Closed
Bug 896890
Opened 11 years ago
Closed 11 years ago
Crash in mozilla::dom::ContentParent::CreateBrowserOrApp
Categories
(Core :: IPC, defect)
Tracking
()
People
(Reporter: leo.bugzilla.gecko, Assigned: justin.lebar+bug)
Details
(Keywords: crash, Whiteboard: [b2g-crash][leo-triage])
Crash Data
Attachments
(1 file)
|
27.02 KB,
patch
|
khuey
:
review+
|
Details | Diff | Splinter Review |
Gecko: b2g18(0703)
Gaia: v1-train(0703)
CPU: arm
ARMv0
0 CPUs
Crash reason: SIGSEGV
Crash address: 0x0
Thread 0 (crashed)
0 libxul.so!mozilla::dom::ContentParent::CreateBrowserOrApp [ContentParent.cpp : 423 + 0x0]
r0 = 0x00000000 r1 = 0xbe9feb04 r2 = 0x0000003f r3 = 0xbe9feb18
r4 = 0xbe9feca0 r5 = 0x00000000 r6 = 0x520cacf0 r7 = 0x42050504
r8 = 0xbe9feb04 r9 = 0x00000000 r10 = 0xbe9fee80 r12 = 0x40cdf4c4
fp = 0xbe9ff598 sp = 0xbe9feaf8 lr = 0x41667405 pc = 0x4165c4f4
Found by: given as instruction pointer in context
1 libxul.so!nsFrameLoader::TryRemoteBrowser [nsFrameLoader.cpp : 2051 + 0x7]
r4 = 0x505f00b0 r5 = 0x42040654 r6 = 0x00000000 r7 = 0x00000000
r8 = 0x00000000 r9 = 0x00000000 r10 = 0xbe9fee80 fp = 0xbe9ff598
sp = 0xbe9fec00 pc = 0x411b4845
Found by: call frame info
2 libxul.so!nsFrameLoader::ReallyStartLoadingInternal [nsFrameLoader.cpp : 425 + 0x3]
r4 = 0x505f00b0 r5 = 0x505f00b0 r6 = 0x45955ea8 r7 = 0x80004005
r8 = 0x00000001 r9 = 0x00000000 r10 = 0xbe9fee80 fp = 0xbe9ff598
sp = 0xbe9fed40 pc = 0x411b63a1
Found by: call frame info
3 libxul.so!nsFrameLoader::ReallyStartLoading [nsFrameLoader.cpp : 405 + 0x3]
r4 = 0x45955c00 r5 = 0x505f00b0 r6 = 0x45955ea8 r7 = 0x42040654
r8 = 0x00000009 r9 = 0x00000000 r10 = 0xbe9fee80 fp = 0xbe9ff598
sp = 0xbe9fee08 pc = 0x411b6529
Found by: call frame info
4 libxul.so!nsDocument::MaybeInitializeFinalizeFrameLoaders [nsDocument.cpp : 5665 + 0x5]
r4 = 0x45955c00 r5 = 0x505f00b0 r6 = 0x45955ea8 r7 = 0x42040654
r8 = 0x00000009 r9 = 0x00000000 r10 = 0xbe9fee80 fp = 0xbe9ff598
sp = 0xbe9fee18 pc = 0x411b0457
Found by: call frame info
5 libxul.so!nsDocument::EndUpdate [nsDocument.cpp : 4213 + 0x5]
r0 = 0x45955c00 r1 = 0x45955c00 r2 = 0xbe9fee44 r3 = 0x00000000
r4 = 0x45955c00 r5 = 0xbe9fee44 r6 = 0x00000001 r7 = 0x42040654
r8 = 0x00000009 r9 = 0x00000000 r10 = 0xbe9fee80 fp = 0xbe9ff598
sp = 0xbe9fee38 pc = 0x411b051f
Found by: call frame info
6 libxul.so!nsHTMLDocument::EndUpdate [nsHTMLDocument.cpp : 2353 + 0x3]
r0 = 0x00000001 r1 = 0x00000000 r2 = 0x45955db8 r3 = 0x48f2ed70
r4 = 0x45955c00 r5 = 0x504ace70 r6 = 0x00000000 r7 = 0x42040654
r8 = 0x00000009 r9 = 0x00000000 r10 = 0xbe9fee80 fp = 0xbe9ff598
sp = 0xbe9fee58 pc = 0x41276181
Found by: call frame info
7 libxul.so!mozAutoDocUpdate::~mozAutoDocUpdate [mozAutoDocUpdate.h : 35 + 0x9]
r4 = 0xbe9ff00c r5 = 0x504ace70 r6 = 0x00000000 r7 = 0x42040654
r8 = 0x00000009 r9 = 0x00000000 r10 = 0xbe9fee80 fp = 0xbe9ff598
sp = 0xbe9fee60 pc = 0x4111a297
Found by: call frame info
8 libxul.so!nsINode::ReplaceOrInsertBefore [nsINode.cpp : 1892 + 0xb]
r4 = 0x4aa66290 r5 = 0x504ace70 r6 = 0x00000000 r7 = 0x42040654
r8 = 0x00000009 r9 = 0x00000000 r10 = 0xbe9fee80 fp = 0xbe9ff598
sp = 0xbe9fee68 pc = 0x411c25fb
Found by: call frame info
9 libxul.so!nsIDOMNode_AppendChild [nsINode.h : 1484 + 0xb]
r4 = 0x445c49a0 r5 = 0x43b6c550 r6 = 0x43778de0 r7 = 0x411c2005
r8 = 0x00000000 r9 = 0x4aa66290 r10 = 0x504ace70 fp = 0xbe9ff598
sp = 0xbe9ff050 pc = 0x414d17fb
Found by: call frame info
10 libxul.so!js::InvokeKernel [jscntxtinlines.h : 364 + 0x5]
r4 = 0xbe9ff158 r5 = 0x00000000 r6 = 0x43778de0 r7 = 0x44562e40
r8 = 0x00000000 r9 = 0x41e56d58 r10 = 0x42038798 fp = 0xbe9ff598
sp = 0xbe9ff148 pc = 0x419f3389
Found by: call frame info
11 libxul.so!js::Interpret [jsinterp.cpp : 2475 + 0xd]
r4 = 0xbe9ff2a8 r5 = 0x43778de0 r6 = 0x00000000 r7 = 0x43b6c560
r8 = 0x41edc33c r9 = 0x41e56d58 r10 = 0x42038798 fp = 0xbe9ff598
sp = 0xbe9ff1c8 pc = 0x419f0b83
Found by: call frame info
12 libxul.so!js::RunScript [jsinterp.cpp : 324 + 0x9]
r4 = 0x43778de0 r5 = 0x43b6c370 r6 = 0xbe9ff624 r7 = 0x00000000
r8 = 0xbe9ff690 r9 = 0x43778e44 r10 = 0xbe9ff6f8 fp = 0xffffff87
sp = 0xbe9ff618 pc = 0x419f2c47
Found by: call frame info
13 libxul.so!js::Invoke [jsinterp.cpp : 378 + 0x7]
r4 = 0x51052020 r5 = 0xbe9ff65c r6 = 0x43778de0 r7 = 0x00000000
r8 = 0xbe9ff690 r9 = 0x43778e44 r10 = 0xbe9ff6f8 fp = 0xffffff87
sp = 0xbe9ff648 pc = 0x419f4605
Found by: call frame info
14 libxul.so!JS_CallFunctionValue [jsapi.cpp : 5895 + 0x13]
r4 = 0x43778de0 r5 = 0x00000000 r6 = 0x42040654 r7 = 0x00000000
r8 = 0xbe9ff720 r9 = 0x00000000 r10 = 0x51052020 fp = 0xffffff87
sp = 0xbe9ff6e8 pc = 0x4199116f
Found by: call frame info
15 libxul.so!nsJSContext::CallEventHandler [nsJSEnvironment.cpp : 1954 + 0xd]
r4 = 0x491d81f0 r5 = 0x00000000 r6 = 0x42040654 r7 = 0x00000000
r8 = 0xbe9ff720 r9 = 0x00000000 r10 = 0x51052020 fp = 0xffffff87
sp = 0xbe9ff710 pc = 0x412c2fc1
Found by: call frame info
16 libxul.so!nsGlobalWindow::RunTimeoutHandler [nsGlobalWindow.cpp : 9716 + 0x11]
r4 = 0x502de6a0 r5 = 0x437fb9f0 r6 = 0xbe9ff884 r7 = 0x412c2e61
r8 = 0x491d81f0 r9 = 0x51052020 r10 = 0x00000002 fp = 0x44536040
sp = 0xbe9ff838 pc = 0x412ce76b
Found by: call frame info
17 libxul.so!nsGlobalWindow::RunTimeout [nsGlobalWindow.cpp : 9965 + 0x3]
r4 = 0x437fb9f0 r5 = 0x502de6a0 r6 = 0x502de6a0 r7 = 0x00000001
r8 = 0x00000001 r9 = 0xbe9ff920 r10 = 0x00000000 fp = 0xbe9ff8d0
sp = 0xbe9ff8c0 pc = 0x412d74df
Found by: call frame info
18 libxul.so!nsGlobalWindow::TimerCallback [nsGlobalWindow.cpp : 10232 + 0x7]
r4 = 0x502de6a0 r5 = 0x412d75b9 r6 = 0x00000002 r7 = 0x00012b66
r8 = 0xbe9ffaa0 r9 = 0x40307ccc r10 = 0xbe9ffcf8 fp = 0x40307ca0
sp = 0xbe9ff950 pc = 0x412d75cd
Found by: call frame info
19 libxul.so!nsTimerImpl::Fire [nsTimerImpl.cpp : 473 + 0x5]
r4 = 0x50be87c0 r5 = 0x412d75b9 r6 = 0x00000002 r7 = 0x00012b66
r8 = 0xbe9ffaa0 r9 = 0x40307ccc r10 = 0xbe9ffcf8 fp = 0x40307ca0
sp = 0xbe9ff958 pc = 0x41786fbd
Found by: call frame info
20 libxul.so!nsTimerEvent::Run [nsTimerImpl.cpp : 556 + 0x5]
r4 = 0x50be87c0 r5 = 0x00000000 r6 = 0x00000001 r7 = 0x00000001
r8 = 0xbe9ffaa0 r9 = 0x40307ccc r10 = 0xbe9ffcf8 fp = 0x40307ca0
sp = 0xbe9ff990 pc = 0x41787077
Found by: call frame info
21 libxul.so!nsThread::ProcessNextEvent [nsThread.cpp : 620 + 0x5]
r4 = 0x40307ca0 r5 = 0x00000000 r6 = 0x00000001 r7 = 0x00000001
r8 = 0xbe9ffaa0 r9 = 0x40307ccc r10 = 0xbe9ffcf8 fp = 0x40307ca0
sp = 0xbe9ff998 pc = 0x417851af
Found by: call frame info
22 libxul.so!NS_InvokeByIndex_P [xptcinvoke_arm.cpp : 160 + 0x23]
r4 = 0x41785039 r5 = 0x00000001 r6 = 0xbe9ffaa0 r7 = 0xbe9ff9f0
r8 = 0x00000002 r9 = 0x41dbb784 r10 = 0xbe9ffcf8 fp = 0x40307ca0
sp = 0xbe9ff9d8 pc = 0x41791ac5
Found by: call frame info
23 libxul.so!XPCWrappedNative::CallMethod [XPCWrappedNative.cpp : 3084 + 0xd]
r4 = 0xbe9ffaa0 r5 = 0xbe9ffa68 r6 = 0x00000008 r7 = 0x00000002
r8 = 0x0000000a r9 = 0x41dbb784 r10 = 0xbe9ffcf8 fp = 0x42040654
sp = 0xbe9ffa20 pc = 0x414c6687
Found by: call frame info
24 libxul.so!XPC_WN_CallMethod [XPCWrappedNativeJSOps.cpp : 1469 + 0x7]
r4 = 0x4469c590 r5 = 0xbe9ffdd0 r6 = 0x54344fd0 r7 = 0x00000001
r8 = 0x43b6c328 r9 = 0x00000001 r10 = 0x43b6c2b0 fp = 0x4c7ee010
sp = 0xbe9ffdb0 pc = 0x414caef9
Found by: call frame info
25 libxul.so + 0xe127b9
r4 = 0x00000000 r5 = 0xffffff87 r6 = 0xffffff87 r7 = 0x4c738340
r8 = 0x41af37b5 r9 = 0x54344fd0 r10 = 0x43b6c2b0 fp = 0x4c7ee010
sp = 0xbe9ffe58 pc = 0x41af37bb
Found by: call frame info
26 libxul.so!XPC_WN_GetterSetter [xpcprivate.h : 2867 + 0x17]
sp = 0xbe9ffe5c pc = 0x414cae75
Found by: stack scanning
27 0x437a4ffe
r4 = 0x43b6c2b0 r5 = 0x00000001 r6 = 0x00000000 r7 = 0x00000000
r8 = 0x00000000 r9 = 0xffffffff r10 = 0x00000000 sp = 0xbe9fff04
pc = 0x437a5000
Found by: call frame info
28 b2g!MOZ_PNG_push_read_IDAT [pngpread.c : 942 + 0x3]
sp = 0xbe9fff44 pc = 0x0000ffff
Found by: stack scanning
29 0x52682e06
r0 = 0xfffffb60 r1 = 0x4469c5f4 r4 = 0x43b6c300 r5 = 0x52200000
r6 = 0x419dd00f sp = 0xbe9fff5c pc = 0x52682e08
Found by: call frame info
30 libxul.so!js::detail::HashTable<const js::InitialShapeEntry, js::HashSet<js::InitialShapeEntry, js::InitialShapeEntry, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::match [jsscope.cpp : 1199 + 0x7]
sp = 0xbe9fff60 pc = 0x41a356d5
Found by: stack scanning
|
Reporter | |
Updated•11 years ago
|
|
||
Updated•11 years ago
|
Severity: normal → critical
Crash Signature: [@ mozilla::dom::ContentParent::CreateBrowserOrApp]
|
|
Reporter | |
Comment 1•11 years ago
|
||
ownApp is set using aContext.GetOwnApp()
nsCOMPtr<mozIApplication> ownApp = aContext.GetOwnApp();
The crash is occured the below code in CreateBrowserOrApp()
if (NS_FAILED(ownApp->GetManifestURL(manifestURL))) {
If ownApp is set to nullptr, this crash will be reproduced.
the exception case might be needed.
|
||
Updated•11 years ago
|
Component: General → IPC
Product: Boot2Gecko → Core
Version: unspecified → Trunk
|
Assignee | |
Comment 2•11 years ago
|
||
Do we know how to reproduce this aside from tweaking values in a debugger? If this is happening, it probably indicates that a child process is sending to the parent a bogus app ID. That should not crash the parent (this bug), but that also should not happen.
|
|
||
Comment 3•11 years ago
|
||
Needs actual end-user STR and analysis of user impact, otherwise, we can't block on this.
blocking-b2g: leo+ → leo?
|
||
Comment 4•11 years ago
|
||
Not blocking given comment #3, feel free to renom if there is anything actionable
blocking-b2g: leo? → -
|
|
Assignee | |
Updated•11 years ago
|
Assignee: nobody → justin.lebar+bug
|
|
Assignee | |
Comment 5•11 years ago
|
||
This change reworks how TabContext stores its data. Before, it stored an app-id and translated that into an app; now we do the reverse. This lets us guarantee that HasOwnApp() is true iff GetOwnApp() is non-null. We added a new class, MaybeInvalidTabContext to assist with converting from an IPCTabContext to a TabContext. This allows us to ensure that a TabContext object is never invalid.
Attachment #781178 -
Flags: review?(khuey)
|
|
Assignee | |
Comment 6•11 years ago
|
||
This patch doesn't solve the mystery of how we're getting into this case, but it's still the right patch, I'm pretty sure.
|
||
Comment 7•11 years ago
|
||
It is very difficult to find the STR for one time issue. But it have to be handled for find the solution. Let's this issue to re-nominated to triage.
blocking-b2g: - → leo?
|
|
Assignee | |
Comment 8•11 years ago
|
||
> But it have to be handled for find the solution.
I don't understand what you mean.|
|
||
Comment 9•11 years ago
|
||
It just means to effort to find the STR and solution Thank you
|
||
Comment 10•11 years ago
|
||
Triage - Partner cannot make decision on this patch given it was a one time issue. Over to Mozilla Triage to assess the necessity of this on v1.1.
Whiteboard: [b2g-crash] → [b2g-crash][leo-triage]
|
||
Comment 11•11 years ago
|
||
Since this isn't a high volume crash and there's no STR to prove this patch would resolve the issue let's land it on trains.
blocking-b2g: leo? → -
Attachment #781178 -
Flags: review?(khuey) → review+
|
|
Assignee | |
Comment 12•11 years ago
|
||
I shouldn't have gotten away with this:
+ bool rv;
if (ownApp) {
- context.SetTabContextForAppFrame(ownApp, containingApp, scrollingBehavior);
+ rv = context.SetTabContextForAppFrame(ownApp, containingApp, scrollingBehavior);
} else if (OwnerIsBrowserFrame()) {
// The |else| above is unnecessary; OwnerIsBrowserFrame() implies !ownApp.
- context.SetTabContextForBrowserFrame(containingApp, scrollingBehavior);
+ rv = context.SetTabContextForBrowserFrame(containingApp, scrollingBehavior);
}
+ NS_ENSURE_TRUE(rv, false);
Thankfully hg r-'ed it for me. :)|
|
Assignee | |
Comment 13•11 years ago
|
||
Thanks, Kyle. https://hg.mozilla.org/integration/mozilla-inbound/rev/4aeb00521c9d
|
||
Comment 14•11 years ago
|
||
Backed out for mass bustage. https://hg.mozilla.org/integration/mozilla-inbound/rev/9805018b868e https://tbpl.mozilla.org/php/getParsedLog.php?id=25923859&tree=Mozilla-Inbound https://tbpl.mozilla.org/php/getParsedLog.php?id=25924003&tree=Mozilla-Inbound https://tbpl.mozilla.org/php/getParsedLog.php?id=25924132&tree=Mozilla-Inbound
|
|
Assignee | |
Comment 15•11 years ago
|
||
> Backed out for mass bustage.
Those warnings-as-errors were spot on.|
|
Assignee | |
Comment 16•11 years ago
|
||
This oughtta do it. https://hg.mozilla.org/integration/mozilla-inbound/rev/e53429eddc5b
|
|
||
Comment 17•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/e53429eddc5b
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
You need to log in
before you can comment on or make changes to this bug.
Description
•