Closed Bug 613744 Opened 14 years ago Closed 14 years ago

crash [@ nsCOMArray<nsIDOMRange>::nsCOMArray<nsIDOMRange>() ][@ nsCOMArray<nsIDOMSVGPoint>::nsCOMArray<nsIDOMSVGPoint>() ][@ nsCOMArray<nsIPermission>::nsCOMArray<nsIPermission>() ] when trying to turn off HW acceleration

Tracking

()

Status:

RESOLVED FIXED

Tracking Flags:

Tracking

Status

blocking2.0

---

final+

People

(Reporter: scoobidiver, Assigned: benjamin)

References

(
URL
)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

Compare layer managers before using cached ImageContainer, rev. 1 14 years ago Benjamin Smedberg 3.06 KB, patch	roc : review+	Details \| Diff \| Splinter Review

Scoobidiver (away)

Reporter

Description

•

14 years ago

It is a new crash signature that was introduced by 4.0b8pre/20101120 build.
It happens when you disable HW acceleration on sites with Flash.

Signature	nsCOMArray<nsIDOMRange>::nsCOMArray<nsIDOMRange>()
UUID	2feb4be7-0999-4b58-91d2-3978d2101120
Time 	2010-11-20 07:56:20.137715
Uptime	143
Last Crash	79499 seconds (22.1 hours) before submission
Install Age	143 seconds since version was first installed.
Product	Firefox
Version	4.0b8pre
Build ID	20101120044537
Branch	2.0
OS	Windows NT
OS Version	6.1.7600
CPU	x86
CPU Info	GenuineIntel family 6 model 23 stepping 10
Crash Reason	EXCEPTION_ACCESS_VIOLATION_WRITE
Crash Address	0x0
App Notes 	AdapterVendorID: 8086, AdapterDeviceID: 2a42

Frame 	Module 	Signature [Expand] 	Source
0 	xul.dll 	nsCOMArray<nsIDOMRange>::nsCOMArray<nsIDOMRange> 	obj-firefox/dist/include/nsCOMPtr.h:575
1 	xul.dll 	mozilla::layers::ImageLayerD3D9::RenderLayer 	gfx/layers/d3d9/ImageLayerD3D9.cpp:219
2 	xul.dll 	mozilla::layers::ContainerLayerD3D9::RenderLayer 	gfx/layers/d3d9/ContainerLayerD3D9.cpp:231
3 	xul.dll 	mozilla::layers::ContainerLayerD3D9::RenderLayer 	gfx/layers/d3d9/ContainerLayerD3D9.cpp:231
4 	xul.dll 	mozilla::layers::LayerManagerD3D9::Render 	gfx/layers/d3d9/LayerManagerD3D9.cpp:306
5 	xul.dll 	mozilla::layers::LayerManagerD3D9::EndTransaction 	gfx/layers/d3d9/LayerManagerD3D9.cpp:163
6 	xul.dll 	nsDisplayList::PaintForFrame 	layout/base/nsDisplayList.cpp:476
7 	xul.dll 	nsLayoutUtils::PaintFrame 	layout/base/nsLayoutUtils.cpp:1442
8 	xul.dll 	PresShell::Paint 	layout/base/nsPresShell.cpp:6112
9 	xul.dll 	nsViewManager::RenderViews 	view/src/nsViewManager.cpp:447
10 	xul.dll 	nsViewManager::Refresh 	view/src/nsViewManager.cpp:413
11 	xul.dll 	nsViewManager::DispatchEvent 	view/src/nsViewManager.cpp:912
12 	xul.dll 	AttachedHandleEvent 	view/src/nsView.cpp:193
13 	xul.dll 	nsWindow::DispatchEvent 	widget/src/windows/nsWindow.cpp:3559
14 	xul.dll 	nsWindow::DispatchWindowEvent 	widget/src/windows/nsWindow.cpp:3587
15 	xul.dll 	nsWindow::OnPaint 	
16 	ntdll.dll 	RtlpLowFragHeapAllocFromContext 	
17 	user32.dll 	EnumDisplaySettingsA 	

More reports at:
http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&range_value=4&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=nsCOMArray%3CnsIDOMRange%3E%3A%3AnsCOMArray%3CnsIDOMRange%3E%28%29

Scoobidiver (away)

Reporter

Updated

•

14 years ago

Blocks: 612515

Scoobidiver (away)

Reporter

Updated

•

14 years ago

blocking2.0: --- → ?

Bas Schouten (:bas.schouten)

Comment 1

•

14 years ago

This happens presumably because whatever is drawing the plugin does not have code to deal with its ImageContainer's layerManager not being the same as its Layer's LayerManager. This situation occurs when LayerManagers are changed. I can add some code to ImageLayerD3D9 to make sure this doesn't crash, but the user should probably deal with this and start using a new image container.

Benjamin Smedberg

Assignee

Comment 2

•

14 years ago

Bug 611596 has the same basic root cause, I think. How can one be notified when the layer manager changes?

Bas Schouten (:bas.schouten)

Comment 3

•

14 years ago

(In reply to comment #2)
> Bug 611596 has the same basic root cause, I think. How can one be notified when
> the layer manager changes?

Other code compares its container's manager with the layer manager during display list construction I believe.

Robert O'Callahan (:roc) (email my personal email if necessary)

Comment 4

•

14 years ago

Yes, that's the best way.

Joe Drew (not getting mail)

Updated

•

14 years ago

Assignee: nobody → benjamin

blocking2.0: ? → final+

Scoobidiver (away)

Reporter

Updated

•

14 years ago

Summary: crash [@ nsCOMArray<nsIDOMRange>::nsCOMArray<nsIDOMRange>() ] when trying to turn off HW acceleration → crash [@ nsCOMArray<nsIDOMRange>::nsCOMArray<nsIDOMRange>() ][@ nsCOMArray<nsIDOMSVGPoint>::nsCOMArray<nsIDOMSVGPoint>() ] when trying to turn off HW acceleration

Benjamin Smedberg

Assignee

Comment 5

•

14 years ago

Attached patch Compare layer managers before using cached ImageContainer, rev. 1 — Details — Splinter Review

Attachment #493671 - Flags: review?(roc)

Robert O'Callahan (:roc) (email my personal email if necessary)

Comment 6

•

14 years ago

Actually I think I made a mistake here.

I think this comment on ImageLayer::SetContainer is wrong:
   * Set the ImageContainer. aContainer must have the same layer manager
   * as this layer.
In fact, we should allow aContainer to have any layer manager (although having the same layer manager is best for performance).

ImageLayerD3D9, ImageLayerD3D10 and ImageLayerOGL should be updated to handle that. Basically if the container is an unexpected type, we should just call GetCurrentAsSurface on it and proceed.

But for this bug, we still want the change in this patch for nsObjectFrame::GetImageContainer, because recreating the image container when the layer manager changes is good for performance. But do we need the null checks in the rest of the patch?

Robert O'Callahan (:roc) (email my personal email if necessary)

Comment 7

•

14 years ago

Filed bug 615316 on the first part of comment #6.

Benjamin Smedberg

Assignee

Comment 8

•

14 years ago

The null checks were because I assumed that nsContentUtils::LayerManagerForDocument was possibly fallible. If it is infallible and manager->CreateImageContainer is infallible, nsObjectFrame::GetImageContainer is also infallible and we don't need the null checks.

Robert O'Callahan (:roc) (email my personal email if necessary)

Comment 9

•

14 years ago

Comment on attachment 493671 [details] [diff] [review]
Compare layer managers before using cached ImageContainer, rev. 1

Fair enough.

+     if (container)
+       container->SetCurrentImage(nsnull);

{} around the body

Attachment #493671 - Flags: review?(roc) → review+

Scoobidiver (away)

Reporter

Updated

•

14 years ago

Summary: crash [@ nsCOMArray<nsIDOMRange>::nsCOMArray<nsIDOMRange>() ][@ nsCOMArray<nsIDOMSVGPoint>::nsCOMArray<nsIDOMSVGPoint>() ] when trying to turn off HW acceleration → crash [@ nsCOMArray<nsIDOMRange>::nsCOMArray<nsIDOMRange>() ][@ nsCOMArray<nsIDOMSVGPoint>::nsCOMArray<nsIDOMSVGPoint>() ][@ nsCOMArray<nsIPermission>::nsCOMArray<nsIPermission>() ] when trying to turn off HW acceleration

Benjamin Smedberg

Assignee

Comment 10

•

14 years ago

http://hg.mozilla.org/mozilla-central/rev/1fa8a96b1c2c

Status: NEW → RESOLVED

Closed: 14 years ago

Resolution: --- → FIXED

Nobody; OK to take it and work on it

Updated

•

13 years ago

Crash Signature: [@ nsCOMArray<nsIDOMRange>::nsCOMArray<nsIDOMRange>() ] [@ nsCOMArray<nsIDOMSVGPoint>::nsCOMArray<nsIDOMSVGPoint>() ] [@ nsCOMArray<nsIPermission>::nsCOMArray<nsIPermission>() ]

You need to log in before you can comment on or make changes to this bug.