Closed
Bug 896890
Opened 11 years ago
Closed 11 years ago
Crash in mozilla::dom::ContentParent::CreateBrowserOrApp
Categories
(Core :: IPC, defect)
People
(Reporter: leo.bugzilla.gecko, Assigned: justin.lebar+bug)
Details
(Keywords: crash, Whiteboard: [b2g-crash][leo-triage])
Attachments
(1 file) patch, 27.02 KB, khuey: review+
Gecko: b2g18(0703)
Gaia: v1-train(0703)
CPU: arm ARMv0 0 CPUs
Crash reason: SIGSEGV
Crash address: 0x0

Thread 0 (crashed)
 0  libxul.so!mozilla::dom::ContentParent::CreateBrowserOrApp [ContentParent.cpp : 423 + 0x0]
    r0 = 0x00000000 r1 = 0xbe9feb04 r2 = 0x0000003f r3 = 0xbe9feb18 r4 = 0xbe9feca0 r5 = 0x00000000 r6 = 0x520cacf0 r7 = 0x42050504 r8 = 0xbe9feb04 r9 = 0x00000000 r10 = 0xbe9fee80 r12 = 0x40cdf4c4 fp = 0xbe9ff598 sp = 0xbe9feaf8 lr = 0x41667405 pc = 0x4165c4f4
    Found by: given as instruction pointer in context
 1  libxul.so!nsFrameLoader::TryRemoteBrowser [nsFrameLoader.cpp : 2051 + 0x7]
    r4 = 0x505f00b0 r5 = 0x42040654 r6 = 0x00000000 r7 = 0x00000000 r8 = 0x00000000 r9 = 0x00000000 r10 = 0xbe9fee80 fp = 0xbe9ff598 sp = 0xbe9fec00 pc = 0x411b4845
    Found by: call frame info
 2  libxul.so!nsFrameLoader::ReallyStartLoadingInternal [nsFrameLoader.cpp : 425 + 0x3]
    r4 = 0x505f00b0 r5 = 0x505f00b0 r6 = 0x45955ea8 r7 = 0x80004005 r8 = 0x00000001 r9 = 0x00000000 r10 = 0xbe9fee80 fp = 0xbe9ff598 sp = 0xbe9fed40 pc = 0x411b63a1
    Found by: call frame info
 3  libxul.so!nsFrameLoader::ReallyStartLoading [nsFrameLoader.cpp : 405 + 0x3]
    r4 = 0x45955c00 r5 = 0x505f00b0 r6 = 0x45955ea8 r7 = 0x42040654 r8 = 0x00000009 r9 = 0x00000000 r10 = 0xbe9fee80 fp = 0xbe9ff598 sp = 0xbe9fee08 pc = 0x411b6529
    Found by: call frame info
 4  libxul.so!nsDocument::MaybeInitializeFinalizeFrameLoaders [nsDocument.cpp : 5665 + 0x5]
    r4 = 0x45955c00 r5 = 0x505f00b0 r6 = 0x45955ea8 r7 = 0x42040654 r8 = 0x00000009 r9 = 0x00000000 r10 = 0xbe9fee80 fp = 0xbe9ff598 sp = 0xbe9fee18 pc = 0x411b0457
    Found by: call frame info
 5  libxul.so!nsDocument::EndUpdate [nsDocument.cpp : 4213 + 0x5]
    r0 = 0x45955c00 r1 = 0x45955c00 r2 = 0xbe9fee44 r3 = 0x00000000 r4 = 0x45955c00 r5 = 0xbe9fee44 r6 = 0x00000001 r7 = 0x42040654 r8 = 0x00000009 r9 = 0x00000000 r10 = 0xbe9fee80 fp = 0xbe9ff598 sp = 0xbe9fee38 pc = 0x411b051f
    Found by: call frame info
 6  libxul.so!nsHTMLDocument::EndUpdate [nsHTMLDocument.cpp : 2353 + 0x3]
    r0 = 0x00000001 r1 = 0x00000000 r2 = 0x45955db8 r3 = 0x48f2ed70 r4 = 0x45955c00 r5 = 0x504ace70 r6 = 0x00000000 r7 = 0x42040654 r8 = 0x00000009 r9 = 0x00000000 r10 = 0xbe9fee80 fp = 0xbe9ff598 sp = 0xbe9fee58 pc = 0x41276181
    Found by: call frame info
 7  libxul.so!mozAutoDocUpdate::~mozAutoDocUpdate [mozAutoDocUpdate.h : 35 + 0x9]
    r4 = 0xbe9ff00c r5 = 0x504ace70 r6 = 0x00000000 r7 = 0x42040654 r8 = 0x00000009 r9 = 0x00000000 r10 = 0xbe9fee80 fp = 0xbe9ff598 sp = 0xbe9fee60 pc = 0x4111a297
    Found by: call frame info
 8  libxul.so!nsINode::ReplaceOrInsertBefore [nsINode.cpp : 1892 + 0xb]
    r4 = 0x4aa66290 r5 = 0x504ace70 r6 = 0x00000000 r7 = 0x42040654 r8 = 0x00000009 r9 = 0x00000000 r10 = 0xbe9fee80 fp = 0xbe9ff598 sp = 0xbe9fee68 pc = 0x411c25fb
    Found by: call frame info
 9  libxul.so!nsIDOMNode_AppendChild [nsINode.h : 1484 + 0xb]
    r4 = 0x445c49a0 r5 = 0x43b6c550 r6 = 0x43778de0 r7 = 0x411c2005 r8 = 0x00000000 r9 = 0x4aa66290 r10 = 0x504ace70 fp = 0xbe9ff598 sp = 0xbe9ff050 pc = 0x414d17fb
    Found by: call frame info
10  libxul.so!js::InvokeKernel [jscntxtinlines.h : 364 + 0x5]
    r4 = 0xbe9ff158 r5 = 0x00000000 r6 = 0x43778de0 r7 = 0x44562e40 r8 = 0x00000000 r9 = 0x41e56d58 r10 = 0x42038798 fp = 0xbe9ff598 sp = 0xbe9ff148 pc = 0x419f3389
    Found by: call frame info
11  libxul.so!js::Interpret [jsinterp.cpp : 2475 + 0xd]
    r4 = 0xbe9ff2a8 r5 = 0x43778de0 r6 = 0x00000000 r7 = 0x43b6c560 r8 = 0x41edc33c r9 = 0x41e56d58 r10 = 0x42038798 fp = 0xbe9ff598 sp = 0xbe9ff1c8 pc = 0x419f0b83
    Found by: call frame info
12  libxul.so!js::RunScript [jsinterp.cpp : 324 + 0x9]
    r4 = 0x43778de0 r5 = 0x43b6c370 r6 = 0xbe9ff624 r7 = 0x00000000 r8 = 0xbe9ff690 r9 = 0x43778e44 r10 = 0xbe9ff6f8 fp = 0xffffff87 sp = 0xbe9ff618 pc = 0x419f2c47
    Found by: call frame info
13  libxul.so!js::Invoke [jsinterp.cpp : 378 + 0x7]
    r4 = 0x51052020 r5 = 0xbe9ff65c r6 = 0x43778de0 r7 = 0x00000000 r8 = 0xbe9ff690 r9 = 0x43778e44 r10 = 0xbe9ff6f8 fp = 0xffffff87 sp = 0xbe9ff648 pc = 0x419f4605
    Found by: call frame info
14  libxul.so!JS_CallFunctionValue [jsapi.cpp : 5895 + 0x13]
    r4 = 0x43778de0 r5 = 0x00000000 r6 = 0x42040654 r7 = 0x00000000 r8 = 0xbe9ff720 r9 = 0x00000000 r10 = 0x51052020 fp = 0xffffff87 sp = 0xbe9ff6e8 pc = 0x4199116f
    Found by: call frame info
15  libxul.so!nsJSContext::CallEventHandler [nsJSEnvironment.cpp : 1954 + 0xd]
    r4 = 0x491d81f0 r5 = 0x00000000 r6 = 0x42040654 r7 = 0x00000000 r8 = 0xbe9ff720 r9 = 0x00000000 r10 = 0x51052020 fp = 0xffffff87 sp = 0xbe9ff710 pc = 0x412c2fc1
    Found by: call frame info
16  libxul.so!nsGlobalWindow::RunTimeoutHandler [nsGlobalWindow.cpp : 9716 + 0x11]
    r4 = 0x502de6a0 r5 = 0x437fb9f0 r6 = 0xbe9ff884 r7 = 0x412c2e61 r8 = 0x491d81f0 r9 = 0x51052020 r10 = 0x00000002 fp = 0x44536040 sp = 0xbe9ff838 pc = 0x412ce76b
    Found by: call frame info
17  libxul.so!nsGlobalWindow::RunTimeout [nsGlobalWindow.cpp : 9965 + 0x3]
    r4 = 0x437fb9f0 r5 = 0x502de6a0 r6 = 0x502de6a0 r7 = 0x00000001 r8 = 0x00000001 r9 = 0xbe9ff920 r10 = 0x00000000 fp = 0xbe9ff8d0 sp = 0xbe9ff8c0 pc = 0x412d74df
    Found by: call frame info
18  libxul.so!nsGlobalWindow::TimerCallback [nsGlobalWindow.cpp : 10232 + 0x7]
    r4 = 0x502de6a0 r5 = 0x412d75b9 r6 = 0x00000002 r7 = 0x00012b66 r8 = 0xbe9ffaa0 r9 = 0x40307ccc r10 = 0xbe9ffcf8 fp = 0x40307ca0 sp = 0xbe9ff950 pc = 0x412d75cd
    Found by: call frame info
19  libxul.so!nsTimerImpl::Fire [nsTimerImpl.cpp : 473 + 0x5]
    r4 = 0x50be87c0 r5 = 0x412d75b9 r6 = 0x00000002 r7 = 0x00012b66 r8 = 0xbe9ffaa0 r9 = 0x40307ccc r10 = 0xbe9ffcf8 fp = 0x40307ca0 sp = 0xbe9ff958 pc = 0x41786fbd
    Found by: call frame info
20  libxul.so!nsTimerEvent::Run [nsTimerImpl.cpp : 556 + 0x5]
    r4 = 0x50be87c0 r5 = 0x00000000 r6 = 0x00000001 r7 = 0x00000001 r8 = 0xbe9ffaa0 r9 = 0x40307ccc r10 = 0xbe9ffcf8 fp = 0x40307ca0 sp = 0xbe9ff990 pc = 0x41787077
    Found by: call frame info
21  libxul.so!nsThread::ProcessNextEvent [nsThread.cpp : 620 + 0x5]
    r4 = 0x40307ca0 r5 = 0x00000000 r6 = 0x00000001 r7 = 0x00000001 r8 = 0xbe9ffaa0 r9 = 0x40307ccc r10 = 0xbe9ffcf8 fp = 0x40307ca0 sp = 0xbe9ff998 pc = 0x417851af
    Found by: call frame info
22  libxul.so!NS_InvokeByIndex_P [xptcinvoke_arm.cpp : 160 + 0x23]
    r4 = 0x41785039 r5 = 0x00000001 r6 = 0xbe9ffaa0 r7 = 0xbe9ff9f0 r8 = 0x00000002 r9 = 0x41dbb784 r10 = 0xbe9ffcf8 fp = 0x40307ca0 sp = 0xbe9ff9d8 pc = 0x41791ac5
    Found by: call frame info
23  libxul.so!XPCWrappedNative::CallMethod [XPCWrappedNative.cpp : 3084 + 0xd]
    r4 = 0xbe9ffaa0 r5 = 0xbe9ffa68 r6 = 0x00000008 r7 = 0x00000002 r8 = 0x0000000a r9 = 0x41dbb784 r10 = 0xbe9ffcf8 fp = 0x42040654 sp = 0xbe9ffa20 pc = 0x414c6687
    Found by: call frame info
24  libxul.so!XPC_WN_CallMethod [XPCWrappedNativeJSOps.cpp : 1469 + 0x7]
    r4 = 0x4469c590 r5 = 0xbe9ffdd0 r6 = 0x54344fd0 r7 = 0x00000001 r8 = 0x43b6c328 r9 = 0x00000001 r10 = 0x43b6c2b0 fp = 0x4c7ee010 sp = 0xbe9ffdb0 pc = 0x414caef9
    Found by: call frame info
25  libxul.so + 0xe127b9
    r4 = 0x00000000 r5 = 0xffffff87 r6 = 0xffffff87 r7 = 0x4c738340 r8 = 0x41af37b5 r9 = 0x54344fd0 r10 = 0x43b6c2b0 fp = 0x4c7ee010 sp = 0xbe9ffe58 pc = 0x41af37bb
    Found by: call frame info
26  libxul.so!XPC_WN_GetterSetter [xpcprivate.h : 2867 + 0x17]
    sp = 0xbe9ffe5c pc = 0x414cae75
    Found by: stack scanning
27  0x437a4ffe
    r4 = 0x43b6c2b0 r5 = 0x00000001 r6 = 0x00000000 r7 = 0x00000000 r8 = 0x00000000 r9 = 0xffffffff r10 = 0x00000000 sp = 0xbe9fff04 pc = 0x437a5000
    Found by: call frame info
28  b2g!MOZ_PNG_push_read_IDAT [pngpread.c : 942 + 0x3]
    sp = 0xbe9fff44 pc = 0x0000ffff
    Found by: stack scanning
29  0x52682e06
    r0 = 0xfffffb60 r1 = 0x4469c5f4 r4 = 0x43b6c300 r5 = 0x52200000 r6 = 0x419dd00f sp = 0xbe9fff5c pc = 0x52682e08
    Found by: call frame info
30  libxul.so!js::detail::HashTable<const js::InitialShapeEntry, js::HashSet<js::InitialShapeEntry, js::InitialShapeEntry, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::match [jsscope.cpp : 1199 + 0x7]
    sp = 0xbe9fff60 pc = 0x41a356d5
    Found by: stack scanning
Updated•11 years ago (Reporter)
Updated•11 years ago
Severity: normal → critical
Crash Signature: [@ mozilla::dom::ContentParent::CreateBrowserOrApp]
Comment 1•11 years ago (Reporter)
ownApp is set using aContext.GetOwnApp():

    nsCOMPtr<mozIApplication> ownApp = aContext.GetOwnApp();

The crash occurs in the code below in CreateBrowserOrApp():

    if (NS_FAILED(ownApp->GetManifestURL(manifestURL))) {

If ownApp is set to nullptr, this crash is reproduced. Handling of that exceptional case might be needed.
Updated•11 years ago
Component: General → IPC
Product: Boot2Gecko → Core
Version: unspecified → Trunk
Comment 2•11 years ago (Assignee)
Do we know how to reproduce this aside from tweaking values in a debugger? If this is happening, it probably indicates that a child process is sending to the parent a bogus app ID. That should not crash the parent (this bug), but that also should not happen.
Comment 3•11 years ago
Needs actual end-user STR and analysis of user impact, otherwise, we can't block on this.
blocking-b2g: leo+ → leo?
Comment 4•11 years ago
Not blocking given comment #3, feel free to renom if there is anything actionable
blocking-b2g: leo? → -
Updated•11 years ago (Assignee)
Assignee: nobody → justin.lebar+bug
Comment 5•11 years ago (Assignee)
This change reworks how TabContext stores its data. Before, it stored an app-id and translated that into an app; now we do the reverse. This lets us guarantee that HasOwnApp() is true iff GetOwnApp() is non-null. We added a new class, MaybeInvalidTabContext to assist with converting from an IPCTabContext to a TabContext. This allows us to ensure that a TabContext object is never invalid.
Attachment #781178 - Flags: review?(khuey)
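The pattern comment 5 describes (a TabContext that can only exist in a valid state, built from untrusted IPC data through an intermediate MaybeInvalidTabContext), and the scenario comment 2 raises (a child process handing the parent a bogus app id, which must be rejected rather than crash the parent), as an added stand-alone illustration. This is not Gecko's code: the names TabContext, MaybeInvalidTabContext and IPCTabContext are borrowed from the patch description, but their shapes here, the Application and AppRegistry stand-ins, the kBrowser/kApp tags and the CreateBrowserOrAppFromIPC handler are all simplified constructions for this example.

```cpp
#include <cassert>
#include <cstdint>
#include <map>
#include <memory>
#include <string>
#include <utility>

// Stand-in for mozIApplication (constructed for this example): all the parent
// needs from an app here is its manifest URL.
struct Application {
    std::string manifestURL;
};

// Stand-in for the parent's app registry (constructed for this example). An id
// the parent has never heard of resolves to nullptr, which is exactly the value
// the crashing code went on to dereference.
class AppRegistry {
public:
    void Register(uint32_t appId, const std::string& manifestURL) {
        auto app = std::make_shared<Application>();
        app->manifestURL = manifestURL;
        mApps[appId] = app;
    }
    std::shared_ptr<Application> Lookup(uint32_t appId) const {
        auto it = mApps.find(appId);
        return it == mApps.end() ? nullptr : it->second;
    }
private:
    std::map<uint32_t, std::shared_ptr<Application>> mApps;
};

// Wire-level context as a child process might send it. Both fields are
// attacker-controlled from the parent's point of view, so the tag is a plain
// integer rather than an enum: a hostile child can send any value at all.
struct IPCTabContext {
    static constexpr uint32_t kBrowser = 0;
    static constexpr uint32_t kApp = 1;
    uint32_t kind;
    uint32_t appId;   // only meaningful when kind == kApp
};

// Validated context. Invariant: HasOwnApp() is true iff GetOwnApp() != nullptr.
// The constructor is private, so the only way to obtain one is through
// MaybeInvalidTabContext, which refuses input that would break the invariant.
class TabContext {
public:
    bool HasOwnApp() const { return mOwnApp != nullptr; }
    std::shared_ptr<Application> GetOwnApp() const { return mOwnApp; }
    // The operation that crashed in the report; here it cannot see a null app
    // unless the caller ignores HasOwnApp(), and even then it fails cleanly.
    bool GetOwnAppManifestURL(std::string& out) const {
        if (!mOwnApp) {
            return false;
        }
        out = mOwnApp->manifestURL;
        return true;
    }
private:
    friend class MaybeInvalidTabContext;
    explicit TabContext(std::shared_ptr<Application> ownApp) : mOwnApp(std::move(ownApp)) {}
    std::shared_ptr<Application> mOwnApp;   // nullptr means a browser frame
};

// Converts an untrusted IPCTabContext into a TabContext, or records why it could not.
class MaybeInvalidTabContext {
public:
    MaybeInvalidTabContext(const IPCTabContext& ipc, const AppRegistry& registry) {
        if (ipc.kind == IPCTabContext::kBrowser) {
            mContext.reset(new TabContext(nullptr));
        } else if (ipc.kind == IPCTabContext::kApp) {
            std::shared_ptr<Application> app = registry.Lookup(ipc.appId);
            if (!app) {
                mInvalidReason = "app id " + std::to_string(ipc.appId) + " is not a known app";
                return;
            }
            mContext.reset(new TabContext(app));
        } else {
            mInvalidReason = "unknown IPCTabContext kind " + std::to_string(ipc.kind);
        }
    }
    bool IsValid() const { return mContext != nullptr; }
    const std::string& GetInvalidReason() const { return mInvalidReason; }
    const TabContext& GetTabContext() const {
        assert(IsValid());   // callers must check IsValid() first
        return *mContext;
    }
private:
    std::unique_ptr<TabContext> mContext;
    std::string mInvalidReason;
};

// Parent-side handler modelled on the shape of CreateBrowserOrApp (hypothetical
// name and signature). Returns false, without touching any app pointer, when the
// child's message does not describe a valid context; a real browser would treat
// that as the child misbehaving rather than as a parent-side bug.
bool CreateBrowserOrAppFromIPC(const IPCTabContext& ipc, const AppRegistry& registry,
                               std::string& manifestURLOut) {
    MaybeInvalidTabContext maybe(ipc, registry);
    if (!maybe.IsValid()) {
        manifestURLOut.clear();
        return false;
    }
    const TabContext& ctx = maybe.GetTabContext();
    if (ctx.HasOwnApp()) {
        bool ok = ctx.GetOwnAppManifestURL(manifestURLOut);   // safe by the invariant
        assert(ok);
        (void)ok;
        return true;
    }
    manifestURLOut = "about:blank";   // browser frame: no app manifest to look up
    return true;
}
```

The point of the private constructor is that no code path can hold a TabContext whose HasOwnApp() and GetOwnApp() disagree, so the null check in the parent can live in one place (the conversion) instead of at every dereference. The rejection path is the one to exercise first when reviewing this kind of change: send an id the registry does not know and an out-of-range kind, and confirm the handler returns false without crashing.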
Comment 6•11 years ago (Assignee)
This patch doesn't solve the mystery of how we're getting into this case, but it's still the right patch, I'm pretty sure.
Comment 7•11 years ago
It is very difficult to find the STR for a one-time issue. But it has to be handled in order to find the solution. Let's re-nominate this issue to triage.
blocking-b2g: - → leo?
Comment 8•11 years ago (Assignee)
> But it have to be handled for find the solution.
I don't understand what you mean.
Comment 9•11 years ago
It just means to make an effort to find the STR and the solution. Thank you.
Comment 10•11 years ago
Triage - Partner cannot make decision on this patch given it was a one time issue. Over to Mozilla Triage to assess the necessity of this on v1.1.
Whiteboard: [b2g-crash] → [b2g-crash][leo-triage]
Comment 11•11 years ago
Since this isn't a high volume crash and there's no STR to prove this patch would resolve the issue let's land it on trains.
blocking-b2g: leo? → -
Attachment #781178 - Flags: review?(khuey) → review+
Comment 12•11 years ago (Assignee)
I shouldn't have gotten away with this: + bool rv; if (ownApp) { - context.SetTabContextForAppFrame(ownApp, containingApp, scrollingBehavior); + rv = context.SetTabContextForAppFrame(ownApp, containingApp, scrollingBehavior); } else if (OwnerIsBrowserFrame()) { // The |else| above is unnecessary; OwnerIsBrowserFrame() implies !ownApp. - context.SetTabContextForBrowserFrame(containingApp, scrollingBehavior); + rv = context.SetTabContextForBrowserFrame(containingApp, scrollingBehavior); } + NS_ENSURE_TRUE(rv, false); Thankfully hg r-'ed it for me. :)
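Review bot: `bool rv;` is declared without an initializer and is only assigned inside the `if (ownApp)` and `else if (OwnerIsBrowserFrame())` branches, so when neither condition holds the new `NS_ENSURE_TRUE(rv, false);` reads an uninitialized bool and the function's result depends on stack contents. Initialize it at the declaration (`bool rv = false;`, or `true` if a frame that is neither an app frame nor a browser frame should keep the old fall-through behaviour) or add an explicit final `else` that states what that case returns, so the outcome is decided by the code rather than by whatever was on the stack.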
Comment 13•11 years ago (Assignee)
Thanks, Kyle. https://hg.mozilla.org/integration/mozilla-inbound/rev/4aeb00521c9d
Comment 14•11 years ago
Backed out for mass bustage.
https://hg.mozilla.org/integration/mozilla-inbound/rev/9805018b868e
https://tbpl.mozilla.org/php/getParsedLog.php?id=25923859&tree=Mozilla-Inbound
https://tbpl.mozilla.org/php/getParsedLog.php?id=25924003&tree=Mozilla-Inbound
https://tbpl.mozilla.org/php/getParsedLog.php?id=25924132&tree=Mozilla-Inbound
Comment 15•11 years ago (Assignee)
> Backed out for mass bustage.
Those warnings-as-errors were spot on.
Comment 16•11 years ago (Assignee)
This oughtta do it. https://hg.mozilla.org/integration/mozilla-inbound/rev/e53429eddc5b
Comment 17•11 years ago
https://hg.mozilla.org/mozilla-central/rev/e53429eddc5b
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25