Closed Bug 978892 Opened 10 years ago Closed 10 years ago

[e10s] Lightbeam addon crashes tabs during e10s session restore with ContentChild::ProcessingError() abort

Categories

(Core :: IPC, defect)

Product:
Core
Component:
IPC
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla32
Tracking Flags:
Tracking Status
e10s + ---
firefox31 --- affected
firefox32 --- fixed
firefox34 --- verified

People

(Reporter: cpeterson, Assigned: billm)

References

(
URL
)

Details

(Whiteboard: crash)

Attachments

(1 file)

cpow-creation
3.42 KB, patch
mrbkap
: review+
Details | Diff | Splinter Review 
STR:
1. Install Mozilla's Lightbeam addon: https://addons.mozilla.org/en-US/firefox/addon/lightbeam
2. Set browser.tabs.remote.autostart pref to true.
3. Restart Firefox.

RESULT:
CRASH!

bp-b692f0fc-bef4-4f78-bacc-619de2140303
bp-c849ddf2-38b5-4db8-9613-f579c2140303

Frame 	Module 	Signature 	Source
0 	libmozalloc.dylib 	mozalloc_abort(char const*) 	memory/mozalloc/mozalloc_abort.cpp
1 	XUL 	Abort 	xpcom/base/nsDebugImpl.cpp
2 	XUL 	NS_DebugBreak 	xpcom/base/nsDebugImpl.cpp
3 	XUL 	mozilla::dom::ContentChild::ProcessingError(mozilla::ipc::HasResultCodes::Result) 	dom/ipc/ContentChild.cpp
4 	XUL 	mozilla::ipc::MessageChannel::DispatchUrgentMessage(IPC::Message const&) 	ipc/glue/MessageChannel.cpp
5 	XUL 	mozilla::ipc::MessageChannel::ProcessPendingUrgentRequest() 	ipc/glue/MessageChannel.cpp
6 	XUL 	mozilla::ipc::MessageChannel::SendAndWait(IPC::Message*, IPC::Message*) 	ipc/glue/MessageChannel.cpp
7 	XUL 	mozilla::ipc::MessageChannel::Send(IPC::Message*, IPC::Message*) 	ipc/glue/MessageChannel.cpp
8 	XUL 	mozilla::dom::PBrowserChild::SendSyncMessage(nsString const&, mozilla::dom::ClonedMessageData const&, nsTArray<mozilla::jsipc::CpowEntry> const&, IPC::Principal const&, nsTArray<nsString>*) 	obj-firefox/x86_64/ipc/ipdl/PBrowserChild.cpp
9 	XUL 	mozilla::dom::TabChild::DoSendBlockingMessage(JSContext*, nsAString_internal const&, mozilla::dom::StructuredCloneData const&, JS::Handle<JSObject*>, nsIPrincipal*, nsTArray<nsString>*, bool) 	dom/ipc/TabChild.cpp
10 	XUL 	_ZThn224_N7mozilla3dom8TabChild21DoSendBlockingMessageEP9JSContextRK18nsAString_internalRKNS0_19StructuredCloneDataEN2JS6HandleIP8JSObjectEEP12nsIPrincipalP8nsTArrayI8nsStringEb 	obj-firefox/x86_64/dom/ipc/Unified_cpp_dom_ipc0.cpp
11 	XUL 	nsFrameMessageManager::SendMessage(nsAString_internal const&, JS::Handle<JS::Value>, JS::Handle<JS::Value>, nsIPrincipal*, JSContext*, unsigned char, JS::MutableHandle<JS::Value>, bool) 	content/base/src/nsFrameMessageManager.cpp
12 	XUL 	nsFrameMessageManager::SendSyncMessage(nsAString_internal const&, JS::Handle<JS::Value>, JS::Handle<JS::Value>, nsIPrincipal*, JSContext*, unsigned char, JS::MutableHandle<JS::Value>) 	content/base/src/nsFrameMessageManager.cpp
13 	XUL 	NS_InvokeByIndex 	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp
14 	XUL 	XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) 	js/xpconnect/src/XPCWrappedNative.cpp
15 	XUL 	XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp
16 	XUL 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/jscntxtinlines.h
17 	XUL 	Interpret 	js/src/vm/Interpreter.cpp
18 	XUL 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
19 	XUL 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
20 	XUL 	js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
21 	XUL 	JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) 	js/src/jsapi.cpp
22 	XUL 	nsFrameMessageManager::ReceiveMessage(nsISupports*, nsAString_internal const&, bool, mozilla::dom::StructuredCloneData const*, CpowHolder*, nsIPrincipal*, nsTArray<nsString>*) 	content/base/src/nsFrameMessageManager.cpp
23 	XUL 	mozilla::dom::TabChild::RecvAsyncMessage(nsString const&, mozilla::dom::ClonedMessageData const&, nsTArray<mozilla::jsipc::CpowEntry> const&, IPC::Principal const&) 	dom/ipc/TabChild.cpp
24 	XUL 	mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) 	obj-firefox/x86_64/ipc/ipdl/PBrowserChild.cpp
25 	XUL 	mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) 	obj-firefox/x86_64/ipc/ipdl/PContentChild.cpp
26 	XUL 	mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) 	ipc/glue/MessageChannel.cpp
27 	XUL 	mozilla::ipc::MessageChannel::OnMaybeDequeueOne() 	ipc/glue/MessageChannel.cpp
28 	XUL 	MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) 	ipc/chromium/src/base/message_loop.cc
29 	XUL 	MessageLoop::DoWork() 	ipc/chromium/src/base/message_loop.cc
30 	XUL 	mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
31 	XUL 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
32 	XUL 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp
33 	XUL 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
34 	XUL 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp
35 	plugin-container 	main 	ipc/app/MozillaRuntimeMain.cpp
36 	plugin-container 	start
See Also: → 978417
Assignee: nobody → evilpies
Blocks: e10s-it2
Status: NEW → ASSIGNED
I can't reproduce this. Lightbeam doesn't seem to gather any data, but it also doesn't crash.
tracking-e10s: --- → +
Attached patch cpow-creationSplinter Review 
I was able to reproduce this. The problem is that both the parent and the child are trying to create PJavaScript instances at the same time. They both end up succeeding, so we have two PJavaScript instances in each process. We only expect to have one, and we end up very confused later on when there are more than one.

I think the easiest way to fix this is to require that the child always creates the PJavaScript instance. The parent really has no use for one until the child has tried to send up a CPOW. Right now, the parent needlessly tries to ensure the existence of a PJavaScript instance whenever it sends a message. By returning null here, we're saying that the parent should never be the first to send a CPOW. Currently we never send CPOWs from the parent though. If we change that, we'll have to fix this in some other way.
Assignee: evilpies → wmccloskey
Attachment #8411421 - Flags: review?(mrbkap)
Attachment #8411421 - Flags: review?(mrbkap) → review+
I was seeing this with Lightbeam, in addtion I was getting the tab crash notification looking the crash ids up lead to bug 961343.
https://hg.mozilla.org/mozilla-central/rev/f5421fcfb39c
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 32
Component: Session Restore → IPC
Product: Firefox → Core
Target Milestone: Firefox 32 → ---
Target Milestone: --- → mozilla32
Blocks: 1053007
I verified that Lightbeam does not crash Nightly 34, but I filed bug 1053007 because the Lightbeam UI's buttons do not work.
Status: RESOLVED → VERIFIED
status-firefox31: --- → affected
status-firefox32: --- → fixed
status-firefox34: --- → verified
Keywords: verifyme
See Also: → 1212248
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: