Closed Bug 833606 Opened 7 years ago Closed 7 years ago

crash in libxul.so!mozilla::dom::ContentPermissionRequestParent::ActorDestroy

Categories

(Firefox OS Graveyard :: General, defect, critical)

Platform: ARM / Gonk (Firefox OS)
Type: defect
Priority: Not set
Severity: critical

Tracking

(blocking-b2g:tef+, firefox19 wontfix, firefox20 wontfix, firefox21 fixed, b2g18 fixed, b2g18-v1.0.0 fixed)

VERIFIED FIXED
B2G C4 (2jan on)
blocking-b2g tef+

People

(Reporter: m1, Assigned: cyu)

References

Details

(Keywords: crash, Whiteboard: [b2g-crash][cr 443922])

Crash Data

Attachments

(2 files, 1 obsolete file)

This crash was seen during monkey testing on AU 182.  Looks very close to bug 700594. 

The Camera app was in the process of starting (and then killed by LMK) immediately before this b2g process crash occurred. 

.extra file contained nothing interesting.

Top frames:
----
Crash reason:  SIGSEGV
Crash address: 0x8

Thread 0 (crashed)
 0  libxul.so!mozilla::dom::ContentPermissionRequestParent::ActorDestroy [nsContentPermissionHelper.cpp : 48 + 0x4]
     r4 = 0x433c90c0    r5 = 0x00000004    r6 = 0x00000004    r7 = 0x00000001
     r8 = 0xbee5872c    r9 = 0x48b6bb34   r10 = 0x00000004    fp = 0x00000000
     sp = 0xbee58718    lr = 0x410a0a2d    pc = 0x40d268d4
    Found by: given as instruction pointer in context
 1  libxul.so!mozilla::docshell::POfflineCacheUpdateParent::DestroySubtree [POfflineCacheUpdateParent.cpp : 399 + 0x9]
     r4 = 0x433c90c0    r5 = 0x00000004    r6 = 0x00000004    r7 = 0x00000001
     r8 = 0xbee5872c    r9 = 0x48b6bb34   r10 = 0x00000004    fp = 0x00000000
     sp = 0xbee58718    pc = 0x410a0a2d
    Found by: call frame info
 2  libxul.so!mozilla::dom::PBrowserParent::DestroySubtree [PBrowserParent.cpp : 2122 + 0x5]
     r4 = 0x47f244a0    r5 = 0x41a3a390    r6 = 0x00000004    r7 = 0x00000001
     r8 = 0xbee5872c    r9 = 0x48b6bb34   r10 = 0x00000004    fp = 0x00000000
     sp = 0xbee58728    pc = 0x410b2685
    Found by: call frame info
 3  libxul.so!mozilla::dom::PContentParent::DestroySubtree [PContentParent.cpp : 3329 + 0x5]
     r4 = 0x41a3a390    r5 = 0x4a1766c0    r6 = 0x00000004    r7 = 0x00000001
     r8 = 0xbee58754    r9 = 0x490d3914   r10 = 0x00000004    fp = 0x00000000
     sp = 0xbee58750    pc = 0x410b93b3
    Found by: call frame info
 4  libxul.so!mozilla::dom::PContentParent::OnChannelError [PContentParent.cpp : 3166 + 0x3]
     r4 = 0x4a1766c0    r5 = 0x4a1766c8    r6 = 0x00000000    r7 = 0x404390c8
     r8 = 0xbee587d0    r9 = 0x40407c0c   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbee58778    pc = 0x410b9877
    Found by: call frame info


|watch b2g-ps| at the time of the crash.   Kernel logs show the camera app getting killed by the LMK, then the b2g process coming down.
-----
APPLICATION       OOM_ADJ  OOM_SCORE  OOM_SCORE_ADJ  USER     PID   PPID  VSIZE  RSS     WCHAN    PC         NAME
b2g                  0        331         0          root      127   1     185696 67912 ffffffff 40ab44d8 R /system/b2g/b2g
Homescreen           3        287         200        app_395   395   127   65588  16344 ffffffff 400dc430 S /system/b2g/plugin-container
Send To Bluetoo      6        467         400        app_9355  9355  127   60340  12664 ffffffff 400bd430 S /system/b2g/plugin-container
Browser              6        451         400        app_11352 11352 127   59312  9596  ffffffff 400fc430 S /system/b2g/plugin-container
Communications       6        477         400        app_14937 14937 127   58232  14436 ffffffff 400d7430 S /system/b2g/plugin-container
(Preallocated a      6        477         400        app_17002 17002 127   56176  14428 ffffffff 400f7430 S /system/b2g/plugin-container
Cost Control         6        469         400        app_18195 18195 127   60396  13016 ffffffff 40094430 S /system/b2g/plugin-container
Every 2s: b2g-ps --oom                                      2013-01-22 04:24:52

APPLICATION       OOM_ADJ  OOM_SCORE  OOM_SCORE_ADJ  USER     PID   PPID  VSIZE  RSS     WCHAN    PC         NAME
b2g                  0        340         0          root      127   1     186784 69456 ffffffff 41571dd2 D /system/b2g/b2g
Dogfood              6        449         400        app_345   345   127   58232  9156  ffffffff 400ed430 S /system/b2g/plugin-container
Homescreen           3        287         200        app_395   395   127   65588  16408 ffffffff 400dc430 S /system/b2g/plugin-container
Send To Bluetoo      6        467         400        app_9355  9355  127   60340  12664 ffffffff 400bd430 S /system/b2g/plugin-container
Browser              6        451         400        app_11352 11352 127   59312  9596  ffffffff 400fc430 S /system/b2g/plugin-container
Communications       6        477         400        app_14937 14937 127   58232  14524 ffffffff 400d7430 S /system/b2g/plugin-container
(Preallocated a      6        477         400        app_17002 17002 127   56176  14428 ffffffff 400f7430 S /system/b2g/plugin-container
Cost Control         6        469         400        app_18195 18195 127   60396  13016 ffffffff 40094430 S /system/b2g/plugin-container
(Preallocated a      1        115         67         app_25432 25432 127   26348  1052  00000000 b00010a8 R /system/b2g/plugin-container
Every 2s: b2g-ps --oom                                      2013-01-22 04:24:55

APPLICATION       OOM_ADJ  OOM_SCORE  OOM_SCORE_ADJ  USER     PID   PPID  VSIZE  RSS     WCHAN    PC         NAME
b2g                  0        322         0          root      127   1     186720 66468 ffffffff 40d6bf50 D /system/b2g/b2g
Homescreen           3        281         200        app_395   395   127   65524  15720 ffffffff 400dc430 S /system/b2g/plugin-container
Send To Bluetoo      6        465         400        app_9355  9355  127   60340  12532 ffffffff 400bd430 S /system/b2g/plugin-container
Browser              6        452         400        app_11352 11352 127   59312  9928  ffffffff 400fc430 S /system/b2g/plugin-container
Communications       6        465         400        app_14937 14937 127   58232  12948 ffffffff 400d7430 S /system/b2g/plugin-container
(Preallocated a      6        462         400        app_17002 17002 127   56176  12196 ffffffff 400f7430 S /system/b2g/plugin-container
Cost Control         6        467         400        app_18195 18195 127   60396  12976 ffffffff 40094430 S /system/b2g/plugin-container
Camera               6        0           400        app_25432 25432 127   61500  20252 ffffffff 408959a8 D /system/b2g/plugin-container
Every 2s: b2g-ps --oom                                      2013-01-22 04:24:58

APPLICATION       OOM_ADJ  OOM_SCORE  OOM_SCORE_ADJ  USER     PID   PPID  VSIZE  RSS     WCHAN    PC         NAME
b2g                  0        83          0          root      25580 1     72172  20104 ffffffff 411f8fba D /system/b2g/b2g
-----
Whiteboard: [cr 443922]
Severity: normal → critical
Crash Signature: [@ mozilla::dom::ContentPermissionRequestParent::ActorDestroy ]
Keywords: crash
Whiteboard: [cr 443922] → [b2g-crash][cr 443922]
From nsContentPermissionHelper.cpp, mProxy is allocated only after the parent receives the "prompt" message from the child. If ContentPermissionRequestParent is allocated but the child is killed (e.g. because of OOM) and the parent detects the channel error, we could enter ActorDestroy() with a null mProxy. If this is the case, then the simple solution is to check whether mProxy is null in ActorDestroy().
Adding this to simulate OOM before sending prompt reproduces the crash

--- a/dom/src/geolocation/nsGeolocation.cpp
+++ b/dom/src/geolocation/nsGeolocation.cpp
@@ -1485,16 +1485,17 @@ nsGeolocation::RegisterRequestWithPrompt
     // Retain a reference so the object isn't deleted without IPDL's knowledge.
     // Corresponding release occurs in DeallocPContentPermissionRequest.
     request->AddRef();
     child->SendPContentPermissionRequestConstructor(request,
                                                     NS_LITERAL_CSTRING("geolocation"),
                                                     NS_LITERAL_CSTRING("unused"),
                                                     IPC::Principal(mPrincipal));
 
+    kill(getpid(), 9);
     request->Sendprompt();
     return true;
   }
 
   nsCOMPtr<nsIRunnable> ev  = new RequestPromptEvent(request);
   NS_DispatchToMainThread(ev);
   return true;
 }
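Review bot: the kill(getpid(), 9) sits between SendPContentPermissionRequestConstructor and request->Sendprompt(), which is exactly the window the crash needs: the parent-side ContentPermissionRequestParent already exists but has not received "prompt", so its mProxy is still null when the dead child becomes a channel error and ActorDestroy(AbnormalShutdown) runs. That makes this a reproduction-only hack that must not land as-is; it also relies on kill() and getpid() already being visible in nsGeolocation.cpp, since the hunk adds no <signal.h> or <unistd.h> include.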

Crash caught in gdb:
Program received signal SIGSEGV, Segmentation fault.
0x41ebd674 in mozalloc_abort (msg=<value optimized out>) at /home/cervantes/hg/mozilla-central/memory/mozalloc/mozalloc_abort.cpp:30
30          MOZ_CRASH();
(gdb) bt
#0  0x41ebd674 in mozalloc_abort (msg=<value optimized out>) at /home/cervantes/hg/mozilla-central/memory/mozalloc/mozalloc_abort.cpp:30
#1  0x41854b0a in Abort (aSeverity=<value optimized out>, aStr=<value optimized out>, aExpr=<value optimized out>, aFile=<value optimized out>, aLine=783) at /home/cervantes/hg/mozilla-central/xpcom/base/nsDebugImpl.cpp:422
#2  NS_DebugBreak_P (aSeverity=<value optimized out>, aStr=<value optimized out>, aExpr=<value optimized out>, aFile=<value optimized out>, aLine=783) at /home/cervantes/hg/mozilla-central/xpcom/base/nsDebugImpl.cpp:379
#3  0x41016492 in nsCOMPtr<nsContentPermissionRequestProxy>::operator-> (this=0x445827a0) at ../../dist/include/nsCOMPtr.h:783
#4  0x410164b2 in mozilla::dom::ContentPermissionRequestParent::ActorDestroy (this=<value optimized out>, why=3200474280) at /home/cervantes/hg/mozilla-central/dom/base/nsContentPermissionHelper.cpp:158
#5  0x41604a8e in mozilla::plugins::PPluginBackgroundDestroyerParent::DestroySubtree (this=0x44582780, why=mozilla::ipc::IProtocolManager<mozilla::ipc::RPCChannel::RPCListener>::AbnormalShutdown) at /home/cervantes/git/b2g-device2/B2G/objdir-gecko-dbg/ipc/ipdl/PPluginBackgroundDestroyerParent.cpp:324
#6  0x416240e6 in mozilla::dom::PBrowserParent::DestroySubtree (this=0x47451ed0, why=mozilla::ipc::IProtocolManager<mozilla::ipc::RPCChannel::RPCListener>::AbnormalShutdown) at /home/cervantes/git/b2g-device2/B2G/objdir-gecko-dbg/ipc/ipdl/PBrowserParent.cpp:2124
#7  0x4162f6de in mozilla::dom::PContentParent::DestroySubtree (this=0x46efac00, why=mozilla::ipc::IProtocolManager<mozilla::ipc::RPCChannel::RPCListener>::AbnormalShutdown) at /home/cervantes/git/b2g-device2/B2G/objdir-gecko-dbg/ipc/ipdl/PContentParent.cpp:3261
#8  0x4162fbf0 in mozilla::dom::PContentParent::OnChannelError (this=0xaa) at /home/cervantes/git/b2g-device2/B2G/objdir-gecko-dbg/ipc/ipdl/PContentParent.cpp:3105
#9  0x415e60b8 in mozilla::ipc::AsyncChannel::NotifyMaybeChannelError (this=0x46efac08) at /home/cervantes/hg/mozilla-central/ipc/glue/AsyncChannel.cpp:549
#10 0x415e730a in mozilla::ipc::AsyncChannel::OnNotifyMaybeChannelError (this=0x46efac08) at /home/cervantes/hg/mozilla-central/ipc/glue/AsyncChannel.cpp:514
#11 0x415bcfbc in DispatchToMethod<mozilla::dom::ContentParent, void (mozilla::dom::ContentParent::*)()> (this=<value optimized out>) at /home/cervantes/hg/mozilla-central/ipc/chromium/src/base/tuple.h:383
#12 RunnableMethod<mozilla::dom::ContentParent, void (mozilla::dom::ContentParent::*)(), Tuple0>::Run (this=<value optimized out>) at /home/cervantes/hg/mozilla-central/ipc/chromium/src/base/task.h:307
#13 0x41880596 in MessageLoop::RunTask (this=0x4042b0c0, task=0x47c2c520) at /home/cervantes/hg/mozilla-central/ipc/chromium/src/base/message_loop.cc:333
#14 0x41880dc0 in MessageLoop::DeferOrRunPendingTask (this=0xaa, pending_task=<value optimized out>) at /home/cervantes/hg/mozilla-central/ipc/chromium/src/base/message_loop.cc:341
#15 0x41881b12 in MessageLoop::DoWork (this=0x4042b0c0) at /home/cervantes/hg/mozilla-central/ipc/chromium/src/base/message_loop.cc:441
#16 0x415eb3cc in mozilla::ipc::DoWorkRunnable::Run (this=<value optimized out>) at /home/cervantes/hg/mozilla-central/ipc/glue/MessagePump.cpp:42
#17 0x4184bb02 in nsThread::ProcessNextEvent (this=0x40404390, mayWait=<value optimized out>, result=0xbec366ef) at /home/cervantes/hg/mozilla-central/xpcom/threads/nsThread.cpp:627
#18 0x418138a0 in NS_ProcessNextEvent_P (thread=0xaa, mayWait=true) at /home/cervantes/git/b2g-device2/B2G/objdir-gecko-dbg/xpcom/build/nsThreadUtils.cpp:238
#19 0x415eb5d8 in mozilla::ipc::MessagePump::Run (this=0x40402430, aDelegate=0x4042b0c0) at /home/cervantes/hg/mozilla-central/ipc/glue/MessagePump.cpp:117
#20 0x41880b4a in MessageLoop::RunInternal (this=0x4042b0c0) at /home/cervantes/hg/mozilla-central/ipc/chromium/src/base/message_loop.cc:215
#21 0x41880baa in MessageLoop::RunHandler (this=0x4042b0c0) at /home/cervantes/hg/mozilla-central/ipc/chromium/src/base/message_loop.cc:208
#22 MessageLoop::Run (this=0x4042b0c0) at /home/cervantes/hg/mozilla-central/ipc/chromium/src/base/message_loop.cc:182
#23 0x41529a02 in nsBaseAppShell::Run (this=0x434266a0) at /home/cervantes/hg/mozilla-central/widget/xpwidgets/nsBaseAppShell.cpp:163
#24 0x41417608 in nsAppStartup::Run (this=0x435bedc0) at /home/cervantes/hg/mozilla-central/toolkit/components/startup/nsAppStartup.cpp:288
#25 0x40a14892 in XREMain::XRE_mainRun (this=0xbec36984) at /home/cervantes/hg/mozilla-central/toolkit/xre/nsAppRunner.cpp:3823
#26 0x40a1749e in XREMain::XRE_main (this=0xbec36984, argc=<value optimized out>, argv=0xbec38b84, aAppData=<value optimized out>) at /home/cervantes/hg/mozilla-central/toolkit/xre/nsAppRunner.cpp:3890
#27 0x40a17652 in XRE_main (argc=1, argv=0xbec38b84, aAppData=0x21184, aFlags=<value optimized out>) at /home/cervantes/hg/mozilla-central/toolkit/xre/nsAppRunner.cpp:4093
#28 0x0000a2f8 in do_main (argc=1, argv=0xbec38b84) at /home/cervantes/hg/mozilla-central/b2g/app/nsBrowserApp.cpp:164
#29 main (argc=1, argv=0xbec38b84) at /home/cervantes/hg/mozilla-central/b2g/app/nsBrowserApp.cpp:249
Tested with the simulated OOM kill to the camera app.
Assignee: nobody → cyu
Attachment #705309 - Flags: review?(jones.chris.g)
Maybe we should consider using gdb to simulate the OOM killer before the child sends each kind of message, to detect all such bugs.
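The lifecycle described in comment 1 (mProxy created only on "prompt", ActorDestroy reached through the channel-error path when the child is OOM-killed first) and the "simulate the OOM killer before each message" sweep proposed just above, as an added C++ illustration that is not Gecko code and not an attachment on this bug. RequestParent, RequestProxy, Dispatch, OnChannelError, RunKillPoint and KillBeforeEachMessage are hypothetical stand-ins for the IPDL-generated actor, nsContentPermissionRequestProxy and the real message sequence; the ActorDestroy shown is the null-checked form.

```cpp
// Added illustration, not Gecko code: a minimal model of the IPDL parent
// actor lifecycle behind this crash and of the "kill the child before each
// message" sweep. All names are hypothetical stand-ins.
#include <cstddef>
#include <memory>
#include <string>
#include <vector>

// Mirrors IPDL's ActorDestroyReason values.
enum class ActorDestroyReason {
  Deletion, AncestorDeletion, NormalShutdown, AbnormalShutdown, FailedConstructor
};

// Stand-in for nsContentPermissionRequestProxy, the object the real parent
// notifies from ActorDestroy.
struct RequestProxy {
  bool parentDestroyed = false;
  void OnParentDestroyed() { parentDestroyed = true; }
};

// Stand-in for ContentPermissionRequestParent. mProxy is created only when
// the child's "prompt" message arrives, so between the constructor message
// and "prompt" the actor exists with mProxy == nullptr.
class RequestParent {
 public:
  bool RecvPrompt() {
    mProxy = std::make_unique<RequestProxy>();
    return true;
  }

  // Patched ActorDestroy: tolerate a null mProxy, which is the state the
  // actor is in if the channel dies before "prompt". Returns true when the
  // proxy was notified, false when there was nothing to notify (the case
  // the unpatched code dereferenced unconditionally).
  bool ActorDestroy(ActorDestroyReason why) {
    mDestroyReason = why;
    if (!mProxy) {
      return false;
    }
    mProxy->OnParentDestroyed();
    return true;
  }

  bool HasProxy() const { return mProxy != nullptr; }
  ActorDestroyReason LastDestroyReason() const { return mDestroyReason; }

 private:
  std::unique_ptr<RequestProxy> mProxy;
  ActorDestroyReason mDestroyReason = ActorDestroyReason::Deletion;
};

// Child-to-parent message dispatch; anything unknown is a protocol error.
bool Dispatch(RequestParent& parent, const std::string& msg) {
  if (msg == "prompt") {
    return parent.RecvPrompt();
  }
  return false;
}

// The path in the crash stack: OnChannelError -> DestroySubtree ->
// ActorDestroy(AbnormalShutdown). Returns what ActorDestroy returned.
bool OnChannelError(RequestParent& parent) {
  return parent.ActorDestroy(ActorDestroyReason::AbnormalShutdown);
}

// Outcome of one "child died right before message n" run.
struct KillPoint {
  std::size_t messagesDelivered;
  bool proxyExisted;   // was mProxy set when ActorDestroy ran?
  bool proxyNotified;  // did ActorDestroy reach OnParentDestroyed()?
};

// Deliver the first n child messages, then kill the channel, as the
// kill(getpid(), 9) reproduction did for n == 0.
KillPoint RunKillPoint(const std::vector<std::string>& childMessages, std::size_t n) {
  RequestParent parent;  // created by the PContentPermissionRequest constructor
  for (std::size_t i = 0; i < n && i < childMessages.size(); ++i) {
    Dispatch(parent, childMessages[i]);
  }
  bool existed = parent.HasProxy();
  bool notified = OnChannelError(parent);
  return {n, existed, notified};
}

// Sweep every kill point: the mechanical form of "simulate the OOM killer
// before the child sends each kind of message".
std::vector<KillPoint> KillBeforeEachMessage(const std::vector<std::string>& childMessages) {
  std::vector<KillPoint> out;
  for (std::size_t n = 0; n <= childMessages.size(); ++n) {
    out.push_back(RunKillPoint(childMessages, n));
  }
  return out;
}

// Number of kill points at which ActorDestroy ran with no proxy; each one
// is a place the unpatched code would have crashed.
std::size_t CountDestroysWithoutProxy(const std::vector<std::string>& childMessages) {
  std::size_t count = 0;
  for (const KillPoint& kp : KillBeforeEachMessage(childMessages)) {
    if (!kp.proxyExisted) {
      ++count;
    }
  }
  return count;
}
```

KillBeforeEachMessage({"prompt"}) yields two rows: kill point 0 (child died before "prompt") reaches ActorDestroy with no proxy, which is the state the unpatched code dereferenced, and kill point 1 reaches it with the proxy set and notified. Running the same sweep over a protocol's full child-to-parent message list, with a fresh parent actor per kill point, is what the gdb suggestion amounts to.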
Comment on attachment 705309 [details] [diff] [review]
Null check mProxy in mozilla::dom::ContentPermissionRequestParent::ActorDestroy()

Review of attachment 705309 [details] [diff] [review]:
-----------------------------------------------------------------

r=me, and thanks for the patch!
Attachment #705309 - Flags: review?(jones.chris.g) → review+
blocking-b2g: tef? → tef+
Keywords: checkin-needed
Target Milestone: --- → B2G C4 (2jan on)
Landed on mozilla-b2g18/gaia master prior to the 1/25 branching to mozilla-b2g18_v1_0_0/v1.0.0, updating status-b2g-v1.0.0 to fixed.
Unagi Build ID: 20130313070202
Gecko: http://hg.mozilla.org/releases/mozilla-b2g18_v1_0_1/rev/e74dafa6b2d9
Gaia: b34e726147f8e671ad8c538b50900ccfbffcb084
Kernel: Dec 5th

Crash does not reproduce on this build.
Status: RESOLVED → VERIFIED