Open Bug 713025 Opened 12 years ago Updated 1 year ago

Firefox Crash [@ nsCycleCollector::CollectWhite(nsICycleCollectorListener*) ]

Categories

(Core :: Cycle Collector, defect)

x86
Windows 7
defect

Tracking

()

Tracking Status
firefox47 --- affected
firefox48 --- wontfix
firefox49 --- fix-optional
firefox-esr45 --- affected
firefox50 --- fix-optional
firefox51 --- fix-optional

People

(Reporter: marcia, Unassigned)

References

Details

(Keywords: crash, regression)

Crash Data

Seen while looking at crash stats data. https://crash-stats.mozilla.com/report/list?signature=nsCycleCollector::CollectWhite%28nsICycleCollectorListener*%29 - happens in 9, 10 and 11 but not in huge volume. The first crashes appears in crash status using 2011110900 build which was Firefox 9 beta 1.

Bug 705941 is one file for a similar signature. A "contains" search shows there are other similar signatures that are across other platforms: http://tinyurl.com/cedjkce

https://crash-stats.mozilla.com/report/index/6464da67-7c62-44e3-a63a-b69402111220

Frame 	Module 	Signature [Expand] 	Source
0 	xul.dll 	nsCycleCollector::CollectWhite 	xpcom/base/nsCycleCollector.cpp:2084
1 	xul.dll 	nsCycleCollector::FinishCollection 	xpcom/base/nsCycleCollector.cpp:2938
2 	xul.dll 	nsCycleCollectorRunner::Collect 	xpcom/base/nsCycleCollector.cpp:3635
3 	nspr4.dll 	PR_GetThreadPrivate 	nsprpub/pr/src/threads/prtpd.c:232
4 	xul.dll 	nsRegion::SubRect 	gfx/src/nsRegion.cpp:1277
5 	xul.dll 	xul.dll@0xf971f 	
6 	xul.dll 	nsDisplayWrapList::GetBounds 	layout/base/nsDisplayList.cpp:1601
7 	xul.dll 	xul.dll@0xec37f 	
8 	nspr4.dll 	PR_GetThreadPrivate 	nsprpub/pr/src/threads/prtpd.c:232
9 	xul.dll 	nsRegion::Or 	gfx/src/nsRegion.cpp:870
10 	xul.dll 	nsLayoutUtils::RoundedRectIntersectRect 	layout/base/nsLayoutUtils.cpp:1081
11 	nspr4.dll 	PR_GetThreadPrivate 	nsprpub/pr/src/threads/prtpd.c:232
12 	xul.dll 	xul.dll@0xf971f 	
13 	xul.dll 	xul.dll@0x2422c3 	
14 	xul.dll 	nsDisplayClip::GetBounds 	layout/base/nsDisplayList.cpp:2107
15 	xul.dll 	xul.dll@0xec37f 	
16 	xul.dll 	xul.dll@0xc675f 	
17 	nspr4.dll 	PR_GetThreadPrivate 	nsprpub/pr/src/threads/prtpd.c:232
18 	xul.dll 	nsIFrame::ComputeBorderRadii 	layout/generic/nsFrame.cpp:926
19 	xul.dll 	nsRegion::Optimize 	gfx/src/nsRegion.cpp:507
20 	nspr4.dll 	PR_GetThreadPrivate 	nsprpub/pr/src/threads/prtpd.c:232
21 	nspr4.dll 	PR_GetThreadPrivate 	nsprpub/pr/src/threads/prtpd.c:232
22 	xul.dll 	nsDisplayBackground::GetInsideClipRegion 	layout/base/nsDisplayList.cpp:1165
23 	xul.dll 	mozilla::imagelib::RasterImage::WantDecodedFrames 	image/src/RasterImage.cpp:2409
24 	xul.dll 	PL_DHashTableOperate 	obj-firefox/xpcom/build/pldhash.cpp:625
25 	xul.dll 	mozilla::imagelib::RasterImage::GetImgFrame 	image/src/RasterImage.cpp:639
26 	xul.dll 	mozilla::imagelib::RasterImage::GetCurrentFrameIsOpaque 	image/src/RasterImage.cpp:707
27 	nspr4.dll 	PR_GetThreadPrivate 	nsprpub/pr/src/threads/prtpd.c:232
28 	xul.dll 	nsDisplayBackground::GetOpaqueRegion 	layout/base/nsDisplayList.cpp:1210
29 	xul.dll 	nsDisplayBackground::GetOpaqueRegion 	layout/base/nsDisplayList.cpp:1218
30 	xul.dll 	PL_DHashTableOperate 	obj-firefox/xpcom/build/pldhash.cpp:625
31 	xul.dll 	nsIFrame::GetUsedBorder 	layout/generic/nsFrame.cpp:789
32 	xul.dll 	xul.dll@0xc675f 	
33 	xul.dll 	nsIFrame::GetPaddingRectRelativeToSelf 	layout/generic/nsFrame.cpp:859
34 	xul.dll 	nsIFrame::GetPaddingRect 	layout/generic/nsFrame.cpp:866
35 	nspr4.dll 	PR_GetThreadPrivate 	nsprpub/pr/src/threads/prtpd.c:232
36 	xul.dll 	nsRegion::SetToElements 	gfx/src/nsRegion.cpp:330
37 	nspr4.dll 	PR_GetThreadPrivate 	nsprpub/pr/src/threads/prtpd.c:232
38 	xul.dll 	nsDisplayList::ComputeVisibilityForSublist 	layout/base/nsDisplayList.cpp:534
Made it a little further in https://tbpl.mozilla.org/php/getParsedLog.php?id=8457592&tree=Services-Central, through nsGenericElement::cycleCollection::Unlink before crashing in nsAttrAndChildArray::TakeChildAt
Note, the code now using TakechildAt was using ChildAt() + RemoveChild() earlier.
Blocks: 881402
This crash is still reproducing on the current versions, but I don't see any steps/guidelines for reproducing it. Without this, QA won't be able to track down the regression window.

Please re-add the keyword if you can give any details on reproducing this issue.
Keywords: qawanted
Crash Signature: [@ nsCycleCollector::CollectWhite(nsICycleCollectorListener*) ] → [@ nsCycleCollector::CollectWhite(nsICycleCollectorListener*) ] [@ nsCycleCollector::CollectWhite ]
Crashes with the [@ nsCycleCollector::CollectWhite(nsICycleCollectorListener*)] signature appear to be long gone, but [@ nsCycleCollector::CollectWhite] appears to still be around on Android with low frequency.
Crash volume for signature 'nsCycleCollector::CollectWhite':
 - nightly(version 50):2 crashes from 2016-06-06.
 - aurora (version 49):3 crashes from 2016-06-07.
 - beta   (version 48):201 crashes from 2016-06-06.
 - release(version 47):308 crashes from 2016-05-31.
 - esr    (version 45):14 crashes from 2016-04-07.

Crash volume on the last weeks:
            W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
 - nightly       0       0       0       0       1       0       1
 - aurora        0       1       0       0       0       1       1
 - beta         19      33      42      18      33      25      22
 - release      49      30      51      43      43      42      35
 - esr           2       2       0       4       0       2       1

Affected platforms: Windows, Mac OS X, Linux
QA Whiteboard: qa-not-actionable
Severity: critical → S2
Component: XPCOM → Cycle Collector

Since the crash volume is low (less than 15 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.

For more information, please visit auto_nag documentation.

Severity: S2 → S3
You need to log in before you can comment on or make changes to this bug.