Closed Bug 896890 Opened 7 years ago Closed 7 years ago

Crash in mozilla::dom::ContentParent::CreateBrowserOrApp

Categories

(Core :: IPC, defect)

ARM
Gonk (Firefox OS)
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla25
blocking-b2g -

People

(Reporter: leo.bugzilla.gecko, Assigned: justin.lebar+bug)

Details

(Keywords: crash, Whiteboard: [b2g-crash][leo-triage])

Crash Data

Attachments

(1 file)

Gecko: b2g18(0703)
Gaia: v1-train(0703)

CPU: arm
     ARMv0
     0 CPUs

Crash reason:  SIGSEGV
Crash address: 0x0

Thread 0 (crashed)
 0  libxul.so!mozilla::dom::ContentParent::CreateBrowserOrApp [ContentParent.cpp : 423 + 0x0]
     r0 = 0x00000000    r1 = 0xbe9feb04    r2 = 0x0000003f    r3 = 0xbe9feb18
     r4 = 0xbe9feca0    r5 = 0x00000000    r6 = 0x520cacf0    r7 = 0x42050504
     r8 = 0xbe9feb04    r9 = 0x00000000   r10 = 0xbe9fee80   r12 = 0x40cdf4c4
     fp = 0xbe9ff598    sp = 0xbe9feaf8    lr = 0x41667405    pc = 0x4165c4f4
    Found by: given as instruction pointer in context
 1  libxul.so!nsFrameLoader::TryRemoteBrowser [nsFrameLoader.cpp : 2051 + 0x7]
     r4 = 0x505f00b0    r5 = 0x42040654    r6 = 0x00000000    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0xbe9fee80    fp = 0xbe9ff598
     sp = 0xbe9fec00    pc = 0x411b4845
    Found by: call frame info
 2  libxul.so!nsFrameLoader::ReallyStartLoadingInternal [nsFrameLoader.cpp : 425 + 0x3]
     r4 = 0x505f00b0    r5 = 0x505f00b0    r6 = 0x45955ea8    r7 = 0x80004005
     r8 = 0x00000001    r9 = 0x00000000   r10 = 0xbe9fee80    fp = 0xbe9ff598
     sp = 0xbe9fed40    pc = 0x411b63a1
    Found by: call frame info
 3  libxul.so!nsFrameLoader::ReallyStartLoading [nsFrameLoader.cpp : 405 + 0x3]
     r4 = 0x45955c00    r5 = 0x505f00b0    r6 = 0x45955ea8    r7 = 0x42040654
     r8 = 0x00000009    r9 = 0x00000000   r10 = 0xbe9fee80    fp = 0xbe9ff598
     sp = 0xbe9fee08    pc = 0x411b6529
    Found by: call frame info
 4  libxul.so!nsDocument::MaybeInitializeFinalizeFrameLoaders [nsDocument.cpp : 5665 + 0x5]
     r4 = 0x45955c00    r5 = 0x505f00b0    r6 = 0x45955ea8    r7 = 0x42040654
     r8 = 0x00000009    r9 = 0x00000000   r10 = 0xbe9fee80    fp = 0xbe9ff598
     sp = 0xbe9fee18    pc = 0x411b0457
    Found by: call frame info
 5  libxul.so!nsDocument::EndUpdate [nsDocument.cpp : 4213 + 0x5]
     r0 = 0x45955c00    r1 = 0x45955c00    r2 = 0xbe9fee44    r3 = 0x00000000
     r4 = 0x45955c00    r5 = 0xbe9fee44    r6 = 0x00000001    r7 = 0x42040654
     r8 = 0x00000009    r9 = 0x00000000   r10 = 0xbe9fee80    fp = 0xbe9ff598
     sp = 0xbe9fee38    pc = 0x411b051f
    Found by: call frame info
 6  libxul.so!nsHTMLDocument::EndUpdate [nsHTMLDocument.cpp : 2353 + 0x3]
     r0 = 0x00000001    r1 = 0x00000000    r2 = 0x45955db8    r3 = 0x48f2ed70
     r4 = 0x45955c00    r5 = 0x504ace70    r6 = 0x00000000    r7 = 0x42040654
     r8 = 0x00000009    r9 = 0x00000000   r10 = 0xbe9fee80    fp = 0xbe9ff598
     sp = 0xbe9fee58    pc = 0x41276181
    Found by: call frame info
 7  libxul.so!mozAutoDocUpdate::~mozAutoDocUpdate [mozAutoDocUpdate.h : 35 + 0x9]
     r4 = 0xbe9ff00c    r5 = 0x504ace70    r6 = 0x00000000    r7 = 0x42040654
     r8 = 0x00000009    r9 = 0x00000000   r10 = 0xbe9fee80    fp = 0xbe9ff598
     sp = 0xbe9fee60    pc = 0x4111a297
    Found by: call frame info
 8  libxul.so!nsINode::ReplaceOrInsertBefore [nsINode.cpp : 1892 + 0xb]
     r4 = 0x4aa66290    r5 = 0x504ace70    r6 = 0x00000000    r7 = 0x42040654
     r8 = 0x00000009    r9 = 0x00000000   r10 = 0xbe9fee80    fp = 0xbe9ff598
     sp = 0xbe9fee68    pc = 0x411c25fb
    Found by: call frame info
 9  libxul.so!nsIDOMNode_AppendChild [nsINode.h : 1484 + 0xb]
     r4 = 0x445c49a0    r5 = 0x43b6c550    r6 = 0x43778de0    r7 = 0x411c2005
     r8 = 0x00000000    r9 = 0x4aa66290   r10 = 0x504ace70    fp = 0xbe9ff598
     sp = 0xbe9ff050    pc = 0x414d17fb
    Found by: call frame info
10  libxul.so!js::InvokeKernel [jscntxtinlines.h : 364 + 0x5]
     r4 = 0xbe9ff158    r5 = 0x00000000    r6 = 0x43778de0    r7 = 0x44562e40
     r8 = 0x00000000    r9 = 0x41e56d58   r10 = 0x42038798    fp = 0xbe9ff598
     sp = 0xbe9ff148    pc = 0x419f3389
    Found by: call frame info
11  libxul.so!js::Interpret [jsinterp.cpp : 2475 + 0xd]
     r4 = 0xbe9ff2a8    r5 = 0x43778de0    r6 = 0x00000000    r7 = 0x43b6c560
     r8 = 0x41edc33c    r9 = 0x41e56d58   r10 = 0x42038798    fp = 0xbe9ff598
     sp = 0xbe9ff1c8    pc = 0x419f0b83
    Found by: call frame info
12  libxul.so!js::RunScript [jsinterp.cpp : 324 + 0x9]
     r4 = 0x43778de0    r5 = 0x43b6c370    r6 = 0xbe9ff624    r7 = 0x00000000
     r8 = 0xbe9ff690    r9 = 0x43778e44   r10 = 0xbe9ff6f8    fp = 0xffffff87
     sp = 0xbe9ff618    pc = 0x419f2c47
    Found by: call frame info
13  libxul.so!js::Invoke [jsinterp.cpp : 378 + 0x7]
     r4 = 0x51052020    r5 = 0xbe9ff65c    r6 = 0x43778de0    r7 = 0x00000000
     r8 = 0xbe9ff690    r9 = 0x43778e44   r10 = 0xbe9ff6f8    fp = 0xffffff87
     sp = 0xbe9ff648    pc = 0x419f4605
    Found by: call frame info
14  libxul.so!JS_CallFunctionValue [jsapi.cpp : 5895 + 0x13]
     r4 = 0x43778de0    r5 = 0x00000000    r6 = 0x42040654    r7 = 0x00000000
     r8 = 0xbe9ff720    r9 = 0x00000000   r10 = 0x51052020    fp = 0xffffff87
     sp = 0xbe9ff6e8    pc = 0x4199116f
    Found by: call frame info
15  libxul.so!nsJSContext::CallEventHandler [nsJSEnvironment.cpp : 1954 + 0xd]
     r4 = 0x491d81f0    r5 = 0x00000000    r6 = 0x42040654    r7 = 0x00000000
     r8 = 0xbe9ff720    r9 = 0x00000000   r10 = 0x51052020    fp = 0xffffff87
     sp = 0xbe9ff710    pc = 0x412c2fc1
    Found by: call frame info
16  libxul.so!nsGlobalWindow::RunTimeoutHandler [nsGlobalWindow.cpp : 9716 + 0x11]
     r4 = 0x502de6a0    r5 = 0x437fb9f0    r6 = 0xbe9ff884    r7 = 0x412c2e61
     r8 = 0x491d81f0    r9 = 0x51052020   r10 = 0x00000002    fp = 0x44536040
     sp = 0xbe9ff838    pc = 0x412ce76b
    Found by: call frame info
17  libxul.so!nsGlobalWindow::RunTimeout [nsGlobalWindow.cpp : 9965 + 0x3]
     r4 = 0x437fb9f0    r5 = 0x502de6a0    r6 = 0x502de6a0    r7 = 0x00000001
     r8 = 0x00000001    r9 = 0xbe9ff920   r10 = 0x00000000    fp = 0xbe9ff8d0
     sp = 0xbe9ff8c0    pc = 0x412d74df
    Found by: call frame info
18  libxul.so!nsGlobalWindow::TimerCallback [nsGlobalWindow.cpp : 10232 + 0x7]
     r4 = 0x502de6a0    r5 = 0x412d75b9    r6 = 0x00000002    r7 = 0x00012b66
     r8 = 0xbe9ffaa0    r9 = 0x40307ccc   r10 = 0xbe9ffcf8    fp = 0x40307ca0
     sp = 0xbe9ff950    pc = 0x412d75cd
    Found by: call frame info
19  libxul.so!nsTimerImpl::Fire [nsTimerImpl.cpp : 473 + 0x5]
     r4 = 0x50be87c0    r5 = 0x412d75b9    r6 = 0x00000002    r7 = 0x00012b66
     r8 = 0xbe9ffaa0    r9 = 0x40307ccc   r10 = 0xbe9ffcf8    fp = 0x40307ca0
     sp = 0xbe9ff958    pc = 0x41786fbd
    Found by: call frame info
20  libxul.so!nsTimerEvent::Run [nsTimerImpl.cpp : 556 + 0x5]
     r4 = 0x50be87c0    r5 = 0x00000000    r6 = 0x00000001    r7 = 0x00000001
     r8 = 0xbe9ffaa0    r9 = 0x40307ccc   r10 = 0xbe9ffcf8    fp = 0x40307ca0
     sp = 0xbe9ff990    pc = 0x41787077
    Found by: call frame info
21  libxul.so!nsThread::ProcessNextEvent [nsThread.cpp : 620 + 0x5]
     r4 = 0x40307ca0    r5 = 0x00000000    r6 = 0x00000001    r7 = 0x00000001
     r8 = 0xbe9ffaa0    r9 = 0x40307ccc   r10 = 0xbe9ffcf8    fp = 0x40307ca0
     sp = 0xbe9ff998    pc = 0x417851af
    Found by: call frame info
22  libxul.so!NS_InvokeByIndex_P [xptcinvoke_arm.cpp : 160 + 0x23]
     r4 = 0x41785039    r5 = 0x00000001    r6 = 0xbe9ffaa0    r7 = 0xbe9ff9f0
     r8 = 0x00000002    r9 = 0x41dbb784   r10 = 0xbe9ffcf8    fp = 0x40307ca0
     sp = 0xbe9ff9d8    pc = 0x41791ac5
    Found by: call frame info
23  libxul.so!XPCWrappedNative::CallMethod [XPCWrappedNative.cpp : 3084 + 0xd]
     r4 = 0xbe9ffaa0    r5 = 0xbe9ffa68    r6 = 0x00000008    r7 = 0x00000002
     r8 = 0x0000000a    r9 = 0x41dbb784   r10 = 0xbe9ffcf8    fp = 0x42040654
     sp = 0xbe9ffa20    pc = 0x414c6687
    Found by: call frame info
24  libxul.so!XPC_WN_CallMethod [XPCWrappedNativeJSOps.cpp : 1469 + 0x7]
     r4 = 0x4469c590    r5 = 0xbe9ffdd0    r6 = 0x54344fd0    r7 = 0x00000001
     r8 = 0x43b6c328    r9 = 0x00000001   r10 = 0x43b6c2b0    fp = 0x4c7ee010
     sp = 0xbe9ffdb0    pc = 0x414caef9
    Found by: call frame info
25  libxul.so + 0xe127b9
     r4 = 0x00000000    r5 = 0xffffff87    r6 = 0xffffff87    r7 = 0x4c738340
     r8 = 0x41af37b5    r9 = 0x54344fd0   r10 = 0x43b6c2b0    fp = 0x4c7ee010
     sp = 0xbe9ffe58    pc = 0x41af37bb
    Found by: call frame info
26  libxul.so!XPC_WN_GetterSetter [xpcprivate.h : 2867 + 0x17]
     sp = 0xbe9ffe5c    pc = 0x414cae75
    Found by: stack scanning
27  0x437a4ffe
     r4 = 0x43b6c2b0    r5 = 0x00000001    r6 = 0x00000000    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0xffffffff   r10 = 0x00000000    sp = 0xbe9fff04
     pc = 0x437a5000
    Found by: call frame info
28  b2g!MOZ_PNG_push_read_IDAT [pngpread.c : 942 + 0x3]
     sp = 0xbe9fff44    pc = 0x0000ffff
    Found by: stack scanning
29  0x52682e06
     r0 = 0xfffffb60    r1 = 0x4469c5f4    r4 = 0x43b6c300    r5 = 0x52200000
     r6 = 0x419dd00f    sp = 0xbe9fff5c    pc = 0x52682e08
    Found by: call frame info
30  libxul.so!js::detail::HashTable<const js::InitialShapeEntry, js::HashSet<js::InitialShapeEntry, js::InitialShapeEntry, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::match [jsscope.cpp : 1199 + 0x7]
     sp = 0xbe9fff60    pc = 0x41a356d5
    Found by: stack scanning
blocking-b2g: --- → leo+
Keywords: crash
Whiteboard: [b2g-crash]
Severity: normal → critical
Crash Signature: [@ mozilla::dom::ContentParent::CreateBrowserOrApp]
ownApp is set using aContext.GetOwnApp():
nsCOMPtr<mozIApplication> ownApp = aContext.GetOwnApp();

The crash occurs in the code below in CreateBrowserOrApp():
    if (NS_FAILED(ownApp->GetManifestURL(manifestURL))) {

If ownApp is set to nullptr, this crash will be reproduced.
The exception case might be needed.
Component: General → IPC
Product: Boot2Gecko → Core
Version: unspecified → Trunk
Do we know how to reproduce this aside from tweaking values in a debugger?

If this is happening, it probably indicates that a child process is sending to the parent a bogus app ID.  That should not crash the parent (this bug), but that also should not happen.
Needs actual end-user STR and analysis of user impact, otherwise, we can't block on this.
blocking-b2g: leo+ → leo?
Not blocking given comment #3, feel free to renom if there is anything actionable
blocking-b2g: leo? → -
Assignee: nobody → justin.lebar+bug
Attached patch: Patch, v1
This change reworks how TabContext stores its data.  Before, it stored
an app-id and translated that into an app; now we do the reverse.  This
lets us guarantee that HasOwnApp() is true iff GetOwnApp() is non-null.

We added a new class, MaybeInvalidTabContext, to assist with converting
from an IPCTabContext to a TabContext.  This allows us to ensure that a
TabContext object is never invalid.
Attachment #781178 - Flags: review?(khuey)
This patch doesn't solve the mystery of how we're getting into this case, but it's still the right patch, I'm pretty sure.
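An added sketch of the invariant the patch describes, together with the point in the earlier comment that a child-supplied app ID must never crash the parent. This is illustrative code of my own, not Gecko's; App, Registry, IPCTabContext, TabContext, MaybeInvalidTabContext and CreateBrowserOrApp are hypothetical stand-ins with the same names as the real classes, and the registry contents are constructed. The parent validates the untrusted id before any TabContext exists, so HasOwnApp() is true exactly when GetOwnApp() is non-null and the manifest lookup can no longer dereference a null app:

```cpp
#include <cstdint>
#include <map>
#include <memory>
#include <string>

// Stand-in for mozIApplication: only the manifest URL matters here.
struct App { std::string manifestURL; };
// Constructed registry of installed apps; the parent owns it, the child never does.
static const std::map<uint32_t, std::shared_ptr<App>>& Registry() {
    static const std::map<uint32_t, std::shared_ptr<App>> apps = {
        {1001, std::make_shared<App>(App{"app://clock.gaiamobile.org/manifest.webapp"})},
        {1002, std::make_shared<App>(App{"app://sms.gaiamobile.org/manifest.webapp"})}};
    return apps;
}
// What crosses IPC: a bare id chosen by the child. kNoAppId means "browser frame".
constexpr uint32_t kNoAppId = 0;
struct IPCTabContext { uint32_t ownAppId; };
// TabContext stores the App itself, so HasOwnApp() is true iff GetOwnApp() is non-null.
class TabContext {
public:
    bool HasOwnApp() const { return mOwnApp != nullptr; }
    std::shared_ptr<App> GetOwnApp() const { return mOwnApp; }
private:
    friend class MaybeInvalidTabContext;
    std::shared_ptr<App> mOwnApp;
};

// Validates the IPC payload first; a usable TabContext exists only if the payload was sane.
class MaybeInvalidTabContext {
public:
    explicit MaybeInvalidTabContext(const IPCTabContext& ipc) {
        if (ipc.ownAppId == kNoAppId) { mValid = true; return; }  // browser frame, no app
        auto it = Registry().find(ipc.ownAppId);
        if (it == Registry().end()) return;                       // bogus id: stays invalid
        mCtx.mOwnApp = it->second; mValid = true;
    }
    bool IsValid() const { return mValid; }
    const TabContext& GetTabContext() const { return mCtx; }
private:
    TabContext mCtx; bool mValid = false;
};
// Parent-side handler: rejects bad input instead of dereferencing a null app (the crash
// at ContentParent.cpp:423). manifestURL is left untouched for a browser frame.
bool CreateBrowserOrApp(const IPCTabContext& ipc, std::string& manifestURL) {
    MaybeInvalidTabContext maybe(ipc);
    if (!maybe.IsValid()) return false;
    const TabContext& ctx = maybe.GetTabContext();
    if (ctx.HasOwnApp()) manifestURL = ctx.GetOwnApp()->manifestURL;
    return true;
}
```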
It is very difficult to find the STR for a one-time issue. But it has to be handled to find the solution.
Let's re-nominate this issue to triage.
blocking-b2g: - → leo?
> But it have to be handled for find the solution.

I don't understand what you mean.
It just means the effort to find the STR and solution.
Thank you
Triage - Partner cannot make decision on this patch given it was a one time issue. Over to Mozilla Triage to assess the necessity of this on v1.1.
Whiteboard: [b2g-crash] → [b2g-crash][leo-triage]
Since this isn't a high volume crash and there's no STR to prove this patch would resolve the issue let's land it on trains.
blocking-b2g: leo? → -
I shouldn't have gotten away with this:

+  bool rv;
   if (ownApp) {
-    context.SetTabContextForAppFrame(ownApp, containingApp, scrollingBehavior);
+    rv = context.SetTabContextForAppFrame(ownApp, containingApp, scrollingBehavior);
   } else if (OwnerIsBrowserFrame()) {
     // The |else| above is unnecessary; OwnerIsBrowserFrame() implies !ownApp.
-    context.SetTabContextForBrowserFrame(containingApp, scrollingBehavior);
+    rv = context.SetTabContextForBrowserFrame(containingApp, scrollingBehavior);
   }
+  NS_ENSURE_TRUE(rv, false);
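Review bot: `bool rv;` is declared without an initializer, and neither the `if (ownApp)` branch nor the `else if (OwnerIsBrowserFrame())` branch is guaranteed to run, so `NS_ENSURE_TRUE(rv, false)` can read an uninitialized bool; write `bool rv = false;` (or `true`, if falling through both branches is a legitimate success) so the check is well-defined, and the warnings-as-errors build will stop objecting. The existing comment that the `else` is redundant can stay, since it does not change the uninitialized path.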

Thankfully hg r-'ed it for me.  :)
> Backed out for mass bustage.

Those warnings-as-errors were spot on.
https://hg.mozilla.org/mozilla-central/rev/e53429eddc5b
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25