mozilla::PresShell::DoFlushPendingNotifications reentrancy during mozilla::VsyncRefreshDriverTimer::TickRefreshDriver, caused by nsMenuPopupFrame::DestroyFrom
Categories
(Core :: Layout, defect)
People
(Reporter: yannis, Unassigned)
Details
(Whiteboard: [win:stability])
Attachments
(1 file: 20.47 KB, text/plain)
While iterating over the proto signatures of the attached crash signature, I found instances of a mozilla::PresShell::DoFlushPendingNotifications
reentrancy that seems to be still present in 117 nightly. It produces crashes on MOZ_DIAGNOSTIC_ASSERT(!mForbiddenToFlush) (This is bad!)
in nightly and early beta. I am not sure if there is currently a release crash associated with this reentrancy, as it is hard to guess its consequences.
Example crash report in Nightly 117: here
Top frames in the call stack (will attach full stack in next comment):
# Child-SP RetAddr Call Site
00 (Inline Function) --------`-------- xul!AnnotateMozCrashReason+0x11 [/builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h @ 46]
01 000000b4`435f7460 00007ffd`339fcc35 xul!mozilla::PresShell::DoFlushPendingNotifications+0x25c4 [/builds/worker/checkouts/gecko/layout/base/PresShell.cpp @ 4184]
02 (Inline Function) --------`-------- xul!mozilla::PresShell::FlushPendingNotifications+0x3f [/builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h @ 1464]
03 000000b4`435f76c0 00007ffd`32d5019d xul!mozilla::dom::Document::FlushPendingNotifications+0xf5 [/builds/worker/checkouts/gecko/dom/base/Document.cpp @ 10916]
04 (Inline Function) --------`-------- xul!mozilla::dom::Document::FlushPendingNotifications+0x9 [/builds/worker/checkouts/gecko/dom/base/Document.cpp @ 10849]
05 (Inline Function) --------`-------- xul!mozilla::ContentEventHandler::InitBasic+0x1e [/builds/worker/checkouts/gecko/dom/events/ContentEventHandler.cpp @ 258]
06 000000b4`435f7720 00007ffd`32d50548 xul!mozilla::ContentEventHandler::InitCommon+0xed [/builds/worker/checkouts/gecko/dom/events/ContentEventHandler.cpp @ 335]
07 000000b4`435f77d0 00007ffd`32d5108e xul!mozilla::ContentEventHandler::Init+0x68 [/builds/worker/checkouts/gecko/dom/events/ContentEventHandler.cpp @ 403]
08 000000b4`435f7840 00007ffd`32d5098e xul!mozilla::ContentEventHandler::OnQueryTextContent+0x2e [/builds/worker/checkouts/gecko/dom/events/ContentEventHandler.cpp @ 1484]
09 000000b4`435f7930 00007ffd`32d59348 xul!mozilla::ContentEventHandler::HandleQueryContentEvent+0x8e [/builds/worker/checkouts/gecko/dom/events/ContentEventHandler.cpp @ 1318]
0a 000000b4`435f7970 00007ffd`32d4a827 xul!mozilla::IMEContentObserver::HandleQueryContentEvent+0xf8 [/builds/worker/checkouts/gecko/dom/events/IMEContentObserver.cpp @ 664]
Comment 1 • 1 year ago (Reporter)
Comment 2 • 1 year ago
Ideally we could cut this stack off as close to nsMenuPopupFrame::DestroyFrom as possible. Make whatever work we can async, and only do what we have to there.
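A simplified model of the reentrancy reported above and of the deferral suggested in Comment 2, as an added example that is not Gecko code and not part of the original comments. The `Shell` class, its task queues and both helper functions are hypothetical; only the `mForbiddenToFlush` flag name is taken from the assertion quoted in the report.

```cpp
#include <functional>
#include <utility>
#include <vector>

// Toy model (hypothetical names): a flush that forbids nested flushes.
class Shell {
 public:
  using Task = std::function<void()>;
  // Returns false when entered while a flush is already running, which is
  // the condition MOZ_DIAGNOSTIC_ASSERT(!mForbiddenToFlush) reports.
  bool Flush() {
    if (mForbiddenToFlush) { ++mReentries; return false; }
    mForbiddenToFlush = true;
    Drain(mDuringFlush);  // teardown work that runs in the middle of the flush
    mForbiddenToFlush = false;
    Drain(mAfterFlush);   // deferred work runs only after the flush is done
    return true;
  }
  void RunDuringFlush(Task t) { mDuringFlush.push_back(std::move(t)); }
  void RunAfterFlush(Task t) { mAfterFlush.push_back(std::move(t)); }
  int Reentries() const { return mReentries; }
 private:
  static void Drain(std::vector<Task>& queue) {
    std::vector<Task> work;
    work.swap(queue);  // tasks queued while draining wait for the next pass
    for (auto& task : work) task();
  }
  bool mForbiddenToFlush = false;
  int mReentries = 0;
  std::vector<Task> mDuringFlush, mAfterFlush;
};

// Synchronous teardown: the destroy path needs layout data and flushes at once.
int SyncTeardownReentries() {
  Shell shell;
  shell.RunDuringFlush([&] { shell.Flush(); });
  shell.Flush();
  return shell.Reentries();
}

// Deferred teardown: the destroy path only queues the query for later.
int DeferredTeardownReentries() {
  Shell shell;
  bool ran = false;
  shell.RunDuringFlush([&] { shell.RunAfterFlush([&] { ran = shell.Flush(); }); });
  shell.Flush();
  return ran ? shell.Reentries() : -1;
}

int main() { return (SyncTeardownReentries() == 1 && DeferredTeardownReentries() == 0) ? 0 : 1; }
```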
Comment 3 • 1 year ago (Reporter)
To give an idea of the volume in recent versions, this bug explains 11 of the 45 crashes received in 116 early beta on this signature, so ~25% of the volume. Bug 1809492, where we think this signature is what causes the associated release crash, explains ~64% of the same volume.
Comment 4 • 11 months ago
bug 1845904 should fix this too.