Open Bug 1022786 Opened 10 years ago Updated 1 year ago

crash in nsLayoutUtils::GetFramesForArea(nsIFrame*, nsRect const&, nsTArray<nsIFrame*>&, unsigned int)

Categories

(Core :: Web Painting, defect)

32 Branch
x86
Windows NT
defect

Tracking Status
firefox47 --- affected
firefox48 --- affected

People

(Reporter: jbecerra, Unassigned)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is report bp-0c5e2edd-fbb0-4aae-9297-d74f22140608.
=============================================================

This startup crash started showing up this week in the list of explosive reports for nightly 32.0a1 (https://crash-analysis.mozilla.com/rkaiser/0000.overview.html). It's not a recent signature, as it exists in 29 and 30, for example, but it had a spike this week.

Mostly happening in Win7 installations, but it happens on all platforms.

More reports can be found here: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=nsLayoutUtils%3A%3AGetFramesForArea%28nsIFrame%2A%2C+nsRect+const%26%2C+nsTArray%3CnsIFrame%2A%3E%26%2C+unsigned+int%29

0 		@0x736e518b 	
1 	xul.dll 	nsLayoutUtils::GetFramesForArea(nsIFrame *,nsRect const &,nsTArray<nsIFrame *> &,unsigned int) 	layout/base/nsLayoutUtils.cpp
2 	xul.dll 	nsLayoutUtils::GetFrameForPoint(nsIFrame *,nsPoint,unsigned int) 	layout/base/nsLayoutUtils.cpp
3 	xul.dll 	mozilla::FindFrameTargetedByInputEvent(mozilla::WidgetGUIEvent const *,nsIFrame *,nsPoint const &,unsigned int) 	layout/base/PositionedEventTargeting.cpp
4 	xul.dll 	PresShell::HandleEvent(nsIFrame *,mozilla::WidgetGUIEvent *,bool,nsEventStatus *) 	layout/base/nsPresShell.cpp
5 	xul.dll 	nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent *,nsView *,nsEventStatus *) 	view/src/nsViewManager.cpp
6 	xul.dll 	nsView::HandleEvent(mozilla::WidgetGUIEvent *,bool) 	view/src/nsView.cpp
7 	xul.dll 	nsWindow::DispatchEvent(mozilla::WidgetGUIEvent *,nsEventStatus &) 	widget/windows/nsWindow.cpp
8 	xul.dll 	nsWindow::DispatchWindowEvent(mozilla::WidgetGUIEvent *) 	widget/windows/nsWindow.cpp
9 	xul.dll 	nsWindow::DispatchMouseEvent(unsigned int,unsigned int,long,bool,short,unsigned short) 	widget/windows/nsWindow.cpp
10 	xul.dll 	nsWindow::DispatchMouseEvent(unsigned int,unsigned int,long,bool,short,unsigned short) 	widget/windows/nsWindow.cpp
11 	xul.dll 	nsWindow::ProcessMessage(unsigned int,unsigned int &,long &,long *) 	widget/windows/nsWindow.cpp
12 	xul.dll 	nsWindow::WindowProcInternal(HWND__ *,unsigned int,unsigned int,long) 	widget/windows/nsWindow.cpp
13 	xul.dll 	CallWindowProcCrashProtected 	xpcom/base/nsCrashOnException.cpp
14 	xul.dll 	nsWindow::WindowProc(HWND__ *,unsigned int,unsigned int,long) 	widget/windows/nsWindow.cpp
15 	user32.dll 	InternalCallWinProc 	
16 	user32.dll 	UserCallWinProcCheckWow 	
17 	user32.dll 	DispatchMessageWorker 	
18 	user32.dll 	DispatchMessageW 	
19 	xul.dll 	nsAppShell::ProcessNextNativeEvent(bool) 	widget/windows/nsAppShell.cpp
20 	xul.dll 	nsBaseAppShell::DoProcessNextNativeEvent(bool,unsigned int) 	widget/xpwidgets/nsBaseAppShell.cpp
21 	xul.dll 	nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal *,bool,unsigned int) 	widget/xpwidgets/nsBaseAppShell.cpp
22 	xul.dll 	nsThread::ProcessNextEvent(bool,bool *) 	xpcom/threads/nsThread.cpp
23 	xul.dll 	NS_ProcessNextEvent(nsIThread *,bool) 	xpcom/glue/nsThreadUtils.cpp
24 	xul.dll 	nsXULWindow::ShowModal() 	xpfe/appshell/src/nsXULWindow.cpp
25 	xul.dll 	nsContentTreeOwner::ShowAsModal() 	xpfe/appshell/src/nsContentTreeOwner.cpp
26 	xul.dll 	nsWindowWatcher::OpenWindowInternal(nsIDOMWindow *,char const *,char const *,char const *,bool,bool,bool,nsIArray *,nsIDOMWindow * *) 	embedding/components/windowwatcher/src/nsWindowWatcher.cpp
27 	xul.dll 	nsWindowWatcher::OpenWindow(nsIDOMWindow *,char const *,char const *,char const *,nsISupports *,nsIDOMWindow * *) 	embedding/components/windowwatcher/src/nsWindowWatcher.cpp
28 	xul.dll 	NS_InvokeByIndex 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp
29 	xul.dll 	XPC_WN_CallMethod(JSContext *,unsigned int,JS::Value *) 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp
30 	mozjs.dll 	js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
31 	mozjs.dll 	Interpret 	js/src/vm/Interpreter.cpp
32 	mozjs.dll 	js::RunScript(JSContext *,js::RunState &) 	js/src/vm/Interpreter.cpp
33 	mozjs.dll 	js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
34 	mozjs.dll 	js::Invoke(JSContext *,JS::Value const &,JS::Value const &,unsigned int,JS::Value const *,JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
35 	mozjs.dll 	JS_CallFunctionValue(JSContext *,JS::Handle<JSObject *>,JS::Handle<JS::Value>,JS::HandleValueArray const &,JS::MutableHandle<JS::Value>) 	js/src/jsapi.cpp
36 	xul.dll 	nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS *,unsigned short,XPTMethodDescriptor const *,nsXPTCMiniVariant *) 	js/xpconnect/src/XPCWrappedJSClass.cpp
37 	xul.dll 	nsXPCWrappedJS::CallMethod(unsigned short,XPTMethodDescriptor const *,nsXPTCMiniVariant *) 	js/xpconnect/src/XPCWrappedJS.cpp
38 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp
39 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp
40 	xul.dll 	nsObserverList::NotifyObservers(nsISupports *,char const *,wchar_t const *)

The spike on 32.0a1 appears to have all come from the same user. In those reports the top frames are garbage, so we don't have much information to go on.

Since 32.0a1 doesn't exist anymore, and we're not seeing this in 33.0a1 or 32.0a2, it's probably not worth worrying about.

Fwiw, there's now one crash in 32.0a2: bp-c254d80e-215f-417d-a532-8c33c2140714
(still zero in 33.0a1)

Crash Signature: [@ nsLayoutUtils::GetFramesForArea(nsIFrame*, nsRect const&, nsTArray<nsIFrame*>&, unsigned int)] → [@ nsLayoutUtils::GetFramesForArea(nsIFrame*, nsRect const&, nsTArray<nsIFrame*>&, unsigned int)] [@ nsLayoutUtils::GetFramesForArea]

Crash volume for signature 'nsLayoutUtils::GetFramesForArea':
 - nightly (version 50): 0 crash from 2016-06-06.
 - aurora  (version 49): 0 crash from 2016-06-07.
 - beta    (version 48): 11 crashes from 2016-06-06.
 - release (version 47): 31 crashes from 2016-05-31.
 - esr     (version 45): 0 crash from 2016-04-07.

Crash volume on the last weeks:
             Week N-1   Week N-2   Week N-3   Week N-4   Week N-5   Week N-6   Week N-7
 - nightly          0          0          0          0          0          0          0
 - aurora           0          0          0          0          0          0          0
 - beta             0          2          2          2          1          3          0
 - release          6          3          6          3          7          5          0
 - esr              0          0          0          0          0          0          0

Affected platform: Windows

Component: Layout: View Rendering → Layout: Web Painting
QA Whiteboard: qa-not-actionable
Severity: critical → S2

Very few crashes on crash stats -> S3.

Severity: S2 → S3
Crash Signature: [@ nsLayoutUtils::GetFramesForArea(nsIFrame*, nsRect const&, nsTArray<nsIFrame*>&, unsigned int)] [@ nsLayoutUtils::GetFramesForArea] → [@ nsLayoutUtils::GetFramesForArea] [@ nsLayoutUtils::GetFramesForArea]