crash in mozilla::dom::PBlobStreamChild::FatalError

RESOLVED FIXED in Firefox 21

Status

defect
--
critical
RESOLVED FIXED
7 years ago
4 months ago

People

(Reporter: scoobidiver, Assigned: bent.mozilla)

Tracking

({crash})

Trunk
mozilla21
ARM
Gonk (Firefox OS)

Firefox Tracking Flags

(blocking-b2g:tef+, firefox19 wontfix, firefox20 wontfix, firefox21 fixed, b2g18 fixed, b2g18-v1.0.0 fixed)

Details

(Whiteboard: [b2g-crash][BTG-984], crash signature)

Attachments

(3 attachments)

It first showed up in 18.0/20130114.
It's the #7 top crasher in B2G 18.0.

xpcom_runtime_abort([Child 11309] ###!!! ABORT: [PBlobStreamChild] abort()ing as a result: file PBlobStreamChild.cpp, line 364)

Frame 	Module 	Signature 	Source
0 	libxul.so 	mozalloc_abort 	mozalloc_abort.cpp:30
1 	libxul.so 	NS_DebugBreak_P 	nsDebugImpl.cpp:423
2 	libxul.so 	mozilla::dom::PBlobStreamChild::FatalError 	PBlobStreamChild.cpp:364
3 	libxul.so 	mozilla::dom::PBlobStreamChild::OnMessageReceived 	PBlobStreamChild.cpp:215
4 	libxul.so 	mozilla::dom::PContentChild::OnMessageReceived 	PContentChild.cpp:2281
5 	libxul.so 	mozilla::ipc::AsyncChannel::OnDispatchMessage 	AsyncChannel.cpp:473
6 	libxul.so 	mozilla::ipc::RPCChannel::OnMaybeDequeueOne 	RPCChannel.cpp:402
7 	libxul.so 	RunnableMethod<IPC::ChannelProxy::Context, void , Tuple0>::Run 	tuple.h:383
8 	libxul.so 	mozilla::ipc::RPCChannel::DequeueTask::Run 	RPCChannel.h:425
9 	libxul.so 	MessageLoop::RunTask 	message_loop.cc:333
10 	libxul.so 	MessageLoop::DeferOrRunPendingTask 	message_loop.cc:341
11 	libxul.so 	MessageLoop::DoWork 	message_loop.cc:441
12 	libxul.so 	mozilla::ipc::DoWorkRunnable::Run 	MessagePump.cpp:42
13 	libxul.so 	nsThread::ProcessNextEvent 	nsThread.cpp:620
14 	libxul.so 	NS_ProcessNextEvent_P 	nsThreadUtils.cpp:237
15 	libxul.so 	mozilla::ipc::MessagePump::Run 	MessagePump.cpp:117
16 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	MessagePump.cpp:231
17 	libxul.so 	MessageLoop::RunInternal 	message_loop.cc:215
18 	libxul.so 	MessageLoop::Run 	message_loop.cc:208
19 	libxul.so 	nsBaseAppShell::Run 	nsBaseAppShell.cpp:163
20 	libxul.so 	XRE_RunAppShell 	nsEmbedFunctions.cpp:646
21 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	MessagePump.cpp:198
22 	libxul.so 	MessageLoop::RunInternal 	message_loop.cc:215
23 	libxul.so 	MessageLoop::Run 	message_loop.cc:208
24 	libxul.so 	XRE_InitChildProcess 	nsEmbedFunctions.cpp:485
25 	plugin-container 	main 	MozillaRuntimeMain.cpp:48 

More reports at:
https://crash-stats.mozilla.com/report/list?signature=mozalloc_abort+|+NS_DebugBreak_P+|+mozilla%3A%3Adom%3A%3APBlobStreamChild%3A%3AFatalError
Btw - anything that is a top crasher, feel free to nom with tef? so that drivers see this bug
blocking-b2g: --- → tef?
Component: General → DOM
Keywords: needURLs, qawanted
Product: Boot2Gecko → Core
Version: unspecified → Trunk
Blocks: 808607
Whiteboard: [b2g-crash] → [b2g-crash][BTG-984]
Duplicate of this bug: 831418
No URLs found for this crash, removing keyword.
Keywords: needURLs
The failing code is

            InputStreamParams params;
...
            if ((!(Read((&(params)), (&(__msg)), (&(__iter)))))) {
                FatalError("error deserializing (better message TODO)");

There are two component types that could plausibly fail during read

struct FileInputStreamParams
{
  FileDescriptor file;

struct RemoteInputStreamParams
{
  PBlob remoteBlob;

m1, do you happen to have a logcat from the bug 831418 report?
(In reply to Chris Jones [:cjones] [:warhammer] from comment #4)
> m1, do you happen to have a logcat from the bug 831418 report?

Yeah it's 33MB (camera is chatty!).  I can grep for something?
Dammitall, no :(.  The logging statement I wanted is off by default.  Will fix that wagon in a tick.
dougt, would usually tag bent for this but he doesn't seem to be around.  Really want to get this in for another test run tonight if we can't repro today.  Let me know if you're comfortable reviewing this.
Attachment #703056 - Flags: review?(doug.turner)
Do we end up running that code in desktop builds too (when handling OOP plugins)?
I don't think we want printf there.
Comment on attachment 703056 [details] [diff] [review]
Log breakpoint-level IPC errors always [checked in]

This is fine by me, if that's good enough for you.
Attachment #703056 - Flags: review+
(In reply to Olli Pettay [:smaug] from comment #8)
> Do we end up running that code in desktop builds too (when handling OOP
> plugins)?
> I don't think we want printf there.

Yes, but this is the equivalent of IPC-abort.  abort prints in all builds.  Do you have a specific concern?
bent, can you have a look here?
Assignee: nobody → bent.mozilla
Comment on attachment 703056 [details] [diff] [review]
Log breakpoint-level IPC errors always [checked in]

Stealing review...
Attachment #703056 - Flags: review?(doug.turner) → review+
hah. beat me to it.

I was going to say maybe prefix that logging with "ipdl":

+    printf_stderr("IPDL Protocol error: %s\n", aMsg);
|printf_stderr| doesn't make it into logcat right?  Should we be using logwrapper?
blocking-b2g: tef? → tef+
Keywords: qawanted
Keywords: qawanted
Expecting CAF test results by 1/23.
This patch makes deserialization error messages much more useful and puts them onto the FatalError path so that stack traces are a bit more useful. (As a bonus the message will make it into the crash report extra info section).
Attachment #705166 - Flags: review?(jones.chris.g)
So we caught this crash with the additional logging from comment 14 in place:

  IPDL protocol error: error deserializing (better message TODO)

Looks like that comes from ipc/ipdl/ipdl/lower.py
Sigh... The "TODO" referenced there is in my patch.
headdesk.  Ok, do you think this patch will land on b2g18 today?  If not I can land it internally for now so we can try to catch this again overnight
(In reply to Michael Vines [:m1] from comment #20)
> So we caught this crash with the additional logging from comment 14 in place:
> 
>   IPDL protocol error: error deserializing (better message TODO)
> 
> Looks like that comes from ipc/ipdl/ipdl/lower.py

Great!  That means the culprit is almost 100% for sure

struct FileInputStreamParams
{
  FileDescriptor file;

in comment 4.
Attachment #705166 - Flags: review?(jones.chris.g) → review+
Attachment #703056 - Attachment description: Log breakpoint-level IPC errors always → Log breakpoint-level IPC errors always [checked in]
Attachment #705166 - Attachment description: Better logging of deserialization errors, v1 → Better logging of deserialization errors, v1 [checked in]
I hit this signature today when testing. From what I recall, I was operating in the camera app, and while doing so received a message that the contacts app crashed. The report points to this signature. 

Not sure if I am hitting a different variant of Bug 827749, but just thought I would mention the fact that I had seen it today since it looks as if this signature is still under investigation.
Thanks Marcia! Can you link the crash report?
https://crash-stats.mozilla.com/report/index/6cef5594-aac9-4237-8b0e-b00402130124

The device that crashed only had two contacts, and one of them had a picture associated with it.

(In reply to ben turner [:bent] from comment #27)
> Thanks Marcia! Can you link the crash report?
Ah, crap. That version apparently doesn't have my error message changes in it yet. Marcia, any chance you can try again with today's build?
This patch will protect the child from crashing if it should receive a junk filehandle.
Attachment #706168 - Flags: review?(jones.chris.g)
Attachment #706168 - Flags: review?(jones.chris.g) → review+
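
An added illustration of the two changes described in this thread (deserialization errors that name the member that failed, and tolerating a junk file handle instead of aborting the child); it is not the attached patches or Gecko's generated IPDL code. The wire layout, `ReadResult`, `ReadI32` and the rule for what counts as a junk value are assumptions of the sketch.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Constructed wire model (assumption, not Gecko's IPDL format): one tag byte,
// then a 32-bit little-endian value (descriptor number or blob actor id).
enum Tag : uint8_t { kFile = 1, kRemoteBlob = 2 };

struct ReadResult {
    bool ok = false;      // false: protocol error, the caller's FatalError() case
    bool usable = false;  // false with ok == true: junk handle, stream stays closed
    std::string error;    // names the member that failed, for logs and crash reports
};

static bool ReadI32(const std::vector<uint8_t>& msg, size_t& iter, int32_t& out) {
    if (iter > msg.size() || msg.size() - iter < 4) return false;  // truncated
    uint32_t v = 0;
    for (int i = 0; i < 4; ++i) v |= static_cast<uint32_t>(msg[iter + i]) << (8 * i);
    out = static_cast<int32_t>(v);
    iter += 4;
    return true;
}

ReadResult ReadInputStreamParams(const std::vector<uint8_t>& msg) {
    ReadResult r;
    size_t iter = 0;
    int32_t value = 0;
    if (msg.empty()) {
        r.error = "Error deserializing type tag of union 'InputStreamParams'";
        return r;
    }
    const uint8_t tag = msg[iter++];
    if (tag != kFile && tag != kRemoteBlob) {
        r.error = "Unknown type tag in union 'InputStreamParams'";
        return r;
    }
    if (!ReadI32(msg, iter, value)) {
        r.error = tag == kFile
            ? "Error deserializing 'file' (FileDescriptor) member of 'FileInputStreamParams'"
            : "Error deserializing 'remoteBlob' (PBlob) member of 'RemoteInputStreamParams'";
        return r;
    }
    r.ok = true;
    // Assumption of this sketch: a negative descriptor or a zero actor id is "junk".
    // It is reported as an unusable stream instead of aborting the child.
    r.usable = (tag == kFile) ? value >= 0 : value > 0;
    return r;
}
```

A truncated message is still a protocol error, but the error string now identifies which member could not be read; a well-formed message carrying a bad handle is parsed and simply yields a stream the caller cannot use.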
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
(We enumerated all the possible ways this FatalError() could be reached and believe we've fixed them.)
Whiteboard: [b2g-crash][BTG-984][leave open] → [b2g-crash][BTG-984]
Target Milestone: --- → mozilla21
Landed on mozilla-b2g18/gaia master prior to the 1/25 branching to mozilla-b2g18_v1_0_0/v1.0.0, updating status-b2g-v1.0.0 to fixed.
Seems to be fixed, I tried on 1/26 build otoro and 
Gecko  http://hg.mozilla.org/releases/mozilla-b2g18_v1_0_0/rev/361d9359f4f3
Gaia   0abc95774d0bbdfe314fa588e09fc92cac3e6427
BuildID 20130130113326
Version 18.0
Unagi

Michael or Marcia, can you verify as well please?
Flags: needinfo?(mvines)
Flags: needinfo?(mozillamarcia.knous)
I was never able to reproduce this crash, so I cannot really verify except that I have not crashed in this stack since I reported it.
Flags: needinfo?(mozillamarcia.knous)
Flags: needinfo?(mvines)
Component: DOM → DOM: Core & HTML