This crash occurs on current central, STR: 1. Add an attachment to a message. 2. Send. Expected: Not crash Actual: crash Note: After Gecko crashed and restarted, go back to the message app and resend the unsent message, the resending won't crash Gecko again. Stack: #0 mozilla::dom::ContentParent::GetOrCreateActorForBlob (this=0x47da9800, aBlob=0x44685d00) at /home/patrick/w/hgpool/unagi2/mcgit/dom/ipc/../../xpcom/base/nsAutoPtr.h:1016 #1 0x411d4ac2 in mozilla::dom::MmsMessage::GetData (this=0x486e6220, aParent=<value optimized out>, aData=...) at /home/patrick/w/hgpool/unagi2/mcgit/dom/mobilemessage/src/MmsMessage.cpp:316 #2 0x411d9fb4 in mozilla::dom::mobilemessage::SmsParent::GetMobileMessageDataFromMessage (this=0x46637580, aMsg=0x486e6220, aData=...) at /home/patrick/w/hgpool/unagi2/mcgit/dom/mobilemessage/src/ipc/SmsParent.cpp:285 #3 0x411da2a8 in mozilla::dom::mobilemessage::SmsParent::Observe (this=0x46637580, aSubject=0x486e6220, aTopic=0x486f6740 "sms-sending", aData=<value optimized out>) at /home/patrick/w/hgpool/unagi2/mcgit/dom/mobilemessage/src/ipc/SmsParent.cpp:203 #4 0x41730fce in nsObserverList::NotifyObservers (this=<value optimized out>, aSubject=0x486e6220, aTopic=0x486f6740 "sms-sending", someData=0x0) at /home/patrick/w/hgpool/unagi2/mcgit/xpcom/ds/nsObserverList.cpp:96 #5 0x417310b4 in nsObserverService::NotifyObservers (this=<value optimized out>, aSubject=0x486e6220, aTopic=0x486f6740 "sms-sending", someData=0x0) at /home/patrick/w/hgpool/unagi2/mcgit/xpcom/ds/nsObserverService.cpp:334 #6 0x4175672e in NS_InvokeByIndex (that=<value optimized out>, methodIndex=<value optimized out>, paramCount=<value optimized out>, params=<value optimized out>) at /home/patrick/w/hgpool/unagi2/mcgit/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:164 #7 0x4137c644 in CallMethodHelper::Invoke (ccx=<value optimized out>, mode=<value optimized out>) at /home/patrick/w/hgpool/unagi2/mcgit/js/xpconnect/src/XPCWrappedNative.cpp:2809 #8 CallMethodHelper::Call (ccx=<value optimized out>, mode=<value optimized out>) at /home/patrick/w/hgpool/unagi2/mcgit/js/xpconnect/src/XPCWrappedNative.cpp:2149 #9 XPCWrappedNative::CallMethod (ccx=<value optimized out>, mode=<value optimized out>) at /home/patrick/w/hgpool/unagi2/mcgit/js/xpconnect/src/XPCWrappedNative.cpp:2115 #10 0x41380962 in XPC_WN_CallMethod (cx=0x4041f270, argc=3, vp=<value optimized out>) at /home/patrick/w/hgpool/unagi2/mcgit/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1316 #11 0x41b108b2 in CallJSNative (cx=0x4041f270, args=..., construct=<value optimized out>) at /home/patrick/w/hgpool/unagi2/mcgit/js/src/jscntxtinlines.h:219 #12 Invoke (cx=0x4041f270, args=..., construct=<value optimized out>) at /home/patrick/w/hgpool/unagi2/mcgit/js/src/vm/Interpreter.cpp:489 #13 0x41b0cd34 in Interpret (cx=0x4041f270, state=<value optimized out>) at /home/patrick/w/hgpool/unagi2/mcgit/js/src/vm/Interpreter.cpp:2484 #14 0x41b11790 in RunScript (cx=0x4041f270, thisv=<value optimized out>, fval=..., argc=<value optimized out>, argv=0xbedf65e8, rval=...) at /home/patrick/w/hgpool/unagi2/mcgit/js/src/vm/Interpreter.cpp:446 #15 Invoke (cx=0x4041f270, thisv=<value optimized out>, fval=..., argc=<value optimized out>, argv=0xbedf65e8, rval=...) at /home/patrick/w/hgpool/unagi2/mcgit/js/src/vm/Interpreter.cpp:508 #16 Invoke (cx=0x4041f270, thisv=<value optimized out>, fval=..., argc=<value optimized out>, argv=0xbedf65e8, rval=...) at /home/patrick/w/hgpool/unagi2/mcgit/js/src/vm/Interpreter.cpp:539 #17 0x41b83050 in JS_CallFunctionValue (cx=0x4041f270, objArg=<value optimized out>, fval=..., argc=2, argv=0xbedf65e8, rval=0xbedf66a0) at /home/patrick/w/hgpool/unagi2/mcgit/js/src/jsapi.cpp:5428 #18 0x4137a198 in nsXPCWrappedJSClass::CallMethod (this=0x47bd5f40, wrapper=<value optimized out>, methodIndex=<value optimized out>, info_=0x435d8180, nativeParams=0xbedf6760) at /home/patrick/w/hgpool/unagi2/mcgit/js/xpconnect/src/XPCWrappedJSClass.cpp:1445 #19 0x41378590 in nsXPCWrappedJS::CallMethod (this=0x472aff80, methodIndex=3, info=0x435d8180, params=<value optimized out>) at /home/patrick/w/hgpool/unagi2/mcgit/js/xpconnect/src/XPCWrappedJS.cpp:587 #20 0x41756fc0 in PrepareAndDispatch (self=0x486f6b50, methodIndex=<value optimized out>, args=<value optimized out>) at /home/patrick/w/hgpool/unagi2/mcgit/xpcom/reflect/xptcall/src/md/unix/xptcstubs_arm.cpp:105 #21 0x41756748 in SharedStub () from /home/patrick/w/hgpool/unagi2/B2G/objdir-gecko/dist/bin/libxul.so #22 0x4175672e in NS_InvokeByIndex (that=<value optimized out>, methodIndex=<value optimized out>, paramCount=<value optimized out>, params=<value optimized out>) at /home/patrick/w/hgpool/unagi2/mcgit/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:164 #23 0x4137c644 in CallMethodHelper::Invoke (ccx=<value optimized out>, mode=<value optimized out>) at /home/patrick/w/hgpool/unagi2/mcgit/js/xpconnect/src/XPCWrappedNative.cpp:2809 #24 CallMethodHelper::Call (ccx=<value optimized out>, mode=<value optimized out>) at /home/patrick/w/hgpool/unagi2/mcgit/js/xpconnect/src/XPCWrappedNative.cpp:2149 #25 XPCWrappedNative::CallMethod (ccx=<value optimized out>, mode=<value optimized out>) at /home/patrick/w/hgpool/unagi2/mcgit/js/xpconnect/src/XPCWrappedNative.cpp:2115 #26 0x41380962 in XPC_WN_CallMethod (cx=0x4041f270, argc=2, vp=<value optimized out>) at /home/patrick/w/hgpool/unagi2/mcgit/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1316 #27 0x41b108b2 in CallJSNative (cx=0x4041f270, args=..., construct=<value optimized out>) at /home/patrick/w/hgpool/unagi2/mcgit/js/src/jscntxtinlines.h:219 #28 Invoke (cx=0x4041f270, args=..., construct=<value optimized out>) at /home/patrick/w/hgpool/unagi2/mcgit/js/src/vm/Interpreter.cpp:489 #29 0x41b0cd34 in Interpret (cx=0x4041f270, state=<value optimized out>) at /home/patrick/w/hgpool/unagi2/mcgit/js/src/vm/Interpreter.cpp:2484 #30 0x41b11790 in RunScript (cx=0x4041f270, thisv=<value optimized out>, fval=..., argc=<value optimized out>, argv=0xbedf7148, rval=...) at /home/patrick/w/hgpool/unagi2/mcgit/js/src/vm/Interpreter.cpp:446

This bug only happened in central branch not b2g18 branch.

Backtrace from gdb. RemotBlob::mActor is 0 in this case. Bent, could you please give some suggestions on this bug? Thanks. #0 mozilla::dom::ipc::RemoteBlob<(mozilla::dom::ipc::ActorFlavorEnum)0>::GetPBlob (this=0x4644e1a0) at /home/ctai/bugzone/904993/b2g-inbound/dom/ipc/Blob.cpp:1052 #1 0x416925fe in mozilla::dom::ContentParent::GetOrCreateActorForBlob ( this=0x478ec800, aBlob=0x4644e1a0) at /home/ctai/bugzone/904993/b2g-inbound/dom/ipc/ContentParent.cpp:1900 #2 0x4134ee9a in mozilla::dom::MmsMessage::GetData (this=0x43898a60, aParent=<value optimized out>, aData=...) at /home/ctai/bugzone/904993/b2g-inbound/dom/mobilemessage/src/MmsMessage.cpp:316 #3 0x41355200 in mozilla::dom::mobilemessage::SmsParent::GetMobileMessageDataFromMessage (this=0x464a1640, aMsg=0x43898a60, aData=...) at /home/ctai/bugzone/904993/b2g-inbound/dom/mobilemessage/src/ipc/SmsParent.cpp:285 #4 0x41355600 in mozilla::dom::mobilemessage::SmsParent::Observe ( this=0x464a1640, aSubject=0x43898a60, aTopic=0x445c2860 "sms-sending", aData=<value optimized out>) at /home/ctai/bugzone/904993/b2g-inbound/dom/mobilemessage/src/ipc/SmsParent.cpp:203 #5 0x419bfb3e in nsObserverList::NotifyObservers (this=<value optimized out>, aSubject=0x43898a60, aTopic=0x445c2860 "sms-sending", someData=0x0) at /home/ctai/bugzone/904993/b2g-inbound/xpcom/ds/nsObserverList.cpp:96

Hm, I'll need to debug it, but it sounds like the SMS app is dying somehow during the sending process?

Him Bent, The messaging AP(SMS/MMS) will try to get the Blob from content process when sending a MMS with picture. You can easily reproduce this by sending sending a wallpaper to someone via MMS. After that, the chrome process will crash in the http://mxr.mozilla.org/mozilla-central/source/dom/ipc/ContentParent.cpp#1897. This is called by http://mxr.mozilla.org/mozilla-central/source/dom/mobilemessage/src/MmsMessage.cpp#316. Any suggestion is welcome. Thanks.

Crash stack can be seen : https://crash-stats.mozilla.com/report/index/3c48405f-42a3-4942-8c65-6cf342130911

STR: 1. launch sms app 2. type in a phone number 3. attach a MMS (ie wallpaper) 4. try to send. Expected: no crashing, sent wallpaper Actual: crash

This issue was fixed in bug 887093 on b2g-18, but the relevant part never made it to trunk :-(

Comment on attachment 806483 [details] [diff] [review] Patch: don't assert actor if blob is a remote blob. Review of attachment 806483 [details] [diff] [review]: ----------------------------------------------------------------- r=me ::: dom/ipc/ContentParent.cpp @@ +1931,5 @@ > // simply pass its actor back here. > if (nsCOMPtr<nsIRemoteBlob> remoteBlob = do_QueryInterface(aBlob)) { > + if (void* blobParent = remoteBlob->GetPBlob()) { > + BlobParent* actor = static_cast<BlobParent*>(static_cast<PBlobParent*>(blobParent)); > + if (static_cast<ContentParent*>(actor->Manager()) == this) { bent pointed out to me that static_casting NULL gives you NULL even if the static_cast would adjust the pointer, so we don't need to do the intermediate void* bit.

This is effectively a regression from leo, and multiprocess blobs don't work correctly without this patch, so I'm going to go ahead and mark this as a koi blocker.

Address comment 9, trying: https://tbpl.mozilla.org/?tree=Try&rev=85bc0f0bb1d9

Thanks Patrick.