Closed Bug 901312 Opened 11 years ago Closed 11 years ago

crash in mozilla::dom::ContentParent::ActorDestroy @ nsFrameMessageManager::Disconnect

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Version:
25 Branch
Platform:
All
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla26
Tracking Flags:
Tracking Status
firefox24 --- unaffected
firefox25 + verified
firefox26 + verified

People

(Reporter: scoobidiver, Assigned: smaug)

References

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

patch
1.45 KB, patch
justin.lebar+bug
: review+
akeybl
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
With the stack trace below, it first showed up in 25.0a1/20130803. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=76a944fa6b25&tochange=d0edf8086809
It's likely a regression from bug 887781.

Signature 	nsFrameMessageManager::Disconnect(bool) More Reports Search
UUID 	6b4a79c0-3eb1-4227-b9e7-568052130804
Date Processed	2013-08-04 01:44:52.771479
Uptime	6002
Last Crash	6019 seconds before submission
Install Age 	8547 since version was first installed.
Install Time 	2013-08-03 23:22:11
Product 	Firefox
Version 	25.0a1
Build ID 	20130803030205
Release Channel 	nightly
OS 	Windows NT
OS Version 	6.2.9200
Build Architecture 	x86
Build Architecture Info 	AuthenticAMD family 21 model 16 stepping 1 | 4
Crash Reason 	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 	0x22
App Notes 	
AdapterVendorID: 0x1002, AdapterDeviceID: 0x9903, AdapterSubsysID: 184b103c, AdapterDriverVersion: 8.982.10.6000
D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- 

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsFrameMessageManager::Disconnect(bool) 	content/base/src/nsFrameMessageManager.cpp
1 	xul.dll 	mozilla::dom::ContentParent::ActorDestroy(mozilla::ipc::IProtocolManager<mozilla::ipc::RPCChannel::RPCListener>::ActorDestroyReason) 	dom/ipc/ContentParent.cpp
2 	xul.dll 	mozilla::dom::PContentParent::DestroySubtree(mozilla::ipc::IProtocolManager<mozilla::ipc::RPCChannel::RPCListener>::ActorDestroyReason) 	obj-firefox/ipc/ipdl/PContentParent.cpp
3 	xul.dll 	mozilla::dom::PContentParent::OnChannelError() 	obj-firefox/ipc/ipdl/PContentParent.cpp
4 	xul.dll 	mozilla::ipc::AsyncChannel::NotifyMaybeChannelError() 	ipc/glue/AsyncChannel.cpp
5 	xul.dll 	mozilla::ipc::AsyncChannel::OnNotifyMaybeChannelError() 	ipc/glue/AsyncChannel.cpp
6 	xul.dll 	MessageLoop::RunTask(Task *) 	ipc/chromium/src/base/message_loop.cc
7 	xul.dll 	MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const &) 	ipc/chromium/src/base/message_loop.cc
8 	xul.dll 	MessageLoop::DoWork() 	ipc/chromium/src/base/message_loop.cc
9 	xul.dll 	mozilla::ipc::DoWorkRunnable::Run() 	ipc/glue/MessagePump.cpp
10 	xul.dll 	nsThread::ProcessNextEvent(bool,bool *) 	xpcom/threads/nsThread.cpp
11 	xul.dll 	NS_ProcessNextEvent(nsIThread *,bool) 	obj-firefox/xpcom/build/nsThreadUtils.cpp
12 	xul.dll 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate *) 	ipc/glue/MessagePump.cpp
13 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc
14 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
15 	xul.dll 	nsBaseAppShell::Run() 	widget/xpwidgets/nsBaseAppShell.cpp
16 	xul.dll 	nsAppShell::Run() 	widget/windows/nsAppShell.cpp
17 	xul.dll 	nsAppStartup::Run() 	toolkit/components/startup/nsAppStartup.cpp
18 	xul.dll 	XREMain::XRE_mainRun() 	toolkit/xre/nsAppRunner.cpp
19 	xul.dll 	XREMain::XRE_main(int,char * * const,nsXREAppData const *) 	toolkit/xre/nsAppRunner.cpp
20 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp
21 	firefox.exe 	do_main 	browser/app/nsBrowserApp.cpp
22 	firefox.exe 	NS_internal_main(int,char * *) 	browser/app/nsBrowserApp.cpp
23 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp
24 	firefox.exe 	__tmainCRTStartup 	f:/dd/vctools/crt_bld/self_x86/crt/src/crtexe.c
25 	kernel32.dll 	BaseThreadInitThunk 	
26 	ntdll.dll 	__RtlUserThreadStart 	
27 	ntdll.dll 	_RtlUserThreadStart

More reports at:
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=nsFrameMessageManager%3A%3ADisconnect%28bool%29
Null check required on mMessageManager.
Yeah, looks like a null pointer crash (+offset).
Odd that we have null check just few lines above, for ppm.
Hmm, but why would mMessageManager be null there, if ContentParent hasn't been deleted.
(In reply to Olli Pettay [:smaug] from comment #3)
> Hmm, but why would mMessageManager be null there, if ContentParent hasn't
> been deleted.

ShutDownProcess, which nulls out mMessageListener, can be called from any of ActorDestroy, xpcom-shutdown, NotifyTabDestroyed (from TabParent::Recv__delete__), or KillHard.
Ah, I was looking at my local tree which wasn't up-to-date, so it was missing Bug 899761!
Could be a regression from bug 899761.
Blocks: 899761
Assignee: nobody → bugs
Attached patch patchSplinter Review 

        Attachment #785549 -
        Flags: review?(justin.lebar+bug)

    
    

    
  
Comment on attachment 785549 [details] [diff] [review]
patch

Thanks, Olli.

        Attachment #785549 -
        Flags: review?(justin.lebar+bug) → review+

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/5fd699ed1c55
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla26

    
    

    
  
It's #9 crasher in the first hours of 25.0a2.
Time to uplift?

    
    

    
  
Comment on attachment 785549 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 899761
User impact if declined: Topcrash
Testing completed (on m-c, etc.): m-c 
Risk to taking this patch (and alternatives if risky): No alternatives, hard to see this making things worse.
String or IDL/UUID changes made by this patch: None.

        Attachment #785549 -
        Flags: approval-mozilla-aurora?

    
  

        Attachment #785549 -
        Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

    
    

    
  
No reports of any crashes here with Firefox 25 after August 12th. Assuming this is fixed.
Status: RESOLVED → VERIFIED

          status-firefox25:
          fixedverified

          status-firefox26:
          fixedverified
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: