Closed Bug 1306716 Opened 6 years ago Closed 6 years ago

[e10s] Crash when tapping a link

Categories

(Firefox for Android Graveyard :: General, defect)

Product:
Firefox for Android Graveyard
Component:
General
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(firefox52 fixed)

Status:
RESOLVED FIXED
Milestone:
Firefox 52
Tracking Flags:
Tracking Status
firefox52 --- fixed

People

(Reporter: snorp, Assigned: snorp)

Details

Attachments

(3 files, 2 obsolete files)

Call TabParent::SendHandleTap from the right thread on Android
2.06 KB, patch
kats
: review+
Details | Diff | Splinter Review
Don't retrieve (and ref) the TabParent on a non-main thread
5.05 KB, patch
kats
: review+
Details | Diff | Splinter Review
Follow up to not pass references across threads (!)
3.21 KB, patch
kats
: review+
Details | Diff | Splinter Review 
I get the following crash in the parent process when tapping a link with a e10s-enabled GeckoView.

#0  NS_CycleCollectorSuspect3 (aPtr=0x587a6e70, aCp=0x0, aRefCnt=0x587a6e74, aShouldDelete=0x0) at /Volumes/Source/source/gecko-apz/xpcom/base/nsCycleCollector.cpp:3998
#1  0x53bff676 in incr (aCp=0x0, aOwner=0x587a6e70, this=0x587a6e74) at /Volumes/Source/source/objdirs/objdir-android-opt/dist/include/nsISupportsImpl.h:190
#2  incr (aOwner=0x587a6e70, this=0x587a6e74) at /Volumes/Source/source/objdirs/objdir-android-opt/dist/include/nsISupportsImpl.h:176
#3  nsXULElementTearoff::AddRef (this=0x587a6e70) at /Volumes/Source/source/gecko-apz/dom/xul/nsXULElement.cpp:147
#4  0x53c09fae in nsXULElement::QueryInterface (this=0x594a1290, aIID=..., aInstancePtr=0xbe9ff4c4) at /Volumes/Source/source/gecko-apz/dom/xul/nsXULElement.cpp:349
#5  0x52e1f0a6 in nsCOMPtr_base::assign_from_qi (this=0xbe9ff4d4, aQI=..., aIID=...) at /Volumes/Source/source/gecko-apz/xpcom/glue/nsCOMPtr.cpp:51
#6  0x53b7c4c0 in nsCOMPtr (aQI=..., this=0xbe9ff4d4) at /Volumes/Source/source/objdirs/objdir-android-opt/dist/include/nsCOMPtr.h:512
#7  mozilla::dom::TabParent::GetFrameLoader (this=this@entry=0x5a90f400, aUseCachedFrameLoaderAfterDestroy=aUseCachedFrameLoaderAfterDestroy@entry=false) at /Volumes/Source/source/gecko-apz/dom/ipc/TabParent.cpp:2767
#8  0x53b7c676 in mozilla::dom::TabParent::GetChildProcessOffset (this=this@entry=0x5a90f400) at /Volumes/Source/source/gecko-apz/dom/ipc/TabParent.cpp:2141
#9  0x53b7ce0c in mozilla::dom::TabParent::SendHandleTap (this=0x5a90f400, aType=mozilla::layers::GeckoContentController::eSingleTap, aPoint=..., aModifiers=0, aGuid=..., aInputBlockId=1) at /Volumes/Source/source/gecko-apz/dom/ipc/TabParent.cpp:1699
#10 0x533ec3b8 in mozilla::layers::RemoteContentController::HandleTap (this=<optimized out>, aTapType=mozilla::layers::GeckoContentController::eSingleTap, aPoint=..., aModifiers=0, aGuid=..., aInputBlockId=1) at /Volumes/Source/source/gecko-apz/gfx/layers/ipc/RemoteContentController.cpp:84
#11 0x533aff00 in applyImpl<mozilla::layers::GeckoContentController, void (mozilla::layers::GeckoContentController::*)(mozilla::layers::GeckoContentController::TapType, mozilla::gfx::PointTyped<mozilla::LayoutDevicePixel> const&, unsigned short, mozilla::layers::ScrollableLayerGuid const&, unsigned long long), StoreCopyPassByValue<mozilla::layers::GeckoContentController::TapType>, StoreCopyPassByValue<mozilla::gfx::PointTyped<mozilla::LayoutDevicePixel, float> >, StoreCopyPassByValue<unsigned short>, StoreCopyPassByValue<mozilla::layers::ScrollableLayerGuid>, StoreCopyPassByValue<unsigned long long>, 0u, 1u, 2u, 3u, 4u> (args=..., 
    m=<optimized out>, o=0x580140b0) at /Volumes/Source/source/objdirs/objdir-android-opt/dist/include/nsThreadUtils.h:729
#12 apply<mozilla::layers::GeckoContentController, void (mozilla::layers::GeckoContentController::*)(mozilla::layers::GeckoContentController::TapType, mozilla::gfx::PointTyped<mozilla::LayoutDevicePixel> const&, unsigned short, mozilla::layers::ScrollableLayerGuid const&, unsigned long long)> (m=<optimized out>, 
    o=0x580140b0, this=<optimized out>) at /Volumes/Source/source/objdirs/objdir-android-opt/dist/include/nsThreadUtils.h:736
#13 mozilla::detail::RunnableMethodImpl<void (mozilla::layers::GeckoContentController::*)(mozilla::layers::GeckoContentController::TapType, mozilla::gfx::PointTyped<mozilla::LayoutDevicePixel, float> const&, unsigned short, mozilla::layers::ScrollableLayerGuid const&, unsigned long long), true, false, mozilla::layers::GeckoContentController::TapType, mozilla::gfx::PointTyped<mozilla::LayoutDevicePixel, float>, unsigned short, mozilla::layers::ScrollableLayerGuid, unsigned long long>::Run (this=<optimized out>) at /Volumes/Source/source/objdirs/objdir-android-opt/dist/include/nsThreadUtils.h:764
#14 0x53c6eff4 in mozilla::AndroidBridge::RunDelayedUiThreadTasks (this=0x582f01f0) at /Volumes/Source/source/gecko-apz/widget/android/AndroidBridge.cpp:1430
#15 0x4085bc50 in ?? ()
#16 0x4085bc50 in ?? ()
This seems to be caused because we don't have a cycle collector on the UI (APZ controller) thread.
Attachment #8796733 - Attachment is obsolete: true
Attachment #8796733 - Flags: review?(bugmail)
Attachment #8796735 - Flags: review?(bugmail) → review+
Pushed by jwillcox@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/53291cfac404
Call TabParent::SendHandleTap from the right thread on Android r=kats
https://hg.mozilla.org/mozilla-central/rev/53291cfac404
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox52: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 52
This was still a bit busted because we can't ref TabParent on a non-main thread
Attachment #8797629 - Flags: review?(bugmail)
Comment on attachment 8797629 [details] [diff] [review]
Don't retrieve (and ref) the TabParent on a non-main thread

Review of attachment 8797629 [details] [diff] [review]:
-----------------------------------------------------------------

Would like to see a new version with the comments addressed.

::: gfx/layers/ipc/RemoteContentController.cpp
@@ +59,5 @@
>  
>    // If we get here we're probably in the parent process, but we might be in
>    // the GPU process in some shutdown phase where the LayerTreeState or
>    // APZCTreeManagerParent structures are torn down. In that case we'll just get
>    // a null TabParent.

Drop this comment

@@ +68,1 @@
>      MOZ_ASSERT(XRE_IsParentProcess());

Move this MOZ_ASSERT into HandleTap before the |if (NS_IsMainThread)| condition.

@@ +92,1 @@
>      }

Move this return out of the |if (apzctmp)| block so that it is hit unconditionally at the end of the |if XRE_GetProcessType| block.

@@ +94,5 @@
> +
> +  if (NS_IsMainThread()) {
> +    HandleTapOnMainThread(aTapType, aPoint, aModifiers, aGuid, aInputBlockId);
> +  } else {
> +    // We don't want to get the TabParent or call TabParent::SendHandleTap() from a non-main thread

Add "(this might happen on Android, where this is called on the Java UI thread)" to this comment.
Attachment #8797629 - Flags: review?(bugmail) → review-
Comment on attachment 8797725 [details] [diff] [review]
Don't retrieve (and ref) the TabParent on a non-main thread

Review of attachment 8797725 [details] [diff] [review]:
-----------------------------------------------------------------

r+ with comments addressed (sorry I missed these in the previous review).

::: gfx/layers/ipc/RemoteContentController.cpp
@@ +59,5 @@
> +  if (tab) {
> +    MOZ_ASSERT(NS_IsMainThread());
> +
> +    // If we got a TabParent we're definitely in the parent process, and the
> +    // message is going to a child process. Also, we're guaranteed to be on the main thread.

Drop this comment as well, and move the assert up to the start of the function.

::: gfx/layers/ipc/RemoteContentController.h
@@ +89,5 @@
> +  void HandleTapOnMainThread(TapType aType,
> +                               const LayoutDevicePoint& aPoint,
> +                               Modifiers aModifiers,
> +                               const ScrollableLayerGuid& aGuid,
> +                               uint64_t aInputBlockId);

nit: alignment
Attachment #8797725 - Flags: review?(bugmail) → review+
Assignee: nobody → snorp
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Pushed by jwillcox@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/32c669981d22
Don't retrieve (and ref) the TabParent on a non-main thread r=kats
Comment on attachment 8797770 [details] [diff] [review]
Follow up to not pass references across threads (!)

Review of attachment 8797770 [details] [diff] [review]:
-----------------------------------------------------------------

::: gfx/layers/ipc/RemoteContentController.cpp
@@ +54,2 @@
>                                                 Modifiers aModifiers,
> +                                               const ScrollableLayerGuid aGuid,

drop the const as well, throughout this patch
Attachment #8797770 - Flags: review?(bugmail) → review+
https://hg.mozilla.org/mozilla-central/rev/32c669981d22
Status: REOPENED → RESOLVED
Closed: 6 years ago6 years ago
Resolution: --- → FIXED
Pushed by jwillcox@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/809141755973
Follow up to not pass references across threads (!) r=kats
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in before you can comment on or make changes to this bug.