Open Bug 1724083 Opened 6 months ago Updated 5 months ago

Crash in [@ mozilla::dom::BrowserParent::ActorDestroy]

Categories

(Core :: DOM: Content Processes, defect, P2)

Unspecified
Windows 10
defect

Tracking

()

Tracking Status
firefox-esr78 --- affected
firefox-esr91 --- affected
firefox91 --- affected
firefox92 --- affected
firefox93 --- affected

People

(Reporter: Gijs, Assigned: nika)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/47400ad0-3133-4177-bedb-92a620210804

MOZ_CRASH Reason: MOZ_DIAGNOSTIC_ASSERT(childBp)

Top 10 frames of crashing thread:

0 xul.dll mozilla::dom::BrowserParent::ActorDestroy dom/ipc/BrowserParent.cpp:678
1 xul.dll mozilla::ipc::IProtocol::DestroySubtree ipc/glue/ProtocolUtils.cpp:618
2 xul.dll mozilla::dom::PBrowserParent::OnMessageReceived ipc/ipdl/PBrowserParent.cpp:4182
3 xul.dll mozilla::dom::PContentParent::OnMessageReceived ipc/ipdl/PContentParent.cpp:6612
4 xul.dll mozilla::ipc::MessageChannel::DispatchMessage ipc/glue/MessageChannel.cpp:1978
5 xul.dll mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal xpcom/threads/TaskController.cpp:805
6 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1148
7 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:85
8 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:324
9 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:306

STR (from bug 1722880 comment 6):

If you create a new tab, load a PDF from file, navigate to example.org - breakpoint in didDestroy in PdfJsParent doesn't fire.
If you then close the tab, it does fire.
when you then resume it crashes, but that only happens when debugging and only with the breakpoint set - not sure if that is related.

(to be clear, "breakpoint" here means setting a breakpoint with the browser debugger)

https://crash-stats.mozilla.org/signature/?product=Firefox&signature=mozilla%3A%3Adom%3A%3ABrowserParent%3A%3AActorDestroy&date=%3E%3D2021-07-07T21%3A14%3A00.000Z&date=%3C2021-08-04T21%3A14%3A00.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_columns=startup_crash&_sort=-date&page=1

shows enough of these that I think there may be other cases where whatever this diagnostic assert is about breaks.

Note that the diagnostic assert doesn't mean we don't crash - the next line just dereferences the pointer we're checking so if it's null we just crash on the next line in release (and there are release crashes on crash-stats, so we do, in practice).

Severity: -- → S2
See Also: → 1722880

Assigning to Nika.

spinning nested event loop inside actor teardown of the actor hierarchy? Attempting to destroy BrowserParent twice after destroying JSWindowActorParent?

Nika will add some extra checks for recursive actor destruction.

Assignee: nobody → nika
Priority: -- → P2
See Also: 1722880
You need to log in before you can comment on or make changes to this bug.