[10.7] Crash in __-[ChildView maybeTrackScrollEventAsSwipe:scrollOverflow:]_block_invoke_1

VERIFIED FIXED in Firefox 9

Status


Core
Widget: Cocoa
--
critical
VERIFIED FIXED
6 years ago
6 years ago

People

(Reporter: Scoobidiver (away), Assigned: smichaud)

Tracking

(Blocks: 1 bug, {crash, verified-aurora, verified-beta})

9 Branch
mozilla11
x86_64
Mac OS X
crash, verified-aurora, verified-beta
Points:
---

Firefox Tracking Flags

(firefox9+ fixed, firefox10 fixed)

Details

(Whiteboard: [inbound][qa!], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
It's the #3 top crasher on Mac OS X in 9.0b2, #13 in 10.0a2, and #14 in 11.0a1.
It happens only with Mac OS X 10.7.

Signature	__-[ChildView maybeTrackScrollEventAsSwipe:scrollOverflow:]_block_invoke_1
UUID	947c6e73-0e48-42e3-9391-cfe3a2111121
Date Processed	2011-11-21 17:10:09.155660
Uptime	1453
Last Crash	more than 3 months before submission
Install Age	3.3 days since version was first installed.
Install Time	2011-11-18 18:43:36
Product	Firefox
Version	9.0
Build ID	20111116091359
Release Channel	beta
OS	Mac OS X
OS Version	10.7.2 11C74
Build Architecture	amd64
Build Architecture Info	family 6 model 23 stepping 10
Crash Reason	EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash Address	0x0
App Notes 	Renderers: 0x22600,0x20400
GL Context? GL Context+
GL Layers? GL Layers+
EMCheckCompatibility	True

Frame 	Module 	Signature 	Source
0 	XUL 	__-[ChildView maybeTrackScrollEventAsSwipe:scrollOverflow:]_block_invoke_1 	widget/src/cocoa/nsChildView.mm:3116
1 	AppKit 	AppKit@0x3f7ef5 	
2 	libsystem_c.dylib 	libsystem_c.dylib@0xa115c 	
3 	libobjc.A.dylib 	objc::DenseMap<objc_object*, unsigned long, true, objc::DenseMapInfo<objc_object*>, objc::DenseMapInfo<unsigned long> >::FindAndConstruct 	
4 	libobjc.A.dylib 	_objc_rootRetain 	
5 	CoreFoundation 	CoreFoundation@0x31008 	
6 	CoreFoundation 	CoreFoundation@0x4b44e 	
7 	libsystem_c.dylib 	libsystem_c.dylib@0x4d46f 	
8 	libsystem_c.dylib 	libsystem_c.dylib@0x4d6aa 	
9 	AppKit 	AppKit@0x98b75f 	
10 	Foundation 	Foundation@0xa58a 	
11 	Foundation 	Foundation@0xa2c6 	
12 	CoreFoundation 	CoreFoundation@0x312e4 	
13 	AppKit 	AppKit@0x6fe37 	
14 	AppKit 	AppKit@0x6d6af 	
15 	AppKit 	AppKit@0x6e0f6 	
16 	AppKit 	AppKit@0x3f5156 	
17 	libobjc.A.dylib 	objc::DenseMap<objc_object*, unsigned long, true, objc::DenseMapInfo<objc_object*>, objc::DenseMapInfo<unsigned long> >::FindAndConstruct 	
18 	libobjc.A.dylib 	_objc_rootRetain 	
19 	CoreFoundation 	CoreFoundation@0x31008 	
20 	AppKit 	AppKit@0x6dd1b 	
21 	AppKit 	AppKit@0x9064

More reports at:
https://crash-stats.mozilla.com/report/list?signature=__-[ChildView%20maybeTrackScrollEventAsSwipe%3AscrollOverflow%3A]_block_invoke_1
(Assignee)

Comment 1

6 years ago
We seem to be dereferencing a null pointer in mGeckoChild.  I need to add a null check.  I'll post a patch shortly.

Thanks for noticing this.  It needs to be fixed before it gets into a release.
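
The failure mode diagnosed in comment 1, modelled as an added C++ example (it is not the attached patch and not Mozilla code): a handler invoked later finds that the widget pointer it relies on has been cleared, and a null check turns the crash into a dropped event. `Widget`, `View`, `geckoChild`, `TrackSwipe` and `WidgetDestroyed` are hypothetical stand-ins, and the premise that the handler keeps the view itself alive is an assumption of this model.

```cpp
// Added illustration, not Mozilla code: every name here is a hypothetical stand-in.
#include <functional>
#include <memory>
#include <utility>

struct Widget {                      // models the Gecko-side child widget
    int dispatched = 0;
    void DispatchSwipe(double) { ++dispatched; }
};

struct View {                        // models the Cocoa view
    Widget* geckoChild = nullptr;    // non-owning, cleared when the widget dies
    int dropped = 0;                 // late callbacks that were safely ignored
    void WidgetDestroyed() { geckoChild = nullptr; }
};

using SwipeHandler = std::function<void(double)>;

// Returns the handler that the gesture-tracking machinery calls later.
// Assumption of this model: the handler keeps the view alive (shared_ptr
// capture), so only the widget pointer can be gone when it runs.
SwipeHandler TrackSwipe(std::shared_ptr<View> view) {
    return [view](double amount) {
        // The guard: without it, a callback that arrives after
        // WidgetDestroyed() dereferences null (crash address 0x0).
        if (!view->geckoChild) { ++view->dropped; return; }
        view->geckoChild->DispatchSwipe(amount);
    };
}

// Two updates arrive, the widget is destroyed mid-gesture, two more arrive.
// Returns {updates dispatched, updates dropped by the guard}.
std::pair<int, int> RunScenario() {
    auto widget = std::make_unique<Widget>();
    auto view = std::make_shared<View>();
    view->geckoChild = widget.get();
    SwipeHandler handler = TrackSwipe(view);
    handler(0.1); handler(0.4);
    int dispatched = widget->dispatched;
    view->WidgetDestroyed();
    widget.reset();
    handler(0.7); handler(1.0);
    return {dispatched, view->dropped};
}

int main() {
    auto result = RunScenario();
    return (result.first == 2 && result.second == 2) ? 0 : 1;
}
```
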
(Assignee)

Comment 2

6 years ago
On the branches that have this bug (9 and up), this is currently the #11 Mac topcrasher.
(Assignee)

Updated

6 years ago
Assignee: nobody → smichaud
tracking-firefox9: --- → ?
(Assignee)

Comment 3

6 years ago
Created attachment 576224
Fix

Here's a fix for these crashes.

I've already encountered them (and fixed them) at bug 698761, where my
work on Chrome-style swipe animation made them easier to reproduce.
See bug 698761 comment #22 and bug 698761 comment #23.
Attachment #576224 - Flags: review?(mstange)
Attachment #576224 - Flags: review?(mstange) → review+
(Assignee)

Comment 4

6 years ago
Landed on mozilla-inbound:
http://hg.mozilla.org/integration/mozilla-inbound/rev/2edff46b93f6
Whiteboard: [inbound]
(Assignee)

Comment 5

6 years ago
Comment on attachment 576224
Fix

This is a trivial fix for what could become a topcrasher, if it gets into a release.
Attachment #576224 - Flags: approval-mozilla-beta?
Attachment #576224 - Flags: approval-mozilla-aurora?
Comment on attachment 576224
Fix

Get it landed soon please, thanks!
Attachment #576224 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #576224 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(Assignee)

Comment 7

6 years ago
Comment on attachment 576224
Fix

Landed on mozilla-aurora:
http://hg.mozilla.org/releases/mozilla-aurora/rev/c9328943fc9e
(Assignee)

Updated

6 years ago
status-firefox10: --- → fixed
(Assignee)

Comment 8

6 years ago
Comment on attachment 576224
Fix

Landed on mozilla-beta:
http://hg.mozilla.org/releases/mozilla-beta/rev/c5ecaaed936d
(Assignee)

Updated

6 years ago
status-firefox9: --- → fixed
https://hg.mozilla.org/mozilla-central/rev/2edff46b93f6
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla11
This could have caused a perf regression. Please have a look at dev.tree-management:
> Talos Regression :( Tp5 MozAfterPaint (Private Bytes) increase 2.73% on Linux Firefox-Non-PGO
> Talos Regression :( Tp5 MozAfterPaint (Private Bytes) increase 2.61% on Linux x64 Firefox-Non-PGO
(In reply to comment #10)

Nope, it couldn't have:  This patch is Mac-only.
Whiteboard: [inbound] → [inbound][qa+]
This looks good on trunk - I see no crashes after 20111122042008 build.
http://bit.ly/tCoxdN

Verified based on crash reports. No crashes occurred since the fix landed on all channels (last crash build 2011112200)
Status: RESOLVED → VERIFIED
Keywords: verified-aurora, verified-beta
Whiteboard: [inbound][qa+] → [inbound][qa!]

Updated

6 years ago
tracking-firefox9: ? → +