YouTube Tab Crash on macOS 10.11 in mozilla::PRemoteDecoderManagerChild::SendPRemoteDecoderConstructor
Categories
(Core :: Security: Process Sandboxing, defect, P1)
Tracking
()
People
(Reporter: haik, Assigned: haik)
References
Details
(Keywords: crash)
Crash Data
Attachments
(1 file)
When viewing a YouTube video on macOS 10.11 on a MacBook Air (11-inch, Early 2015), I'm hitting the following crash.
Firefox 68.0a1 Crash Report [@ mozilla::ipc::FatalError | mozilla::ipc::IProtocol::HandleFatalError | mozilla::PRemoteDecoderManagerChild::SendPRemoteDecoderConstructor ]
https://crash-stats.mozilla.org/report/index/171eb2b8-d884-48ac-8d51-6c0010190329
This appears to a regression introduced by my recent fix for Bug 1525086 just landed in 68.
Workaround:
Set security.sandbox.rdd.mac.earlyinit to false in about:config and restart.
|
Assignee | |
Updated•6 years ago
|
|
|
Assignee | |
Comment 1•6 years ago
|
||
I plan to land a patch to set the pref security.sandbox.rdd.mac.earlyinit to false to disable early start of the RDD sandbox (bug 1525086) while I spend more time working on a fix.
On 10.11, the call "[NSApplication class]" from nsAppShell::Init() is triggering filesystem activity and a crash.
widget/cocoa/nsAppShell.mm:
nsresult nsAppShell::Init() {
...
if (!gAppShellMethodsSwizzled) {
// We should only replace the original terminate: method if we're not
// running in a Cocoa embedder. See bug 604901.
if (!mRunningCocoaEmbedded) {
nsToolkit::SwizzleMethods([NSApplication class], @selector(terminate:),
@selector(nsAppShell_NSApplication_terminate:));
}
gAppShellMethodsSwizzled = true;
}
...
}
Crashing stack:
(lldb) bt
* thread #1: tid = 0x5dcbb, 0x00007fff901a7f06 libsystem_kernel.dylib`__pthread_kill + 10, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
* frame #0: 0x00007fff901a7f06 libsystem_kernel.dylib`__pthread_kill + 10
frame #1: 0x00007fff959754ec libsystem_pthread.dylib`pthread_kill + 90
frame #2: 0x00007fff824626df libsystem_c.dylib`abort + 129
frame #3: 0x00007fff852cbb31 libc++abi.dylib`abort_message + 257
frame #4: 0x00007fff852f1e07 libc++abi.dylib`default_terminate_handler() + 267
frame #5: 0x00007fff844c16ae libobjc.A.dylib`_objc_terminate() + 103
frame #6: 0x00007fff852eeffe libc++abi.dylib`std::__terminate(void (*)()) + 8
frame #7: 0x00007fff852ef073 libc++abi.dylib`std::terminate() + 51
frame #8: 0x00007fff844c143f libobjc.A.dylib`objc_terminate + 9
frame #9: 0x00007fff80e6641f libdispatch.dylib`_dispatch_client_callout + 28
frame #10: 0x00007fff80e66303 libdispatch.dylib`dispatch_once_f + 67
frame #11: 0x00007fff940321a9 AppKit`+[NSAppearance _defaultAppearance] + 22
frame #12: 0x00007fff94032037 AppKit`+[NSAppearance appearanceNamed:] + 24
frame #13: 0x00007fff940318ea AppKit`+[NSWindow initialize] + 166
frame #14: 0x00007fff844b53c8 libobjc.A.dylib`_class_initialize + 711
frame #15: 0x00007fff844b4d08 libobjc.A.dylib`lookUpImpOrForward + 179
frame #16: 0x00007fff844af591 libobjc.A.dylib`objc_msgSend + 209
frame #17: 0x00007fff940314e9 AppKit`+[NSApplication initialize] + 719
frame #18: 0x00007fff844b53c8 libobjc.A.dylib`_class_initialize + 711
frame #19: 0x00007fff844b4d08 libobjc.A.dylib`lookUpImpOrForward + 179
frame #20: 0x00007fff844af591 libobjc.A.dylib`objc_msgSend + 209
frame #21: 0x000000010b3c2555 XUL`nsAppShell::Init(this=0x0000000125d6edc0) + 2581 at nsAppShell.mm:359
frame #22: 0x000000010b419e02 XUL`nsAppShellInit() + 162 at nsAppShellSingleton.h:42
frame #23: 0x0000000105ee0306 XUL`nsComponentManagerImpl::KnownModule::Load(this=0x0000000125da90a0) + 342 at nsComponentManager.cpp:924
frame #24: 0x0000000105ee5343 XUL`nsFactoryEntry::GetFactory(this=0x0000000125da20c0) + 131 at nsComponentManager.cpp:1875
frame #25: 0x0000000105ee574f XUL`nsFactoryEntry::CreateInstance(this=0x0000000125da20c0, aOuter=0x0000000000000000, aIID=0x0000000111f70f0c, aResult=0x00007fff5a31d9a0) + 47 at nsComponentManager.cpp:1907
frame #26: 0x0000000105eea632 XUL`(anonymous namespace)::EntryWrapper::CreateInstance(this=0x00007fff5a31da40, aOuter=0x0000000000000000, aIID=0x0000000111f70f0c, aResult=0x00007fff5a31d9a0) + 82 at nsComponentManager.cpp:217
frame #27: 0x0000000105ee24a5 XUL`nsComponentManagerImpl::GetServiceLocked(this=0x0000000125da6080, aLock=0x00007fff5a31da30, aEntry=0x00007fff5a31da40, aIID=0x0000000111f70f0c, aResult=0x00007fff5a31daf8)::MutexLock&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) + 757 at nsComponentManager.cpp:1401
frame #28: 0x0000000105edcf8a XUL`nsComponentManagerImpl::GetService(this=0x0000000125da6080, aClass=0x000000011225bb18, aIID=0x0000000111f70f0c, aResult=0x00007fff5a31daf8) + 186 at nsComponentManager.cpp:1453
frame #29: 0x0000000105ee660e XUL`CallGetService(aCID=0x000000011225bb18, aIID=0x0000000111f70f0c, aResult=0x00007fff5a31daf8) + 78 at nsComponentManagerUtils.cpp:51
frame #30: 0x0000000105ee6b88 XUL`nsGetServiceByCID::operator(this=0x00007fff5a31db00, aIID=0x0000000111f70f0c, aInstancePtr=0x00007fff5a31daf8)(nsID const&, void**) const + 40 at nsComponentManagerUtils.cpp:220
frame #31: 0x0000000105db334e XUL`nsCOMPtr_base::assign_from_gs_cid(this=0x00007fff5a31dbf0, aGS=const nsGetServiceByCID @ 0x00007fff5a31db00, aIID=0x0000000111f70f0c) + 62 at nsCOMPtr.cpp:64
frame #32: 0x00000001085de3dd XUL`nsCOMPtr<nsIAppShell>::nsCOMPtr(this=0x00007fff5a31dbf0, aGS=const nsGetServiceByCID @ 0x00007fff5a31db40) + 109 at nsCOMPtr.h:591
frame #33: 0x00000001085ced9d XUL`nsCOMPtr<nsIAppShell>::nsCOMPtr(this=0x00007fff5a31dbf0, aGS=const nsGetServiceByCID @ 0x00007fff5a31db68) + 29 at nsCOMPtr.h:588
frame #34: 0x000000010e168316 XUL`XRE_RunAppShell() + 54 at nsEmbedFunctions.cpp:881
frame #35: 0x0000000106a85b59 XUL`mozilla::ipc::MessagePumpForChildProcess::Run(this=0x0000000125d65ce0, aDelegate=0x00007fff5a31e0a0) + 57 at MessagePump.cpp:238
frame #36: 0x000000010695ba01 XUL`MessageLoop::RunInternal(this=0x00007fff5a31e0a0) + 81 at message_loop.cc:315
frame #37: 0x000000010695b985 XUL`MessageLoop::RunHandler(this=0x00007fff5a31e0a0) + 21 at message_loop.cc:308
frame #38: 0x000000010695b907 XUL`MessageLoop::Run(this=0x00007fff5a31e0a0) + 55 at message_loop.cc:290
frame #39: 0x000000010e167b2f XUL`XRE_InitChildProcess(aArgc=10, aArgv=0x00007fff5a31e390, aChildData=0x00007fff5a31e320) + 4015 at nsEmbedFunctions.cpp:762
frame #40: 0x000000010e1749b7 XUL`mozilla::BootstrapImpl::XRE_InitChildProcess(this=0x0000000125d10150, argc=13, argv=0x00007fff5a31e390, aChildData=0x00007fff5a31e320) + 39 at Bootstrap.cpp:67
frame #41: 0x00000001058e244b plugin-container`content_process_main(bootstrap=0x0000000125d10150, argc=13, argv=0x00007fff5a31e390) + 123 at plugin-container.cpp:56
frame #42: 0x00000001058e2530 plugin-container`main(argc=14, argv=0x00007fff5a31e390) + 112 at MozillaRuntimeMain.cpp:23
frame #43: 0x00007fff862c35ad libdyld.dylib`start + 1
|
|
Assignee | |
Comment 2•6 years ago
|
||
Verified this bug doesn't occur on 10.9, 10.10, 10.12, 10.13, or 10.13. Just 10.11.
|
|
Assignee | |
Comment 3•6 years ago
|
||
Disable early sandbox init for the RDD Mac process until the 10.11 crash is resolved.
|
|
Assignee | |
Updated•6 years ago
|
|
||
Comment 5•6 years ago
|
||
| bugherder | ||
|
||
Updated•6 years ago
|
|
|
||
Updated•6 years ago
|
|
|
||
Updated•6 years ago
|
|
|
||
Comment 6•6 years ago
|
||
We do have some crashes on beta with this signature but the fix for the change in Bug 1525086 sets a pref we don't have on beta, so no easy uplift possible for the few beta crashes, wontfix 67.
|
|
Assignee | |
Comment 7•6 years ago
|
||
(In reply to Pascal Chevrel:pascalc from comment #6)
We do have some crashes on beta with this signature but the fix for the change in Bug 1525086 sets a pref we don't have on beta, so no easy uplift possible for the few beta crashes, wontfix 67.
The problem addressed by this bug is only in 68 so any signatures in Beta/67 wouldn't be caused by the same problem.
|
|
||
Comment 8•6 years ago
|
||
(In reply to Haik Aftandilian [:haik] from comment #7)
(In reply to Pascal Chevrel:pascalc from comment #6)
We do have some crashes on beta with this signature but the fix for the change in Bug 1525086 sets a pref we don't have on beta, so no easy uplift possible for the few beta crashes, wontfix 67.
The problem addressed by this bug is only in 68 so any signatures in Beta/67 wouldn't be caused by the same problem.
Should we file a separate bug for the crashes on beta then?
|
|
Assignee | |
Comment 9•6 years ago
|
||
(In reply to Pascal Chevrel:pascalc from comment #8)
(In reply to Haik Aftandilian [:haik] from comment #7)
(In reply to Pascal Chevrel:pascalc from comment #6)
We do have some crashes on beta with this signature but the fix for the change in Bug 1525086 sets a pref we don't have on beta, so no easy uplift possible for the few beta crashes, wontfix 67.
The problem addressed by this bug is only in 68 so any signatures in Beta/67 wouldn't be caused by the same problem.
Should we file a separate bug for the crashes on beta then?
See bug 1535335. It has the same signature and is being debugged.
Description
•