Closed Bug 1599026 Opened 2 months ago Closed 2 months ago

Crash in [@ mozilla::ipc::WriteIPDLParam<T> | mozilla::dom::PContentChild::SendNotifyMediaActiveChanged]


(Core :: Audio/Video: Playback, defect, P2)




Fission Milestone M5
firefox-esr68 --- unaffected
firefox70 --- unaffected
firefox71 --- wontfix
firefox72 --- fixed


(Reporter: gsvelto, Assigned: mccr8)


(Keywords: crash, regression)

This bug is for crash report bp-f4b3a31a-ad33-455c-bdaf-e31060191124.

Top 10 frames of crashing thread:

0 XUL void mozilla::ipc::WriteIPDLParam<mozilla::dom::BrowsingContext*&> ipc/glue/IPDLParamTraits.h:60
1 XUL mozilla::dom::PContentChild::SendNotifyMediaActiveChanged ipc/ipdl/PContentChild.cpp:7076
2 XUL mozilla::dom::NotifyMediaActiveChanged dom/media/mediacontrol/MediaControlUtils.h:32
3 XUL mozilla::dom::NotifyMediaStopped dom/media/mediacontrol/MediaControlUtils.h:81
4 XUL mozilla::dom::HTMLMediaElement::AudioChannelAgentCallback::UpdateAudioChannelPlayingState dom/html/HTMLMediaElement.cpp:1224
5 XUL mozilla::dom::HTMLMediaElement::NotifyOwnerDocumentActivityChanged dom/html/HTMLMediaElement.cpp:6422
6 XUL mozilla::dom::NotifyActivityChanged dom/base/Document.cpp:6599
7 XUL mozilla::dom::Document::OnPageHide dom/base/Document.cpp:10723
8 XUL nsDocumentViewer::PageHide layout/base/nsDocumentViewer.cpp:1492
9 XUL nsDocShell::FirePageHideNotificationInternal docshell/base/nsDocShell.cpp:956

macOS-only crash (for now) with crash reason:

MOZ_RELEASE_ASSERT(!aParam->IsDiscarded()) (Cannot send discarded BrowsingContext between processes!)

Fission is enable for all of these crashes, and the assertion sounds Fission-related.

I don't understand these crashes, because bug 1579437 added checks for the bc not being discarded.

Ah, ok. The check is done on a bc, then it does bc = bc->Top();, then it sends that bc. So the check is done on the initial bc, not the new one.

Assignee: nobody → continuation

It sounds like discarding a full bc tree or whatever isn't atomic, so you could end up in a situation where a bc is not discarded, but its parent is.

See Also: → 1599180

I expect that the intention is to indicate that these are helper
methods and to produce a warning if the helper methods are no longer
used, but making functions static in a header creates a new copy of
the function in every compilation unit that includes it.

This patch centralizes the checking for discarded browsing contexts
for the media IPC messages. It also adds a check that the top BC is
not discarded, which seems to be causing crashes. A BC can be
non-discarde when its parent is discarded because discarding a BC tree
is not atomic.

This changes the BC we log the id of, but hopefully that is okay.

The patch also fixes the 'Browing' typo in the method name.

Tracking for Fission dogfooding (M5)

Fission Milestone: --- → M5
Bug 1599222 will split out some mozilla::ipc::IPDLParamTraits<T>::Write signatures. It looks like a good chunk of them are this same issue.

Depends on: 1599222
Pushed by
Don't send media notifications to discarded top BCs. r=alwu
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla72

The [@ mozilla::ipc::IPDLParamTraits<T>::Write ] variant of this crash, like bp-4da20668-8ad1-4fec-a658-e4e520191127, seems to have also gone away.

