Closed Bug 1599026 Opened 2 months ago Closed 2 months ago

Crash in [@ mozilla::ipc::WriteIPDLParam<T> | mozilla::dom::PContentChild::SendNotifyMediaActiveChanged]

Categories

(Core :: Audio/Video: Playback, defect, P2)

x86_64
macOS
defect

Tracking

()

RESOLVED FIXED
mozilla72
Fission Milestone M5
Tracking Status
firefox-esr68 --- unaffected
firefox70 --- unaffected
firefox71 --- wontfix
firefox72 --- fixed

People

(Reporter: gsvelto, Assigned: mccr8)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file, 1 obsolete file)

This bug is for crash report bp-f4b3a31a-ad33-455c-bdaf-e31060191124.

Top 10 frames of crashing thread:

0 XUL void mozilla::ipc::WriteIPDLParam<mozilla::dom::BrowsingContext*&> ipc/glue/IPDLParamTraits.h:60
1 XUL mozilla::dom::PContentChild::SendNotifyMediaActiveChanged ipc/ipdl/PContentChild.cpp:7076
2 XUL mozilla::dom::NotifyMediaActiveChanged dom/media/mediacontrol/MediaControlUtils.h:32
3 XUL mozilla::dom::NotifyMediaStopped dom/media/mediacontrol/MediaControlUtils.h:81
4 XUL mozilla::dom::HTMLMediaElement::AudioChannelAgentCallback::UpdateAudioChannelPlayingState dom/html/HTMLMediaElement.cpp:1224
5 XUL mozilla::dom::HTMLMediaElement::NotifyOwnerDocumentActivityChanged dom/html/HTMLMediaElement.cpp:6422
6 XUL mozilla::dom::NotifyActivityChanged dom/base/Document.cpp:6599
7 XUL mozilla::dom::Document::OnPageHide dom/base/Document.cpp:10723
8 XUL nsDocumentViewer::PageHide layout/base/nsDocumentViewer.cpp:1492
9 XUL nsDocShell::FirePageHideNotificationInternal docshell/base/nsDocShell.cpp:956

macOS-only crash (for now) with crash reason:

MOZ_RELEASE_ASSERT(!aParam->IsDiscarded()) (Cannot send discarded BrowsingContext between processes!)

Fission is enable for all of these crashes, and the assertion sounds Fission-related.

I don't understand these crashes, because bug 1579437 added checks for the bc not being discarded.

Ah, ok. The check is done on a bc, then it does bc = bc->Top();, then it sends that bc. So the check is done on the initial bc, not the new one.

Assignee: nobody → continuation

It sounds like discarding a full bc tree or whatever isn't atomic, so you could end up in a situation where a bc is not discarded, but its parent is.

See Also: → 1599180

I expect that the intention is to indicate that these are helper
methods and to produce a warning if the helper methods are no longer
used, but making functions static in a header creates a new copy of
the function in every compilation unit that includes it.

This patch centralizes the checking for discarded browsing contexts
for the media IPC messages. It also adds a check that the top BC is
not discarded, which seems to be causing crashes. A BC can be
non-discarde when its parent is discarded because discarding a BC tree
is not atomic.

This changes the BC we log the id of, but hopefully that is okay.

The patch also fixes the 'Browing' typo in the method name.

Priority: -- → P2

Tracking for Fission dogfooding (M5)

Fission Milestone: --- → M5
Hardware: Unspecified → x86_64

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression
Attachment #9111424 - Attachment is obsolete: true
Attachment #9111425 - Attachment description: Bug 1599026, part 2 - Don't send media notifications to discarded top BCs. → Bug 1599026 - Don't send media notifications to discarded top BCs.

Bug 1599222 will split out some mozilla::ipc::IPDLParamTraits<T>::Write signatures. It looks like a good chunk of them are this same issue.

Depends on: 1599222
Pushed by amccreight@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a5440adc58d0
Don't send media notifications to discarded top BCs. r=alwu
Status: NEW → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla72

The [@ mozilla::ipc::IPDLParamTraits<T>::Write ] variant of this crash, like bp-4da20668-8ad1-4fec-a658-e4e520191127, seems to have also gone away.

You need to log in before you can comment on or make changes to this bug.