Closed Bug 752408 Opened 13 years ago Closed 13 years ago

Content-process crash when destroying OOP iframe mozbrowser (near nsFrameMessageManager::Disconnect)

Categories

(Core :: IPC, defect)

Product:
Core
Component:
IPC
Platform:
ARM
Gonk (Firefox OS)
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: cjones, Assigned: cjones)

References

Details

Crash Data

Attachments

(1 file)

Check for null message manager
881 bytes, patch
smaug
: review+
Details | Diff | Splinter Review
Here's the crash report from the android debuggerd, with c++filt love F/libc ( 205): Fatal signal 11 (SIGSEGV) at 0x0000001c (code=1) I/DEBUG ( 78): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** I/DEBUG ( 78): Build fingerprint: 'unknown' I/DEBUG ( 78): pid: 205, tid: 205 >>> /system/b2g/plugin-container <<< I/DEBUG ( 78): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0000001c I/DEBUG ( 78): r0 00000000 r1 00000001 r2 00000000 r3 0195fae8 I/DEBUG ( 78): r4 00000000 r5 be89eaa4 r6 00000002 r7 be89ea90 I/DEBUG ( 78): r8 be89eaa4 r9 413d16bc 10 413d16bc fp 00000001 I/DEBUG ( 78): ip 401422f0 sp be89ea80 lr 40a918af pc 40612494 cpsr 20000030 I/DEBUG ( 78): #00 pc 004cc494 /system/b2g/libxul.so (nsFrameMessageManager::Disconnect(bool)) I/DEBUG ( 78): #01 pc 00995d1c /system/b2g/libxul.so (mozilla::dom::PBrowserChild::DestroySubtree(mozilla::ipc::IProtocolManager<mozilla::ipc::RPCChannel::RPCListener>::ActorDestroyReason)) I/DEBUG ( 78): #02 pc 00995f02 /system/b2g/libxul.so (mozilla::dom::PBrowserChild::Send__delete__(mozilla::dom::PBrowserChild*)) I/DEBUG ( 78): #03 pc 0094b948 /system/b2g/libxul.so (mozilla::dom::TabChild::RecvDestroy()) I/DEBUG ( 78): #04 pc 00998460 /system/b2g/libxul.so (mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&)) I/DEBUG ( 78): #05 pc 0099c672 /system/b2g/libxul.so (mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&)) I/DEBUG ( 78): #06 pc 00959686 /system/b2g/libxul.so (mozilla::ipc::AsyncChannel::OnDispatchMessage(IPC::Message const&)) I/DEBUG ( 78): #07 pc 0095d4b0 /system/b2g/libxul.so (mozilla::ipc::RPCChannel::OnMaybeDequeueOne()) I/DEBUG ( 78): #08 pc 0094d736 /system/b2g/libxul.so (RunnableMethod<mozilla::ipc::AsyncChannel::ProcessLink, void (mozilla::ipc::AsyncChannel::ProcessLink::*)(), Tuple0>::Run()) I/DEBUG ( 78): #09 pc 0095bbb4 /system/b2g/libxul.so (mozilla::ipc::RPCChannel::DequeueTask::Run()) I/DEBUG ( 78): #10 pc 00a0a4dc /system/b2g/libxul.so (MessageLoop::RunTask(Task*)) I/DEBUG ( 78): #11 pc 00a0b4d4 /system/b2g/libxul.so (MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&)) I/DEBUG ( 78): #12 pc 00a0c162 /system/b2g/libxul.so (MessageLoop::DoWork()) I/DEBUG ( 78): #13 pc 0095b724 /system/b2g/libxul.so (mozilla::ipc::DoWorkRunnable::Run()) I/DEBUG ( 78): #14 pc 009e7352 /system/b2g/libxul.so (nsThread::ProcessNextEvent(bool, bool*)) I/DEBUG ( 78): #15 pc 009c58aa /system/b2g/libxul.so (NS_ProcessNextEvent_P(nsIThread*, bool)) I/DEBUG ( 78): #16 pc 0095b644 /system/b2g/libxul.so (mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)) I/DEBUG ( 78): #17 pc 0095b686 /system/b2g/libxul.so (mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)) I/DEBUG ( 78): #18 pc 00a0a478 /system/b2g/libxul.so (MessageLoop::RunInternal()) I/DEBUG ( 78): #19 pc 00a0a556 /system/b2g/libxul.so (MessageLoop::Run()) I/DEBUG ( 78): #20 pc 008e6830 /system/b2g/libxul.so (nsBaseAppShell::Run()) I/DEBUG ( 78): #21 pc 002635c0 /system/b2g/libxul.so (XRE_RunAppShell) I/DEBUG ( 78): #22 pc 0095b680 /system/b2g/libxul.so (mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)) I/DEBUG ( 78): #23 pc 00a0a478 /system/b2g/libxul.so (MessageLoop::RunInternal()) I/DEBUG ( 78): #24 pc 00a0a556 /system/b2g/libxul.so (MessageLoop::Run()) I/DEBUG ( 78): #25 pc 0026391c /system/b2g/libxul.so (XRE_InitChildProcess) I/DEBUG ( 78): #26 pc 00008540 /system/b2g/plugin-container (main) I/DEBUG ( 78): #27 pc 00016900 /system/lib/libc.so (__libc_init)
Crash Signature: [@ nsFrameMessageManager::Disconnect(bool)]
Assignee: nobody → jones.chris.g
Attachment #621521 - Flags: review?(bugs)
Attachment #621521 - Flags: review?(bugs) → review+
Although, this would be strange. Do we re-enter TabChild::ActorDestroy ?
This might be papering over a bug in jlebar's patch queue. Following up.
Bad merge, false alarm.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: