Bug 752428 - crash in nsDOMWindowUtils::SetDisplayPortForElement
Status: VERIFIED FIXED
Whiteboard: [native-crash][readability]
Keywords: crash, regression, reproducible, topcrash
Product: Core
Classification: Components
Component: DOM
Version: 15 Branch
Platform: ARM Android
Importance: -- critical
Target Milestone: mozilla15
Assigned To: David Baron :dbaron: ⌚️UTC-10 (vacation, returning December 19)
:
: Andrew Overholt [:overholt]
Mentors:
Duplicates: 754024
Depends on:
Blocks: 747231
Reported: 2012-05-07 00:44 PDT by Scoobidiver (away)
Modified: 2012-05-21 09:26 PDT


Attachments
add null check where I'm not supposed to need one (1.39 KB, patch)
2012-05-07 04:07 PDT, David Baron :dbaron: ⌚️UTC-10 (vacation, returning December 19)
roc: review+
mark.finkle: approval‑mozilla‑aurora+
null check the right thing (1.18 KB, patch)
2012-05-09 04:57 PDT, David Baron :dbaron: ⌚️UTC-10 (vacation, returning December 19)
roc: review+
mark.finkle: approval‑mozilla‑aurora+

Description Scoobidiver (away) 2012-05-07 00:44:18 PDT
It's the #2 top crasher in the trunk and first appeared in 15.0a1/20120506. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=0a48e6561534&tochange=94ce5f33a9ea

Signature 	nsDOMWindowUtils::SetDisplayPortForElement
UUID	2e8a2401-64f6-4449-bda5-f44682120507
Date Processed	2012-05-07 04:31:25
Uptime	478
Install Age	8.0 minutes since version was first installed.
Install Time	2012-05-07 04:23:16
Product	FennecAndroid
Version	15.0a1
Build ID	20120506030520
Release Channel	nightly
OS	Linux
OS Version	0.0.0 Linux 2.6.35.10-Lionfish-1.8_Bright-SBC+ #1 PREEMPT Thu May 3 21:35:21 EDT 2012 armv7l
Build Architecture	arm
Build Architecture Info	
Crash Reason	SIGSEGV
Crash Address	0x1c
App Notes 	
AdapterVendorID: supersonic, AdapterDeviceID: PC36100.
AdapterDescription: 'Model: 'PC36100', Product: 'htc_supersonic', Manufacturer: 'HTC', Hardware: 'supersonic''.
HTC PC36100
sprint/htc_supersonic/supersonic:2.3.3/GRI40/134969.1:user/release-keys
EMCheckCompatibility	True

Frame 	Module 	Signature 	Source
0 	libxul.so 	nsDOMWindowUtils::SetDisplayPortForElement 	nsFrameManagerBase.h:83
1 	libxul.so 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:194
2 	libxul.so 	XPCWrappedNative::CallMethod 	js/xpconnect/src/XPCWrappedNative.cpp:3102
3 	libxul.so 	XPC_WN_CallMethod 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1553
4 	libxul.so 	js::Interpret 	js/src/jscntxtinlines.h:426
5 	libxul.so 	js::RunScript 	js/src/jsinterp.cpp:480
6 	libxul.so 	js::Invoke 	js/src/jsinterp.cpp:540
7 	libxul.so 	JS_CallFunctionValue 	js/src/jsapi.cpp:5448
8 	libxul.so 	nsXPCWrappedJSClass::CallMethod 	js/xpconnect/src/XPCWrappedJSClass.cpp:1509
9 	libxul.so 	nsXPCWrappedJS::CallMethod 	js/xpconnect/src/XPCWrappedJS.cpp:616
10 	libxul.so 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_arm.cpp:138
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsDOMWindowUtils%3A%3ASetDisplayPortForElement
Comment 1 :Ms2ger (⌚ UTC+1/+2) 2012-05-07 02:33:51 PDT
Dbaron, could this be yours?
Comment 2 David Baron :dbaron: ⌚️UTC-10 (vacation, returning December 19) 2012-05-07 04:00:47 PDT
Maybe http://hg.mozilla.org/mozilla-central/rev/fa94b7958cb4 is hitting the case where a pres shell has a null frame manager?  That seems consistent with an 0x1c offset, but not so consistent with nsIPresShell providing a GetRootFrame method.
Comment 3 David Baron :dbaron: ⌚️UTC-10 (vacation, returning December 19) 2012-05-07 04:07:52 PDT
Created attachment 621551
add null check where I'm not supposed to need one
Comment 4 Martijn Wargers [:mwargers] (not working for Mozilla) 2012-05-07 09:04:09 PDT
I was hitting this crash with: 
http://people.mozilla.org/~mwargers/fuzzing/cross_fuzz/linktocrossfuzz.html
Tap on the 'godoe a whole set' button (make sure you have popup windows unblocked, btw)
While the fuzz testing is going on, switch from portrait to landscape repeatedly.
Comment 5 Mark Finkle (:mfinkle) (use needinfo?) 2012-05-07 12:23:59 PDT
Comment on attachment 621551
add null check where I'm not supposed to need one

[Triage Comment]
Comment 6 David Baron :dbaron: ⌚️UTC-10 (vacation, returning December 19) 2012-05-07 12:35:37 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/4b9a76ac2df3

(now that mozilla-inbound is open, which it wasn't earlier)
Comment 7 Ed Morley [:emorley] 2012-05-08 03:13:21 PDT
https://hg.mozilla.org/mozilla-central/rev/4b9a76ac2df3
Comment 8 David Baron :dbaron: ⌚️UTC-10 (vacation, returning December 19) 2012-05-08 05:37:52 PDT
Martijn, could you check that this actually fixes your testcase?
Comment 9 Scoobidiver (away) 2012-05-08 10:18:56 PDT
There are still crashes in 15.0a1/20120508055912 where the patch has landed.
Comment 10 Martijn Wargers [:mwargers] (not working for Mozilla) 2012-05-09 01:33:29 PDT
Ok, that might be me, I wasn't sure that build contained the fix.
Comment 11 David Baron :dbaron: ⌚️UTC-10 (vacation, returning December 19) 2012-05-09 04:49:44 PDT
http://ftp.mozilla.org/pub/mozilla.org/mobile/nightly/2012/05/2012-05-08-05-59-12-mozilla-central-android/fennec-15.0a1.en-US.android-arm.txt says it does contain the fix.
Comment 12 David Baron :dbaron: ⌚️UTC-10 (vacation, returning December 19) 2012-05-09 04:53:52 PDT
(In reply to David Baron [:dbaron] from comment #2)
> Maybe http://hg.mozilla.org/mozilla-central/rev/fa94b7958cb4 is hitting the
> case where a pres shell has a null frame manager?  That seems consistent
> with an 0x1c offset, but not so consistent with nsIPresShell providing a
> GetRootFrame method.

Not sure what I was thinking, but now 0x1c looks consistent with just having a null pres-shell.
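
Added example, not part of the bug thread or of the Gecko source: for an access chain such as `shell->frame_manager->root_frame`, a small crash address like 0x1c tells you which pointer was null, because the fault lands at the offset of the member being loaded from the null base. The struct layouts, member names and offsets below are hypothetical and constructed for illustration; the real class layouts are not on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 32-bit layouts (pointers stored as uint32_t so offsets are the
 * same on any host). Hypothetical: NOT the real Gecko class layouts. */
struct FrameManagerLayout {
    uint32_t vtable, pres_shell;
    uint32_t root_frame;                 /* offset 0x08 */
};
struct PresShellLayout {
    uint32_t vtable, refcnt, document, pres_context,
             style_set, selection, view_manager;
    uint32_t frame_manager;              /* offset 0x1c */
};

enum null_base { BASE_UNKNOWN, BASE_PRES_SHELL, BASE_FRAME_MANAGER };

/* For the chain shell->frame_manager->root_frame, a null base pointer faults
 * at exactly the offset of the member being loaded from it. */
enum null_base which_pointer_was_null(uint32_t crash_addr)
{
    if (crash_addr == offsetof(struct PresShellLayout, frame_manager))
        return BASE_PRES_SHELL;
    if (crash_addr == offsetof(struct FrameManagerLayout, root_frame))
        return BASE_FRAME_MANAGER;
    return BASE_UNKNOWN;
}

/* The same chain with real pointers, checking every link before use. */
struct frame { int id; };
struct frame_manager { struct frame *root_frame; };
struct pres_shell { struct frame_manager *frame_manager; };

struct frame *get_root_frame_checked(const struct pres_shell *shell)
{
    if (!shell || !shell->frame_manager)
        return NULL;
    return shell->frame_manager->root_frame;
}

int main(void)
{
    static const char *names[] = { "unknown", "pres shell", "frame manager" };
    printf("0x1c -> null %s\n", names[which_pointer_was_null(0x1c)]);
    printf("0x08 -> null %s\n", names[which_pointer_was_null(0x08)]);
    printf("null shell -> %p\n", (void *)get_root_frame_checked(NULL));
    return 0;
}
```

Checking only one link of the chain leaves the crash in place when the other link is the null one, which is why matching the reported fault address against the candidate member offsets comes before choosing where to put the check.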
Comment 13 David Baron :dbaron: ⌚️UTC-10 (vacation, returning December 19) 2012-05-09 04:57:40 PDT
Created attachment 622347
null check the right thing
Comment 14 Aaron Train [:aaronmt] 2012-05-09 11:00:43 PDT
Just adding in some STR as I just hit this on mobile Nightly (05/09), google.com/reader, sign-in and rotate phone to landscape
Comment 15 David Baron :dbaron: ⌚️UTC-10 (vacation, returning December 19) 2012-05-10 02:14:34 PDT
https://hg.mozilla.org/mozilla-central/rev/6fe7dd2f8f57
Comment 16 Mark Finkle (:mfinkle) (use needinfo?) 2012-05-10 13:52:22 PDT
*** Bug 754024 has been marked as a duplicate of this bug. ***
Comment 17 David Baron :dbaron: ⌚️UTC-10 (vacation, returning December 19) 2012-05-14 01:30:19 PDT
https://crash-stats.mozilla.com/report/list?signature=nsDOMWindowUtils%3A%3ASetDisplayPortForElement shows crashes only from 2012-05-06 through 2012-05-10, so this looks fixed now.
Comment 18 David Baron :dbaron: ⌚️UTC-10 (vacation, returning December 19) 2012-05-14 01:31:27 PDT
Comment on attachment 622347
null check the right thing

[Approval Request Comment]
Regression caused by (bug #): bug 747231
User impact if declined: crashes
Testing completed (on m-c, etc.): on mozilla-central, crash stats
Risk to taking this patch (and alternatives if risky): very low, null check
String changes made by this patch: none

I'll merge the two patches in this bug when landing them on aurora.
Comment 19 David Baron :dbaron: ⌚️UTC-10 (vacation, returning December 19) 2012-05-15 00:25:27 PDT
https://hg.mozilla.org/releases/mozilla-aurora/rev/9fc473b657fb
https://hg.mozilla.org/releases/mozilla-aurora/rev/e56e0283291c
Comment 20 Kevin Brosnan [:kbrosnan] 2012-05-17 18:56:36 PDT
Verified by crash stats.
Comment 21 Scoobidiver (away) 2012-05-18 01:17:57 PDT
(In reply to Kevin Brosnan [:kbrosnan] from comment #20)
> Verified by crash stats.
It has never happened in 14.0a2.
Comment 22 Martijn Wargers [:mwargers] (not working for Mozilla) 2012-05-21 09:26:24 PDT
The case in comment 4 doesn't crash anymore in trunk. I verified that.
