Last Comment Bug 724717 - Firefox 13.0a1 Crash Report [@ nsPluginInstanceOwner::CARefresh ]
: Firefox 13.0a1 Crash Report [@ nsPluginInstanceOwner::CARefresh ]
Status: RESOLVED FIXED
: crash, regression, reproducible
Product: Core
Classification: Components
Component: Plug-ins (show other bugs)
: 13 Branch
: x86_64 Mac OS X
: -- critical (vote)
: mozilla13
Assigned To: Josh Aas
:
Mentors:
Depends on:
Blocks: 532972 90268
  Show dependency treegraph
 
Reported: 2012-02-06 15:58 PST by Marcia Knous [:marcia - use ni]
Modified: 2012-02-18 11:21 PST (History)
6 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
fix v1.0 (7.19 KB, patch)
2012-02-16 09:14 PST, Josh Aas
b56girard: review+
Details | Diff | Splinter Review

Description Marcia Knous [:marcia - use ni] 2012-02-06 15:58:12 PST
Seen while looking at crash stats. Low volume trunk Mac crash that started showing up in crash stats using the 2012020103 build. https://crash-stats.mozilla.com/report/list?signature=nsPluginInstanceOwner::CARefresh to the crashes which are all Mac. Could be a regression from the plugin landing.

https://crash-stats.mozilla.com/report/index/b53ad46d-a45f-4762-977e-6749f2120202

Frame 	Module 	Signature 	Source
0 		@0x7fff78fbeb80 	
1 	XUL 	nsPluginInstanceOwner::CARefresh 	dom/plugins/base/nsPluginInstanceOwner.cpp:1400
2 	XUL 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:428
3 	XUL 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:524
4 	XUL 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:657
5 	XUL 	NS_ProcessPendingEvents_P 	obj-firefox/x86_64/xpcom/build/nsThreadUtils.cpp:195
6 	XUL 	nsBaseAppShell::NativeEventCallback 	widget/xpwidgets/nsBaseAppShell.cpp:130
7 	XUL 	nsAppShell::ProcessGeckoEvents 	widget/cocoa/nsAppShell.mm:441
8 	CoreFoundation 	CoreFoundation@0x126e0 	
9 	CoreFoundation 	CoreFoundation@0x11f4c 	
10 	CoreFoundation 	CoreFoundation@0x38d38 	
11 	libsystem_c.dylib 	libsystem_c.dylib@0x4d15f 	
12 	AppKit 	AppKit@0x3e5c9 	
13 	AppKit 	AppKit@0x3e8ca 	
14 	XUL 	nsPresContext::Release 	
15 	XUL 	nsEventStateManager::PostHandleEvent 	nsAutoPtr.h:907
16 		@0x10001bfff 	
17 	libsystem_c.dylib 	libsystem_c.dylib@0xa0788 	
18 	XUL 	nsGenericElement::AddRef 	nsISupportsImpl.h:161
19 	XUL 	nsGenericElement::Release 	nsISupportsImpl.h:210
20 	XUL 	nsCOMArray_base::RemoveObjectAt 	obj-firefox/x86_64/xpcom/build/nsCOMArray.cpp:136
21 	XUL 	PresShell::HandleEventWithTarget 	layout/base/nsPresShell.cpp:6326
22 	XUL 	nsEventStateManager::CheckForAndDispatchClick 	nsCOMPtr.h:480
23 	XUL 	nsEventStateManager::PostHandleEvent 	nsAutoPtr.h:907
24 		@0x7fff946670d4 	
25 	CarbonCore 	CarbonCore@0x1888b 	
26 	XUL 	PresShell::PopCurrentEventInfo 	
27 	XUL 	PresShell::HandlePositionedEvent 	layout/base/nsPresShell.cpp:6316
28 	XUL 	PresShell::HandleEvent
Comment 1 Bob Clary [:bc:] 2012-02-10 00:05:40 PST
I saw this once each on Mac OS X 10.6 on 2012-02-08 for

http://www.filmovisaprevodom.com/strani-filmovi-sa-prevodom-online-besplatni-domaci-filmovi/empire-of-assassins-2011/

http://www.allstarpuzzles.com/wsearch/01605.html

These both also showed Bug 674223:

###!!! ASSERTION: pluginInstanceOwner already registered as a listener: '!sCARefreshListeners->Contains(aPluginInstance)', file /work/mozilla/builds/nightly/mozilla/dom/plugins/base/nsPluginInstanceOwner.cpp, line 1422
nsPluginInstanceOwner::AddToCARefreshTimer [/work/mozilla/builds/nightly/mozilla/dom/plugins/base/nsPluginInstanceOwner.cpp:1423]
nsPluginInstanceOwner::SetupCARefresh [/work/mozilla/builds/nightly/mozilla/dom/plugins/base/nsPluginInstanceOwner.cpp:1470]
nsObjectFrame::PrepForDrawing [/work/mozilla/builds/nightly/mozilla/layout/generic/nsObjectFrame.cpp:494]
nsPluginInstanceOwner::SetFrame [/work/mozilla/builds/nightly/mozilla/dom/plugins/base/nsPluginInstanceOwner.cpp:3729]
nsObjectLoadingContent::HasNewFrame [/work/mozilla/builds/nightly/mozilla/content/base/src/nsObjectLoadingContent.cpp:1023]
nsObjectFrame::DidReflow [/work/mozilla/builds/nightly/mozilla/layout/generic/nsObjectFrame.cpp:889]


But could not reproduce locally on Mac OS X 10.5 and could not reproduce when resubmitting the urls to automation.
Comment 2 Steven Michaud [:smichaud] (Retired) 2012-02-14 12:25:15 PST
A quick check shows the nsPluginInstanceOwner destructor can be called without nsPluginInstanceOwner::Destroy() having been called.  That's probably what causes these crashes.
Comment 3 Marcia Knous [:marcia - use ni] 2012-02-15 19:16:57 PST
I can reproduce this using Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:13.0a1) Gecko/20120215 Firefox/13.0a1:

1. Load http://www.allstarpuzzles.com/wsearch/01605.html
2. Close the tab by clicking the "x" in the tab.

https://crash-stats.mozilla.com/report/index/bp-4ba8311e-b870-4e37-8581-fc1e02120216
Comment 4 Jim Jeffery not reading bug-mail 1/2/11 2012-02-15 19:41:37 PST
No crash here on the puzzle page from comment #3 Win7 x64, latest m-c hourly win32 
cset: https://hg.mozilla.org/mozilla-central/rev/ae8cce613aa0
Comment 5 Josh Aas 2012-02-15 20:07:47 PST
I can reproduce this easily building with the latest code from m-c. This is definitely still a problem. I have to reload the puzzle page to see the crash.
Comment 6 Josh Aas 2012-02-16 09:14:17 PST
Created attachment 597854 [details] [diff] [review]
fix v1.0

The way we manage the CA refresh observer list needs to be updated for the content-ownership era, leaving the object frame out of it. This fixes the crash for me.
Comment 7 Josh Aas 2012-02-16 09:35:25 PST
fix v1.0 try run:

https://tbpl.mozilla.org/?tree=Try&rev=4cbcb8251ad4
Comment 8 Benoit Girard (:BenWa) 2012-02-16 18:17:32 PST
We don't have sufficient try coverage for In progress core animation drawing, make sure that you've tested this with OOPP disabled.
Comment 9 Josh Aas 2012-02-16 18:33:17 PST
pushed to mozilla-inbound

http://hg.mozilla.org/integration/mozilla-inbound/rev/e5eeac74744a
Comment 10 Ed Morley [:emorley] 2012-02-17 05:10:42 PST
https://hg.mozilla.org/mozilla-central/rev/e5eeac74744a

Note You need to log in before you can comment on or make changes to this bug.