Closed Bug 672361 Opened 14 years ago Closed 14 years ago

Firefox 8.0a1 Crash @ IOSurface@0xb5b

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
mozilla8

People

(Reporter: marcia, Assigned: BenWa)

References

(
URL
)

Details

(Keywords: crash, reproducible, Whiteboard: [inbound])

Crash Data

Attachments

(1 file)

Fix mIOSurface memory management
2.47 KB, patch
smichaud
: review+
Details | Diff | Splinter Review
Seen while reviewing crash stats and reproducible using Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0a1) Gecko/20110718 Firefox/8.0a1 https://crash-stats.mozilla.com/report/index/bp-b9fccba7-9b41-4ec7-bda3-6aac12110718 STR: 1. http://fullproduct.download.microsoft.com/download/release/3/9/8/SW_DVD5_Windows_Vista_Business_32BIT_Brazilian_Full_Int_SP2_MLF_X15-39885.ISO?LCID=1033&PGM=VLSC&TID=40516574&__gda__=1311102765_ab37533b6655d0c01947f9f92ed2caf7 2. Deny the Java applet. 3. Crash. Frame Module Signature [Expand] Source 0 IOSurface IOSurface@0xb5b 1 XUL nsPluginInstanceOwner::RenderCoreAnimation dom/plugins/base/nsPluginInstanceOwner.cpp:1481 2 XUL nsObjectFrame::PaintPlugin layout/generic/nsObjectFrame.cpp:1780 3 XUL nsDisplayPlugin::Paint layout/generic/nsObjectFrame.cpp:1014 4 XUL mozilla::FrameLayerBuilder::DrawThebesLayer layout/base/FrameLayerBuilder.cpp:2142 5 XUL mozilla::layers::ThebesLayerOGL::RenderLayer gfx/layers/opengl/ThebesLayerOGL.cpp:711 6 XUL mozilla::layers::ContainerLayerOGL::RenderLayer gfx/layers/opengl/ContainerLayerOGL.cpp:245 7 XUL mozilla::layers::ContainerLayerOGL::RenderLayer gfx/layers/opengl/ContainerLayerOGL.cpp:245 8 XUL mozilla::layers::LayerManagerOGL::Render gfx/layers/opengl/LayerManagerOGL.cpp:796 9 XUL mozilla::layers::LayerManagerOGL::EndTransaction gfx/layers/opengl/LayerManagerOGL.cpp:423 10 XUL nsDisplayList::PaintForFrame layout/base/nsDisplayList.cpp:630 11 XUL nsLayoutUtils::PaintFrame layout/base/nsLayoutUtils.cpp:1639 12 XUL PresShell::Paint layout/base/nsPresShell.cpp:6165 13 XUL nsViewManager::Refresh view/src/nsViewManager.cpp:440 14 XUL nsViewManager::DispatchEvent view/src/nsViewManager.cpp:918 15 XUL HandleEvent view/src/nsView.cpp:160 16 XUL nsChildView::DispatchEvent widget/src/cocoa/nsChildView.mm:1705 17 XUL nsChildView::DispatchWindowEvent widget/src/cocoa/nsChildView.mm:1715 18 XUL -[ChildView drawRect:inContext:] widget/src/cocoa/nsChildView.mm:2793 19 XUL -[ChildView drawRect:] widget/src/cocoa/nsChildView.mm:2699 20 AppKit AppKit@0x100d74 21 AppKit AppKit@0xfbfe6 22 AppKit AppKit@0x73eeff 23 AppKit AppKit@0xfb89b 24 Foundation Foundation@0x16d95 25 AppKit AppKit@0x8046ff 26 AppKit AppKit@0xfe54a 27 libSystem.B.dylib libSystem.B.dylib@0x9d78 28 libSystem.B.dylib libSystem.B.dylib@0x9d78 29 AppKit AppKit@0x755a57 30 AppKit AppKit@0x239a2 31 CoreFoundation CoreFoundation@0xbc54 32 CoreFoundation CoreFoundation@0x1055b 33 CoreFoundation CoreFoundation@0xfd06 34 CoreFoundation CoreFoundation@0xfb5e 35 CoreFoundation CoreFoundation@0x24834 36 CoreFoundation CoreFoundation@0x246a8 37 Foundation Foundation@0x14f1b 38 AppKit AppKit@0xfeed5 39 libSystem.B.dylib libSystem.B.dylib@0x9d78 40 AppKit AppKit@0x755a57 41 AppKit AppKit@0x239a2 42 CoreFoundation CoreFoundation@0xbc54 43 CoreFoundation CoreFoundation@0x13e1a7 44 CoreFoundation CoreFoundation@0xfd06
I put this in Core Plugins but it is probably not the correct component so would appreciate any help in putting it in the correct component.
I can't reproduce this crash. I tested on OS X 3.6.8 with FF 5.0 and 6.0b2. So we need to round up the usual suspects :-) Do you crash with a clean profile?
I can reproduce the crash using the lastest trunk nightly with a clean profile. I will try other versions as well. I first saw the signature associated with someone running 10.7 in crash stats and that is where I got the URL.
I don't crash (even with today's trunk nightly) on OS X 10.6.8. I do crash on OS X 10.7: bp-347bd19d-ef49-47f6-9a7d-5d3062110718
But now Microsoft's done something to break your testcase :-( Now I get the following error, and no Java applet: An error occurred while processing your request. Reference #50.b5ec54b8.1311028747.208abf4d
(Following up comment #5) I find I can get rid of this error, and start crashing again, if I do the following in Terminal: $ rm -rf ~/Library/Caches/Java/cache/6.0
(Following up comment #6) To get rid of the error (and start crashing again) you also have to clear FF's cache (Preferences : Advanced : Network : Offline Storage : Clear Now).
Finding a regression range for this is going to be complicated by bug 663688, which makes FF *terribly* crashy on OS X 10.7 (and which has only been fixed on trunk, one way or another, since 2011-06-20).
> Finding a regression range for this is going to be complicated by > bug 663688, which makes FF *terribly* crashy on OS X 10.7 (and which > has only been fixed on trunk, one way or another, since 2011-06-20). But not, of course, if you set gfx.downloadable_fonts.enabled to false :-)
This appears to be a recent regression. Here's the regression range (testing on OS X 10.7): firefox-2011-07-13-03-07-41-mozilla-central firefox-2011-07-14-03-07-41-mozilla-central Here's the full STR over again: 1) Do the following in Terminal: rm -rf ~/Library/Caches/Java/cache/6.0 2) Run Firefox and clear its cache (Preferences : Advanced : Network : Offline Storage : Clear Now). 3) Visit http://fullproduct.download.microsoft.com/download/release/3/9/8/SW_DVD5_Windows_Vista_Business_32BIT_Brazilian_Full_Int_SP2_MLF_X15-39885.ISO?LCID=1033&PGM=VLSC&TID=40516574&__gda__=1311102765_ab37533b6655d0c01947f9f92ed2caf7 4) Wait 15-20 seconds for the Java applet to finish loading, then "deny" it access to your computer.
Benoit, I'd bet the trigger here is your patch for bug 663259 ("Enable Mac Async plugin by default"). Changing plugins.use_layers from 'true' to 'false' doesn't stop the crashes, but I'm not sure that settings change is enough to fully reverse the effects of your patch.
Thanks for looking into this Steven, I'll work on this bug I have a few ideas.
Assignee: nobody → bgirard
I carelessly changed mIOSurface from nsIOSurface* to nsRefPtr<nsIOSurface> without fixing all the implications. This patch addresses these omissions.
Attachment #546789 - Flags: review?(smichaud)
Comment on attachment 546789 [details] [diff] [review] Fix mIOSurface memory management This looks fine to me. Do we know that it fixes this bug's crashes?
Attachment #546789 - Flags: review?(smichaud) → review+
No, I was unable to reproduce the issue on 10.6 and don't have a 10.7 ready. It seem consistent with the crash report in this bug however.
> It seems consistent with the crash report in this bug however. I agree. Marcia and I can test your patch when it gets into a nightly. Whether or not your patch fixes this bug, though, it does fix things that need to be fixed.
Pushed to mozilla-inbound: http://hg.mozilla.org/integration/mozilla-inbound/rev/4c27fe0139bf
Whiteboard: [inbound]
> don't have a 10.7 ready Marcia, do you know if we have a way to distribute copies of the 10.7 GM to employees/contractors?
(In reply to comment #18) > > don't have a 10.7 ready > > Marcia, do you know if we have a way to distribute copies of the 10.7 GM to > employees/contractors? We have a corporate account for MoCo that Josh setup. I just have an old seed from May without a dev environment. I've been meaning to set it up once I get assigned a complex Lion bug.
I have not heard anything from IT yet regarding this. I purchased an individual yearly membership so I could get the seeds. (In reply to comment #18) > > don't have a 10.7 ready > > Marcia, do you know if we have a way to distribute copies of the 10.7 GM to > employees/contractors?
> I purchased an individual yearly membership so I could get the seeds. So did I :-) It's not expensive -- just $99 (http://developer.apple.com/programs/mac/). But this is really something Mozilla should provide for its employees/contractors -- whether by allowing us to expense the $99 or by doing it centrally. I'll beat the bushes to see what I can find out.
(In reply to comment #21) > > I purchased an individual yearly membership so I could get the seeds. > > So did I :-) > > It's not expensive -- just $99 (http://developer.apple.com/programs/mac/). > > But this is really something Mozilla should provide for its > employees/contractors -- whether by allowing us to expense the $99 or by > doing it centrally. I'll beat the bushes to see what I can find out. Contact Josh, he set up a Mozilla account a last month.
> Contact Josh, he set up a Mozilla account a last month. I will. But if we *do* manage this centrally, it really should be IT (or someone in IT) that takes care of it. To my mind Josh shouldn't be saddled with this. Nor am I particularly eager to be :-)
http://hg.mozilla.org/mozilla-central/rev/4c27fe0139bf
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8
Testing with this M-I build, I no longer crash using my STR from comment #10.
Blocks: 672852
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: