Closed Bug 1845266 Opened 1 year ago Closed 11 months ago

mozilla::PresShell::DoFlushPendingNotifications reentrancy during mozilla::VsyncRefreshDriverTimer::TickRefreshDriver, caused by nsMenuPopupFrame::DestroyFrom

Categories

(Core :: Layout, defect)

Desktop
Windows
defect

RESOLVED DUPLICATE of bug 1845904

People

(Reporter: yannis, Unassigned)

Details

(Whiteboard: [win:stability])

Attachments

(1 file)

While iterating over the proto signatures of the attached crash signature, I found instances of a mozilla::PresShell::DoFlushPendingNotifications reentrancy that seems to be still present in 117 nightly. It produces crashes on MOZ_DIAGNOSTIC_ASSERT(!mForbiddenToFlush) (This is bad!) in nightly and early beta. I am not sure if there is currently a release crash associated with this reentrancy, as it is hard to guess its consequences.

Example crash report in Nightly 117: here

Top frames in the call stack (will attach full stack in next comment):

 # Child-SP          RetAddr               Call Site
00 (Inline Function) --------`--------     xul!AnnotateMozCrashReason+0x11 [/builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h @ 46] 
01 000000b4`435f7460 00007ffd`339fcc35     xul!mozilla::PresShell::DoFlushPendingNotifications+0x25c4 [/builds/worker/checkouts/gecko/layout/base/PresShell.cpp @ 4184] 
02 (Inline Function) --------`--------     xul!mozilla::PresShell::FlushPendingNotifications+0x3f [/builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h @ 1464] 
03 000000b4`435f76c0 00007ffd`32d5019d     xul!mozilla::dom::Document::FlushPendingNotifications+0xf5 [/builds/worker/checkouts/gecko/dom/base/Document.cpp @ 10916] 
04 (Inline Function) --------`--------     xul!mozilla::dom::Document::FlushPendingNotifications+0x9 [/builds/worker/checkouts/gecko/dom/base/Document.cpp @ 10849] 
05 (Inline Function) --------`--------     xul!mozilla::ContentEventHandler::InitBasic+0x1e [/builds/worker/checkouts/gecko/dom/events/ContentEventHandler.cpp @ 258] 
06 000000b4`435f7720 00007ffd`32d50548     xul!mozilla::ContentEventHandler::InitCommon+0xed [/builds/worker/checkouts/gecko/dom/events/ContentEventHandler.cpp @ 335] 
07 000000b4`435f77d0 00007ffd`32d5108e     xul!mozilla::ContentEventHandler::Init+0x68 [/builds/worker/checkouts/gecko/dom/events/ContentEventHandler.cpp @ 403] 
08 000000b4`435f7840 00007ffd`32d5098e     xul!mozilla::ContentEventHandler::OnQueryTextContent+0x2e [/builds/worker/checkouts/gecko/dom/events/ContentEventHandler.cpp @ 1484] 
09 000000b4`435f7930 00007ffd`32d59348     xul!mozilla::ContentEventHandler::HandleQueryContentEvent+0x8e [/builds/worker/checkouts/gecko/dom/events/ContentEventHandler.cpp @ 1318] 
0a 000000b4`435f7970 00007ffd`32d4a827     xul!mozilla::IMEContentObserver::HandleQueryContentEvent+0xf8 [/builds/worker/checkouts/gecko/dom/events/IMEContentObserver.cpp @ 664] 

Ideally we could cut this stack off as close to nsMenuPopupFrame::DestroyFrom as possible. Make whatever work we can async, and only do what we have to there.
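
A simplified model of the reentrancy reported in this bug and of the deferral suggested in the comment above, added here as an example; it is not Gecko code and not part of the original thread. All class and member names are hypothetical, and running frame teardown inside a no-flush scope is an assumption of the model.

```cpp
#include <functional>
#include <vector>

// Simplified model of the pattern; every name is hypothetical, not Gecko code.
class Shell {
 public:
  // Returns false when called while flushing is forbidden, which is the
  // condition the diagnostic assertion in the report fires on.
  bool Flush() {
    if (mForbidden) { ++mViolations; return false; }
    ++mFlushes;
    return true;
  }

  // One refresh tick: frames are torn down inside a no-flush scope, and
  // deferred work runs only after that scope has ended.
  void Tick(bool deferPopupWork) {
    {
      ForbidScope scope(*this);
      DestroyPopup(deferPopupWork);
    }
    std::vector<std::function<void()>> work;
    work.swap(mDeferred);  // swap first so queued work may queue more work
    for (auto& fn : work) fn();
  }

  int Violations() const { return mViolations; }
  int Flushes() const { return mFlushes; }

 private:
  struct ForbidScope {  // RAII guard that restores the previous state
    explicit ForbidScope(Shell& s) : shell(s), prev(s.mForbidden) { s.mForbidden = true; }
    ~ForbidScope() { shell.mForbidden = prev; }
    Shell& shell;
    bool prev;
  };

  // Frame teardown that needs a content query, which in turn needs a flush.
  void DestroyPopup(bool defer) {
    auto query = [this] { Flush(); };
    if (defer) mDeferred.push_back(query);  // only the bookkeeping stays synchronous
    else query();                           // synchronous path: re-enters Flush()
  }

  bool mForbidden = false;
  int mViolations = 0;
  int mFlushes = 0;
  std::vector<std::function<void()>> mDeferred;
};
```

With the synchronous path the flush request arrives while flushing is forbidden and is counted as a violation; with the deferred path the same request runs after the scope ends and succeeds.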

To give an idea of the volume in recent versions, this bug explains 11 of the 45 crashes received in 116 early beta on this signature, so ~25% of the volume. Bug 1809492, where we think this signature is what causes the associated release crash, explains ~64% of the same volume.

See Also: → 1809492
See Also: → 1845904
See Also: 1845904

bug 1845904 should fix this too.

Status: NEW → RESOLVED
Closed: 11 months ago
Duplicate of bug: 1845904
Resolution: --- → DUPLICATE
See Also: 1809492