ShadowLayersParent::RecvUpdate crashes when trying to use destroyed layer manager

RESOLVED FIXED in mozilla2.0b9

Status

()

defect
RESOLVED FIXED
8 years ago
5 years ago

People

(Reporter: tatiana, Assigned: tatiana)

Tracking

({crash})

Trunk
mozilla2.0b9
x86
Linux
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

(Assignee)

Description

8 years ago
Posted file [@SetAllocator].bt
Created attachment 498983 [details]
[@cairo_surface_reference].bt

STEPS LEADING TO PROBLEM: 
1. Open Fennec and navigate to www.lemonde.fr
2. Click on top page banner (it opens new tab)
3. Close Fennec as fast as you can

EXPECTED OUTCOME:
no crash observed

ACTUAL OUTCOME:
TaskSwitcherWindow::closeEvent 
TaskSwitcherWindow::closeTab 
TaskSwitcherWindow::notifyObservers aBrowser: 0xa19270, aTopic: fennec-taskswitcher-window-closed
TaskSwitcherWindow::notifyObservers Notifying observers with topic 'fennec-taskswitcher-window-closed'
virtual nsresult nsWindow::Destroy():402
virtual void mozilla::layers::LayerManagerOGL::Destroy():93
TaskSwitcherWindow::~TaskSwitcherWindow 
layer_manager()->IsDestroyed(): 1
[ParentSide] CreateImageLayer

###!!! [Child][SyncChannel] Error: Channel error: cannot send/recv

Segmentation fault (core dumped)
(Assignee)

Updated

8 years ago
Blocks: 619056
(Assignee)

Updated

8 years ago
Attachment #499833 - Attachment mime type: application/octet-stream → text/plain
Is this crash happening before or after the PBrowser:Destroy message is received by the content process?  (At TabChild::RecvDestroy.)
(Assignee)

Comment 3

8 years ago
(In reply to comment #2)
> Is this crash happening before or after the PBrowser:Destroy message is
> received by the content process?  (At TabChild::RecvDestroy.)

before
Comment on attachment 499836 [details] [diff] [review]
patch: ignore update if layer manager IsDestroyed()

Thanks.  This is a somewhat ugly race condition.  We eventually should propagate the destroyed state discovered during this transaction back to the child process, and do an analogous Destroy() there, but AFAIK this patch should be fine for now, because of the way shadow OGL layers work.  Can look into the harder bits with a followup.
Attachment #499836 - Flags: review?(jones.chris.g) → review+
I guess it should be safe to push
tracking-fennec: --- → ?
(Assignee)

Updated

8 years ago
Keywords: crash
Comment on attachment 499836 [details] [diff] [review]
patch: ignore update if layer manager IsDestroyed()

This crash is also very easy to hit in reftest-ipc+GL.

Can we pretty please get blocking+ or approval?
Attachment #499836 - Flags: approval2.0?

Updated

8 years ago
Attachment #499836 - Flags: approval2.0? → approval2.0+
(Assignee)

Updated

8 years ago
Keywords: checkin-needed
http://hg.mozilla.org/mozilla-central/rev/959744a69f80
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Assignee: nobody → tanya.meshkova
Keywords: checkin-needed
Target Milestone: --- → mozilla2.0b9
tracking-fennec: ? → ---
You need to log in before you can comment on or make changes to this bug.