Closed
Bug 544518
Opened 14 years ago
Closed 14 years ago
[OOPP] Crash killing plugin-container [@ txForwardContext::getVariable(int, nsIAtom*, txAExprResult*&) ] [@ mozilla::ipc::AsyncChannel::OnSend(IPC::Message*) ]
Categories
(Core :: IPC, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: fehe, Assigned: cjones)
References
()
Details
(Keywords: crash, Whiteboard: [rc-ridealong] [qa-examined-192])
Crash Data
Attachments
(2 files)
|
5.43 KB,
patch
|
Details | Diff | Splinter Review | |
|
7.12 KB,
patch
|
bent.mozilla
:
review+
christian
:
approval1.9.2.4+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20100205 Minefield/3.7a1pre (.NET CLR 3.5.30729) Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20100205 Minefield/3.7a1pre Browser crashes when killing mozilla-runtime, after launching the linked URL. http://crash-stats.mozilla.com/report/index/d1a8c23c-0778-4f65-929d-08fa52100205 http://crash-stats.mozilla.com/report/index/bp-3ac6d53c-6a83-4773-bc08-164962100205 Crashing Thread Frame Module Signature [Expand] Source 0 xul.dll txForwardContext::getVariable ipc/glue/AsyncChannel.cpp:429 1 xul.dll RunnableMethod<mozilla::ipc::AsyncChannel,void ipc/chromium/src/base/task.h:307 2 xul.dll MessageLoop::RunTask ipc/chromium/src/base/message_loop.cc:326 3 xul.dll MessageLoop::DeferOrRunPendingTask ipc/chromium/src/base/message_loop.cc:334 4 xul.dll MessageLoop::DoWork ipc/chromium/src/base/message_loop.cc:434 5 xul.dll base::MessagePumpForIO::DoRunLoop ipc/chromium/src/base/message_pump_win.cc:446 6 xul.dll base::MessagePumpWin::RunWithDispatcher ipc/chromium/src/base/message_pump_win.cc:52 7 xul.dll base::MessagePumpWin::Run ipc/chromium/src/base/message_pump_win.h:78 8 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:194 9 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:168 10 xul.dll base::Thread::ThreadMain ipc/chromium/src/base/thread.cc:165 11 xul.dll `anonymous namespace'::ThreadFunc ipc/chromium/src/base/platform_thread_win.cc:26 12 kernel32.dll BaseThreadStart Reproducible: Always Steps to Reproduce: 1. Configure Adobe Reader to NOT display in the browser. Specifically, uncheck the "Display PDF in browser" option at: Edit --> Preferences... --> Internet 2. Close Adobe Reader 3. Create a new profile 4. Visit the linked URL 5. After the plugin launches and Adobe Reader displays the PDF, close Adobe Reader. 6. Kill associated mozilla-runtime.exe process 7. Browser crashes with reported signature.
Something seems different, so the following slightly modified STR is needed to reproduce this bug: 1. Configure Adobe Reader to NOT display in the browser. Specifically, uncheck the "Display PDF in browser" option at: Edit --> Preferences... --> Internet 2. Close Adobe Reader 3. Create a new profile 4. Visit the linked URL 5. After the plugin launches and Adobe Reader displays the PDF, close Adobe Reader. 6. If the browser had opened a new tab when performing Step 4, close that tab (this is a critical step) 7. Kill associated mozilla-runtime.exe process 8. Browser crashes with reported signature. I will try and generate a stack trace log...
I can't reproduce the crash when using WinDbg. Nor can I get it to crash with the same signature. Now I'm crashing with the PR_UNLOCK signature. But also my STR is not quite right. You pretty much have to run through Steps 4 to 7 twice, to get the crash. Nevertheless, since I can't get the same signature and am now getting only the PR_UNLOCK signature, which already has a bug against it, I'm resolving this WORKSFORME Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a2pre) Gecko/20100217 Minefield/3.7a2pre (.NET CLR 3.5.30729) ID:20100217050024
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
I just got this crash using today's nightly. I was reproducing bug 557609 and the browser crashed (usually it is just the plugin). Upon restarting Firefox and checking about:crashes, I had two crash reports at the same time: http://crash-stats.mozilla.com/report/index/c0b3e861-0fda-430c-b323-e32c22100407 http://crash-stats.mozilla.com/report/index/d41a3084-8623-4fbe-810b-4e7172100407 The first being this bug and the second being bug 557609.
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
|
||
Comment 4•14 years ago
|
||
The crash is actually at AsyncChannel::OnSend(Message* aMsg) Either "this" or "mTransport" is bogus. I'll bet mTransport, since the crash address is 0x0. cjones, can there be pending I/O events when we tear down a crashed plugin? And if so, who is supposed to cancel them?
|
|
||
Updated•14 years ago
|
Summary: [OOPP] Crash killing mozilla-runtime [@ txForwardContext::getVariable(int, nsIAtom*, txAExprResult*&) ] → [OOPP] Crash killing mozilla-runtime [@ txForwardContext::getVariable(int, nsIAtom*, txAExprResult*&) ] [@ mozilla::ipc::AsyncChannel::OnSend(IPC::Message*) ]
|
Assignee | |
Comment 5•14 years ago
|
||
This is the first IPC bug I haven't been able to write an even reasonably probabilistic black-box IPDL/C++ test for. Out of maybe 10 different timing strategies (including some tuned for my machine), I repro'd this bug once in maybe 100 runs (and one time in gdb by accident). The problem is that to trigger the bug, OnError() needs to happen on the IO thread nearly simultaneously but just after a Send() on the worker thread, and NotifyError() needs to happen on the worker thread before OnSend() on the IO thread. This patch adds a PR_Sleep() to AsyncChannel::OnError() to slow things down.
Assignee: nobody → jones.chris.g
|
|
Assignee | |
Comment 6•14 years ago
|
||
Don't think this is CRITICAL given the intricate timing needed to trigger this bug.
Severity: critical → normal
|
|
Assignee | |
Comment 7•14 years ago
|
||
Attachment #438958 -
Flags: review?(bent.mozilla)
|
|
Assignee | |
Updated•14 years ago
|
status1.9.2:
--- → ?
|
|
||
Comment 8•14 years ago
|
||
Technically this is "critical" because the definition of critical is a crasher bug, and the frequency of the crash isn't taken into account. Doesn't really matter, though. I don't see this much with 3.6.3plugin1 (only 4 reports), although it may be hiding under a different signature.
Severity: normal → critical
blocking1.9.2: --- → ?
Whiteboard: [rc-ridealong]
Summary: [OOPP] Crash killing mozilla-runtime [@ txForwardContext::getVariable(int, nsIAtom*, txAExprResult*&) ] [@ mozilla::ipc::AsyncChannel::OnSend(IPC::Message*) ] → [OOPP] Crash killing plugin-container [@ txForwardContext::getVariable(int, nsIAtom*, txAExprResult*&) ] [@ mozilla::ipc::AsyncChannel::OnSend(IPC::Message*) ]
|
||
Updated•14 years ago
|
blocking1.9.2: ? → .4+
status1.9.2:
? → ---
|
|
Assignee | |
Comment 9•14 years ago
|
||
bent, would be nice to get this reviewed soonish.
Comment on attachment 438958 [details] [diff] [review] Send Messages directly through the Transport on the IO thread rather than through a no-added-value AsyncChannel indirection Looks good. Nice comment :)
Attachment #438958 -
Flags: review?(bent.mozilla) → review+
|
||
Comment 11•14 years ago
|
||
Comment on attachment 438958 [details] [diff] [review] Send Messages directly through the Transport on the IO thread rather than through a no-added-value AsyncChannel indirection a=LegNeato for 1.9.2.4 (this is a blocker we want on the branch asap)
Attachment #438958 -
Flags: approval1.9.2.4+
|
|
Assignee | |
Comment 12•14 years ago
|
||
Sorry, didn't ask for approval because I thought it needed to land on m-c first (and that's been exceedingly difficult of late).
|
|
Assignee | |
Comment 13•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/e3cfb6ca54c9 Will let bake for a bit, land on branch ASAP, probably tomorrow.
Status: NEW → RESOLVED
Closed: 14 years ago → 14 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 14•14 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/ca6df0574ed6 (default) http://hg.mozilla.org/releases/mozilla-1.9.2/rev/c38bf492bef4 (relbranch)
status1.9.2:
--- → .4-fixed
|
||
Comment 15•14 years ago
|
||
(In reply to comment #1) > Something seems different, so the following slightly modified STR is needed to > reproduce this bug: > > 1. Configure Adobe Reader to NOT display in the browser. Specifically, uncheck > the "Display PDF in browser" option at: Edit --> Preferences... --> Internet > 2. Close Adobe Reader > 3. Create a new profile > 4. Visit the linked URL > 5. After the plugin launches and Adobe Reader displays the PDF, close Adobe > Reader. > 6. If the browser had opened a new tab when performing Step 4, close that tab > (this is a critical step) > 7. Kill associated mozilla-runtime.exe process > 8. Browser crashes with reported signature. > > I will try and generate a stack trace log... I can't get this to reproduce in build 1 of Firefox 3.6.4 (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4) Gecko/20100413 Firefox/3.6.4 (.NET CLR 3.5.30729)).
|
|
||
Updated•14 years ago
|
Whiteboard: [rc-ridealong] → [rc-ridealong] [qa-examined-192]
|
|
||
Comment 16•14 years ago
|
||
IU, can you try verifying this fix with a nightly 1.9.2 build?
|
Reporter | |
Comment 17•14 years ago
|
||
I tried but was unable to confirm whether this fixed the issue. I tried a build before this landed and couldn't get it to crash; however, I don't crash with this patch either. Whatever fixed it, it's definitely fixed.
|
||
Updated•13 years ago
|
Crash Signature: [@ txForwardContext::getVariable(int, nsIAtom*, txAExprResult*&) ]
[@ mozilla::ipc::AsyncChannel::OnSend(IPC::Message*) ]
You need to log in
before you can comment on or make changes to this bug.
Description
•