Crash in [@ mozilla::ipc::ProcessLink::SendMessage | IPC_Message_Name=PWindowGlobal::Msg_RawMessage]
Categories
(Firefox :: Menus, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox71 | --- | unaffected |
| firefox72 | --- | fixed |
| firefox73 | --- | fixed |
People
(Reporter: gsvelto, Assigned: mconley)
References
(Regression)
Details
(Keywords: crash, regression)
Crash Data
This bug is for crash report bp-85df77ec-0024-49d4-ac2a-914ac0190824.
Top 10 frames of crashing thread:
0 libxul.so mozilla::ipc::ProcessLink::SendMessage ipc/glue/MessageLink.cpp:152
1 libxul.so mozilla::ipc::MessageChannel::Send ipc/glue/MessageChannel.cpp:1011
2 libxul.so mozilla::dom::PWindowGlobalChild::SendRawMessage ipc/ipdl/PWindowGlobalChild.cpp:71
3 libxul.so mozilla::dom::JSWindowActorChild::SendRawMessage dom/ipc/JSWindowActorChild.cpp:94
4 libxul.so mozilla::dom::JSWindowActor::QueryHandler::SendReply dom/ipc/JSWindowActor.cpp:325
5 libxul.so mozilla::dom::JSWindowActor::QueryHandler::ResolvedCallback dom/ipc/JSWindowActor.cpp:311
6 libxul.so mozilla::dom:: dom/promise/Promise.cpp:387
7 libxul.so mozilla::dom::NativeHandlerCallback dom/promise/Promise.cpp:340
8 libxul.so js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:539
9 libxul.so PromiseReactionJob js/src/builtin/Promise.cpp:1703
The raw crash reason is MOZ_CRASH(IPC message size is too large). All platforms seem to be affected.
|
||
Comment 1•6 years ago
•
|
||
This is caused by a sendQuery method replying with a very large message sent over JSWindowActors. The specific message which was sent isn't in the report IIRC, but there are only a few sendQuery messages in the wild right now. A quick search found only these (outside of test code):
As the reply is being sent from the child to the parent, we know that the message is one of the ones being sent from ContextMenuParent.jsm. There are 5 of them:
- ContextMenu:GetFrameTitle - https://searchfox.org/mozilla-central/rev/325c1a707819602feff736f129cb36055ba6d94f/browser/actors/ContextMenuChild.jsm#70
- The title of a document could be long, but probably not >= 256MB long
- ContextMenu:Canvas:ToBlobURL - https://searchfox.org/mozilla-central/rev/325c1a707819602feff736f129cb36055ba6d94f/browser/actors/ContextMenuChild.jsm#75
- Blob URL data is sent down in a stream, not directly inside the message, so this should be OK.
- ContextMenu:SaveVideoFrameAsImage - https://searchfox.org/mozilla-central/rev/325c1a707819602feff736f129cb36055ba6d94f/browser/actors/ContextMenuChild.jsm#227
- This might be the culprit. It serializes the image as a
data:URI, and then sends that over IPC. That URI could probably exceed 256MB in some situations, which could cause this crash.
- This might be the culprit. It serializes the image as a
- ContextMenu:SetAsDesktopBackground - https://searchfox.org/mozilla-central/rev/325c1a707819602feff736f129cb36055ba6d94f/browser/actors/ContextMenuChild.jsm#251
- Might also be the culprit. Serializes a canvas as a
data:URI and sends it over IPC. Possibly even more likely, as desktop backgrounds are often made to be very high resolution for fancy 8k displays?
- Might also be the culprit. Serializes a canvas as a
- ContextMenu:SearchFieldBookmarkData - https://searchfox.org/mozilla-central/rev/325c1a707819602feff736f129cb36055ba6d94f/browser/actors/ContextMenuChild.jsm#212
- Could be a culprit, but potentially less likely. If a very large amount of form data was present in a form the concatenated
postDatastring could theoretically exceed 256MB.
- Could be a culprit, but potentially less likely. If a very large amount of form data was present in a form the concatenated
ni? :mconley as I think this was likely caused by bug 1505909
|
Assignee | |
Comment 2•6 years ago
|
||
Yeah, we should probably use a Blob or something for the video frames and desktop backgrounds. Keeping the needinfo on myself to figure out how to get this moving.
|
||
Updated•6 years ago
|
|
|
Assignee | |
Updated•5 years ago
|
|
||
Comment 3•5 years ago
•
|
||
I just crashed with this signature when trying to capture a ~1 minute long profile, FWIW. (The crash happened shortly after I pressed Ctrl+Shift+2, after the tab opened that was analyzing/preparing my profile).
My crash report is bp-8efa5636-c34f-4571-9f6c-11cac0191121 and I was profiling the page https://data.firefox.com/dashboard/hardware with a window-length of 100s and a sample interval of 0.2s (and otherwise, fresh profile & default settings for the profiler installed from https://profiler.firefox.com )
|
||
Updated•5 years ago
|
|
||
Comment 4•5 years ago
|
||
if you get this issue while profiling make the window size smaller until the crash stops as a workaround,
|
||
Comment 5•5 years ago
|
||
(In reply to David Burns :automatedtester from comment #4)
if you get this issue while profiling make the window size smaller until the crash stops as a workaround,
Markus, is the profiler using IPC messages for screenshots?
|
||
Comment 6•5 years ago
|
||
No, but there's JS code that postMessage()s the array buffer with the serialized profile to the content process, as far as I know.
This bug is a grab bag of a bunch of different issues, we should have individual bugs for them.
|
||
Comment 7•5 years ago
|
||
I know for the message manager we reject large messages before we hit the IPC layer, and there's telemetry (REJECTED_MESSAGE_MANAGER_MESSAGE) that gives us the name of the message. See AllowMessage in dom/base/nsFrameMessageManager.cpp. Maybe we need something for JS window actors? It is a bit tricky to debug JS issues from C++ stacks.
|
|
||
Comment 8•5 years ago
|
||
REJECTED_MESSAGE_MANAGER_MESSAGE is long expired, but it was useful when investigating large message crashes in the run up to e10s release.
|
|
||
Comment 9•5 years ago
|
||
This shouldn't be an issue any more.
|
||
Updated•5 years ago
|
|
|
||
Updated•3 years ago
|
Description
•