Closed
Bug 1295940
Opened 8 years ago
Closed 8 years ago
Crash in nsDisplayListBuilder::EnterPresShell
Categories
(Core :: Layout, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1297664
People
(Reporter: kanru, Unassigned)
References
Details
(Keywords: crash)
Crash Data
This bug was filed from the Socorro interface and is report bp-63884170-e9fe-46e5-9183-0c9472160815. ============================================================= Six crashes from single installation with following stack: nsDisplayListBuilder::EnterPresShell(nsIFrame*, bool) nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) nsSVGForeignObjectFrame::PaintSVG(gfxContext&, gfxMatrix const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) nsSVGUtils::PaintFrameWithEffects(nsIFrame*, gfxContext&, gfxMatrix const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) nsSVGDisplayContainerFrame::PaintSVG(gfxContext&, gfxMatrix const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) nsSVGUtils::PaintSVGGlyph(mozilla::dom::Element*, gfxContext*) gfxSVGGlyphs::RenderGlyph(gfxContext*, unsigned int, mozilla::SVGContextPaint*) gfxFontEntry::RenderSVGGlyph(gfxContext*, unsigned int, mozilla::SVGContextPaint*) gfxFont::RenderSVGGlyph(gfxContext*, gfxPoint, unsigned int, mozilla::SVGContextPaint*) gfxFont::RenderSVGGlyph(gfxContext*, gfxPoint, unsigned int, mozilla::SVGContextPaint*, gfxTextRunDrawCallbacks*, bool&) gfxFont::DrawOneGlyph(unsigned int, double, gfxPoint*, GlyphBufferAzure&, bool*) gfxFont::DrawGlyphs(gfxShapedText const*, unsigned int, unsigned int, gfxPoint*, TextRunDrawParams const&, FontDrawParams const&) gfxFont::Draw(gfxTextRun const*, unsigned int, unsigned int, gfxPoint*, TextRunDrawParams const&, unsigned short) gfxTextRun::DrawGlyphs(gfxFont*, gfxTextRun::Range, gfxPoint*, gfxTextRun::PropertyProvider*, gfxTextRun::Range, TextRunDrawParams&, unsigned short) mozilla::gfx::ScaledFontWin::`scalar deleting destructor'(unsigned int) nsDisplayLayerEventRegions::AddFrame(nsDisplayListBuilder*, nsIFrame*) nsDisplayListBuilder::IsAnimatedGeometryRoot(nsIFrame*, nsIFrame**) But previously we had also seen following stack: nsDisplayListBuilder::EnterPresShell(nsIFrame*, bool) nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, unsigned int) PresShell::Paint(nsView*, nsRegion const&, unsigned int) nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) nsViewManager::ProcessPendingUpdates() Not sure if this is a regression introduced by bug 1258510 or not but we probably want to null check aReferenceFrame->PresContext() or pc->GetDocShell() or make sure they live long enough. ni? tnikkel and cjku for checking bug 1258510
Flags: needinfo?(tnikkel)
Flags: needinfo?(cku)
https://hg.mozilla.org/mozilla-unified/annotate/6e191a55c3d2/layout/svg/nsSVGUtils.cpp#l704 Here, what I do here is to keep the return value of svgChildFrame->PaintSVG, and forward result to the caller later: - svgChildFrame->PaintSVG(*target, aTransform, aDirtyRect); + result = svgChildFrame->PaintSVG(*target, aTransform, aDirtyRect); I don't think this change leading to this crash.
Flags: needinfo?(tnikkel)
Flags: needinfo?(cku)
|
||
Comment 2•8 years ago
|
||
There are a bunch of crashes going back to before bug 1258510 landed, so this isn't a new issue.
|
||
Comment 3•8 years ago
|
||
I got crashes with same signature with the testcase in bug 1297664. https://crash-stats.mozilla.com/report/index/7cdf1b8c-49e3-4a88-9b8f-c09102160824 https://crash-stats.mozilla.com/report/index/f4570328-a451-4b49-ae6e-a449f2160824 https://crash-stats.mozilla.com/report/index/a2ba05e7-0295-48ec-ba2f-865b92160824 maybe it's a dupe of this bug?
See Also: → 1297664
|
Reporter | |
Comment 4•8 years ago
|
||
Yes, the stacks look similar! So the regression range goes way back to 2015?
|
|
||
Comment 5•8 years ago
|
||
at least the regression range of bug 1297664 is the following (unless I'm missing something) https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ae5d04409cd9&tochange=0c2f7434c325
|
||
Comment 6•8 years ago
|
||
Crash volume for signature 'nsDisplayListBuilder::EnterPresShell':
- nightly (version 51): 6 crashes from 2016-08-01.
- aurora (version 50): 3 crashes from 2016-08-01.
- beta (version 49): 16 crashes from 2016-08-02.
- release (version 48): 13 crashes from 2016-07-25.
- esr (version 45): 9 crashes from 2016-05-02.
Crash volume on the last weeks (Week N is from 08-22 to 08-28):
W. N-1 W. N-2 W. N-3
- nightly 6 0 0
- aurora 2 0 0
- beta 3 9 0
- release 5 2 0
- esr 0 1 0
Affected platforms: Windows, Mac OS X, Linux
Crash rank on the last 7 days:
Browser Content Plugin
- nightly
- aurora #1007
- beta #446
- release #8435 #112
- esr #5355
status-firefox48:
--- → affected
status-firefox49:
--- → affected
status-firefox50:
--- → affected
status-firefox51:
--- → affected
status-firefox-esr45:
--- → affected
|
||
Comment 8•8 years ago
|
||
Maybe will get fixed from the patch in bug 1297664 which should land for the RC build by next Monday.
|
|
Reporter | |
Updated•8 years ago
|
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•