Closed Bug 1295940 Opened 4 years ago Closed 3 years ago

Crash in nsDisplayListBuilder::EnterPresShell

Categories

(Core :: Layout, defect, critical)

x86
Windows 10
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 1297664
Tracking Status
firefox48 --- affected
firefox49 --- affected
firefox-esr45 --- affected
firefox50 --- affected
firefox51 --- affected

People

(Reporter: kanru, Unassigned)

References

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is 
report bp-63884170-e9fe-46e5-9183-0c9472160815.
=============================================================

Six crashes from single installation with following stack:

nsDisplayListBuilder::EnterPresShell(nsIFrame*, bool)
nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags)
nsSVGForeignObjectFrame::PaintSVG(gfxContext&, gfxMatrix const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*)
nsSVGUtils::PaintFrameWithEffects(nsIFrame*, gfxContext&, gfxMatrix const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*)
nsSVGDisplayContainerFrame::PaintSVG(gfxContext&, gfxMatrix const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*)
nsSVGUtils::PaintSVGGlyph(mozilla::dom::Element*, gfxContext*)
gfxSVGGlyphs::RenderGlyph(gfxContext*, unsigned int, mozilla::SVGContextPaint*)
gfxFontEntry::RenderSVGGlyph(gfxContext*, unsigned int, mozilla::SVGContextPaint*)
gfxFont::RenderSVGGlyph(gfxContext*, gfxPoint, unsigned int, mozilla::SVGContextPaint*)
gfxFont::RenderSVGGlyph(gfxContext*, gfxPoint, unsigned int, mozilla::SVGContextPaint*, gfxTextRunDrawCallbacks*, bool&)
gfxFont::DrawOneGlyph(unsigned int, double, gfxPoint*, GlyphBufferAzure&, bool*)
gfxFont::DrawGlyphs(gfxShapedText const*, unsigned int, unsigned int, gfxPoint*, TextRunDrawParams const&, FontDrawParams const&)
gfxFont::Draw(gfxTextRun const*, unsigned int, unsigned int, gfxPoint*, TextRunDrawParams const&, unsigned short)
gfxTextRun::DrawGlyphs(gfxFont*, gfxTextRun::Range, gfxPoint*, gfxTextRun::PropertyProvider*, gfxTextRun::Range, TextRunDrawParams&, unsigned short)
mozilla::gfx::ScaledFontWin::`scalar deleting destructor'(unsigned int)
nsDisplayLayerEventRegions::AddFrame(nsDisplayListBuilder*, nsIFrame*)
nsDisplayListBuilder::IsAnimatedGeometryRoot(nsIFrame*, nsIFrame**)

But previously we had also seen following stack:

nsDisplayListBuilder::EnterPresShell(nsIFrame*, bool)
nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, unsigned int)
PresShell::Paint(nsView*, nsRegion const&, unsigned int)
nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*)
nsViewManager::ProcessPendingUpdatesForView(nsView*, bool)
nsViewManager::ProcessPendingUpdates()

Not sure if this is a regression introduced by bug 1258510 or not but we probably want to null check aReferenceFrame->PresContext() or pc->GetDocShell() or make sure they live long enough.

ni? tnikkel and cjku for checking bug 1258510
Flags: needinfo?(tnikkel)
Flags: needinfo?(cku)
https://hg.mozilla.org/mozilla-unified/annotate/6e191a55c3d2/layout/svg/nsSVGUtils.cpp#l704
Here, what I do here is to keep the return value of svgChildFrame->PaintSVG, and forward result to the caller later:
-    svgChildFrame->PaintSVG(*target, aTransform, aDirtyRect);
+    result = svgChildFrame->PaintSVG(*target, aTransform, aDirtyRect);
I don't think this change leading to this crash.
Flags: needinfo?(tnikkel)
Flags: needinfo?(cku)
There are a bunch of crashes going back to before bug 1258510 landed, so this isn't a new issue.
Yes, the stacks look similar! So the regression range goes way back to 2015?
at least the regression range of bug 1297664 is the following (unless I'm missing something)
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ae5d04409cd9&tochange=0c2f7434c325
Crash volume for signature 'nsDisplayListBuilder::EnterPresShell':
 - nightly (version 51): 6 crashes from 2016-08-01.
 - aurora  (version 50): 3 crashes from 2016-08-01.
 - beta    (version 49): 16 crashes from 2016-08-02.
 - release (version 48): 13 crashes from 2016-07-25.
 - esr     (version 45): 9 crashes from 2016-05-02.

Crash volume on the last weeks (Week N is from 08-22 to 08-28):
            W. N-1  W. N-2  W. N-3
 - nightly       6       0       0
 - aurora        2       0       0
 - beta          3       9       0
 - release       5       2       0
 - esr           0       1       0

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days:
           Browser   Content     Plugin
 - nightly
 - aurora            #1007
 - beta              #446
 - release #8435     #112
 - esr     #5355
Maybe will get fixed from the patch in bug 1297664 which should land for the RC build by next Monday.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1297664
You need to log in before you can comment on or make changes to this bug.