Bug 781265 - abort crash in nsIFrame::GetOffsetToCrossDoc with abort message: "trying to get the offset between frames in different document hierarchies?"
Status: VERIFIED FIXED
: crash, regression, reproducible, topcrash
Product: Core
Classification: Components
Component: Layout
: 17 Branch
: All All
: -- critical with 2 votes
: mozilla17
Assigned To: John Schoenick [:johns]
: Jet Villegas (:jet)
Mentors:
: 781272 781776 782384
Depends on: 823039
Blocks: 745030
 
Reported: 2012-08-08 11:05 PDT by Scoobidiver (away)
Modified: 2012-12-21 01:33 PST
Crash Signature:
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | nsIFrame::GetOffsetToCrossDoc(nsIFrame const*, int) ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P ]
[@ mozalloc_abort | NS_DebugBreak_P | nsIFrame::GetOffsetToCrossDoc ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | nsIFrame::GetContentRectRelativeToSelf() ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | xul.dll@0xd434f ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | xul.dll@0xd434f | nsIFrame::GetOffsetToCrossDoc(nsIFrame const*, int) ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | NS_IsMainThread_P() ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | RtlTimeToTimeFields | SystemTimeToFileTime ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | nsGlobalWindow::Release() ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | nsGlobalChromeWindow::Release() ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | nsAString_internal::MutatePrep(unsigned int, wchar_t**, unsigned int*) ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | nsPresContext::Release() ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | xul.dll@0x14445f | nsIFrame::GetOffsetToCrossDoc(nsIFrame const*, int) ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | PR_Unlock | XPCCallContext::~XPCCallContext() ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | nsJSContext::Release() ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | nsXPConnect::GetXPConnect() ]
[@ nsRootPresContext::RequestUpdatePluginGeometry(nsIFrame*) ]
[@ nsRootPresContext::RequestUpdatePluginGeometry ]
[@ nsRootPresContext::UpdatePluginGeometry() ]
[@ nsRootPresContext::UpdatePluginGeometry ]


Attachments
Remove old logic that double-creates frameloaders in nsObjectLoadingContent (1.76 KB, patch)
2012-08-14 10:55 PDT, John Schoenick [:johns]
jaas: review+
john: checkin+

Description Scoobidiver (away) 2012-08-08 11:05:06 PDT
Bug 719117 is back.
It's currently #1 top crasher in today's build. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1bbc0b65dffb&tochange=e55638d4037a

Signature 	mozalloc_abort(char const* const) | NS_DebugBreak_P | nsIFrame::GetOffsetToCrossDoc(nsIFrame const*, int)
UUID	bbd78ede-cb3b-454f-a478-96ee92120808
Date Processed	2012-08-08 17:41:33
Uptime	39
Install Age	39 seconds since version was first installed.
Install Time	2012-08-08 17:40:37
Product	Firefox
Version	17.0a1
Build ID	20120808030529
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	AuthenticAMD family 16 model 4 stepping 3
Crash Reason	EXCEPTION_BREAKPOINT
Crash Address	0x67891999
App Notes 	
AdapterVendorID: 0x1002, AdapterDeviceID: 0x6739, AdapterSubsysID: 23041787, AdapterDriverVersion: 8.980.0.0
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ xpcom_runtime_abort(###!!! ABORT: trying to get the offset between frames in different document hierarchies?: file e:/builds/moz2_slave/m-cen-w32-ntly/build/layout/generic/nsFrame.cpp, line 4351)
EMCheckCompatibility	True
Adapter Vendor ID	0x1002
Adapter Device ID	0x6739
Total Virtual Memory	4294836224
Available Virtual Memory	3575574528
System Memory Use Percentage	37
Available Page File	13462474752
Available Physical Memory	5353267200

Frame 	Module 	Signature 	Source
0 	mozalloc.dll 	mozalloc_abort 	memory/mozalloc/mozalloc_abort.cpp:23
1 	xul.dll 	NS_DebugBreak_P 	xpcom/base/nsDebugImpl.cpp:410
2 	xul.dll 	nsIFrame::GetOffsetToCrossDoc 	layout/generic/nsFrame.cpp:4351
3 	xul.dll 	nsIFrame::GetOffsetToCrossDoc 	layout/generic/nsFrame.cpp:4335
4 	xul.dll 	PluginBoundsEnumerator 	layout/base/nsPresContext.cpp:2504
5 	xul.dll 	nsTHashtable<nsCertOverrideEntry>::s_EnumStub 	obj-firefox/dist/include/nsTHashtable.h:486
6 	xul.dll 	PL_DHashTableEnumerate 	obj-firefox/xpcom/build/pldhash.cpp:715
7 	xul.dll 	nsTHashtable<nsPtrHashKey<JSObject> >::EnumerateEntries 	obj-firefox/dist/include/nsTHashtable.h:237
8 	xul.dll 	nsRootPresContext::GetPluginGeometryUpdates 	layout/base/nsPresContext.cpp:2600
9 	xul.dll 	nsRootPresContext::UpdatePluginGeometry 	layout/base/nsPresContext.cpp:2729
10 	xul.dll 	PresShell::DidPaint 	layout/base/nsPresShell.cpp:7068
11 	xul.dll 	nsViewManager::DispatchEvent 	view/src/nsViewManager.cpp:770
12 	xul.dll 	AttachedHandleEvent 	view/src/nsView.cpp:159
13 	xul.dll 	nsWindow::DispatchEvent 	widget/windows/nsWindow.cpp:3520
14 	xul.dll 	nsWindow::DispatchWindowEvent 	widget/windows/nsWindow.cpp:3546
15 	xul.dll 	nsWindow::OnPaint 	widget/windows/nsWindowGfx.cpp:606
16 	xul.dll 	nsWindow::ProcessMessage 	widget/windows/nsWindow.cpp:4754
17 	xul.dll 	nsWindow::WindowProcInternal 	widget/windows/nsWindow.cpp:4341
18 	xul.dll 	CallWindowProcCrashProtected 	xpcom/base/nsCrashOnException.cpp:32
19 	xul.dll 	nsWindow::WindowProc 	widget/windows/nsWindow.cpp:4283
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=mozalloc_abort%28char+const*+const%29+|+NS_DebugBreak_P+|+nsIFrame%3A%3AGetOffsetToCrossDoc%28nsIFrame+const*%2C+int%29
Comment 1 Robert O'Callahan (:roc) (email my personal email if necessary) 2012-08-08 18:52:42 PDT
Most likely John Schoenick's changes.
Comment 2 John Schoenick [:johns] 2012-08-08 19:19:54 PDT
investigating
Comment 3 Scoobidiver (away) 2012-08-09 04:25:18 PDT
One comment talks about outlook.com like in bug 781272.
Comment 4 Scoobidiver (away) 2012-08-10 05:27:16 PDT
*** Bug 781776 has been marked as a duplicate of this bug. ***
Comment 5 omeringen 2012-08-10 05:39:03 PDT
https://bugzilla.mozilla.org/show_bug.cgi?id=781776
ATI HD2400 graphic card with open source drivers on linux. Random crashes on hotmail. Disabling HWA fixes the issue.

[    25.381] 
X.Org X Server 1.12.3
Release Date: 2012-07-09
[    25.381] X Protocol Version 11, Revision 0
[    25.381] Build Operating System: Linux 3.4.4-3-ARCH x86_64 
[    25.381] Current Operating System: Linux arch 3.4.7-1-ARCH #1 SMP PREEMPT Sun Jul 29 22:02:56 CEST 2012 x86_64
Comment 6 Alice0775 White 2012-08-13 15:19:39 PDT
bp-c3acac94-0967-493d-a4d3-7abef2120813

Browser crashes with the crash sig when I test Bug 782384

STR
1. Open http://www.zataz.com/news/22329/photobucket_-photo_-hack_-fusking.html
2. Wait
Comment 7 Alice0775 White 2012-08-13 15:34:25 PDT
Regression window(m-c)
Good:
http://hg.mozilla.org/mozilla-central/rev/1bbc0b65dffb
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120807030518
Crash:
http://hg.mozilla.org/mozilla-central/rev/2637d896de91
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120807063927
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1bbc0b65dffb&tochange=2637d896de91

Regression window(m-c)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/b4a63a0b90c2
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120806153305
Crash:
http://hg.mozilla.org/integration/mozilla-inbound/rev/89ea9764f9e9
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120806140630
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=b4a63a0b90c2&tochange=89ea9764f9e9

In local build:
Last Good:b4a63a0b90c2
First Bad: f3bd764deb31

Triggered by: Bug 745030
Comment 8 John Schoenick [:johns] 2012-08-14 10:55:03 PDT
Created attachment 651827
Remove old logic that double-creates frameloaders in nsObjectLoadingContent

So the issue here is a mis-ordering of logic - we need to create the frameloader before we notify, not after.
Additionally, the requirement to force-notify at all before starting the document load was only a workaround for Bug 300540, now fixed.
Comment 9 John Schoenick [:johns] 2012-08-14 13:35:32 PDT
I confirmed this fixes the issue on a few reproducible cases, waiting on try push to succeed before landing:
https://tbpl.mozilla.org/?tree=Try&rev=1e72e421e6b8
Comment 10 John Schoenick [:johns] 2012-08-15 11:30:28 PDT
Comment on attachment 651827
Remove old logic that double-creates frameloaders in nsObjectLoadingContent

https://hg.mozilla.org/integration/mozilla-inbound/rev/194bf5cfd25f

try run:
https://tbpl.mozilla.org/?tree=Try&rev=1e72e421e6b8
Comment 11 Ryan VanderMeulen [:RyanVM] 2012-08-15 18:44:36 PDT
https://hg.mozilla.org/mozilla-central/rev/194bf5cfd25f
Comment 12 Scoobidiver (away) 2012-08-16 14:21:51 PDT
*** Bug 781272 has been marked as a duplicate of this bug. ***
Comment 13 John Schoenick [:johns] 2012-08-16 15:19:36 PDT
*** Bug 782384 has been marked as a duplicate of this bug. ***
Comment 14 Scoobidiver (away) 2012-08-18 07:12:16 PDT
It's back from 17.0a1/20120818. The new regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a79132ac2f05&tochange=812ea773f166
It might be a regression from bug 781126.
Comment 15 Tony Mechelynck [:tonymec] 2012-08-18 13:23:05 PDT
adding crash signatures for duplicate bug 781272 which just bit me (not repeatably) at the close of a tab.
Comment 16 Andrew McCreight [:mccr8] 2012-08-19 19:53:42 PDT
I happened across a way to reproduce this on the latest Nightly.

Clean profile with just Flash active.

1. open youtube.com, start playing a video
2. While the youtube video is still playing, go to rng.io and let it run.

It crashes quickly.

here are a few examples:
https://crash-stats.mozilla.com/report/index/bp-a588de12-8443-41e0-911c-1dd942120820
https://crash-stats.mozilla.com/report/index/bp-69f75b50-8a16-4b9c-9d44-65cb92120820
Comment 17 Andrew McCreight [:mccr8] 2012-08-19 19:54:58 PDT
(specifically, a crash in nsRootPresContext::RequestUpdatePluginGeometry)
Comment 18 Alice0775 White 2012-08-19 20:15:47 PDT
(In reply to Andrew McCreight [:mccr8] from comment #16)
> I happened across a way to reproduce this on the latest Nightly.
> 
> Clean profile with just Flash active.
> 
> 1. open youtube.com, start playing a video
> 2. While the youtube video is still playing, go to rng.io and let it run.
> 
> It crashes quickly.
> 
> here are a few examples:
> https://crash-stats.mozilla.com/report/index/bp-a588de12-8443-41e0-911c-1dd942120820
> https://crash-stats.mozilla.com/report/index/bp-69f75b50-8a16-4b9c-9d44-65cb92120820

Regression window(m-c)
Good:
http://hg.mozilla.org/mozilla-central/rev/a79132ac2f05
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120816175051
Crash:
http://hg.mozilla.org/mozilla-central/rev/e1cd9fb39dd7
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120817052252
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a79132ac2f05&tochange=e1cd9fb39dd7


Regression window(m-i)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/7fe1c2d3d1f4
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120816212351
Crash:
http://hg.mozilla.org/integration/mozilla-inbound/rev/6f2c8195793c
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 ID:20120816212651
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=7fe1c2d3d1f4&tochange=6f2c8195793c

Triggered by: Bug 775965
Comment 19 Andrew McCreight [:mccr8] 2012-08-19 20:23:57 PDT
That also matches the window in Comment 14 from Scoobidiver.
Comment 20 John Schoenick [:johns] 2012-08-20 12:17:08 PDT
This looks to be a separate issue from what bug 745030 introduced, but I don't know enough about the frame/presentation side of this to understand what's going wrong here :(
Comment 21 Mats Palmgren (:mats) 2012-08-20 12:35:22 PDT
In that case we should file a new bug to handle that regression.
Comment 22 Robert Kaiser 2012-08-21 10:08:41 PDT
I filed bug 784365 as I thought that was a new unrelated regression in the build from 19th, but it looks like it might be the same thing. We can use that bug for the re-regression or we can file a completely new one.
Also, I guess we should put the authors of bug 781126 or bug 775965, whatever the real one that re-regressed this is, on the hook for this. We should really get this resolved before uplifting 17 to Aurora.
Comment 23 Andrew McCreight [:mccr8] 2012-08-21 10:51:13 PDT
Let's use bug 781279, which is about the specific crash signature that is currently #6.
Comment 24 Virgil Dicu [:virgil] [QA] 2012-10-19 06:52:49 PDT
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 beta 2
20121017073013

Checked on Windows XP, Windows 7. No crashes when following steps to reproduce from comment 6 and 16.

However there are still 63 crashes in 17.0 beta 1. http://bit.ly/T4YpWL

Is this expected in any way or should I file a separate bug?
Comment 25 Ioana (away) 2012-11-07 05:41:44 PST
John, can you please answer Virgil's question (comment 24)?
Comment 26 John Schoenick [:johns] 2012-11-07 09:29:51 PST
(In reply to Virgil Dicu [:virgil] [QA] from comment #24)
> Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 beta 2
> 20121017073013
> 
> Checked on Windows XP, Windows 7. No crashes when following steps to
> reproduce from comment 6 and 16.
> 
> However there are still 63 crashes in 17.0 beta 1. http://bit.ly/T4YpWL
> 
> Is this expected in any way or should I file a separate bug?

This signature is fairly generic, I would guess it is more likely related to bug 785808, since the issue tracked in this bug was fairly specific and reproducible.
Comment 27 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-11-07 11:22:30 PST
Based on comment 26, I think we can call this verified fixed for Firefox 17. Please correct me if I am wrong.
