Closed Bug 733322 Opened 12 years ago Closed 11 years ago

Crash in nsAppShell::ProcessNextNativeEvent with abort message: "X_ShmPutImage or X_CopyArea: BadMatch (invalid parameter attributes)" with Flash Player in browser process

Categories

(Core Graveyard :: Plug-ins, defect, P3)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
x86
Linux
Type:
defect

Tracking

(firefox15-)

Status:
RESOLVED INCOMPLETE
Tracking Flags:
Tracking Status
firefox15 - ---

People

(Reporter: scoobidiver, Unassigned)

References

Details

(Keywords: crash)

Crash Data

Signature 	TouchBadMemory More Reports Search
UUID	33c2b014-8357-400f-a6f9-32c172120305
Date Processed	2012-03-05 13:31:13
Uptime	3307
Last Crash	55.2 minutes before submission
Install Age	57.2 minutes since version was first installed.
Install Time	2012-03-05 12:33:30
Product	Firefox
Version	13.0a1
Build ID	20120304031031
Release Channel	nightly
OS	Linux
OS Version	0.0.0 Linux 3.0.0-12-generic-pae #20-Ubuntu SMP Fri Oct 7 16:37:17 UTC 2011 i686
Build Architecture	x86
Build Architecture Info	AuthenticAMD family 16 model 5 stepping 2
Crash Reason	SIGSEGV
Crash Address	0x0
App Notes 	
OpenGL: NVIDIA Corporation -- GeForce GT 220/PCI/SSE2/3DNOW! -- 3.3.0 NVIDIA 280.13 -- texture_from_pixmap
X_ShmPutImage: BadMatch (invalid parameter attributes); 167 requests agoxpcom_runtime_abort(###!!! ABORT: X_ShmPutImage: BadMatch (invalid parameter attributes); 167 requests ago: file /builds/slave/m-cen-lnx-ntly/build/toolkit/xre/nsX11ErrorHandler.cpp, line 190)	
EMCheckCompatibility	False

Crashing Thread
Frame 	Module 	Signature 	Source
0 	libmozalloc.so 	TouchBadMemory 	memory/mozalloc/mozalloc_abort.cpp:68
1 	libmozalloc.so 	mozalloc_abort 	memory/mozalloc/mozalloc_abort.cpp:89
2 	libxul.so 	NS_DebugBreak_P 	xpcom/base/nsDebugImpl.cpp:388
3 	libxul.so 	X11Error 	toolkit/xre/nsX11ErrorHandler.cpp:190
4 	libbonoboui-2.so.0.0.0 	libbonoboui-2.so.0.0.0@0x1ea74 	
5 	libX11.so.6.3.0 	_XError 	XlibInt.c:1583
6 	libX11.so.6.3.0 	handle_error 	xcb_io.c:212
7 	libX11.so.6.3.0 	handle_response 	xcb_io.c:324
8 	libX11.so.6.3.0 	_XEventsQueued 	xcb_io.c:363
9 	libX11.so.6.3.0 	XPending 	Pending.c:55
10 	libgdk-x11-2.0.so.0.2400.6 	gdk_event_prepare 	gdkevents-x11.c:159
11 	libglib-2.0.so.0.3000.0 	g_main_context_prepare 	gmain.c:2762
12 	libglib-2.0.so.0.3000.0 	g_main_context_iterate 	gmain.c:3069
13 	libglib-2.0.so.0.3000.0 	g_main_context_iteration 	gmain.c:3152
14 	libxul.so 	nsAppShell::ProcessNextNativeEvent 	widget/gtk2/nsAppShell.cpp:162
15 	libxul.so 	nsBaseAppShell::OnProcessNextEvent 	widget/xpwidgets/nsBaseAppShell.cpp:171
16 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:619
17 	libxul.so 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:245
18 	libxul.so 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
19 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:208
20 	libxul.so 	nsBaseAppShell::Run 	widget/xpwidgets/nsBaseAppShell.cpp:189
21 	libxul.so 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:295
22 	libxul.so 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3564
23 	firefox 	main 	browser/app/nsBrowserApp.cpp:190
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=TouchBadMemory
Gecko doesn't usually use XShm.
Some GTK themes may end up using it, but, given the Flash Player threads in the browser process, that looks the likely culprit.

Flash Player should not be doing much in the browser process unless preferences have been changed, which I expect is the case here.
Component: Widget: Gtk → Plug-ins
QA Contact: gtk → plugins
Summary: Crash in nsAppShell::ProcessNextNativeEvent with abort message: "X_ShmPutImage: BadMatch (invalid parameter attributes)" → Crash in nsAppShell::ProcessNextNativeEvent with abort message: "X_ShmPutImage: BadMatch (invalid parameter attributes)" with Flash Player in browser process
I'll mark this as invalid as resetting  dom.ipc.plugins.* preferences to their defaults should resolve the browser crash, and we don't have a reason to support running Flash Player in the browser process.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
Crash Signature: [@ TouchBadMemory] [@ mozalloc_abort | NS_DebugBreak_P | X11Error] → [@ mozalloc_abort | NS_DebugBreak_P | X11Error] [@ TouchBadMemory] [@ TouchBadMemory | mozalloc_abort | NS_DebugBreak_P | X11Error]
Crash Signature: [@ mozalloc_abort | NS_DebugBreak_P | X11Error] [@ TouchBadMemory] [@ TouchBadMemory | mozalloc_abort | NS_DebugBreak_P | X11Error] → [@ mozalloc_abort | NS_DebugBreak_P | X11Error] [@ TouchBadMemory] [@ TouchBadMemory | mozalloc_abort | NS_DebugBreak_P | X11Error ]
Note, the broken traces are bug 750637
(In reply to Chris Coulson from comment #4)
> I wonder if people are having a specific issue which is causing them to change
> dom.ipc.plugins.enabled?
It's bug 704249 caused by IcedTea 1.1.
I'm not sure why I'm on this bug's list, but I specifically reset dom.ipc.plugins.enabled to the default value, after not knowing why it was changed in the first place, and I have

ii  icedtea6-plugin  6b18-1.8.13-0+squeeze1

which may or may not be that what you refer to as IcedTea 1.1 (but I have no clue about Java, either).
I'd also like to know why dom.ipc.plugins.enabled is often false, but the workaround for bug 704249 is setting a slightly different pref to true.
(In reply to Karl Tomlinson (:karlt) from comment #8)
> I'd also like to know why dom.ipc.plugins.enabled is often false, but the
> workaround for bug 704249 is setting a slightly different pref to true.
Users usually know how to disable the OOPP with dom.ipc.plugins.enabled, but don't know it can be set for each plugin like dom.ipc.plugins.java.enabled for Java.
OOPP java is usually disabled, but the workaround for bug 704249 is to *enable* 00PP even for java.
The third hit on Google when searching for "plugin-container" is an article explaining how to turn off OOPP, so it's entirely conceivable that anyone who has a problem with it (something like high CPU usage, perhaps?) figures out how to disable it.
(In reply to Chris Coulson from comment #4)
> There seem to be a lot of these types of crashes in Firefox 12 now, all with
> flash running in the main process:

This is cause by Bug 751641.
(In reply to Karl Tomlinson (:karlt) from comment #12)
> (In reply to Chris Coulson from comment #4)
> > There seem to be a lot of these types of crashes in Firefox 12 now, all with
> > flash running in the main process:
> 
> This is cause by Bug 751641.

That bug cannot be about something in Firefox 12. That bug is a regression on mozilla-central only. See deps.
Oh, sorry, I somehow missed the version=Firefox%3A12.0
There is a spike in crashes starting in 15.0a1/20120503 making it #6 top crasher over the last day. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b13bfc70bc44&tochange=807403a04a6a
I think it's related to bug 751826.
Status: RESOLVED → REOPENED
tracking-firefox15: --- → ?
Keywords: topcrash
Resolution: INVALID → ---
Summary: Crash in nsAppShell::ProcessNextNativeEvent with abort message: "X_ShmPutImage: BadMatch (invalid parameter attributes)" with Flash Player in browser process → Crash in nsAppShell::ProcessNextNativeEvent with abort message: "X_ShmPutImage or X_CopyArea: BadMatch (invalid parameter attributes)" with Flash Player in browser process
Bug 751641 does appear to be the cause in nightly. Removing a broken pluginreg.dat caused by that bug fixes this crash for me.
Blocks: 748343
Depends on: 751641
http://crash-stats.mozilla.com/report/index/bp-3c010838-0942-427d-9241-1fb562120507

Hit this with today's Nightly.

Simply loading www.gsp.ro on a clean profile triggers the crash.

Mozilla/5.0 (X11; Linux i686; rv:15.0) Gecko/15.0 Firefox/15.0a1
Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/15.0 Firefox/15.0a1
Built from http://hg.mozilla.org/mozilla-central/rev/94ce5f33a9ea
Adobe Flash Player 11.2.202.235

No crash for me on http://www.gsp.ro with a new, clean profile and vanilla FX Nightly.
Ubuntu 12.04 here. I get the following output in the console:

After trying another couple of times, the page does load normally, but rarely. It seems that the crash occurs in 4 out of 5-6 attempts, didn't find a useful pattern until now. When the page does load normally, the adds that use Flash aren't loaded (displayed as blank). 

Following output in the console. Only occurs on Nightly.

###!!! ABORT: X_ShmPutImage: BadMatch (invalid parameter attributes); 13 requests ago: file /builds/slave/m-cen-lnx-ntly/build/toolkit/xre/nsX11ErrorHandler.cpp, line 190
With today's Nightly this seems to be fixed for me: 20120510.
The flash adds load completely and no crashes in Firefox when visiting gsp.ro (could also previously repro with one of the sites in crash stats comments:http://ava.furb.br)
Fixed by the patch in bug 751641.
Status: REOPENED → RESOLVED
Closed: 12 years ago12 years ago
Resolution: --- → FIXED
(In reply to Josh Aas (Mozilla Corporation) from comment #22)
> Fixed by the patch in bug 751641.

Either it's not fixed entirely, or I was seeing a different big in bug 754911. Which one should we reopen?
If you're still seeing this then it probably doesn't have anything to do with bug 751641 or bug 748343, which is a blocking dep here.
(In reply to Philipp von Weitershausen [:philikon] from comment #23)
> Either it's not fixed entirely, or I was seeing a different big in bug
> 754911. Which one should we reopen?
bug 754911 landed in 15.0a1/20120505 but hasn't fixed it (around 40 crashes per build). See https://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A15.0a1&query_search=signature&query_type=contains&reason_type=contains&range_value=28&range_unit=days&do_query=1&signature=TouchBadMemory%20|%20mozalloc_abort%20|%20NS_DebugBreak_P%20|%20X11Error
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
It seems the spike in 15.0 is gone in 15.0a1/20120518. The working range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c00a9c1940c5&tochange=762e95608da3
mozalloc_abort | NS_DebugBreak_P | X11Error has 49 crashes on the trunk.

TouchBadMemory has 2 crashes on Firefox 13/13.0.1.

TouchBadMemory | mozalloc_abort | NS_DebugBreak_P | X11Error still has a fair number of crashes for release versions but not for Aurora. That signature is also associated with 2 other open bugs (Bug 733323 and Bug 733325)
Shyam: do you know why you have flash player running in the browser process?

Check dom.ipc.plugins.* preferences.  If they are at their defaults, then try moving pluginreg.dat out of the way in the profile directory and it will be regenerated.
(In reply to Scoobidiver from comment #26)
> It seems the spike in 15.0 is gone in 15.0a1/20120518. The working range is:
> http://hg.mozilla.org/mozilla-central/
> pushloghtml?fromchange=c00a9c1940c5&tochange=762e95608da3

Please re-nominate if this trends up again in the future. Untracking for FF15 for now.
tracking-firefox15: +-
Depends on: 788399
This work for me. never more has crashed.
Karl Tomlinson
Check dom.ipc.plugins.* preferences.  If they are at their defaults,
Crash Signature: [@ mozalloc_abort | NS_DebugBreak_P | X11Error] [@ TouchBadMemory] [@ TouchBadMemory | mozalloc_abort | NS_DebugBreak_P | X11Error ] → [@ mozalloc_abort | NS_DebugBreak_P | X11Error] [@ mozalloc_abort(char const*) | NS_DebugBreak_P | X11Error] [@ TouchBadMemory] [@ TouchBadMemory | mozalloc_abort | NS_DebugBreak_P | X11Error ]
Crash Signature: [@ mozalloc_abort | NS_DebugBreak_P | X11Error] [@ mozalloc_abort(char const*) | NS_DebugBreak_P | X11Error] [@ TouchBadMemory] [@ TouchBadMemory | mozalloc_abort | NS_DebugBreak_P | X11Error ] → [@ mozalloc_abort | NS_DebugBreak_P | X11Error] [@ mozalloc_abort(char const*) | NS_DebugBreak_P | X11Error] [@ mozalloc_abort(char const*) | NS_DebugBreak_P ] [@ TouchBadMemory] [@ TouchBadMemory | mozalloc_abort | NS_DebugBreak_P | X11Error ]
Oh, thanks - i was somehow fixated on TouchBadMemory.

Worth noting that most of the "mozalloc_abort(char+const*)+|+NS_DebugBreak_P" ones are Fennec crashes below some "dalvik-LinearAlloc (deleted)" stack. I don't see a bug linked there for this, worth filing?
Priority: -- → P3
(In reply to Georg Fritzsche [:gfritzsche] from comment #39)
> Worth noting that most of the
> "mozalloc_abort(char+const*)+|+NS_DebugBreak_P" ones are Fennec crashes
> below some "dalvik-LinearAlloc (deleted)" stack. I don't see a bug linked
> there for this, worth filing?
Stack traces for crashes on abort are buggy on Android. Only the abort message matters. It's bug 834243 and also bug 846243.
Crash Signature: [@ mozalloc_abort | NS_DebugBreak_P | X11Error] [@ mozalloc_abort(char const*) | NS_DebugBreak_P | X11Error] [@ mozalloc_abort(char const*) | NS_DebugBreak_P ] [@ TouchBadMemory] [@ TouchBadMemory | mozalloc_abort | NS_DebugBreak_P | X11Error ] → [@ mozalloc_abort | NS_DebugBreak_P | X11Error] [@ mozalloc_abort(char const*) | NS_DebugBreak_P | X11Error] [@ mozalloc_abort(char const*) | NS_DebugBreak_P ] [@ TouchBadMemory] [@ TouchBadMemory | mozalloc_abort | NS_DebugBreak_P | X11Error ] [@ mo…
Crash Signature: mozalloc_abort(char const*) | NS_DebugBreak ] [@ mozalloc_abort(char const*) | NS_DebugBreak | X11Error ] → mozalloc_abort(char const*) | NS_DebugBreak ] [@ mozalloc_abort(char const*) | NS_DebugBreak | X11Error ] [@ mozalloc_abort(char const*) ]
Crash Signature: mozalloc_abort(char const*) | NS_DebugBreak ] [@ mozalloc_abort(char const*) | NS_DebugBreak | X11Error ] [@ mozalloc_abort(char const*) ] → mozalloc_abort(char const*) | NS_DebugBreak ] [@ mozalloc_abort(char const*) | NS_DebugBreak | X11Error ] [@ mozalloc_abort(char const*) ] [@ mozalloc_abort(char const*) | libc-2.17.so@0x1af980 ] [@ mozalloc_abort(char const*) | libc-2.15.so@0x1a6980…
This is not a topcrash any more.

Benjamin, should we close this bug completely as in-browser Flash is not supported any more at all?
Flags: needinfo?(benjamin)
Keywords: topcrash
Yes.
Status: REOPENED → RESOLVED
Closed: 12 years ago11 years ago
Flags: needinfo?(benjamin)
Resolution: --- → INCOMPLETE
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.