See testcase, to reproduce: - tap on the "windowopenbuttonclick" button Expected result: - Quickly opening, then closing window Actual result: - "Well, this is embarrassing :( We tried to display this webpage, but it's not responding." window I guess this is a crash?

blocks user interaction, fairly common to hit.

> I guess this is a crash? It would be helpful if you could build a b2g debug build and get a stack. You could do this by attaching GDB to the appropriate process.

Patrick, maybe you'd be interested in investigating this? I can help you get started while we're in the same room together.

Yes, it is a crash, stack: #0 mozalloc_abort (msg=0xbeee1a98 "[Child 966] ###!!! ABORT: aborting because of fatal error: file /home/patrick/w/otoro/B2G/gecko/dom/ipc/ContentChild.cpp, line 845") at /home/patrick/w/otoro/B2G/gecko/memory/mozalloc/mozalloc_abort.cpp:21 #1 0x40c1c4ea in Abort (aSeverity=<value optimized out>, aStr=0x4112b0a3 "aborting because of fatal error", aExpr=<value optimized out>, aFile=<value optimized out>, aLine=845) at /home/patrick/w/otoro/B2G/gecko/xpcom/base/nsDebugImpl.cpp:423 #2 NS_DebugBreak_P (aSeverity=<value optimized out>, aStr=0x4112b0a3 "aborting because of fatal error", aExpr=<value optimized out>, aFile=<value optimized out>, aLine=845) at /home/patrick/w/otoro/B2G/gecko/xpcom/base/nsDebugImpl.cpp:410 #3 0x40b14302 in mozilla::dom::ContentChild::ProcessingError (this=<value optimized out>, what=<value optimized out>) at /home/patrick/w/otoro/B2G/gecko/dom/ipc/ContentChild.cpp:845 #4 0x40b85c52 in mozilla::dom::PContentChild::OnProcessingError (this=0x34d, code=mozilla::ipc::HasResultCodes::MsgRouteError) at /home/patrick/w/otoro/B2G/objdir-gecko/ipc/ipdl/PContentChild.cpp:2857 #5 0x40b27f56 in mozilla::ipc::AsyncChannel::MaybeHandleError (this=0x34d, code=mozilla::ipc::HasResultCodes::MsgRouteError, channelName=<value optimized out>) at /home/patrick/w/otoro/B2G/gecko/ipc/glue/AsyncChannel.cpp:613 #6 0x40b27fb4 in mozilla::ipc::AsyncChannel::OnDispatchMessage (this=0x41a311b0, msg=<value optimized out>) at /home/patrick/w/otoro/B2G/gecko/ipc/glue/AsyncChannel.cpp:473 #7 0x40b2cdce in mozilla::ipc::RPCChannel::OnMaybeDequeueOne (this=0x41a311b0) at /home/patrick/w/otoro/B2G/gecko/ipc/glue/RPCChannel.cpp:402 #8 0x40b10dba in DispatchToMethod<mozilla::dom::ContentParent, void (mozilla::dom::ContentParent::*)()> (this=<value optimized out>) at /home/patrick/w/otoro/B2G/gecko/ipc/chromium/src/base/tuple.h:383 #9 RunnableMethod<mozilla::dom::ContentParent, void (mozilla::dom::ContentParent::*)(), Tuple0>::Run (this=<value optimized out>) at /home/patrick/w/otoro/B2G/gecko/ipc/chromium/src/base/task.h:307 #10 0x40b2b784 in mozilla::ipc::RPCChannel::RefCountedTask::Run (this=<value optimized out>) at ../../dist/include/mozilla/ipc/RPCChannel.h:425 #11 mozilla::ipc::RPCChannel::DequeueTask::Run (this=<value optimized out>) at ../../dist/include/mozilla/ipc/RPCChannel.h:448 #12 0x40c39ab8 in MessageLoop::RunTask (this=0xbeee28e8, task=0xbeee1ef4) at /home/patrick/w/otoro/B2G/gecko/ipc/chromium/src/base/message_loop.cc:333 #13 0x40c3a8ea in MessageLoop::DeferOrRunPendingTask (this=0x41a311b0, pending_task=<value optimized out>) at /home/patrick/w/otoro/B2G/gecko/ipc/chromium/src/base/message_loop.cc:341 #14 0x40c3b4c8 in MessageLoop::DoWork (this=0xbeee28e8) at /home/patrick/w/otoro/B2G/gecko/ipc/chromium/src/base/message_loop.cc:441 #15 0x40b2b140 in mozilla::ipc::DoWorkRunnable::Run (this=<value optimized out>) at /home/patrick/w/otoro/B2G/gecko/ipc/glue/MessagePump.cpp:42 #16 0x40c18232 in nsThread::ProcessNextEvent (this=0x41a06880, mayWait=<value optimized out>, result=0xbeee1fd7) at /home/patrick/w/otoro/B2G/gecko/xpcom/threads/nsThread.cpp:627 #17 0x40bf8996 in NS_ProcessNextEvent_P (thread=0x41a311b0, mayWait=false) at /home/patrick/w/otoro/B2G/objdir-gecko/xpcom/build/nsThreadUtils.cpp:221 #18 0x40b2b250 in mozilla::ipc::MessagePump::Run (this=0x41a022e0, aDelegate=0xbeee28e8) at /home/patrick/w/otoro/B2G/gecko/ipc/glue/MessagePump.cpp:82 #19 0x40b2b302 in mozilla::ipc::MessagePumpForChildProcess::Run (this=0x41a022e0, aDelegate=0xbeee28e8) at /home/patrick/w/otoro/B2G/gecko/ipc/glue/MessagePump.cpp:231 #20 0x40c39a68 in MessageLoop::RunInternal (this=0x1000000) at /home/patrick/w/otoro/B2G/gecko/ipc/chromium/src/base/message_loop.cc:215 #21 0x40c39b1e in MessageLoop::RunHandler (this=0xbeee28e8) at /home/patrick/w/otoro/B2G/gecko/ipc/chromium/src/base/message_loop.cc:208 #22 MessageLoop::Run (this=0xbeee28e8) at /home/patrick/w/otoro/B2G/gecko/ipc/chromium/src/base/message_loop.cc:182 #23 0x40ab4604 in nsBaseAppShell::Run (this=0x427fca60) at /home/patrick/w/otoro/B2G/gecko/widget/xpwidgets/nsBaseAppShell.cpp:163 #24 0x404510b4 in XRE_RunAppShell () at /home/patrick/w/otoro/B2G/gecko/toolkit/xre/nsEmbedFunctions.cpp:646 #25 0x40b2b2d0 in mozilla::ipc::MessagePumpForChildProcess::Run (this=0x41a022e0, aDelegate=0xbeee28e8) at /home/patrick/w/otoro/B2G/gecko/ipc/glue/MessagePump.cpp:198 #26 0x40c39a68 in MessageLoop::RunInternal (this=0x427fca60) at /home/patrick/w/otoro/B2G/gecko/ipc/chromium/src/base/message_loop.cc:215 #27 0x40c39b1e in MessageLoop::RunHandler (this=0xbeee28e8) at /home/patrick/w/otoro/B2G/gecko/ipc/chromium/src/base/message_loop.cc:208 #28 MessageLoop::Run (this=0xbeee28e8) at /home/patrick/w/otoro/B2G/gecko/ipc/chromium/src/base/message_loop.cc:182 #29 0x40451458 in XRE_InitChildProcess (aArgc=<value optimized out>, aArgv=<value optimized out>, aProcess=GeckoProcessType_Content) at /home/patrick/w/otoro/B2G/gecko/toolkit/xre/nsEmbedFunctions.cpp:485 #30 0x00008450 in main (argc=5, argv=0xbeee2a44) at /home/patrick/w/otoro/B2G/gecko/ipc/app/MozillaRuntimeMain.cpp:48 Error message says it's an IPC message route error.

This looks like an IPC error?

Looks like IPC actor use-after-__delete__.

(In reply to Chris Jones [:cjones] [:warhammer] from comment #6) > Looks like IPC actor use-after-__delete__. I think it is (or at least, related to) a use-after-__delete__ case. I observed that several receiver were unregistered from mActorMap, then ContentParent attempted to route a message, whose route_id is no longer existed.

This patch adds a boolean mIsDestroyed to record if TabParent::Destroy() has been called, and checks mIsDestroyed before sending IPC messages. Hi cjones, would you help to review this? Thanks.

An "if" statement is wrong, fix.

Comment on attachment 680323 [details] [diff] [review] Patch: Checking if TabParent has been distroyed before send IPC message >diff --git a/dom/ipc/TabParent.cpp b/dom/ipc/TabParent.cpp >@@ -223,64 +229,80 @@ TabParent::LoadURL(nsIURI* aURI) > NS_WARNING(nsPrintfCString("TabParent::LoadURL(%s) called before " > "Show(). Ignoring LoadURL.\n", spec.get()).get()); > return; > } > > nsCString spec; > aURI->GetSpec(spec); > >- unused << SendLoadURL(spec); >+ if (!mIsDestroyed) { >+ unused << SendLoadURL(spec); >+ } This check should go at the beginning of the method and be if (mIsDestroyed) { return; } > void > TabParent::UpdateDimensions(const nsRect& rect, const nsIntSize& size) > { >- unused << SendUpdateDimensions(rect, size); >+ if (!mIsDestroyed) { >+ unused << SendUpdateDimensions(rect, size); >+ } Just do if (mIsDestroyed) { return; } >diff --git a/dom/ipc/TabParent.h b/dom/ipc/TabParent.h >+ bool mIsDestroyed; Add a comment describing what this member represents and what's valid/invalid when it's true and false. r=me with those.

Fix according to comment 10.

This seems to work now on my Otoro phone (updated today), but after running the testcase, I get an empty url bar and an useless progress bar. I filed bug 813349 for that.

I also get crashes/os reboots with a similar testcase as this one, I filed bug 813356 for it.