Closed Bug 458961 Opened 17 years ago Closed 17 years ago

[10.4] top crash [@ 0xfffeff20][@ libobjc.A.dylib@0x24c7][@ objc_msgSend][@ nsObjCExceptionLogAbort][@ nsNativeThemeCocoa::DrawCellWithScaling]

Categories

(Core :: Widget: Cocoa, defect)

Product:
Core
Component:
Widget: Cocoa
Platform:
All
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.1b2

People

(Reporter: samuel.sidler+old, Assigned: smichaud)

References

(
URL
)

Details

(4 keywords)

Crash Data

Attachments

(2 files, 2 obsolete files)

Another experimental patch
4.82 KB, patch
mstange
: review+
stuart.morgan+bugzilla
: review+
vlad
: superreview+
Details | Diff | Splinter Review
1.9.0-branch version of patch, rev1
4.75 KB, patch
mstange
: review+
dveditz
: approval1.9.0.6+
Details | Diff | Splinter Review
I'm still digging into this one, but there's a topcrash (currently #7) that only affects PPC Macs. The comments are relatively spread out with a few talking about searching and a few talking about printing. The stack is a bit more informative: From bp-a3654c07-94b6-11dd-b908-001cc45a2c28 Crashing Thread Frame Module Signature [Expand] Source 0 @0xfffeff20 1 XUL nsNativeThemeCocoa::DrawCellWithScaling mozilla/widget/src/cocoa/nsNativeThemeCocoa.mm:291 2 XUL nsNativeThemeCocoa::DrawPushButton mozilla/widget/src/cocoa/nsNativeThemeCocoa.mm:460 3 XUL nsNativeThemeCocoa::DrawWidgetBackground mozilla/widget/src/cocoa/nsNativeThemeCocoa.mm:1115 4 XUL nsCSSRendering::PaintBackgroundWithSC mozilla/layout/base/nsCSSRendering.cpp:3491 5 XUL nsCSSRendering::PaintBackground mozilla/layout/base/nsCSSRendering.cpp:3343 6 XUL nsButtonFrameRenderer::PaintBorderAndBackground mozilla/layout/forms/nsButtonFrameRenderer.cpp:228 7 XUL nsDisplayButtonBorderBackground::Paint mozilla/layout/forms/nsButtonFrameRenderer.cpp:145 8 XUL nsDisplayList::Paint const mozilla/layout/base/nsDisplayList.cpp:296 9 XUL PresShell::RenderDocument mozilla/layout/base/nsPresShell.cpp:5000 10 XUL nsCanvasRenderingContext2D::DrawWindow mozilla/content/canvas/src/nsCanvasRenderingContext2D.cpp:2391 11 libgoogleintercept.dylib libgoogleintercept.dylib@0x4340 12 libgoogleintercept.dylib libgoogleintercept.dylib@0x3ccc 13 XUL nsDocLoader::FireOnStateChange mozilla/uriloader/base/nsDocLoader.cpp:1235 14 XUL nsDocLoader::FireOnStateChange mozilla/uriloader/base/nsDocLoader.cpp:1242 15 XUL nsDocLoader::FireOnStateChange mozilla/uriloader/base/nsDocLoader.cpp:1242 16 XUL nsDocLoader::doStopDocumentLoad mozilla/uriloader/base/nsDocLoader.cpp:858 17 XUL nsDocLoader::DocLoaderIsEmpty mozilla/uriloader/base/nsDocLoader.cpp:763 18 XUL nsDocLoader::OnStopRequest mozilla/uriloader/base/nsDocLoader.cpp:679 19 XUL nsLoadGroup::RemoveRequest mozilla/netwerk/base/src/nsLoadGroup.cpp:688 20 XUL nsDocument::DoUnblockOnload mozilla/content/base/src/nsDOMSerializer.cpp:5741 21 XUL nsImageLoadingContent::Event::~Event mozilla/gfx/cairo/libpixman/src/pixman-access-accessors.c:786 22 XUL nsRunnable::Release nsThreadUtils.cpp:51 23 XUL nsThread::ProcessNextEvent mozilla/xpcom/threads/nsThread.cpp:542 24 XUL NS_ProcessPendingEvents_P nsThreadUtils.cpp:180 25 XUL nsBaseAppShell::NativeEventCallback mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:121 26 XUL nsAppShell::ProcessGeckoEvents mozilla/widget/src/cocoa/nsAppShell.mm:302 27 CoreFoundation CoreFoundation@0x242fc 28 CoreFoundation CoreFoundation@0x2382c 29 CoreFoundation CoreFoundation@0x232ac 30 HIToolbox HIToolbox@0x8b1c 31 HIToolbox HIToolbox@0x81b0 32 HIToolbox HIToolbox@0x801c 33 AppKit AppKit@0x8730 34 AppKit AppKit@0x83f4 35 AppKit AppKit@0x4938 36 XUL nsAppShell::Run mozilla/widget/src/cocoa/nsAppShell.mm:591 37 XUL nsAppStartup::Run mozilla/toolkit/components/startup/src/nsAppStartup.cpp:181 38 XUL XRE_main mozilla/toolkit/xre/nsAppRunner.cpp:3174 39 firefox-bin main mozilla/browser/app/nsBrowserApp.cpp:158 40 firefox-bin start crt.c:272 41 firefox-bin start 42 @0xfffffffe The implication, to me, is that it's happening when drawing buttons, potentially when zoomed in? I could be wrong, but that's a guess based on the stack. Still digging, as I said...
Flags: wanted1.9.0.x+
CVS blame for the first three files points to bug 422248 (vlad), bug 418497 (vlad again), and a backout of bug 54488 in May (Josh did the backing out).
Note also: While the crash report in comment 0 includes libgoogleintercept.dll, other reports don't, but do include the first three lines (after 0xfffeff20). For example, bp-b3984b00-9477-11dd-942e-001a4bd43ed6 (expanded for reference): Crashing Thread Frame Module Signature Source 0 @0xfffeff20 1 XUL nsNativeThemeCocoa::DrawCellWithScaling(NSCell*, CGContext*, CGRect const&, _NSControlSize, float, float, float, float, float const (*) [3][4], int) mozilla/widget/src/cocoa/nsNativeThemeCocoa.mm:291 2 XUL nsNativeThemeCocoa::DrawPushButton(CGContext*, CGRect const&, int, int, int) mozilla/widget/src/cocoa/nsNativeThemeCocoa.mm:460 3 XUL nsNativeThemeCocoa::DrawWidgetBackground(nsIRenderingContext*, nsIFrame*, unsigned char, nsRect const&, nsRect const&) mozilla/widget/src/cocoa/nsNativeThemeCocoa.mm:1115 4 XUL nsCSSRendering::PaintBackgroundWithSC(nsPresContext*, nsIRenderingContext&, nsIFrame*, nsRect const&, nsRect const&, nsStyleBackground const&, nsStyleBorder const&, nsStylePadding const&, int, nsRect*) mozilla/layout/base/nsCSSRendering.cpp:3491
Summary: PPC-only top crash [@ 0xfffeff20] → PPC-only top crash [@ 0xfffeff20] [@ nsNativeThemeCocoa::DrawCellWithScaling]
Yesterday I landed a patch (for bug 444864) on the 1.9.0 branch that changes nsNativeThemeCocoa::DrawCellWithScaling(). Let's see if that makes any difference here.
Yeah, you would. ;) Stephen, do you remember what you're doing when it happens? Anything special? Certain types of pages open? Zooming? Printing? If you were using a build from Oct 12, it's clearly not fixed yet even though bug 444864 landed on Sept 17 (on m-c)...
Here's a search for crashes in nsNativeThemeCocoa::DrawCellWithScaling on the 1.9.1 branch (and limited to OS X), over the last two weeks: http://crash-stats.mozilla.com/?do_query=1&branch=1.9.1&platform=mac&query_search=stack&query_type=contains&query=nsNativeThemeCocoa%3A%3ADrawCellWithScaling&date=&range_value=2&range_unit=weeks It returns a grand total of 16 crashes :-) If this is all, then clearly something else is going on (outside of nsNativeThemeCocoa::DrawCellWithScaling) to trigger these crashes. But could Socorro be miscounting (or missing) 1.9.1-branch crashes?
Those 16 crashes make it a topcrash on 1.9.1 (in the top 20). My guess is also that people who use beta builds are more likely to have Intel processors ("cutting edge") while regular users are still split pretty evenly (or were last I knew, anyway).
(In reply to comment #5) > Yeah, you would. ;) > > Stephen, do you remember what you're doing when it happens? Anything special? > Certain types of pages open? Zooming? Printing? If you were using a build from > Oct 12, it's clearly not fixed yet even though bug 444864 landed on Sept 17 (on > m-c)... Sadly, I can't remember anything helpful, but I can say that it's not when printing, although I do zoom a fair amount, so it could be related to that; I'll keep my eyes open. Also, it would help if we could extract the URL that's automatically submitted with the incident listed in comment 4; I remember that at least one time I crashed, I only had two tabs open...
Ah ha! I was confused for a second, but this isn't a PPC-only crash. The top frame 0xfffeff20 is the PPC frame while libobjc.A.dylib@0x24c7 is the Intel summary. Combined, that makes this crash #5 overall.
Summary: PPC-only top crash [@ 0xfffeff20] [@ nsNativeThemeCocoa::DrawCellWithScaling] → top crash [@ 0xfffeff20][@ libobjc.A.dylib@0x24c7][@ nsNativeThemeCocoa::DrawCellWithScaling]
Ok, I've hit this thing as well. I've got a nearly reproducible setup for it, happens about 90% of the time. Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9.1b2pre) Gecko/20081014 Minefield/3.1b2pre 1. Turn on both jit engines 2. go to maps.google.com (seems to help to have several tabs open of other things). 3. do a directions from point a to point b map -> it might crash there, if not keep going 4. quit minefield 5. session restore to your old setup, ensure that the active tab you're coming back to is the google maps tab. While tracking this down I also encountered another crash inside the javascript engine, not sure if it is somehow related to this one those reports are here: * http://crash-stats.mozilla.com/report/index/710dd151-9ca5-11dd-aac0-0013211cbf8a?p=1 * http://crash-stats.mozilla.com/report/index/74bace8f-9ca5-11dd-bfd0-001a4bd43ef6?p=1 it does not seem to happen if you turn off either of the jits. Extensions installed: Dom Inspector, Feedly, Geolocation, Venkman, JS Bridge, Mozmill, QA Companion, Ubiquity It does not seem to happen on a clean profile.
(In reply to comment #10) > 1. Turn on both jit engines Just a word of note: This is a topcrash for Firefox 3.0.3, which doesn't have JIT. It's certainly possible (and likely?) that JIT makes this crash occur more frequently, but whatever fix should *not* be in JIT, but should happen in (probably) widget code. Your other crashes look like JS crashes, possibly JIT crashes. I'd file them separately.
The libobjc crashes might also show up as objc_msgSend, and these crashes also show up under nsObjCExceptionLogAbort. http://crash-stats.mozilla.com/?do_query=1&branch=1.9&version=Firefox%3A3.0.3&platform=mac&query_search=stack&query_type=contains&query=nsNativeThemeCocoa%3A%3ADrawCellWithScaling&date=&range_value=1&range_unit=days shows that in the past *day* there have been over 700 crashes just from Firefox 3.0.3 alone that are very highly likely to be this bug.* * We can't search by "Frame 1 is foo", alas, so it's possible that there are other stacks there that just happen to contain nsNativeThemeCocoa::DrawCellWithScaling somewhere else in the top 10 frames, but still, probability is strongly in this bug's "favor".
Summary: top crash [@ 0xfffeff20][@ libobjc.A.dylib@0x24c7][@ nsNativeThemeCocoa::DrawCellWithScaling] → top crash [@ 0xfffeff20][@ libobjc.A.dylib@0x24c7][@ objc_msgSend][@ nsObjCExceptionLogAbort][@ nsNativeThemeCocoa::DrawCellWithScaling]
As far as I can see this is a 10.4-only crash. It occurs in this line: [NSGraphicsContext setCurrentContext:savedContext]; and only when nsCanvasRenderingContext2D::DrawWindow or nsPrintEngine::PrintPage are on the stack - i.e. only when painting into an invisible context. Over the weekend I hit this crash about 10 times on my Macbook, but when I finally decided to track it down I couldn't reproduce it anymore...
Assignee: joshmoz → mstange
Status: NEW → ASSIGNED
Hardware: Macintosh → All
Blocks: 458205
Using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9.1b2pre) Gecko/20081104 Minefield/3.1b2pre, I am crashing quite a bit in this stack. I have been switching in and out of Private Browsing, and when I put focus back on a tab I seem to crash pretty regularly. Breakpad is http://crash-stats.mozilla.com/report/index/62d4161c-aa99-11dd-bda9-001cc45a2c28. As Markus states in Comment 13, I have only hit this on Tiger and not on Leopard.
Here are a fairly good set of STR to reproduce this bug using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9.1b2pre) Gecko/20081104 Minefield/3.1b2pre. 1. Open a set of tabs in regular browsing mode. 2. Switch to PB mode by using the Tools menu item. Open a few more tabs. 3. Switch back to regular browsing mode. Click on a tab. Crash. Ack.
(In reply to comment #16) I've tried this a couple of times, and didn't see any crash (testing with today's Minefield nightly on OS X 10.4.11). More detail, please :-) > Click on a tab. Click where on the tab?
I am having a crashfest today with this stack on Tiger, nominating for blocking so it gets some additional consideration.
Flags: blocking1.9.1?
I just crashed with a different set of STR. Here they are. Testing with a relatively fresh profile with no extensions, JIT content enabled (as it is now by default). 1. View | Sidebar History (Open the history sidebar) 2. Tools | Private Browsing (Pref it on by selecting the menu item) 3. After the Private browsing session launches, Ctrl+T to open a new tab. 4. Focus the location bar. Start typing some text. As soon as I hit Step 4, I crashed. The odd thing about this bug is that the crashes seem to come at different times - when typing in the location bar, once when just focusing a tab that had cnn.com loaded, and the first time I crashed was merely switching in and out of the Private Browsing mode.
(In reply to comment #19) I assume you mean cmd-t in step 3. > 4. Focus the location bar. Start typing some text. The location bar should already be focused (after you did cmd-t in step 3). Something else going on?
Attached patch experimental patch (obsolete) — Splinter Review
I just started try server builds with this patch. I haven't had a chance to test it yet.
(In reply to comment #21) Looks worth a try.
Yes, sorry cmd+t. You are right that the location bar is focused. When I just tested again I then opened another tab and started typing a new URL in the location bar, and it crashed immediately. > (In reply to comment #19) > > I assume you mean cmd-t in step 3. > > > 4. Focus the location bar. Start typing some text. > > The location bar should already be focused (after you did cmd-t in > step 3). Something else going on?
Marcia, looks like I can't reproduce either of your STRs (from comment #16 and comment #19). But you can try Markus' tryserver build (of the patch from comment #21) once it's done. That may take a while, though -- the tryservers are very popular today.
I will also try to reproduce this on the Lab machine running Tiger.
Er... somehow the Mac tryserver build has skipped me.
I created my own build: http://tests.themasta.com/fastscrolling_firefox-3.1b2pre.en-US.mac.dmg Marcia, could you test if you can reproduce the crash with this build?
I tested on a machine in the lab with a new profile and also can reproduce this crash using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9.1b2pre) Gecko/20081104 Minefield/3.1b2pre. I will try the build in Comment 29 and report back with my findings.
BTW, I forgot the post a better set of STR: 1. Start with a fresh profile and fire up the browser 2. Tools ->Private Browsing to turn on the feature. 3. After the Private Browsing Session launches, open one new tab. Immediately open a second tab. 4. After Step 3, I crash 99% of the time. Although Bug 461715 was filed on Camino, it has a similar stack and the trigger point seems to involve two tabs.
Unfortunately the Build noted in Comment 29 gives me a 404 :(
I gave the build in Comment 33 a quick whirl and it looks much better - I have not yet been able to crash following the STR in Comment 31.
(In reply to comment #34) One question for you, Marcia: Do you see error messages in the system console testing with Markus' test build (from comment #33), especially where you'd normally crash using other builds? The errors I'm looking for (the ones you might be seeing) are complaints about failures to restore a graphics state (because a call was made to [NSGraphicsContext restoreGraphicsState] without a matching (prior) call to [NSGraphicsContext saveGraphicsState]).
> The errors I'm looking for (the ones you might be seeing) are > complaints about failures to restore a graphics state (because a > call was made to [NSGraphicsContext restoreGraphicsState] without a > matching (prior) call to [NSGraphicsContext saveGraphicsState]). Or errors that happened because the "current graphics context" (the result of [NSGraphicsContext currentContext]) changed between a call to [NSGraphicsContext saveGraphicsState] and the matching call to [NSGraphicsContext restoreGraphicsState].
Steven: here are the two errors I saw this AM while running the build: 2008-11-05 10:00:59.111 firefox-bin[1527] *** -[NSImage isDrawingToScreen]: selector not recognized [self = 0x117efc70] 2008-11-05 10:00:59.114 firefox-bin[1527] Mozilla has caught an Obj-C exception [NSInvalidArgumentException: *** -[NSImage isDrawingToScreen]: selector not recognized [self = 0x117efc70]]
I'd love to see a fix but I don't think we need to block on this. It is not a regression and it is PPC only. If we don't have a fix by the release we can always fix it in an update.
Flags: wanted1.9.1+
Flags: blocking1.9.1?
Flags: blocking1.9.1-
Josh, see comment 9. This isn't PPC-only. This needs more attention and I really think it should block. This is a topcrash that should get looked at all around. Re-nominating since this affects all Mac platforms (but might be 10.4-only).
Flags: blocking1.9.1- → blocking1.9.1?
Attachment #346300 - Flags: review?(smichaud)
Yes, this is a bad problem (and yes it also happens on Intel). But it's not yet reproducible (despite Marcia's best efforts). And, though it may be possible to work around the problem (as Markus' patch might do), we very likely won't be able to *fix* it until we can reproduce it (it's unlikely that we'll fully understand this problem until we can reproduce it).
Comment on attachment 346300 [details] [diff] [review] experimental patch I can't r+ this until I better understand the error messages Marcia reported in comment #37. I should be able to spend several hours on this today.
(Following up comment #40) Furthermore, since this seems to be 10.4-only, it's probably caused by an Apple bug. So whatever "fix" we come up with will probably just work around Apple's bug.
blocking1.9.1- again based Steven's info (comment #40 and comment #42). This should be a priority because it is a topcrash in a shipping product - the release of Gecko 1.9.1 is not as relevant as this is not a regression.
Flags: blocking1.9.1? → blocking1.9.1-
Comment on attachment 346300 [details] [diff] [review] experimental patch Marcia's errors from comment #37 tell me that something is trying to call a method on ("send a message to") the address of an object that was deleted, then allocated as another (different kind of) object. If that's truly a consequence of Markus' patch (if all Markus' patch does is to shift this bug's problem elsewhere), I don't think we can use it. So I'm r-minusing it. Markus, barring unforeseen interruptions, I'm going to be spending the rest of today on this bug. Between the two of us, we may be able to come up with something :-) 'isDrawingToScreen' isn't an NSImage method. But it *is* an NSGraphicsContext method (and also a method of a bunch of undocumented classes that seem related to NSGraphicsContext). So the object that was deleted and replaced was presumably an NSGraphicsContext object (or it belonged to one of those other, undocumented classes).
Attachment #346300 - Flags: review?(smichaud) → review-
This patch certainly looks like a good step forward in terms of code correctness though, even if it's not the whole fix; there doesn't appear to be anything in the current code that would guarantee that savedContext is actually still valid by the end of the function. I'd also suggest making a build that nil-checks cgContext, ctx, and the return values of graphicsContextWithGraphicsPort:flipped: and logs problems to see if that's happening, since the methods that take them may not handle nil arguments (as is often the case for Apple's frameworks). Steven, can you explain the source of this comment? // [NSView focusView] may return nil here, but // [NSCell drawWithFrame:inView:] can deal with that. The docs for the method don't say that; is it just based on testing? If so, I strongly recommend nil-checking that as well.
(In reply to comment #45) > Steven, can you explain the source of this comment? > // [NSView focusView] may return nil here, but > // [NSCell drawWithFrame:inView:] can deal with that. > The docs for the method don't say that; is it just based on testing? It's based on testing. See bug 444864 (that's security related, but I can give you access if you want). Null-checking wherever we can (in a test build) isn't a bad idea. I'm still trying to reproduce this. If I fail I'll put together some kind of testing patch for someone (like Marcia) to use who can reproduce this problem, to gather extra information. > This patch certainly looks like a good step forward in terms of code > correctness though, even if it's not the whole fix As best I can tell, Markus' patch is just a different way of doing the same thing. Which isn't a bad idea ... but it doesn't seem to have avoided the underlying problem.
(In reply to comment #46) > It's based on testing. See bug 444864 (that's security related, but I > can give you access if you want). I read that bug before I asked, but I didn't see anything about how you came to that conclusion, just that it was true. Passing nil to a method that doesn't explicitly say it accepts it is asking for trouble. I would very, very strongly urge you not to rely on one of Apple's frameworks to handle a nil argument based solely on empirical testing. The general rule is that they do not, and they can (and do) change nil handling if it's not documented, so even if it works in all current version of 10.4.x and 10.5.x in certain test scenarios, there's no guarantee at all that it will work in general, or in future versions. Even if it's unrelated to this bug, it's not unlikely to be a source of bugs in the future.
(In reply to comment #46) > As best I can tell, Markus' patch is just a different way of doing the > same thing. Which isn't a bad idea ... but it doesn't seem to have > avoided the underlying problem. Markus's patch avoid the dangerous assumption that savedContext would remain valid, but there were still some explicit setContext: calls that weren't about saving/restoring the old state. I was suggesting Markus's patch *plus* nil checking of the remaining calls to setContext:
(In reply to comment #47) > (In reply to comment #46) > > It's based on testing. See bug 444864 (that's security related, but I > > can give you access if you want). > > I read that bug before I asked, but I didn't see anything about how you came to > that conclusion, just that it was true. IIRC Steven first added the null check but then removed it because reftests were failing; so there are cases when the focusView is nil but we still want to draw. But maybe that's just another bug.
If there are reftests that end up requiring making OS framework calls with nil arguments (that aren't explicitly documented to accept them), that should absolutely be considered a bug in the tests.
Here's a slight modification to Markus' patch. I'm not able to test it (because I'm still not able to reproduce this bug), but Marcia's promised to try it out. I re-read Apple's docs on the NSGraphicsContext class, and particularly on setCurrentContext: and the two sets of saveGraphicsState/restoreGraphicsState methods (the class and instance methods). I also followed the docs' links to Apple sample code that uses these functions. I noticed that, whenever an attempt was made to save and restore "state" around calls to setCurrentContext, the "state" was always saved just beforehand and restored just afterwards. In one case [NSGraphicsContext saveGraphicsState] and [NSGraphicsState restoreGraphicsState] were used. But in the other the currentContext was saved in a variable and restored afterwards (using another call to setCurrentContext). Since Markus had trouble wrapping calls to setCurrentContext with calls to saveGraphicsState and restoreGraphicsState, I took the other approach (as we do in the original code) -- though I made sure to save and restore just before and after the calls to setCurrentContext. I also wrapped both calls to setCurrentContext -- not just the one Markus' patch wraps. Though (as I've just explained) I have reasons for the changes I've made, I'm only guessing that they'll make any difference. Here's a tryserver build made with my patch. https://build.mozilla.org/tryserver-builds/2008-11-07_15:12-smichaud@pobox.com-bugzilla458961-test2/smichaud@pobox.com-bugzilla458961-test2-firefox-try-mac.dmg Marcia, please bang away at it and let us know your results. Tell us whether you see any crashes (and what they are). Also tell us what error messages (if any) you see in the system console. Thanks in advance!
I tested Steve's build in Comment 51. Following the same STR in Comment 31 which crash my Tiger Intel Mac reliably every time, I was not able to crash using this build during my initial test run. Also, I observed no errors in the Error Console or the System Console. I will report back if I encounter any crashes or issues, but so far this build looks as if it has resolved the issue.
Comment on attachment 346998 [details] [diff] [review] Another experimental patch Markus: On the strength of Marcia's good results, I'm asking you to review my patch.
Attachment #346998 - Flags: review?(mstange)
Attachment #346998 - Flags: review?(stuart.morgan+bugzilla)
Marcia, your STR in comment 31 are excellent. I *can* reliably reproduce the crash on my 10.4 machine if I add another step after opening the tabs: 4. Press Ctrl+Tab. Steven, does that work for you, too? Your patch indeed fixes it for me. And I don't see any messages in the console either.
I can confirm that STR from comment 31 with adjustment from comment 54 work for me 100% too. I can reproduce it in a debugger. The second patch fixes the problem for me.
Attachment #346998 - Flags: review?(stuart.morgan+bugzilla) → review+
Attachment #346998 - Flags: superreview?(vladimir)
Attachment #346998 - Flags: review?(mstange)
Attachment #346998 - Flags: review+
I, too, can now reproduce this problem (using Marcia's STR from comment #31 plus Markus' addition from comment #54) -- but only with today's (2008-11-08-02-mozilla-central) and yesterday's (2008-11-07-02-mozilla-central) Minefield nightlies. I can't repro using the 2008-11-06-02-mozilla-central or 2008-11-04-02-mozilla-central nightlies. And (as it happens) yesterday I was testing builds made from code pulled around noon of 2008-11-06 (the rough equivalent of the 2008-11-06 nightly). And I, too, see no problems with my tryserver build (from comment #51, the rough equivalent of today's nightly) -- no crashes, and no errors in the system console. So it looks like this problem's been fixed (or actually that we've worked around the Apple bug, which may be as simple as not retaining and releasing an NSGraphicsContext object on 10.4).
(Following up comment #56) So it looks like, as of the 2008-11-07 Minefield nightly, this problem got much easier to reproduce -- which probably means that, unless we do something now, we'll see a lot more of these crashes. So I'm again requesting blocking. And I think we need to get this patch into beta2.
Flags: blocking1.9.1- → blocking1.9.1?
Comment on attachment 346998 [details] [diff] [review] Another experimental patch odd, but sure, looks good! guess something internally was being twiddled that wasn't being reset properly.
Attachment #346998 - Flags: superreview?(vladimir) → superreview+
Approved for 1.9.1 btw -- add it to https://wiki.mozilla.org/1.9.1_beta_2_checkins and try to get it in today ideally, tomorrow morning at the latest. Thanks!
Flags: blocking1.9.1? → blocking1.9.1+
Landed on mozilla-central (changeset b5dc0e849959).
Assignee: mstange → smichaud
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Nominating for blocking1.9.0.5 since there's now a patch. Note that we won't take this for 1.9.0.5, but will consider it for 1.9.0.6 after it's had sufficient baking (there's just no 1.9.0.6 flags yet).
Flags: blocking1.9.0.5?
Flags: blocking1.9.0.5? → blocking1.9.0.6+
Whiteboard: [needs trunk baking]
Verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9.1b2pre) Gecko/20081110 Minefield/3.1b2pre. I am no longer able to reproduce this crash, which I was able to reproduce rather easily using the STR from Comment 31.
Status: RESOLVED → VERIFIED
Reminder to myself: FF3.1b2 was released yesterday, so let's let this patch bake there for a while before seeking 1.9.0-branch approval. http://crash-stats.mozilla.com/ is still pretty flaky (today it won't give me any results for a range of 1-day or greater). And it no longer lists nightly build-dates in its reports (only the build dates of alphas or betas). But if (say) a week passes and there are no reports of this crash for beta2, this patch should land on the 1.9.0 branch.
Comment on attachment 346998 [details] [diff] [review] Another experimental patch Josh suggests I should seek approval now. And in fact this has been on the trunk (and 1.9.1 branch) for a while without any apparent problems.
Attachment #346998 - Flags: approval1.9.0.6?
Don't we need a new patch for 1.9.0 here? I would think so because bug 394892 didn't land on 1.9.0.
> Don't we need a new patch for 1.9.0 here? Yes, it'll need to be rewritten a bit. I'll post a new one soon.
Attached patch 1.9.0-branch version of patch (obsolete) — Splinter Review
How does this look to you, Markus? It ignores the doSaveCTM parameter. But that shouldn't matter, right?
Attachment #352194 - Flags: review?(mstange)
Attachment #352194 - Flags: approval1.9.0.6?
Attachment #346998 - Flags: approval1.9.0.6?
(In reply to comment #68) > How does this look to you, Markus? Good, except for this: >+ NSGraphicsContext* savedContext = [NSGraphicsContext currentContext]; >+ > // Set up the graphics context we've been asked to draw to. > savedContext = [NSGraphicsContext currentContext]; One of them should be enough. :) > It ignores the doSaveCTM parameter. But that shouldn't matter, right? Right.
> One of them should be enough. :) Argh, yes. Thanks for catching my mistake.
Attachment #352539 - Flags: review?(mstange)
Attachment #352539 - Flags: approval1.9.0.6?
Attachment #352539 - Flags: review?(mstange) → review+
Attachment #352194 - Attachment is obsolete: true
Attachment #352194 - Flags: review?(mstange)
Attachment #352194 - Flags: approval1.9.0.6?
Attachment #346300 - Attachment is obsolete: true
This has been already verfied on 1.9.1 by Marcia a month ago. Setting verified1.9.1 keyword.
Keywords: fixed1.9.1verified1.9.1
Whiteboard: [needs trunk baking]
Comment on attachment 352539 [details] [diff] [review] 1.9.0-branch version of patch, rev1 Approved for 1.9.0.6, a=dveditz for release-drivers.
Attachment #352539 - Flags: approval1.9.0.6? → approval1.9.0.6+
Landed on the 1.9.0 branch: Checking in widget/src/cocoa/nsNativeThemeCocoa.mm; /cvsroot/mozilla/widget/src/cocoa/nsNativeThemeCocoa.mm,v <-- nsNativeThemeCocoa.mm new revision: 1.95; previous revision: 1.94 done
Keywords: fixed1.9.0.6
I wonder if fix will resolve the reports with the stack signature libobjc.A.dylib@0x15688 http://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A3.1b2&query_search=signature&query_type=contains&query=&date=&range_value=1&range_unit=weeks&do_query=1&signature=libobjc.A.dylib%400x15688 comments in the crash reports sound similar but the stack traces vary widely from what is in this report
Chris, this landed on mozilla-central prior to the branch for 1.9.1. If it's not fixed now, there's nothing in this bug that can fix it. :)
Target Milestone: --- → mozilla1.9.1b2
(In reply to comment #74) This bug is 10.4-specific. All of the crash reports in your list are on 10.5. They're probably completely unrelated. Indeed, they probably represent several different (unrelated) bugs. In general, crashes in a given system library are unlikely to be related (even if the address is available, as in this case). It's much better to search by something higher "up" the stack.
Summary: top crash [@ 0xfffeff20][@ libobjc.A.dylib@0x24c7][@ objc_msgSend][@ nsObjCExceptionLogAbort][@ nsNativeThemeCocoa::DrawCellWithScaling] → [10.4] top crash [@ 0xfffeff20][@ libobjc.A.dylib@0x24c7][@ objc_msgSend][@ nsObjCExceptionLogAbort][@ nsNativeThemeCocoa::DrawCellWithScaling]
There are no related crashes listed on 1.9.0. Will mark this verfied1.9.0.6 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.6) Gecko/2009011912 Firefox/3.0.6.
Keywords: fixed1.9.0.6verified1.9.0.6
No longer blocks: 458205
Crash Signature: [@ 0xfffeff20] [@ libobjc.A.dylib@0x24c7] [@ objc_msgSend] [@ nsObjCExceptionLogAbort] [@ nsNativeThemeCocoa::DrawCellWithScaling]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: