Closed Bug 1429314 Opened 6 years ago Closed 2 years ago

Crash in AnimatedGeometryRoot::Release

Categories

(Core :: Web Painting, defect, P2)

Product:
Core
Component:
Web Painting
Version:
58 Branch
Platform:
All
Windows
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox57 --- unaffected
firefox58 --- wontfix
firefox59 --- wontfix
firefox60 --- ?

People

(Reporter: philipp, Unassigned)

References

Details

(Keywords: crash, regression)

Crash Data

This bug was filed from the Socorro interface and is
report bp-dd8901d6-1e09-440d-a4ff-1f6c60180110.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll AnimatedGeometryRoot::Release layout/painting/nsDisplayList.h:188
1 xul.dll nsTHashtable<nsBaseHashtableET<nsPtrHashKey<nsIFrame>, RefPtr<AnimatedGeometryRoot> > >::s_ClearEntry xpcom/ds/nsTHashtable.h:444
2 xul.dll PLDHashTable::~PLDHashTable xpcom/ds/PLDHashTable.cpp:325
3 xul.dll PLDHashTable::ClearAndPrepareForLength xpcom/ds/PLDHashTable.cpp:338
4 xul.dll nsDisplayListBuilder::EndFrame layout/painting/nsDisplayList.cpp:998
5 xul.dll nsLayoutUtils::PaintFrame layout/base/nsLayoutUtils.cpp:4036
6 xul.dll mozilla::PresShell::Paint layout/base/PresShell.cpp:6489
7 xul.dll nsViewManager::ProcessPendingUpdatesPaint view/nsViewManager.cpp:480
8 xul.dll nsViewManager::ProcessPendingUpdatesForView view/nsViewManager.cpp:412
9 xul.dll nsViewManager::ProcessPendingUpdates view/nsViewManager.cpp:1102

=============================================================

this content crash signature is newly showing up since firefox 58 in code that seems to have been touched by code landing for the retained display list.
Setting P2 since this is super low volume.

Had a look at a crash dump, we're calling AnimatedGeometryRoot::Release with this==0xe5.

I can't see any way that value could have ever got into the hashtable (especially since we'd have crashed trying to call AddRef when adding it), so this seems like our hashtable entry got corrupted :(
Priority: -- → P2
Too late to fix in 59, but we can still take a patch for 60/61 if they are affected.
status-firefox58: fix-optionalwontfix
status-firefox59: affectedwontfix
status-firefox60: --- → ?
Blocks: 1467514
No longer blocks: 1467514
QA Whiteboard: qa-not-actionable

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.