Closed Bug 561277 Opened 14 years ago Closed 6 years ago

Firefox Crash @ nsGenericElement::UnbindFromTree

Categories

(Core :: DOM: Core & HTML, defect, P5)

defect

Tracking

()

RESOLVED WORKSFORME
Tracking Status
blocking2.0 --- -

People

(Reporter: chofmann, Unassigned)

References

Details

(Keywords: crash)

Crash Data

spotted while digging for 3.6.4 crashes, but looks like it has been around for a while. maybe some code inspection can figure out what's going in with these. http://crash-stats.mozilla.com/report/index/43813bda-ee3d-445b-b857-080a92100422 Frame Module Signature [Expand] Source 0 xul.dll nsGenericElement::UnbindFromTree content/base/src/nsGenericElement.cpp:2725 1 xul.dll nsGenericDOMDataNode::UnbindFromTree content/base/src/nsGenericDOMDataNode.cpp:609 2 xul.dll nsGenericElement::UnbindFromTree content/base/src/nsGenericElement.cpp:2725 3 xul.dll nsXULElement::UnbindFromTree content/xul/content/src/nsXULElement.cpp:913 4 xul.dll nsXULElement::UnbindFromTree content/xul/content/src/nsXULElement.cpp:913 5 xul.dll nsCOMPtr_base::assign_from_qi obj-firefox/xpcom/build/nsCOMPtr.cpp:98 6 xul.dll nsXBLBinding::ChangeDocument content/xbl/src/nsXBLBinding.cpp:1184 7 xul.dll nsSubDocumentFrame::`scalar deleting destructor' 8 xul.dll nsINode::GetFlags obj-firefox/dist/include/nsINode.h:736 9 xul.dll nsGenericElement::DestroyContent content/base/src/nsGenericElement.cpp:3450 ... ... repeated frames like 9 seen in 10-38 ... 39 xul.dll nsGenericElement::DestroyContent content/base/src/nsGenericElement.cpp:3461 40 xul.dll nsDocument::Destroy content/base/src/nsDocument.cpp:6920 41 xul.dll DocumentViewerImpl::Destroy layout/base/nsDocumentViewer.cpp:1578 42 xul.dll DocumentViewerImpl::Show layout/base/nsDocumentViewer.cpp:1918 43 xul.dll nsPresContext::EnsureVisible layout/base/nsPresContext.cpp:1588 44 xul.dll PresShell::UnsuppressAndInvalidate layout/base/nsPresShell.cpp:4647 45 xul.dll PresShell::ProcessReflowCommands layout/base/nsPresShell.cpp:7470 46 xul.dll PresShell::FlushPendingNotifications layout/base/nsPresShell.cpp:4910 47 xul.dll PresShell::ReflowEvent::Run layout/base/nsPresShell.cpp:7099 48 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:527 49 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:118 50 xul.dll xul.dll@0x9a4307 51 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:199 52 xul.dll nsComponentManagerImpl::GetServiceByContractID xpcom/components/nsComponentManager.cpp:2199 53 xul.dll xul.dll@0x307d13 54 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:173 55 nspr4.dll _PR_MD_CLEAN_THREAD nsprpub/pr/src/md/windows/w95thred.c:21 more at http://crash-stats.mozilla.com/report/list?range_value=2&range_unit=weeks&signature=nsGenericElement%3A%3AUnbindFromTree%28int%2C%20int%29&version=Firefox%3A3.6.4 possible related signature list 42 nsGenericElement::UnbindFromTree(int, int) 4 nsCOMPtr_base::assign_with_AddRef(nsISupports*) | nsGenericElement::UnbindFromTree(int, int) 1 _purecall | nsGenericElement::UnbindFromTree(int, int) Correlation to releases checking --- nsGenericElement::UnbindFromTree.int 20100421-crashdata.csv found in: 3.6.3 3.5.9 3.6.4 3.6.3plugin1 3.6 3.5.6 3.5.4 3.0.8 3.0.19 release total-crashes nsGenericElement::UnbindFromTree.int crashes pct. all 383147 47 0.000122668 3.6.3 257898 32 0.00012408 3.5.9 34290 6 0.000174978 3.6.4 16781 3 0.000178774 3.6.3plugin1 397 1 0.00251889 3.6 17989 1 5.55895e-05 3.5.6 1028 1 0.000972763 3.5.4 1294 1 0.000772798 3.0.8 644 1 0.0015528 3.0.19 11658 1 8.5778e-05 os breakdown nsGenericElement::UnbindFromTree.intTotal 42 Win5.1 0.79 Win6.0 0.07 Win6.1 0.12 1 https://finanzportal.fiducia.de/ebpp01/entry?rzid=XC&rzbk=1814 1 https://connect.delta.com/f5-w-687474703a2f2f69637265772e64656c74612e636f6d3a3130303830$$/icrew.html 1 http://www.webtvenvivo.com/ 1 http://www.tvn24.pl/ 1 http://www.qvc.com/qic/qvcapp.aspx/app.detail/params.item.tsv!.tpl.tsv.cm_scid.TSV?cm_re=PROMOTIONS-_-TSV-_-TSV,TSV&cm_sp=TSV-_-HP-_-IMAGE 1 http://www.prosieben.de/video/ 1 http://www.orkut.com/Logout?msg=0&hl=pt-BR 1 http://www.orkut.com.br/Main#Home 1 http://www.orkut.co.in/Main#Home 1 http://www.myz99.com/what_song_was_that/view/
Severity: normal → critical
Keywords: crash
OS: Mac OS X → All
Component: DOM: Other → DOM
blocking2.0: --- → ?
In trunk, since JM merge on 09/12/2010, the crash daily rate has increased from 1 crash/day to 5-21 crashes/day
we might need skip listing to help sort out the new regression. looks like there are several forms of the stack with these being the top 3. many of the b7pre stacks I looked at are like this first one. 10 Firefox xul.dll nsGenericElement::UnbindFromTree(int,int) xul.dll nsStyledElement::UnbindFromTree(int,int) xul.dll nsGenericHTMLElement::UnbindFromTree(int,int) xul.dll nsGenericElement::UnbindFromTree(int,int) xul.dll nsStyledElement::UnbindFromTree(int,int) xul.dll nsGenericHTMLElement::UnbindFromTree(int,int) like http://crash-stats.mozilla.com/report/index/39afdf3b-fe4e-471a-8ff0-1df212100919 many of the 3.6.x reports look like this one. 9 Firefox xul.dll nsGenericElement::UnbindFromTree(int,int) xul.dll nsGenericElement::UnbindFromTree(int,int) xul.dll nsGenericElement::UnbindFromTree(int,int) xul.dll nsGenericElement::UnbindFromTree(int,int) xul.dll nsContentUtils::AddScriptBlocker() xul.dll nsINode::nsSlots::`scalar deleting destructor'(unsigned int) like 98 http://crash-stats.mozilla.com/report/index/bd46b469-4a32-49df-b9de-da88a2100919 this next one looks like mostly 3.6.x as well. 5 Firefox xul.dll nsGenericElement::UnbindFromTree(int,int) xul.dll nsGenericElement::UnbindFromTree(int,int) xul.dll nsGenericElement::UnbindFromTree(int,int) xul.dll nsGenericElement::UnbindFromTree(int,int) xul.dll nsContentUtils::AddScriptBlocker() like http://crash-stats.mozilla.com/report/index/d3a950c4-ebeb-487d-b001-44a552100919
Not blocking Firefox 4 on this unless this raises significantly in frequency.
blocking2.0: ? → -
Is it a dupe of bug 485941 as bug 657455 is?
Crash Signature: [@ nsGenericElement::UnbindFromTree(int, int) ]
Crash Signature: [@ nsGenericElement::UnbindFromTree(int, int) ] → [@ nsGenericElement::UnbindFromTree(int, int) ] [@ nsGenericElement::UnbindFromTree(bool, bool) ]
There's a spike in crashes from 14.0a1/20120315. The regression range for the spike is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=8d1c74566a0b&tochange=082d016c341f It's #2 top crasher in 14.0a1 over the last day. The stack looks like: Frame Module Signature [Expand] Source 0 xul.dll nsGenericElement::UnbindFromTree content/base/src/nsGenericElement.cpp:3276 1 xul.dll nsXULElement::UnbindFromTree content/xul/content/src/nsXULElement.cpp:925 2 xul.dll nsGenericElement::UnbindFromTree content/base/src/nsGenericElement.cpp:3326 3 xul.dll nsXULElement::UnbindFromTree content/xul/content/src/nsXULElement.cpp:925 4 xul.dll nsGenericElement::RemoveChildAt content/base/src/nsGenericElement.cpp:3845 5 xul.dll nsXULElement::RemoveChildAt content/xul/content/src/nsXULElement.cpp:997 6 xul.dll nsINode::ReplaceOrInsertBefore content/base/src/nsGenericElement.cpp:4260 7 xul.dll nsINode::ReplaceOrInsertBefore obj-firefox/dist/include/nsINode.h:1480 8 xul.dll nsINode::ReplaceChild obj-firefox/dist/include/nsINode.h:527 9 xul.dll nsIDOMNode_ReplaceChild obj-firefox/js/xpconnect/src/dom_quickstubs.cpp:5311 10 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:514 11 mozjs.dll js::Interpret js/src/jsinterp.cpp:2710 12 mozjs.dll js::ContextStack::pushInvokeFrame js/src/vm/Stack.cpp:778 13 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:529 14 mozjs.dll mozjs.dll@0x789f More reports at: https://crash-stats.mozilla.com/report/list?signature=nsGenericElement%3A%3AUnbindFromTree%28bool%2C+bool%29
Depends on: CVE-2009-1232
Keywords: topcrash
Hardware: x86 → All
Summary: Firefox Crash [@ nsGenericElement::UnbindFromTree(int, int) ] → Firefox Crash @ nsGenericElement::UnbindFromTree
Crash Signature: [@ nsGenericElement::UnbindFromTree(int, int) ] [@ nsGenericElement::UnbindFromTree(bool, bool) ] → [@ nsGenericElement::UnbindFromTree(int, int) ] [@ nsGenericElement::UnbindFromTree(bool, bool) ] [@ nsGenericElement::UnbindFromTree ]
Crashes after the spike are correlated to Video DownloadHelper: 100% (29/29) vs. 17% (64/376) {b9db16a4-6edc-47ec-a1f4-b86292ed211d} (Video DownloadHelper, https://addons.mozilla.org/addon/3006)
Depends on: 736695
Keywords: topcrash
https://bugzilla.mozilla.org/show_bug.cgi?id=1472046 Move all DOM bugs that haven’t been updated in more than 3 years and has no one currently assigned to P5. If you have questions, please contact :mdaly.
Priority: -- → P5
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.