Closed Bug 756883 Opened 12 years ago Closed 8 years ago

crash in nsGfxScrollFrameInner::ScrollToImpl @ mozilla::FrameLayerBuilder::GetThebesLayerScaleForFrame

Categories

(Core :: Layout, defect)

Version: 15 Branch
Platform: All, Windows 7
Type: defect
Priority: Not set
Severity: critical

RESOLVED INCOMPLETE

People

(Reporter: scoobidiver, Unassigned)

Details

(Keywords: crash, regression)

Crash Data

It first appeared in 15.0a1/20120513 at a low volume. The regression range might be:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=22a58090fa70&tochange=c758cc9b60e5

Signature 	mozilla::FrameLayerBuilder::GetThebesLayerResolutionForFrame(nsIFrame*, double*, double*, gfxPoint*)
UUID	655c59e3-c0e9-41ee-8742-911692120519
Date Processed	2012-05-19 15:33:57
Uptime	1035
Last Crash	17.3 minutes before submission
Install Age	19.7 minutes since version was first installed.
Install Time	2012-05-19 20:14:02
Product	Firefox
Version	15.0a1
Build ID	20120519030527
Release Channel	nightly
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 23 stepping 10
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x5b840fc0
App Notes 	
AdapterVendorID: 0x8086, AdapterDeviceID: 0x29c2, AdapterSubsysID: 31031565, AdapterDriverVersion: 6.14.10.4926
D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- 
EMCheckCompatibility	True	
Total Virtual Memory	2147352576
Available Virtual Memory	1764982784
System Memory Use Percentage	60
Available Page File	2066759680
Available Physical Memory	425005056

Frame 	Module 	Signature 	Source
0 	xul.dll 	mozilla::FrameLayerBuilder::GetThebesLayerResolutionForFrame 	layout/base/FrameLayerBuilder.cpp:2324
1 	xul.dll 	mozilla::FrameLayerBuilder::GetThebesLayerResolutionForFrame 	layout/base/FrameLayerBuilder.cpp:2350
2 	xul.dll 	mozilla::FrameLayerBuilder::GetThebesLayerResolutionForFrame 	layout/base/FrameLayerBuilder.cpp:2350
3 	xul.dll 	mozilla::FrameLayerBuilder::GetThebesLayerResolutionForFrame 	layout/base/FrameLayerBuilder.cpp:2350
4 	xul.dll 	nsGfxScrollFrameInner::ScrollToImpl 	layout/generic/nsGfxScrollFrame.cpp:2113
5 	xul.dll 	nsGfxScrollFrameInner::ReflowFinished 	layout/generic/nsGfxScrollFrame.cpp:3529
6 	xul.dll 	PresShell::HandlePostedReflowCallbacks 	layout/base/nsPresShell.cpp:3706
7 	xul.dll 	PresShell::ProcessReflowCommands 	layout/base/nsPresShell.cpp:7572
8 	xul.dll 	PresShell::FlushPendingNotifications 	layout/base/nsPresShell.cpp:3877
9 	xul.dll 	nsEventStateManager::FlushPendingEvents 	content/events/src/nsEventStateManager.cpp:4876
10 	xul.dll 	nsEventStateManager::PreHandleEvent 	content/events/src/nsEventStateManager.cpp:1182
11 	xul.dll 	PresShell::HandleEventInternal 	layout/base/nsPresShell.cpp:6412
12 	xul.dll 	PresShell::HandlePositionedEvent 	layout/base/nsPresShell.cpp:6163
13 	xul.dll 	PresShell::HandleEvent 	layout/base/nsPresShell.cpp:5960
14 	xul.dll 	nsViewManager::DispatchEvent 	view/src/nsViewManager.cpp:901
15 	xul.dll 	AttachedHandleEvent 	view/src/nsView.cpp:190
16 	xul.dll 	nsWindow::DispatchEvent 	widget/windows/nsWindow.cpp:3516
17 	xul.dll 	nsWindow::DispatchWindowEvent 	widget/windows/nsWindow.cpp:3542
18 	xul.dll 	nsWindow::DispatchMouseEvent 	widget/windows/nsWindow.cpp:3937
19 	xul.dll 	nsWindow::ProcessMessage 	widget/windows/nsWindow.cpp:4816
20 	xul.dll 	nsWindow::WindowProcInternal 	widget/windows/nsWindow.cpp:4337
21 	xul.dll 	CallWindowProcCrashProtected 	xpcom/base/nsCrashOnException.cpp:65
22 	xul.dll 	xul.dll@0x69f8f

More reports at:
https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3AFrameLayerBuilder%3A%3AGetThebesLayerResolutionForFrame%28nsIFrame*%2C+double*%2C+double*%2C+gfxPoint*%29

The FrameLayerBuilder::GetThebesLayerResolutionForFrame call was added to
nsGfxScrollFrameInner::ScrollToImpl in bug 681192, part 1:
http://hg.mozilla.org/mozilla-central/rev/9e1f8d125acc

Merged to m-c on May 10:
http://hg.mozilla.org/mozilla-central/pushloghtml?changeset=b7b6565d12a0

We have known crashes with ScrollToImpl near the top so it could be one
of those that changed its top signature, or it might be a new problem...

Blocks: 681192

The crashing line is usually "nsTArray<DisplayItemData> *array = GetDisplayItemDataArrayForFrame(aFrame);". I don't see how that function could crash unless the frame tree is corrupt or maybe the LayerManagerData is corrupt.

It looks like GetThebesLayerResolutionForFrame was replaced by
GetThebesLayerScaleForFrame.
http://hg.mozilla.org/releases/mozilla-beta/annotate/995480afdf3e/layout/generic/nsGfxScrollFrame.cpp#l1963

Crash still occurs in low volume: ~260 crashes in past 4 weeks.
E.g. bp-d3e8a81a-299b-45b1-966d-371622130821

Crash Signature: [@ mozilla::FrameLayerBuilder::GetThebesLayerResolutionForFrame(nsIFrame*, double*, double*, gfxPoint*)] → [@ mozilla::FrameLayerBuilder::GetThebesLayerScaleForFrame(nsIFrame *)]
Summary: crash in nsGfxScrollFrameInner::ScrollToImpl @ mozilla::FrameLayerBuilder::GetThebesLayerResolutionForFrame → crash in nsGfxScrollFrameInner::ScrollToImpl @ mozilla::FrameLayerBuilder::GetThebesLayerScaleForFrame

Crash Signature: [@ mozilla::FrameLayerBuilder::GetThebesLayerScaleForFrame(nsIFrame *)] → [@ mozilla::FrameLayerBuilder::GetThebesLayerScaleForFrame(nsIFrame *)] [@ mozilla::FrameLayerBuilder::GetThebesLayerScaleForFrame]

FrameLayerBuilder::GetThebesLayerScaleForFrame no longer exists.
I think this signature moved to FrameLayerBuilder::GetPaintedLayerScaleForFrame
so let's handle this in bug 1134771 instead.

Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE