Bug 781279 - crash in nsRootPresContext::UpdatePluginGeometry
Status: RESOLVED FIXED
Keywords: crash, regression, testcase, topcrash
Product: Core
Classification: Components
Component: Layout
Version: 17 Branch
Platform: All All
Importance: -- critical
Target Milestone: mozilla17
Assigned To: Chris Pearce (:cpearce)
Duplicates: 784365
Blocks: 775965

Reported: 2012-08-08 11:24 PDT by Scoobidiver (away)
Modified: 2014-01-10 10:39 PST
Crash Signature:
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | nsIFrame::GetOffsetToCrossDoc(nsIFrame const*, int) ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P ]
[@ mozalloc_abort | NS_DebugBreak_P | nsIFrame::GetOffsetToCrossDoc ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | nsIFrame::GetContentRectRelativeToSelf() ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | xul.dll@0xd434f ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | xul.dll@0xd434f | nsIFrame::GetOffsetToCrossDoc(nsIFrame const*, int) ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | NS_IsMainThread_P() ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | RtlTimeToTimeFields | SystemTimeToFileTime ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | nsGlobalWindow::Release() ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | nsGlobalChromeWindow::Release() ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | nsAString_internal::MutatePrep(unsigned int, wchar_t**, unsigned int*) ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | nsPresContext::Release() ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | xul.dll@0x14445f | nsIFrame::GetOffsetToCrossDoc(nsIFrame const*, int) ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | PR_Unlock | XPCCallContext::~XPCCallContext() ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | nsJSContext::Release() ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | nsXPConnect::GetXPConnect() ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::ProxyXrayTraits>::get(JSContext*, JSObject*, JSObject*, __int64, JS::Value*) ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | PR_Now | MD_CURRENT_THREAD ]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | XPCCallContext::~XPCCallContext() ]
[@ nsRootPresContext::RequestUpdatePluginGeometry(nsIFrame*) ]
[@ nsRootPresContext::RequestUpdatePluginGeometry ]
[@ nsRootPresContext::UpdatePluginGeometry() ]
[@ nsRootPresContext::UpdatePluginGeometry ]
+
verified


Attachments
Patch (1.64 KB, patch)
2012-08-21 21:56 PDT, Chris Pearce (:cpearce)
no flags
Patch v2 (1.50 KB, patch)
2012-08-24 00:05 PDT, Chris Pearce (:cpearce)
roc: review+

Description Scoobidiver (away) 2012-08-08 11:24:42 PDT
There's a spike in crashes from 17.0a1/20120808. The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1bbc0b65dffb&tochange=e55638d4037a
It's likely related to bug 781272.

Stack traces are various:
Frame 	Module 	Signature 	Source
0 	xul.dll 	nsRootPresContext::UpdatePluginGeometry 	layout/base/nsPresContext.cpp:2722
1 	xul.dll 	PresShell::DidPaint 	layout/base/nsPresShell.cpp:7068
2 	xul.dll 	nsViewManager::DispatchEvent 	view/src/nsViewManager.cpp:770
3 	xul.dll 	AttachedHandleEvent 	view/src/nsView.cpp:159
4 	xul.dll 	nsWindow::DispatchEvent 	widget/windows/nsWindow.cpp:3520
5 	xul.dll 	nsWindow::DispatchWindowEvent 	widget/windows/nsWindow.cpp:3546
6 	xul.dll 	nsWindow::OnPaint 	widget/windows/nsWindowGfx.cpp:606
...

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsRootPresContext::UpdatePluginGeometry 	layout/base/nsPresContext.cpp:2722
1 	xul.dll 	UpdatePluginGeometryCallback 	layout/base/nsPresContext.cpp:2742
2 	xul.dll 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:473
3 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:624
4 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:116
5 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:201
...

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsRootPresContext::UpdatePluginGeometry 	layout/base/nsPresContext.cpp:2722
1 	xul.dll 	PresShell::FlushPendingNotifications 	layout/base/nsPresShell.cpp:3898
2 	xul.dll 	nsDocument::FlushPendingNotifications 	content/base/src/nsDocument.cpp:6314
3 	xul.dll 	nsGlobalWindow::FlushPendingNotifications 	dom/base/nsGlobalWindow.cpp:10245
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsRootPresContext%3A%3AUpdatePluginGeometry%28%29
Comment 1 Scoobidiver (away) 2012-08-08 14:12:01 PDT
It's the #3 top crasher in today's build.
Comment 2 Robert Kaiser 2012-08-14 08:38:28 PDT
I think this is a dupe of bug 781272.
Comment 3 John Schoenick [:johns] 2012-08-14 11:19:21 PDT

*** This bug has been marked as a duplicate of bug 781272 ***
Comment 4 Andrew McCreight [:mccr8] 2012-08-21 10:50:20 PDT
Currently the #6 crasher.  It looks like a regression from bug 775965.

Here's my comment from bug 781265 which has more information:

I happened across a way to reproduce this on the latest Nightly.

Clean profile with just Flash active.

1. open youtube.com, start playing a video
2. While the youtube video is still playing, go to rng.io and let it run.

It crashes quickly.

Here are a few examples:
https://crash-stats.mozilla.com/report/index/bp-a588de12-8443-41e0-911c-1dd942120820
https://crash-stats.mozilla.com/report/index/bp-69f75b50-8a16-4b9c-9d44-65cb92120820
Comment 5 Andrew McCreight [:mccr8] 2012-08-21 10:52:56 PDT
This was initially being caused by bug 781272, but then that was fixed and a new regression came up, from bug 775965 judging by Alice's bisection of my steps to reproduce given in comment 4.
Comment 6 Robert Kaiser 2012-08-21 10:58:54 PDT
*** Bug 784365 has been marked as a duplicate of this bug. ***
Comment 7 Scoobidiver (away) 2012-08-21 11:46:47 PDT
With combined signatures, it's the #1 top crasher in the trunk.
Comment 8 Stephen Donner [:stephend] 2012-08-21 12:13:44 PDT
I'm hitting this just running through "all tests" on http://browserscope.org/, with Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0
Comment 9 Chris Pearce (:cpearce) 2012-08-21 17:46:18 PDT
The crash I see is caused by loading
http://www.zataz.com/news/22329/photobucket_-photo_-hack_-fusking.html

Stack is:

#0  0x00007f403184303d in nanosleep () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007f4031842edc in sleep () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007f402be3193e in ah_crap_handler (signum=11)
    at /home/cpearce/src/mozilla/orange/toolkit/xre/nsSigHandlers.cpp:87
#3  0x00007f402be3b976 in nsProfileLock::FatalSignalHandler (signo=11, info=0x7fffe1d45b30, 
    context=0x7fffe1d45a00) at /obj/orange/toolkit/profile/nsProfileLock.cpp:190
#4  <signal handler called>
#5  0x00007f402c0ce5e6 in nsStyleContext::GetRuleNode (this=0x5a5a5a5a5a5a5a5a)
    at ../../dist/include/nsStyleContext.h:190
#6  0x00007f402c0ce60c in nsIFrame::PresContext (this=0x7f400b8d41e8) at ../../dist/include/nsIFrame.h:547
#7  0x00007f402c1d72d6 in nsRootPresContext::RequestUpdatePluginGeometry (this=0x7f400db0a400, 
    aFrame=0x7f4009ca51e8) at /home/cpearce/src/mozilla/orange/layout/base/nsPresContext.cpp:2665
#8  0x00007f402c1f5592 in PresShell::DoReflow (this=0x7f400ddbdb20, target=0x7f4009ca51e8, aInterruptible=true)
    at /home/cpearce/src/mozilla/orange/layout/base/nsPresShell.cpp:7501
#9  0x00007f402c1f58b6 in PresShell::ProcessReflowCommands (this=0x7f400ddbdb20, aInterruptible=true)
    at /home/cpearce/src/mozilla/orange/layout/base/nsPresShell.cpp:7577
#10 0x00007f402c1e9494 in PresShell::FlushPendingNotifications (this=0x7f400ddbdb20, 
    aType=Flush_InterruptibleLayout) at /home/cpearce/src/mozilla/orange/layout/base/nsPresShell.cpp:3898
#11 0x00007f402c201ac6 in nsRefreshDriver::Notify (this=0x7f400ba7c210, aTimer=0x7f4005ff1fe0)
    at /home/cpearce/src/mozilla/orange/layout/base/nsRefreshDriver.cpp:398
#12 0x00007f402d8b9c6d in nsTimerImpl::Fire (this=0x7f4005ff1fe0)
    at /home/cpearce/src/mozilla/orange/xpcom/threads/nsTimerImpl.cpp:476
#13 0x00007f402d8ba053 in nsTimerEvent::Run (this=0x7f402247a788)
    at /home/cpearce/src/mozilla/orange/xpcom/threads/nsTimerImpl.cpp:556
#14 0x00007f402d8b1f3a in nsThread::ProcessNextEvent (this=0x7f403146f300, mayWait=false, 
    result=0x7fffe1d4662f) at /home/cpearce/src/mozilla/orange/xpcom/threads/nsThread.cpp:624
#15 0x00007f402d84317b in NS_ProcessNextEvent_P (thread=0x7f403146f300, mayWait=false)
    at /obj/orange/xpcom/build/nsThreadUtils.cpp:220
#16 0x00007f402d65b910 in mozilla::ipc::MessagePump::Run (this=0x7f402245cac0, aDelegate=0x7f40314d9f90)
    at /home/cpearce/src/mozilla/orange/ipc/glue/MessagePump.cpp:82
#17 0x00007f402d9032a7 in MessageLoop::RunInternal (this=0x7f40314d9f90)
    at /home/cpearce/src/mozilla/orange/ipc/chromium/src/base/message_loop.cc:208
#18 0x00007f402d903238 in MessageLoop::RunHandler (this=0x7f40314d9f90)
    at /home/cpearce/src/mozilla/orange/ipc/chromium/src/base/message_loop.cc:201
#19 0x00007f402d903211 in MessageLoop::Run (this=0x7f40314d9f90)
    at /home/cpearce/src/mozilla/orange/ipc/chromium/src/base/message_loop.cc:175
#20 0x00007f402d4d3038 in nsBaseAppShell::Run (this=0x7f401d93fa20)
    at /home/cpearce/src/mozilla/orange/widget/xpwidgets/nsBaseAppShell.cpp:163
#21 0x00007f402d200dd0 in nsAppStartup::Run (this=0x7f401d94d420)
    at /home/cpearce/src/mozilla/orange/toolkit/components/startup/nsAppStartup.cpp:273
#22 0x00007f402be23349 in XREMain::XRE_mainRun (this=0x7fffe1d46b00)
    at /home/cpearce/src/mozilla/orange/toolkit/xre/nsAppRunner.cpp:3800
#23 0x00007f402be23639 in XREMain::XRE_main (this=0x7fffe1d46b00, argc=4, argv=0x7fffe1d48f68, 
    aAppData=0x637c40) at /home/cpearce/src/mozilla/orange/toolkit/xre/nsAppRunner.cpp:3877
#24 0x00007f402be23882 in XRE_main (argc=4, argv=0x7fffe1d48f68, aAppData=0x637c40, aFlags=0)
    at /home/cpearce/src/mozilla/orange/toolkit/xre/nsAppRunner.cpp:3953
#25 0x0000000000402a7f in do_main (argc=4, argv=0x7fffe1d48f68)
    at /home/cpearce/src/mozilla/orange/browser/app/nsBrowserApp.cpp:174
#26 0x0000000000402d35 in main (argc=4, argv=0x7fffe1d48f68)
    at /home/cpearce/src/mozilla/orange/browser/app/nsBrowserApp.cpp:279

Reverting the patches from bug 775965 indeed fixes the crash, so it is a regression from bug 775965.
Comment 10 Chris Pearce (:cpearce) 2012-08-21 21:56:24 PDT
Created attachment 654091
Patch

Forget the plugin for geometry updates in the root PresContext right before we detach the sub doc's presentation.

This fixes the crashes reported as best as I can tell; it was not deterministic. I tested the URLs that Marcia listed in bug 781272 comment #3, and we no longer crash with this patch.

Looks promising so far on Try:

https://tbpl.mozilla.org/?tree=Try&rev=3440d9ef242b
Comment 11 Robert O'Callahan (:roc) (Exited; email my personal email if necessary) 2012-08-21 22:47:40 PDT
Comment on attachment 654091
Patch

Review of attachment 654091:
-----------------------------------------------------------------

::: layout/generic/nsSubDocumentFrame.cpp
@@ +818,5 @@
> +    if (presContext) {
> +      nsRootPresContext* rootPresContext = presContext->GetRootPresContext();
> +      if (rootPresContext) {
> +        rootPresContext->
> +          RootForgetUpdatePluginGeometryFrameForPresContext(presContext);
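
Review bot: At the RootForgetUpdatePluginGeometryFrameForPresContext(presContext) call, nothing in these lines shows which document presContext belongs to, and going by the function's name the call only clears the pending frame registered for that particular pres context. Suggest naming the variable after the document it comes from, or adding a one-line comment above the if (presContext) check stating whose PresContext() this is and why the frame has to be forgotten at this point.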

I think we should do this when we destroy the original nsSubdocumentFrame.
Comment 12 Chris Pearce (:cpearce) 2012-08-24 00:05:16 PDT
Created attachment 654945
Patch v2

Forget update plugin geometry in nsSubDocumentFrame::DestroyFrom().

I was also forgetting the update-plugin-geometry-frame in the outer-frame's PresContext(), not the sub frame's PresContext(), so we were actually still crashing sporadically. This version of the patch forgets in the subframe's PresContext.

https://tbpl.mozilla.org/?tree=Try&rev=95d0e0d01bbd
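
A simplified model of the lifetime problem discussed in comments 9 to 12, as an added example that is not part of the bug or of Gecko: a root context keeps a raw pointer to a plugin frame, and the pointer is only cleared when the forget call is made with the subdocument's context. All type and function names are hypothetical stand-ins, and matching the pending frame by its context is an assumption of the model.

```cpp
// Added illustration: a simplified model, not Gecko code. Every type and
// function name below is a hypothetical stand-in.
#include <cstdio>

struct PresContext { int id; };

struct Frame {
  PresContext* presContext;  // context the frame belongs to
};

// Stands in for the root pres context, which remembers (by raw pointer)
// the frame whose plugin geometry still needs updating.
struct RootContext {
  Frame* pendingFrame = nullptr;

  void RequestUpdate(Frame* f) { pendingFrame = f; }

  // Drop the pending frame only if it belongs to the given context
  // (assumed behaviour for this model).
  void ForgetFrameForContext(PresContext* pc) {
    if (pendingFrame && pendingFrame->presContext == pc) pendingFrame = nullptr;
  }
};

// Models tearing down a subdocument that contains a plugin frame.
// Returns true if the root still points at the frame being freed,
// i.e. a dangling pointer would be left behind for the next update.
bool DestroySubDocLeavesStalePointer(bool forgetInSubContext) {
  PresContext outer{1}, sub{2};
  RootContext root;
  Frame* pluginFrame = new Frame{&sub};  // frame lives in the subdocument
  root.RequestUpdate(pluginFrame);

  // Forgetting in the outer context vs. the subdocument's own context.
  root.ForgetFrameForContext(forgetInSubContext ? &sub : &outer);

  bool stale = (root.pendingFrame == pluginFrame);  // compare only, no deref
  delete pluginFrame;
  return stale;
}

int main() {
  std::printf("forget in outer context: stale=%d\n",
              DestroySubDocLeavesStalePointer(false));
  std::printf("forget in sub context:   stale=%d\n",
              DestroySubDocLeavesStalePointer(true));
  return 0;
}
```
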
Comment 14 Ryan VanderMeulen [:RyanVM] 2012-08-24 20:03:26 PDT
https://hg.mozilla.org/mozilla-central/rev/fe4538ef86c5
Comment 16 Virgil Dicu [:virgil] [QA] 2012-11-06 05:13:40 PST
Could not reproduce crash from comment 4 but crash from comment 9 reproducible for
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0
Build ID: 20120808030529

No crashes for
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 beta 4
Build ID: 20121031065642

I can still see 83 crashes for Beta 3 with this signature and 40 for Beta 4. 
There are 2 other bugs however which track crashes with this signature: bug 754380 and bug 798760 so setting this to verified for Beta.
Comment 17 Tracy Walker [:tracy] 2014-01-10 10:39:11 PST
mass remove verifyme requests greater than 4 months old
