Bug 723190 - Crash @ nsGfxScrollFrameInner::ScrollToImpl
Status: RESOLVED FIXED
Keywords: crash, regression, reproducible, topcrash
Product: Core
Classification: Components
Component: Layout
Version: 13 Branch
Platform: All All
Importance: -- critical
Target Milestone: mozilla13
Assigned To: Josh Aas
Blocks: 90268
Reported: 2012-02-01 10:38 PST by Scoobidiver (away)
Modified: 2012-05-10 11:33 PDT


Attachments
fix v1.0 (limit to Mac Carbon) (2.83 KB, patch)
2012-02-17 14:12 PST, Josh Aas
smichaud: review+
real fix for Mac Carbon plugins, v1.0 (4.66 KB, patch)
2012-02-18 12:07 PST, Josh Aas
smichaud: review+

Description Scoobidiver (away) 2012-02-01 10:38:39 PST
It's a residual crash but there is a spike starting in 13.0a1/20120201.
The regression window is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3f26b7bee352&tochange=e18c7bc2c28e

Signature 	nsGfxScrollFrameInner::ScrollToImpl(nsPoint)
UUID	de6a23df-7093-4b76-9a8b-6dfd72120201
Date Processed	2012-02-01 15:37:55
Uptime	158
Last Crash	2.8 minutes before submission
Install Age	46.4 minutes since version was first installed.
Install Time	2012-02-01 14:50:30
Product	Firefox
Version	13.0a1
Build ID	20120201031146
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 15 stepping 13
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x6e0061
App Notes 	
AdapterVendorID: 0x8086, AdapterDeviceID: 0x2a02, AdapterSubsysID: 022f1028, AdapterDriverVersion: 8.15.10.1930
D3D10 Layers? D3D10 Layers-
D3D9 Layers? D3D9 Layers+
Processor Notes 	INFO: This record is a replacement for a previous record with the same uuid
EMCheckCompatibility	False

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsGfxScrollFrameInner::ScrollToImpl 	
1 	xul.dll 	nsGfxScrollFrameInner::AsyncScrollCallback 	layout/generic/nsGfxScrollFrame.cpp:1527
2 	xul.dll 	nsGfxScrollFrameInner::AsyncScrollCallback 	layout/generic/nsGfxScrollFrame.cpp:1537
3 	xul.dll 	nsDOMWindowUtils::ComputeAnimationDistance 	dom/base/nsDOMWindowUtils.cpp:1822
4 	xul.dll 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:428
5 	xul.dll 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:524
6 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:657
7 	nspr4.dll 	PR_Unlock 	nsprpub/pr/src/threads/combined/prulock.c:347
8 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:201
9 	xul.dll 	_SEH_epilog4 	
10 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:175
11 	xul.dll 	mozilla::storage::AsyncStatement::QueryInterface 	storage/src/mozStorageAsyncStatement.cpp:311
12 	xul.dll 	nsBaseAppShell::Run 	widget/xpwidgets/nsBaseAppShell.cpp:189
13 		@0x8ac73f 	

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsGfxScrollFrameInner%3A%3AScrollToImpl%28nsPoint%29
Comment 1 Scoobidiver (away) 2012-02-01 13:58:46 PST
It's #1 top crasher in 13.0a1 with 6 crashes an hour.

It might be a regression from bug 90268.
Comment 2 Marcia Knous [:marcia - use ni] 2012-02-03 06:51:28 PST
Some comments from the reports:

*wow a mouse scroll crashed...
*Every Lifehacker page I go to crashes when I scroll or click on the page
*Google images > switch to result page
Comment 3 Kyle Huey [:khuey] (khuey@mozilla.com) 2012-02-04 06:13:47 PST
This is 100% reproducible for me on http://hg.mozilla.org/mozilla-central/rev/e777c939a3f9.

STR:

1. Load lifehacker.com
2. Once the page has fully loaded, attempt to scroll.
3. Crash

https://crash-stats.mozilla.com/report/index/bp-6755afc1-3f93-41e7-863f-35c072120204
https://crash-stats.mozilla.com/report/index/bp-ecd5e7cb-9df9-4e54-9a46-48bb52120204
Comment 4 Scoobidiver (away) 2012-02-04 06:43:05 PST
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #3)
> This is 100% reproducible for me
I can't reproduce with a fresh profile or with Adblock Plus installed.
Comment 5 Kyle Huey [:khuey] (khuey@mozilla.com) 2012-02-08 08:30:53 PST
I'm fairly confident this is caused by Bug 90268.
Comment 6 Benjamin Smedberg AWAY UNTIL 2-AUG-2016 [:bsmedberg] 2012-02-08 15:52:09 PST
Yes, this is absolutely a dead nsPluginInstanceOwner being called through nsIScrollPositionListener.

Is this flashblock/adblock-only, or does this happen in stock Firefox?
Comment 7 Kyle Huey [:khuey] (khuey@mozilla.com) 2012-02-08 15:56:54 PST
I haven't tried to reproduce without Adblock.
Comment 8 Scoobidiver (away) 2012-02-09 00:59:59 PST
(In reply to Benjamin Smedberg  [:bsmedberg] from comment #6)
> Is this flashblock/adblock-only, or does this happen in stock Firefox?
+ Greasemonkey + NoScript:
There are crash reports without extension:
bp-ede4c075-4417-4c8a-83a1-1ae1e2120209
bp-1edce8a9-8557-423f-85b4-659df2120208
Comment 9 brassen 2012-02-09 02:57:40 PST
This happens 100% of time in jalopnik.com and gizmodo.com
With NoScript enabled this crash does not happen.
My about:support info http://pastebin.com/gYAHwYW9
Comment 10 Jim Jeffery not reading bug-mail 1/2/11 2012-02-09 13:51:10 PST
I don't use Greasemonkey, NoScript or AdBlock - on FlashBlock and I've yet to get this crash on the listed sites in comment #9 and #3
Comment 11 Sheila Mooney 2012-02-10 10:43:40 PST
Is this something we can fix? Can we assign it to someone?
Comment 12 Matthias Versen [:Matti] 2012-02-15 00:21:25 PST
I had the same crash after opening http://lifehacker.com/5884941/browser-speed-tests-chrome-17-firefox-10-internet-explorer-9-and-opera-1161

Mozilla/5.0 (Windows NT 6.1; rv:13.0a1) Gecko/20120214 Firefox/13.0a1 SeaMonkey/2.10a1, Flash 11.1 r102 and Adblock+ (easylist filterlist)
Comment 13 Josh Aas 2012-02-15 14:44:05 PST
If Steven is right in this comment on another bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=724717#c2

That explanation could be the cause of this.
Comment 14 Josh Aas 2012-02-17 14:12:17 PST
Created attachment 598371 [details] [diff] [review]
fix v1.0 (limit to Mac Carbon)

The code that is crashing is only used for Carbon plugins on Mac OS X, which are quite rare. Firefox will only run them by default on Mac OS X 10.5. This patch skips scroll listener registration except for 32-bit Mac OS X builds and Carbon plugins. This crash possibility will actually remain there; we can open a new bug on that though.
Comment 15 Josh Aas 2012-02-17 14:15:03 PST
Try server run:

https://tbpl.mozilla.org/?tree=Try&rev=880edc058f7b
Comment 16 Steven Michaud [:smichaud] (Retired) 2012-02-17 14:17:44 PST
Comment on attachment 598371 [details] [diff] [review]
fix v1.0 (limit to Mac Carbon)

This looks fine to me, at least as a stopgap.

I'll take your word for it that this stuff isn't needed at all on other platforms than OS X.
Comment 17 Kyle Huey [:khuey] (khuey@mozilla.com) 2012-02-17 14:18:56 PST
I've definitely seen this crash on Windows.
Comment 18 Josh Aas 2012-02-17 14:21:02 PST
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #17)
> I've definitely seen this crash on Windows.

I meant that the code is only necessary for Mac OS X Carbon plugins, even though we're running it on all platforms for all plugins. My patch will fix this crash for the vast majority of users by stopping the code from running on Windows entirely, and limiting it to Carbon plugins in 32-bit Firefox on Mac OS X 10.5.
Comment 19 Kyle Huey [:khuey] (khuey@mozilla.com) 2012-02-17 14:22:14 PST
Ah, ok.  Carry on :-)
Comment 20 Josh Aas 2012-02-17 20:33:58 PST
pushed to mozilla-inbound

http://hg.mozilla.org/integration/mozilla-inbound/rev/19d7edbf60bc
Comment 21 Ed Morley [:emorley] 2012-02-18 09:56:30 PST
https://hg.mozilla.org/mozilla-central/rev/19d7edbf60bc
Comment 22 Josh Aas 2012-02-18 12:07:21 PST
Created attachment 598565 [details] [diff] [review]
real fix for Mac Carbon plugins, v1.0

I can't reproduce this crash but this is my best guess as to the problem. We should unregister as a scroll listener when the object frame changes or goes away instead of just when it goes away.
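
Added illustration, not part of the bug thread or of the attached patch: a simplified C++ model of the hypothesis in comments 6 and 22, where a listener stays registered with a scroll frame it no longer belongs to. `ScrollFrame`, `PluginOwner` and `StaleListenersAfterFrameChange` are hypothetical stand-ins, not Gecko's classes.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Hypothetical stand-in for a scroll position listener interface.
struct ScrollListener {
    virtual ~ScrollListener() = default;
    virtual void ScrollPositionDidChange() = 0;
};

class ScrollFrame {
    std::vector<ScrollListener*> listeners_;  // non-owning raw pointers
public:
    void AddListener(ScrollListener* l) { listeners_.push_back(l); }
    void RemoveListener(ScrollListener* l) {
        listeners_.erase(std::remove(listeners_.begin(), listeners_.end(), l),
                         listeners_.end());
    }
    std::size_t ListenerCount() const { return listeners_.size(); }
    // A scroll calls through every stored pointer, live or not.
    void ScrollTo() { for (auto* l : listeners_) l->ScrollPositionDidChange(); }
};

class PluginOwner : public ScrollListener {
    ScrollFrame* frame_ = nullptr;
    bool fixed_;  // true: also unregister when the frame changes
public:
    int notifications = 0;
    explicit PluginOwner(bool fixed) : fixed_(fixed) {}
    ~PluginOwner() override { if (frame_) frame_->RemoveListener(this); }
    void SetFrame(ScrollFrame* f) {
        // Fixed behaviour: drop the registration on the old frame first.
        if (fixed_ && frame_) frame_->RemoveListener(this);
        frame_ = f;
        if (frame_) frame_->AddListener(this);
    }
    void ScrollPositionDidChange() override { ++notifications; }
};

// Counts listener entries left on the first frame once the owner is gone.
std::size_t StaleListenersAfterFrameChange(bool fixed) {
    ScrollFrame first, second;
    {
        PluginOwner owner(fixed);
        owner.SetFrame(&first);
        owner.SetFrame(&second);  // the object frame changes
    }                             // owner destroyed: leaves `second` only
    return first.ListenerCount(); // any entry left here is dangling
}
```

With `fixed == false` the first frame still holds one pointer to the destroyed owner, so the next `ScrollTo()` on that frame would call through freed memory; with `fixed == true` the count is zero.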
Comment 23 Josh Aas 2012-02-18 12:09:28 PST
(In reply to Josh Aas (Mozilla Corporation) from comment #22)
> Created attachment 598565 [details] [diff] [review]
> real fix for Mac Carbon plugins, v1.0

Try server run:

https://tbpl.mozilla.org/?tree=Try&rev=bc6f5aad71dc
Comment 24 Steven Michaud [:smichaud] (Retired) 2012-02-21 10:49:46 PST
Comment on attachment 598565 [details] [diff] [review]
real fix for Mac Carbon plugins, v1.0

I haven't tested this either, but it sounds reasonable.  And definitely better than just leaving carbon plugins to crash on OS X.
Comment 25 Josh Aas 2012-02-21 11:01:21 PST
Pushed carbon plugin fix to mozilla-inbound. We can close this bug once that hits m-c, no crashes reported since the last fix made it into a nightly.

http://hg.mozilla.org/integration/mozilla-inbound/rev/428d0a52f855
Comment 26 Ed Morley [:emorley] 2012-02-22 10:45:24 PST
https://hg.mozilla.org/mozilla-central/rev/428d0a52f855
Comment 27 Lukas Blakk [:lsblakk] use ?needinfo 2012-02-22 15:34:53 PST
[Triage Comment]
No need to track this now that it's resolved and will be riding the train.
