Closed Bug 806625 Opened 7 years ago Closed 7 years ago

"Well, this is embarrassing :( We tried to display this webpage, but it's not responding." with window.open that closes directly

Categories

(Firefox OS Graveyard :: General, defect, P3)

ARM
Gonk (Firefox OS)
defect

Tracking

(blocking-basecamp:+, firefox18 fixed, firefox19 fixed)

RESOLVED FIXED

People

(Reporter: martijn.martijn, Assigned: kk1fff)

References

(Blocks 1 open bug, )

Details

Attachments

(1 file, 2 obsolete files)

See testcase, to reproduce:
- tap on the "windowopenbuttonclick" button

Expected result:
- Quickly opening, then closing window

Actual result:
- "Well, this is embarrassing :( We tried to display this webpage, but it's not responding." window
I guess this is a crash?
blocks user interaction, fairly common to hit.
blocking-basecamp: --- → ?
OS: Windows 7 → Gonk (Firefox OS)
Hardware: x86 → ARM
> I guess this is a crash?

It would be helpful if you could build a b2g debug build and get a stack.  You could do this by attaching GDB to the appropriate process.
blocking-basecamp: ? → +
Priority: -- → P3
Patrick, maybe you'd be interested in investigating this?  I can help you get started while we're in the same room together.
Yes, it is a crash, stack:

#0  mozalloc_abort (msg=0xbeee1a98 "[Child 966] ###!!! ABORT: aborting because of fatal error: file /home/patrick/w/otoro/B2G/gecko/dom/ipc/ContentChild.cpp, line 845")
    at /home/patrick/w/otoro/B2G/gecko/memory/mozalloc/mozalloc_abort.cpp:21
#1  0x40c1c4ea in Abort (aSeverity=<value optimized out>, aStr=0x4112b0a3 "aborting because of fatal error", aExpr=<value optimized out>, aFile=<value optimized out>, 
    aLine=845) at /home/patrick/w/otoro/B2G/gecko/xpcom/base/nsDebugImpl.cpp:423
#2  NS_DebugBreak_P (aSeverity=<value optimized out>, aStr=0x4112b0a3 "aborting because of fatal error", aExpr=<value optimized out>, aFile=<value optimized out>, aLine=845)
    at /home/patrick/w/otoro/B2G/gecko/xpcom/base/nsDebugImpl.cpp:410
#3  0x40b14302 in mozilla::dom::ContentChild::ProcessingError (this=<value optimized out>, what=<value optimized out>)
    at /home/patrick/w/otoro/B2G/gecko/dom/ipc/ContentChild.cpp:845
#4  0x40b85c52 in mozilla::dom::PContentChild::OnProcessingError (this=0x34d, code=mozilla::ipc::HasResultCodes::MsgRouteError)
    at /home/patrick/w/otoro/B2G/objdir-gecko/ipc/ipdl/PContentChild.cpp:2857
#5  0x40b27f56 in mozilla::ipc::AsyncChannel::MaybeHandleError (this=0x34d, code=mozilla::ipc::HasResultCodes::MsgRouteError, channelName=<value optimized out>)
    at /home/patrick/w/otoro/B2G/gecko/ipc/glue/AsyncChannel.cpp:613
#6  0x40b27fb4 in mozilla::ipc::AsyncChannel::OnDispatchMessage (this=0x41a311b0, msg=<value optimized out>) at /home/patrick/w/otoro/B2G/gecko/ipc/glue/AsyncChannel.cpp:473
#7  0x40b2cdce in mozilla::ipc::RPCChannel::OnMaybeDequeueOne (this=0x41a311b0) at /home/patrick/w/otoro/B2G/gecko/ipc/glue/RPCChannel.cpp:402
#8  0x40b10dba in DispatchToMethod<mozilla::dom::ContentParent, void (mozilla::dom::ContentParent::*)()> (this=<value optimized out>)
    at /home/patrick/w/otoro/B2G/gecko/ipc/chromium/src/base/tuple.h:383
#9  RunnableMethod<mozilla::dom::ContentParent, void (mozilla::dom::ContentParent::*)(), Tuple0>::Run (this=<value optimized out>)
    at /home/patrick/w/otoro/B2G/gecko/ipc/chromium/src/base/task.h:307
#10 0x40b2b784 in mozilla::ipc::RPCChannel::RefCountedTask::Run (this=<value optimized out>) at ../../dist/include/mozilla/ipc/RPCChannel.h:425
#11 mozilla::ipc::RPCChannel::DequeueTask::Run (this=<value optimized out>) at ../../dist/include/mozilla/ipc/RPCChannel.h:448
#12 0x40c39ab8 in MessageLoop::RunTask (this=0xbeee28e8, task=0xbeee1ef4) at /home/patrick/w/otoro/B2G/gecko/ipc/chromium/src/base/message_loop.cc:333
#13 0x40c3a8ea in MessageLoop::DeferOrRunPendingTask (this=0x41a311b0, pending_task=<value optimized out>)
    at /home/patrick/w/otoro/B2G/gecko/ipc/chromium/src/base/message_loop.cc:341
#14 0x40c3b4c8 in MessageLoop::DoWork (this=0xbeee28e8) at /home/patrick/w/otoro/B2G/gecko/ipc/chromium/src/base/message_loop.cc:441
#15 0x40b2b140 in mozilla::ipc::DoWorkRunnable::Run (this=<value optimized out>) at /home/patrick/w/otoro/B2G/gecko/ipc/glue/MessagePump.cpp:42
#16 0x40c18232 in nsThread::ProcessNextEvent (this=0x41a06880, mayWait=<value optimized out>, result=0xbeee1fd7)
    at /home/patrick/w/otoro/B2G/gecko/xpcom/threads/nsThread.cpp:627
#17 0x40bf8996 in NS_ProcessNextEvent_P (thread=0x41a311b0, mayWait=false) at /home/patrick/w/otoro/B2G/objdir-gecko/xpcom/build/nsThreadUtils.cpp:221
#18 0x40b2b250 in mozilla::ipc::MessagePump::Run (this=0x41a022e0, aDelegate=0xbeee28e8) at /home/patrick/w/otoro/B2G/gecko/ipc/glue/MessagePump.cpp:82
#19 0x40b2b302 in mozilla::ipc::MessagePumpForChildProcess::Run (this=0x41a022e0, aDelegate=0xbeee28e8) at /home/patrick/w/otoro/B2G/gecko/ipc/glue/MessagePump.cpp:231
#20 0x40c39a68 in MessageLoop::RunInternal (this=0x1000000) at /home/patrick/w/otoro/B2G/gecko/ipc/chromium/src/base/message_loop.cc:215
#21 0x40c39b1e in MessageLoop::RunHandler (this=0xbeee28e8) at /home/patrick/w/otoro/B2G/gecko/ipc/chromium/src/base/message_loop.cc:208
#22 MessageLoop::Run (this=0xbeee28e8) at /home/patrick/w/otoro/B2G/gecko/ipc/chromium/src/base/message_loop.cc:182
#23 0x40ab4604 in nsBaseAppShell::Run (this=0x427fca60) at /home/patrick/w/otoro/B2G/gecko/widget/xpwidgets/nsBaseAppShell.cpp:163
#24 0x404510b4 in XRE_RunAppShell () at /home/patrick/w/otoro/B2G/gecko/toolkit/xre/nsEmbedFunctions.cpp:646
#25 0x40b2b2d0 in mozilla::ipc::MessagePumpForChildProcess::Run (this=0x41a022e0, aDelegate=0xbeee28e8) at /home/patrick/w/otoro/B2G/gecko/ipc/glue/MessagePump.cpp:198
#26 0x40c39a68 in MessageLoop::RunInternal (this=0x427fca60) at /home/patrick/w/otoro/B2G/gecko/ipc/chromium/src/base/message_loop.cc:215
#27 0x40c39b1e in MessageLoop::RunHandler (this=0xbeee28e8) at /home/patrick/w/otoro/B2G/gecko/ipc/chromium/src/base/message_loop.cc:208
#28 MessageLoop::Run (this=0xbeee28e8) at /home/patrick/w/otoro/B2G/gecko/ipc/chromium/src/base/message_loop.cc:182
#29 0x40451458 in XRE_InitChildProcess (aArgc=<value optimized out>, aArgv=<value optimized out>, aProcess=GeckoProcessType_Content)
    at /home/patrick/w/otoro/B2G/gecko/toolkit/xre/nsEmbedFunctions.cpp:485
#30 0x00008450 in main (argc=5, argv=0xbeee2a44) at /home/patrick/w/otoro/B2G/gecko/ipc/app/MozillaRuntimeMain.cpp:48

Error message says it's an IPC message route error.
This looks like an IPC error?
Assignee: nobody → pwang
Looks like IPC actor use-after-__delete__.
(In reply to Chris Jones [:cjones] [:warhammer] from comment #6)
> Looks like IPC actor use-after-__delete__.

I think it is (or at least, related to) a use-after-__delete__ case. I observed that several receivers were unregistered from mActorMap, then ContentParent attempted to route a message whose route_id no longer existed.
This patch adds a boolean mIsDestroyed to record if TabParent::Destroy() has been called, and checks mIsDestroyed before sending IPC messages.

Hi cjones, would you help to review this? Thanks.
Attachment #680322 - Flags: review?(jones.chris.g)
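
A toy model of the failure and the guard described above, added here as an illustration and not taken from the Gecko patch: a send issued after Destroy() targets a route id that is no longer in the actor map and comes back as MsgRouteError, while the mIsDestroyed check drops it before anything is sent. Channel, TabActor, LateLoad, MsgDropped, the mGuarded switch and the route id 7 are assumptions made for the example.

```cpp
// Toy model added for illustration; not Gecko code. mActorMap, route_id,
// mIsDestroyed and MsgRouteError are named in the thread; the rest is hypothetical.
#include <cstdint>
#include <set>
#include <string>

enum Result { MsgProcessed, MsgRouteError, MsgDropped };

// Receiving end of the channel: routes each message by route id.
struct Channel {
  std::set<int32_t> mActorMap;  // route ids of live actors
  Result Dispatch(int32_t route_id) const {
    // In the bug, this failure reached ProcessingError() and aborted the process.
    return mActorMap.count(route_id) ? MsgProcessed : MsgRouteError;
  }
};

// Sending end: an actor that can still be called after its route is gone.
class TabActor {
 public:
  TabActor(Channel* aChannel, int32_t aId, bool aGuarded)
      : mChannel(aChannel), mId(aId), mGuarded(aGuarded), mIsDestroyed(false) {
    mChannel->mActorMap.insert(mId);
  }
  void Destroy() {
    mIsDestroyed = true;             // recorded before the route is unregistered
    mChannel->mActorMap.erase(mId);
  }
  Result LoadURL(const std::string& /* aSpec: payload is irrelevant to routing */) {
    if (mGuarded && mIsDestroyed) return MsgDropped;  // early return: nothing is sent
    return mChannel->Dispatch(mId);
  }
 private:
  Channel* mChannel;
  int32_t mId;
  bool mGuarded;      // hypothetical switch: false models the code before the patch
  bool mIsDestroyed;  // true once Destroy() has run; no send is valid after that
};

// Open-then-close sequence from the testcase: Destroy(), then a late LoadURL().
Result LateLoad(bool aGuarded, bool aDestroyFirst) {
  Channel channel;
  TabActor tab(&channel, 7 /* constructed route id */, aGuarded);
  if (aDestroyFirst) tab.Destroy();
  return tab.LoadURL("app://constructed.example/");
}

int main() { return LateLoad(true, true) == MsgDropped ? 0 : 1; }
```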
An "if" statement is wrong, fix.
Attachment #680322 - Attachment is obsolete: true
Attachment #680322 - Flags: review?(jones.chris.g)
Attachment #680323 - Flags: review?(jones.chris.g)
Component: Gaia::Browser → General
Comment on attachment 680323 [details] [diff] [review]
Patch: Checking if TabParent has been destroyed before send IPC message

>diff --git a/dom/ipc/TabParent.cpp b/dom/ipc/TabParent.cpp

>@@ -223,64 +229,80 @@ TabParent::LoadURL(nsIURI* aURI)
>       NS_WARNING(nsPrintfCString("TabParent::LoadURL(%s) called before "
>                                  "Show(). Ignoring LoadURL.\n", spec.get()).get());
>       return;
>     }
> 
>     nsCString spec;
>     aURI->GetSpec(spec);
> 
>-    unused << SendLoadURL(spec);
>+    if (!mIsDestroyed) {
>+      unused << SendLoadURL(spec);
>+    }
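
Review bot: in LoadURL the destroyed case drops the load silently, while the before-Show() path a few lines up logs an NS_WARNING ("Ignoring LoadURL"). Log a matching warning when mIsDestroyed is set, so a send skipped after Destroy() is visible in debug output instead of looking like a lost navigation. Note also that `unused <<` discards the result of SendLoadURL, so a failed send at this site is never reported.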

This check should go at the beginning of the method and be

 if (mIsDestroyed) {
   return;
 }

> void
> TabParent::UpdateDimensions(const nsRect& rect, const nsIntSize& size)
> {
>-  unused << SendUpdateDimensions(rect, size);
>+  if (!mIsDestroyed) {
>+    unused << SendUpdateDimensions(rect, size);
>+  }
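
Review bot: UpdateDimensions repeats the same hand-written `if (!mIsDestroyed)` wrapper as LoadURL, so protection depends on every Send* call site in this file being remembered. Consider one shared check, or an audit of the remaining Send* callers in TabParent.cpp, so a sender added later cannot reach a destroyed actor unguarded.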

Just do

 if (mIsDestroyed) {
   return;
 }

>diff --git a/dom/ipc/TabParent.h b/dom/ipc/TabParent.h

>+    bool mIsDestroyed;
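
Review bot: the quoted lines for TabParent.h add `bool mIsDestroyed;` without showing where it is initialized. Confirm it is set to false in the constructor's initializer list and to true in Destroy(); an uninitialized bool here would make the new guards suppress or allow sends unpredictably.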

Add a comment describing what this member represents and what's
valid/invalid when it's true and false.

r=me with those.
Attachment #680323 - Flags: review?(jones.chris.g) → review+
https://hg.mozilla.org/mozilla-central/rev/3d61038df883
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
This seems to work now on my Otoro phone (updated today), but after running the testcase, I get an empty URL bar and a useless progress bar. I filed bug 813349 for that.
I also get crashes/OS reboots with a similar testcase as this one, I filed bug 813356 for it.