Closed
Bug 1309958
Opened 8 years ago
Closed 8 years ago
Crash while running nsPluginInstanceOwner::GetNetscapeWindow during InterruptCallback
Categories
(Core Graveyard :: Plug-ins, defect)
Tracking
(firefox49 unaffected, firefox-esr45 unaffected, firefox50 unaffected, firefox51 unaffected, firefox52+ fixed)
RESOLVED
FIXED
mozilla52
Tracking | Status | |
---|---|---|
firefox49 | --- | unaffected |
firefox-esr45 | --- | unaffected |
firefox50 | --- | unaffected |
firefox51 | --- | unaffected |
firefox52 | + | fixed |
People
(Reporter: mccr8, Assigned: billm)
References
Details
(4 keywords)
Crash Data
Attachments
(1 file)
2.19 KB,
patch
|
mrbkap
:
review+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is report bp-0dc31218-8fe0-4d77-9759-99f602161013. ============================================================= I did a search on crash stats for MOZ_CRASH reason of MOZ_RELEASE_ASSERT(rt->allowGCBarriers()), and this is one of the top hits. Lots of URLs on plugin-related sites. It looks like the interrupt callback calls nsIDocument::EnumerateActivityObservers(void (*)(nsISupports*, void*), void*), which ends up in nsPluginInstanceOwner::GetNetscapeWindow(void*), which then tries to send a sync message to the parent, and the reply is somehow via PJavaScriptChild::OnMessageReceived which ends up in nsWrapperCache::GetWrapper() which hits the assert.
Reporter | ||
Comment 1•8 years ago
|
||
I see 83 of these crashes in the last week (this signature, with that release assert).
Reporter | ||
Updated•8 years ago
|
Flags: needinfo?(wmccloskey)
Reporter | ||
Comment 2•8 years ago
|
||
It looks like [@ SandboxPrivate::GetGlobalJSObject ] is a less common variation on this crash. There are only 7 of these crashes, and they are almost all from a single install time, but they have the same basic pattern of a call into GetNetscapeWindow ending up in PJavaScriptChild::OnMessageReceived.
Crash Signature: [@ nsWrapperCache::GetWrapper] → [@ nsWrapperCache::GetWrapper] [@ SandboxPrivate::GetGlobalJSObject ]
Reporter | ||
Updated•8 years ago
|
Summary: Crash in nsWrapperCache::GetWrapper during InterruptCallback → Crash while running nsPluginInstanceOwner::GetNetscapeWindow during InterruptCallback
Reporter | ||
Comment 3•8 years ago
|
||
[Tracking Requested - why for this release]: This is the number 3 top crash on Nightly Windows for 10-13.
status-firefox49:
--- → unaffected
status-firefox50:
--- → unaffected
status-firefox51:
--- → unaffected
status-firefox52:
--- → affected
status-firefox-esr45:
--- → unaffected
tracking-firefox52:
--- → ?
Keywords: topcrash,
topcrash-win
Comment 4•8 years ago
|
||
One possible workaround may be not doing this if the page has a plugin instantiated on it? Generally it seems like we should have an assertion going off when getting to NotifyObservers() off of an interrupt callback. Basically arbitrary things can happen from that point on. :(
Reporter | ||
Updated•8 years ago
|
Component: JavaScript Engine → Plug-ins
Assignee | ||
Comment 6•8 years ago
|
||
The problem here is that we're sending a sync message during painting, and from there we can run CPOW requests. I think we should try to mark any sync messages sent during painting as nested(inside_cpow). That way we'll never process CPOWs while waiting for a response. Instead, the parent will process these messages while waiting for its CPOW response. (Note that nested(inside_cpow) used to be prio(urgent) until we changed the name.)
Assignee: nobody → wmccloskey
Status: NEW → ASSIGNED
Flags: needinfo?(wmccloskey)
Attachment #8801405 -
Flags: review?(mrbkap)
Updated•8 years ago
|
Attachment #8801405 -
Flags: review?(mrbkap) → review+
Pushed by wmccloskey@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/88b266698d18 Use urgent messages for stuff sent during painting (r=mrbkap)
Comment 9•8 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/88b266698d18
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Reporter | ||
Comment 10•8 years ago
|
||
This is another signature for this crash: bp-2efd8c50-d96f-40f3-8ce2-abf292161020 (From the Oct 19 Nightly which I'm pretty sure won't have the fix that landed in comment 9.)
Crash Signature: [@ nsWrapperCache::GetWrapper] [@ SandboxPrivate::GetGlobalJSObject ] → [@ nsWrapperCache::GetWrapper] [@ SandboxPrivate::GetGlobalJSObject ] [@ nsWrapperCache::GetWrapper const ]
Updated•7 years ago
|
Version: unspecified → Trunk
Updated•2 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•