Closed
Bug 597343
Opened 14 years ago
Closed 14 years ago
Crash [@ nsCoreUtils::IsRootDocument(nsIDocument*) ]
Categories
(Core :: Disability Access APIs, defect)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | final+ |
People
(Reporter: scoobidiver, Assigned: surkov)
Details
(Keywords: crash, regression)
Crash Data
Attachments
(1 file, 1 obsolete file)
1.01 KB,
patch
|
ginnchen+exoracle
:
review+
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
Build : Mozilla/5.0 (Windows NT 6.1; rv:2.0b7pre) Gecko/20100916 Firefox/4.0b7pre
This is a new crash signature that is present at different daily rate depending on builds :
20100909, 20100910, 20100911, 20100912, 2010913 : 1 crash/day
20100914, 20100915, 20100916 : 10 crashes/day
It is #15 top crasher for this build.
Signature nsCoreUtils::IsRootDocument(nsIDocument*)
UUID b5530da3-d1e8-4f27-9858-e14522100915
Process Type
Time 2010-09-15 03:21:53.243346
Uptime 17852
Install Age 21103 seconds (5.9 hours) since version was first installed.
Product Firefox
Version 4.0b7pre
Build ID 20100914041908
Branch 2.0
OS Windows NT
OS Version 6.1.7600
CPU x86
CPU Info GenuineIntel family 6 model 23 stepping 10
Crash Reason EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 0
App Notes AdapterVendorID: 1002, AdapterDeviceID: 9553
Crashing Thread
Frame Module Signature [Expand] Source
0 xul.dll nsCoreUtils::IsRootDocument accessible/src/base/nsCoreUtils.cpp:486
1 xul.dll nsAccDocManager::CreateDocOrRootAccessible accessible/src/base/nsAccDocManager.cpp:456
2 xul.dll nsAccDocManager::GetDocAccessible accessible/src/base/nsAccDocManager.cpp:80
3 xul.dll nsAccessibilityService::InvalidateSubtreeFor accessible/src/base/nsAccessibilityService.cpp:1706
4 xul.dll nsFrameManager::ReResolveStyleContext
5 xul.dll nsFrameManager::ComputeStyleChangeFor layout/base/nsFrameManager.cpp:1552
6 xul.dll mozilla::css::RestyleTracker::ProcessOneRestyle layout/base/RestyleTracker.cpp:156
7 xul.dll mozilla::css::RestyleTracker::ProcessRestyles layout/base/RestyleTracker.cpp:240
8 xul.dll nsCSSFrameConstructor::ProcessPendingRestyles layout/base/nsCSSFrameConstructor.cpp:11566
9 xul.dll PresShell::FlushPendingNotifications layout/base/nsPresShell.cpp:4790
10 xul.dll PresShell::HandlePostedReflowCallbacks layout/base/nsPresShell.cpp:4683
11 xul.dll PresShell::ProcessReflowCommands layout/base/nsPresShell.cpp:7712
12 xul.dll PresShell::FlushPendingNotifications layout/base/nsPresShell.cpp:4821
13 xul.dll nsRefreshDriver::Notify layout/base/nsRefreshDriver.cpp:310
14 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:428
15 xul.dll nsTimerEvent::Run xpcom/threads/nsTimerImpl.cpp:517
16 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:547
17 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:110
18 xul.dll xul.dll@be68db
19 xul.dll MessageLoop::RunInternal ipc/chromium/src/base/message_loop.cc:219
20 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:202
21 xul.dll UpdateDepth js/src/jsemit.cpp:246
22 xul.dll _SEH_epilog4
23 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:176
24 xul.dll nsBaseAppShell::Run widget/src/xpwidgets/nsBaseAppShell.cpp:180
25 xul.dll nsAppShell::Run widget/src/windows/nsAppShell.cpp:243
Assignee | ||
Comment 1•14 years ago
|
||
It sounds like nsCOMPtr<nsIDocShellTreeItem> treeitem =
do_QueryInterface(nsIDocument->GetContainer()) is null
(http://hg.mozilla.org/mozilla-central/annotate/5588c9796f0b/accessible/src/base/nsCoreUtils.cpp#l486).
Boris do you have any idea why I can't get docshell treeitem from the document,
what's the possible cases when it happens? It must be a document we want to
create an accessible for, it's not initial, it's visible, it has presshell
(http://hg.mozilla.org/mozilla-central/annotate/5588c9796f0b/accessible/src/base/nsAccDocManager.cpp#l456).
Comment 3•14 years ago
|
||
> Boris do you have any idea why I can't get docshell treeitem from the document,
> what's the possible cases when it happens?
Hmm... There are all sorts of cases where it can happen: The document never had a docshell (e.g. a resource document or data document of some sort), the document used to be in a docshell and then got unloaded.
> It must be a document we want to create an accessible for, it's not initial,
> it's visible, it has presshell
I dunno what you use to decide whether you want to create an accessible.
An obvious document that would pass your check but have no docshell is SVG-as-<img>. To catch those, you want to check IsResourceDoc() as opposed to GetDisplayDocument().
Comment 4•14 years ago
|
||
Do we have any URIs to work with here?
Comment 5•14 years ago
|
||
Note we used to null check prior to:
http://hg.mozilla.org/mozilla-central/rev/a2ba3a7cec03
Seems like we need to add those back.
blocking2.0: ? → final+
The patch in Bug 597963 should fix the crash.
I can reproduce the crash with make reftest with a11y on Solaris.
Reproduce step:
dist/bin/firefox -no-remote -reftest ../layout/reftests/backgrounds/reftest.list
Stack:
fd78d61c int nsCoreUtils::IsRootDocument(nsIDocument*) (a636cc8, 23, 1, fd77b1de) + 74
fd77b244 nsDocAccessible*nsAccDocManager::CreateDocOrRootAccessible(nsIDocument*) (8e0c5f8, a636cc8, 0, fd77a021) + 74
fd77a061 nsDocAccessible*nsAccDocManager::GetDocAccessible(nsIDocument*) (8e0c5f8, a636cc8, 8045f68, fd79c620) + 5d
fd79c63c unsigned nsAccessibilityService::InvalidateSubtreeFor(nsIPresShell*,nsIContent*,unsigned) (8e0c5f8, a5fc3f8, a6113b8, 5) + 28
fc87cc2a nsChangeHint nsFrameManager::ReResolveStyleContext(nsPresContext*,nsIFrame*,nsIContent*,nsStyleChangeList*,nsChangeHint,nsRestyleHint,int,mozilla::css::RestyleTracker&) (a5fc414, a5fb978, a639098, 0, 8046000, 0) + c46
fc87cecf void nsFrameManager::ComputeStyleChangeFor(nsIFrame*,nsStyleChangeList*,nsChangeHint,mozilla::css::RestyleTracker&,int) (a5fc414, a639098, 8046000, 0, a5fc788, 0) + 7f
fc841902 void nsCSSFrameConstructor::RestyleElement(mozilla::dom::Element*,nsIFrame*,nsChangeHint,mozilla::css::RestyleTracker&,int) (a5fc730, a6113b8, a639098, 0, a5fc788, 0) + 62
fc8331d2 void mozilla::css::RestyleTracker::ProcessRestyles() (a5fc788, fcb194dc, 8046ae4, fc848d5a) + 786
fc848d80 void nsCSSFrameConstructor::ProcessPendingRestyles() (a5fc730, fdfc2068, 8046b98, fc8a20c0) + 30
fc8a20e2 void PresShell::FlushPendingNotifications(mozFlushType) (a5fc3f8, 5, a606398, fc8ad0b3) + 1ea
fc8ad178 int PresShell::ProcessReflowCommands(int) (a5fc3f8, 0, 8046e58, fc8a2147) + b0c
fc8a21b1 void PresShell::FlushPendingNotifications(mozFlushType) (a5fc3f8, 5, fe0aa6d0, fc8056fa) + 2b9
fc805783 unsigned mozilla::imagelib::SVGDocumentWrapper::OnStopRequest(nsIRequest*,nsISupports*,unsigned) (a5e67a8) + 97
fc806fd5 unsigned mozilla::imagelib::VectorImage::OnStopRequest(nsIRequest*,nsISupports*,unsigned) (a63fde8) + 45
fc813fe2 unsigned imgRequest::OnStopRequest(nsIRequest*,nsISupports*,unsigned) (a6375e8, a60f0b4, 0, 0) + 112
fc80f53f unsigned ProxyListener::OnStopRequest(nsIRequest*,nsISupports*,unsigned) (9fc7f68, a60f0b4) + 1f
fc66c877 unsigned nsBaseChannel::OnStopRequest(nsIRequest*,nsISupports*,unsigned) (a60f088, a63fae8) + 63
fc67846d unsigned nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) (a63fae8, a62b9a8, 0, fd8b3fe2) + 35d
fd8b4007 unsigned nsInputStreamReadyEvent::Run() (a61deb0, 1, 804707c, 0) + 2f
fd8d6a89 unsigned nsThread::ProcessNextEvent(int,int*) (80fcd70, 1, 80470bc, fd87fb05) + 151
fd87fb3a int NS_ProcessNextEvent_P(nsIThread*,int) (80fcd70, 1, 80470f8, fd74db2f) + 42
fd74db47 unsigned nsBaseAppShell::Run() (813ed18, 0, 0, fd4f4714) + 47
fd4f473a unsigned nsAppStartup::Run() (84a4d78, 806a790, 80fe3f0, 0) + 32
fc656e3e XRE_main (4) + 25da
08051e23 main (4, 80475b4, 80475c8, 8051a68) + 263
08051afd _start (4, 8047724, 8047744, 804774d, 0, 0) + 7d
Comment 8•14 years ago
|
||
Assigning to Ginn based on comment 6. Ginn can you work on this? Let us know.
Assignee: nobody → ginn.chen
Assignee | ||
Comment 10•14 years ago
|
||
(In reply to comment #3)
> An obvious document that would pass your check but have no docshell is
> SVG-as-<img>. To catch those, you want to check IsResourceDoc() as opposed to
> GetDisplayDocument().
just to make things clear, we should replace GetDisplayDocument() check on IsResourceDoc() check, right?
Assignee | ||
Comment 11•14 years ago
|
||
(In reply to comment #10)
> just to make things clear, we should replace GetDisplayDocument() check on
> IsResourceDoc() check, right?
I see IsResourceDoc is enough (http://mxr.mozilla.org/mozilla-central/source/content/base/public/nsIDocument.h#1160)
Assignee | ||
Comment 12•14 years ago
|
||
(In reply to comment #7)
> Reproduce step:
>
> dist/bin/firefox -no-remote -reftest
> ../layout/reftests/backgrounds/reftest.list
(In reply to comment #3)
> An obvious document that would pass your check but have no docshell is
> SVG-as-<img>. To catch those, you want to check IsResourceDoc() as opposed to
> GetDisplayDocument().
You're right. That's the case of IsResourceDoc(), mIsBeingUsedAsImage is true.
Assignee | ||
Comment 13•14 years ago
|
||
Assignee: ginn.chen → surkov.alexander
Status: NEW → ASSIGNED
Attachment #480074 -
Flags: review?(ginn.chen)
Comment 14•14 years ago
|
||
> we should replace GetDisplayDocument() check on IsResourceDoc() check, right?
Yep.
Comment 15•14 years ago
|
||
surkov, the patch works.
I think we'd better also add null check and assertion after GetContainer().
What do you think?
Assignee | ||
Comment 16•14 years ago
|
||
(In reply to comment #15)
> surkov, the patch works.
> I think we'd better also add null check and assertion after GetContainer().
> What do you think?
I'm not sure whether this is going to happen ever. Though we might want to have this since Boris mentioned the case "the document used to be in a docshell and then got unloaded."
Boris, why and when does this happen?
Comment 17•14 years ago
|
||
> Boris, why and when does this happen?
Any time you navigate away from a page?
Assignee | ||
Comment 18•14 years ago
|
||
(In reply to comment #17)
> > Boris, why and when does this happen?
>
> Any time you navigate away from a page?
the presshell should be destroyed as well, right? We have check for null presshell and check for IsVisible, is this enough?
Comment 19•14 years ago
|
||
I _think_ so.... The ordering there is a bit hairy. :(
Assignee | ||
Comment 20•14 years ago
|
||
Ok, then it makes sense to put additional GetContainer() check just to be safe.
Assignee | ||
Comment 21•14 years ago
|
||
(In reply to comment #19)
> I _think_ so.... The ordering there is a bit hairy. :(
Boris, would it be ok to check nsIDocument::IsActive() instead of nsIDocument::GetContainer()?
Comment 22•14 years ago
|
||
I don't know offhand.
Assignee | ||
Comment 23•14 years ago
|
||
IsActive should fine here, it returns false for document that doesn't have docshell and for document with removed docshell. Asking additional reivew from Boris to be sure.
Attachment #480074 -
Attachment is obsolete: true
Attachment #483054 -
Flags: review?(ginn.chen)
Attachment #483054 -
Flags: review?(bzbarsky)
Attachment #480074 -
Flags: review?(ginn.chen)
Attachment #483054 -
Flags: review?(ginn.chen) → review+
Comment 24•14 years ago
|
||
Comment on attachment 483054 [details] [diff] [review]
patch2
r=me
Attachment #483054 -
Flags: review?(bzbarsky) → review+
Assignee | ||
Comment 25•14 years ago
|
||
landed on 2.0 - http://hg.mozilla.org/mozilla-central/rev/9f342c85157a
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•14 years ago
|
Crash Signature: [@ nsCoreUtils::IsRootDocument(nsIDocument*) ]
You need to log in
before you can comment on or make changes to this bug.
Description
•