Bug 704456 - [10.7] Crash in __-[ChildView maybeTrackScrollEventAsSwipe:scrollOverflow:]_block_invoke_1
Keywords: crash, verified-aurora, verified-beta
Product: Core
Classification: Components
Component: Widget: Cocoa
Version: 9 Branch
Platform: x86_64 Mac OS X
Importance: -- critical
Target Milestone: mozilla11
Assigned To: Steven Michaud [:smichaud] (Retired)
: Markus Stange [:mstange]
Depends on:
Blocks: lion-compatibility
Reported: 2011-11-22 05:28 PST by Scoobidiver (away)
Modified: 2011-12-06 12:10 PST

Fix (1.68 KB, patch)
2011-11-22 12:08 PST, Steven Michaud [:smichaud] (Retired)
mstange: review+
bugzilla: approval‑mozilla‑aurora+
bugzilla: approval‑mozilla‑beta+

Description Scoobidiver (away) 2011-11-22 05:28:44 PST
It's the #3 top crasher on Mac OS X in 9.0b2, #13 in 10.0a2, and #14 in 11.0a1.
It happens only with Mac OS X 10.7.

Signature	__-[ChildView maybeTrackScrollEventAsSwipe:scrollOverflow:]_block_invoke_1
UUID	947c6e73-0e48-42e3-9391-cfe3a2111121
Date Processed	2011-11-21 17:10:09.155660
Uptime	1453
Last Crash	more than 3 months before submission
Install Age	3.3 days since version was first installed.
Install Time	2011-11-18 18:43:36
Product	Firefox
Version	9.0
Build ID	20111116091359
Release Channel	beta
OS Version	10.7.2 11C74
Build Architecture	amd64
Build Architecture Info	family 6 model 23 stepping 10
Crash Address	0x0
App Notes	Renderers: 0x22600,0x20400
GL Context? GL Context+
GL Layers? GL Layers+
EMCheckCompatibility	True

Frame 	Module 	Signature 	Source
0 	XUL 	__-[ChildView maybeTrackScrollEventAsSwipe:scrollOverflow:]_block_invoke_1 	widget/src/cocoa/
1 	AppKit 	AppKit@0x3f7ef5 	
2 	libsystem_c.dylib 	libsystem_c.dylib@0xa115c 	
3 	libobjc.A.dylib 	objc::DenseMap<objc_object*, unsigned long, true, objc::DenseMapInfo<objc_object*>, objc::DenseMapInfo<unsigned long> >::FindAndConstruct 	
4 	libobjc.A.dylib 	_objc_rootRetain 	
5 	CoreFoundation 	CoreFoundation@0x31008 	
6 	CoreFoundation 	CoreFoundation@0x4b44e 	
7 	libsystem_c.dylib 	libsystem_c.dylib@0x4d46f 	
8 	libsystem_c.dylib 	libsystem_c.dylib@0x4d6aa 	
9 	AppKit 	AppKit@0x98b75f 	
10 	Foundation 	Foundation@0xa58a 	
11 	Foundation 	Foundation@0xa2c6 	
12 	CoreFoundation 	CoreFoundation@0x312e4 	
13 	AppKit 	AppKit@0x6fe37 	
14 	AppKit 	AppKit@0x6d6af 	
15 	AppKit 	AppKit@0x6e0f6 	
16 	AppKit 	AppKit@0x3f5156 	
17 	libobjc.A.dylib 	objc::DenseMap<objc_object*, unsigned long, true, objc::DenseMapInfo<objc_object*>, objc::DenseMapInfo<unsigned long> >::FindAndConstruct 	
18 	libobjc.A.dylib 	_objc_rootRetain 	
19 	CoreFoundation 	CoreFoundation@0x31008 	
20 	AppKit 	AppKit@0x6dd1b 	
21 	AppKit 	AppKit@0x9064

More reports at:[ChildView%20maybeTrackScrollEventAsSwipe%3AscrollOverflow%3A]_block_invoke_1
Comment 1 Steven Michaud [:smichaud] (Retired) 2011-11-22 08:13:20 PST
We seem to be dereferencing a null pointer in mGeckoChild.  I need to add a null check.  I'll post a patch shortly.

Thanks for noticing this.  It needs to be fixed before it gets into a release.
Comment 2 Steven Michaud [:smichaud] (Retired) 2011-11-22 08:17:11 PST
On the branches that have this bug (9 and up), this is currently the #11 Mac topcrasher.
Comment 3 Steven Michaud [:smichaud] (Retired) 2011-11-22 12:08:38 PST
Created attachment 576224

Here's a fix for these crashes.

I've already encountered them (and fixed them) at bug 698761, where my
work on Chrome-style swipe animation made them easier to reproduce.
See bug 698761 comment #22 and bug 698761 comment #23.
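
The kind of null check comment 1 describes, as an added C++ example that is not the attached patch and not Gecko code: a handler that is called later re-reads `mGeckoChild` each time and returns early when it is null. `GeckoChild`, `SwipeTracker`, `WidgetDestroyed` and the other names are hypothetical stand-ins, and it is an assumption here that `mGeckoChild` is cleared at widget teardown before the handler runs.

```cpp
#include <cstdio>
#include <functional>
#include <utility>
#include <vector>
// Hypothetical stand-ins; none of these types are Gecko's own.
struct GeckoChild {
    int dispatched = 0;
    void DispatchSwipe(double) { ++dispatched; }
};
struct ChildView {
    GeckoChild* mGeckoChild = nullptr;
    void WidgetDestroyed() { mGeckoChild = nullptr; }  // assumed teardown path
};
// Plays the OS side: stores the handler and calls it later.
struct SwipeTracker {
    std::vector<std::function<bool(double)>> handlers;
    void Track(std::function<bool(double)> h) { handlers.push_back(std::move(h)); }
    int Deliver(double amount) {  // returns how many handlers asked to stop
        int stops = 0;
        for (auto& h : handlers) if (!h(amount)) ++stops;
        return stops;
    }
};

// The handler re-reads mGeckoChild on every call and returns early when it
// is null; without that check the late call would dereference address 0.
void TrackSwipeGuarded(ChildView& view, SwipeTracker& tracker) {
    tracker.Track([&view](double amount) -> bool {
        GeckoChild* child = view.mGeckoChild;  // value at call time
        if (!child) return false;              // widget gone: stop tracking
        child->DispatchSwipe(amount);
        return true;
    });
}

struct Result { int dispatched; int stops; };
// One update while the widget is alive, teardown, then one late update.
Result RunScenario() {
    GeckoChild child;
    ChildView view;
    view.mGeckoChild = &child;
    SwipeTracker tracker;
    TrackSwipeGuarded(view, tracker);
    int stops = tracker.Deliver(0.4);
    view.WidgetDestroyed();
    stops += tracker.Deliver(0.9);
    return {child.dispatched, stops};
}
int main() { Result r = RunScenario(); std::printf("dispatched=%d stops=%d\n", r.dispatched, r.stops); }
```
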
Comment 4 Steven Michaud [:smichaud] (Retired) 2011-11-22 13:18:07 PST
Landed on mozilla-inbound:
Comment 5 Steven Michaud [:smichaud] (Retired) 2011-11-22 13:20:08 PST
Comment on attachment 576224

This is a trivial fix for what could become a topcrasher, if it gets into a release.
Comment 6 Johnathan Nightingale [:johnath] 2011-11-22 14:45:58 PST
Comment on attachment 576224

Get it landed soon please, thanks!
Comment 7 Steven Michaud [:smichaud] (Retired) 2011-11-22 15:16:00 PST
Comment on attachment 576224

Landed on mozilla-aurora:
Comment 8 Steven Michaud [:smichaud] (Retired) 2011-11-22 15:23:05 PST
Comment on attachment 576224

Landed on mozilla-beta:
Comment 9 Ed Morley [:emorley] 2011-11-23 04:25:45 PST
Comment 10 Armen Zambrano [:armenzg] (EDT/UTC-4) 2011-11-24 07:37:24 PST
This could have caused a perf regression. Please have a look at dev.tree-management:
> Talos Regression :( Tp5 MozAfterPaint (Private Bytes) increase 2.73% on Linux Firefox-Non-PGO
> Talos Regression :( Tp5 MozAfterPaint (Private Bytes) increase 2.61% on Linux x64 Firefox-Non-PGO
Comment 11 Steven Michaud [:smichaud] (Retired) 2011-11-24 08:05:06 PST
(In reply to comment #10)

Nope, it couldn't have:  This patch is Mac-only.
Comment 12 Marcia Knous [:marcia - use ni] 2011-12-02 09:50:26 PST
This looks good on trunk - I see no crashes after 20111122042008 build.
Comment 13 Virgil Dicu [:virgil] [QA] 2011-12-05 06:30:36 PST

Verified based on crash reports. No crashes occurred since the fix landed on all channels (last crash build 2011112200)