Closed Bug 1276356 Opened 8 years ago Closed 5 years ago

Crash in PresShell::DecApproximateVisibleCount

Categories: Core :: Layout, defect

Platform: Unspecified
OS: Windows 7
Type: defect
Priority: Not set
Severity: critical

Tracking: RESOLVED WORKSFORME

People

(Reporter: dbaron, Unassigned, NeedInfo)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is 
report bp-712b934f-1e96-47a2-b2c8-a24052160526.
=============================================================

There are occasional crashes in crash-stats with this signature.  I debugged this one briefly.  It has this stack:

0 	xul.dll 	nsIFrame::DecVisibilityCount(mozilla::VisibilityCounter, mozilla::Maybe<mozilla::OnNonvisible>) 	layout/generic/nsFrame.cpp:1622
1 	xul.dll 	ForAllTrackedFramesInVisibleSet<<lambda_2e5a3d487c964ca8e2d172a968b93253> >(nsTHashtable<nsPtrHashKey<nsIFrame> > const&, <lambda_2e5a3d487c964ca8e2d172a968b93253>) 	layout/base/nsPresShell.cpp:4655
2 	xul.dll 	AutoUpdateVisibility::~AutoUpdateVisibility() 	layout/base/nsPresShell.cpp:6013
3 	xul.dll 	PresShell::Paint(nsView*, nsRegion const&, unsigned int) 	layout/base/nsPresShell.cpp:6605


The crash in this case is due to the frame's style context being filled with the frame poison pattern.  In particular, the function starts with:


000007FEE0793634 48 89 5C 24 18       mov         qword ptr [rsp+18h],rbx  
000007FEE0793639 48 89 6C 24 20       mov         qword ptr [rsp+20h],rbp  
000007FEE079363E 56                   push        rsi  
000007FEE079363F 57                   push        rdi  
000007FEE0793640 41 56                push        r14  
000007FEE0793642 48 83 EC 30          sub         rsp,30h  
000007FEE0793646 48 8B 41 20          mov         rax,qword ptr [rcx+20h]  
000007FEE079364A 49 8B F8             mov         rdi,r8  
000007FEE079364D 8A DA                mov         bl,dl  
000007FEE079364F 48 8B F1             mov         rsi,rcx  
000007FEE0793652 4C 8B 48 38          mov         r9,qword ptr [rax+38h]  
000007FEE0793656 4D 8B 71 18          mov         r14,qword ptr [r9+18h]  
000007FEE079365A E8 D9 01 00 00       call        nsIFrame::VisibilityStateProperty (07FEE0793838h)  
000007FEE079365F 48 8B D1             mov         rdx,rcx  
000007FEE0793662 4C 8D 4C 24 58       lea         r9,[rsp+58h]  
000007FEE0793667 4C 8B C0             mov         r8,rax  
000007FEE079366A 49 8D 8E E0 00 00 00 lea         rcx,[r14+0E0h]  
000007FEE0793671 E8 52 00 C1 FF       call        mozilla::FramePropertyTable::GetInternal (07FEE03A36C8h) 

and we're crashing with RIP 0x000007fee0793652 and RAX 0x7ffffffff0de7fff.

Since nsIFrame::mStyleContext is at 0x20, nsStyleContext::mRuleNode is at 0x38, and nsRuleNode::mPresContext is at 0x18, this appears to be a crash because the style context of the frame has been destroyed and is frame poisoned.

Seth, any idea what's going on here?
Flags: needinfo?(seth)
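The diagnosis above rests on two things: a freed arena object is overwritten with a poison pattern that is never a mapped address, and the faulting load can be tied to a member by its offset. The program below is an added example, not code from this bug or from Gecko. It uses toy structs whose padding puts the pointer members at the offsets cited in the comment (0x20, 0x38, 0x18), takes the RAX value from the report as its poison constant, and defines hypothetical helpers poison_object, is_frame_poison, first_faulting_load and scenario that re-trace the three loads in the prologue, checking each pointer against the poison instead of dereferencing it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Poison pattern. Constructed for this example from the RAX value in the
 * report; the real pattern is computed at startup from an address that is
 * never mapped, so any load through it faults immediately. */
#define FRAME_POISON ((uint64_t)0x7ffffffff0de7fffULL)

/* Toy stand-ins for the three objects the prologue walks. Padding is sized so
 * the pointer members sit at the offsets cited in the report. */
struct PresContext  { int id; };
struct RuleNode     { uint8_t pad[0x18]; struct PresContext  *mPresContext;  };
struct StyleContext { uint8_t pad[0x38]; struct RuleNode     *mRuleNode;     };
struct Frame        { uint8_t pad[0x20]; struct StyleContext *mStyleContext; };

bool is_frame_poison(uint64_t v) { return v == FRAME_POISON; }

/* Arena-style destroy: instead of leaving stale pointers in the dead object,
 * overwrite every word with the poison so a later use faults deterministically
 * with a register value an analyst can recognise. */
void poison_object(void *obj, size_t size)
{
    uint8_t *p = obj;
    size_t i = 0;
    for (; i + sizeof(uint64_t) <= size; i += sizeof(uint64_t)) {
        uint64_t w = FRAME_POISON;
        memcpy(p + i, &w, sizeof w);
    }
    /* Tail bytes, if the object size is not a multiple of 8 (little-endian). */
    for (; i < size; i++) p[i] = (uint8_t)(FRAME_POISON >> (8 * (i % 8)));
}

/* Re-trace the loads from the prologue, testing each pointer for the poison
 * before dereferencing it. Returns which load would fault:
 *   1 = mov rax,[rcx+20h]  (the frame pointer itself is poison)
 *   2 = mov r9,[rax+38h]   (mStyleContext holds the poison; the register
 *                            state in this report: RAX == poison)
 *   3 = mov r14,[r9+18h]   (mRuleNode holds the poison)
 *   0 = all three loads succeed */
int first_faulting_load(const struct Frame *frame)
{
    if (is_frame_poison((uint64_t)(uintptr_t)frame)) return 1;
    const struct StyleContext *sc = frame->mStyleContext;   /* rax */
    if (is_frame_poison((uint64_t)(uintptr_t)sc)) return 2;
    const struct RuleNode *rn = sc->mRuleNode;              /* r9  */
    if (is_frame_poison((uint64_t)(uintptr_t)rn)) return 3;
    (void)rn->mPresContext;                                 /* r14 */
    return 0;
}

/* Build a live frame -> style context -> rule node -> pres context chain,
 * optionally destroy one object, and report which load would fault.
 * poison_which: 0 = nothing, 1 = the frame, 2 = the style context. */
int scenario(int poison_which)
{
    static struct PresContext pc = { 1 };
    static struct RuleNode rn;
    static struct StyleContext sc;
    static struct Frame frame;
    memset(&rn, 0, sizeof rn); memset(&sc, 0, sizeof sc); memset(&frame, 0, sizeof frame);
    rn.mPresContext = &pc;
    sc.mRuleNode = &rn;
    frame.mStyleContext = &sc;
    if (poison_which == 1) poison_object(&frame, sizeof frame);
    if (poison_which == 2) poison_object(&sc, sizeof sc);
    return first_faulting_load(&frame);
}

int main(void)
{
    printf("offsets: mStyleContext=0x%zx mRuleNode=0x%zx mPresContext=0x%zx\n",
           offsetof(struct Frame, mStyleContext),
           offsetof(struct StyleContext, mRuleNode),
           offsetof(struct RuleNode, mPresContext));
    printf("live chain:            faulting load = %d\n", scenario(0));
    printf("frame poisoned:        faulting load = %d\n", scenario(1));
    printf("style ctx poisoned:    faulting load = %d\n", scenario(2));
    return 0;
}
```

Poisoning the frame (scenario 1) reproduces the shape of this report: the load at [rcx+20h] succeeds because the frame's memory is still mapped, but the value it yields is the poison, so the very next load at [rax+38h] faults with RAX equal to the pattern. Poisoning the style context instead moves the fault one load later, which is how the faulting instruction plus the member offsets point at which object was destroyed.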
nsIFrame::DecVisibilityCount doesn't exist anymore.  I think it corresponds to
nsIFrame::DecApproximateVisibleCount now, which I think shows up as
[@ PresShell::DecApproximateVisibleCount ] likely because it was inlined.
bp-499de0c4-4a19-4ab6-952e-f1b2d2161125


There's also a crash [@ nsIFrame::IncApproximateVisibleCount ] in
bp-4752e68f-5090-4250-b4c9-276122161121
Perhaps that's related to the same underlying issue.

All these signatures have pretty low volume though, fwiw.
Crash Signature: [@ nsIFrame::DecVisibilityCount] → [@ nsIFrame::DecApproximateVisibleCount ] [@ PresShell::DecApproximateVisibleCount ]
Summary: Crash in nsIFrame::DecVisibilityCount → Crash in PresShell::DecApproximateVisibleCount

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME