Crash in nsDisplayListBuilder::EnterPresShell

RESOLVED DUPLICATE of bug 1297664

Status


--
critical
RESOLVED DUPLICATE of bug 1297664
2 years ago
2 years ago

People

(Reporter: kanru, Unassigned)

Tracking

Keywords: crash
Version: unspecified
Platform: x86 / Windows 10

Firefox Tracking Flags

(firefox48 affected, firefox49 affected, firefox-esr45 affected, firefox50 affected, firefox51 affected)

(Reporter)

Description

2 years ago
This bug was filed from the Socorro interface and is report bp-63884170-e9fe-46e5-9183-0c9472160815.
=============================================================

Six crashes from a single installation with the following stack:

nsDisplayListBuilder::EnterPresShell(nsIFrame*, bool)
nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags)
nsSVGForeignObjectFrame::PaintSVG(gfxContext&, gfxMatrix const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*)
nsSVGUtils::PaintFrameWithEffects(nsIFrame*, gfxContext&, gfxMatrix const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*)
nsSVGDisplayContainerFrame::PaintSVG(gfxContext&, gfxMatrix const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*)
nsSVGUtils::PaintSVGGlyph(mozilla::dom::Element*, gfxContext*)
gfxSVGGlyphs::RenderGlyph(gfxContext*, unsigned int, mozilla::SVGContextPaint*)
gfxFontEntry::RenderSVGGlyph(gfxContext*, unsigned int, mozilla::SVGContextPaint*)
gfxFont::RenderSVGGlyph(gfxContext*, gfxPoint, unsigned int, mozilla::SVGContextPaint*)
gfxFont::RenderSVGGlyph(gfxContext*, gfxPoint, unsigned int, mozilla::SVGContextPaint*, gfxTextRunDrawCallbacks*, bool&)
gfxFont::DrawOneGlyph(unsigned int, double, gfxPoint*, GlyphBufferAzure&, bool*)
gfxFont::DrawGlyphs(gfxShapedText const*, unsigned int, unsigned int, gfxPoint*, TextRunDrawParams const&, FontDrawParams const&)
gfxFont::Draw(gfxTextRun const*, unsigned int, unsigned int, gfxPoint*, TextRunDrawParams const&, unsigned short)
gfxTextRun::DrawGlyphs(gfxFont*, gfxTextRun::Range, gfxPoint*, gfxTextRun::PropertyProvider*, gfxTextRun::Range, TextRunDrawParams&, unsigned short)
mozilla::gfx::ScaledFontWin::`scalar deleting destructor'(unsigned int)
nsDisplayLayerEventRegions::AddFrame(nsDisplayListBuilder*, nsIFrame*)
nsDisplayListBuilder::IsAnimatedGeometryRoot(nsIFrame*, nsIFrame**)

But previously we had also seen the following stack:

nsDisplayListBuilder::EnterPresShell(nsIFrame*, bool)
nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, unsigned int)
PresShell::Paint(nsView*, nsRegion const&, unsigned int)
nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*)
nsViewManager::ProcessPendingUpdatesForView(nsView*, bool)
nsViewManager::ProcessPendingUpdates()

Not sure if this is a regression introduced by bug 1258510 or not, but we probably want to null-check aReferenceFrame->PresContext() or pc->GetDocShell(), or make sure they live long enough.

ni? tnikkel and cjku for checking bug 1258510
Flags: needinfo?(tnikkel)
Flags: needinfo?(cku)

Comment 1

2 years ago
https://hg.mozilla.org/mozilla-unified/annotate/6e191a55c3d2/layout/svg/nsSVGUtils.cpp#l704
What I did here was to keep the return value of svgChildFrame->PaintSVG and forward the result to the caller later:
-    svgChildFrame->PaintSVG(*target, aTransform, aDirtyRect);
+    result = svgChildFrame->PaintSVG(*target, aTransform, aDirtyRect);
I don't think this change is leading to this crash.
Flags: needinfo?(tnikkel)
Flags: needinfo?(cku)
There are a bunch of crashes going back to before bug 1258510 landed, so this isn't a new issue.
(Reporter)

Comment 4

2 years ago
Yes, the stacks look similar! So the regression range goes way back to 2015?
At least the regression range of bug 1297664 is the following (unless I'm missing something):
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ae5d04409cd9&tochange=0c2f7434c325
Crash volume for signature 'nsDisplayListBuilder::EnterPresShell':
 - nightly (version 51): 6 crashes from 2016-08-01.
 - aurora  (version 50): 3 crashes from 2016-08-01.
 - beta    (version 49): 16 crashes from 2016-08-02.
 - release (version 48): 13 crashes from 2016-07-25.
 - esr     (version 45): 9 crashes from 2016-05-02.

Crash volume on the last weeks (Week N is from 08-22 to 08-28):
            W. N-1  W. N-2  W. N-3
 - nightly       6       0       0
 - aurora        2       0       0
 - beta          3       9       0
 - release       5       2       0
 - esr           0       1       0

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days:
           Browser   Content     Plugin
 - nightly
 - aurora            #1007
 - beta              #446
 - release #8435     #112
 - esr     #5355
status-firefox48: --- → affected
status-firefox49: --- → affected
status-firefox50: --- → affected
status-firefox51: --- → affected
status-firefox-esr45: --- → affected
Duplicate of this bug: 1297664
Maybe will get fixed from the patch in bug 1297664 which should land for the RC build by next Monday.
(Reporter)

Updated

2 years ago
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1297664