781279 - crash in nsRootPresContext::UpdatePluginGeometry

Status: RESOLVED FIXED

(Core :: Layout, defect)

Description

[Scoobidiver (away)]

There's a spike in crashes from 17.0a1/20120808. The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1bbc0b65dffb&tochange=e55638d4037a
It's likely related to bug 781272.

Stack traces are various:
Frame 	Module 	Signature 	Source
0 	xul.dll 	nsRootPresContext::UpdatePluginGeometry 	layout/base/nsPresContext.cpp:2722
1 	xul.dll 	PresShell::DidPaint 	layout/base/nsPresShell.cpp:7068
2 	xul.dll 	nsViewManager::DispatchEvent 	view/src/nsViewManager.cpp:770
3 	xul.dll 	AttachedHandleEvent 	view/src/nsView.cpp:159
4 	xul.dll 	nsWindow::DispatchEvent 	widget/windows/nsWindow.cpp:3520
5 	xul.dll 	nsWindow::DispatchWindowEvent 	widget/windows/nsWindow.cpp:3546
6 	xul.dll 	nsWindow::OnPaint 	widget/windows/nsWindowGfx.cpp:606
...

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsRootPresContext::UpdatePluginGeometry 	layout/base/nsPresContext.cpp:2722
1 	xul.dll 	UpdatePluginGeometryCallback 	layout/base/nsPresContext.cpp:2742
2 	xul.dll 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:473
3 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:624
4 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:116
5 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:201
...

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsRootPresContext::UpdatePluginGeometry 	layout/base/nsPresContext.cpp:2722
1 	xul.dll 	PresShell::FlushPendingNotifications 	layout/base/nsPresShell.cpp:3898
2 	xul.dll 	nsDocument::FlushPendingNotifications 	content/base/src/nsDocument.cpp:6314
3 	xul.dll 	nsGlobalWindow::FlushPendingNotifications 	dom/base/nsGlobalWindow.cpp:10245
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsRootPresContext%3A%3AUpdatePluginGeometry%28%29

Comment 1

[Scoobidiver (away)]

It's #3 top crasher in today's build.

Comment 2

[Robert Kaiser]

I think this is a dupe of bug 781272.

Comment 4

[Andrew McCreight [:mccr8]]

Currently the #6 crasher.  It looks like a regression from bug 775965.

Here's my comment from bug 781265 which has more information:

I happened across a way to reproduce this on the latest Nightly.

Clean profile with just Flash active.

1. open youtube.com, start playing a video
2. While the youtube video is still playing, go to rng.io and let it run.

It crashes quickly.

here are a few examples:
https://crash-stats.mozilla.com/report/index/bp-a588de12-8443-41e0-911c-1dd942120820
https://crash-stats.mozilla.com/report/index/bp-69f75b50-8a16-4b9c-9d44-65cb92120820

Comment 5

[Andrew McCreight [:mccr8]]

This was initially being caused by bug 781272, but then that was fixed and a new regression came up, from bug 775965 judging by Alice's bisection of my steps to reproduce given in comment 4.

Comment 7

[Scoobidiver (away)]

With combined signatures, it's #1 top crasher in the trunk.

Comment 8

[Stephen Donner [:stephend] Not actively reading bugmail]

I'm hitting this just running through "all tests" on http://browserscope.org/, with Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0

Comment 9

[Chris Pearce [:cpearce (Not reading bugmail)]]

The crash I see is caused by loading
http://www.zataz.com/news/22329/photobucket_-photo_-hack_-fusking.html

Stack is:

#0  0x00007f403184303d in nanosleep () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007f4031842edc in sleep () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007f402be3193e in ah_crap_handler (signum=11)
    at /home/cpearce/src/mozilla/orange/toolkit/xre/nsSigHandlers.cpp:87
#3  0x00007f402be3b976 in nsProfileLock::FatalSignalHandler (signo=11, info=0x7fffe1d45b30, 
    context=0x7fffe1d45a00) at /obj/orange/toolkit/profile/nsProfileLock.cpp:190
#4  <signal handler called>
#5  0x00007f402c0ce5e6 in nsStyleContext::GetRuleNode (this=0x5a5a5a5a5a5a5a5a)
    at ../../dist/include/nsStyleContext.h:190
#6  0x00007f402c0ce60c in nsIFrame::PresContext (this=0x7f400b8d41e8) at ../../dist/include/nsIFrame.h:547
#7  0x00007f402c1d72d6 in nsRootPresContext::RequestUpdatePluginGeometry (this=0x7f400db0a400, 
    aFrame=0x7f4009ca51e8) at /home/cpearce/src/mozilla/orange/layout/base/nsPresContext.cpp:2665
#8  0x00007f402c1f5592 in PresShell::DoReflow (this=0x7f400ddbdb20, target=0x7f4009ca51e8, aInterruptible=true)
    at /home/cpearce/src/mozilla/orange/layout/base/nsPresShell.cpp:7501
#9  0x00007f402c1f58b6 in PresShell::ProcessReflowCommands (this=0x7f400ddbdb20, aInterruptible=true)
    at /home/cpearce/src/mozilla/orange/layout/base/nsPresShell.cpp:7577
#10 0x00007f402c1e9494 in PresShell::FlushPendingNotifications (this=0x7f400ddbdb20, 
    aType=Flush_InterruptibleLayout) at /home/cpearce/src/mozilla/orange/layout/base/nsPresShell.cpp:3898
#11 0x00007f402c201ac6 in nsRefreshDriver::Notify (this=0x7f400ba7c210, aTimer=0x7f4005ff1fe0)
    at /home/cpearce/src/mozilla/orange/layout/base/nsRefreshDriver.cpp:398
#12 0x00007f402d8b9c6d in nsTimerImpl::Fire (this=0x7f4005ff1fe0)
    at /home/cpearce/src/mozilla/orange/xpcom/threads/nsTimerImpl.cpp:476
#13 0x00007f402d8ba053 in nsTimerEvent::Run (this=0x7f402247a788)
    at /home/cpearce/src/mozilla/orange/xpcom/threads/nsTimerImpl.cpp:556
#14 0x00007f402d8b1f3a in nsThread::ProcessNextEvent (this=0x7f403146f300, mayWait=false, 
    result=0x7fffe1d4662f) at /home/cpearce/src/mozilla/orange/xpcom/threads/nsThread.cpp:624
#15 0x00007f402d84317b in NS_ProcessNextEvent_P (thread=0x7f403146f300, mayWait=false)
    at /obj/orange/xpcom/build/nsThreadUtils.cpp:220
#16 0x00007f402d65b910 in mozilla::ipc::MessagePump::Run (this=0x7f402245cac0, aDelegate=0x7f40314d9f90)
    at /home/cpearce/src/mozilla/orange/ipc/glue/MessagePump.cpp:82
#17 0x00007f402d9032a7 in MessageLoop::RunInternal (this=0x7f40314d9f90)
    at /home/cpearce/src/mozilla/orange/ipc/chromium/src/base/message_loop.cc:208
#18 0x00007f402d903238 in MessageLoop::RunHandler (this=0x7f40314d9f90)
    at /home/cpearce/src/mozilla/orange/ipc/chromium/src/base/message_loop.cc:201
#19 0x00007f402d903211 in MessageLoop::Run (this=0x7f40314d9f90)
    at /home/cpearce/src/mozilla/orange/ipc/chromium/src/base/message_loop.cc:175
#20 0x00007f402d4d3038 in nsBaseAppShell::Run (this=0x7f401d93fa20)
    at /home/cpearce/src/mozilla/orange/widget/xpwidgets/nsBaseAppShell.cpp:163
#21 0x00007f402d200dd0 in nsAppStartup::Run (this=0x7f401d94d420)
    at /home/cpearce/src/mozilla/orange/toolkit/components/startup/nsAppStartup.cpp:273
#22 0x00007f402be23349 in XREMain::XRE_mainRun (this=0x7fffe1d46b00)
    at /home/cpearce/src/mozilla/orange/toolkit/xre/nsAppRunner.cpp:3800
#23 0x00007f402be23639 in XREMain::XRE_main (this=0x7fffe1d46b00, argc=4, argv=0x7fffe1d48f68, 
    aAppData=0x637c40) at /home/cpearce/src/mozilla/orange/toolkit/xre/nsAppRunner.cpp:3877
#24 0x00007f402be23882 in XRE_main (argc=4, argv=0x7fffe1d48f68, aAppData=0x637c40, aFlags=0)
    at /home/cpearce/src/mozilla/orange/toolkit/xre/nsAppRunner.cpp:3953
#25 0x0000000000402a7f in do_main (argc=4, argv=0x7fffe1d48f68)
    at /home/cpearce/src/mozilla/orange/browser/app/nsBrowserApp.cpp:174
#26 0x0000000000402d35 in main (argc=4, argv=0x7fffe1d48f68)
    at /home/cpearce/src/mozilla/orange/browser/app/nsBrowserApp.cpp:279

Reverting the patches from bug 775965 indeed fixes the crash, so it it a regression from bug 775965.

Comment 10

[Chris Pearce [:cpearce (Not reading bugmail)]]

Attachment: Patch

Forget the plugin for geometry updates in the root PresContext right before we we detach the sub doc's presentation.

This fixes the crashes reported as best as I can tell; it was not deterministic. I tested the URLs the Marcia listed in bug 781272 comment #3, and we no longer crash with this patch.

Looks promising so far on Try:

https://tbpl.mozilla.org/?tree=Try&rev=3440d9ef242b

Comment 11

[Robert O'Callahan (:roc) (email my personal email if necessary)]

Comment on attachment 654091 [details] [diff] [review]
Patch

Review of attachment 654091 [details] [diff] [review]:
-----------------------------------------------------------------

::: layout/generic/nsSubDocumentFrame.cpp
@@ +818,5 @@
> +    if (presContext) {
> +      nsRootPresContext* rootPresContext = presContext->GetRootPresContext();
> +      if (rootPresContext) {
> +        rootPresContext->
> +          RootForgetUpdatePluginGeometryFrameForPresContext(presContext);

I think we should do this when we destroy the original nsSubdocumentFrame.

Comment 12

[Chris Pearce [:cpearce (Not reading bugmail)]]

Attachment: Patch v2

Forget update plugin geometry in nsSubDocumentFrame::DestroyFrom().

I was also forgetting the update-plugin-geometry-frame the outer-frame's PresContext(), not the sub frame's PresContext(), so we were actually still crashing sporadically. This version of the patch forgets in the subframe's PresContext.

https://tbpl.mozilla.org/?tree=Try&rev=95d0e0d01bbd

Comment 13

[Chris Pearce [:cpearce (Not reading bugmail)]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/fe4538ef86c5

Comment 14

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/fe4538ef86c5

Comment 16

[Virgil Dicu [:virgil] [QA]]

Could not reproduce crash from comment 4 but crash from comment 9 reproducible for
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0
Build ID: 20120808030529

No crashes for
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 beta 4
Build ID: 20121031065642

I can still see 83 crashes for Beta 3 with this signature and 40 for Beta 4. 
There are 2 other bugs however which track crashes with this signature: bug 754380 and bug 798760 so setting this to verified for Beta.

Comment 17

[Tracy Walker [:tracy]]

mass remove verifyme requests greater than 4 months old