The default bug view has changed. See this FAQ.

crash in nsDOMWindowUtils::SetDisplayPortForElement

VERIFIED FIXED in Firefox 14

Status

()

Core
DOM
--
critical
VERIFIED FIXED
5 years ago
5 years ago

People

(Reporter: Scoobidiver (away), Assigned: dbaron)

Tracking

(4 keywords)

15 Branch
mozilla15
ARM
Android
crash, regression, reproducible, topcrash
Points:
---

Firefox Tracking Flags

(firefox14 fixed, firefox15 verified, blocking-fennec1.0 +, fennec14+)

Details

(Whiteboard: [native-crash][readability], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
It's #2 top crasher in the trunk and first appeared in 15.0a1/20120506. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=0a48e6561534&tochange=94ce5f33a9ea

Signature 	nsDOMWindowUtils::SetDisplayPortForElement More Reports Search
UUID	2e8a2401-64f6-4449-bda5-f44682120507
Date Processed	2012-05-07 04:31:25
Uptime	478
Install Age	8.0 minutes since version was first installed.
Install Time	2012-05-07 04:23:16
Product	FennecAndroid
Version	15.0a1
Build ID	20120506030520
Release Channel	nightly
OS	Linux
OS Version	0.0.0 Linux 2.6.35.10-Lionfish-1.8_Bright-SBC+ #1 PREEMPT Thu May 3 21:35:21 EDT 2012 armv7l
Build Architecture	arm
Build Architecture Info	
Crash Reason	SIGSEGV
Crash Address	0x1c
App Notes 	
AdapterVendorID: supersonic, AdapterDeviceID: PC36100.
AdapterDescription: 'Model: 'PC36100', Product: 'htc_supersonic', Manufacturer: 'HTC', Hardware: 'supersonic''.
HTC PC36100
sprint/htc_supersonic/supersonic:2.3.3/GRI40/134969.1:user/release-keys
EMCheckCompatibility	True

Frame 	Module 	Signature 	Source
0 	libxul.so 	nsDOMWindowUtils::SetDisplayPortForElement 	nsFrameManagerBase.h:83
1 	libxul.so 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:194
2 	libxul.so 	XPCWrappedNative::CallMethod 	js/xpconnect/src/XPCWrappedNative.cpp:3102
3 	libxul.so 	XPC_WN_CallMethod 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1553
4 	libxul.so 	js::Interpret 	js/src/jscntxtinlines.h:426
5 	libxul.so 	js::RunScript 	js/src/jsinterp.cpp:480
6 	libxul.so 	js::Invoke 	js/src/jsinterp.cpp:540
7 	libxul.so 	JS_CallFunctionValue 	js/src/jsapi.cpp:5448
8 	libxul.so 	nsXPCWrappedJSClass::CallMethod 	js/xpconnect/src/XPCWrappedJSClass.cpp:1509
9 	libxul.so 	nsXPCWrappedJS::CallMethod 	js/xpconnect/src/XPCWrappedJS.cpp:616
10 	libxul.so 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_arm.cpp:138
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsDOMWindowUtils%3A%3ASetDisplayPortForElement
Dbaron, could this be yours?
(Assignee)

Comment 2

5 years ago
Maybe http://hg.mozilla.org/mozilla-central/rev/fa94b7958cb4 is hitting the case where a pres shell has a null frame manager?  That seems consistent with an 0x1c offset, but not so consistent with nsIPresShell providing a GetRootFrame method.
(Assignee)

Updated

5 years ago
Assignee: nobody → dbaron
Blocks: 747231
Whiteboard: [native-crash] → [native-crash][readability]
Target Milestone: --- → mozilla15
(Assignee)

Comment 3

5 years ago
Created attachment 621551 [details] [diff] [review]
add null check where I'm not supposed to need one
Attachment #621551 - Flags: review?(roc)
Attachment #621551 - Flags: review?(roc) → review+
I was hitting this crash with: 
http://people.mozilla.org/~mwargers/fuzzing/cross_fuzz/linktocrossfuzz.html
Tap on the 'godoe a whole set' button (make sure you have popup windows unblocked, btw)
While the fuzz testing is going on, switch from portrait to landscape repeatedly.
(Reporter)

Updated

5 years ago
Keywords: reproducible

Updated

5 years ago
blocking-fennec1.0: --- → ?
tracking-fennec: ? → 14+
blocking-fennec1.0: ? → +
Comment on attachment 621551 [details] [diff] [review]
add null check where I'm not supposed to need one

[Triage Comment]
Attachment #621551 - Flags: approval-mozilla-aurora+
(Assignee)

Comment 6

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/4b9a76ac2df3

(now that mozilla-inbound is open, which it wasn't earlier)
https://hg.mozilla.org/mozilla-central/rev/4b9a76ac2df3
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Assignee)

Comment 8

5 years ago
Martijn, could you check that this actually fixes your testcase?

Updated

5 years ago
Keywords: qawanted
(Reporter)

Comment 9

5 years ago
There are still crashes in 15.0a1/20120508055912 where the patch has landed.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Ok, that might be me, I wasn't sure that build contained the fix.
(Assignee)

Comment 11

5 years ago
http://ftp.mozilla.org/pub/mozilla.org/mobile/nightly/2012/05/2012-05-08-05-59-12-mozilla-central-android/fennec-15.0a1.en-US.android-arm.txt says it does contain the fix.
(Assignee)

Comment 12

5 years ago
(In reply to David Baron [:dbaron] from comment #2)
> Maybe http://hg.mozilla.org/mozilla-central/rev/fa94b7958cb4 is hitting the
> case where a pres shell has a null frame manager?  That seems consistent
> with an 0x1c offset, but not so consistent with nsIPresShell providing a
> GetRootFrame method.

Not sure what I was thinking, but now 0x1c looks consistent with just having a null pres-shell.
(Assignee)

Comment 13

5 years ago
Created attachment 622347 [details] [diff] [review]
null check the right thing
Attachment #622347 - Flags: review?(roc)
Just adding in some STR as I just hit this on mobile Nightly (05/09), google.com/reader, sign-in and rotate phone to landscape
Attachment #622347 - Flags: review?(roc) → review+
(Assignee)

Comment 15

5 years ago
https://hg.mozilla.org/mozilla-central/rev/6fe7dd2f8f57
Status: REOPENED → RESOLVED
Last Resolved: 5 years ago5 years ago
Resolution: --- → FIXED

Updated

5 years ago
status-firefox15: --- → affected

Updated

5 years ago
status-firefox14: --- → affected
(Reporter)

Updated

5 years ago
status-firefox15: affected → ---
Duplicate of this bug: 754024
(Assignee)

Comment 17

5 years ago
https://crash-stats.mozilla.com/report/list?signature=nsDOMWindowUtils%3A%3ASetDisplayPortForElement shows crashes only from 2012-05-06 through 2012-05-10, so this looks fixed now.
(Assignee)

Comment 18

5 years ago
Comment on attachment 622347 [details] [diff] [review]
null check the right thing

[Approval Request Comment]
Regression caused by (bug #): bug 747231
User impact if declined: crashes
Testing completed (on m-c, etc.): on mozilla-central, crash stats
Risk to taking this patch (and alternatives if risky): very low, null check
String changes made by this patch: none

I'll merge the two patches in this bug when landing them on aurora.
Attachment #622347 - Flags: approval-mozilla-aurora?
(Reporter)

Updated

5 years ago
status-firefox15: --- → verified
Attachment #622347 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(Assignee)

Comment 19

5 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/9fc473b657fb
https://hg.mozilla.org/releases/mozilla-aurora/rev/e56e0283291c
status-firefox14: affected → fixed
Verified by crash stats.
Status: RESOLVED → VERIFIED
status-firefox14: fixed → verified
(Reporter)

Comment 21

5 years ago
(In reply to Kevin Brosnan [:kbrosnan] from comment #20)
> Verified by crash stats.
It has never happened in 14.0a2.
Status: VERIFIED → RESOLVED
Last Resolved: 5 years ago5 years ago
status-firefox14: verified → fixed
The case in comment 4 doesn't crash anymore in trunk. I verified that.
Status: RESOLVED → VERIFIED
Keywords: qawanted
You need to log in before you can comment on or make changes to this bug.