Closed Bug 604734 Opened 11 years ago Closed 11 years ago

Crash in [@ nsPresContext::IsRootContentDocument ]

Categories

(Core :: Layout, defect)

x86
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla2.0b7
Tracking Status
blocking2.0 --- beta7+

People

(Reporter: marcia, Assigned: mats)

References

()

Details

(5 keywords)

Crash Data

Attachments

(1 file, 2 obsolete files)

Seen while running Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b8pre) Gecko/20101015 Firefox/4.0b8pre. http://tinyurl.com/3ysh6ku links to the other crashes, which are all Mac.

https://crash-stats.mozilla.com/report/index/bp-c7eeb739-fe73-4c63-aae9-defda2101015

1. Load https://www.google.com/analytics/ (site requires a login)
2. Click on/off the Intelligence Beta link. Eventually you will crash. Sometimes you crash the first time.

Frame
Module 	Signature [Expand] 	Source
0 	XUL 	nsPresContext::IsRootContentDocument 	layout/base/nsPresContext.cpp:2371
1 	XUL 	nsGfxScrollFrameInner::IsScrollingActive 	layout/generic/nsGfxScrollFrame.cpp:1570
2 	XUL 	nsHTMLScrollFrame::InvalidateInternal 	layout/generic/nsGfxScrollFrame.cpp:202
3 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
4 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
5 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
6 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
7 	XUL 	nsBlockFrame::InvalidateInternal 	layout/generic/nsBlockFrame.cpp:543
8 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
9 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
10 	XUL 	nsBlockFrame::InvalidateInternal 	layout/generic/nsBlockFrame.cpp:543
11 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
12 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
13 	XUL 	nsBlockFrame::InvalidateInternal 	layout/generic/nsBlockFrame.cpp:543
14 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
15 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
16 	XUL 	nsBlockFrame::InvalidateInternal 	layout/generic/nsBlockFrame.cpp:543
17 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
18 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
19 	XUL 	nsBlockFrame::InvalidateInternal 	layout/generic/nsBlockFrame.cpp:543
20 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
21 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
22 	XUL 	nsBlockFrame::InvalidateInternal 	layout/generic/nsBlockFrame.cpp:543
23 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
24 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
25 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
26 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
27 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
28 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
29 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
30 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
31 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
32 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
33 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
34 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
35 	XUL 	nsBlockFrame::InvalidateInternal 	layout/generic/nsBlockFrame.cpp:543
36 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
37 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
38 	XUL 	nsBlockFrame::InvalidateInternal 	layout/generic/nsBlockFrame.cpp:543
39 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
40 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
41 	XUL 	nsBlockFrame::InvalidateInternal 	layout/generic/nsBlockFrame.cpp:543
42 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
43 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
44 	XUL 	nsBlockFrame::InvalidateInternal 	layout/generic/nsBlockFrame.cpp:543
45 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
46 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
47 	XUL 	nsBlockFrame::InvalidateInternal 	layout/generic/nsBlockFrame.cpp:543
48 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
49 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
50 	XUL 	nsBlockFrame::InvalidateInternal 	layout/generic/nsBlockFrame.cpp:543
51 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
52 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
53 	XUL 	nsBlockFrame::InvalidateInternal 	layout/generic/nsBlockFrame.cpp:543
54 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
55 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
56 	XUL 	nsBlockFrame::InvalidateInternal 	layout/generic/nsBlockFrame.cpp:543
57 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
58 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
59 	XUL 	nsBlockFrame::InvalidateInternal 	layout/generic/nsBlockFrame.cpp:543
60 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
61 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
62 	XUL 	nsBlockFrame::InvalidateInternal 	layout/generic/nsBlockFrame.cpp:543
63 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
64 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
65 	XUL 	nsBlockFrame::InvalidateInternal 	layout/generic/nsBlockFrame.cpp:543
66 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
67 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
68 	XUL 	nsHTMLScrollFrame::InvalidateInternal 	layout/generic/nsGfxScrollFrame.cpp:209
69 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
70 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
71 	XUL 	nsBlockFrame::InvalidateInternal 	layout/generic/nsBlockFrame.cpp:543
72 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
73 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
74 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
75 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
76 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
77 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
78 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
79 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
80 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
81 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
82 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
83 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
84 	XUL 	nsBlockFrame::InvalidateInternal 	layout/generic/nsBlockFrame.cpp:543
85 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
86 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
87 	XUL 	nsBlockFrame::InvalidateInternal 	layout/generic/nsBlockFrame.cpp:543
88 	XUL 	nsIFrame::InvalidateInternalAfterResize 	layout/generic/nsFrame.cpp:4116
89 	XUL 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:4137
90 	XUL 	nsPluginInstanceOwner::InvalidateRect 	layout/generic/nsIFrame.h:1969
91 	XUL 	nsNPAPIPluginInstance::InvalidateRect 	modules/plugin/base/src/nsNPAPIPluginInstance.cpp:1142
92 	XUL 	mozilla::plugins::parent::_invalidaterect 	modules/plugin/base/src/nsNPAPIPlugin.cpp:1249
93 	XUL 	mozilla::plugins::PluginInstanceParent::RecvNPN_InvalidateRect 	dom/plugins/PluginInstanceParent.cpp:470
94 	XUL 	mozilla::plugins::PPluginInstanceParent::OnMessageReceived 	PPluginInstanceParent.cpp:846
95 	XUL 	mozilla::plugins::PPluginModuleParent::OnMessageReceived 	PPluginModuleParent.cpp:357
96 	XUL 	mozilla::ipc::AsyncChannel::OnDispatchMessage 	ipc/glue/AsyncChannel.cpp:262
97 	XUL 	mozilla::ipc::RPCChannel::Call 	ipc/glue/RPCChannel.cpp:244
98 	XUL 	mozilla::plugins::PPluginInstanceParent::CallNPP_SetWindow 	PPluginInstanceParent.cpp:206
99 	XUL 	mozilla::plugins::PluginInstanceParent::NPP_SetWindow 	dom/plugins/PluginInstanceParent.cpp:652
100 	XUL 	mozilla::plugins::PluginModuleParent::NPP_SetWindow 	dom/plugins/PluginModuleParent.cpp:439
101 	XUL 	nsNPAPIPluginInstance::SetWindow 	modules/plugin/base/src/nsNPAPIPluginInstance.cpp:469
102 	XUL 	nsPluginInstanceOwner::FixUpPluginWindow 	layout/generic/nsObjectFrame.cpp:6366
103 	XUL 	nsObjectFrame::StopPluginInternal 	layout/generic/nsObjectFrame.cpp:1360
104 	XUL 	nsObjectFrame::DestroyFrom 	layout/generic/nsObjectFrame.cpp:675
105 	XUL 	nsLineBox::DeleteLineList 	layout/generic/nsLineBox.cpp:342
106 	XUL 	nsBlockFrame::DestroyFrom 	layout/generic/nsBlockFrame.cpp:316
107 	XUL 	nsLineBox::DeleteLineList 	layout/generic/nsLineBox.cpp:342
108 	XUL 	nsBlockFrame::DestroyFrom 	layout/generic/nsBlockFrame.cpp:316
109 	XUL 	nsLineBox::DeleteLineList 	layout/generic/nsLineBox.cpp:342
110 	XUL 	nsBlockFrame::DestroyFrom 	layout/generic/nsBlockFrame.cpp:316
111 	XUL 	nsLineBox::DeleteLineList 	layout/generic/nsLineBox.cpp:342
112 	XUL 	nsBlockFrame::DestroyFrom 	layout/generic/nsBlockFrame.cpp:316
113 	XUL 	nsLineBox::DeleteLineList 	layout/generic/nsLineBox.cpp:342
114 	XUL 	nsBlockFrame::DestroyFrom 	layout/generic/nsBlockFrame.cpp:316
115 	XUL 	nsLineBox::DeleteLineList 	layout/generic/nsLineBox.cpp:342
116 	XUL 	nsBlockFrame::DestroyFrom 	layout/generic/nsBlockFrame.cpp:316
117 	XUL 	nsLineBox::DeleteLineList 	layout/generic/nsLineBox.cpp:342
118 	XUL 	nsBlockFrame::DestroyFrom 	layout/generic/nsBlockFrame.cpp:316
119 	XUL 	nsFrameList::DestroyFramesFrom 	layout/generic/nsFrameList.cpp:98
120 	XUL 	nsContainerFrame::DestroyFrom 	layout/generic/nsContainerFrame.cpp:272
121 	XUL 	nsFrameList::DestroyFramesFrom 	layout/generic/nsFrameList.cpp:98
122 	XUL 	nsContainerFrame::DestroyFrom 	layout/generic/nsContainerFrame.cpp:272
123 	XUL 	nsFrameList::DestroyFramesFrom 	layout/generic/nsFrameList.cpp:98
124 	XUL 	nsContainerFrame::DestroyFrom 	layout/generic/nsContainerFrame.cpp:272
125 	XUL 	nsFrameList::DestroyFramesFrom 	layout/generic/nsFrameList.cpp:98
126 	XUL 	nsContainerFrame::DestroyFrom 	layout/generic/nsContainerFrame.cpp:272
127 	XUL 	nsFrameList::DestroyFramesFrom 	layout/generic/nsFrameList.cpp:98
128 	XUL 	nsContainerFrame::DestroyFrom 	layout/generic/nsContainerFrame.cpp:272
129 	XUL 	nsLineBox::DeleteLineList 	layout/generic/nsLineBox.cpp:342
130 	XUL 	nsBlockFrame::DestroyFrom 	layout/generic/nsBlockFrame.cpp:316
131 	XUL 	nsLineBox::DeleteLineList 	layout/generic/nsLineBox.cpp:342
132 	XUL 	nsBlockFrame::DestroyFrom 	layout/generic/nsBlockFrame.cpp:316
133 	XUL 	nsFrameList::DestroyFramesFrom 	layout/generic/nsFrameList.cpp:98
134 	XUL 	nsBlockFrame::DestroyFrom 	layout/generic/nsBlockFrame.cpp:312
135 	XUL 	nsLineBox::DeleteLineList 	layout/generic/nsLineBox.cpp:342
136 	XUL 	nsBlockFrame::DestroyFrom 	layout/generic/nsBlockFrame.cpp:316
137 	XUL 	nsLineBox::DeleteLineList 	layout/generic/nsLineBox.cpp:342
138 	XUL 	nsBlockFrame::DestroyFrom 	layout/generic/nsBlockFrame.cpp:316
139 	XUL 	nsLineBox::DeleteLineList 	layout/generic/nsLineBox.cpp:342
140 	XUL 	nsBlockFrame::DestroyFrom 	layout/generic/nsBlockFrame.cpp:316
141 	XUL 	nsFrameList::DestroyFramesFrom 	layout/generic/nsFrameList.cpp:98
142 	XUL 	nsContainerFrame::DestroyFrom 	layout/generic/nsContainerFrame.cpp:272
143 	XUL 	nsFrameList::DestroyFramesFrom 	layout/generic/nsFrameList.cpp:98
144 	XUL 	nsContainerFrame::DestroyFrom 	layout/generic/nsContainerFrame.cpp:272
145 	XUL 	nsFrameList::DestroyFramesFrom 	layout/generic/nsFrameList.cpp:98
146 	XUL 	nsContainerFrame::DestroyFrom 	layout/generic/nsContainerFrame.cpp:272
147 	XUL 	nsFrameManager::Destroy 	layout/generic/nsIFrame.h:538
148 	XUL 	PresShell::Destroy 	layout/base/nsPresShell.cpp:2025
149 	XUL 	DocumentViewerImpl::DestroyPresShell 	layout/base/nsDocumentViewer.cpp:4300
150 	XUL 	DocumentViewerImpl::Destroy 	layout/base/nsDocumentViewer.cpp:1619
151 	XUL 	DocumentViewerImpl::Show 	layout/base/nsDocumentViewer.cpp:1935
152 	XUL 	nsPresContext::EnsureVisible 	layout/base/nsPresContext.cpp:1665
153 	XUL 	nsPluginInstanceOwner::Init 	layout/generic/nsObjectFrame.cpp:6040
154 	XUL 	nsObjectFrame::PrepareInstanceOwner 	layout/generic/nsObjectFrame.cpp:2241
155 	XUL 	nsObjectFrame::Instantiate 	layout/generic/nsObjectFrame.cpp:2299
156 	XUL 	nsObjectLoadingContent::Instantiate 	content/base/src/nsObjectLoadingContent.cpp:1895
157 	XUL 	nsAsyncInstantiateEvent::Run 	content/base/src/nsObjectLoadingContent.cpp:166
158 	XUL 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:547
159 	XUL 	NS_ProcessPendingEvents_P 	nsThreadUtils.cpp:200
160 	XUL 	nsBaseAppShell::NativeEventCallback 	widget/src/xpwidgets/nsBaseAppShell.cpp:131
161 	XUL 	nsAppShell::ProcessGeckoEvents 	widget/src/cocoa/nsAppShell.mm:394
162 	CoreFoundation 	CoreFoundation@0x4de90
I also reproduced this with a completely clean profile.
Looking at the stack I would guess this is a regression from bug 587534.
http://hg.mozilla.org/mozilla-central/rev/b9682fe6cfcd

The FixUpPluginWindow in the stack above is from DidSetWidgetGeometry
http://hg.mozilla.org/mozilla-central/annotate/19cb42fa4554/layout/generic/nsObjectFrame.cpp#l1360

We could do an early return in nsPresContext::IsRootContentDocument
if the pres shell IsDestroying, but I think it would be safer to not
enter into frame related code at all.

I think it should work if we just skip the block added in bug 587534
if 'aDelayedStop' is true (ie. when we're destroying the frame).
blocking2.0: --- → ?
Attached patch Like so? (wdiff) (obsolete) — Splinter Review
Would this work w/o regressing bug 587534?
I also crashed in this stack trying to repro another bug that involved plugins: http://crash-stats.mozilla.com/report/index/bp-ebc69c0b-ce4f-429a-b28c-b64a12101015
I think the bug only occurs on OSX since DidSetWidgetGeometry is empty
on other platforms:
http://mxr.mozilla.org/mozilla-central/source/layout/generic/nsObjectFrame.cpp#1356
Keywords: pp
I also see the OS X crash report dialog for the plugin process when I crash here. BestBuy.com triggers this in today's nightly with IPC enabled.
If the plugin isn't hidden and we unregister for geometry updates here, what hides the plugin in the aDelayedStop case?
Here is another easy way to reproduce this bug:

1. Load http://videos.tf1.fr/
2. Click on the Videos link

I crash 100% following these steps using Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b8pre) Gecko/20101018 Firefox/4.0b8pre
Let's get this in please. It's crashing my nightly very frequently.
> I think the bug only occurs on OSX since DidSetWidgetGeometry is empty
> on other platforms:

the distribution of OSes of trunk users might also affect this but it also looks like this is only 10.6

os breakdown
nsPresContext::IsRootContentDocumentTotal 80
Win5.1  0.00
Win6.0  0.00
Win6.1  0.00
Mac10.4 0.00
Mac10.5 0.00
Mac10.6 1.00
Lin2.4  0.00

  80 Mac OS X 10.6 nsPresContext::IsRootContentDocument

74      0.925   Mac OS X10.6.4 10F569
3       0.0375  Mac OS X10.6.5 10H548
3       0.0375  Mac OS X10.6.5 10H542

Its also see on a wide variety of high profile sites
(In reply to comment #8)
> If the plugin isn't hidden and we unregister for geometry updates here, what
> hides the plugin in the aDelayedStop case?

There's a call to mWidget->Show(PR_FALSE) in PrepareToStop with aDelayedStop true --- for non-Mac.

What I don't understand is that StopPluginInternal calls DoStopPlugin which calls SetWindow on the plugin. Why doesn't that trigger a crash exactly like the one reported here? Mats, can you figure out why?
(In reply to comment #12)
> What I don't understand is that StopPluginInternal calls DoStopPlugin which
> calls SetWindow on the plugin. Why doesn't that trigger a crash exactly like
> the one reported here?

SetWindow(nsnull) appears to be a NOP:
http://mxr.mozilla.org/mozilla-central/source/modules/plugin/base/src/nsNPAPIPluginInstance.cpp#435

> Mats, can you figure out why?

Sorry, I'm on OSX 10.5.8 and can't trigger any of the reported crashes :(
So basically the problem is that on Mac, there are a few cases (Quickdraw plugins, Quicktime doing weird things in our window on its own) where we need to tell the plugin that it's hidden. But it's not safe to do so under nsObjectFrame::DestroyFrom. OK, so how about we hide it off an event? We already are calling into DoDelayedStop, which either stops the plugin immediately (for some plugins), which means they're OK, or else we dispatch a nsStopPluginRunnable. So how about we have nsStopPluginRunnable::Run do the FixUpPluginWindow as its first action, instead of calling DidSetWidgetGeometry from StopPluginInternal?
At the end of StopPluginInternal there is "owner->SetOwner(nsnull)":
http://mxr.mozilla.org/mozilla-central/source/layout/generic/nsObjectFrame.cpp#2575
which will set 'mObjectFrame' to NULL:
http://mxr.mozilla.org/mozilla-central/source/layout/generic/nsObjectFrame.cpp#388
which makes FixUpPluginWindow take the early return:
http://mxr.mozilla.org/mozilla-central/source/layout/generic/nsObjectFrame.cpp#6252

Note: I haven't debugged this, I'm just guessing (which goes for the
attached patch too!)
blocking final+
blocking2.0: ? → final+
I think we can try comment #14 without going through the frame, we just need the plugin instance so we can call SetWindow on it.
Given that this is >100 crashes per day on *Mac* nightlies, it should block beta8.
blocking2.0: final+ → beta8+
Attachment #483614 - Flags: approval2.0? → approval2.0+
That patch is broken. Mats, please try comment #17.
Assignee: nobody → matspal
Keywords: checkin-needed
Duplicate of this bug: 605794
the patch for bug 587534 landed on mozilla central 2010-08-19 21:15:01

are there other intervening patches that caused the spike in crashes around oct 15?


date     tl crashes at, count build, count build, ...
         nsPresContext::IsRootContentDocument  
20101013   
20101014   
20101015 56 4.0b8pre2010101503 56 , 
20101016 80  40 4.0b8pre2010101603, 
	        40 4.0b8pre2010101503, 
20101017 121  60 4.0b8pre2010101703, 
	        54 4.0b8pre2010101603, 7 4.0b8pre2010101503, 
20101018 130  60 4.0b8pre2010101803, 
	        56 4.0b8pre2010101703, 8 4.0b8pre2010101603, 
	        6 4.0b8pre2010101503, 
20101019 127  57 4.0b8pre2010101803, 
	        50 4.0b8pre2010101903, 18 4.0b8pre2010101703, 
	        1 4.0b8pre2010101603, 1 4.0b8pre2010101503, 
20101020 120  61 4.0b8pre2010101903, 
	        23 4.0b8pre2010102003, 16 4.0b8pre2010102010, 
	        13 4.0b8pre2010101803, 6 4.0b8pre2010101703, 
	        1 4.0b8pre2010101603, 
20101021 120  46 4.0b8pre2010102103, 
	        32 4.0b8pre2010102010, 18 4.0b8pre2010102003, 
	        15 4.0b8pre2010101903, 4 4.0b8pre2010101803, 
	        4 4.0b8pre2010101703, 1 4.0b8pre2010101503, 

all the crashes reported appear to to be b8pre, but we should verify that none of the fixes or backouts to reduce the volume on this need to make it on to the b7pre branch.
Build identifier: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b8pre) Gecko/20101025 Firefox/4.0b8pre

+1 on hitting the crash:
http://crash-stats.mozilla.com/report/index/d679d4f6-b70d-4b8f-af2e-04a0a2101025
Number #3 Topcrash from the last 3 days for Beta8pre
Keywords: topcrash
Moving this up to beta7 - git'er done.
blocking2.0: beta8+ → beta7+
I can reproduce this bug at will with my saved session -- it's killing my dogfooding. I'm loath to turn off flash. Any tips on how to work around? FWIW, I'm running the mac64 flash plugin from labs.adobe.com.

/be
OS: Mac OS X → Windows 7
OS: Windows 7 → Mac OS X
I don't see any workaround short of disabling Flash.
Attached patch wip2 (obsolete) — Splinter Review
nsStopPluginRunnable::Run() has code reschedule the event in case
there are nested event loops.  I'd prefer to run the SetWindow call
after that, so we might as well do it in DoStopPlugin.

There should be TryServer builds available for testing in a few hours:
http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/mpalmgren@mozilla.com-c774d2e36012/

Does it fix the crash? without regressing bug 587534?
It shouldn't regress bug 587534 on Windows and Linux (the DidSetWindow call is a no-op there). The equivalent bug for Mac is bug 592563 though.
I just had a crash in [@ nsPresContext::CheckForInterrupt ]. Could they be related?

bp-49a0131c-1198-4b43-ba89-9af0e2101026
Mats, that patch does fix the crash I'm seeing in this signature. (Tiny bit of bitrot-fix needed, is all.)
Attachment #483614 - Attachment is obsolete: true
Great, thanks for testing!
Attached patch wip2Splinter Review
Updated to tip.
Attachment #486233 - Attachment is obsolete: true
Comment on attachment 486416 [details] [diff] [review]
wip2

Steven, I'd appreciate your feedback on this patch, in particular
any risk of regressing bug 592563.
Attachment #486416 - Flags: feedback?(smichaud)
(In reply to comment #30)
Gordon, that stack looks like a separate problem; please file a new bug.
(In reply to comment #35)
> (In reply to comment #30)
> Gordon, that stack looks like a separate problem; please file a new bug.

Done: bug 607778.
Comment on attachment 486416 [details] [diff] [review]
wip2

I tested this patch with my DebugEventsPlugin (using one of your
tryserver builds from comment #28) and had no problems.  And testing
in 32-bit mode, I broke (in gdb) on nsChildView::HidePlugin() and saw
that nsChildView::Show(PR_FALSE) is called on a plugin when it should
be (for example when switching tabs).

So no, this patch doesn't regress the fix for bug 592563.
Attachment #486416 - Flags: feedback?(smichaud) → feedback+
Great, thanks Steven!
Attachment #486416 - Flags: review?(roc)
http://hg.mozilla.org/mozilla-central/rev/4aef2a4443e6
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b7
Blocks: 623108
Crash Signature: [@ nsPresContext::IsRootContentDocument ]
You need to log in before you can comment on or make changes to this bug.