Closed Bug 1744147 Opened 2 years ago Closed 1 year ago

Crash in [@ nsObserverService::RemoveObserver] from calling nsBaseWidget::FreeShutdownObserver off the main thread

Categories

(Core :: Widget: Gtk, defect, P3)

Product:
Core
Component:
Widget: Gtk
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: mccr8, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/161701d4-5730-491e-8424-aa5fb0211202

MOZ_CRASH Reason: MOZ_CRASH(Using observer service off the main thread!)

Top 10 frames of crashing thread:

0 libxul.so nsObserverService::RemoveObserver xpcom/ds/nsObserverService.cpp:238
1 libxul.so nsBaseWidget::FreeShutdownObserver widget/nsBaseWidget.cpp:397
2 libxul.so nsBaseWidget::~nsBaseWidget widget/nsBaseWidget.cpp:419
3 libxul.so nsWindow::~nsWindow widget/gtk/nsWindow.cpp:529
4 libxul.so nsWindow::~nsWindow widget/gtk/nsWindow.cpp:522
5 libxul.so nsBaseWidget::Release widget/nsBaseWidget.cpp:137
6 libxul.so mozilla::widget::GtkCompositorWidget::~GtkCompositorWidget widget/gtk/GtkCompositorWidget.cpp:60
7 libxul.so mozilla::widget::InProcessGtkCompositorWidget::~InProcessGtkCompositorWidget widget/gtk/InProcessGtkCompositorWidget.h:16
8 libxul.so mozilla::layers::WebRenderBridgeParent::~WebRenderBridgeParent gfx/layers/wr/WebRenderBridgeParent.cpp:361
9 libxul.so {virtual override thunk}
Summary: Crash in [@ nsObserverService::RemoveObserver] → Crash in [@ nsObserverService::RemoveObserver] from calling nsBaseWidget::FreeShutdownObserver off the main thread
Priority: -- → P2

Looks like GtkCompositorWidget is deleted after nsWindow in main thread. As GtkCompositorWidget obviously hold reference to nsWindow we call ~nsWindow from compositor thread here.

May we call FreeShutdownObserver() (and other thread dependent code) from nsWindow::Destroy() ?

I see only two crashed on Linux, rest is on Windows.

Ah, the nsObserverService::RemoveObserver() crashed on Windows has different source of RemoveObserver() call.

Priority: P2 → P3

Inlined function support in crash reports is changing this signatures a bit, I think it might be worth adding it to the prefix list so we can tell different crashes calling into the observer service apart, I'll file a bug for that.

Should be already fixed on Linux side. Please let me know if you see any new reports.

Since the crash volume is low (less than 5 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.

For more information, please visit auto_nag documentation.

Severity: S2 → S3

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.