Closed Bug 242282 Opened 21 years ago Closed 21 years ago

[FIXr]M17rc1 crash quickly hitting back button [@ nsPluginDOMContextMenuListener::Destroy]

Categories

(Core :: Layout, defect, P1)

x86
Windows XP
defect

Tracking


VERIFIED FIXED
mozilla1.7final

People

(Reporter: danm.moz, Assigned: bzbarsky)

References


Details

(Keywords: crash, topcrash, verified1.7)

Attachments

(1 file)

Steps to reproduce:

1. Navigate to http://www.roadandtrack.com/
2. Hit pretty much any link to go to another roadandtrack page. I'm clicking on the picture for the main article in the top left, which happens to be a Chrysler 300c at the moment. Other links also work, for instance 2004 New York International Auto Show, bottom left.
3. Allow the page to load.
4. Repeat above. Both my above examples lead to multi-page articles; I've just been going to page 2 of the article.
5. Hit the Chrome Back button. Quickly! Just as the previous page begins to load, hit the back button once again. I get best results if I do this just as the first element of the previous page is drawn. It also seems to work to just quickly and repeatedly hit the back button.
6. Crash reliably.

Every client in which I've tried this crashes. This includes a downloaded Firefox 0.8, a homebuilt Mozilla 1.7b 20040410, and a homebuilt Mozilla 1.8a 20040427.

This is difficult to debug because timing is critical, and interposing a debugger screws up the timing. Here's what I know.

It crashes in layout/html/base/src/nsPluginInstanceOwner::Destroy() at mCXMenuListener->Destroy(mOwner) because mCXMenuListener is nonzero and in fact points to hell. This happens because mCXMenuListener is never initialized. It's not set to 0 in the constructor. Normally it's initialized about 40 lines into nsPluginInstanceOwner::Init but it never gets that far. Half a dozen lines above, in that same Init method, where it reads

  if (docShell) {
    nsCOMPtr<nsIContentViewer> cv;
    docShell->GetContentViewer(getter_AddRefs(cv));
    if (cv)
      cv->Show();
  }

It calls cv->Show, but never returns. So nsPluginInstanceOwner::Destroy is being called from the same nsPluginInstanceOwner's Init method, via cv->Show.

PS setting mCXMenuListener to 0 earlier is not the solution. Yeah, I tried it for fun. That does allow it to survive the Destroy method, but quickly enough it stumbles into a morass of deleted objects being referenced, and crashes a little further down the line.
Sincere badness is going on. I don't know this code. cc:ing some likely-seeming people from the cvs annotation.
Keywords: crash
> So nsPluginInstanceOwner::Destroy is being called from the same
> nsPluginInstanceOwner's Init method, via cv->Show.

Is it going by way of the prevViewer->Destroy() call in Show()?
Yup.
Hmm... So we call Init() and that calls our own destroy? So somehow the prev viewer is the same as the current viewer?? Just out of curiosity, does moving the code that destroys the instance owner in ~nsObjectFrame into nsObjectFrame::Destroy change anything?
This isn't hard to reproduce, is it? Is it Windows-only? Perhaps it's time for a big ol' mostly noise stack trace. This one is without your suggested change:

nsPluginDOMContextMenuListener::Destroy(nsObjectFrame * 0x03989ab0) line 2028 + 33 bytes
nsPluginInstanceOwner::Destroy() line 3604 -- same object as in Init(), below
nsObjectFrame::~nsObjectFrame() line 407
nsObjectFrame::`scalar deleting destructor'(unsigned int 1) + 15 bytes
nsFrame::Destroy(nsFrame * const 0x03989ab0, nsIPresContext * 0x03d3fb08) line 649 + 34 bytes
nsSplittableFrame::Destroy(nsSplittableFrame * const 0x03989ab0, nsIPresContext * 0x03d3fb08) line 72
nsContainerFrame::Destroy(nsContainerFrame * const 0x03989ab0, nsIPresContext * 0x03d3fb08) line 170 + 13 bytes
nsObjectFrame::Destroy(nsObjectFrame * const 0x03989ab0, nsIPresContext * 0x03d3fb08) line 741
nsLineBox::DeleteLineList(nsIPresContext * 0x03d3fb08, nsLineList & {...}) line 301
nsBlockFrame::Destroy(nsBlockFrame * const 0x0398997c, nsIPresContext * 0x03d3fb08) line 300 + 16 bytes
nsFrameList::DestroyFrames(nsIPresContext * 0x03d3fb08) line 130
nsContainerFrame::Destroy(nsContainerFrame * const 0x0398991c, nsIPresContext * 0x03d3fb08) line 166
nsFrameList::DestroyFrames(nsIPresContext * 0x03d3fb08) line 130
nsContainerFrame::Destroy(nsContainerFrame * const 0x039898c4, nsIPresContext * 0x03d3fb08) line 166
nsFrameList::DestroyFrames(nsIPresContext * 0x03d3fb08) line 130
nsContainerFrame::Destroy(nsContainerFrame * const 0x03d26778, nsIPresContext * 0x03d3fb08) line 166
nsFrameList::DestroyFrames(nsIPresContext * 0x03d3fb08) line 130
nsContainerFrame::Destroy(nsContainerFrame * const 0x03d266a4, nsIPresContext * 0x03d3fb08) line 166
nsTableFrame::Destroy(nsTableFrame * const 0x03d266a4, nsIPresContext * 0x03d3fb08) line 311
nsFrameList::DestroyFrames(nsIPresContext * 0x03d3fb08) line 130
nsContainerFrame::Destroy(nsContainerFrame * const 0x03d26560, nsIPresContext * 0x03d3fb08) line 166
nsTableOuterFrame::Destroy(nsTableOuterFrame * const 0x03d26560, nsIPresContext * 0x03d3fb08) line 83
nsLineBox::DeleteLineList(nsIPresContext * 0x03d3fb08, nsLineList & {...}) line 301
nsBlockFrame::Destroy(nsBlockFrame * const 0x03d2632c, nsIPresContext * 0x03d3fb08) line 300 + 16 bytes
nsFrameList::DestroyFrames(nsIPresContext * 0x03d3fb08) line 130
nsContainerFrame::Destroy(nsContainerFrame * const 0x03d262cc, nsIPresContext * 0x03d3fb08) line 166
nsFrameList::DestroyFrames(nsIPresContext * 0x03d3fb08) line 130
nsContainerFrame::Destroy(nsContainerFrame * const 0x03d26188, nsIPresContext * 0x03d3fb08) line 166
nsFrameList::DestroyFrames(nsIPresContext * 0x03d3fb08) line 130
nsContainerFrame::Destroy(nsContainerFrame * const 0x038b02e4, nsIPresContext * 0x03d3fb08) line 166
nsFrameList::DestroyFrames(nsIPresContext * 0x03d3fb08) line 130
nsContainerFrame::Destroy(nsContainerFrame * const 0x038b0144, nsIPresContext * 0x03d3fb08) line 166
nsTableFrame::Destroy(nsTableFrame * const 0x038b0144, nsIPresContext * 0x03d3fb08) line 311
nsFrameList::DestroyFrames(nsIPresContext * 0x03d3fb08) line 130
nsContainerFrame::Destroy(nsContainerFrame * const 0x038affa8, nsIPresContext * 0x03d3fb08) line 166
nsTableOuterFrame::Destroy(nsTableOuterFrame * const 0x038affa8, nsIPresContext * 0x03d3fb08) line 83
nsLineBox::DeleteLineList(nsIPresContext * 0x03d3fb08, nsLineList & {...}) line 301
nsBlockFrame::Destroy(nsBlockFrame * const 0x0380ee0c, nsIPresContext * 0x03d3fb08) line 300 + 16 bytes
nsLineBox::DeleteLineList(nsIPresContext * 0x03d3fb08, nsLineList & {...}) line 301
nsBlockFrame::Destroy(nsBlockFrame * const 0x0380ec08, nsIPresContext * 0x03d3fb08) line 300 + 16 bytes
nsAreaFrame::Destroy(nsAreaFrame * const 0x0380ec08, nsIPresContext * 0x03d3fb08) line 156
nsFrameList::DestroyFrames(nsIPresContext * 0x03d3fb08) line 130
nsContainerFrame::Destroy(nsContainerFrame * const 0x037f6024, nsIPresContext * 0x03d3fb08) line 166
CanvasFrame::Destroy(CanvasFrame * const 0x037f6024, nsIPresContext * 0x03d3fb08) line 241
nsFrameList::DestroyFrames(nsIPresContext * 0x03d3fb08) line 130
nsContainerFrame::Destroy(nsContainerFrame * const 0x037f625c, nsIPresContext * 0x03d3fb08) line 166
nsBoxFrame::Destroy(nsBoxFrame * const 0x037f625c, nsIPresContext * 0x03d3fb08) line 1065 + 13 bytes
nsFrameList::DestroyFrames(nsIPresContext * 0x03d3fb08) line 130
nsContainerFrame::Destroy(nsContainerFrame * const 0x037f614c, nsIPresContext * 0x03d3fb08) line 166
nsBoxFrame::Destroy(nsBoxFrame * const 0x037f614c, nsIPresContext * 0x03d3fb08) line 1065 + 13 bytes
nsGfxScrollFrame::Destroy(nsGfxScrollFrame * const 0x037f614c, nsIPresContext * 0x03d3fb08) line 429
nsFrameList::DestroyFrames(nsIPresContext * 0x03d3fb08) line 130
nsContainerFrame::Destroy(nsContainerFrame * const 0x037f5f28, nsIPresContext * 0x03d3fb08) line 166
ViewportFrame::Destroy(ViewportFrame * const 0x037f5f28, nsIPresContext * 0x03d3fb08) line 68 -- same object as Reflow(), below
nsFrameManager::Destroy() line 347
PresShell::Destroy(PresShell * const 0x03884830) line 1903 -- same object as in ProcessReflowCommands(), below
DocumentViewerImpl::Destroy(DocumentViewerImpl * const 0x03827018) line 1226 -- called by prevViewer->Destroy, and *not* the same object, you can see
DocumentViewerImpl::Show(DocumentViewerImpl * const 0x03d28600) line 1474
nsPluginInstanceOwner::Init(nsPluginInstanceOwner * const 0x038bea60, nsIPresContext * 0x03d3fb08, nsObjectFrame * 0x03989ab0) line 3814
nsObjectFrame::Reflow(nsObjectFrame * const 0x03989ab0, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 1219708) line 1000
nsLineLayout::ReflowFrame(nsIFrame * 0x03989ab0, unsigned int & 1219708, nsHTMLReflowMetrics * 0x00000000, int & 0) line 994 + 43 bytes
nsBlockFrame::ReflowInlineFrame(nsBlockReflowState & {...}, nsLineLayout & {...}, nsLineList_iterator {...}, nsIFrame * 0x03989ab0, unsigned char * 0x00129cb7) line 3552 + 22 bytes
nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState & {...}, nsLineLayout & {...}, nsLineList_iterator {...}, int * 0x0012a3b4, unsigned char * 0x0012a18f, int 0, int 0) line 3419 + 32 bytes
nsBlockFrame::DoReflowInlineFramesAuto(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012a3b4, unsigned char * 0x0012a18f, int 0, int 0) line 3320 + 46 bytes
nsBlockFrame::ReflowInlineFrames(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012a3b4, int 0, int 0) line 3264 + 36 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012a3b4, int 0) line 2429 + 33 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2085 + 31 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x0398997c, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 801 + 15 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x0398997c, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0, unsigned int 0, unsigned int & 0) line 967 + 31 bytes
nsTableCellFrame::Reflow(nsTableCellFrame * const 0x0398991c, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 862
nsContainerFrame::ReflowChild(nsIFrame * 0x0398991c, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0, unsigned int 0, unsigned int & 0) line 967 + 31 bytes
nsTableRowFrame::ReflowChildren(nsTableRowFrame * const 0x039898c4, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, nsTableFrame & {...}, unsigned int & 0, int 0) line 957 + 45 bytes
nsTableRowFrame::Reflow(nsTableRowFrame * const 0x039898c4, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 1382 + 37 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x039898c4, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 1500, unsigned int 0, unsigned int & 0) line 967 + 31 bytes
nsTableRowGroupFrame::ReflowChildren(nsTableRowGroupFrame * const 0x03d26778, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, nsRowGroupReflowState & {...}, unsigned int & 0, nsTableRowFrame * 0x00000000, int 0, nsTableRowFrame * * 0x00000000, int * 0x0012b138) line 378 + 45 bytes
nsTableRowGroupFrame::Reflow(nsTableRowGroupFrame * const 0x03d26778, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 1215 + 35 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x03d26778, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0, unsigned int 0, unsigned int & 0) line 967 + 31 bytes
nsTableFrame::ReflowChildren(nsTableFrame * const 0x03d266a4, nsIPresContext * 0x03d3fb08, nsTableReflowState & {...}, int 1, int 0, unsigned int & 0, nsIFrame * & 0x00000000, nsRect & {...}, int * 0x00000000) line 3248 + 50 bytes
nsTableFrame::Reflow(nsTableFrame * const 0x03d266a4, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 1941
nsContainerFrame::ReflowChild(nsIFrame * 0x03d266a4, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0, unsigned int 3, unsigned int & 0) line 967 + 31 bytes
nsTableOuterFrame::OuterReflowChild(nsTableOuterFrame * const 0x03d26560, nsIPresContext * 0x03d3fb08, nsIFrame * 0x03d266a4, const nsHTMLReflowState & {...}, nsHTMLReflowMetrics & {...}, int 1073741824, nsSize & {...}, nsMargin & {...}, nsMargin & {...}, nsMargin & {...}, nsReflowReason eReflowReason_Initial, unsigned int & 0, int * 0x00000000) line 1332 + 47 bytes
nsTableOuterFrame::Reflow(nsTableOuterFrame * const 0x03d26560, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 1997 + 76 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 1, nsCollapsingMargin & {...}, int 1, nsMargin & {...}, nsHTMLReflowState & {...}, unsigned int & 0) line 529 + 42 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012c178) line 3042 + 56 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012c178, int 1) line 2300 + 27 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2085 + 31 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x03d2632c, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 801 + 15 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x03d2632c, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0, unsigned int 0, unsigned int & 0) line 967 + 31 bytes
nsTableCellFrame::Reflow(nsTableCellFrame * const 0x03d262cc, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 862
nsContainerFrame::ReflowChild(nsIFrame * 0x03d262cc, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0, unsigned int 0, unsigned int & 0) line 967 + 31 bytes
nsTableRowFrame::IR_TargetIsChild(nsTableRowFrame * const 0x03d26188, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, nsTableFrame & {...}, unsigned int & 0, nsIFrame * 0x03d262cc) line 1220 + 45 bytes
nsTableRowFrame::IncrementalReflow(nsTableRowFrame * const 0x03d26188, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, nsTableFrame & {...}, unsigned int & 0) line 1107 + 46 bytes
nsTableRowFrame::Reflow(nsTableRowFrame * const 0x03d26188, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 1392 + 35 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x03d26188, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 1800, unsigned int 0, unsigned int & 0) line 967 + 31 bytes
nsTableRowGroupFrame::IR_TargetIsChild(nsTableRowGroupFrame * const 0x038b02e4, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, nsRowGroupReflowState & {...}, unsigned int & 0, nsIFrame * 0x03d26188) line 1622 + 45 bytes
nsTableRowGroupFrame::IncrementalReflow(nsTableRowGroupFrame * const 0x038b02e4, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, nsRowGroupReflowState & {...}, unsigned int & 0) line 1300 + 42 bytes
nsTableRowGroupFrame::Reflow(nsTableRowGroupFrame * const 0x038b02e4, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 1206 + 31 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x038b02e4, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0, unsigned int 0, unsigned int & 0) line 967 + 31 bytes
nsTableFrame::IR_TargetIsChild(nsTableFrame * const 0x038b0144, nsIPresContext * 0x03d3fb08, nsTableReflowState & {...}, unsigned int & 0, nsIFrame * 0x038b02e4) line 2982 + 50 bytes
nsTableFrame::IncrementalReflow(nsTableFrame * const 0x038b0144, nsIPresContext * 0x03d3fb08, const nsHTMLReflowState & {...}, unsigned int & 0) line 2691 + 38 bytes
nsTableFrame::Reflow(nsTableFrame * const 0x038b0144, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 1957 + 27 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x038b0144, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0, unsigned int 3, unsigned int & 0) line 967 + 31 bytes
nsTableOuterFrame::OuterReflowChild(nsTableOuterFrame * const 0x038affa8, nsIPresContext * 0x03d3fb08, nsIFrame * 0x038b0144, const nsHTMLReflowState & {...}, nsHTMLReflowMetrics & {...}, int 13470, nsSize & {...}, nsMargin & {...}, nsMargin & {...}, nsMargin & {...}, nsReflowReason eReflowReason_Incremental, unsigned int & 0, int * 0x0012d3f8) line 1332 + 47 bytes
nsTableOuterFrame::IR_InnerTableReflow(nsTableOuterFrame * const 0x038affa8, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 1692 + 78 bytes
nsTableOuterFrame::IR_TargetIsInnerTableFrame(nsTableOuterFrame * const 0x038affa8, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 1445 + 31 bytes
nsTableOuterFrame::IR_TargetIsChild(nsTableOuterFrame * const 0x038affa8, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0, nsIFrame * 0x038b0144) line 1418 + 31 bytes
nsTableOuterFrame::IncrementalReflow(nsTableOuterFrame * const 0x038affa8, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 1398 + 42 bytes
nsTableOuterFrame::Reflow(nsTableOuterFrame * const 0x038affa8, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 1955 + 31 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 0, nsCollapsingMargin & {...}, int 1, nsMargin & {...}, nsHTMLReflowState & {...}, unsigned int & 0) line 546 + 42 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012de80) line 3042 + 56 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012de80, int 1) line 2300 + 27 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2085 + 31 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x0380ee0c, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 801 + 15 bytes
nsBlockReflowContext::ReflowBlock(const nsRect & {...}, int 1, nsCollapsingMargin & {...}, int 1, nsMargin & {...}, nsHTMLReflowState & {...}, unsigned int & 0) line 546 + 42 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012e9d4) line 3042 + 56 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012e9d4, int 1) line 2300 + 27 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2085 + 31 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x0380ec08, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 801 + 15 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x0380ec08, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0, unsigned int 0, unsigned int & 0) line 967 + 31 bytes
CanvasFrame::Reflow(CanvasFrame * const 0x037f6024, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 554
nsBoxToBlockAdaptor::Reflow(nsBoxLayoutState & {...}, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0, int 0, int 0, int 13470, int 11970, int 1) line 880
nsBoxToBlockAdaptor::DoLayout(nsBoxToBlockAdaptor * const 0x0380ea1c, nsBoxLayoutState & {...}) line 626 + 46 bytes
nsBox::Layout(nsBox * const 0x0380ea1c, nsBoxLayoutState & {...}) line 994
nsScrollBoxFrame::DoLayout(nsScrollBoxFrame * const 0x037f6294, nsBoxLayoutState & {...}) line 337
nsBox::Layout(nsBox * const 0x037f6294, nsBoxLayoutState & {...}) line 994
nsContainerBox::LayoutChildAt(nsBoxLayoutState & {...}, nsIBox * 0x037f6294, const nsRect & {...}) line 650 + 16 bytes
nsGfxScrollFrameInner::LayoutBox(nsBoxLayoutState & {...}, nsIBox * 0x037f6294, const nsRect & {...}) line 1257 + 17 bytes
nsGfxScrollFrameInner::Layout(nsBoxLayoutState & {...}) line 1413
nsGfxScrollFrame::DoLayout(nsGfxScrollFrame * const 0x037f6184, nsBoxLayoutState & {...}) line 1265 + 15 bytes
nsBox::Layout(nsBox * const 0x037f6184, nsBoxLayoutState & {...}) line 994
nsBoxFrame::Reflow(nsBoxFrame * const 0x037f614c, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 868
nsGfxScrollFrame::Reflow(nsGfxScrollFrame * const 0x037f614c, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 865 + 25 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x037f614c, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0, unsigned int 0, unsigned int & 0) line 967 + 31 bytes
ViewportFrame::Reflow(ViewportFrame * const 0x037f5f28, nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 248 + 43 bytes
IncrementalReflow::Dispatch(nsIPresContext * 0x03d3fb08, nsHTMLReflowMetrics & {...}, const nsSize & {...}, nsIRenderingContext & {...}) line 911
PresShell::ProcessReflowCommands(int 1) line 6355
ReflowEvent::HandleEvent() line 6180
HandlePLEvent(ReflowEvent * 0x02c22308) line 6194
PL_HandleEvent(PLEvent * 0x02c22308) line 692 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00c31bc8) line 627 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x000301dc, unsigned int 49476, unsigned int 0, long 12786632) line 1433 + 9 bytes
USER32! 77d43a50()
USER32! 77d43b1f()
USER32! 77d43d79()
USER32! 77d43ddf()
nsAppShellService::Run(nsAppShellService * const 0x00cf3bf8) line 524
main1(int 5, char * * 0x002a25d0, nsISupports * 0x00c30a58) line 1302 + 32 bytes
main(int 5, char * * 0x002a25d0) line 1779 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e814c

With your suggested change it just skips this part

nsObjectFrame::~nsObjectFrame() line 407
nsObjectFrame::`scalar deleting destructor'(unsigned int 1) + 15 bytes
nsFrame::Destroy line 649 + 34 bytes
nsSplittableFrame::Destroy line 72
nsContainerFrame::Destroy line 170 + 13 bytes

going directly to nsPluginInstanceOwner::Destroy() (same place) from nsObjectFrame::Destroy line 736 (new call to mInstanceOwner->Destroy), skipping frames 3-7 (numbering from 1).
Ugh. So the upshot is that something (the content viewer, sounds like) is confused and we're tearing down the exact same frame tree that we were just building up.... :(
Yes, I think that's it. From page 3, going to page 2 then page 1, I believe prevViewer is from page 2. It's still being built up as page 1 starts to load and destroy page 2.
Right. So the problem is that the previous document is still loading but the new document's content viewer is what's hanging off the docshell. I'm somewhat surprised that setting up the new viewer is not killing the old load (and clearing the reflow command cache on the old presshell). I'd think we want to do that. Another option (probably easier and safer) is to check that cv's prescontext is the same as ours. If it's not, then just bail out of here early, since the frame tree is about to get torn down anyway....
Note that prescontext lives on nsIDocumentViewer, though. I suppose we could check the document off nsIContentViewer, or we could just rely on the fact that all our nsIContentViewers are nsIDocumentViewers (that mess _so_ needs cleanup).
Adding M17rc1 to summary and topcrash keyword for tracking since there are a lot of these crashes for Mozilla 1.7 rc1. Sounds like you guys know what might be going on with this crash, but here are a few user comments in case people want to try to reproduce:

(30698) URL: www.sohu.com
(30698) Comments: tabbed browsing
(35954) Comments: I was browsing through Anandtech's site, finished a review and hit the back button on my mouse (you know, one of those mice with 8291 buttons on it that can do everything) several times rapidly and it just died on me. Firefox didn't do this so I'm sort of hoping this is an isolated incident.
(34411) quick successive back navigation
(28918) xbit.com......blah I clicked back button many times in rapid succession.
(5162) www.planet.nl Going backwards with post-data..
(1109) http://www.gamekult.com Multi click on "Back".
Keywords: topcrash
Summary: crash quickly hitting back button → M17rc1 crash quickly hitting back button [@ nsPluginDOMContextMenuListener::Destroy]
Attached patch: Patch to test
It does seem hard to reproduce -- I can't manage it... Timing issues? Dunno. Anyway, this patch should hopefully fix it. Can you try it?
Flags: blocking1.7?
Something unclean does seem to be going on with improperly stopping the previous doc load. I'd be happy to see that addressed. But this patch does stop the crash, which can't be a bad thing.
I'm not sure there's a problem with the stopping, per se. The basic sequence of events is: start loading page A, quickly start loading page B. When this happens, the content load of page A should be stopped as soon as the data for page B comes in. Even if this happens, though, there's a pending event on page A -- the reflow event posted when we constructed some frames (probably from InitialReflow()). At the same time, page B's data is coming in, and its own paint suppression interval is passing, so we're showing the content viewer for page A, while the "current" page is page B. Now when the reflow event for page A fires the code we're looking at in this bug will force page B visible, killing off page A. Now one could argue that this is a fragile and complicated system in general and that we need a cleaner solution to the "zombie document" problem.... we're sorta trying to find one. ;)
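As an added illustration (not code from this bug, the patch, or Mozilla), the following small C++ model plays out the sequence described above: page A's plugin owner is still inside Init() when the docshell already holds page B's content viewer, and forcing that viewer visible tears down the very frame tree that is being built. All the types here (PresContext, Viewer, DocShell, Owner, Frame) and the two scenario functions are hypothetical stand-ins named after the real actors; the model also shows the two mitigations the thread discusses, the "bail if the viewer's context is not ours" check and moving the owner teardown from the destructor into Frame::Destroy().

```cpp
#include <cstdio>

// Constructed model of the re-entrancy in bug 242282 (not Mozilla code).
struct PresContext { int docId; };            // one per document presentation
struct Listener { bool destroyed = false; };  // stands in for mCXMenuListener
struct Frame;

// Stand-in for a content viewer: Show() destroys the *previous* viewer's
// frame tree, as DocumentViewerImpl::Show -> prevViewer->Destroy() does.
struct Viewer {
    PresContext* ctx = nullptr;
    Frame* prevFrameTree = nullptr;           // frame tree of the viewer being replaced
    void Show();
};

struct DocShell { Viewer* currentViewer = nullptr; };

// Stand-in for nsPluginInstanceOwner. The real constructor left the listener
// pointer uninitialised; the model zeroes it and tracks the ordering problem
// explicitly with mDestroyRan instead of dereferencing garbage.
struct Owner {
    Listener* mCXMenuListener = nullptr;
    PresContext* mCtx = nullptr;
    bool mDestroyRan = false;

    enum class InitResult { Ok, BailedForeignViewer, TornDownDuringInit };

    // guardViewer=false follows the original control flow; guardViewer=true
    // applies the proposed check: bail when the docshell's viewer is not ours,
    // since our frame tree is about to be torn down anyway.
    InitResult Init(PresContext* ctx, DocShell* shell, bool guardViewer);
    void Destroy();
    ~Owner() { delete mCXMenuListener; }
};

// Stand-in for nsObjectFrame after the patch: the owner is torn down from
// Destroy(), while all frame members are still valid; the destructor is inert.
struct Frame {
    Owner* mInstanceOwner = nullptr;
    void Destroy() {
        if (mInstanceOwner) {
            mInstanceOwner->Destroy();
            mInstanceOwner = nullptr;         // the real code releases its reference here
        }
    }
    ~Frame() {}                               // nothing owner-related left here
};

void Viewer::Show() {
    if (prevFrameTree) {
        prevFrameTree->Destroy();             // prevViewer->Destroy() analogue
        prevFrameTree = nullptr;
    }
}

Owner::InitResult Owner::Init(PresContext* ctx, DocShell* shell, bool guardViewer) {
    mCtx = ctx;
    Viewer* cv = shell ? shell->currentViewer : nullptr;
    if (cv) {
        if (guardViewer && cv->ctx != mCtx) return InitResult::BailedForeignViewer;
        cv->Show();                           // may re-enter Destroy() on this very object
        if (mDestroyRan) return InitResult::TornDownDuringInit;  // original flow: crash site
    }
    mCXMenuListener = new Listener();         // the late initialisation the report describes
    return InitResult::Ok;
}

void Owner::Destroy() {
    mDestroyRan = true;
    delete mCXMenuListener;                   // null if Init never got this far
    mCXMenuListener = nullptr;
}

// The race from the thread: frame A is mid-Init while the docshell already
// holds page B's viewer, whose "previous viewer" owns A's frame tree.
Owner::InitResult RunBackButtonRace(bool guardViewer) {
    PresContext docA{1}, docB{2};
    Frame frameA; Owner ownerA; frameA.mInstanceOwner = &ownerA;
    Viewer viewerB; viewerB.ctx = &docB; viewerB.prevFrameTree = &frameA;
    DocShell shell; shell.currentViewer = &viewerB;
    return ownerA.Init(&docA, &shell, guardViewer);
}

// Normal load: the docshell's viewer is our own, so the guard does not fire.
Owner::InitResult RunNormalLoad(bool guardViewer) {
    PresContext docA{1};
    Frame frameA; Owner ownerA; frameA.mInstanceOwner = &ownerA;
    Viewer viewerA; viewerA.ctx = &docA;
    DocShell shell; shell.currentViewer = &viewerA;
    Owner::InitResult r = ownerA.Init(&docA, &shell, guardViewer);
    frameA.Destroy();                         // ordinary teardown after Init finished
    return r;
}

int main() {
    std::printf("race, original flow : %d\n", (int)RunBackButtonRace(false));
    std::printf("race, guarded       : %d\n", (int)RunBackButtonRace(true));
    std::printf("normal load, guarded: %d\n", (int)RunNormalLoad(true));
    return 0;
}
```

In the unguarded race the owner's Destroy() runs from inside its own Init(), which is exactly the shape of the stack trace above; the guard turns that into an early return before Show() is ever called, and the normal-load path is unaffected because the viewer's context matches ours.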
Attachment #147761 - Flags: superreview?(jst)
Attachment #147761 - Flags: review?(jst)
Comment on attachment 147761 [details] [diff] [review] Patch to test
nsObjectFrame::~nsObjectFrame() { - if (nsnull != mInstanceOwner) { - mInstanceOwner->Destroy(); - } - - NS_IF_RELEASE(mInstanceOwner); -
Wouldn't you want to leave the NS_IF_RELEASE() here in case the destruction of this frame doesn't go as planned (or do we know that ::Destroy() is always called before a frame is destroyed)? r+sr=jst
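Review bot: removing NS_IF_RELEASE(mInstanceOwner) from ~nsObjectFrame together with the Destroy() call makes the release of the owner depend on nsObjectFrame::Destroy() running for every frame, and the quoted hunk does not show that path; a one-line comment at the destructor stating the invariant the change relies on (nsFrame::Destroy is the only caller of a frame's destructor, so Destroy() always precedes it) would document why leaving the destructor empty is safe.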
Attachment #147761 - Flags: superreview?(jst)
Attachment #147761 - Flags: superreview+
Attachment #147761 - Flags: review?(jst)
Attachment #147761 - Flags: review+
> Wouldn't you want to leave the NS_IF_RELEASE() here

Strictly speaking, only hunks 1 and 4 are necessary to stop the crash.
(In reply to comment #13)
> Wouldn't you want to leave the NS_IF_RELEASE() here in case the destruction of
> this frame doesn't go as planned (or do we know that ::Destroy() is always
> called before a frame is destroyed)?

The only thing that ever calls an nsIFrame's destructor is nsFrame::Destroy, so we do in fact know that if a frame is destroyed at all it's destroyed via ::Destroy().

(In reply to comment #14)
> Strictly speaking, only hunks 1 and 4 are necessary to stop the crash.

True. The reason I made that change is that mInstanceOwner->Destroy() ends up referencing members of the frame, and I'd much rather this be happening in nsObjectFrame::Destroy (when we know for sure all the members are still there) than in ~nsObjectFrame (which is called rather late in the destruction process).
Taking. Checked in on trunk, leaving open pending 1.7 checkin.
Assignee: nobody → bzbarsky
Priority: -- → P1
Summary: M17rc1 crash quickly hitting back button [@ nsPluginDOMContextMenuListener::Destroy] → [FIXr]M17rc1 crash quickly hitting back button [@ nsPluginDOMContextMenuListener::Destroy]
Target Milestone: --- → mozilla1.7final
Comment on attachment 147761 [details] [diff] [review] Patch to test Could this please be approved for 1.7? This is a reasonably safe change that prevents us from tearing down a document from inside frame construction for the same document...
Attachment #147761 - Flags: approval1.7?
Comment on attachment 147761 [details] [diff] [review] Patch to test a=asa (on behalf of drivers) for checkin to 1.7
Attachment #147761 - Flags: approval1.7? → approval1.7+
Fixed.
Status: NEW → RESOLVED
Closed: 21 years ago
Keywords: fixed1.7
Resolution: --- → FIXED
Flags: blocking1.7?
Status: RESOLVED → VERIFIED
Keywords: fixed1.7 → verified1.7
Crash Signature: [@ nsPluginDOMContextMenuListener::Destroy]