Closed Bug 781279 Opened 11 years ago Closed 11 years ago

crash in nsRootPresContext::UpdatePluginGeometry


(Core :: Layout, defect)

17 Branch
Not set



Tracking Status
firefox17 + verified


(Reporter: scoobidiver, Assigned: cpearce)

There's a spike in crashes from 17.0a1/20120808. The regression range for the spike is:
It's likely related to bug 781272.

Stack traces are various:
Frame 	Module 	Signature 	Source
0 	xul.dll 	nsRootPresContext::UpdatePluginGeometry 	layout/base/nsPresContext.cpp:2722
1 	xul.dll 	PresShell::DidPaint 	layout/base/nsPresShell.cpp:7068
2 	xul.dll 	nsViewManager::DispatchEvent 	view/src/nsViewManager.cpp:770
3 	xul.dll 	AttachedHandleEvent 	view/src/nsView.cpp:159
4 	xul.dll 	nsWindow::DispatchEvent 	widget/windows/nsWindow.cpp:3520
5 	xul.dll 	nsWindow::DispatchWindowEvent 	widget/windows/nsWindow.cpp:3546
6 	xul.dll 	nsWindow::OnPaint 	widget/windows/nsWindowGfx.cpp:606

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsRootPresContext::UpdatePluginGeometry 	layout/base/nsPresContext.cpp:2722
1 	xul.dll 	UpdatePluginGeometryCallback 	layout/base/nsPresContext.cpp:2742
2 	xul.dll 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:473
3 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:624
4 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:116
5 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsRootPresContext::UpdatePluginGeometry 	layout/base/nsPresContext.cpp:2722
1 	xul.dll 	PresShell::FlushPendingNotifications 	layout/base/nsPresShell.cpp:3898
2 	xul.dll 	nsDocument::FlushPendingNotifications 	content/base/src/nsDocument.cpp:6314
3 	xul.dll 	nsGlobalWindow::FlushPendingNotifications 	dom/base/nsGlobalWindow.cpp:10245

More reports at:
It's #3 top crasher in today's build.
Keywords: topcrash
Crash Signature: [@ nsRootPresContext::UpdatePluginGeometry()] → [@ nsRootPresContext::UpdatePluginGeometry()] [@ nsRootPresContext::UpdatePluginGeometry]
OS: Windows 7 → All
I think this is a dupe of bug 781272.
Closed: 11 years ago
Resolution: --- → DUPLICATE
Currently the #6 crasher.  It looks like a regression from bug 775965.

Here's my comment from bug 781265 which has more information:

I happened across a way to reproduce this on the latest Nightly.

Clean profile with just Flash active.

1. open, start playing a video
2. While the youtube video is still playing, go to and let it run.

It crashes quickly.

here are a few examples:
Blocks: 775965
Resolution: DUPLICATE → ---
This was initially being caused by bug 781272, but then that was fixed and a new regression came up, from bug 775965 judging by Alice's bisection of my steps to reproduce given in comment 4.
Keywords: testcase
With combined signatures, it's #1 top crasher in the trunk.
Crash Signature: [@ nsRootPresContext::UpdatePluginGeometry()] [@ nsRootPresContext::UpdatePluginGeometry] → [@ mozalloc_abort(char const* const) | NS_DebugBreak_P | nsIFrame::GetOffsetToCrossDoc(nsIFrame const* int)] [@ mozalloc_abort(char const* const) | NS_DebugBreak_P] [@ mozalloc_abort | NS_DebugBreak_P | nsIFrame::GetOffsetToCrossDoc] [@ mozalloc_abort(…
I'm hitting this just running through "all tests" on, with Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0
The crash I see is caused by loading

Stack is:

#0  0x00007f403184303d in nanosleep () from /lib/x86_64-linux-gnu/
#1  0x00007f4031842edc in sleep () from /lib/x86_64-linux-gnu/
#2  0x00007f402be3193e in ah_crap_handler (signum=11)
    at /home/cpearce/src/mozilla/orange/toolkit/xre/nsSigHandlers.cpp:87
#3  0x00007f402be3b976 in nsProfileLock::FatalSignalHandler (signo=11, info=0x7fffe1d45b30, 
    context=0x7fffe1d45a00) at /obj/orange/toolkit/profile/nsProfileLock.cpp:190
#4  <signal handler called>
#5  0x00007f402c0ce5e6 in nsStyleContext::GetRuleNode (this=0x5a5a5a5a5a5a5a5a)
    at ../../dist/include/nsStyleContext.h:190
#6  0x00007f402c0ce60c in nsIFrame::PresContext (this=0x7f400b8d41e8) at ../../dist/include/nsIFrame.h:547
#7  0x00007f402c1d72d6 in nsRootPresContext::RequestUpdatePluginGeometry (this=0x7f400db0a400, 
    aFrame=0x7f4009ca51e8) at /home/cpearce/src/mozilla/orange/layout/base/nsPresContext.cpp:2665
#8  0x00007f402c1f5592 in PresShell::DoReflow (this=0x7f400ddbdb20, target=0x7f4009ca51e8, aInterruptible=true)
    at /home/cpearce/src/mozilla/orange/layout/base/nsPresShell.cpp:7501
#9  0x00007f402c1f58b6 in PresShell::ProcessReflowCommands (this=0x7f400ddbdb20, aInterruptible=true)
    at /home/cpearce/src/mozilla/orange/layout/base/nsPresShell.cpp:7577
#10 0x00007f402c1e9494 in PresShell::FlushPendingNotifications (this=0x7f400ddbdb20, 
    aType=Flush_InterruptibleLayout) at /home/cpearce/src/mozilla/orange/layout/base/nsPresShell.cpp:3898
#11 0x00007f402c201ac6 in nsRefreshDriver::Notify (this=0x7f400ba7c210, aTimer=0x7f4005ff1fe0)
    at /home/cpearce/src/mozilla/orange/layout/base/nsRefreshDriver.cpp:398
#12 0x00007f402d8b9c6d in nsTimerImpl::Fire (this=0x7f4005ff1fe0)
    at /home/cpearce/src/mozilla/orange/xpcom/threads/nsTimerImpl.cpp:476
#13 0x00007f402d8ba053 in nsTimerEvent::Run (this=0x7f402247a788)
    at /home/cpearce/src/mozilla/orange/xpcom/threads/nsTimerImpl.cpp:556
#14 0x00007f402d8b1f3a in nsThread::ProcessNextEvent (this=0x7f403146f300, mayWait=false, 
    result=0x7fffe1d4662f) at /home/cpearce/src/mozilla/orange/xpcom/threads/nsThread.cpp:624
#15 0x00007f402d84317b in NS_ProcessNextEvent_P (thread=0x7f403146f300, mayWait=false)
    at /obj/orange/xpcom/build/nsThreadUtils.cpp:220
#16 0x00007f402d65b910 in mozilla::ipc::MessagePump::Run (this=0x7f402245cac0, aDelegate=0x7f40314d9f90)
    at /home/cpearce/src/mozilla/orange/ipc/glue/MessagePump.cpp:82
#17 0x00007f402d9032a7 in MessageLoop::RunInternal (this=0x7f40314d9f90)
    at /home/cpearce/src/mozilla/orange/ipc/chromium/src/base/
#18 0x00007f402d903238 in MessageLoop::RunHandler (this=0x7f40314d9f90)
    at /home/cpearce/src/mozilla/orange/ipc/chromium/src/base/
#19 0x00007f402d903211 in MessageLoop::Run (this=0x7f40314d9f90)
    at /home/cpearce/src/mozilla/orange/ipc/chromium/src/base/
#20 0x00007f402d4d3038 in nsBaseAppShell::Run (this=0x7f401d93fa20)
    at /home/cpearce/src/mozilla/orange/widget/xpwidgets/nsBaseAppShell.cpp:163
#21 0x00007f402d200dd0 in nsAppStartup::Run (this=0x7f401d94d420)
    at /home/cpearce/src/mozilla/orange/toolkit/components/startup/nsAppStartup.cpp:273
#22 0x00007f402be23349 in XREMain::XRE_mainRun (this=0x7fffe1d46b00)
    at /home/cpearce/src/mozilla/orange/toolkit/xre/nsAppRunner.cpp:3800
#23 0x00007f402be23639 in XREMain::XRE_main (this=0x7fffe1d46b00, argc=4, argv=0x7fffe1d48f68, 
    aAppData=0x637c40) at /home/cpearce/src/mozilla/orange/toolkit/xre/nsAppRunner.cpp:3877
#24 0x00007f402be23882 in XRE_main (argc=4, argv=0x7fffe1d48f68, aAppData=0x637c40, aFlags=0)
    at /home/cpearce/src/mozilla/orange/toolkit/xre/nsAppRunner.cpp:3953
#25 0x0000000000402a7f in do_main (argc=4, argv=0x7fffe1d48f68)
    at /home/cpearce/src/mozilla/orange/browser/app/nsBrowserApp.cpp:174
#26 0x0000000000402d35 in main (argc=4, argv=0x7fffe1d48f68)
    at /home/cpearce/src/mozilla/orange/browser/app/nsBrowserApp.cpp:279

Reverting the patches from bug 775965 indeed fixes the crash, so it is a regression from bug 775965.
Assignee: nobody → cpearce
Attached patch Patch (obsolete) — Splinter Review
Forget the plugin for geometry updates in the root PresContext right before we detach the sub doc's presentation.

This fixes the crashes reported as best as I can tell; it was not deterministic. I tested the URLs that Marcia listed in bug 781272 comment #3, and we no longer crash with this patch.

Looks promising so far on Try:
Attachment #654091 - Flags: review?(roc)
Comment on attachment 654091 [details] [diff] [review]

Review of attachment 654091 [details] [diff] [review]:

::: layout/generic/nsSubDocumentFrame.cpp
@@ +818,5 @@
> +    if (presContext) {
> +      nsRootPresContext* rootPresContext = presContext->GetRootPresContext();
> +      if (rootPresContext) {
> +        rootPresContext->
> +          RootForgetUpdatePluginGeometryFrameForPresContext(presContext);
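
Review bot: the quoted lines do not show which pres context `presContext` refers to at the call to `RootForgetUpdatePluginGeometryFrameForPresContext(presContext)`. Because the call is keyed on that argument, passing the containing document's context instead of the sub-document's would leave the registration in place without any visible failure. A short comment above `if (presContext) {` naming the document this context belongs to would let a reader confirm the right one is being forgotten.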

I think we should do this when we destroy the original nsSubdocumentFrame.
Attached patch Patch v2 Splinter Review
Forget update plugin geometry in nsSubDocumentFrame::DestroyFrom().

I was also forgetting the update-plugin-geometry-frame in the outer-frame's PresContext(), not the sub frame's PresContext(), so we were actually still crashing sporadically. This version of the patch forgets in the subframe's PresContext.
Attachment #654091 - Attachment is obsolete: true
Attachment #654091 - Flags: review?(roc)
Attachment #654945 - Flags: review?(roc)
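
A simplified model of the lifetime problem the two patch versions discuss, as an added example that is not code from the Mozilla tree or from the patch author: a root object keeps a non-owning pointer to a frame awaiting a geometry update, and that pointer has to be forgotten, using the pres context the frame belongs to, before the frame is destroyed. All type and function names here (`Root`, `Frame`, `ForgetForContext`, `RunCase`) are hypothetical stand-ins.

```cpp
#include <cstdio>

// Hypothetical stand-ins for illustration; these are not Gecko classes.
struct PresContext { int id; };

struct Frame {
  PresContext* pc;                        // context this frame belongs to
  explicit Frame(PresContext* p) : pc(p) {}
};

// Root keeps a non-owning pointer to the frame awaiting a geometry update.
class Root {
  Frame* pending_ = nullptr;
  PresContext* pendingCtx_ = nullptr;     // cached so Forget never reads *pending_
public:
  void Request(Frame* f) { pending_ = f; pendingCtx_ = f->pc; }
  // Clears the pending frame only if it was registered for ctx.
  void ForgetForContext(PresContext* ctx) {
    if (pending_ && pendingCtx_ == ctx) {
      pending_ = nullptr;
      pendingCtx_ = nullptr;
    }
  }
  bool HasPending() const { return pending_ != nullptr; }
};

// Forgets with forgetCtx, then destroys the frame.
// Returns true if Root is left holding a pointer to the destroyed frame.
bool DestroyLeavesDangling(Root& root, Frame* frame, PresContext* forgetCtx) {
  root.ForgetForContext(forgetCtx);
  delete frame;
  return root.HasPending();               // pointer is only tested, never dereferenced
}

// Constructed scenario: one frame registered under the sub-document's context.
bool RunCase(bool useSubDocContext) {
  PresContext outer{1}, sub{2};
  Root root;
  Frame* f = new Frame(&sub);
  root.Request(f);
  return DestroyLeavesDangling(root, f, useSubDocContext ? &sub : &outer);
}

int main() {
  std::printf("forget with outer context:   dangling=%d\n", RunCase(false));
  std::printf("forget with sub-doc context: dangling=%d\n", RunCase(true));
}
```
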
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Keywords: verifyme
Could not reproduce crash from comment 4 but crash from comment 9 reproducible for
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0
Build ID: 20120808030529

No crashes for
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 beta 4
Build ID: 20121031065642

I can still see 83 crashes for Beta 3 with this signature and 40 for Beta 4. 
There are 2 other bugs however which track crashes with this signature: bug 754380 and bug 798760 so setting this to verified for Beta.
mass remove verifyme requests greater than 4 months old
Keywords: verifyme