Bug 774606 - Frame scripts can outlive something they need in TabChild?

Component: Core :: IPC (defect)
Priority: Not set; Severity: normal
Status: RESOLVED INCOMPLETE
Reporter: cjones; Unassigned
Opened 12 years ago; closed 11 years ago

Spun off from 773998.  For background, see comment 1, comment 4, comment 6.

Setup: build b2g for desktop, https://wiki.mozilla.org/Gaia/Hacking#Building_B2G .

STR are
 (1) Apply patch here
 (2) Unlock lock screen (pin is 0000)
 (3) Tap calculator icon to launch calculator app
 (4) Hold down HOME key to bring up task manager
 (5) Click the calculator task and swipe upwards to close it

It's somewhat hard to reproduce --- need to close the calculator a bunch of times, or shut down b2g.
In the stack, we're invoking callback functions that are in a frame script, while shutting down XPCOM.  But interestingly,

(gdb) f 35
#35 0x00007f97a72db8f0 in mozilla::dom::ContentProcess::CleanUp (this=0x18ed7b0) at /home/cjones/mozilla/mozilla-central/dom/ipc/ContentProcess.cpp:31
(gdb) ptarray mContent.mManagedPBrowserChild
nsTArray length = 0
nsTArray capacity = 0
Element type = nsTArray<mozilla::dom::PBrowserChild*, nsTArrayInfallibleAllocator>::elem_type

That means the ContentChild no longer has any TabChilds.  For it not to have TabChilds, TabChild::ActorDestroy() must have been called, which does

void
TabChild::ActorDestroy(ActorDestroyReason why)
{
  if (mTabChildGlobal) {
    // The messageManager relays messages via the TabChild which
    // no longer exists.
    static_cast<nsFrameMessageManager*>
      (mTabChildGlobal->mMessageManager.get())->Disconnect();
    mTabChildGlobal->mMessageManager = nsnull;
  }
}
In the log around the time of the crash, I also see

JS Component Loader: ERROR chrome://browser/content/forms.js:154
                     NS_ERROR_INVALID_POINTER: Component returned failure code: 0x80004003 (NS_ERROR_INVALID_POINTER) [nsIFrameMessageManager.removeMessageListener]

so I wonder if this is a bug in frame script management?
nsFrameMessageManager::Disconnect() nulls out its JSContext*, which seems like it might be related.
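The lifetime hazard described in this bug, modelled as an added example (this is not Gecko code and does not reproduce the real nsFrameMessageManager; the class names, the nsresult values other than NS_ERROR_INVALID_POINTER, and the "Forms:Input" message name are assumptions made for illustration). A frame script registers a listener with a message manager that borrows a JSContext* from its TabChild. TabChild::ActorDestroy() calls Disconnect(), which nulls that context, but the frame script can still run its unload path during XPCOM shutdown and call removeMessageListener, which is the NS_ERROR_INVALID_POINTER failure seen in the log. The model shows the safe behaviour: once disconnected, the manager refuses to touch the dead context and drops messages instead of dispatching into the frame script.

```cpp
// Added example modelling the bug's sequence of events; not Gecko code.
#include <cstdint>
#include <functional>
#include <string>
#include <utility>
#include <vector>

typedef uint32_t nsresult;
const nsresult NS_OK = 0x0;
const nsresult NS_ERROR_INVALID_POINTER = 0x80004003;  // value from the log in this bug
const nsresult NS_ERROR_NOT_AVAILABLE = 0x80040111;    // assumed value for "no such listener"

struct JSContext { int unused; };  // stand-in for the real opaque type (assumption)

typedef std::function<void(const std::string&)> MessageListener;

class FrameMessageManager {
public:
  explicit FrameMessageManager(JSContext* cx) : mContext(cx) {}

  nsresult AddMessageListener(const std::string& name, MessageListener fn) {
    if (!mContext) return NS_ERROR_INVALID_POINTER;  // disconnected: no context to run in
    Entry e = {name, std::move(fn)};
    mListeners.push_back(e);
    return NS_OK;
  }

  // The call that fails in forms.js once the TabChild is gone.
  nsresult RemoveMessageListener(const std::string& name) {
    if (!mContext) return NS_ERROR_INVALID_POINTER;
    for (size_t i = 0; i < mListeners.size(); ++i) {
      if (mListeners[i].name == name) {
        mListeners.erase(mListeners.begin() + i);
        return NS_OK;
      }
    }
    return NS_ERROR_NOT_AVAILABLE;
  }

  // Called from TabChild::ActorDestroy(): the TabChild that relayed messages no
  // longer exists, so drop the borrowed context and every registered listener.
  void Disconnect() {
    mContext = nullptr;
    mListeners.clear();
  }

  bool IsConnected() const { return mContext != nullptr; }

  // Deliver a message; returns how many listeners ran. After Disconnect() this
  // returns 0 rather than invoking frame-script callbacks with a null context.
  size_t ReceiveMessage(const std::string& name, const std::string& data) {
    if (!mContext) return 0;
    size_t ran = 0;
    for (size_t i = 0; i < mListeners.size(); ++i) {
      if (mListeners[i].name == name) {
        mListeners[i].fn(data);
        ++ran;
      }
    }
    return ran;
  }

private:
  struct Entry { std::string name; MessageListener fn; };
  JSContext* mContext;             // borrowed from the TabChild, nulled on Disconnect()
  std::vector<Entry> mListeners;
};

// A minimal stand-in for a frame script such as forms.js (assumption).
struct FrameScript {
  FrameMessageManager* mm;
  int received;
  explicit FrameScript(FrameMessageManager* aMM) : mm(aMM), received(0) {}

  nsresult Load() {
    return mm->AddMessageListener("Forms:Input",
        [this](const std::string&) { ++received; });
  }
  // Runs during shutdown, possibly after the TabChild is already destroyed.
  nsresult Unload() { return mm->RemoveMessageListener("Forms:Input"); }
};

// Reproduce the order of events from the report. Returns the result of the
// frame script's unload and reports how many messages were actually delivered.
nsresult RunShutdownSequence(int* deliveredOut) {
  JSContext cx;
  FrameMessageManager mm(&cx);
  FrameScript script(&mm);
  script.Load();
  mm.ReceiveMessage("Forms:Input", "first");   // delivered normally
  mm.Disconnect();                             // TabChild::ActorDestroy()
  mm.ReceiveMessage("Forms:Input", "second");  // dropped, not dispatched
  nsresult rv = script.Unload();               // NS_ERROR_INVALID_POINTER, as in the log
  *deliveredOut = script.received;
  return rv;
}
```

The point of the model is that the failing removeMessageListener call is a symptom, not the danger: the dangerous case is a message manager that keeps relaying into frame-script callbacks after its context has been nulled, which is what the stack in comment 0 shows happening during ContentProcess::CleanUp.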
Happens for a variety of reasons, this bug isn't specific enough to be useful.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INCOMPLETE