Closed Bug 733322 Opened 13 years ago Closed 12 years ago

Crash in nsAppShell::ProcessNextNativeEvent with abort message: "X_ShmPutImage or X_CopyArea: BadMatch (invalid parameter attributes)" with Flash Player in browser process

Categories

(Core Graveyard :: Plug-ins, defect, P3)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
x86
Linux
Type:
defect

Tracking

(firefox15-)

Status:
RESOLVED INCOMPLETE
Tracking Flags:
Tracking Status
firefox15 - ---

People

(Reporter: scoobidiver, Unassigned)

References

Details

(Keywords: crash)

Crash Data

Signature TouchBadMemory More Reports Search UUID 33c2b014-8357-400f-a6f9-32c172120305 Date Processed 2012-03-05 13:31:13 Uptime 3307 Last Crash 55.2 minutes before submission Install Age 57.2 minutes since version was first installed. Install Time 2012-03-05 12:33:30 Product Firefox Version 13.0a1 Build ID 20120304031031 Release Channel nightly OS Linux OS Version 0.0.0 Linux 3.0.0-12-generic-pae #20-Ubuntu SMP Fri Oct 7 16:37:17 UTC 2011 i686 Build Architecture x86 Build Architecture Info AuthenticAMD family 16 model 5 stepping 2 Crash Reason SIGSEGV Crash Address 0x0 App Notes OpenGL: NVIDIA Corporation -- GeForce GT 220/PCI/SSE2/3DNOW! -- 3.3.0 NVIDIA 280.13 -- texture_from_pixmap X_ShmPutImage: BadMatch (invalid parameter attributes); 167 requests agoxpcom_runtime_abort(###!!! ABORT: X_ShmPutImage: BadMatch (invalid parameter attributes); 167 requests ago: file /builds/slave/m-cen-lnx-ntly/build/toolkit/xre/nsX11ErrorHandler.cpp, line 190) EMCheckCompatibility False Crashing Thread Frame Module Signature Source 0 libmozalloc.so TouchBadMemory memory/mozalloc/mozalloc_abort.cpp:68 1 libmozalloc.so mozalloc_abort memory/mozalloc/mozalloc_abort.cpp:89 2 libxul.so NS_DebugBreak_P xpcom/base/nsDebugImpl.cpp:388 3 libxul.so X11Error toolkit/xre/nsX11ErrorHandler.cpp:190 4 libbonoboui-2.so.0.0.0 libbonoboui-2.so.0.0.0@0x1ea74 5 libX11.so.6.3.0 _XError XlibInt.c:1583 6 libX11.so.6.3.0 handle_error xcb_io.c:212 7 libX11.so.6.3.0 handle_response xcb_io.c:324 8 libX11.so.6.3.0 _XEventsQueued xcb_io.c:363 9 libX11.so.6.3.0 XPending Pending.c:55 10 libgdk-x11-2.0.so.0.2400.6 gdk_event_prepare gdkevents-x11.c:159 11 libglib-2.0.so.0.3000.0 g_main_context_prepare gmain.c:2762 12 libglib-2.0.so.0.3000.0 g_main_context_iterate gmain.c:3069 13 libglib-2.0.so.0.3000.0 g_main_context_iteration gmain.c:3152 14 libxul.so nsAppShell::ProcessNextNativeEvent widget/gtk2/nsAppShell.cpp:162 15 libxul.so nsBaseAppShell::OnProcessNextEvent widget/xpwidgets/nsBaseAppShell.cpp:171 16 libxul.so nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:619 17 libxul.so NS_ProcessNextEvent_P obj-firefox/xpcom/build/nsThreadUtils.cpp:245 18 libxul.so mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:110 19 libxul.so MessageLoop::Run ipc/chromium/src/base/message_loop.cc:208 20 libxul.so nsBaseAppShell::Run widget/xpwidgets/nsBaseAppShell.cpp:189 21 libxul.so nsAppStartup::Run toolkit/components/startup/nsAppStartup.cpp:295 22 libxul.so XRE_main toolkit/xre/nsAppRunner.cpp:3564 23 firefox main browser/app/nsBrowserApp.cpp:190 ... More reports at: https://crash-stats.mozilla.com/report/list?signature=TouchBadMemory
Gecko doesn't usually use XShm. Some GTK themes may end up using it, but, given the Flash Player threads in the browser process, that looks the likely culprit. Flash Player should not be doing much in the browser process unless preferences have been changed, which I expect is the case here.
Component: Widget: Gtk → Plug-ins
QA Contact: gtk → plugins
Summary: Crash in nsAppShell::ProcessNextNativeEvent with abort message: "X_ShmPutImage: BadMatch (invalid parameter attributes)" → Crash in nsAppShell::ProcessNextNativeEvent with abort message: "X_ShmPutImage: BadMatch (invalid parameter attributes)" with Flash Player in browser process
I'll mark this as invalid as resetting dom.ipc.plugins.* preferences to their defaults should resolve the browser crash, and we don't have a reason to support running Flash Player in the browser process.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID
Crash Signature: [@ TouchBadMemory] [@ mozalloc_abort | NS_DebugBreak_P | X11Error] → [@ mozalloc_abort | NS_DebugBreak_P | X11Error] [@ TouchBadMemory] [@ TouchBadMemory | mozalloc_abort | NS_DebugBreak_P | X11Error]
Crash Signature: [@ mozalloc_abort | NS_DebugBreak_P | X11Error] [@ TouchBadMemory] [@ TouchBadMemory | mozalloc_abort | NS_DebugBreak_P | X11Error] → [@ mozalloc_abort | NS_DebugBreak_P | X11Error] [@ TouchBadMemory] [@ TouchBadMemory | mozalloc_abort | NS_DebugBreak_P | X11Error ]
Note, the broken traces are bug 750637
(In reply to Chris Coulson from comment #4) > I wonder if people are having a specific issue which is causing them to change > dom.ipc.plugins.enabled? It's bug 704249 caused by IcedTea 1.1.
I'm not sure why I'm on this bug's list, but I specifically reset dom.ipc.plugins.enabled to the default value, after not knowing why it was changed in the first place, and I have ii icedtea6-plugin 6b18-1.8.13-0+squeeze1 which may or may not be that what you refer to as IcedTea 1.1 (but I have no clue about Java, either).
I'd also like to know why dom.ipc.plugins.enabled is often false, but the workaround for bug 704249 is setting a slightly different pref to true.
(In reply to Karl Tomlinson (:karlt) from comment #8) > I'd also like to know why dom.ipc.plugins.enabled is often false, but the > workaround for bug 704249 is setting a slightly different pref to true. Users usually know how to disable the OOPP with dom.ipc.plugins.enabled, but don't know it can be set for each plugin like dom.ipc.plugins.java.enabled for Java.
OOPP java is usually disabled, but the workaround for bug 704249 is to *enable* 00PP even for java.
The third hit on Google when searching for "plugin-container" is an article explaining how to turn off OOPP, so it's entirely conceivable that anyone who has a problem with it (something like high CPU usage, perhaps?) figures out how to disable it.
(In reply to Chris Coulson from comment #4) > There seem to be a lot of these types of crashes in Firefox 12 now, all with > flash running in the main process: This is cause by Bug 751641.
(In reply to Karl Tomlinson (:karlt) from comment #12) > (In reply to Chris Coulson from comment #4) > > There seem to be a lot of these types of crashes in Firefox 12 now, all with > > flash running in the main process: > > This is cause by Bug 751641. That bug cannot be about something in Firefox 12. That bug is a regression on mozilla-central only. See deps.
Oh, sorry, I somehow missed the version=Firefox%3A12.0
There is a spike in crashes starting in 15.0a1/20120503 making it #6 top crasher over the last day. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b13bfc70bc44&tochange=807403a04a6a I think it's related to bug 751826.
Status: RESOLVED → REOPENED
tracking-firefox15: --- → ?
Keywords: topcrash
Resolution: INVALID → ---
Summary: Crash in nsAppShell::ProcessNextNativeEvent with abort message: "X_ShmPutImage: BadMatch (invalid parameter attributes)" with Flash Player in browser process → Crash in nsAppShell::ProcessNextNativeEvent with abort message: "X_ShmPutImage or X_CopyArea: BadMatch (invalid parameter attributes)" with Flash Player in browser process
Bug 751641 does appear to be the cause in nightly. Removing a broken pluginreg.dat caused by that bug fixes this crash for me.
Blocks: 748343
Depends on: 751641
http://crash-stats.mozilla.com/report/index/bp-3c010838-0942-427d-9241-1fb562120507 Hit this with today's Nightly. Simply loading www.gsp.ro on a clean profile triggers the crash. Mozilla/5.0 (X11; Linux i686; rv:15.0) Gecko/15.0 Firefox/15.0a1
Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/15.0 Firefox/15.0a1 Built from http://hg.mozilla.org/mozilla-central/rev/94ce5f33a9ea Adobe Flash Player 11.2.202.235 No crash for me on http://www.gsp.ro with a new, clean profile and vanilla FX Nightly.
Ubuntu 12.04 here. I get the following output in the console: After trying another couple of times, the page does load normally, but rarely. It seems that the crash occurs in 4 out of 5-6 attempts, didn't find a useful pattern until now. When the page does load normally, the adds that use Flash aren't loaded (displayed as blank). Following output in the console. Only occurs on Nightly. ###!!! ABORT: X_ShmPutImage: BadMatch (invalid parameter attributes); 13 requests ago: file /builds/slave/m-cen-lnx-ntly/build/toolkit/xre/nsX11ErrorHandler.cpp, line 190
With today's Nightly this seems to be fixed for me: 20120510. The flash adds load completely and no crashes in Firefox when visiting gsp.ro (could also previously repro with one of the sites in crash stats comments:http://ava.furb.br)
Fixed by the patch in bug 751641.
Status: REOPENED → RESOLVED
Closed: 13 years ago13 years ago
Resolution: --- → FIXED
(In reply to Josh Aas (Mozilla Corporation) from comment #22) > Fixed by the patch in bug 751641. Either it's not fixed entirely, or I was seeing a different big in bug 754911. Which one should we reopen?
If you're still seeing this then it probably doesn't have anything to do with bug 751641 or bug 748343, which is a blocking dep here.
(In reply to Philipp von Weitershausen [:philikon] from comment #23) > Either it's not fixed entirely, or I was seeing a different big in bug > 754911. Which one should we reopen? bug 754911 landed in 15.0a1/20120505 but hasn't fixed it (around 40 crashes per build). See https://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A15.0a1&query_search=signature&query_type=contains&reason_type=contains&range_value=28&range_unit=days&do_query=1&signature=TouchBadMemory%20|%20mozalloc_abort%20|%20NS_DebugBreak_P%20|%20X11Error
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
It seems the spike in 15.0 is gone in 15.0a1/20120518. The working range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c00a9c1940c5&tochange=762e95608da3
mozalloc_abort | NS_DebugBreak_P | X11Error has 49 crashes on the trunk. TouchBadMemory has 2 crashes on Firefox 13/13.0.1. TouchBadMemory | mozalloc_abort | NS_DebugBreak_P | X11Error still has a fair number of crashes for release versions but not for Aurora. That signature is also associated with 2 other open bugs (Bug 733323 and Bug 733325)
Shyam: do you know why you have flash player running in the browser process? Check dom.ipc.plugins.* preferences. If they are at their defaults, then try moving pluginreg.dat out of the way in the profile directory and it will be regenerated.
(In reply to Scoobidiver from comment #26) > It seems the spike in 15.0 is gone in 15.0a1/20120518. The working range is: > http://hg.mozilla.org/mozilla-central/ > pushloghtml?fromchange=c00a9c1940c5&tochange=762e95608da3 Please re-nominate if this trends up again in the future. Untracking for FF15 for now.
tracking-firefox15: +-
Depends on: 788399
This work for me. never more has crashed. Karl Tomlinson Check dom.ipc.plugins.* preferences. If they are at their defaults,
Crash Signature: [@ mozalloc_abort | NS_DebugBreak_P | X11Error] [@ TouchBadMemory] [@ TouchBadMemory | mozalloc_abort | NS_DebugBreak_P | X11Error ] → [@ mozalloc_abort | NS_DebugBreak_P | X11Error] [@ mozalloc_abort(char const*) | NS_DebugBreak_P | X11Error] [@ TouchBadMemory] [@ TouchBadMemory | mozalloc_abort | NS_DebugBreak_P | X11Error ]
Crash Signature: [@ mozalloc_abort | NS_DebugBreak_P | X11Error] [@ mozalloc_abort(char const*) | NS_DebugBreak_P | X11Error] [@ TouchBadMemory] [@ TouchBadMemory | mozalloc_abort | NS_DebugBreak_P | X11Error ] → [@ mozalloc_abort | NS_DebugBreak_P | X11Error] [@ mozalloc_abort(char const*) | NS_DebugBreak_P | X11Error] [@ mozalloc_abort(char const*) | NS_DebugBreak_P ] [@ TouchBadMemory] [@ TouchBadMemory | mozalloc_abort | NS_DebugBreak_P | X11Error ]
Oh, thanks - i was somehow fixated on TouchBadMemory. Worth noting that most of the "mozalloc_abort(char+const*)+|+NS_DebugBreak_P" ones are Fennec crashes below some "dalvik-LinearAlloc (deleted)" stack. I don't see a bug linked there for this, worth filing?
Priority: -- → P3
(In reply to Georg Fritzsche [:gfritzsche] from comment #39) > Worth noting that most of the > "mozalloc_abort(char+const*)+|+NS_DebugBreak_P" ones are Fennec crashes > below some "dalvik-LinearAlloc (deleted)" stack. I don't see a bug linked > there for this, worth filing? Stack traces for crashes on abort are buggy on Android. Only the abort message matters. It's bug 834243 and also bug 846243.
Crash Signature: [@ mozalloc_abort | NS_DebugBreak_P | X11Error] [@ mozalloc_abort(char const*) | NS_DebugBreak_P | X11Error] [@ mozalloc_abort(char const*) | NS_DebugBreak_P ] [@ TouchBadMemory] [@ TouchBadMemory | mozalloc_abort | NS_DebugBreak_P | X11Error ] → [@ mozalloc_abort | NS_DebugBreak_P | X11Error] [@ mozalloc_abort(char const*) | NS_DebugBreak_P | X11Error] [@ mozalloc_abort(char const*) | NS_DebugBreak_P ] [@ TouchBadMemory] [@ TouchBadMemory | mozalloc_abort | NS_DebugBreak_P | X11Error ] [@ mo…
Crash Signature: mozalloc_abort(char const*) | NS_DebugBreak ] [@ mozalloc_abort(char const*) | NS_DebugBreak | X11Error ] → mozalloc_abort(char const*) | NS_DebugBreak ] [@ mozalloc_abort(char const*) | NS_DebugBreak | X11Error ] [@ mozalloc_abort(char const*) ]
Crash Signature: mozalloc_abort(char const*) | NS_DebugBreak ] [@ mozalloc_abort(char const*) | NS_DebugBreak | X11Error ] [@ mozalloc_abort(char const*) ] → mozalloc_abort(char const*) | NS_DebugBreak ] [@ mozalloc_abort(char const*) | NS_DebugBreak | X11Error ] [@ mozalloc_abort(char const*) ] [@ mozalloc_abort(char const*) | libc-2.17.so@0x1af980 ] [@ mozalloc_abort(char const*) | libc-2.15.so@0x1a6980…
This is not a topcrash any more. Benjamin, should we close this bug completely as in-browser Flash is not supported any more at all?
Flags: needinfo?(benjamin)
Keywords: topcrash
Yes.
Status: REOPENED → RESOLVED
Closed: 13 years ago12 years ago
Flags: needinfo?(benjamin)
Resolution: --- → INCOMPLETE
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.