Closed Bug 1256745 Opened 4 years ago Closed 4 years ago

crashes in nsPresContext::NotifyDidPaintForSubtree because nsPresContext::mShell is null

Categories

(Core :: Layout, defect, critical)

Unspecified
Windows NT
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla48
Tracking Status
firefox45 --- affected
firefox46 --- affected
firefox47 --- fixed
firefox48 --- fixed

People

(Reporter: dbaron, Assigned: dbaron)

Details

(Keywords: crash, topcrash)

Attachments

(1 file)

This bug was filed from the Socorro interface and is report bp-6a1a3ae0-7419-40e5-8ee1-67e312160315.
=============================================================

There are a decent number of crashes in nsPresContext::NotifyDidPaintForSubtree in crash-stats:
https://crash-stats.mozilla.com/signature/?product=Firefox&release_channel=nightly&platform=Windows&date=%3E%3D2016-01-01&signature=nsPresContext%3A%3ANotifyDidPaintForSubtree&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&page=1#reports

I looked at the minidump for this one in particular and confirmed that we're dealing with a pres context whose mShell is null.

So we end up with a null-dereference crash that's a regression from bug 1078005.
(A question is why the various CancelDidPaintTimer calls don't prevent this from happening -- most importantly, the one in nsRootPresContext::Detach.  Though the whole thing is sort of a mess...)
Comment on attachment 8730843 [details]
MozReview Request: Bug 1256745 - Cancel the DidPaint timer in SetShell(nullptr).  r?mattwoodrow

https://reviewboard.mozilla.org/r/40185/#review36747
Attachment #8730843 - Flags: review?(matt.woodrow) → review+
https://hg.mozilla.org/mozilla-central/rev/fd6c1f7f3e4e
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Based on:
https://crash-stats.mozilla.com/signature/?product=Firefox&signature=nsPresContext%3A%3ANotifyDidPaintForSubtree&date=%3E%3D2016-01-01&release_channel=nightly#aggregations
this does appear to have fixed the crash.  This crash hasn't occurred on nightly since March 14, and prior to the patch landing (March 17), it appears to have happened at least once a week since the beginning of the year (though the biggest gap was March 6-14).
Comment on attachment 8730843 [details]
MozReview Request: Bug 1256745 - Cancel the DidPaint timer in SetShell(nullptr).  r?mattwoodrow

Approval Request Comment
[Feature/regressing bug #]: unknown
[User impact if declined]: crashes
[Describe test coverage new/current, TreeHerder]: none
[Risks and why]: relatively low risk patch to cancel the timer that needs to be canceled so that we don't crash when it runs
[String/UUID change made/needed]: no
Attachment #8730843 - Flags: approval-mozilla-aurora?
Assignee: nobody → dbaron
Comment on attachment 8730843 [details]
MozReview Request: Bug 1256745 - Cancel the DidPaint timer in SetShell(nullptr).  r?mattwoodrow

Verified on Nightly (as per comment 6 though I wasn't able to find any reports of this crash signature on 48.0a2 but I might be mistaken), Aurora47+
Attachment #8730843 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
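
The lifecycle problem discussed in this bug is a timer callback that runs on a context whose shell has already been cleared; the patch title names the fix, cancelling the timer in SetShell(nullptr). The block below models that pattern as an added example. It is not the Gecko patch or Mozilla code: TimerQueue, Context, Shell and RunScenario are hypothetical names, and the model counts the null-shell callback where real code would dereference the pointer.

```cpp
#include <functional>
#include <vector>

// Constructed single-threaded timer queue (hypothetical, not Gecko's nsITimer).
struct TimerQueue {
    struct Entry { int id; std::function<void()> fn; };
    std::vector<Entry> pending;
    int nextId = 1;
    int Schedule(std::function<void()> fn) { pending.push_back({nextId, fn}); return nextId++; }
    void Cancel(int id) {
        for (auto it = pending.begin(); it != pending.end(); ++it)
            if (it->id == id) { pending.erase(it); return; }
    }
    void RunAll() {  // fire every timer that is still pending
        std::vector<Entry> due; due.swap(pending);
        for (auto& e : due) e.fn();
    }
};
struct Shell { int paintsNotified = 0; };

// Hypothetical stand-in for a context object that owns a DidPaint-style timer.
class Context {
public:
    Context(TimerQueue& q, bool cancelOnDetach) : mQueue(q), mCancelOnDetach(cancelOnDetach) {}
    void SetShell(Shell* shell) {
        // Fix pattern: clearing the shell also cancels the pending timer.
        if (!shell && mCancelOnDetach && mTimer) { mQueue.Cancel(mTimer); mTimer = 0; }
        mShell = shell;
    }
    void ScheduleDidPaint() { mTimer = mQueue.Schedule([this] { NotifyDidPaint(); }); }
    int nullShellCallbacks = 0;  // callbacks that ran with no shell attached
private:
    void NotifyDidPaint() {
        mTimer = 0;
        if (!mShell) { ++nullShellCallbacks; return; }  // recorded here, not dereferenced
        ++mShell->paintsNotified;
    }
    TimerQueue& mQueue;
    bool mCancelOnDetach;
    Shell* mShell = nullptr;
    int mTimer = 0;
};

// Schedules a notification, clears the shell, then lets the timer queue run.
int RunScenario(bool cancelOnDetach) {
    TimerQueue q; Shell s;
    Context ctx(q, cancelOnDetach);
    ctx.SetShell(&s); ctx.ScheduleDidPaint(); ctx.SetShell(nullptr);
    q.RunAll();
    return ctx.nullShellCallbacks;
}
```

RunScenario(false) reports one callback that ran without a shell, and RunScenario(true) reports none because the timer was cancelled when the shell was cleared.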