Closed Bug 672361 Opened 11 years ago Closed 11 years ago

Firefox 8.0a1 Crash @ IOSurface@0xb5b

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
mozilla8

People

(Reporter: marcia, Assigned: BenWa)

References

(
URL
)

Details

(Keywords: crash, reproducible, Whiteboard: [inbound])

Crash Data

Attachments

(1 file)

Fix mIOSurface memory management
2.47 KB, patch
smichaud
: review+
Details | Diff | Splinter Review 
Seen while reviewing crash stats and reproducible using Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0a1) Gecko/20110718 Firefox/8.0a1

https://crash-stats.mozilla.com/report/index/bp-b9fccba7-9b41-4ec7-bda3-6aac12110718

STR:

1. http://fullproduct.download.microsoft.com/download/release/3/9/8/SW_DVD5_Windows_Vista_Business_32BIT_Brazilian_Full_Int_SP2_MLF_X15-39885.ISO?LCID=1033&PGM=VLSC&TID=40516574&__gda__=1311102765_ab37533b6655d0c01947f9f92ed2caf7
2. Deny the Java applet.
3. Crash.


Frame 	Module 	Signature [Expand] 	Source
0 	IOSurface 	IOSurface@0xb5b 	
1 	XUL 	nsPluginInstanceOwner::RenderCoreAnimation 	dom/plugins/base/nsPluginInstanceOwner.cpp:1481
2 	XUL 	nsObjectFrame::PaintPlugin 	layout/generic/nsObjectFrame.cpp:1780
3 	XUL 	nsDisplayPlugin::Paint 	layout/generic/nsObjectFrame.cpp:1014
4 	XUL 	mozilla::FrameLayerBuilder::DrawThebesLayer 	layout/base/FrameLayerBuilder.cpp:2142
5 	XUL 	mozilla::layers::ThebesLayerOGL::RenderLayer 	gfx/layers/opengl/ThebesLayerOGL.cpp:711
6 	XUL 	mozilla::layers::ContainerLayerOGL::RenderLayer 	gfx/layers/opengl/ContainerLayerOGL.cpp:245
7 	XUL 	mozilla::layers::ContainerLayerOGL::RenderLayer 	gfx/layers/opengl/ContainerLayerOGL.cpp:245
8 	XUL 	mozilla::layers::LayerManagerOGL::Render 	gfx/layers/opengl/LayerManagerOGL.cpp:796
9 	XUL 	mozilla::layers::LayerManagerOGL::EndTransaction 	gfx/layers/opengl/LayerManagerOGL.cpp:423
10 	XUL 	nsDisplayList::PaintForFrame 	layout/base/nsDisplayList.cpp:630
11 	XUL 	nsLayoutUtils::PaintFrame 	layout/base/nsLayoutUtils.cpp:1639
12 	XUL 	PresShell::Paint 	layout/base/nsPresShell.cpp:6165
13 	XUL 	nsViewManager::Refresh 	view/src/nsViewManager.cpp:440
14 	XUL 	nsViewManager::DispatchEvent 	view/src/nsViewManager.cpp:918
15 	XUL 	HandleEvent 	view/src/nsView.cpp:160
16 	XUL 	nsChildView::DispatchEvent 	widget/src/cocoa/nsChildView.mm:1705
17 	XUL 	nsChildView::DispatchWindowEvent 	widget/src/cocoa/nsChildView.mm:1715
18 	XUL 	-[ChildView drawRect:inContext:] 	widget/src/cocoa/nsChildView.mm:2793
19 	XUL 	-[ChildView drawRect:] 	widget/src/cocoa/nsChildView.mm:2699
20 	AppKit 	AppKit@0x100d74 	
21 	AppKit 	AppKit@0xfbfe6 	
22 	AppKit 	AppKit@0x73eeff 	
23 	AppKit 	AppKit@0xfb89b 	
24 	Foundation 	Foundation@0x16d95 	
25 	AppKit 	AppKit@0x8046ff 	
26 	AppKit 	AppKit@0xfe54a 	
27 	libSystem.B.dylib 	libSystem.B.dylib@0x9d78 	
28 	libSystem.B.dylib 	libSystem.B.dylib@0x9d78 	
29 	AppKit 	AppKit@0x755a57 	
30 	AppKit 	AppKit@0x239a2 	
31 	CoreFoundation 	CoreFoundation@0xbc54 	
32 	CoreFoundation 	CoreFoundation@0x1055b 	
33 	CoreFoundation 	CoreFoundation@0xfd06 	
34 	CoreFoundation 	CoreFoundation@0xfb5e 	
35 	CoreFoundation 	CoreFoundation@0x24834 	
36 	CoreFoundation 	CoreFoundation@0x246a8 	
37 	Foundation 	Foundation@0x14f1b 	
38 	AppKit 	AppKit@0xfeed5 	
39 	libSystem.B.dylib 	libSystem.B.dylib@0x9d78 	
40 	AppKit 	AppKit@0x755a57 	
41 	AppKit 	AppKit@0x239a2 	
42 	CoreFoundation 	CoreFoundation@0xbc54 	
43 	CoreFoundation 	CoreFoundation@0x13e1a7 	
44 	CoreFoundation 	CoreFoundation@0xfd06
I put this in Core Plugins but it is probably not the correct component so would appreciate any help in putting it in the correct component.
I can't reproduce this crash.  I tested on OS X 3.6.8 with FF 5.0 and 6.0b2.

So we need to round up the usual suspects :-)

Do you crash with a clean profile?
I can reproduce the crash using the lastest trunk nightly with a clean profile.

I will try other versions as well. I first saw the signature associated with someone running 10.7 in crash stats and that is where I got the URL.
I don't crash (even with today's trunk nightly) on OS X 10.6.8.

I do crash on OS X 10.7:

bp-347bd19d-ef49-47f6-9a7d-5d3062110718
But now Microsoft's done something to break your testcase :-(

Now I get the following error, and no Java applet:

An error occurred while processing your request.

Reference #50.b5ec54b8.1311028747.208abf4d
(Following up comment #5)

I find I can get rid of this error, and start crashing again, if I do the following in Terminal:

$ rm -rf ~/Library/Caches/Java/cache/6.0
(Following up comment #6)

To get rid of the error (and start crashing again) you also have to clear FF's cache (Preferences : Advanced : Network : Offline Storage : Clear Now).
Finding a regression range for this is going to be complicated by bug 663688, which makes FF *terribly* crashy on OS X 10.7 (and which has only been fixed on trunk, one way or another, since 2011-06-20).
> Finding a regression range for this is going to be complicated by
> bug 663688, which makes FF *terribly* crashy on OS X 10.7 (and which
> has only been fixed on trunk, one way or another, since 2011-06-20).

But not, of course, if you set gfx.downloadable_fonts.enabled to false
:-)
This appears to be a recent regression.  Here's the regression range
(testing on OS X 10.7):

firefox-2011-07-13-03-07-41-mozilla-central
firefox-2011-07-14-03-07-41-mozilla-central

Here's the full STR over again:

1) Do the following in Terminal:

   rm -rf ~/Library/Caches/Java/cache/6.0

2) Run Firefox and clear its cache (Preferences : Advanced : Network :
   Offline Storage : Clear Now).

3) Visit http://fullproduct.download.microsoft.com/download/release/3/9/8/SW_DVD5_Windows_Vista_Business_32BIT_Brazilian_Full_Int_SP2_MLF_X15-39885.ISO?LCID=1033&PGM=VLSC&TID=40516574&__gda__=1311102765_ab37533b6655d0c01947f9f92ed2caf7

4) Wait 15-20 seconds for the Java applet to finish loading, then
   "deny" it access to your computer.
Benoit, I'd bet the trigger here is your patch for bug 663259 ("Enable Mac Async plugin by default").  Changing plugins.use_layers from 'true' to 'false' doesn't stop the crashes, but I'm not sure that settings change is enough to fully reverse the effects of your patch.
Thanks for looking into this Steven, I'll work on this bug I have a few ideas.
Assignee: nobody → bgirard
I carelessly changed mIOSurface from nsIOSurface* to nsRefPtr<nsIOSurface> without fixing all the implications. This patch addresses these omissions.
Attachment #546789 - Flags: review?(smichaud)
Comment on attachment 546789 [details] [diff] [review]
Fix mIOSurface memory management

This looks fine to me.

Do we know that it fixes this bug's crashes?
Attachment #546789 - Flags: review?(smichaud) → review+
No, I was unable to reproduce the issue on 10.6 and don't have a 10.7 ready. It seem consistent with the crash report in this bug however.
> It seems consistent with the crash report in this bug however.

I agree.  Marcia and I can test your patch when it gets into a nightly.

Whether or not your patch fixes this bug, though, it does fix things that need to be fixed.
Pushed to mozilla-inbound:
http://hg.mozilla.org/integration/mozilla-inbound/rev/4c27fe0139bf
Whiteboard: [inbound]
> don't have a 10.7 ready

Marcia, do you know if we have a way to distribute copies of the 10.7 GM to employees/contractors?
(In reply to comment #18)
> > don't have a 10.7 ready
> 
> Marcia, do you know if we have a way to distribute copies of the 10.7 GM to
> employees/contractors?

We have a corporate account for MoCo that Josh setup. I just have an old seed from May without a dev environment. I've been meaning to set it up once I get assigned a complex Lion bug.
I have not heard anything from IT yet regarding this. I purchased an individual yearly membership so I could get the seeds.

(In reply to comment #18)
> > don't have a 10.7 ready
> 
> Marcia, do you know if we have a way to distribute copies of the 10.7 GM to
> employees/contractors?
> I purchased an individual yearly membership so I could get the seeds.

So did I :-)

It's not expensive -- just $99 (http://developer.apple.com/programs/mac/).

But this is really something Mozilla should provide for its employees/contractors -- whether by allowing us to expense the $99 or by doing it centrally.  I'll beat the bushes to see what I can find out.
(In reply to comment #21)
> > I purchased an individual yearly membership so I could get the seeds.
> 
> So did I :-)
> 
> It's not expensive -- just $99 (http://developer.apple.com/programs/mac/).
> 
> But this is really something Mozilla should provide for its
> employees/contractors -- whether by allowing us to expense the $99 or by
> doing it centrally.  I'll beat the bushes to see what I can find out.

Contact Josh, he set up a Mozilla account a last month.
> Contact Josh, he set up a Mozilla account a last month.

I will.	 But if we *do* manage this centrally, it really should be IT
(or someone in IT) that takes care of it.

To my mind Josh shouldn't be saddled with this.  Nor am I particularly
eager to be :-)
http://hg.mozilla.org/mozilla-central/rev/4c27fe0139bf
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8
Testing with this M-I build, I no longer crash using my STR from comment #10.
Blocks: 672852
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.