Open Bug 722155 Opened 8 years ago Updated 4 years ago

crash nsBaseWidget::SetZIndex

Categories

(Core :: Widget: Win32, defect, P5, critical)

x86
Windows XP
defect

Tracking Status
firefox48 --- affected
firefox49 --- affected
firefox-esr45 --- affected

People

(Reporter: mats, Unassigned)

References

Details

(Keywords: crash, steps-wanted, Whiteboard: [startupcrash][tpi:+])

Crash Data

Attachments

(1 obsolete file)

bp-2603317e-722e-41ea-9978-8ef592120127

crash only occurs on Windows; all versions back to 3.5

nsBaseWidget::SetZIndex	
UpdateNativeWidgetZIndexes	view/src/nsView.cpp:650
nsView::InitializeWindow	view/src/nsView.cpp:847
nsView::CreateWidgetForPopup	view/src/nsView.cpp:828
nsMenuPopupFrame::CreateWidgetForView	layout/xul/base/src/nsMenuPopupFrame.cpp:333
nsMenuPopupFrame::Init	
nsCSSFrameConstructor::InitAndRestoreFrame	layout/base/nsCSSFrameConstructor.cpp:4524
nsCSSFrameConstructor::ConstructFrameFromItemInternal	layout/base/nsCSSFrameConstructor.cpp:3741
nsCSSFrameConstructor::ConstructFramesFromItem	layout/base/nsCSSFrameConstructor.cpp:5505
nsCSSFrameConstructor::ConstructFramesFromItemList	layout/base/nsCSSFrameConstructor.cpp:9528
nsCSSFrameConstructor::ContentRangeInserted	layout/base/nsCSSFrameConstructor.cpp:7194
nsCSSFrameConstructor::RecreateFramesForContent	layout/base/nsCSSFrameConstructor.cpp:9167
nsCSSFrameConstructor::MaybeRecreateFramesForElement	layout/base/nsCSSFrameConstructor.cpp:8929
mozilla::css::RestyleTracker::DoProcessRestyles	layout/base/RestyleTracker.cpp:242
PresShell::FlushPendingNotifications	layout/base/nsPresShell.cpp:4073
nsBoxObject::GetFrame	layout/xul/base/src/nsBoxObject.cpp:158
nsPopupBoxObject::GetPopupState	layout/xul/base/src/nsPopupBoxObject.cpp:241
NS_InvokeByIndex_P	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
XPCWrappedNative::GetAttribute	js/xpconnect/src/xpcprivate.h:2656
XPC_WN_GetterSetter	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1587
js::InvokeKernel	js/src/jsinterp.cpp:520
js::Invoke	js/src/jsinterp.cpp:570
js::InvokeGetterOrSetter	js/src/jsinterp.cpp:644
js::Shape::get	js/src/jsscopeinlines.h:287
js::GetPropertyHelper	js/src/jsobj.cpp:5384 
...
Assignee: nobody → netzen
Attached patch: Patch v1. (obsolete)
I think the problem is that mWidget isn't initialized to NULL in the constructor for nsView.

The following code causes the crash:

>  if (aView->HasWidget()) {
>    nsIWidget* widget = aView->GetWidget();
>    PRInt32 curZ;
>    widget->GetZIndex(&curZ);
>    if (curZ != aZIndex) {
>      widget->SetZIndex(aZIndex); // <-- crash happens here
>    }
>  }

The crash would sometimes happen when aView's mWidget value happens to be initialized to a non-NULL value.  SetZIndex does a lot more work than GetZIndex including using the 'this' pointer.
Attachment #593308 - Flags: review?(roc)
Comment on attachment 593308
Patch v1.

Review of attachment 593308:
-----------------------------------------------------------------

huh.
Attachment #593308 - Flags: review?(roc) → review+
Thanks for the super quick review :)
class nsView has NS_DECL_AND_IMPL_ZEROING_OPERATOR_NEW so I think those
null-assignments were intentionally omitted.  In fact, we should remove
the other ones too and leave a comment that such initializations are
redundant.  Anyway, the patch won't fix the crash.

Please leave the bug open when merging to mozilla-central (if that occurs).
I hate NS_DECL_AND_IMPL_ZEROING_OPERATOR_NEW for exactly this reason.
Sorry about that. I knew about operator new, but not the macro. So I didn't notice it :(
Also NS_DECL_AND_IMPL_ZEROING_OPERATOR_NEW is a bit dangerous in general, but not in this case since other classes could use it who don't get heap allocated hence not properly initialized.
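An added example, not part of the bug thread or Mozilla's code, illustrating the caveat raised in the comments above: a class-scope zeroing `operator new` only runs for objects created with plain `new`, while a constructor initializer covers every storage kind. `View`, `Widget`, `gZeroingNewCalls` and `ViewsWithoutWidget` are hypothetical names, and the hand-written `operator new` is an assumed stand-in for the macro, not its actual expansion.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <new>

// Instrumentation only: counts calls to the class-scope zeroing allocator.
static int gZeroingNewCalls = 0;

class Widget;  // hypothetical; only used as a pointer type

class View {
public:
  // Assumed stand-in for a zeroing operator-new macro: zero the storage
  // before the constructor runs. Only a plain `new View` reaches this.
  void* operator new(std::size_t aSize) {
    void* p = ::operator new(aSize);
    std::memset(p, 0, aSize);
    ++gZeroingNewCalls;
    return p;
  }
  void operator delete(void* aPtr) { ::operator delete(aPtr); }

  // Explicit initialization holds for heap, stack and placement storage.
  View() : mWidget(nullptr) {}
  bool HasWidget() const { return mWidget != nullptr; }

private:
  Widget* mWidget;
};

// Returns a bitmask of storage kinds whose View reports no widget:
// bit 0 = heap, bit 1 = stack, bit 2 = placement new over dirty bytes.
int ViewsWithoutWidget() {
  int mask = 0;
  View* heap = new View;  // goes through View::operator new
  if (!heap->HasWidget()) mask |= 1;
  delete heap;

  View onStack;  // no operator new involved at all
  if (!onStack.HasWidget()) mask |= 2;

  alignas(View) unsigned char buf[sizeof(View)];
  std::memset(buf, 0xAA, sizeof buf);  // constructed "dirty" storage
  View* placed = ::new (buf) View;     // global placement new, not the class one
  if (!placed->HasWidget()) mask |= 4;
  placed->~View();
  return mask;
}

int main() {
  int mask = ViewsWithoutWidget();
  std::printf("mask=%d zeroing-new calls=%d\n", mask, gZeroingNewCalls);
  return 0;
}
```

Three `View` objects are constructed but the zeroing allocator is entered once, so only the constructor initializer protects the stack and placement cases.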
This seems to fall into a class of crashes that I've seen where we crash shortly after creating a new widget and the only obvious cause is that the widget didn't get created properly even though we check error codes and return values for proper creation everywhere that is appropriate (that I've seen so far).
Assignee: netzen → nobody
Blocks: 837499
Attachment #593308 - Attachment is obsolete: true
QA: does crash-stats give any clues in comments, URLs or add-ons for reproducing this?
(including the signature in bug 837499)
URLs from https://crash-stats.mozilla.com/report/list?signature=nsBaseWidget%3A%3ASetZIndex%28int%29 are as follows:
443 	about:blank
87 	about:home
18 	https://www.facebook.com/
5 	http://www.facebook.com/
4 	https://es-es.facebook.com/
(there's more with a single hit only, but nothing special there either)

Correlations also don't bring up anything interesting, unfortunately.
Keywords: needURLs
Firefox 21.0 RC (buildID: 20130511120803)
Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0

Firefox 22.0 RC (buildID: 20130618035212)
Mozilla/5.0 (Windows NT 5.1; rv:22.0) Gecko/20100101 Firefox/22.0
Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0

Latest Nightly (buildID: 20130723030205)
Mozilla/5.0 (Windows NT 5.1; rv:25.0) Gecko/20130723 Firefox/25.0
Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20130723 Firefox/25.0

Firefox 18.0.1 (buildID: 20130116073211)
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0
Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0

Tested on the above builds using the links from comment 12 but I was unable to reproduce the crash. I tested with BrowsetoSave plugin, Gmail and whatever I could find in the comments from crash-reports. I noticed that there are 101 crashes on Windows XP, 60 crashes on Windows 7 and 22 crashes on Windows Vista with the same signature in the last 7 days. Is there something else I can help with here?
97% of current crashes are startup.

bp-e4c47600-44e6-4b90-a4e4-41b612140825 version 32 example
 0 	xul.dll	nsBaseWidget::SetZIndex(int)	widget/xpwidgets/nsBaseWidget.cpp
1 	xul.dll	UpdateNativeWidgetZIndexes	view/src/nsView.cpp
2 	xul.dll	nsView::InitializeWindow(bool, bool)	view/src/nsView.cpp
3 	xul.dll	nsView::CreateWidgetForPopup(nsWidgetInitData*, nsIWidget*, bool, bool)	view/src/nsView.cpp
4 	xul.dll	nsMenuPopupFrame::CreateWidgetForView(nsView*)	layout/xul/nsMenuPopupFrame.cpp
Whiteboard: [startupcrash]
Duplicate of this bug: 837499
Crash Signature: [@ nsBaseWidget::SetZIndex(int)] → [@ nsBaseWidget::SetZIndex(int)] [@ nsBaseWidget::SetZIndex]
Priority: -- → P5
Whiteboard: [startupcrash] → [startupcrash][tpi:+]
Crash volume for signature 'nsBaseWidget::SetZIndex':
 - nightly (version 51): 0 crashes from 2016-08-01.
 - aurora  (version 50): 0 crashes from 2016-08-01.
 - beta    (version 49): 36 crashes from 2016-08-02.
 - release (version 48): 48 crashes from 2016-07-25.
 - esr     (version 45): 5 crashes from 2016-05-02.

Crash volume on the last weeks (Week N is from 08-22 to 08-28):
            W. N-1  W. N-2  W. N-3
 - nightly       0       0       0
 - aurora        0       0       0
 - beta         10      13       5
 - release      16      17       4
 - esr           1       0       1

Affected platform: Windows

Crash rank on the last 7 days:
           Browser     Content   Plugin
 - nightly
 - aurora
 - beta    #1282
 - release #1117
 - esr