Crash [@ nsRefreshDriver::Notify] with accessibility retrieval on a deleted frame

RESOLVED WORKSFORME

Status

()

Core
Disability Access APIs
--
critical
RESOLVED WORKSFORME
7 years ago
2 years ago

People

(Reporter: Martijn Wargers (dead), Unassigned)

Tracking

({crash, testcase})

Trunk
crash, testcase
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(2 attachments)

(Reporter)

Description

7 years ago
Created attachment 542109 [details]
testcase (uses enhanced privileges)

See testcase, which crashes current trunk build, when mousing down on the green block in the iframe.
The content of the iframe is this:
<div tabindex="4" id="a" style="height: 500px; background: green;" onmousedown="setTimeout(function() {window.frameElement.style.display = 'none'}, 100);"></div>

https://crash-stats.mozilla.com/report/index/9a46ed96-079c-4368-97b6-9bc122110627
0 	xul.dll 	nsRefreshDriver::Notify 	layout/base/nsRefreshDriver.cpp:325
1 	xul.dll 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:427
2 	xul.dll 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:520
3 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:618
4 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:134
5 	xul.dll 	xul.dll@0xb6560f 	
6 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:202
7 	xul.dll 	xul.dll@0x3719bf 	
8 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:176
9 	xul.dll 	mozilla::storage::AsyncExecuteStatements::AsyncExecuteStatements 	storage/src/mozStorageAsyncStatementExecution.cpp:238
10 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:189
11 		@0x7530ffff 	
12 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:222
13 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3565
14 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:107
15 	firefox.exe 	firefox.exe@0x4043 	
16 	firefox.exe 	_RTC_Initialize 	
17 	mozcrt19.dll 	_initterm 	obj-firefox/memory/jemalloc/crtsrc/crt0dat.c:852
18 	firefox.exe 	firefox.exe@0x2087 	
19 	ntdll.dll 	LdrpAppendToForwarderList 	
20 	ntdll.dll 	_RtlUserThreadStart 	
21 	firefox.exe 	firefox.exe@0x1cef 	
22 	firefox.exe 	firefox.exe@0x1cef
(Reporter)

Comment 1

7 years ago
Not fixed by the patch in the bug that I filed appr. around the same time.
(Reporter)

Comment 2

7 years ago
Still crashes in current trunk  build.

Comment 3

7 years ago
Martijn, it doesn't crash for me
(Reporter)

Updated

7 years ago
Summary: Crash [@ nsRefreshDriver::Notify] with accessibility retreival on a deleted frame → Crash [@ nsRefreshDriver::Notify] with accessibility retrieval on a deleted frame
(Reporter)

Comment 4

7 years ago
Created attachment 551734 [details]
stack from debug build

This is a stack from a debug build. Let me know if you need more info.

Comment 5

7 years ago
Martijn, still no luck to reproduce it. Could you please update debug stack trace to trunk and/or give me changeset the existing stack is for?
(In reply to Martijn Wargers [:mw22] (QA - IRC nick: mw22) from comment #4)
> Created attachment 551734 [details]
> stack from debug build
> 
> This is a stack from a debug build. Let me know if you need more info.

I haven't looked at this code in a while, but calling NotificationController::Shutdown inside of NotificationController::WillRefresh might be odd?

Comment 7

7 years ago
(In reply to David Bolter [:davidb] from comment #6)

> I haven't looked at this code in a while, but calling
> NotificationController::Shutdown inside of
> NotificationController::WillRefresh might be odd?

It might be but it shouldn't be a problem to remove listener when listener is called. If I remember right, refresh driver addrefs listener when it calls into it, so when listener gets shutdown during a call and gets removed from listeners array then the listener should be alive. I'd need updated stack to check the code.

Updated

6 years ago
Crash Signature: https://crash-stats.mozilla.com/report/index/9a46ed96-079c-4368-97b6-9bc122110627 0 xul.dll nsRefreshDriver::Notify layout/base/nsRefreshDriver.cpp:325 1 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:427 2 xul.dll nsTimerEvent:&hellip; → [@ nsRefreshDriver::Notify(nsITimer*) ]

Updated

6 years ago
Crash Signature: [@ nsRefreshDriver::Notify(nsITimer*) ] → [@ nsRefreshDriver::Notify(nsITimer*) ] [@ nsRefreshDriver::Notify ]
OS: Windows 7 → All
Hardware: x86 → All
Martijn do you have a fresh stack?
Two more stacks:
ea07fbaf-8313-4d1b-9d86-9c95f2120806
c00c7a9a-91e6-4bdd-b145-da5512120808
(In reply to David Bolter [:davidb] from comment #11)
> Still happens:
> https://crash-stats.mozilla.com/report/index/bp-1ecbffcb-49e6-4ed7-98a5-
> ddd2d2130205

Oof sorry that was FF13... trying Nightly...
The test case does not seem to cause the crash in Nightly.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.