Closed Bug 532777 Opened 15 years ago Closed 7 years ago

Crash in [@ JS_RestoreFrameChain ]

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Version:
1.9.2 Branch
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: marcia, Unassigned)

Details

(Keywords: crash, Whiteboard: [crashkill])

Crash Data

chofmann suggested I spin this off into a separate bug in Bug 532565#c1.

Here is a link to the crash data for this stack in all versions of Firefox: http://tinyurl.com/yfyrerd

This crash is seen on 3.0.x, 3.5.x, in the 3.6 betas and on the trunk.

Common threads in comments include:

*Exiting Quake Live
*Evernote add-in

I have not yet been able to reproduce with this stack but I will try to get a better set.
we might be able to break out the quake specific crashes in this signature by the crash address.  here are two I spotted in comments

0xe0bc1 	I was playing Quake Live
0x207bc1   	i quit quake live and it crashed firefox

http://crash-stats.mozilla.com/report/index/f8e5b3ff-bb8c-43d4-b3fa-99c652091203
http://crash-stats.mozilla.com/report/index/050e4539-d2cb-4913-8ff9-7e97c2091201

stack traces in both reports look look the same.

Frame  	Module  	Signature [Expand]  	Source
0 	libmozjs.dylib 	JS_RestoreFrameChain 	js/src/jsapi.cpp:5295
1 	XUL 	XPCJSContextStack::Pop 	js/src/xpconnect/src/xpcthreadcontext.cpp:107
2 	XUL 	nsCxPusher::Pop 	content/base/src/nsContentUtils.cpp:2804
3 	XUL 	nsContentUtils::InitializeEventTable 	content/base/src/nsContentUtils.cpp:2669
4 	XUL 	nsEventListenerManager::HandleEvent 	content/events/src/nsEventListenerManager.cpp:1223
5 	XUL 	nsEventTargetChainItem::HandleEvent 	content/events/src/nsEventDispatcher.cpp:236
6 	XUL 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventDispatcher.cpp:271
7 	XUL 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:514
8 	XUL 	FireFocusOrBlurEvent 	content/events/src/nsEventStateManager.cpp:328
9 	XUL 	nsEventStateManager::PreHandleEvent 	content/events/src/nsEventStateManager.cpp:1128
10 	XUL 	PresShell::HandleEventInternal 	layout/base/nsPresShell.cpp:6313
11 	XUL 	PresShell::HandleEvent 	layout/base/nsPresShell.cpp:6123
12 	XUL 	nsViewManager::HandleEvent 	view/src/nsViewManager.cpp:1400
13 	XUL 	nsViewManager::DispatchEvent 	view/src/nsViewManager.cpp:1359
14 	XUL 	HandleEvent 	view/src/nsView.cpp:168
15 	XUL 	nsChildView::DispatchEvent 	widget/src/cocoa/nsChildView.mm:2042
16 	XUL 	-[ChildView sendFocusEvent:] 	widget/src/cocoa/nsChildView.mm:2934
17 	XUL 	nsChildView::SetFocus 	widget/src/cocoa/nsChildView.mm:1137
18 	XUL 	nsGlobalWindow::Focus 	dom/src/base/nsGlobalWindow.cpp:4314
19 	XUL 	nsWebShellWindow::HandleEvent 	xpfe/appshell/src/nsWebShellWindow.cpp:512
20 	XUL 	nsCocoaWindow::DispatchEvent 	widget/src/cocoa/nsCocoaWindow.mm:1179
21 	XUL 	-[WindowDelegate sendFocusEvent:] 	widget/src/cocoa/nsCocoaWindow.mm:1672
22 	XUL 	-[WindowDelegate sendToplevelActivateEvents] 	widget/src/cocoa/nsCocoaWindow.mm:1711
23 	XUL 	+[TopLevelWindowData activateInWindow:] 	widget/src/cocoa/nsWindowMap.mm:265
24 	Foundation 	Foundation@0x15236 	
25 	CoreFoundation 	CoreFoundation@0x4b3d1 	
26 	CoreFoundation 	CoreFoundation@0x42b50 	
27 	Foundation 	Foundation@0xd7c7 	
28 	Foundation 	Foundation@0x14768 	
29 	AppKit 	AppKit@0xe73c0 	
30 	AppKit 	AppKit@0x90f06 	
31 	AppKit 	AppKit@0x38f7d 	
32 	AppKit 	AppKit@0x384c7 	
33 	AppKit 	AppKit@0x37939 	
34 	AppKit 	AppKit@0x378c9 	
35 	quakelive 	quakelive@0xdc3d6 	
36 	quakelive 	quakelive@0xdc4ef 	
37 	quakelive 	quakelive@0x140a2 	
38 	quakelive 	quakelive@0x5ea56 	
39 	quakelive 	quakelive@0x60b52 	
40 	quakelive 	quakelive@0x76bb9 	
41 	quakelive 	quakelive@0x74fd0 	
42 	quakelive 	quakelive@0x7a7fd 	
43 	quakelive 	quakelive@0xe1502 	
44 	quakelive 	quakelive@0xe39b0 	
45 	libSystem.B.dylib 	libSystem.B.dylib@0x24226
source lines at the top of the stack haven't changed in ages.

further down this change was made during 3.6 development.

http://hg.mozilla.org/releases/mozilla-1.9.1/annotate/57f71400f4cf/content/base/src/nsContentUtils.cpp#l2804

http://hg.mozilla.org/releases/mozilla-1.9.1/log/57f71400f4cf/content/base/src/nsContentUtils.cpp

Brandon Sterne - Bug 490760. Don't crash on changes to the child node list. r+sr=jst a191=beltzner

cc'ing some folks that might be able to take a quick look.
109 - 191  crashes per day for all JS_RestoreFrameChain on  200911 * -crashdata  with slight increase at the end of the month

Correlation to releases shows higher pct. numbers in 3.6b..  maybe more quake players using the beta? 

checking --- 20091130-crashdata.csv JS_RestoreFrameChain
release total-crashes
              JS_RestoreFrameChain crashes
                         pct.
all     233706  191     0.000817266
3.0.15  50334   37      0.00073509
3.5.5   122547  104     0.000848654
3.6b4   16576   18      0.00108591
3.6b3   2703    3       0.00110988
3.6b2   1193            0
3.6b1   2776    3       0.00108069

os breakdown
77      0.403141        Windows NT5.1.2600 Service Pack 3
41      0.21466 Windows NT5.1.2600 Service Pack 2
23      0.120419        Windows NT6.0.6002 Service Pack 2
13      0.0680628       Windows NT6.0.6001 Service Pack 1
13      0.0680628       Windows NT6.0.6000
4       0.0209424       Windows NT6.1.7600
4       0.0209424       Mac OS X10.5.8 9L30
3       0.0157068       Mac OS X10.5.8 9L31a
2       0.0104712       Windows NT5.1.2600 Service Pack 1
2       0.0104712       Windows NT5.1.2600 Dodatek Service Pack 3
2       0.0104712       Windows NT5.1.2600 Dodatek Service Pack 2
2       0.0104712       Mac OS X10.6.2 10C540
2       0.0104712       Mac OS X10.4.11 8S2167
1       0.0052356       Windows NT6.1.7100
1       0.0052356       Windows NT5.1.2600
Chromebug crashes on exit with the top frame JS_RestoreFrameChain

http://crash-stats.mozilla.com/report/index/bp-b6025c4c-c3db-4f49-81e3-829ad2091204

I was investigating problems on a page with Worker objects. I wonder if the Quake thing uses Worker?  Otherwise I see no connection, maybe different bugs.
Summary: Crash in [ @ JS_RestoreFrameChain ] → Crash in [@ JS_RestoreFrameChain ]
Crash Signature: [@ JS_RestoreFrameChain ]
I'm marking this bug as WORKSFORME as bug crashlog signature didn't appear from a long time (over half year) in Firefox.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.