Closed
Bug 781279
Opened 13 years ago
Closed 13 years ago
crash in nsRootPresContext::UpdatePluginGeometry
Categories
(Core :: Layout, defect)
Tracking
()
RESOLVED
FIXED
mozilla17
People
(Reporter: scoobidiver, Assigned: cpearce)
References
Details
(4 keywords)
Crash Data
Attachments
(1 file, 1 obsolete file)
1.50 KB,
patch
|
roc
:
review+
|
Details | Diff | Splinter Review |
There's a spike in crashes from 17.0a1/20120808. The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1bbc0b65dffb&tochange=e55638d4037a
It's likely related to bug 781272.
Stack traces are various:
Frame Module Signature Source
0 xul.dll nsRootPresContext::UpdatePluginGeometry layout/base/nsPresContext.cpp:2722
1 xul.dll PresShell::DidPaint layout/base/nsPresShell.cpp:7068
2 xul.dll nsViewManager::DispatchEvent view/src/nsViewManager.cpp:770
3 xul.dll AttachedHandleEvent view/src/nsView.cpp:159
4 xul.dll nsWindow::DispatchEvent widget/windows/nsWindow.cpp:3520
5 xul.dll nsWindow::DispatchWindowEvent widget/windows/nsWindow.cpp:3546
6 xul.dll nsWindow::OnPaint widget/windows/nsWindowGfx.cpp:606
...
Frame Module Signature Source
0 xul.dll nsRootPresContext::UpdatePluginGeometry layout/base/nsPresContext.cpp:2722
1 xul.dll UpdatePluginGeometryCallback layout/base/nsPresContext.cpp:2742
2 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:473
3 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:624
4 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:116
5 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:201
...
Frame Module Signature Source
0 xul.dll nsRootPresContext::UpdatePluginGeometry layout/base/nsPresContext.cpp:2722
1 xul.dll PresShell::FlushPendingNotifications layout/base/nsPresShell.cpp:3898
2 xul.dll nsDocument::FlushPendingNotifications content/base/src/nsDocument.cpp:6314
3 xul.dll nsGlobalWindow::FlushPendingNotifications dom/base/nsGlobalWindow.cpp:10245
...
More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsRootPresContext%3A%3AUpdatePluginGeometry%28%29
Reporter | ||
Comment 1•13 years ago
|
||
It's #3 top crasher in today's build.
tracking-firefox17:
--- → ?
Keywords: topcrash
Reporter | ||
Updated•13 years ago
|
Crash Signature: [@ nsRootPresContext::UpdatePluginGeometry()] → [@ nsRootPresContext::UpdatePluginGeometry()]
[@ nsRootPresContext::UpdatePluginGeometry]
OS: Windows 7 → All
![]() |
||
Comment 2•13 years ago
|
||
I think this is a dupe of bug 781272.
Updated•13 years ago
|
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Updated•13 years ago
|
Comment 4•13 years ago
|
||
Currently the #6 crasher. It looks like a regression from bug 775965.
Here's my comment from bug 781265 which has more information:
I happened across a way to reproduce this on the latest Nightly.
Clean profile with just Flash active.
1. open youtube.com, start playing a video
2. While the youtube video is still playing, go to rng.io and let it run.
It crashes quickly.
here are a few examples:
https://crash-stats.mozilla.com/report/index/bp-a588de12-8443-41e0-911c-1dd942120820
https://crash-stats.mozilla.com/report/index/bp-69f75b50-8a16-4b9c-9d44-65cb92120820
Comment 5•13 years ago
|
||
This was initially being caused by bug 781272, but then that was fixed and a new regression came up, from bug 775965 judging by Alice's bisection of my steps to reproduce given in comment 4.
Reporter | ||
Comment 7•13 years ago
|
||
With combined signatures, it's #1 top crasher in the trunk.
Status: REOPENED → NEW
Crash Signature: [@ nsRootPresContext::UpdatePluginGeometry()]
[@ nsRootPresContext::UpdatePluginGeometry] → [@ mozalloc_abort(char const* const) | NS_DebugBreak_P | nsIFrame::GetOffsetToCrossDoc(nsIFrame const* int)]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P]
[@ mozalloc_abort | NS_DebugBreak_P | nsIFrame::GetOffsetToCrossDoc]
[@ mozalloc_abort(…
Comment 8•13 years ago
|
||
I'm hitting this just running through "all tests" on http://browserscope.org/, with Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0
Assignee | ||
Comment 9•13 years ago
|
||
The crash I see is caused by loading
http://www.zataz.com/news/22329/photobucket_-photo_-hack_-fusking.html
Stack is:
#0 0x00007f403184303d in nanosleep () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007f4031842edc in sleep () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007f402be3193e in ah_crap_handler (signum=11)
at /home/cpearce/src/mozilla/orange/toolkit/xre/nsSigHandlers.cpp:87
#3 0x00007f402be3b976 in nsProfileLock::FatalSignalHandler (signo=11, info=0x7fffe1d45b30,
context=0x7fffe1d45a00) at /obj/orange/toolkit/profile/nsProfileLock.cpp:190
#4 <signal handler called>
#5 0x00007f402c0ce5e6 in nsStyleContext::GetRuleNode (this=0x5a5a5a5a5a5a5a5a)
at ../../dist/include/nsStyleContext.h:190
#6 0x00007f402c0ce60c in nsIFrame::PresContext (this=0x7f400b8d41e8) at ../../dist/include/nsIFrame.h:547
#7 0x00007f402c1d72d6 in nsRootPresContext::RequestUpdatePluginGeometry (this=0x7f400db0a400,
aFrame=0x7f4009ca51e8) at /home/cpearce/src/mozilla/orange/layout/base/nsPresContext.cpp:2665
#8 0x00007f402c1f5592 in PresShell::DoReflow (this=0x7f400ddbdb20, target=0x7f4009ca51e8, aInterruptible=true)
at /home/cpearce/src/mozilla/orange/layout/base/nsPresShell.cpp:7501
#9 0x00007f402c1f58b6 in PresShell::ProcessReflowCommands (this=0x7f400ddbdb20, aInterruptible=true)
at /home/cpearce/src/mozilla/orange/layout/base/nsPresShell.cpp:7577
#10 0x00007f402c1e9494 in PresShell::FlushPendingNotifications (this=0x7f400ddbdb20,
aType=Flush_InterruptibleLayout) at /home/cpearce/src/mozilla/orange/layout/base/nsPresShell.cpp:3898
#11 0x00007f402c201ac6 in nsRefreshDriver::Notify (this=0x7f400ba7c210, aTimer=0x7f4005ff1fe0)
at /home/cpearce/src/mozilla/orange/layout/base/nsRefreshDriver.cpp:398
#12 0x00007f402d8b9c6d in nsTimerImpl::Fire (this=0x7f4005ff1fe0)
at /home/cpearce/src/mozilla/orange/xpcom/threads/nsTimerImpl.cpp:476
#13 0x00007f402d8ba053 in nsTimerEvent::Run (this=0x7f402247a788)
at /home/cpearce/src/mozilla/orange/xpcom/threads/nsTimerImpl.cpp:556
#14 0x00007f402d8b1f3a in nsThread::ProcessNextEvent (this=0x7f403146f300, mayWait=false,
result=0x7fffe1d4662f) at /home/cpearce/src/mozilla/orange/xpcom/threads/nsThread.cpp:624
#15 0x00007f402d84317b in NS_ProcessNextEvent_P (thread=0x7f403146f300, mayWait=false)
at /obj/orange/xpcom/build/nsThreadUtils.cpp:220
#16 0x00007f402d65b910 in mozilla::ipc::MessagePump::Run (this=0x7f402245cac0, aDelegate=0x7f40314d9f90)
at /home/cpearce/src/mozilla/orange/ipc/glue/MessagePump.cpp:82
#17 0x00007f402d9032a7 in MessageLoop::RunInternal (this=0x7f40314d9f90)
at /home/cpearce/src/mozilla/orange/ipc/chromium/src/base/message_loop.cc:208
#18 0x00007f402d903238 in MessageLoop::RunHandler (this=0x7f40314d9f90)
at /home/cpearce/src/mozilla/orange/ipc/chromium/src/base/message_loop.cc:201
#19 0x00007f402d903211 in MessageLoop::Run (this=0x7f40314d9f90)
at /home/cpearce/src/mozilla/orange/ipc/chromium/src/base/message_loop.cc:175
#20 0x00007f402d4d3038 in nsBaseAppShell::Run (this=0x7f401d93fa20)
at /home/cpearce/src/mozilla/orange/widget/xpwidgets/nsBaseAppShell.cpp:163
#21 0x00007f402d200dd0 in nsAppStartup::Run (this=0x7f401d94d420)
at /home/cpearce/src/mozilla/orange/toolkit/components/startup/nsAppStartup.cpp:273
#22 0x00007f402be23349 in XREMain::XRE_mainRun (this=0x7fffe1d46b00)
at /home/cpearce/src/mozilla/orange/toolkit/xre/nsAppRunner.cpp:3800
#23 0x00007f402be23639 in XREMain::XRE_main (this=0x7fffe1d46b00, argc=4, argv=0x7fffe1d48f68,
aAppData=0x637c40) at /home/cpearce/src/mozilla/orange/toolkit/xre/nsAppRunner.cpp:3877
#24 0x00007f402be23882 in XRE_main (argc=4, argv=0x7fffe1d48f68, aAppData=0x637c40, aFlags=0)
at /home/cpearce/src/mozilla/orange/toolkit/xre/nsAppRunner.cpp:3953
#25 0x0000000000402a7f in do_main (argc=4, argv=0x7fffe1d48f68)
at /home/cpearce/src/mozilla/orange/browser/app/nsBrowserApp.cpp:174
#26 0x0000000000402d35 in main (argc=4, argv=0x7fffe1d48f68)
at /home/cpearce/src/mozilla/orange/browser/app/nsBrowserApp.cpp:279
Reverting the patches from bug 775965 indeed fixes the crash, so it it a regression from bug 775965.
Assignee: nobody → cpearce
Assignee | ||
Comment 10•13 years ago
|
||
Forget the plugin for geometry updates in the root PresContext right before we we detach the sub doc's presentation.
This fixes the crashes reported as best as I can tell; it was not deterministic. I tested the URLs the Marcia listed in bug 781272 comment #3, and we no longer crash with this patch.
Looks promising so far on Try:
https://tbpl.mozilla.org/?tree=Try&rev=3440d9ef242b
Attachment #654091 -
Flags: review?(roc)
Comment on attachment 654091 [details] [diff] [review]
Patch
Review of attachment 654091 [details] [diff] [review]:
-----------------------------------------------------------------
::: layout/generic/nsSubDocumentFrame.cpp
@@ +818,5 @@
> + if (presContext) {
> + nsRootPresContext* rootPresContext = presContext->GetRootPresContext();
> + if (rootPresContext) {
> + rootPresContext->
> + RootForgetUpdatePluginGeometryFrameForPresContext(presContext);
I think we should do this when we destroy the original nsSubdocumentFrame.
Assignee | ||
Comment 12•13 years ago
|
||
Forget update plugin geometry in nsSubDocumentFrame::DestroyFrom().
I was also forgetting the update-plugin-geometry-frame the outer-frame's PresContext(), not the sub frame's PresContext(), so we were actually still crashing sporadically. This version of the patch forgets in the subframe's PresContext.
https://tbpl.mozilla.org/?tree=Try&rev=95d0e0d01bbd
Attachment #654091 -
Attachment is obsolete: true
Attachment #654091 -
Flags: review?(roc)
Attachment #654945 -
Flags: review?(roc)
Attachment #654945 -
Flags: review?(roc) → review+
Assignee | ||
Comment 13•13 years ago
|
||
Updated•13 years ago
|
Comment 14•13 years ago
|
||
Status: NEW → RESOLVED
Closed: 13 years ago → 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Reporter | ||
Updated•13 years ago
|
status-firefox17:
--- → fixed
Comment 16•13 years ago
|
||
Could not reproduce crash from comment 4 but crash from comment 9 reproducible for
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0
Build ID: 20120808030529
No crashes for
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 beta 4
Build ID: 20121031065642
I can still see 83 crashes for Beta 3 with this signature and 40 for Beta 4.
There are 2 other bugs however which track crashes with this signature: bug 754380 and bug 798760 so setting this to verified for Beta.
You need to log in
before you can comment on or make changes to this bug.
Description
•