Closed Bug 704456 Opened 8 years ago Closed 8 years ago

[10.7] Crash in __-[ChildView maybeTrackScrollEventAsSwipe:scrollOverflow:]_block_invoke_1

Categories: Core :: Widget: Cocoa, defect, critical
Version: 9 Branch
Platform: x86_64, macOS
Priority: Not set
Status: VERIFIED FIXED
Target Milestone: mozilla11
Tracking Status: firefox9 + fixed, firefox10 --- fixed
Reporter: scoobidiver
Assigned: smichaud
References: Blocks 1 open bug
Keywords: crash, verified-aurora, verified-beta
Whiteboard: [inbound][qa!]
Attachments: 1 file

It's #3 top crasher on Mac OS X in 9.0b2, #13 in 10.0a2, and #14 in 11.0a1.
It happens only with Mac OS X 10.7.

Signature	__-[ChildView maybeTrackScrollEventAsSwipe:scrollOverflow:]_block_invoke_1
UUID	947c6e73-0e48-42e3-9391-cfe3a2111121
Date Processed	2011-11-21 17:10:09.155660
Uptime	1453
Last Crash	more than 3 months before submission
Install Age	3.3 days since version was first installed.
Install Time	2011-11-18 18:43:36
Product	Firefox
Version	9.0
Build ID	20111116091359
Release Channel	beta
OS	Mac OS X
OS Version	10.7.2 11C74
Build Architecture	amd64
Build Architecture Info	family 6 model 23 stepping 10
Crash Reason	EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash Address	0x0
App Notes 	Renderers: 0x22600,0x20400GL Context? GL Context+
GL Layers? GL Layers+
EMCheckCompatibility	True

Frame 	Module 	Signature 	Source
0 	XUL 	__-[ChildView maybeTrackScrollEventAsSwipe:scrollOverflow:]_block_invoke_1 	widget/src/cocoa/nsChildView.mm:3116
1 	AppKit 	AppKit@0x3f7ef5 	
2 	libsystem_c.dylib 	libsystem_c.dylib@0xa115c 	
3 	libobjc.A.dylib 	objc::DenseMap<objc_object*, unsigned long, true, objc::DenseMapInfo<objc_object*>, objc::DenseMapInfo<unsigned long> >::FindAndConstruct 	
4 	libobjc.A.dylib 	_objc_rootRetain 	
5 	CoreFoundation 	CoreFoundation@0x31008 	
6 	CoreFoundation 	CoreFoundation@0x4b44e 	
7 	libsystem_c.dylib 	libsystem_c.dylib@0x4d46f 	
8 	libsystem_c.dylib 	libsystem_c.dylib@0x4d6aa 	
9 	AppKit 	AppKit@0x98b75f 	
10 	Foundation 	Foundation@0xa58a 	
11 	Foundation 	Foundation@0xa2c6 	
12 	CoreFoundation 	CoreFoundation@0x312e4 	
13 	AppKit 	AppKit@0x6fe37 	
14 	AppKit 	AppKit@0x6d6af 	
15 	AppKit 	AppKit@0x6e0f6 	
16 	AppKit 	AppKit@0x3f5156 	
17 	libobjc.A.dylib 	objc::DenseMap<objc_object*, unsigned long, true, objc::DenseMapInfo<objc_object*>, objc::DenseMapInfo<unsigned long> >::FindAndConstruct 	
18 	libobjc.A.dylib 	_objc_rootRetain 	
19 	CoreFoundation 	CoreFoundation@0x31008 	
20 	AppKit 	AppKit@0x6dd1b 	
21 	AppKit 	AppKit@0x9064

More reports at:
https://crash-stats.mozilla.com/report/list?signature=__-[ChildView%20maybeTrackScrollEventAsSwipe%3AscrollOverflow%3A]_block_invoke_1
We seem to be dereferencing a null pointer in mGeckoChild.  I need to add a null check.  I'll post a patch shortly.

Thanks for noticing this.  It needs to be fixed before it gets into a release.
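
A minimal C++ model of the failure described in the comment above, added here as an illustration and not taken from the attached patch or from Mozilla's source: a handler that the event loop invokes later has to re-check the widget back-pointer on every call. `View`, `GeckoChild`, `EventLoop`, `widgetDestroyed` and `runScenario` are hypothetical names, and the model assumes the pointer is cleared when the widget goes away while the view stays alive.

```cpp
#include <functional>
#include <utility>
#include <vector>

// Hypothetical stand-in for the Gecko-side widget behind a Cocoa view.
struct GeckoChild {
    int dispatched = 0;
    void DispatchSwipe(double) { ++dispatched; }
};

// Hypothetical stand-in for ChildView. Assumption: the back-pointer (modelling
// mGeckoChild) is cleared at widget teardown while the view itself stays alive.
struct View {
    GeckoChild* geckoChild = nullptr;
    int skipped = 0;
    void widgetDestroyed() { geckoChild = nullptr; }
    // Returns the handler the event loop calls for each later swipe phase.
    std::function<void(double)> trackSwipe() {
        return [this](double amount) {
            // Check when invoked: the value at creation time proves nothing.
            if (!geckoChild) { ++skipped; return; }
            geckoChild->DispatchSwipe(amount);
        };
    }
};

// Toy event loop: callbacks run only when drained, like a deferred block.
struct EventLoop {
    std::vector<std::function<void()>> queue;
    void post(std::function<void()> f) { queue.push_back(std::move(f)); }
    void drain() { for (auto& f : queue) f(); queue.clear(); }
};

struct Result { int dispatched; int skipped; };
// Constructed scenario: one phase arrives normally, two arrive after teardown.
Result runScenario() {
    GeckoChild widget;
    View view; view.geckoChild = &widget;
    EventLoop loop;
    auto handler = view.trackSwipe();
    loop.post([=] { handler(0.2); });
    loop.drain();                      // delivered: widget still attached
    loop.post([=] { handler(0.6); });
    view.widgetDestroyed();            // teardown while a callback is queued
    loop.post([=] { handler(1.0); });
    loop.drain();                      // both skipped by the null check
    return {widget.dispatched, view.skipped};
}

int main() { Result r = runScenario(); return (r.dispatched == 1 && r.skipped == 2) ? 0 : 1; }
```
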
On the branches that have this bug (9 and up), this is currently the #11 Mac topcrasher.
Assignee: nobody → smichaud
Attached patch: Fix
Here's a fix for these crashes.

I've already encountered them (and fixed them) at bug 698761, where my
work on Chrome-style swipe animation made them easier to reproduce.
See bug 698761 comment #22 and bug 698761 comment #23.
Attachment #576224 - Flags: review?(mstange)
Attachment #576224 - Flags: review?(mstange) → review+
Landed on mozilla-inbound:
http://hg.mozilla.org/integration/mozilla-inbound/rev/2edff46b93f6
Whiteboard: [inbound]
Comment on attachment 576224
Fix

This is a trivial fix for what could become a topcrasher, if it gets into a release.
Attachment #576224 - Flags: approval-mozilla-beta?
Attachment #576224 - Flags: approval-mozilla-aurora?
Comment on attachment 576224
Fix

Get it landed soon please, thanks!
Attachment #576224 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #576224 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
https://hg.mozilla.org/mozilla-central/rev/2edff46b93f6
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla11
This could have caused a perf regression. Please have a look at dev.tree-management:
> Talos Regression :( Tp5 MozAfterPaint (Private Bytes) increase 2.73% on Linux Firefox-Non-PGO
> Talos Regression :( Tp5 MozAfterPaint (Private Bytes) increase 2.61% on Linux x64 Firefox-Non-PGO
(In reply to comment #10)

Nope, it couldn't have:  This patch is Mac-only.
Whiteboard: [inbound] → [inbound][qa+]
This looks good on trunk - I see no crashes after 20111122042008 build.
http://bit.ly/tCoxdN

Verified based on crash reports. No crashes occurred since the fix landed on all channels (last crash build 2011112200)
Status: RESOLVED → VERIFIED
Whiteboard: [inbound][qa+] → [inbound][qa!]