Closed Bug 724717 Opened 8 years ago Closed 8 years ago

Firefox 13.0a1 Crash Report [@ nsPluginInstanceOwner::CARefresh ]

Categories

(Core :: Plug-ins, defect, critical)

13 Branch
x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla13

People

(Reporter: marcia, Assigned: jaas)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, reproducible)

Crash Data

Attachments

(1 file)

Seen while looking at crash stats. Low volume trunk Mac crash that started showing up in crash stats using the 2012020103 build. https://crash-stats.mozilla.com/report/list?signature=nsPluginInstanceOwner::CARefresh to the crashes which are all Mac. Could be a regression from the plugin landing.

https://crash-stats.mozilla.com/report/index/b53ad46d-a45f-4762-977e-6749f2120202

Frame 	Module 	Signature 	Source
0 		@0x7fff78fbeb80 	
1 	XUL 	nsPluginInstanceOwner::CARefresh 	dom/plugins/base/nsPluginInstanceOwner.cpp:1400
2 	XUL 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:428
3 	XUL 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:524
4 	XUL 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:657
5 	XUL 	NS_ProcessPendingEvents_P 	obj-firefox/x86_64/xpcom/build/nsThreadUtils.cpp:195
6 	XUL 	nsBaseAppShell::NativeEventCallback 	widget/xpwidgets/nsBaseAppShell.cpp:130
7 	XUL 	nsAppShell::ProcessGeckoEvents 	widget/cocoa/nsAppShell.mm:441
8 	CoreFoundation 	CoreFoundation@0x126e0 	
9 	CoreFoundation 	CoreFoundation@0x11f4c 	
10 	CoreFoundation 	CoreFoundation@0x38d38 	
11 	libsystem_c.dylib 	libsystem_c.dylib@0x4d15f 	
12 	AppKit 	AppKit@0x3e5c9 	
13 	AppKit 	AppKit@0x3e8ca 	
14 	XUL 	nsPresContext::Release 	
15 	XUL 	nsEventStateManager::PostHandleEvent 	nsAutoPtr.h:907
16 		@0x10001bfff 	
17 	libsystem_c.dylib 	libsystem_c.dylib@0xa0788 	
18 	XUL 	nsGenericElement::AddRef 	nsISupportsImpl.h:161
19 	XUL 	nsGenericElement::Release 	nsISupportsImpl.h:210
20 	XUL 	nsCOMArray_base::RemoveObjectAt 	obj-firefox/x86_64/xpcom/build/nsCOMArray.cpp:136
21 	XUL 	PresShell::HandleEventWithTarget 	layout/base/nsPresShell.cpp:6326
22 	XUL 	nsEventStateManager::CheckForAndDispatchClick 	nsCOMPtr.h:480
23 	XUL 	nsEventStateManager::PostHandleEvent 	nsAutoPtr.h:907
24 		@0x7fff946670d4 	
25 	CarbonCore 	CarbonCore@0x1888b 	
26 	XUL 	PresShell::PopCurrentEventInfo 	
27 	XUL 	PresShell::HandlePositionedEvent 	layout/base/nsPresShell.cpp:6316
28 	XUL 	PresShell::HandleEvent
Blocks: 90268
Keywords: regression
Hardware: x86 → x86_64
Version: 10 Branch → 13 Branch
I saw this once each on Mac OS X 10.6 on 2012-02-08 for

http://www.filmovisaprevodom.com/strani-filmovi-sa-prevodom-online-besplatni-domaci-filmovi/empire-of-assassins-2011/

http://www.allstarpuzzles.com/wsearch/01605.html

These both also showed Bug 674223:

###!!! ASSERTION: pluginInstanceOwner already registered as a listener: '!sCARefreshListeners->Contains(aPluginInstance)', file /work/mozilla/builds/nightly/mozilla/dom/plugins/base/nsPluginInstanceOwner.cpp, line 1422
nsPluginInstanceOwner::AddToCARefreshTimer [/work/mozilla/builds/nightly/mozilla/dom/plugins/base/nsPluginInstanceOwner.cpp:1423]
nsPluginInstanceOwner::SetupCARefresh [/work/mozilla/builds/nightly/mozilla/dom/plugins/base/nsPluginInstanceOwner.cpp:1470]
nsObjectFrame::PrepForDrawing [/work/mozilla/builds/nightly/mozilla/layout/generic/nsObjectFrame.cpp:494]
nsPluginInstanceOwner::SetFrame [/work/mozilla/builds/nightly/mozilla/dom/plugins/base/nsPluginInstanceOwner.cpp:3729]
nsObjectLoadingContent::HasNewFrame [/work/mozilla/builds/nightly/mozilla/content/base/src/nsObjectLoadingContent.cpp:1023]
nsObjectFrame::DidReflow [/work/mozilla/builds/nightly/mozilla/layout/generic/nsObjectFrame.cpp:889]


But could not reproduce locally on Mac OS X 10.5 and could not reproduce when resubmitting the urls to automation.
Blocks: 532972
A quick check shows the nsPluginInstanceOwner destructor can be called without nsPluginInstanceOwner::Destroy() having been called.  That's probably what causes these crashes.
Assignee: nobody → smichaud
Assignee: smichaud → joshmoz
I can reproduce this using Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:13.0a1) Gecko/20120215 Firefox/13.0a1:

1. Load http://www.allstarpuzzles.com/wsearch/01605.html
2. Close the tab by clicking the "x" in the tab.

https://crash-stats.mozilla.com/report/index/bp-4ba8311e-b870-4e37-8581-fc1e02120216
Keywords: reproducible
No crash here on the puzzle page from comment #3 Win7 x64, latest m-c hourly win32 
cset: https://hg.mozilla.org/mozilla-central/rev/ae8cce613aa0
I can reproduce this easily building with the latest code from m-c. This is definitely still a problem. I have to reload the puzzle page to see the crash.
Attached patch fix v1.0Splinter Review
The way we manage the CA refresh observer list needs to be updated for the content-ownership era, leaving the object frame out of it. This fixes the crash for me.
Attachment #597854 - Flags: review?(bgirard)
Attachment #597854 - Flags: review?(bgirard) → review+
We don't have sufficient try coverage for In progress core animation drawing, make sure that you've tested this with OOPP disabled.
https://hg.mozilla.org/mozilla-central/rev/e5eeac74744a
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla13
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Status: REOPENED → RESOLVED
Closed: 8 years ago8 years ago
Resolution: --- → FIXED
Comment 1 is private: false
You need to log in before you can comment on or make changes to this bug.