Bug 623606 (Closed) - Opened 11 years ago, Closed 11 years ago

Crash [@ nsDisplayClip::nsDisplayClip ] when dragging selected text

Categories: Core :: Layout, defect
Hardware: x86
OS: All
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Tracking: blocking2.0 --- final+
People: Reporter: scoobidiver, Assigned: tnikkel
Keywords: crash, regression
Attachments: 2 files

It is a new crash signature that first appears in 4.0b9pre/20110106.
It happens on Linux and Mac OS X.
It is probably a regression from bug 615794.

Signature	nsDisplayClip::nsDisplayClip
UUID	8bf15215-e776-4d6a-852a-e54722110106
Time 	2011-01-06 07:13:07.72300
Uptime	2095
Install Age	3035 seconds (50.6 minutes) since version was first installed.
Product	Firefox
Version	4.0b9pre
Build ID	20110106030349
Branch	2.0
OS	Linux
OS Version	0.0.0 Linux 2.6.35.10-74.fc14.i686 #1 SMP Thu Dec 23 16:17:40 UTC 2010 i686
CPU	x86
CPU Info	GenuineIntel family 6 model 23 stepping 6
Crash Reason	SIGSEGV
Crash Address	0x8

Frame 	Module 	Signature 	Source
0 	libxul.so 	nsDisplayClip::nsDisplayClip 	nsIPresShell.h:269
1 	libxul.so 	PresShell::ClipListToRange 	nsPresShell.cpp:5468
2 	libxul.so 	PresShell::CreateRangePaintInfo 	nsPresShell.cpp:5584
3 	libxul.so 	PresShell::RenderSelection 	nsPresShell.cpp:5799
4 	libxul.so 	nsBaseDragService::DrawDrag 	nsBaseDragService.cpp:498
5 	libxul.so 	nsDragService::InvokeDragSession 	nsDragService.cpp:248
6 	libxul.so 	nsBaseDragService::InvokeDragSessionWithSelection 	nsBaseDragService.cpp:318
7 	libxul.so 	nsEventStateManager::DoDefaultDragStart 	nsEventStateManager.cpp:2310
8 	libxul.so 	nsEventStateManager::GenerateDragGesture 	nsEventStateManager.cpp:2092
9 	libxul.so 	nsEventStateManager::PreHandleEvent 	nsEventStateManager.cpp:1170
10 	libxul.so 	PresShell::HandleEventInternal 	nsPresShell.cpp:6937
11 	libxul.so 	PresShell::HandlePositionedEvent 	nsPresShell.cpp:6788
12 	libxul.so 	PresShell::HandleEvent 	nsPresShell.cpp:6638
13 	libxul.so 	nsViewManager::HandleEvent 	nsViewManager.cpp:1092
14 	libxul.so 	nsViewManager::DispatchEvent 	nsViewManager.cpp:1070
15 	libxul.so 	HandleEvent 	nsView.cpp:161
16 	libxul.so 	nsWindow::DispatchEvent 	nsWindow.cpp:571
17 	libxul.so 	nsWindow::OnMotionNotifyEvent 	nsWindow.cpp:2613
18 	libxul.so 	motion_notify_event_cb 	nsWindow.cpp:5644
19 	libgtk-x11-2.0.so.0.2200.0 	libgtk-x11-2.0.so.0.2200.0@0x14b717 	
20 	libgobject-2.0.so.0.2600.0 	libgobject-2.0.so.0.2600.0@0xbbe2 	
21 	libgobject-2.0.so.0.2600.0 	libgobject-2.0.so.0.2600.0@0x1e0ef 	
22 	libgobject-2.0.so.0.2600.0 	libgobject-2.0.so.0.2600.0@0x26fcc 	
23 	libgobject-2.0.so.0.2600.0 	libgobject-2.0.so.0.2600.0@0x27402 	
24 	libgtk-x11-2.0.so.0.2200.0 	libgtk-x11-2.0.so.0.2200.0@0x29bb1d 	
25 	libgtk-x11-2.0.so.0.2200.0 	libgtk-x11-2.0.so.0.2200.0@0x149444 	
26 	libgtk-x11-2.0.so.0.2200.0 	libgtk-x11-2.0.so.0.2200.0@0x149856 	
27 	libgdk-x11-2.0.so.0.2200.0 	libgdk-x11-2.0.so.0.2200.0@0x5c38a 	
28 	libglib-2.0.so.0.2600.0 	libglib-2.0.so.0.2600.0@0x40191 	
29 	libglib-2.0.so.0.2600.0 	libglib-2.0.so.0.2600.0@0x40977 	
30 	libglib-2.0.so.0.2600.0 	libglib-2.0.so.0.2600.0@0x40c34 	
31 	libxul.so 	nsAppShell::ProcessNextNativeEvent 	nsAppShell.cpp:144
32 	libxul.so 	nsBaseAppShell::DoProcessNextNativeEvent 	nsBaseAppShell.cpp:173
33 	libxul.so 	nsBaseAppShell::OnProcessNextEvent 	nsBaseAppShell.cpp:333
34 	libxul.so 	nsThread::ProcessNextEvent 	nsThread.cpp:597
35 	libxul.so 	NS_ProcessNextEvent_P 	nsThreadUtils.cpp:250
36 	libxul.so 	mozilla::ipc::MessagePump::Run 	MessagePump.cpp:134
37 	libxul.so 	MessageLoop::RunInternal 	message_loop.cc:219
38 	libxul.so 	MessageLoop::Run 	message_loop.cc:202
39 	libxul.so 	nsBaseAppShell::Run 	nsBaseAppShell.cpp:192
40 	libxul.so 	nsAppStartup::Run 	nsAppStartup.cpp:191
41 		@0x23b011b 	
42 	libxul.so 	XRE_main 	nsAppRunner.cpp:3695
43 	firefox-bin 	main 	nsBrowserApp.cpp:158
44 	libc-2.12.90.so 	libc-2.12.90.so@0x16e15 	
45 	firefox-bin 	firefox-bin@0x1390 	
46 	firefox-bin 	Output 	nsBrowserApp.cpp:77
47 		@0x0 	

More reports at:
http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&range_value=4&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=nsDisplayClip%3A%3AnsDisplayClip
blocking2.0: --- → ?
It is currently #2 top crasher in today's build.
Assignee: nobody → tnikkel
Easy to reproduce on Linux. Load page, select some text and try to drag it - immediate crash.
Updating summary per comment 2. (Confirmed those STR myself.)
Summary: Crash [@ nsDisplayClip::nsDisplayClip ] → Crash [@ nsDisplayClip::nsDisplayClip ] when selecting & dragging text
Duplicate of this bug: 623683
Summary: Crash [@ nsDisplayClip::nsDisplayClip ] when selecting & dragging text → Crash [@ nsDisplayClip::nsDisplayClip ] when dragging selected text
Doesn't seem to affect Windows builds, for what it's worth.
The problem is that we are creating display items (clips) in ClipListToRange after we have called LeavePresShell.
Attached patch: patch
I'd like to land a fix for this top crasher today.
Attachment #501782 - Flags: review?
Attachment #501782 - Flags: approval2.0?
Attachment #501782 - Flags: review? → review?(dbaron)
I will create a mochitest for this later.
Flags: in-testsuite?
I think the Windows version of this crash is [@ xul.dll@0x38357b] since many of the 248 reports mention dragging text someplace in the browser.
I think this should probably block Beta 9.
Comment on attachment 501782 (patch)

I'll trust you on that being bad.  r=dbaron
Attachment #501782 - Flags: review?(dbaron)
Attachment #501782 - Flags: review+
Attachment #501782 - Flags: approval2.0?
Attachment #501782 - Flags: approval2.0+
The reason for the crash is that bug 615794 introduced a call to CurrentPresContext on the display list builder when creating a nsDisplayClip. CurrentPresContext calls CurrentPresShellState(), which returns the top of the mPresShellStates stack. And the mPresShellStates stack is pushed to/popped from in EnterPresShell/LeavePresShell. So if we've left the last presshell then the stack is empty and we return a bad pointer.
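As an added illustration (not code from the Gecko tree or from the patch on this bug), the following cut-down C++ model shows the failure mode described in the comment above: a "top of stack" accessor computed as Length()-1 reads out of bounds when the stack is empty, and a hardened accessor turns the empty stack into a condition the caller can test, so an item built after the last Leave() is refused instead of dereferencing garbage. All names in it (StateStack, PresShellState, Enter/Leave, MakeClip, DisplayClip) are assumed for illustration only.

```cpp
// Added example, not code from the Gecko tree or from this bug's patch. It
// models the state-stack pattern from the comment above with illustrative
// names: a builder keeps a stack of per-pres-shell states, an accessor
// returns the top entry, and a display item constructed after the last
// Leave() reads through whatever that accessor returns.
#include <cassert>
#include <cstdio>
#include <vector>

struct PresContext {
    int id;
};

struct PresShellState {
    PresContext* presContext;
};

class StateStack {
public:
    void Enter(PresContext* ctx) { mStates.push_back(PresShellState{ctx}); }
    void Leave() {
        assert(!mStates.empty() && "Leave() without matching Enter()");
        mStates.pop_back();
    }
    bool Empty() const { return mStates.empty(); }

    // Shape of the bug: "top of stack" computed as Length()-1 with no check.
    // With an empty stack the index wraps to SIZE_MAX and the read is out of
    // bounds (undefined behaviour). Only valid while !Empty(); kept here to
    // document the hazard, and the callers below never use it when empty.
    PresShellState* CurrentUnchecked() {
        return &mStates[mStates.size() - 1];
    }

    // Hardened accessor: an empty stack is an explicit condition the caller
    // can test for, not a bad pointer.
    PresShellState* CurrentChecked() {
        return mStates.empty() ? nullptr : &mStates.back();
    }

    PresContext* CurrentPresContext() {
        PresShellState* state = CurrentChecked();
        return state ? state->presContext : nullptr;
    }

private:
    std::vector<PresShellState> mStates;
};

// Stand-in for a display item whose constructor asks the builder for the
// current pres context (the kind of call the comment says was added to the
// clip item's constructor).
struct DisplayClip {
    PresContext* presContext;
    int rect;
};

// Returns false instead of dereferencing a bad pointer when the builder has
// already left its last pres shell.
bool MakeClip(StateStack& builder, int rect, DisplayClip* out) {
    PresContext* pc = builder.CurrentPresContext();
    if (!pc) {
        return false;
    }
    *out = DisplayClip{pc, rect};
    return true;
}

// The ordering that crashed: Leave() first, then build a clip item.
bool ClipAfterLeaveIsRejected() {
    PresContext ctx{1};
    StateStack builder;
    builder.Enter(&ctx);
    builder.Leave();
    DisplayClip clip{nullptr, 0};
    return !MakeClip(builder, 42, &clip) && clip.presContext == nullptr;
}

// The intended ordering: build clip items while the shell is still entered.
bool ClipInsideShellSucceeds() {
    PresContext ctx{7};
    StateStack builder;
    builder.Enter(&ctx);
    DisplayClip clip{nullptr, 0};
    bool ok = MakeClip(builder, 42, &clip);
    // The unchecked accessor is fine here because the stack is non-empty.
    bool sameTop = builder.CurrentUnchecked()->presContext == &ctx;
    builder.Leave();
    return ok && sameTop && clip.presContext == &ctx && clip.rect == 42;
}

int main() {
    std::printf("clip after Leave rejected: %s\n",
                ClipAfterLeaveIsRejected() ? "yes" : "no");
    std::printf("clip inside shell ok: %s\n",
                ClipInsideShellSucceeds() ? "yes" : "no");
    return 0;
}
```

The point of the checked accessor is not that it fixes the ordering mistake (creating items after leaving the shell is still a logic bug, which is what the landed patch addresses) but that an ordering mistake then fails loudly and deterministically instead of reading an out-of-bounds entry and crashing on whatever that memory held.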
http://hg.mozilla.org/mozilla-central/rev/9f3abbbfed8d
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Duplicate of this bug: 623833
Duplicate of this bug: 624145
I wrote a test for this. Unfortunately it doesn't pass on try server on Windows for some reason. I haven't had much time to figure out why.
Crash Signature: [@ nsDisplayClip::nsDisplayClip ]