Crash in mozilla::ContainerState::GetLayerCreationHint

RESOLVED FIXED in Firefox 49

Status

()

--
critical
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: philipp, Assigned: tnikkel)

Tracking

({crash, regression})

45 Branch
mozilla51
crash, regression
Points:
---

Firefox Tracking Flags

(firefox48 wontfix, firefox49 fixed, firefox-esr45 affected, firefox50 fixed, firefox51 fixed)

Details

(crash signature)

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
This bug was filed from the Socorro interface and is 
report bp-48bddb54-1e56-41c0-b6bd-db8c12160810.
=============================================================
Crashing Thread (0)
Frame 	Module 	Signature 	Source
0 	xul.dll 	mozilla::ContainerState::GetLayerCreationHint(AnimatedGeometryRoot*) 	layout/base/FrameLayerBuilder.cpp:2193
1 	xul.dll 	mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) 	layout/base/FrameLayerBuilder.cpp:4029
2 	xul.dll 	mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const*, unsigned int) 	layout/base/FrameLayerBuilder.cpp:5289
3 	xul.dll 	mozilla::dom::XULDocument::ResumeWalk() 	dom/xul/XULDocument.cpp:2801
4 	xul.dll 	js::detail::HashTable<js::HashMapEntry<js::jit::CacheIRStubKey, js::ReadBarriered<js::jit::JitCode*> >, js::HashMap<js::jit::CacheIRStubKey, js::ReadBarriered<js::jit::JitCode*>, js::jit::CacheIRStubKey, js::RuntimeAllocPolicy>::MapHashPolicy, js::RuntimeAllocPolicy>::prepareHash(js::jit::CacheIRStubKey::Lookup const&) 	obj-firefox/dist/include/js/HashTable.h:1205
5 	mozglue.dll 	arena_dalloc_small 	memory/mozjemalloc/jemalloc.c:4609
6 	mozglue.dll 	je_free 	memory/mozjemalloc/jemalloc.c:6479
7 	xul.dll 	mozilla::Vector<RefPtr<js::PerformanceGroup>, 0, mozilla::MallocAllocPolicy>::growStorageBy(unsigned int) 	obj-firefox/dist/include/mozilla/Vector.h:948
8 	xul.dll 	js::AutoStopwatch::addToGroup(JSRuntime*, unsigned __int64, unsigned __int64, js::PerformanceGroup*) 	js/src/vm/Stopwatch.cpp:389
9 		@0x44e773 	
10 		@0x2 	
11 	xul.dll 	AutoGCIfRequested::~AutoGCIfRequested() 	js/src/vm/Interpreter.cpp:408
12 	xul.dll 	js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp:473
13 	xul.dll 	InternalCall 	js/src/vm/Interpreter.cpp:497
14 	xul.dll 	mozilla::dom::AutoJSAPI::ReportException() 	dom/base/ScriptSettings.cpp:615

crashes with this signature are appearing in crash stats data since firefox 45 and it looks related to the new code in bug 1222880. 
also, it's frequency is on rise with 49.0b1, where the signature is currently making up 0.14% of browser crashes.
(Assignee)

Comment 2

2 years ago
Created attachment 8779899 [details] [diff] [review]
nullagr
Assignee: nobody → tnikkel
Attachment #8779899 - Flags: review?(matt.woodrow)
Attachment #8779899 - Flags: review?(matt.woodrow) → review+

Comment 3

2 years ago
Pushed by tnikkel@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/0bd27824832d
Null check animated geometry root. r=mattwoodrow
Small crash volume, so, we won't take a fix in 48 as ride along.
However, happy to take the fix in 49 (beta)
status-firefox48: affected → wontfix

Comment 5

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/0bd27824832d
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox51: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
Hi :tnikkel,
Since this bug is a regression and also affects 49/50, are you also considering to uplift this patch to 49/50?
Flags: needinfo?(tnikkel)
(Assignee)

Comment 7

2 years ago
Comment on attachment 8779899 [details] [diff] [review]
nullagr

Approval Request Comment
[Feature/regressing bug #]: bug 1222880
[User impact if declined]: crashes
[Describe test coverage new/current, TreeHerder]: none, we don't have a testcase
[Risks and why]: safe, it's a null check
[String/UUID change made/needed]: none
Flags: needinfo?(tnikkel)
Attachment #8779899 - Flags: approval-mozilla-beta?
Attachment #8779899 - Flags: approval-mozilla-aurora?
Comment on attachment 8779899 [details] [diff] [review]
nullagr

Review of attachment 8779899 [details] [diff] [review]:
-----------------------------------------------------------------

This patch fixes a crash. Take it in 49 beta and 50 aurora. Should be in 49 beta 5.
Attachment #8779899 - Flags: approval-mozilla-beta?
Attachment #8779899 - Flags: approval-mozilla-beta+
Attachment #8779899 - Flags: approval-mozilla-aurora?
Attachment #8779899 - Flags: approval-mozilla-aurora+

Comment 9

2 years ago
bugherderuplift
https://hg.mozilla.org/releases/mozilla-aurora/rev/3776dd28c3cb
status-firefox50: affected → fixed
Crash volume for signature 'mozilla::ContainerState::GetLayerCreationHint':
 - nightly (version 51): 3 crashes from 2016-08-01.
 - aurora  (version 50): 43 crashes from 2016-08-01.
 - beta    (version 49): 391 crashes from 2016-08-02.
 - release (version 48): 7 crashes from 2016-07-25.
 - esr     (version 45): 82 crashes from 2016-05-02.

Crash volume on the last weeks (Week N is from 08-22 to 08-28):
            W. N-1  W. N-2  W. N-3
 - nightly       0       0       3
 - aurora       13      18      12
 - beta        146     185      55
 - release       2       3       1
 - esr          12       3       8

Affected platform: Windows

Crash rank on the last 7 days:
           Browser     Content   Plugin
 - nightly
 - aurora  #632
 - beta    #287
 - release #4990
 - esr     #918
status-firefox-esr45: --- → affected
You need to log in before you can comment on or make changes to this bug.