Closed Bug 1431147 Opened 6 years ago Closed 4 months ago

Crash in nsIFrame::RemoveDisplayItemDataForDeletion

Categories

(Core :: Web Painting, defect, P3)

Product:
Core
Component:
Web Painting
Version:
59 Branch
Platform:
Unspecified
Linux
Type:
defect

Tracking

()

Status:
RESOLVED INCOMPLETE
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- wontfix
firefox57 --- unaffected
firefox58 --- unaffected
firefox59 --- wontfix
firefox60 --- wontfix
firefox61 --- wontfix
firefox62 --- wontfix
firefox63 --- wontfix
firefox64 --- wontfix
firefox65 --- wontfix
firefox66 --- wontfix

People

(Reporter: calixte, Unassigned)

References

(Blocks 1 open bug)

Details

(5 keywords)

Crash Data

This bug was filed from the Socorro interface and is
report bp-3b3b5a41-f4b9-409a-890b-77d7a0180117.
=============================================================

Top 10 frames of crashing thread:

0 libxul.so nsIFrame::RemoveDisplayItemDataForDeletion [clone .cold.853] 
1 libxul.so mozilla::PresShell::NotifyDestroyingFrame 
2 libxul.so nsFrame::DestroyFrom 
3 libxul.so nsCanvasFrame::DestroyFrom 
4 libxul.so nsContainerFrame::DestroyFrom 
5 libxul.so nsContainerFrame::DestroyFrom 
6 libxul.so nsIFrame::Destroy layout/generic/nsIFrame.h:687
7 libxul.so nsFrameManager::Destroy 
8 libxul.so mozilla::PresShell::Destroy 
9 libxul.so nsDocumentViewer::DestroyPresShell 

=============================================================

There are 59 crashes in nightly 59 with buildid 20180117100129. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1429961. 

[1] https://hg.mozilla.org/mozilla-central/rev/5bceb041669b
Flags: needinfo?(emilio)
There are crashes that were way older than that bug (which was fixed yesterday), so it seems somewhat unlikely.

That function was added for retained-dl. The crash looks like a null deref, maybe from the root frame's ModifiedFrameProperty Matt, Miko, does that ring any bell? Should we land a couple diagnostic asserts around there?
Component: DOM → Layout: Web Painting
Flags: needinfo?(mikokm)
Flags: needinfo?(matt.woodrow)
Flags: needinfo?(emilio)
Possibly related to bug 1418807. I'll look into adding some assertions for bugs like this.
Blocks: 1404181
Flags: needinfo?(mikokm)
I'm reproducing this crash on messenger.com. Each time it loads I get a crash in Firefox 59.0a1 (2018-01-17) for OSX 10.12.6

Was brought to my attention here: https://webcompat.com/issues/14905
The spike (and reproducible crash) here was because of the first version of bug 1420737, which should be fixed now.
Flags: needinfo?(matt.woodrow)
Dropping the priority, since this is a very low volume crash normally.
Priority: -- → P3
This seems like a serious regression. I just opened a fiddle https://jsfiddle.net/jib1/nu2psx9q/ in Nightly today, and I think I tabbed away or something and came back, and the page was black, and every second or so flipping to white and then back to black. After a few seconds of that it crashed with bp-3eefaede-8778-4909-b185-f005b0180118

I haven't tried to reproduce yet, but I use jsfiddle frequently enough to suspect a recent regression.
(In reply to Matt Woodrow (:mattwoodrow) from comment #4)
> The spike (and reproducible crash) here was because of the first version of
> bug 1420737, which should be fixed now.

I can confirm that this spike has gone away in the 1-18 build. I don't think it is worthwhile to leave this bug open for a low volume crash that has been around for a while...
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Well, maybe the 1-18 builds haven't gone out yet.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
As expected, the crash rate has dropped away here.

I see 13 crashes for 59.0b in the past week, and 6 are from the same install time. I don't think there's much more we need to do here.
Assigning unowned critical/high security bugs to triage owner. Please find an appropriate assignee for this bug.
Assignee: nobody → matt.woodrow
Group: core-security → layout-core-security
All but 1 crash (of 9) in the last two weeks in 60a1 was a BREAKPOINT (or DUMP_REQUESTED).  The one READ error was an 0xfffffff :-(  Did we land a new assertion there?  Does that help?  If this continues, it helps from a sec perspective.

Quite a few 59bN crashes with wildptrs - if the assertion is a) cheap and b) low-risk, maybe we can uplift it?

Total crashes is ~40/week; not high.
Flags: needinfo?(matt.woodrow)
There are still READ and write crashes for Firefox 60. I don't think we caught this with a new assertion.
Blocks: 1467514
No longer blocks: 1467514
The initial spike that caused this bug to be reported has been fixed, and now we just have a low volume crash that has been around a while.

It looks like an invalid pointer in the frame tree, and we're crashing trying to access frame properties on it, similar to other crashes.

No URLs or STR in the reports, so marking this as stalled for now.
Flags: needinfo?(matt.woodrow)
Keywords: stalled
Group: layout-core-security → gfx-core-security

Removing employee no longer with company from CC list of private bugs.

The bug assignee didn't login in Bugzilla in the last 7 months and this bug has severity 'critical'.
:miko, could you have a look please?
For more information, please visit auto_nag documentation.

Assignee: matt.woodrow → nobody
Flags: needinfo?(mikokm)
Flags: needinfo?(mikokm)
Severity: critical → S2

Still a steady stream of 60-80 crashes per release, but a generally high confidence that there are bit-flip related errors. No movement in years, we are trying remove unactionable issues.

Status: REOPENED → RESOLVED
Closed: 6 years ago4 months ago
Resolution: --- → INCOMPLETE

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit BugBot documentation.

Keywords: stalled
Group: gfx-core-security
You need to log in before you can comment on or make changes to this bug.