Firefox 13.0a1 Crash Report [@ nsPluginInstanceOwner::CARefresh ]

RESOLVED FIXED in mozilla13

Status

()

Core
Plug-ins
--
critical
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: marcia, Assigned: Josh Aas)

Tracking

(Blocks: 1 bug, {crash, regression, reproducible})

13 Branch
mozilla13
x86_64
Mac OS X
crash, regression, reproducible
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
Seen while looking at crash stats. Low volume trunk Mac crash that started showing up in crash stats using the 2012020103 build. https://crash-stats.mozilla.com/report/list?signature=nsPluginInstanceOwner::CARefresh to the crashes which are all Mac. Could be a regression from the plugin landing.

https://crash-stats.mozilla.com/report/index/b53ad46d-a45f-4762-977e-6749f2120202

Frame 	Module 	Signature 	Source
0 		@0x7fff78fbeb80 	
1 	XUL 	nsPluginInstanceOwner::CARefresh 	dom/plugins/base/nsPluginInstanceOwner.cpp:1400
2 	XUL 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:428
3 	XUL 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:524
4 	XUL 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:657
5 	XUL 	NS_ProcessPendingEvents_P 	obj-firefox/x86_64/xpcom/build/nsThreadUtils.cpp:195
6 	XUL 	nsBaseAppShell::NativeEventCallback 	widget/xpwidgets/nsBaseAppShell.cpp:130
7 	XUL 	nsAppShell::ProcessGeckoEvents 	widget/cocoa/nsAppShell.mm:441
8 	CoreFoundation 	CoreFoundation@0x126e0 	
9 	CoreFoundation 	CoreFoundation@0x11f4c 	
10 	CoreFoundation 	CoreFoundation@0x38d38 	
11 	libsystem_c.dylib 	libsystem_c.dylib@0x4d15f 	
12 	AppKit 	AppKit@0x3e5c9 	
13 	AppKit 	AppKit@0x3e8ca 	
14 	XUL 	nsPresContext::Release 	
15 	XUL 	nsEventStateManager::PostHandleEvent 	nsAutoPtr.h:907
16 		@0x10001bfff 	
17 	libsystem_c.dylib 	libsystem_c.dylib@0xa0788 	
18 	XUL 	nsGenericElement::AddRef 	nsISupportsImpl.h:161
19 	XUL 	nsGenericElement::Release 	nsISupportsImpl.h:210
20 	XUL 	nsCOMArray_base::RemoveObjectAt 	obj-firefox/x86_64/xpcom/build/nsCOMArray.cpp:136
21 	XUL 	PresShell::HandleEventWithTarget 	layout/base/nsPresShell.cpp:6326
22 	XUL 	nsEventStateManager::CheckForAndDispatchClick 	nsCOMPtr.h:480
23 	XUL 	nsEventStateManager::PostHandleEvent 	nsAutoPtr.h:907
24 		@0x7fff946670d4 	
25 	CarbonCore 	CarbonCore@0x1888b 	
26 	XUL 	PresShell::PopCurrentEventInfo 	
27 	XUL 	PresShell::HandlePositionedEvent 	layout/base/nsPresShell.cpp:6316
28 	XUL 	PresShell::HandleEvent

Updated

5 years ago
Blocks: 90268
Keywords: regression
Hardware: x86 → x86_64
Version: 10 Branch → 13 Branch

Comment 1

5 years ago
I saw this once each on Mac OS X 10.6 on 2012-02-08 for

http://www.filmovisaprevodom.com/strani-filmovi-sa-prevodom-online-besplatni-domaci-filmovi/empire-of-assassins-2011/

http://www.allstarpuzzles.com/wsearch/01605.html

These both also showed Bug 674223:

###!!! ASSERTION: pluginInstanceOwner already registered as a listener: '!sCARefreshListeners->Contains(aPluginInstance)', file /work/mozilla/builds/nightly/mozilla/dom/plugins/base/nsPluginInstanceOwner.cpp, line 1422
nsPluginInstanceOwner::AddToCARefreshTimer [/work/mozilla/builds/nightly/mozilla/dom/plugins/base/nsPluginInstanceOwner.cpp:1423]
nsPluginInstanceOwner::SetupCARefresh [/work/mozilla/builds/nightly/mozilla/dom/plugins/base/nsPluginInstanceOwner.cpp:1470]
nsObjectFrame::PrepForDrawing [/work/mozilla/builds/nightly/mozilla/layout/generic/nsObjectFrame.cpp:494]
nsPluginInstanceOwner::SetFrame [/work/mozilla/builds/nightly/mozilla/dom/plugins/base/nsPluginInstanceOwner.cpp:3729]
nsObjectLoadingContent::HasNewFrame [/work/mozilla/builds/nightly/mozilla/content/base/src/nsObjectLoadingContent.cpp:1023]
nsObjectFrame::DidReflow [/work/mozilla/builds/nightly/mozilla/layout/generic/nsObjectFrame.cpp:889]


But could not reproduce locally on Mac OS X 10.5 and could not reproduce when resubmitting the urls to automation.
Blocks: 532972
A quick check shows the nsPluginInstanceOwner destructor can be called without nsPluginInstanceOwner::Destroy() having been called.  That's probably what causes these crashes.
Assignee: nobody → smichaud
(Assignee)

Updated

5 years ago
Assignee: smichaud → joshmoz
(Reporter)

Comment 3

5 years ago
I can reproduce this using Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:13.0a1) Gecko/20120215 Firefox/13.0a1:

1. Load http://www.allstarpuzzles.com/wsearch/01605.html
2. Close the tab by clicking the "x" in the tab.

https://crash-stats.mozilla.com/report/index/bp-4ba8311e-b870-4e37-8581-fc1e02120216
Keywords: reproducible
No crash here on the puzzle page from comment #3 Win7 x64, latest m-c hourly win32 
cset: https://hg.mozilla.org/mozilla-central/rev/ae8cce613aa0
(Assignee)

Comment 5

5 years ago
I can reproduce this easily building with the latest code from m-c. This is definitely still a problem. I have to reload the puzzle page to see the crash.
(Assignee)

Comment 6

5 years ago
Created attachment 597854 [details] [diff] [review]
fix v1.0

The way we manage the CA refresh observer list needs to be updated for the content-ownership era, leaving the object frame out of it. This fixes the crash for me.
Attachment #597854 - Flags: review?(bgirard)
(Assignee)

Comment 7

5 years ago
fix v1.0 try run:

https://tbpl.mozilla.org/?tree=Try&rev=4cbcb8251ad4

Updated

5 years ago
Attachment #597854 - Flags: review?(bgirard) → review+
We don't have sufficient try coverage for In progress core animation drawing, make sure that you've tested this with OOPP disabled.
(Assignee)

Comment 9

5 years ago
pushed to mozilla-inbound

http://hg.mozilla.org/integration/mozilla-inbound/rev/e5eeac74744a
https://hg.mozilla.org/mozilla-central/rev/e5eeac74744a
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla13
(Assignee)

Updated

5 years ago
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Assignee)

Updated

5 years ago
Status: REOPENED → RESOLVED
Last Resolved: 5 years ago5 years ago
Resolution: --- → FIXED
(Assignee)

Updated

5 years ago
Comment 1 is private: false
You need to log in before you can comment on or make changes to this bug.