fennec-bin crash on creating a thumbnail after content-process death [@ mozilla::ipc::Shmem::AssertInvariants]

RESOLVED DUPLICATE of bug 606279

Status

Fennec Graveyard
General
7 years ago
4 years ago

People

(Reporter: cjones, Assigned: mfinkle)

Tracking

({crash})

Trunk
x86_64
Linux
crash

Details

(crash signature)

Attachments

(2 attachments)

STR
 (1) Load bing.com
 (2) kill -9 `pidof plugin-container`
 (3) Choose to reload the tab
 (4) Click on awesomebar
 (5) Hit enter to reload bing

This should crash in both opt/debug builds, but I've only tested with debug.

Relevant part of stack

#5  0x00007f06dee3eaa1 in mozilla::ipc::Shmem::AssertInvariants (this=0x1755770) at /home/cjones/mozilla/mozilla-central/ipc/glue/Shmem.cpp:354
#6  0x00007f06dee3eaea in mozilla::ipc::Shmem::RevokeRights (this=0x1755770) at /home/cjones/mozilla/mozilla-central/ipc/glue/Shmem.cpp:362
#7  0x00007f06dee75d72 in mozilla::dom::PBrowserParent::Write (this=0x1a9b410, __v=..., __msg=0x7f06c410a690) at PBrowserParent.cpp:1677
#8  0x00007f06dee716d8 in mozilla::dom::PBrowserParent::SendPDocumentRendererShmemConstructor (this=0x1a9b410, actor=0x7f06c410a610, x=@0x7fffc172c6c0, y=@0x7fffc172c6bc, w=@0x7fffc172c6b8, h=@0x7fffc172c6b4, bgcolor=..., flags=@0x7fffc172c6c4, flush=@0x7fffc172c6ce, matrix=..., buf=...) at PBrowserParent.cpp:575
#9  0x00007f06dee71513 in mozilla::dom::PBrowserParent::SendPDocumentRendererShmemConstructor (this=0x1a9b410, x=@0x7fffc172c6c0, y=@0x7fffc172c6bc, w=@0x7fffc172c6b8, h=@0x7fffc172c6b4, bgcolor=..., flags=@0x7fffc172c6c4, flush=@0x7fffc172c6ce, matrix=..., buf=...) at PBrowserParent.cpp:539
#10 0x00007f06ddff6ac1 in nsCanvasRenderingContext2D::AsyncDrawXULElement (this=0x105e2e0, aElem=0x157d788, aX=0, aY=0, aW=980, aH=591.69812, aBGColor=..., flags=0) at /home/cjones/mozilla/mozilla-central/content/canvas/src/nsCanvasRenderingContext2D.cpp:3941
#11 0x00007f06de85707d in nsIDOMCanvasRenderingContext2D_AsyncDrawXULElement (cx=0xdae320, argc=7, vp=0x7f06ccec85a0) at dom_quickstubs.cpp:3723
#12 0x00007f06df4de6d9 in js::Interpret (cx=0xdae320, entryFrame=0x7f06ccec8240, inlineCallCount=6, interpFlags=0) at /home/cjones/mozilla/mozilla-central/js/src/jsinterp.cpp:4625

mfinkle tells me we hold on to the documenttab <canvas> after content-process death, but as that's backed by Shmem owned by the old content process which is destroyed on its death, we have to let go of the canvas.
Note that the crash would be different in an opt build; we'd die in the content process by a fatal assertion after being handed an unknown Shmem, I believe.
tracking-fennec: --- → ?
Created attachment 483073 [details] [diff] [review]
patch

This patch recreates the canvas after a crash
Assignee: nobody → mark.finkle
Created attachment 483075 [details]
recreated thumbnail

Patch wfm, but I get a weird-looking thumbnail.  Might be unrelated.
With this patch applied, I just caught the same crash while loading a bunch of sites quickly in succession.  Probably another issue though.
Keywords: crash
Resolved -> subsumed.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 606279
Crash Signature: [@ mozilla::ipc::Shmem::AssertInvariants]
tracking-fennec: ? → ---
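
The failure mode discussed in this bug, as an added example that is not part of the original report, the attached patch, or Mozilla's code: a simplified C++ model in which the parent-side thumbnail canvas holds only a non-owning reference to a segment owned by the content process, checks it before every draw, and recreates it after the owner dies. `Segment`, `ContentProcess` and `ThumbnailCanvas` are hypothetical names for this sketch and do not correspond to the real `ipc::Shmem` API.

```cpp
#include <cstdint>
#include <memory>
#include <vector>
// Simplified model, not Mozilla's ipc::Shmem: a segment lives exactly as
// long as the content-process incarnation that allocated it.
struct Segment { int owner; std::vector<std::uint8_t> pixels; };

class ContentProcess {
public:
    explicit ContentProcess(int id) : id_(id) {}
    int id() const { return id_; }
    std::weak_ptr<Segment> Alloc(std::size_t bytes) {
        segments_.push_back(std::make_shared<Segment>(
            Segment{id_, std::vector<std::uint8_t>(bytes)}));
        return segments_.back();
    }
private:
    int id_;
    std::vector<std::shared_ptr<Segment>> segments_;  // sole owner
};

// Parent-side thumbnail canvas holding a non-owning reference.
class ThumbnailCanvas {
public:
    int recreations = 0;
    // Valid only if the segment still exists AND belongs to `p`.
    bool BackedBy(const ContentProcess& p) const {
        auto s = seg_.lock();
        return s && s->owner == p.id();
    }
    // Check before every send; recreate the backing store if it is stale.
    bool Draw(ContentProcess& p, std::size_t bytes) {
        if (!BackedBy(p)) { seg_ = p.Alloc(bytes); ++recreations; }
        auto s = seg_.lock();
        if (!s || s->pixels.empty()) return false;
        s->pixels[0] = 0xff;  // stand-in for rendering the thumbnail
        return true;
    }
private:
    std::weak_ptr<Segment> seg_;
};

// Mirrors the STR: draw, kill the content process, reload, draw again.
int RecreationsAfterCrash() {
    ThumbnailCanvas canvas;
    auto proc = std::make_unique<ContentProcess>(1);
    canvas.Draw(*proc, 64);
    proc = std::make_unique<ContentProcess>(2);  // old process died
    return canvas.Draw(*proc, 64) ? canvas.recreations : -1;
}
```

The ownership check also rejects a segment that is still mapped but belongs to a different process incarnation, which is the "unknown Shmem" case mentioned for opt builds.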