Last Comment Bug 724717 - Firefox 13.0a1 Crash Report [@ nsPluginInstanceOwner::CARefresh ]
: Firefox 13.0a1 Crash Report [@ nsPluginInstanceOwner::CARefresh ]
: crash, regression, reproducible
Product: Core
Classification: Components
Component: Plug-ins (show other bugs)
: 13 Branch
: x86_64 Mac OS X
-- critical (vote)
: mozilla13
Assigned To: Josh Aas
: Benjamin Smedberg [:bsmedberg]
Depends on:
Blocks: 532972 90268
  Show dependency treegraph
Reported: 2012-02-06 15:58 PST by Marcia Knous [:marcia - use ni]
Modified: 2012-02-18 11:21 PST (History)
6 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

fix v1.0 (7.19 KB, patch)
2012-02-16 09:14 PST, Josh Aas
b56girard: review+
Details | Diff | Splinter Review

Description User image Marcia Knous [:marcia - use ni] 2012-02-06 15:58:12 PST
Seen while looking at crash stats. Low volume trunk Mac crash that started showing up in crash stats using the 2012020103 build. to the crashes which are all Mac. Could be a regression from the plugin landing.

Frame 	Module 	Signature 	Source
0 		@0x7fff78fbeb80 	
1 	XUL 	nsPluginInstanceOwner::CARefresh 	dom/plugins/base/nsPluginInstanceOwner.cpp:1400
2 	XUL 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:428
3 	XUL 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:524
4 	XUL 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:657
5 	XUL 	NS_ProcessPendingEvents_P 	obj-firefox/x86_64/xpcom/build/nsThreadUtils.cpp:195
6 	XUL 	nsBaseAppShell::NativeEventCallback 	widget/xpwidgets/nsBaseAppShell.cpp:130
7 	XUL 	nsAppShell::ProcessGeckoEvents 	widget/cocoa/
8 	CoreFoundation 	CoreFoundation@0x126e0 	
9 	CoreFoundation 	CoreFoundation@0x11f4c 	
10 	CoreFoundation 	CoreFoundation@0x38d38 	
11 	libsystem_c.dylib 	libsystem_c.dylib@0x4d15f 	
12 	AppKit 	AppKit@0x3e5c9 	
13 	AppKit 	AppKit@0x3e8ca 	
14 	XUL 	nsPresContext::Release 	
15 	XUL 	nsEventStateManager::PostHandleEvent 	nsAutoPtr.h:907
16 		@0x10001bfff 	
17 	libsystem_c.dylib 	libsystem_c.dylib@0xa0788 	
18 	XUL 	nsGenericElement::AddRef 	nsISupportsImpl.h:161
19 	XUL 	nsGenericElement::Release 	nsISupportsImpl.h:210
20 	XUL 	nsCOMArray_base::RemoveObjectAt 	obj-firefox/x86_64/xpcom/build/nsCOMArray.cpp:136
21 	XUL 	PresShell::HandleEventWithTarget 	layout/base/nsPresShell.cpp:6326
22 	XUL 	nsEventStateManager::CheckForAndDispatchClick 	nsCOMPtr.h:480
23 	XUL 	nsEventStateManager::PostHandleEvent 	nsAutoPtr.h:907
24 		@0x7fff946670d4 	
25 	CarbonCore 	CarbonCore@0x1888b 	
26 	XUL 	PresShell::PopCurrentEventInfo 	
27 	XUL 	PresShell::HandlePositionedEvent 	layout/base/nsPresShell.cpp:6316
28 	XUL 	PresShell::HandleEvent
Comment 1 User image Bob Clary [:bc:] 2012-02-10 00:05:40 PST
I saw this once each on Mac OS X 10.6 on 2012-02-08 for

These both also showed Bug 674223:

###!!! ASSERTION: pluginInstanceOwner already registered as a listener: '!sCARefreshListeners->Contains(aPluginInstance)', file /work/mozilla/builds/nightly/mozilla/dom/plugins/base/nsPluginInstanceOwner.cpp, line 1422
nsPluginInstanceOwner::AddToCARefreshTimer [/work/mozilla/builds/nightly/mozilla/dom/plugins/base/nsPluginInstanceOwner.cpp:1423]
nsPluginInstanceOwner::SetupCARefresh [/work/mozilla/builds/nightly/mozilla/dom/plugins/base/nsPluginInstanceOwner.cpp:1470]
nsObjectFrame::PrepForDrawing [/work/mozilla/builds/nightly/mozilla/layout/generic/nsObjectFrame.cpp:494]
nsPluginInstanceOwner::SetFrame [/work/mozilla/builds/nightly/mozilla/dom/plugins/base/nsPluginInstanceOwner.cpp:3729]
nsObjectLoadingContent::HasNewFrame [/work/mozilla/builds/nightly/mozilla/content/base/src/nsObjectLoadingContent.cpp:1023]
nsObjectFrame::DidReflow [/work/mozilla/builds/nightly/mozilla/layout/generic/nsObjectFrame.cpp:889]

But could not reproduce locally on Mac OS X 10.5 and could not reproduce when resubmitting the urls to automation.
Comment 2 User image Steven Michaud [:smichaud] (Retired) 2012-02-14 12:25:15 PST
A quick check shows the nsPluginInstanceOwner destructor can be called without nsPluginInstanceOwner::Destroy() having been called.  That's probably what causes these crashes.
Comment 3 User image Marcia Knous [:marcia - use ni] 2012-02-15 19:16:57 PST
I can reproduce this using Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:13.0a1) Gecko/20120215 Firefox/13.0a1:

1. Load
2. Close the tab by clicking the "x" in the tab.
Comment 4 User image Jim Jeffery not reading bug-mail 1/2/11 2012-02-15 19:41:37 PST
No crash here on the puzzle page from comment #3 Win7 x64, latest m-c hourly win32 
Comment 5 User image Josh Aas 2012-02-15 20:07:47 PST
I can reproduce this easily building with the latest code from m-c. This is definitely still a problem. I have to reload the puzzle page to see the crash.
Comment 6 User image Josh Aas 2012-02-16 09:14:17 PST
Created attachment 597854 [details] [diff] [review]
fix v1.0

The way we manage the CA refresh observer list needs to be updated for the content-ownership era, leaving the object frame out of it. This fixes the crash for me.
Comment 7 User image Josh Aas 2012-02-16 09:35:25 PST
fix v1.0 try run:
Comment 8 User image Benoit Girard (:BenWa) 2012-02-16 18:17:32 PST
We don't have sufficient try coverage for In progress core animation drawing, make sure that you've tested this with OOPP disabled.
Comment 9 User image Josh Aas 2012-02-16 18:33:17 PST
pushed to mozilla-inbound
Comment 10 User image Ed Morley [:emorley] 2012-02-17 05:10:42 PST

Note You need to log in before you can comment on or make changes to this bug.