Closed Bug 1794352 Opened 3 years ago Closed 2 years ago

Crash in [@ mozilla::PresShell::RecordFree]

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox-esr102 --- wontfix
firefox105 --- wontfix
firefox106 --- wontfix
firefox107 --- wontfix
firefox110 --- wontfix
firefox111 --- wontfix
firefox112 --- fixed

People

(Reporter: gsvelto, Unassigned)

References

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/8159107f-2c41-4fd4-a8b0-c377e0221007

MOZ_CRASH Reason: MOZ_DIAGNOSTIC_ASSERT(mAllocatedPointers->Contains(aPtr))

Top 10 frames of crashing thread:

0 libxul.so mozilla::PresShell::RecordFree layout/base/PresShell.h:1816
0 libxul.so mozilla::PresShell::FreeByObjectID layout/base/PresShell.h:301
0 libxul.so mozilla::PresShell::FreeFrame layout/base/PresShell.h:291
0 libxul.so nsIFrame::DestroyFrom layout/generic/nsIFrame.cpp:930
1 libxul.so nsFrameList::DestroyFramesFrom layout/generic/nsFrameList.cpp:50
1 libxul.so nsContainerFrame::DestroyFrom layout/generic/nsContainerFrame.cpp:228
2 libxul.so nsLineBox::DeleteLineList layout/generic/nsLineBox.cpp:369
2 libxul.so nsBlockFrame::DestroyFrom layout/generic/nsBlockFrame.cpp:482
3 libxul.so nsLineBox::DeleteLineList layout/generic/nsLineBox.cpp:369
3 libxul.so nsBlockFrame::DestroyFrom layout/generic/nsBlockFrame.cpp:482

I flagged this bug as regressed by 1759396 because the assertion was introduced there. Note that since diagnostic assertions are only hit on nightly and early beta the crash volume might be deceptively low.

Set release status flags based on info from the regressing bug 1759396

:dholbert, since you are the author of the regressor, bug 1759396, could you take a look?

For more information, please visit auto_nag documentation.

status-firefox105: --- → affected
status-firefox106: --- → affected
status-firefox107: --- → affected
status-firefox-esr102: --- → affected
Flags: needinfo?(dholbert)

(In reply to Gabriele Svelto [:gsvelto] from comment #0)

I flagged this bug as regressed by 1759396 because the assertion was introduced there.

Correction (and removing that association): that bug didn't introduce the assertion; it just touched that line, with an essentially nonfunctional tweak[1] to avert an OOM condition. That tweak wouldn't have had any chance of making the assertion fire more often.

The diagnostic assertion really goes back at least as far as https://hg.mozilla.org/mozilla-central/rev/a0414a6c423bd33ea684d97458eb7b85eb664afe for bug 1436505 (before which point it was a debug-only assertion, so really it goes back even further).

Flags: needinfo?(dholbert)
Keywords: regression
No longer regressed by: 1759396

It does look like there's been a suspicious recent spike in failures here.

18 reports in the past year (since 10/11/2021), which are:

  • 4 in May, June, early July, and late July (all on Android 102 prerelease builds)
  • 14 since the beginning of September (mostly on Windows, aside from 2 on Linux and 1 on Android. Firefox versions 105-107).

Still lowish frequency but worth keeping an eye on...

(I'm not seeing any repetitions or anything suspicious among the URLs, for the crash reports that include URLs. One is from YouTube, one is from eBay, one is from Roblox, and one is a Google search results page; and then there are 2 domains that I don't recognize but also look innocuous.)

Since the crash volume is low (less than 5 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.

For more information, please visit auto_nag documentation.

Severity: S2 → S3

Some popular sites in recent reports (since comment 4) -- my redactions noted with [...]:

about:blank
about:newtab 
https://www.twitch.tv
https://www.facebook.com/profile.php?id=[...]
https://www.reddit.com/user/[...]/
https://www.youtube.com/watch?v=[...]
https://www.betking.com/sports/s/event/p/[...]
https://mastodon.[...]/@[...]

As emilio alluded to over in bug 1817078 comment 4: given the popularity of these sites (and eBay/Roblox/Google from comment 4), and the very small amount of crash volume, this bug seems to be consistent with users experiencing random bit flips, which cause them to trip this assertion, on whatever site they happen to be on at the time.

There's some overhead associated with this tracking, so emilio is making the associated structures and assertions debug-only in bug 1817078. That means this bug's diagnostic-assert crash volume will go away, via bug 1817078's patch.

So this is sort-of fixed-by bug 1817078 (in terms of the crash volume with this signature), and sort-of presumed INVALID as in random bit-flips (in terms of the underlying thing that we think was causing users to hit this).

Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox110: --- → wontfix
status-firefox111: --- → wontfix
status-firefox112: --- → fixed
status-firefox-esr102: affectedwontfix
Depends on: 1817078
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.