Closed Bug 912861 Opened 11 years ago Closed 11 years ago

[MMS] Gecko crash when sending an MMS message.

Categories

(Firefox OS Graveyard :: General, defect)

ARM
Gonk (Firefox OS)
defect
Not set
normal

Tracking

(blocking-b2g:koi+, firefox25 wontfix, firefox26 fixed, firefox27 fixed, b2g-v1.2 verified)

RESOLVED FIXED

People

(Reporter: kk1fff, Assigned: kk1fff)

Details

(Keywords: crash, qablocker, regression, Whiteboard: burirun1)

Attachments

(1 file, 1 obsolete file)

This crash occurs on current central, STR:

1. Add an attachment to a message.
2. Send.

Expected:
No crash

Actual:
crash

Note:
After Gecko crashes and restarts, going back to the message app and resending the unsent message won't crash Gecko again.

Stack:

#0  mozilla::dom::ContentParent::GetOrCreateActorForBlob (this=0x47da9800, aBlob=0x44685d00)
    at /home/patrick/w/hgpool/unagi2/mcgit/dom/ipc/../../xpcom/base/nsAutoPtr.h:1016
#1  0x411d4ac2 in mozilla::dom::MmsMessage::GetData (this=0x486e6220, aParent=<value optimized out>, aData=...)
    at /home/patrick/w/hgpool/unagi2/mcgit/dom/mobilemessage/src/MmsMessage.cpp:316
#2  0x411d9fb4 in mozilla::dom::mobilemessage::SmsParent::GetMobileMessageDataFromMessage (this=0x46637580, aMsg=0x486e6220, aData=...)
    at /home/patrick/w/hgpool/unagi2/mcgit/dom/mobilemessage/src/ipc/SmsParent.cpp:285
#3  0x411da2a8 in mozilla::dom::mobilemessage::SmsParent::Observe (this=0x46637580, aSubject=0x486e6220,
    aTopic=0x486f6740 "sms-sending", aData=<value optimized out>)
    at /home/patrick/w/hgpool/unagi2/mcgit/dom/mobilemessage/src/ipc/SmsParent.cpp:203
#4  0x41730fce in nsObserverList::NotifyObservers (this=<value optimized out>, aSubject=0x486e6220, aTopic=0x486f6740 "sms-sending",
    someData=0x0) at /home/patrick/w/hgpool/unagi2/mcgit/xpcom/ds/nsObserverList.cpp:96
#5  0x417310b4 in nsObserverService::NotifyObservers (this=<value optimized out>, aSubject=0x486e6220,
    aTopic=0x486f6740 "sms-sending", someData=0x0) at /home/patrick/w/hgpool/unagi2/mcgit/xpcom/ds/nsObserverService.cpp:334
#6  0x4175672e in NS_InvokeByIndex (that=<value optimized out>, methodIndex=<value optimized out>, paramCount=<value optimized out>,
    params=<value optimized out>) at /home/patrick/w/hgpool/unagi2/mcgit/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:164
#7  0x4137c644 in CallMethodHelper::Invoke (ccx=<value optimized out>, mode=<value optimized out>)
    at /home/patrick/w/hgpool/unagi2/mcgit/js/xpconnect/src/XPCWrappedNative.cpp:2809
#8  CallMethodHelper::Call (ccx=<value optimized out>, mode=<value optimized out>)
    at /home/patrick/w/hgpool/unagi2/mcgit/js/xpconnect/src/XPCWrappedNative.cpp:2149
#9  XPCWrappedNative::CallMethod (ccx=<value optimized out>, mode=<value optimized out>)
    at /home/patrick/w/hgpool/unagi2/mcgit/js/xpconnect/src/XPCWrappedNative.cpp:2115
#10 0x41380962 in XPC_WN_CallMethod (cx=0x4041f270, argc=3, vp=<value optimized out>)
    at /home/patrick/w/hgpool/unagi2/mcgit/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1316
#11 0x41b108b2 in CallJSNative (cx=0x4041f270, args=..., construct=<value optimized out>)
    at /home/patrick/w/hgpool/unagi2/mcgit/js/src/jscntxtinlines.h:219
#12 Invoke (cx=0x4041f270, args=..., construct=<value optimized out>)
    at /home/patrick/w/hgpool/unagi2/mcgit/js/src/vm/Interpreter.cpp:489
#13 0x41b0cd34 in Interpret (cx=0x4041f270, state=<value optimized out>)
    at /home/patrick/w/hgpool/unagi2/mcgit/js/src/vm/Interpreter.cpp:2484
#14 0x41b11790 in RunScript (cx=0x4041f270, thisv=<value optimized out>, fval=..., argc=<value optimized out>, argv=0xbedf65e8,
    rval=...) at /home/patrick/w/hgpool/unagi2/mcgit/js/src/vm/Interpreter.cpp:446
#15 Invoke (cx=0x4041f270, thisv=<value optimized out>, fval=..., argc=<value optimized out>, argv=0xbedf65e8, rval=...)
    at /home/patrick/w/hgpool/unagi2/mcgit/js/src/vm/Interpreter.cpp:508
#16 Invoke (cx=0x4041f270, thisv=<value optimized out>, fval=..., argc=<value optimized out>, argv=0xbedf65e8, rval=...)
    at /home/patrick/w/hgpool/unagi2/mcgit/js/src/vm/Interpreter.cpp:539
#17 0x41b83050 in JS_CallFunctionValue (cx=0x4041f270, objArg=<value optimized out>, fval=..., argc=2, argv=0xbedf65e8,
    rval=0xbedf66a0) at /home/patrick/w/hgpool/unagi2/mcgit/js/src/jsapi.cpp:5428
#18 0x4137a198 in nsXPCWrappedJSClass::CallMethod (this=0x47bd5f40, wrapper=<value optimized out>, methodIndex=<value optimized out>,
    info_=0x435d8180, nativeParams=0xbedf6760) at /home/patrick/w/hgpool/unagi2/mcgit/js/xpconnect/src/XPCWrappedJSClass.cpp:1445
#19 0x41378590 in nsXPCWrappedJS::CallMethod (this=0x472aff80, methodIndex=3, info=0x435d8180, params=<value optimized out>)
    at /home/patrick/w/hgpool/unagi2/mcgit/js/xpconnect/src/XPCWrappedJS.cpp:587
#20 0x41756fc0 in PrepareAndDispatch (self=0x486f6b50, methodIndex=<value optimized out>, args=<value optimized out>)
    at /home/patrick/w/hgpool/unagi2/mcgit/xpcom/reflect/xptcall/src/md/unix/xptcstubs_arm.cpp:105
#21 0x41756748 in SharedStub () from /home/patrick/w/hgpool/unagi2/B2G/objdir-gecko/dist/bin/libxul.so
#22 0x4175672e in NS_InvokeByIndex (that=<value optimized out>, methodIndex=<value optimized out>, paramCount=<value optimized out>,
    params=<value optimized out>) at /home/patrick/w/hgpool/unagi2/mcgit/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:164
#23 0x4137c644 in CallMethodHelper::Invoke (ccx=<value optimized out>, mode=<value optimized out>)
    at /home/patrick/w/hgpool/unagi2/mcgit/js/xpconnect/src/XPCWrappedNative.cpp:2809
#24 CallMethodHelper::Call (ccx=<value optimized out>, mode=<value optimized out>)
    at /home/patrick/w/hgpool/unagi2/mcgit/js/xpconnect/src/XPCWrappedNative.cpp:2149
#25 XPCWrappedNative::CallMethod (ccx=<value optimized out>, mode=<value optimized out>)
    at /home/patrick/w/hgpool/unagi2/mcgit/js/xpconnect/src/XPCWrappedNative.cpp:2115
#26 0x41380962 in XPC_WN_CallMethod (cx=0x4041f270, argc=2, vp=<value optimized out>)
    at /home/patrick/w/hgpool/unagi2/mcgit/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1316
#27 0x41b108b2 in CallJSNative (cx=0x4041f270, args=..., construct=<value optimized out>)
    at /home/patrick/w/hgpool/unagi2/mcgit/js/src/jscntxtinlines.h:219
#28 Invoke (cx=0x4041f270, args=..., construct=<value optimized out>)
    at /home/patrick/w/hgpool/unagi2/mcgit/js/src/vm/Interpreter.cpp:489
#29 0x41b0cd34 in Interpret (cx=0x4041f270, state=<value optimized out>)
    at /home/patrick/w/hgpool/unagi2/mcgit/js/src/vm/Interpreter.cpp:2484
#30 0x41b11790 in RunScript (cx=0x4041f270, thisv=<value optimized out>, fval=..., argc=<value optimized out>, argv=0xbedf7148,
    rval=...) at /home/patrick/w/hgpool/unagi2/mcgit/js/src/vm/Interpreter.cpp:446
This bug only happened on the central branch, not on the b2g18 branch.
Backtrace from gdb. RemoteBlob::mActor is 0 in this case. Bent, could you please give some suggestions on this bug?
Thanks.

#0  mozilla::dom::ipc::RemoteBlob<(mozilla::dom::ipc::ActorFlavorEnum)0>::GetPBlob (this=0x4644e1a0)
    at /home/ctai/bugzone/904993/b2g-inbound/dom/ipc/Blob.cpp:1052
#1  0x416925fe in mozilla::dom::ContentParent::GetOrCreateActorForBlob (
    this=0x478ec800, aBlob=0x4644e1a0)
    at /home/ctai/bugzone/904993/b2g-inbound/dom/ipc/ContentParent.cpp:1900
#2  0x4134ee9a in mozilla::dom::MmsMessage::GetData (this=0x43898a60, 
    aParent=<value optimized out>, aData=...)
    at /home/ctai/bugzone/904993/b2g-inbound/dom/mobilemessage/src/MmsMessage.cpp:316
#3  0x41355200 in mozilla::dom::mobilemessage::SmsParent::GetMobileMessageDataFromMessage (this=0x464a1640, aMsg=0x43898a60, aData=...)
    at /home/ctai/bugzone/904993/b2g-inbound/dom/mobilemessage/src/ipc/SmsParent.cpp:285
#4  0x41355600 in mozilla::dom::mobilemessage::SmsParent::Observe (
    this=0x464a1640, aSubject=0x43898a60, aTopic=0x445c2860 "sms-sending", 
    aData=<value optimized out>)
    at /home/ctai/bugzone/904993/b2g-inbound/dom/mobilemessage/src/ipc/SmsParent.cpp:203
#5  0x419bfb3e in nsObserverList::NotifyObservers (this=<value optimized out>, 
    aSubject=0x43898a60, aTopic=0x445c2860 "sms-sending", someData=0x0)
    at /home/ctai/bugzone/904993/b2g-inbound/xpcom/ds/nsObserverList.cpp:96
Flags: needinfo?(bent.mozilla)
Hm, I'll need to debug it, but it sounds like the SMS app is dying somehow during the sending process?
Flags: needinfo?(bent.mozilla)
Flags: needinfo?(bent.mozilla)
Hi Bent,
The messaging app (SMS/MMS) will try to get the Blob from the content process when sending an MMS with a picture.
You can easily reproduce this by sending a wallpaper to someone via MMS. After that, the chrome process will crash at http://mxr.mozilla.org/mozilla-central/source/dom/ipc/ContentParent.cpp#1897.
This is called by http://mxr.mozilla.org/mozilla-central/source/dom/mobilemessage/src/MmsMessage.cpp#316.
Any suggestion is welcome.
Thanks.
The crash stack can be seen at:
https://crash-stats.mozilla.com/report/index/3c48405f-42a3-4942-8c65-6cf342130911
Crash Signature: [@ mozilla::dom::ContentParent::GetOrCreateActorForBlob(nsIDOMBlob*) ]
Keywords: crash
STR:
1. launch sms app
2. type in a phone number
3. attach a MMS (ie wallpaper)
4. try to send.

Expected: no crashing, sent wallpaper
Actual: crash
Flags: needinfo?(nhirata.bugzilla)
blocking-b2g: --- → koi?
This issue was fixed in bug 887093 on b2g-18, but the relevant part never made it to trunk :-(
Depends on: 887093
Flags: needinfo?(bent.mozilla)
Attachment #806483 - Flags: review?(khuey)
Comment on attachment 806483 [details] [diff] [review]
Patch: don't assert actor if blob is a remote blob.

Review of attachment 806483 [details] [diff] [review]:
-----------------------------------------------------------------

r=me

::: dom/ipc/ContentParent.cpp
@@ +1931,5 @@
>    // simply pass its actor back here.
>    if (nsCOMPtr<nsIRemoteBlob> remoteBlob = do_QueryInterface(aBlob)) {
> +    if (void* blobParent = remoteBlob->GetPBlob()) {
> +      BlobParent* actor = static_cast<BlobParent*>(static_cast<PBlobParent*>(blobParent));
> +      if (static_cast<ContentParent*>(actor->Manager()) == this) {
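
Review bot: The double static_cast on the second added line trusts that the void* returned by GetPBlob() was stored as a PBlobParent*, and nothing in the hunk enforces that. A short comment stating that invariant, or a typed accessor in place of void*, would make the cast safer to maintain. The two new conditions also introduce two fall-through paths (GetPBlob() returning null, and an actor whose Manager() is a different ContentParent); the lines after this hunk should be checked to confirm that both end up creating a fresh actor rather than returning early.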

bent pointed out to me that static_casting NULL gives you NULL even if the static_cast would adjust the pointer, so we don't need to do the intermediate void* bit.
Attachment #806483 - Flags: review?(khuey) → review+
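
The point in the review comment above about static_cast and null, as an added example that is not part of this bug or of Gecko's source. Padding, PActor, Actor, adjustment, null_stays_null and reuse_or_null are hypothetical stand-ins; PActor is placed as a second base so that the downcast has to adjust the pointer.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical stand-ins for this example; these are not Gecko's classes.
struct Padding { virtual ~Padding() = default; long pad = 0; };
struct PActor  { virtual ~PActor() = default; void* manager = nullptr; };
// PActor is the second base, so PActor* <-> Actor* conversions shift the address.
struct Actor : Padding, PActor { int id = 7; };

// Byte offset that static_cast applies when downcasting a non-null PActor*.
std::ptrdiff_t adjustment(PActor* p) {
  Actor* a = static_cast<Actor*>(p);
  return static_cast<std::ptrdiff_t>(reinterpret_cast<std::uintptr_t>(p) -
                                     reinterpret_cast<std::uintptr_t>(a));
}

// A null pointer is exempt from that offset: the result is still null.
bool null_stays_null() {
  PActor* p = nullptr;
  return static_cast<Actor*>(p) == nullptr;
}

// Guarded lookup: reuse the stored actor only if it exists and belongs to
// `self`; otherwise return null so the caller creates a fresh actor.
Actor* reuse_or_null(PActor* stored, const void* self) {
  Actor* actor = static_cast<Actor*>(stored);  // safe when stored is null
  if (actor && actor->manager == self) {
    return actor;
  }
  return nullptr;
}

int main() {
  int owner = 0, other = 0;  // constructed sample managers
  Actor a;
  a.manager = &owner;
  std::printf("adjustment: %td bytes\n", adjustment(&a));
  std::printf("null stays null: %d\n", null_stays_null());
  std::printf("same manager reused: %d\n", reuse_or_null(&a, &owner) == &a);
  std::printf("null actor handled: %d\n", reuse_or_null(nullptr, &owner) == nullptr);
  std::printf("other manager rejected: %d\n", reuse_or_null(&a, &other) == nullptr);
  return 0;
}
```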
This is effectively a regression from leo, and multiprocess blobs don't work correctly without this patch, so I'm going to go ahead and mark this as a koi blocker.
blocking-b2g: koi? → koi+
Address comment 9, trying: https://tbpl.mozilla.org/?tree=Try&rev=85bc0f0bb1d9
Attachment #806483 - Attachment is obsolete: true
https://hg.mozilla.org/mozilla-central/rev/39ae127ad485
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → 1.2 FC (16sep)
https://hg.mozilla.org/releases/mozilla-aurora/rev/70ca362429c5
Target Milestone: 1.2 FC (16sep) → ---
Thanks Patrick.
Whiteboard: burirun1
Flags: needinfo?(nhirata.bugzilla)