Closed Bug 561277 Opened 14 years ago Closed 6 years ago

Firefox Crash @ nsGenericElement::UnbindFromTree

Categories

(Core :: DOM: Core & HTML, defect, P5)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
blocking2.0 --- -

People

(Reporter: chofmann, Unassigned)

References

Details

(Keywords: crash)

Crash Data

spotted while digging for 3.6.4 crashes, but looks like it has been around for a while.  maybe some code inspection can figure out what's going in with these.

http://crash-stats.mozilla.com/report/index/43813bda-ee3d-445b-b857-080a92100422

Frame  	Module  	Signature [Expand]  	Source
0 	xul.dll 	nsGenericElement::UnbindFromTree 	content/base/src/nsGenericElement.cpp:2725
1 	xul.dll 	nsGenericDOMDataNode::UnbindFromTree 	content/base/src/nsGenericDOMDataNode.cpp:609
2 	xul.dll 	nsGenericElement::UnbindFromTree 	content/base/src/nsGenericElement.cpp:2725
3 	xul.dll 	nsXULElement::UnbindFromTree 	content/xul/content/src/nsXULElement.cpp:913
4 	xul.dll 	nsXULElement::UnbindFromTree 	content/xul/content/src/nsXULElement.cpp:913
5 	xul.dll 	nsCOMPtr_base::assign_from_qi 	obj-firefox/xpcom/build/nsCOMPtr.cpp:98
6 	xul.dll 	nsXBLBinding::ChangeDocument 	content/xbl/src/nsXBLBinding.cpp:1184
7 	xul.dll 	nsSubDocumentFrame::`scalar deleting destructor' 	
8 	xul.dll 	nsINode::GetFlags 	obj-firefox/dist/include/nsINode.h:736
9 	xul.dll 	nsGenericElement::DestroyContent 	content/base/src/nsGenericElement.cpp:3450
...
... repeated frames like 9 seen in 10-38
...
39 	xul.dll 	nsGenericElement::DestroyContent 	content/base/src/nsGenericElement.cpp:3461
40 	xul.dll 	nsDocument::Destroy 	content/base/src/nsDocument.cpp:6920
41 	xul.dll 	DocumentViewerImpl::Destroy 	layout/base/nsDocumentViewer.cpp:1578
42 	xul.dll 	DocumentViewerImpl::Show 	layout/base/nsDocumentViewer.cpp:1918
43 	xul.dll 	nsPresContext::EnsureVisible 	layout/base/nsPresContext.cpp:1588
44 	xul.dll 	PresShell::UnsuppressAndInvalidate 	layout/base/nsPresShell.cpp:4647
45 	xul.dll 	PresShell::ProcessReflowCommands 	layout/base/nsPresShell.cpp:7470
46 	xul.dll 	PresShell::FlushPendingNotifications 	layout/base/nsPresShell.cpp:4910
47 	xul.dll 	PresShell::ReflowEvent::Run 	layout/base/nsPresShell.cpp:7099
48 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:527
49 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:118
50 	xul.dll 	xul.dll@0x9a4307 	
51 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:199
52 	xul.dll 	nsComponentManagerImpl::GetServiceByContractID 	xpcom/components/nsComponentManager.cpp:2199
53 	xul.dll 	xul.dll@0x307d13 	
54 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:173
55 	nspr4.dll 	_PR_MD_CLEAN_THREAD 	nsprpub/pr/src/md/windows/w95thred.c:21

more at
http://crash-stats.mozilla.com/report/list?range_value=2&range_unit=weeks&signature=nsGenericElement%3A%3AUnbindFromTree%28int%2C%20int%29&version=Firefox%3A3.6.4

possible related signature list
  42 nsGenericElement::UnbindFromTree(int, int)
   4 nsCOMPtr_base::assign_with_AddRef(nsISupports*) | nsGenericElement::UnbindFromTree(int, int)
   1 _purecall | nsGenericElement::UnbindFromTree(int, int)

Correlation to releases

checking --- nsGenericElement::UnbindFromTree.int 20100421-crashdata.csv
found in: 3.6.3 3.5.9 3.6.4 3.6.3plugin1 3.6 3.5.6 3.5.4 3.0.8 3.0.19
release total-crashes
              nsGenericElement::UnbindFromTree.int crashes
                         pct.
all     383147  47      0.000122668
3.6.3   257898  32      0.00012408
3.5.9   34290   6       0.000174978
3.6.4   16781   3       0.000178774
3.6.3plugin1    397     1       0.00251889
3.6     17989   1       5.55895e-05
3.5.6   1028    1       0.000972763
3.5.4   1294    1       0.000772798
3.0.8   644     1       0.0015528
3.0.19  11658   1       8.5778e-05

os breakdown
nsGenericElement::UnbindFromTree.intTotal 42
Win5.1  0.79
Win6.0  0.07
Win6.1  0.12


   1 https://finanzportal.fiducia.de/ebpp01/entry?rzid=XC&rzbk=1814
   1 https://connect.delta.com/f5-w-687474703a2f2f69637265772e64656c74612e636f6d3a3130303830$$/icrew.html
   1 http://www.webtvenvivo.com/
   1 http://www.tvn24.pl/
   1 http://www.qvc.com/qic/qvcapp.aspx/app.detail/params.item.tsv!.tpl.tsv.cm_scid.TSV?cm_re=PROMOTIONS-_-TSV-_-TSV,TSV&cm_sp=TSV-_-HP-_-IMAGE
   1 http://www.prosieben.de/video/
   1 http://www.orkut.com/Logout?msg=0&hl=pt-BR
   1 http://www.orkut.com.br/Main#Home
   1 http://www.orkut.co.in/Main#Home
   1 http://www.myz99.com/what_song_was_that/view/
Severity: normal → critical
Keywords: crash
OS: Mac OS X → All
Component: DOM: Other → DOM
blocking2.0: --- → ?
In trunk, since JM merge on 09/12/2010, the crash daily rate has increased from 1 crash/day to 5-21 crashes/day
we might need skip listing to help sort out the new regression.

looks like there are several forms of the stack with these being the top 3.

many of the b7pre stacks I looked at are like this first one.

  10 Firefox    
xul.dll nsGenericElement::UnbindFromTree(int,int)       
xul.dll nsStyledElement::UnbindFromTree(int,int)        
xul.dll nsGenericHTMLElement::UnbindFromTree(int,int)   
xul.dll nsGenericElement::UnbindFromTree(int,int)       
xul.dll nsStyledElement::UnbindFromTree(int,int)        
xul.dll nsGenericHTMLElement::UnbindFromTree(int,int)   

like http://crash-stats.mozilla.com/report/index/39afdf3b-fe4e-471a-8ff0-1df212100919


many of the 3.6.x reports look like this one.

   9 Firefox    
xul.dll nsGenericElement::UnbindFromTree(int,int)       
xul.dll nsGenericElement::UnbindFromTree(int,int)       
xul.dll nsGenericElement::UnbindFromTree(int,int)       
xul.dll nsGenericElement::UnbindFromTree(int,int)       
xul.dll nsContentUtils::AddScriptBlocker()      
xul.dll nsINode::nsSlots::`scalar deleting destructor'(unsigned int)

like  98 http://crash-stats.mozilla.com/report/index/bd46b469-4a32-49df-b9de-da88a2100919


this next one looks like mostly 3.6.x as well.

   5 Firefox            
xul.dll nsGenericElement::UnbindFromTree(int,int)       
xul.dll nsGenericElement::UnbindFromTree(int,int)       
xul.dll nsGenericElement::UnbindFromTree(int,int)
xul.dll nsGenericElement::UnbindFromTree(int,int)       
xul.dll nsContentUtils::AddScriptBlocker()

like http://crash-stats.mozilla.com/report/index/d3a950c4-ebeb-487d-b001-44a552100919
Not blocking Firefox 4 on this unless this raises significantly in frequency.
blocking2.0: ? → -
Is it a dupe of bug 485941 as bug 657455 is?
Crash Signature: [@ nsGenericElement::UnbindFromTree(int, int) ]
Crash Signature: [@ nsGenericElement::UnbindFromTree(int, int) ] → [@ nsGenericElement::UnbindFromTree(int, int) ] [@ nsGenericElement::UnbindFromTree(bool, bool) ]
There's a spike in crashes from 14.0a1/20120315. The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=8d1c74566a0b&tochange=082d016c341f

It's #2 top crasher in 14.0a1 over the last day.

The stack looks like:
Frame 	Module 	Signature [Expand] 	Source
0 	xul.dll 	nsGenericElement::UnbindFromTree 	content/base/src/nsGenericElement.cpp:3276
1 	xul.dll 	nsXULElement::UnbindFromTree 	content/xul/content/src/nsXULElement.cpp:925
2 	xul.dll 	nsGenericElement::UnbindFromTree 	content/base/src/nsGenericElement.cpp:3326
3 	xul.dll 	nsXULElement::UnbindFromTree 	content/xul/content/src/nsXULElement.cpp:925
4 	xul.dll 	nsGenericElement::RemoveChildAt 	content/base/src/nsGenericElement.cpp:3845
5 	xul.dll 	nsXULElement::RemoveChildAt 	content/xul/content/src/nsXULElement.cpp:997
6 	xul.dll 	nsINode::ReplaceOrInsertBefore 	content/base/src/nsGenericElement.cpp:4260
7 	xul.dll 	nsINode::ReplaceOrInsertBefore 	obj-firefox/dist/include/nsINode.h:1480
8 	xul.dll 	nsINode::ReplaceChild 	obj-firefox/dist/include/nsINode.h:527
9 	xul.dll 	nsIDOMNode_ReplaceChild 	obj-firefox/js/xpconnect/src/dom_quickstubs.cpp:5311
10 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:514
11 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2710
12 	mozjs.dll 	js::ContextStack::pushInvokeFrame 	js/src/vm/Stack.cpp:778
13 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:529
14 	mozjs.dll 	mozjs.dll@0x789f 	

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsGenericElement%3A%3AUnbindFromTree%28bool%2C+bool%29
Depends on: CVE-2009-1232
Keywords: topcrash
Hardware: x86 → All
Summary: Firefox Crash [@ nsGenericElement::UnbindFromTree(int, int) ] → Firefox Crash @ nsGenericElement::UnbindFromTree
Crash Signature: [@ nsGenericElement::UnbindFromTree(int, int) ] [@ nsGenericElement::UnbindFromTree(bool, bool) ] → [@ nsGenericElement::UnbindFromTree(int, int) ] [@ nsGenericElement::UnbindFromTree(bool, bool) ] [@ nsGenericElement::UnbindFromTree ]
Crashes after the spike are correlated to Video DownloadHelper:
    100% (29/29) vs.  17% (64/376) {b9db16a4-6edc-47ec-a1f4-b86292ed211d} (Video DownloadHelper, https://addons.mozilla.org/addon/3006)
tracking-firefox14: --- → ?
tracking-firefox14: ? → ---
Depends on: 736695
Keywords: topcrash
https://bugzilla.mozilla.org/show_bug.cgi?id=1472046

Move all DOM bugs that haven’t been updated in more than 3 years and has no one currently assigned to P5.

If you have questions, please contact :mdaly.
Priority: -- → P5
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.