Closed Bug 1310116 Opened 3 years ago Closed 3 years ago

Crash in WaitPidDaemonThread (misattributed to _pt_root)

Categories

(Core :: Security: Process Sandboxing, defect, critical)

52 Branch
x86
Linux
defect
Not set
critical

RESOLVED FIXED
mozilla52
Tracking Status
firefox52 + fixed

People

(Reporter: 6lobe, Unassigned)

Details

(Keywords: crash, crashreportid, Whiteboard: nightly-community, sblc2)

Attachments

(1 file)

This bug was filed from the Socorro interface and is report bp-c4c2e4e1-954d-444a-84b5-e6ec32161014.
=============================================================

STR:

Open https://upload.wikimedia.org/wikipedia/commons/9/9f/BayeuxTapestryScene39.jpg

Drag image with mouse pointer, results in crash.
Whiteboard: nightly-community
Here is the regression range:

INFO: Last good revision: 3e9a2031152fa07b088d0cb5e168eb53a2c882c0
INFO: First bad revision: c838d2546cadd65bf8d5579db20a268c8b6e4b87
INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=3e9a2031152fa07b088d0cb5e168eb53a2c882c0&tochange=c838d2546cadd65bf8d5579db20a268c8b6e4b87

INFO: Looks like the following bug has the changes which introduced the regression:
https://bugzilla.mozilla.org/show_bug.cgi?id=1289718
Blocks: 1289718
Has Regression Range: --- → yes
Has STR: --- → yes
Component: Untriaged → Security: Process Sandboxing
[Tracking Requested - why for this release]: Regression
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(gpascutto)
Keywords: crash, crashreportid
Version: 51 Branch → 52 Branch
This is waitpid(), which we never whitelisted (because it can't clone/fork() anything to wait on anyway). Not clear why file brokering makes this show up, 

I remember we had a discussion about wait4 with a similar useless stack in NSPR.
Flags: needinfo?(gpascutto)
Tracking 52+, recent security sandboxing crash regression.
(In reply to Gian-Carlo Pascutto [:gcp] from comment #3)
> I remember we had a discussion about wait4 with a similar useless stack in NSPR.

Bug 1299581, which also explains why the crash signature is wrong/unhelpful here — the crash is really in WaitPidDaemonThread[*] and the actual root cause is bug 227246.

[*] http://searchfox.org/mozilla-central/rev/d96317a351af8aa78ab9847e7feed964bbaac7d7/nsprpub/pr/src/md/unix/uxproces.c#648
I can't reproduce this, though. Tried loading that URL, dragging, dragging outside the window...

Reporter, does this also happen on a clean profile?
Flags: needinfo?(6lobe)
Yes, this happens on a clean profile.
Flags: needinfo?(6lobe)
Which distribution are you using? (The exact libc version/build is of interest)
Flags: needinfo?(6lobe)
Jed points out this is specific to 32-bit: wait4 is whitelisted: http://searchfox.org/mozilla-central/source/security/sandbox/linux/SandboxFilter.cpp#721

but waitpid isn't, which may be used by 32-bit libc.
https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/waitpid.c;h=9de9ce1d51e873838a7c1f491ed819d7a72e82a1;hb=HEAD

waitpid() uses the waitpid syscall if it exists, but it doesn't exist on x86_64 because it's a subset of wait4 (and x86_64 is new enough that wait4 has always existed, or something like that).

If we'd had a test that tries to do nsIProcess or something in a content process we would've caught this… but I'm also a little surprised that nothing in our entire test suite managed to hit this via invoking the MIME service or whatever is going on in the STR in comment #0.
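Added example (not part of the bug thread and not Mozilla's code): a small C model of the allowlist gap described in the comments above, auditing which syscall a libc wrapper ends up issuing on each architecture against a name-based allowlist. The syscall numbers are the kernel's i386 and x86_64 values; the wrapper fallback order models the glibc behaviour described in the thread, and `POLICY_BEFORE`/`POLICY_AFTER`, `audit_wrapper` and the other names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

enum arch { ARCH_I386, ARCH_X86_64, ARCH_COUNT };
static const char *const ARCH_NAME[ARCH_COUNT] = { "i386", "x86_64" };

/* Kernel syscall numbers per architecture; -1 means the syscall does not exist there. */
struct sys_entry { const char *name; int nr[ARCH_COUNT]; };
static const struct sys_entry SYSCALLS[] = {
    { "waitpid", {   7,  -1 } },
    { "wait4",   { 114,  61 } },
};

/* Model (assumption): a libc wrapper issues the first candidate syscall
   that exists on the running architecture. */
struct wrapper { const char *func; const char *candidates[3]; };
static const struct wrapper WRAPPERS[] = {
    { "waitpid", { "waitpid", "wait4", NULL } },
    { "wait4",   { "wait4",   NULL,    NULL } },
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

int syscall_nr(const char *name, enum arch a) {
    for (size_t i = 0; i < COUNT(SYSCALLS); i++)
        if (strcmp(SYSCALLS[i].name, name) == 0)
            return SYSCALLS[i].nr[a];
    return -1;
}

/* Name of the syscall the wrapper `func` really issues on architecture `a`. */
const char *issued_syscall(const char *func, enum arch a) {
    for (size_t i = 0; i < COUNT(WRAPPERS); i++) {
        if (strcmp(WRAPPERS[i].func, func) != 0) continue;
        for (size_t j = 0; j < 3 && WRAPPERS[i].candidates[j]; j++)
            if (syscall_nr(WRAPPERS[i].candidates[j], a) >= 0)
                return WRAPPERS[i].candidates[j];
    }
    return NULL;
}

int policy_allows(const char *const *allow, const char *name) {
    for (; *allow; allow++)
        if (strcmp(*allow, name) == 0) return 1;
    return 0;
}

/* Bitmask of architectures on which calling `func` would hit a denied syscall. */
unsigned audit_wrapper(const char *const *allow, const char *func) {
    unsigned denied = 0;
    for (int a = 0; a < ARCH_COUNT; a++) {
        const char *sc = issued_syscall(func, (enum arch)a);
        if (sc && !policy_allows(allow, sc)) denied |= 1u << a;
    }
    return denied;
}

/* Constructed policies: the allowlist as described before and after the fix. */
const char *const POLICY_BEFORE[] = { "wait4", NULL };
const char *const POLICY_AFTER[]  = { "wait4", "waitpid", NULL };

int main(void) {
    const char *const *policies[] = { POLICY_BEFORE, POLICY_AFTER };
    const char *labels[] = { "wait4 only", "wait4 + waitpid" };
    for (int p = 0; p < 2; p++) {
        unsigned denied = audit_wrapper(policies[p], "waitpid");
        for (int a = 0; a < ARCH_COUNT; a++)
            printf("%-16s %-7s waitpid() -> %-8s %s\n", labels[p], ARCH_NAME[a],
                   issued_syscall("waitpid", (enum arch)a),
                   (denied >> a) & 1 ? "DENIED" : "allowed");
    }
    return 0;
}
```

Running the same audit over every wrapper a sandboxed process is expected to call, for every architecture that ships, is the kind of check that surfaces a 32-bit-only gap without needing a 32-bit crash report.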
From the crash reports this happens on different versions of libc. I am on Ubuntu 16.10.
Flags: needinfo?(6lobe)
Crash is reproducible on a 32-bit system, as expected.

I made nsProcess crash when invoked from content:

Hit MOZ_CRASH(No RunProcess in content) at /home/morbo/hg/firefox/xpcom/threads/nsProcessCommon.cpp:435
#01: nsProcess::RunProcess(bool, char**, nsIObserver*, bool, bool) (/home/morbo/hg/firefox/xpcom/threads/nsProcessCommon.cpp:435)
#02: nsProcess::CopyArgsAndRunProcess(bool, char const**, unsigned int, nsIObserver*, bool) (/home/morbo/hg/firefox/xpcom/threads/nsProcessCommon.cpp:379)
#03: nsProcess::Run(bool, char const**, unsigned int) (/home/morbo/hg/firefox/xpcom/threads/nsProcessCommon.cpp:348)
#04: nsOSHelperAppService::GetHandlerAndDescriptionFromMailcapFile(nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, nsAString_internal&, nsAString_internal&, nsAString_internal&) (/home/morbo/hg/firefox/uriloader/exthandler/unix/nsOSHelperAppService.cpp:1091)
#05: nsOSHelperAppService::DoLookUpHandlerAndDescription(nsAString_internal const&, nsAString_internal const&, nsAString_internal&, nsAString_internal&, nsAString_internal&, bool) (/home/morbo/hg/firefox/uriloader/exthandler/unix/nsOSHelperAppService.cpp:913)
#06: nsOSHelperAppService::GetFromType(nsCString const&) (/home/morbo/hg/firefox/uriloader/exthandler/unix/nsOSHelperAppService.cpp:1399)
#07: nsOSHelperAppService::GetMIMEInfoFromOS(nsACString_internal const&, nsACString_internal const&, bool*) (/home/morbo/hg/firefox/uriloader/exthandler/unix/nsOSHelperAppService.cpp:1466)
#08: nsExternalHelperAppService::GetFromTypeAndExtension(nsACString_internal const&, nsACString_internal const&, nsIMIMEInfo**) (/home/morbo/hg/firefox/uriloader/exthandler/nsExternalHelperAppService.cpp:2636)
#09: DragDataProducer::Produce(mozilla::dom::DataTransfer*, bool*, nsISelection**, nsIContent**) (/home/morbo/hg/firefox/dom/base/nsContentAreaDragDrop.cpp:588)
#10: nsContentAreaDragDrop::GetDragData(nsPIDOMWindowOuter*, nsIContent*, nsIContent*, bool, mozilla::dom::DataTransfer*, bool*, nsISelection**, nsIContent**) (/home/morbo/hg/firefox/dom/base/nsContentAreaDragDrop.cpp:129)
#11: mozilla::EventStateManager::DetermineDragTargetAndDefaultData(nsPIDOMWindowOuter*, nsIContent*, mozilla::dom::DataTransfer*, nsISelection**, nsIContent**) (/home/morbo/hg/firefox/dom/events/EventStateManager.cpp:1860)
#12: mozilla::EventStateManager::GenerateDragGesture(nsPresContext*, mozilla::WidgetMouseEvent*) (/home/morbo/hg/firefox/dom/events/EventStateManager.cpp:1762)
#13: mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*) (/home/morbo/hg/firefox/dom/events/EventStateManager.cpp:711)
#14: PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*, bool) (/home/morbo/hg/firefox/layout/base/nsPresShell.cpp:8228)
#15: PresShell::HandlePositionedEvent(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*) (/home/morbo/hg/firefox/layout/base/nsPresShell.cpp:8069)
#16: PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*, nsIContent**) (/home/morbo/hg/firefox/layout/base/nsPresShell.cpp:7855)
#17: nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) (/home/morbo/hg/firefox/view/nsViewManager.cpp:815)
#18: nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) (/home/morbo/hg/firefox/view/nsView.cpp:1117)
#19: mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) (/home/morbo/hg/firefox/widget/PuppetWidget.cpp:357)
#20: mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) (/home/morbo/hg/firefox/gfx/layers/apz/util/APZCCallbackHelper.cpp:471)
#21: mozilla::dom::TabChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long long const&) (/home/morbo/hg/firefox/dom/ipc/TabChild.cpp:1897)
#22: mozilla::dom::TabChild::RecvRealMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long long const&) (/home/morbo/hg/firefox/dom/ipc/TabChild.cpp:1862)
#23: mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) (/home/morbo/hg/firefox/obj-i686-pc-linux-gnu/ipc/ipdl/PBrowserChild.cpp:3650)
#24: mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) (/home/morbo/hg/firefox/obj-i686-pc-linux-gnu/ipc/ipdl/PContentChild.cpp:6398)
#25: mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) (/home/morbo/hg/firefox/ipc/glue/MessageChannel.cpp:1672)
#26: mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) (/home/morbo/hg/firefox/ipc/glue/MessageChannel.cpp:1610)
#27: mozilla::ipc::MessageChannel::OnMaybeDequeueOne() (/home/morbo/hg/firefox/ipc/glue/MessageChannel.cpp:1577)
#28: decltype (((*{parm#1}).*{parm#2})()) mozilla::detail::RunnableMethodArguments<>::applyImpl<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()>(mozilla::ipc::MessageChannel*, bool (mozilla::ipc::MessageChannel::*)(), mozilla::Tuple<>&, mozilla::IndexSequence<>) (/home/morbo/hg/firefox/obj-i686-pc-linux-gnu/dist/include/nsThreadUtils.h:729 (discriminator 4))
#29: decltype (applyImpl({parm#1}, {parm#2}, (*this).mArguments, (mozilla::IndexSequence<>)())) mozilla::detail::RunnableMethodArguments<>::apply<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()>(mozilla::ipc::MessageChannel*, bool (mozilla::ipc::MessageChannel::*)()) (/home/morbo/hg/firefox/obj-i686-pc-linux-gnu/dist/include/nsThreadUtils.h:736)
#30: mozilla::detail::RunnableMethodImpl<bool (mozilla::ipc::MessageChannel::*)(), false, true>::Run() (/home/morbo/hg/firefox/obj-i686-pc-linux-gnu/dist/include/nsThreadUtils.h:764)
#31: mozilla::ipc::MessageChannel::RefCountedTask::Run() (/home/morbo/hg/firefox/obj-i686-pc-linux-gnu/dist/include/mozilla/ipc/MessageChannel.h:540)
#32: mozilla::ipc::MessageChannel::DequeueTask::Run() (/home/morbo/hg/firefox/obj-i686-pc-linux-gnu/dist/include/mozilla/ipc/MessageChannel.h:559)
#33: nsThread::ProcessNextEvent(bool, bool*) (/home/morbo/hg/firefox/xpcom/threads/nsThread.cpp:1082)
#34: NS_ProcessNextEvent(nsIThread*, bool) (/home/morbo/hg/firefox/xpcom/glue/nsThreadUtils.cpp:290)
#35: mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (/home/morbo/hg/firefox/ipc/glue/MessagePump.cpp:124)
#36: mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) (/home/morbo/hg/firefox/ipc/glue/MessagePump.cpp:301)
#37: MessageLoop::RunInternal() (/home/morbo/hg/firefox/ipc/chromium/src/base/message_loop.cc:232)
#38: MessageLoop::RunHandler() (/home/morbo/hg/firefox/ipc/chromium/src/base/message_loop.cc:225)
#39: MessageLoop::Run() (/home/morbo/hg/firefox/ipc/chromium/src/base/message_loop.cc:205)
#40: nsBaseAppShell::Run() (/home/morbo/hg/firefox/widget/nsBaseAppShell.cpp:156)
#41: XRE_RunAppShell (/home/morbo/hg/firefox/toolkit/xre/nsEmbedFunctions.cpp:869)
#42: mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) (/home/morbo/hg/firefox/ipc/glue/MessagePump.cpp:269)
#43: MessageLoop::RunInternal() (/home/morbo/hg/firefox/ipc/chromium/src/base/message_loop.cc:232)
#44: MessageLoop::RunHandler() (/home/morbo/hg/firefox/ipc/chromium/src/base/message_loop.cc:225)
#45: MessageLoop::Run() (/home/morbo/hg/firefox/ipc/chromium/src/base/message_loop.cc:205)
#46: XRE_InitChildProcess (/home/morbo/hg/firefox/toolkit/xre/nsEmbedFunctions.cpp:701)
#47: content_process_main(int, char**) (/home/morbo/hg/firefox/ipc/app/../contentproc/plugin-container.cpp:197)
#48: main (/home/morbo/hg/firefox/ipc/app/MozillaRuntimeMain.cpp:18)

Program /home/morbo/hg/firefox/obj-i686-pc-linux-gnu/dist/bin/plugin-container (pid = 12562) received signal 11.
Stack:
#01: js::UnixExceptionHandler(int, siginfo_t*, void*) (/home/morbo/hg/firefox/js/src/ds/MemoryProtectionExceptionHandler.cpp:256)
#02: ??? (???:???)
#03: nsProcess::CopyArgsAndRunProcess(bool, char const**, unsigned int, nsIObserver*, bool) (/home/morbo/hg/firefox/xpcom/threads/nsProcessCommon.cpp:379)
#04: nsProcess::Run(bool, char const**, unsigned int) (/home/morbo/hg/firefox/xpcom/threads/nsProcessCommon.cpp:348)
#05: nsOSHelperAppService::GetHandlerAndDescriptionFromMailcapFile(nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, nsAString_internal&, nsAString_internal&, nsAString_internal&) (/home/morbo/hg/firefox/uriloader/exthandler/unix/nsOSHelperAppService.cpp:1091)
#06: nsOSHelperAppService::DoLookUpHandlerAndDescription(nsAString_internal const&, nsAString_internal const&, nsAString_internal&, nsAString_internal&, nsAString_internal&, bool) (/home/morbo/hg/firefox/uriloader/exthandler/unix/nsOSHelperAppService.cpp:913)
#07: nsOSHelperAppService::GetFromType(nsCString const&) (/home/morbo/hg/firefox/uriloader/exthandler/unix/nsOSHelperAppService.cpp:1399)
#08: nsOSHelperAppService::GetMIMEInfoFromOS(nsACString_internal const&, nsACString_internal const&, bool*) (/home/morbo/hg/firefox/uriloader/exthandler/unix/nsOSHelperAppService.cpp:1466)

###!!! [Parent][MessageChannel] Error: (msgtype=0x300072,name=PBrowser::Msg_RealMouseMoveEvent) Channel error: cannot send/recv

#09: nsExternalHelperAppService::GetFromTypeAndExtension(nsACString_internal const&, nsACString_internal const&, nsIMIMEInfo**) (/home/morbo/hg/firefox/uriloader/exthandler/nsExternalHelperAppService.cpp:2636)
#10: DragDataProducer::Produce(mozilla::dom::DataTransfer*, bool*, nsISelection**, nsIContent**) (/home/morbo/hg/firefox/dom/base/nsContentAreaDragDrop.cpp:588)
#11: nsContentAreaDragDrop::GetDragData(nsPIDOMWindowOuter*, nsIContent*, nsIContent*, bool, mozilla::dom::DataTransfer*, bool*, nsISelection**, nsIContent**) (/home/morbo/hg/firefox/dom/base/nsContentAreaDragDrop.cpp:129)
#12: mozilla::EventStateManager::DetermineDragTargetAndDefaultData(nsPIDOMWindowOuter*, nsIContent*, mozilla::dom::DataTransfer*, nsISelection**, nsIContent**) (/home/morbo/hg/firefox/dom/events/EventStateManager.cpp:1860)
#13: mozilla::EventStateManager::GenerateDragGesture(nsPresContext*, mozilla::WidgetMouseEvent*) (/home/morbo/hg/firefox/dom/events/EventStateManager.cpp:1762)
#14: mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*) (/home/morbo/hg/firefox/dom/events/EventStateManager.cpp:711)
#15: PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*, bool) (/home/morbo/hg/firefox/layout/base/nsPresShell.cpp:8228)
#16: PresShell::HandlePositionedEvent(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*) (/home/morbo/hg/firefox/layout/base/nsPresShell.cpp:8069)
#17: PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*, nsIContent**) (/home/morbo/hg/firefox/layout/base/nsPresShell.cpp:7855)
#18: nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) (/home/morbo/hg/firefox/view/nsViewManager.cpp:815)
#19: nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) (/home/morbo/hg/firefox/view/nsView.cpp:1117)

###!!! [Parent][MessageChannel] Error: (msgtype=0x300072,name=PBrowser::Msg_RealMouseMoveEvent) Channel error: cannot send/recv

#20: mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) (/home/morbo/hg/firefox/widget/PuppetWidget.cpp:357)
#21: mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) (/home/morbo/hg/firefox/gfx/layers/apz/util/APZCCallbackHelper.cpp:471)
#22: mozilla::dom::TabChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long long const&) (/home/morbo/hg/firefox/dom/ipc/TabChild.cpp:1897)
#23: mozilla::dom::TabChild::RecvRealMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long long const&) (/home/morbo/hg/firefox/dom/ipc/TabChild.cpp:1862)
#24: mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) (/home/morbo/hg/firefox/obj-i686-pc-linux-gnu/ipc/ipdl/PBrowserChild.cpp:3650)
#25: mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) (/home/morbo/hg/firefox/obj-i686-pc-linux-gnu/ipc/ipdl/PContentChild.cpp:6398)
#26: mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) (/home/morbo/hg/firefox/ipc/glue/MessageChannel.cpp:1672)
#27: mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) (/home/morbo/hg/firefox/ipc/glue/MessageChannel.cpp:1610)

###!!! [Parent][MessageChannel] Error: (msgtype=0x300072,name=PBrowser::Msg_RealMouseMoveEvent) Channel error: cannot send/recv

#28: mozilla::ipc::MessageChannel::OnMaybeDequeueOne() (/home/morbo/hg/firefox/ipc/glue/MessageChannel.cpp:1577)
#29: decltype (((*{parm#1}).*{parm#2})()) mozilla::detail::RunnableMethodArguments<>::applyImpl<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()>(mozilla::ipc::MessageChannel*, bool (mozilla::ipc::MessageChannel::*)(), mozilla::Tuple<>&, mozilla::IndexSequence<>) (/home/morbo/hg/firefox/obj-i686-pc-linux-gnu/dist/include/nsThreadUtils.h:729 (discriminator 4))
#30: decltype (applyImpl({parm#1}, {parm#2}, (*this).mArguments, (mozilla::IndexSequence<>)())) mozilla::detail::RunnableMethodArguments<>::apply<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()>(mozilla::ipc::MessageChannel*, bool (mozilla::ipc::MessageChannel::*)()) (/home/morbo/hg/firefox/obj-i686-pc-linux-gnu/dist/include/nsThreadUtils.h:736)
#31: mozilla::detail::RunnableMethodImpl<bool (mozilla::ipc::MessageChannel::*)(), false, true>::Run() (/home/morbo/hg/firefox/obj-i686-pc-linux-gnu/dist/include/nsThreadUtils.h:764)
#32: mozilla::ipc::MessageChannel::RefCountedTask::Run() (/home/morbo/hg/firefox/obj-i686-pc-linux-gnu/dist/include/mozilla/ipc/MessageChannel.h:540)
#33: mozilla::ipc::MessageChannel::DequeueTask::Run() (/home/morbo/hg/firefox/obj-i686-pc-linux-gnu/dist/include/mozilla/ipc/MessageChannel.h:559)
#34: nsThread::ProcessNextEvent(bool, bool*) (/home/morbo/hg/firefox/xpcom/threads/nsThread.cpp:1082)
#35: NS_ProcessNextEvent(nsIThread*, bool) (/home/morbo/hg/firefox/xpcom/glue/nsThreadUtils.cpp:290)
#36: mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (/home/morbo/hg/firefox/ipc/glue/MessagePump.cpp:124)

###!!! [Parent][MessageChannel] Error: (msgtype=0x300072,name=PBrowser::Msg_RealMouseMoveEvent) Channel error: cannot send/recv

#37: mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) (/home/morbo/hg/firefox/ipc/glue/MessagePump.cpp:301)
#38: MessageLoop::RunInternal() (/home/morbo/hg/firefox/ipc/chromium/src/base/message_loop.cc:232)
#39: MessageLoop::RunHandler() (/home/morbo/hg/firefox/ipc/chromium/src/base/message_loop.cc:225)
#40: MessageLoop::Run() (/home/morbo/hg/firefox/ipc/chromium/src/base/message_loop.cc:205)
#41: nsBaseAppShell::Run() (/home/morbo/hg/firefox/widget/nsBaseAppShell.cpp:156)
#42: XRE_RunAppShell (/home/morbo/hg/firefox/toolkit/xre/nsEmbedFunctions.cpp:869)
#43: mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) (/home/morbo/hg/firefox/ipc/glue/MessagePump.cpp:269)
#44: MessageLoop::RunInternal() (/home/morbo/hg/firefox/ipc/chromium/src/base/message_loop.cc:232)
#45: MessageLoop::RunHandler() (/home/morbo/hg/firefox/ipc/chromium/src/base/message_loop.cc:225)

###!!! [Parent][MessageChannel] Error: (msgtype=0x300072,name=PBrowser::Msg_RealMouseMoveEvent) Channel error: cannot send/recv

#46: MessageLoop::Run() (/home/morbo/hg/firefox/ipc/chromium/src/base/message_loop.cc:205)
#47: XRE_InitChildProcess (/home/morbo/hg/firefox/toolkit/xre/nsEmbedFunctions.cpp:701)
#48: content_process_main(int, char**) (/home/morbo/hg/firefox/ipc/app/../contentproc/plugin-container.cpp:197)
#49: main (/home/morbo/hg/firefox/ipc/app/MozillaRuntimeMain.cpp:18)
This is similar to bug 1292249. nsExternalHelperAppService::GetTypeFromFile vs nsExternalHelperAppService::GetFromTypeAndExtension
Do note that this isn't only about dragging and dropping files.

Panning in certain map applications also causes this crash. For example: https://www.mapquest.com/
(In reply to 6lobe from comment #14)
> Do note that this isn't only about dragging and dropping files.
> 
> Panning in certain map applications also causes this crash. For example:
> https://www.mapquest.com/

Panning is the same as a drag and drop, the crash comes from (almost) the same source:

Assertion failure: !XRE_IsContentProcess() (No launching of new processes in the content process.), at /home/morbo/hg/firefox/xpcom/threads/nsProcessCommon.cpp:435
#01: nsProcess::RunProcess(bool, char**, nsIObserver*, bool, bool) (/home/morbo/hg/firefox/xpcom/threads/nsProcessCommon.cpp:434 (discriminator 1))
#02: nsProcess::CopyArgsAndRunProcess(bool, char const**, unsigned int, nsIObserver*, bool) (/home/morbo/hg/firefox/xpcom/threads/nsProcessCommon.cpp:379)
#03: nsProcess::Run(bool, char const**, unsigned int) (/home/morbo/hg/firefox/xpcom/threads/nsProcessCommon.cpp:348)
#04: nsOSHelperAppService::GetHandlerAndDescriptionFromMailcapFile(nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, nsAString_internal&, nsAString_internal&, nsAString_internal&) (/home/morbo/hg/firefox/uriloader/exthandler/unix/nsOSHelperAppService.cpp:1091)
#05: nsOSHelperAppService::DoLookUpHandlerAndDescription(nsAString_internal const&, nsAString_internal const&, nsAString_internal&, nsAString_internal&, nsAString_internal&, bool) (/home/morbo/hg/firefox/uriloader/exthandler/unix/nsOSHelperAppService.cpp:913)
#06: nsOSHelperAppService::GetFromType(nsCString const&) (/home/morbo/hg/firefox/uriloader/exthandler/unix/nsOSHelperAppService.cpp:1399)
#07: nsOSHelperAppService::GetMIMEInfoFromOS(nsACString_internal const&, nsACString_internal const&, bool*) (/home/morbo/hg/firefox/uriloader/exthandler/unix/nsOSHelperAppService.cpp:1466)
#08: nsExternalHelperAppService::GetFromTypeAndExtension(nsACString_internal const&, nsACString_internal const&, nsIMIMEInfo**) (/home/morbo/hg/firefox/uriloader/exthandler/nsExternalHelperAppService.cpp:2636)
#09: DragDataProducer::Produce(mozilla::dom::DataTransfer*, bool*, nsISelection**, nsIContent**) (/home/morbo/hg/firefox/dom/base/nsContentAreaDragDrop.cpp:588)
#10: nsContentAreaDragDrop::GetDragData(nsPIDOMWindowOuter*, nsIContent*, nsIContent*, bool, mozilla::dom::DataTransfer*, bool*, nsISelection**, nsIContent**) (/home/morbo/hg/firefox/dom/base/nsContentAreaDragDrop.cpp:129)
Comment on attachment 8804393 [details]
Bug 1310116 - Allow waitpid but warn on creating processes in content.

https://reviewboard.mozilla.org/r/88392/#review87442
Attachment #8804393 - Flags: review?(jld) → review+
Whiteboard: nightly-community → nightly-community, sblc2
https://hg.mozilla.org/mozilla-central/rev/15775247c226
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Summary: Crash in _pt_root → Crash in WaitPidDaemonThread (misattributed to _pt_root)