Closed Bug 599341 Opened 15 years ago Closed 15 years ago

Firefox 4.0b5 and b6 crash [@ PL_DHashTableOperate | nsObjectFrame::StopPluginInternal ][@ PL_DHashTableOperate | nsPresContext::GetRootPresContext()]

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(blocking2.0 beta8+)

Status:
RESOLVED FIXED
Milestone:
mozilla2.0b7
Tracking Flags:
Tracking Status
blocking2.0 --- beta8+

People

(Reporter: scoobidiver, Assigned: MatsPalmgren_bugz)

References

Details

(Keywords: crash, Whiteboard: [crashkill])

Crash Data

Attachments

(3 files)

Patch rev. 1
2.61 KB, patch
Details | Diff | Splinter Review
Patch rev. 1 (wdiff)
2.42 KB, patch
roc
: review+
dbaron
: approval2.0+
Details | Diff | Splinter Review
WIP strong ref solution
51.80 KB, patch
Details | Diff | Splinter Review
This new crash signature first appeared on 09/14th in 4.0b5, b6 and is still there in b7pre. So it is not linked to a build, but to an update. An add-on update is the most plausible. Indeed, there are also 3 crashes on Linux, so it is not an OS or a driver update. It could be the new flash player square 10.2 which is in alpha state. It is #44 top crasher in 4.0b6 for the last 2 weeks. Here is a list of user's comment : "The crash seems to be an issue with the flash plugin. I have yet to determine whether any of the addons are responsible (the issue is rare enough to make troubleshooting difficult). The primary indicator of the problem is when I go to one page with an embedded flash video, then navigate somewhere else. Sometimes there appears to be a an empty frame folating on top of the new page whose size and location coincides with the flash object. " "The background of www.warriordash.com started displaying over all the text, then the background would not disappear and overlaid other websites. I've had this happen before, it seems to be related to websites that have large animated (Flash?) ads." "Trying to open a birthday card collection on cardfountain.com with google mail open in another tab." "Closing tab that had a white block stuck overlaying it (which has something to do with a plugin further down on the page)" Signature PL_DHashTableOperate | nsObjectFrame::StopPluginInternal UUID 748d9081-244f-462b-a305-e54952100921 Time 2010-09-21 02:26:02.741392 Uptime 502112 Last Crash 1118361 seconds (1.8 weeks) before submission Install Age 502163 seconds (5.8 days) since version was first installed. Product Firefox Version 4.0b6 Build ID 20100914072643 Branch 2.0 OS Mac OS X OS Version 10.6.4 10F569 CPU x86 CPU Info family 6 model 23 stepping 6 Crash Reason EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE Crash Address 0x2c4 User Comments Reloaded a Site (hit the reload-Button) Crashing Thread Frame Module Signature [Expand] Source 0 XUL PL_DHashTableOperate pldhash.c:615 1 XUL nsObjectFrame::StopPluginInternal layout/generic/nsObjectFrame.cpp:2306 2 XUL nsObjectFrame::DestroyFrom layout/generic/nsObjectFrame.cpp:642 3 XUL nsFrameList::DestroyFramesFrom layout/generic/nsFrameList.cpp:98 4 XUL nsContainerFrame::DestroyFrom layout/generic/nsContainerFrame.cpp:272 5 XUL nsLineBox::DeleteLineList layout/generic/nsLineBox.cpp:336 6 XUL nsBlockFrame::DestroyFrom layout/generic/nsBlockFrame.cpp:316 7 XUL nsFrameList::DestroyFramesFrom layout/generic/nsFrameList.cpp:98 8 XUL nsContainerFrame::DestroyFrom layout/generic/nsContainerFrame.cpp:272 .... and like 7, 8 ... 17 XUL nsLineBox::DeleteLineList layout/generic/nsLineBox.cpp:336 18 XUL nsBlockFrame::DestroyFrom layout/generic/nsBlockFrame.cpp:316 19 XUL nsFrameList::DestroyFramesFrom layout/generic/nsFrameList.cpp:98 20 XUL nsContainerFrame::DestroyFrom layout/generic/nsContainerFrame.cpp:272 .... and like 19, 20 ... 29 XUL nsLineBox::DeleteLineList layout/generic/nsLineBox.cpp:336 30 XUL nsBlockFrame::DestroyFrom layout/generic/nsBlockFrame.cpp:316 31 XUL nsLineBox::DeleteLineList layout/generic/nsLineBox.cpp:336 32 XUL nsBlockFrame::DestroyFrom layout/generic/nsBlockFrame.cpp:316 33 XUL nsFrameList::DestroyFramesFrom layout/generic/nsFrameList.cpp:98 34 XUL nsContainerFrame::DestroyFrom layout/generic/nsContainerFrame.cpp:272 ... and like 33, 34 ... 39 XUL nsFrameManager::Destroy layout/generic/nsIFrame.h:535 40 XUL PresShell::Destroy layout/base/nsPresShell.cpp:1958 41 XUL DocumentViewerImpl::DestroyPresShell layout/base/nsDocumentViewer.cpp:4298 42 XUL DocumentViewerImpl::Destroy layout/base/nsDocumentViewer.cpp:1621 43 XUL nsSHistory::EvictContentViewersInRange docshell/shistory/src/nsSHistory.cpp:890 44 XUL nsSHistory::EvictAllContentViewers docshell/shistory/src/nsSHistory.cpp:681 45 XUL nsDocShell::Destroy docshell/base/nsDocShell.cpp:4492 46 XUL nsFrameLoader::Finalize content/base/src/nsFrameLoader.cpp:461 47 XUL nsDocument::MaybeInitializeFinalizeFrameLoaders content/base/src/nsDocument.cpp:5402 48 XUL nsDocument::EndUpdate content/base/src/nsDocument.cpp:3908 49 XUL nsXULDocument::EndUpdate content/xul/document/src/nsXULDocument.cpp:3318 50 XUL nsINode::doRemoveChildAt content/base/src/mozAutoDocUpdate.h:66 51 XUL nsGenericElement::RemoveChildAt content/base/src/nsGenericElement.cpp:3634 52 XUL nsXULElement::RemoveChildAt content/xul/content/src/nsXULElement.cpp:1008 53 XUL nsIDOMNode_RemoveChild nsINode.h:485 54 XUL js::Interpret js/src/jsinterp.cpp:4696 55 XUL js::InvokeCommon<JSBool > js/src/jsinterp.cpp:577 56 XUL js::Invoke js/src/jsinterp.cpp:696 57 XUL js::InternalInvoke js/src/jsinterp.cpp:736 58 XUL JS_CallFunctionValue js/src/jsinterp.h:651 59 XUL nsJSContext::CallEventHandler dom/base/nsJSEnvironment.cpp:2248 60 XUL nsJSEventListener::HandleEvent dom/src/events/nsJSEventListener.cpp:228 61 XUL nsXBLPrototypeHandler::ExecuteHandler content/xbl/src/nsXBLPrototypeHandler.cpp:332 62 XUL nsXBLEventHandler::HandleEvent content/xbl/src/nsXBLEventHandler.cpp:88 63 XUL nsEventListenerManager::HandleEventSubType content/events/src/nsEventListenerManager.cpp:1112 64 XUL nsEventListenerManager::HandleEventInternal content/events/src/nsEventListenerManager.cpp:1208 65 XUL nsEventTargetChainItem::HandleEventTargetChain content/events/src/nsEventListenerManager.h:146 66 XUL nsEventDispatcher::Dispatch content/events/src/nsEventDispatcher.cpp:628 67 XUL nsTransitionManager::WillRefresh layout/style/nsTransitionManager.cpp:946 68 XUL nsRefreshDriver::Notify layout/base/nsRefreshDriver.cpp:253 69 XUL nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:428 70 XUL nsTimerEvent::Run xpcom/threads/nsTimerImpl.cpp:517 71 XUL nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:547 72 XUL NS_ProcessPendingEvents_P nsThreadUtils.cpp:200 73 XUL nsBaseAppShell::NativeEventCallback widget/src/xpwidgets/nsBaseAppShell.cpp:126 74 XUL nsAppShell::ProcessGeckoEvents widget/src/cocoa/nsAppShell.mm:394 .... More reports at : http://crash-stats.mozilla.com/report/list?range_value=4&range_unit=weeks&signature=PL_DHashTableOperate%20|%20nsObjectFrame%3A%3AStopPluginInternal
Forget about the addons update, the crash reports were presented on two pages and I misunderstood that.
Summary: Firefox 4.0b5 and b6 crash after an unknown addon update on 09/14th [@ PL_DHashTableOperate | nsObjectFrame::StopPluginInternal ] → Firefox 4.0b5 and b6 crash [@ PL_DHashTableOperate | nsObjectFrame::StopPluginInternal ]
happened to me too while clicking on one link and boom -> http://crash-stats.mozilla.com/report/index/bp-8af2ceb1-77bd-40c9-96fa-7187b2101006
Whiteboard: [crashkill]
Tomcat, can you try to figure out a way to reproduce?
I have been running Flash Version: 10.2.161.22 and I have yet to be able to reproduce this bug using many of the sites listed. Will keep trying. I also tried on 10.5 with the same Flash version.
Component: Layout → Plug-ins
QA Contact: layout → plugins
This also just happened to me: bp-c53c3539-fa34-45ec-9ce0-5012e2101020 Let me know if I can help in providing more information to diagnose this.
> Let me know if I can help in providing more information to diagnose this. Please try to figure out how to reproduce this crash. If we can't reproduce it, there's not much we can do about it. Also, what Flash version are you using? Marcia says she doesn't see this crash with Flash 10.2.161.22 (a beta version).
> Also, what Flash version are you using? Marcia says she doesn't see this crash > with Flash 10.2.161.22 (a beta version). Actually Flash probably isn't involved. There's only a weak correlation between these crashes and the Flash plugin.
(In reply to comment #6) > > Let me know if I can help in providing more information to diagnose this. > > Please try to figure out how to reproduce this crash. > > If we can't reproduce it, there's not much we can do about it. I've got this crash only one time so far in my main browsing profile, right when I clicked inside the comment field on a bug page. I don't have any idea how to reproduce this, unfortunately. > Also, what Flash version are you using? Marcia says she doesn't see this crash > with Flash 10.2.161.22 (a beta version). My Flash player version is 10.1.82.76.
Hmm, I wonder if nsPresContext::GetRootPresContext using frames is a problem as they are not always around. It could easily use views.
Actually, probably not, DocumentViewerImpl::Destroy disconnects the root view as well.
I think what's happening here is that, in nsObjectFrame::StopPluginInternal, rootPC is null, and we call rootPC->UnregisterPluginForGeometryUpdates(this) anyway.
blocking2.0: --- → beta8+
Summary: Firefox 4.0b5 and b6 crash [@ PL_DHashTableOperate | nsObjectFrame::StopPluginInternal ] → Firefox 4.0b5 and b6 crash [@ PL_DHashTableOperate | nsObjectFrame::StopPluginInternal ][@ PL_DHashTableOperate | nsPresContext::GetRootPresContext()]
I suspect that this PresShell is Frozen and thus that StopPlugin has already been called. If so, it should be safe to null-check and skip the UnregisterPluginForGeometryUpdates. If not, then we have a dangling frame pointer in the root pres context. If we don't want to depend on ancestor frames/views to get the root pres context, we could add this to nsPresContext (given as arg to the ctor): nsRefPtr<nsPresContext> mRootPresContext; the only time we need to update it is when swapping doc shells (I think). Or we could fallback and go through the docshell tree, like PresShell::GetParentPresShell() which uses mForwardingContainer when detached.
I don't think we want to use the docshell tree, it doesn't always match what we draw on the screen, see bug 593286 comment 5. In bug 473178 comment 49 it was suggested to cache the root prescontext pointer for perf reasons, so that might be a good idea. Just need to make sure we cover all situations when it might change.
looks like there might have been a volume increase on the trunk for PL_DHashTableOperate...nsObjectFrame::StopPluginInternal crashes going from about 2-5 crashes per day to 20-25 crashes per day. date tl crashes at, count build, count build, ... PL_DHashTableOperate...nsObjectFrame::StopPluginInternal 20101010 57 53 4.0b6^\2010091407, 1 4.0b8pre^\2010101003, 1 4.0b8pre^\2010100703, 1 4.0b7pre^\2010100603, 1 4.0b5^\2010083107, 20101011 63 60 4.0b6^\2010091407, 1 4.0b8pre^\2010101103, 1 4.0b8pre^\2010100703, 1 4.0b5^\2010083107, 20101012 66 62 4.0b6^\2010091407, 2 4.0b8pre^\2010101203, 2 4.0b8pre^\2010101003, 20101013 45 41 4.0b6^\2010091407, 2 4.0b8pre^\2010101307, 1 4.0b8pre^\2010101203, 1 4.0b7pre^\2010100603, 20101014 59 54 4.0b6^\2010091407, 2 4.0b8pre^\2010101403, 1 4.0b8pre^\2010101307, 1 4.0b8pre^\2010101203, 1 4.0b7pre^\2010100603, 20101015 56 44 4.0b6^\2010091407, 8 4.0b8pre^\2010101503, 2 4.0b8pre^\2010101403, 1 4.0b8pre^\2010101307, 1 4.0b7pre^\2010100603, 20101016 76 57 4.0b6^\2010091407, 13 4.0b8pre^\2010101603, 2 4.0b8pre^\2010101503, 1 4.0b8pre^\2010101602, 1 4.0b8pre^\2010101307, 1 4.0b7pre^\2010091603, 1 4.0b5^\2010083107, 20101017 76 57 4.0b6^\2010091407, 8 4.0b8pre^\2010101703, 8 4.0b8pre^\2010101603, 3 4.0b8pre^\2010101503, ... 20101023 73 51 4.0b6^\2010091407, 10 4.0b8pre^\2010102303, 9 4.0b8pre^\2010102203, 2 4.0b8pre^\2010101803, 1 4.0b8pre^\2010102302, the new mostly Mac reports on the trunk can be isolated with this query. http://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A4.0b8pre&query_search=signature&query_type=contains&query=PL_DHashTableOperate%20|%20nsObjectFrame%3A%3AStopPluginInternal&date=10%2F24%2F2010%2016%3A46%3A19&range_value=1&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=PL_DHashTableOperate%20|%20nsObjectFrame%3A%3AStopPluginInternal regression/different bug that should be spun off?
Are you accounting for all signatures that this shows up as? The bouncing between signatures may appear random for various reasons.
(In reply to comment #21) > Are you accounting for all signatures that this shows up as? The bouncing > between signatures may appear random for various reasons. If I combine all 3 signatures (from this bug and bug 606860) and look at only those reported on 4.0b8pre I still see a bit of a spike on oct 15 count date oct 1-9 77-113 crashes per day 85 20101010-crashdata.csv 94 20101011-crashdata.csv 108 20101012-crashdata.csv 81 20101013-crashdata.csv 89 20101014-crashdata.csv 153 20101015-crashdata.csv 179 20101016-crashdata.csv 205 20101017-crashdata.csv 223 20101018-crashdata.csv 185 20101019-crashdata.csv 100 20101020-crashdata.csv 145 20101021-crashdata.csv 174 20101022-crashdata.csv 185 20101023-crashdata.csv
growth in adu's could also explain the shift but its a more gradual ramp on number of trunk users over this time rather than a sharp jump around the 15h. date Firefox adus date crashes 2010-10-20 4148 44407 2010-10-19 3641 43596 2010-10-18 3805 41922 2010-10-17 4069 33112 2010-10-16 4521 31672 2010-10-15 5519 36384 2010-10-14 4522 35221 2010-10-13 1427 32942 2010-10-12 1427 28126 2010-10-11 1144 25646 2010-10-10 874 17826 2010-10-09 815 15827 2010-10-08 636 14854 2010-10-07 219 4054
oops, those are numbers for all versions. here are numbers for just b8pre 1 20101008-crashdata.csv 4 20101009-crashdata.csv 2 20101010-crashdata.csv 2 20101011-crashdata.csv 4 20101012-crashdata.csv 5 20101013-crashdata.csv 5 20101014-crashdata.csv 69 20101015-crashdata.csv 95 20101016-crashdata.csv 120 20101017-crashdata.csv 123 20101018-crashdata.csv 72 20101019-crashdata.csv 33 20101020-crashdata.csv 65 20101021-crashdata.csv 74 20101022-crashdata.csv 114 20101023-crashdata.csv also b7pre has run from around 1-9 crashes per day for all of oct including before oct 7 when most trunk users were on that version.
I crashed in this stack today, and it happened just like Tomcat described in Comment 2 - I clicked on a link and then crashed. https://crash-stats.mozilla.com/report/index/bp-83708678-80d9-4fff-9697-2968e2101025 is my report and I had a number of addons installed. If I am able to reproduce I will report back.
Attached patch Patch rev. 1Splinter Review
Don't try to unregister or set widget geometry if we can't find the root pres context. This should only occur when the shell is frozen in which case those operations aren't needed.
Attachment #486079 - Flags: review?(roc)
WIP on a strong ref solution as outlined in comment 18 just to get a sense of the risks involved. Let me know if you think this would be better and I'll polish it a bit more...
Comment on attachment 486079 [details] [diff] [review] Patch rev. 1 (wdiff) nsIPresShell will need an IID bump. Do we want/need to not make the ConfigureChildren call if we don't have a root prescontext?
Good point. I think we should still call ConfigureChildren.
Oh but the GetEmptyConfiguration call needs a root prescontext too or it does nothing.
(In reply to comment #32) > nsIPresShell will need an IID bump. Why is that necessary? There's no change to the vtable, nor the object size. > Do we want/need to not make the ConfigureChildren call if we don't > have a root prescontext? My understanding is that the root pres context can only be null in the case this shell is frozen in which case we have already been here once, through nsObjectFrame::StopPlugin() from FreezeElement in nsPresShell.cpp. So it should have been done already, and more importantly we should have unregistered the frame already (that's why I added the assertion). If I'm wrong and the root pres context can be null in other cases, then this patch is flawed, and we must do something more robust like having a strong ref.
Oh, ok.
Comment on attachment 486079 [details] [diff] [review] Patch rev. 1 (wdiff) Tree rules says I need explicit beta7 approval to land.
Attachment #486079 - Flags: approval2.0?
Comment on attachment 486079 [details] [diff] [review] Patch rev. 1 (wdiff) a2.0b7=dbaron (This boils down to a null-check.)
Attachment #486079 - Flags: approval2.0? → approval2.0+
Keywords: checkin-needed
http://hg.mozilla.org/mozilla-central/rev/5cc1a77ffbad
Status: NEW → RESOLVED
Closed: 15 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Whiteboard: [crashkill] → [crashkill][needs landing on beta7 branch]
Target Milestone: --- → mozilla2.0b8
Whiteboard: [crashkill][needs landing on beta7 branch] → [crashkill]
Target Milestone: mozilla2.0b8 → mozilla2.0b7
Crash Signature: [@ PL_DHashTableOperate | nsObjectFrame::StopPluginInternal ] [@ PL_DHashTableOperate | nsPresContext::GetRootPresContext()]
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: