279340, r=bsmedberg)
https://hg.mozilla.org/mozilla-central/rev/971c1ee26cad
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox50: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Crash volume for signature 'mozalloc_abort | NS_DebugBreak | mozilla::ipc::FatalError | mozilla::plugins::PPluginSurfaceChild::FatalError | mozilla::plugins::PPluginSurfaceChild::Write':
 - nightly (version 50): 202 crashes from 2016-06-06.
 - aurora  (version 49): 2565 crashes from 2016-06-07.
 - beta    (version 48): 10 crashes from 2016-06-06.
 - release (version 47): 0 crash from 2016-05-31.
 - esr     (version 45): 0 crash from 2016-04-07.

Crash volume on the last weeks:
             Week N-1   Week N-2   Week N-3   Week N-4   Week N-5   Week N-6   Week N-7
 - nightly          0          6          5         44         40         68         37
 - aurora         353        389        420        428        419        332         51
 - beta             0          5          2          0          1          0          0
 - release          0          0          0          0          0          0          0
 - esr              0          0          0          0          0          0          0

Affected platform: Windows
status-firefox48: --- → affected
status-firefox49: --- → affected
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: