STR
(1) Load bing.com
(2) kill -9 `pidof plugin-container`
(3) Choose to reload the tab
(4) Click on awesomebar
(5) Hit enter to reload bing

This should crash in both opt/debug builds, but I've only tested with debug. Relevant part of stack

#5 0x00007f06dee3eaa1 in mozilla::ipc::Shmem::AssertInvariants (this=0x1755770) at /home/cjones/mozilla/mozilla-central/ipc/glue/Shmem.cpp:354
#6 0x00007f06dee3eaea in mozilla::ipc::Shmem::RevokeRights (this=0x1755770) at /home/cjones/mozilla/mozilla-central/ipc/glue/Shmem.cpp:362
#7 0x00007f06dee75d72 in mozilla::dom::PBrowserParent::Write (this=0x1a9b410, __v=..., __msg=0x7f06c410a690) at PBrowserParent.cpp:1677
#8 0x00007f06dee716d8 in mozilla::dom::PBrowserParent::SendPDocumentRendererShmemConstructor (this=0x1a9b410, actor=0x7f06c410a610, x=@0x7fffc172c6c0, y=@0x7fffc172c6bc, w=@0x7fffc172c6b8, h=@0x7fffc172c6b4, bgcolor=..., flags=@0x7fffc172c6c4, flush=@0x7fffc172c6ce, matrix=..., buf=...) at PBrowserParent.cpp:575
#9 0x00007f06dee71513 in mozilla::dom::PBrowserParent::SendPDocumentRendererShmemConstructor (this=0x1a9b410, x=@0x7fffc172c6c0, y=@0x7fffc172c6bc, w=@0x7fffc172c6b8, h=@0x7fffc172c6b4, bgcolor=..., flags=@0x7fffc172c6c4, flush=@0x7fffc172c6ce, matrix=..., buf=...) at PBrowserParent.cpp:539
#10 0x00007f06ddff6ac1 in nsCanvasRenderingContext2D::AsyncDrawXULElement (this=0x105e2e0, aElem=0x157d788, aX=0, aY=0, aW=980, aH=591.69812, aBGColor=..., flags=0) at /home/cjones/mozilla/mozilla-central/content/canvas/src/nsCanvasRenderingContext2D.cpp:3941
#11 0x00007f06de85707d in nsIDOMCanvasRenderingContext2D_AsyncDrawXULElement (cx=0xdae320, argc=7, vp=0x7f06ccec85a0) at dom_quickstubs.cpp:3723
#12 0x00007f06df4de6d9 in js::Interpret (cx=0xdae320, entryFrame=0x7f06ccec8240, inlineCallCount=6, interpFlags=0) at /home/cjones/mozilla/mozilla-central/js/src/jsinterp.cpp:4625

mfinkle tells me we hold on to the documenttab <canvas> after content-process death, but as that's backed by Shmem owned by the old content process which is destroyed on its death, we have to let go of the canvas.
Note that the crash would be different in an opt build; we'd die in the content process by a fatal assertion after being handed an unknown Shmem, I believe.
Created attachment 483073
patch

This patch recreates the canvas after a crash
Created attachment 483075
recreated thumbnail

Patch wfm, but I get a weird-looking thumbnail. Might be unrelated.
With this patch applied, I just caught the same crash while loading a bunch of sites quickly in succession. Probably another issue though.
Resolved -> subsumed.