Closed
Bug 781279
Opened 12 years ago
Closed 12 years ago
crash in nsRootPresContext::UpdatePluginGeometry
Categories
(Core :: Layout, defect)
Tracking
()
RESOLVED
FIXED
mozilla17
People
(Reporter: scoobidiver, Assigned: cpearce)
References
Details
(4 keywords)
Crash Data
Attachments
(1 file, 1 obsolete file)
1.50 KB,
patch
|
roc
:
review+
|
Details | Diff | Splinter Review |
There's a spike in crashes from 17.0a1/20120808. The regression range for the spike is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1bbc0b65dffb&tochange=e55638d4037a It's likely related to bug 781272. Stack traces are various: Frame Module Signature Source 0 xul.dll nsRootPresContext::UpdatePluginGeometry layout/base/nsPresContext.cpp:2722 1 xul.dll PresShell::DidPaint layout/base/nsPresShell.cpp:7068 2 xul.dll nsViewManager::DispatchEvent view/src/nsViewManager.cpp:770 3 xul.dll AttachedHandleEvent view/src/nsView.cpp:159 4 xul.dll nsWindow::DispatchEvent widget/windows/nsWindow.cpp:3520 5 xul.dll nsWindow::DispatchWindowEvent widget/windows/nsWindow.cpp:3546 6 xul.dll nsWindow::OnPaint widget/windows/nsWindowGfx.cpp:606 ... Frame Module Signature Source 0 xul.dll nsRootPresContext::UpdatePluginGeometry layout/base/nsPresContext.cpp:2722 1 xul.dll UpdatePluginGeometryCallback layout/base/nsPresContext.cpp:2742 2 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:473 3 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:624 4 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:116 5 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:201 ... Frame Module Signature Source 0 xul.dll nsRootPresContext::UpdatePluginGeometry layout/base/nsPresContext.cpp:2722 1 xul.dll PresShell::FlushPendingNotifications layout/base/nsPresShell.cpp:3898 2 xul.dll nsDocument::FlushPendingNotifications content/base/src/nsDocument.cpp:6314 3 xul.dll nsGlobalWindow::FlushPendingNotifications dom/base/nsGlobalWindow.cpp:10245 ... More reports at: https://crash-stats.mozilla.com/report/list?signature=nsRootPresContext%3A%3AUpdatePluginGeometry%28%29
Reporter | ||
Comment 1•12 years ago
|
||
It's #3 top crasher in today's build.
tracking-firefox17:
--- → ?
Keywords: topcrash
Reporter | ||
Updated•12 years ago
|
Crash Signature: [@ nsRootPresContext::UpdatePluginGeometry()] → [@ nsRootPresContext::UpdatePluginGeometry()]
[@ nsRootPresContext::UpdatePluginGeometry]
OS: Windows 7 → All
Comment 2•12 years ago
|
||
I think this is a dupe of bug 781272.
Updated•12 years ago
|
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Updated•12 years ago
|
Comment 4•12 years ago
|
||
Currently the #6 crasher. It looks like a regression from bug 775965. Here's my comment from bug 781265 which has more information: I happened across a way to reproduce this on the latest Nightly. Clean profile with just Flash active. 1. open youtube.com, start playing a video 2. While the youtube video is still playing, go to rng.io and let it run. It crashes quickly. here are a few examples: https://crash-stats.mozilla.com/report/index/bp-a588de12-8443-41e0-911c-1dd942120820 https://crash-stats.mozilla.com/report/index/bp-69f75b50-8a16-4b9c-9d44-65cb92120820
Comment 5•12 years ago
|
||
This was initially being caused by bug 781272, but then that was fixed and a new regression came up, from bug 775965 judging by Alice's bisection of my steps to reproduce given in comment 4.
Reporter | ||
Comment 7•12 years ago
|
||
With combined signatures, it's #1 top crasher in the trunk.
Status: REOPENED → NEW
Crash Signature: [@ nsRootPresContext::UpdatePluginGeometry()]
[@ nsRootPresContext::UpdatePluginGeometry] → [@ mozalloc_abort(char const* const) | NS_DebugBreak_P | nsIFrame::GetOffsetToCrossDoc(nsIFrame const* int)]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P]
[@ mozalloc_abort | NS_DebugBreak_P | nsIFrame::GetOffsetToCrossDoc]
[@ mozalloc_abort(…
Comment 8•12 years ago
|
||
I'm hitting this just running through "all tests" on http://browserscope.org/, with Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0
Assignee | ||
Comment 9•12 years ago
|
||
The crash I see is caused by loading http://www.zataz.com/news/22329/photobucket_-photo_-hack_-fusking.html Stack is: #0 0x00007f403184303d in nanosleep () from /lib/x86_64-linux-gnu/libc.so.6 #1 0x00007f4031842edc in sleep () from /lib/x86_64-linux-gnu/libc.so.6 #2 0x00007f402be3193e in ah_crap_handler (signum=11) at /home/cpearce/src/mozilla/orange/toolkit/xre/nsSigHandlers.cpp:87 #3 0x00007f402be3b976 in nsProfileLock::FatalSignalHandler (signo=11, info=0x7fffe1d45b30, context=0x7fffe1d45a00) at /obj/orange/toolkit/profile/nsProfileLock.cpp:190 #4 <signal handler called> #5 0x00007f402c0ce5e6 in nsStyleContext::GetRuleNode (this=0x5a5a5a5a5a5a5a5a) at ../../dist/include/nsStyleContext.h:190 #6 0x00007f402c0ce60c in nsIFrame::PresContext (this=0x7f400b8d41e8) at ../../dist/include/nsIFrame.h:547 #7 0x00007f402c1d72d6 in nsRootPresContext::RequestUpdatePluginGeometry (this=0x7f400db0a400, aFrame=0x7f4009ca51e8) at /home/cpearce/src/mozilla/orange/layout/base/nsPresContext.cpp:2665 #8 0x00007f402c1f5592 in PresShell::DoReflow (this=0x7f400ddbdb20, target=0x7f4009ca51e8, aInterruptible=true) at /home/cpearce/src/mozilla/orange/layout/base/nsPresShell.cpp:7501 #9 0x00007f402c1f58b6 in PresShell::ProcessReflowCommands (this=0x7f400ddbdb20, aInterruptible=true) at /home/cpearce/src/mozilla/orange/layout/base/nsPresShell.cpp:7577 #10 0x00007f402c1e9494 in PresShell::FlushPendingNotifications (this=0x7f400ddbdb20, aType=Flush_InterruptibleLayout) at /home/cpearce/src/mozilla/orange/layout/base/nsPresShell.cpp:3898 #11 0x00007f402c201ac6 in nsRefreshDriver::Notify (this=0x7f400ba7c210, aTimer=0x7f4005ff1fe0) at /home/cpearce/src/mozilla/orange/layout/base/nsRefreshDriver.cpp:398 #12 0x00007f402d8b9c6d in nsTimerImpl::Fire (this=0x7f4005ff1fe0) at /home/cpearce/src/mozilla/orange/xpcom/threads/nsTimerImpl.cpp:476 #13 0x00007f402d8ba053 in nsTimerEvent::Run (this=0x7f402247a788) at /home/cpearce/src/mozilla/orange/xpcom/threads/nsTimerImpl.cpp:556 #14 0x00007f402d8b1f3a in nsThread::ProcessNextEvent (this=0x7f403146f300, mayWait=false, result=0x7fffe1d4662f) at /home/cpearce/src/mozilla/orange/xpcom/threads/nsThread.cpp:624 #15 0x00007f402d84317b in NS_ProcessNextEvent_P (thread=0x7f403146f300, mayWait=false) at /obj/orange/xpcom/build/nsThreadUtils.cpp:220 #16 0x00007f402d65b910 in mozilla::ipc::MessagePump::Run (this=0x7f402245cac0, aDelegate=0x7f40314d9f90) at /home/cpearce/src/mozilla/orange/ipc/glue/MessagePump.cpp:82 #17 0x00007f402d9032a7 in MessageLoop::RunInternal (this=0x7f40314d9f90) at /home/cpearce/src/mozilla/orange/ipc/chromium/src/base/message_loop.cc:208 #18 0x00007f402d903238 in MessageLoop::RunHandler (this=0x7f40314d9f90) at /home/cpearce/src/mozilla/orange/ipc/chromium/src/base/message_loop.cc:201 #19 0x00007f402d903211 in MessageLoop::Run (this=0x7f40314d9f90) at /home/cpearce/src/mozilla/orange/ipc/chromium/src/base/message_loop.cc:175 #20 0x00007f402d4d3038 in nsBaseAppShell::Run (this=0x7f401d93fa20) at /home/cpearce/src/mozilla/orange/widget/xpwidgets/nsBaseAppShell.cpp:163 #21 0x00007f402d200dd0 in nsAppStartup::Run (this=0x7f401d94d420) at /home/cpearce/src/mozilla/orange/toolkit/components/startup/nsAppStartup.cpp:273 #22 0x00007f402be23349 in XREMain::XRE_mainRun (this=0x7fffe1d46b00) at /home/cpearce/src/mozilla/orange/toolkit/xre/nsAppRunner.cpp:3800 #23 0x00007f402be23639 in XREMain::XRE_main (this=0x7fffe1d46b00, argc=4, argv=0x7fffe1d48f68, aAppData=0x637c40) at /home/cpearce/src/mozilla/orange/toolkit/xre/nsAppRunner.cpp:3877 #24 0x00007f402be23882 in XRE_main (argc=4, argv=0x7fffe1d48f68, aAppData=0x637c40, aFlags=0) at /home/cpearce/src/mozilla/orange/toolkit/xre/nsAppRunner.cpp:3953 #25 0x0000000000402a7f in do_main (argc=4, argv=0x7fffe1d48f68) at /home/cpearce/src/mozilla/orange/browser/app/nsBrowserApp.cpp:174 #26 0x0000000000402d35 in main (argc=4, argv=0x7fffe1d48f68) at /home/cpearce/src/mozilla/orange/browser/app/nsBrowserApp.cpp:279 Reverting the patches from bug 775965 indeed fixes the crash, so it it a regression from bug 775965.
Assignee: nobody → cpearce
Assignee | ||
Comment 10•12 years ago
|
||
Forget the plugin for geometry updates in the root PresContext right before we we detach the sub doc's presentation. This fixes the crashes reported as best as I can tell; it was not deterministic. I tested the URLs the Marcia listed in bug 781272 comment #3, and we no longer crash with this patch. Looks promising so far on Try: https://tbpl.mozilla.org/?tree=Try&rev=3440d9ef242b
Attachment #654091 -
Flags: review?(roc)
Comment on attachment 654091 [details] [diff] [review] Patch Review of attachment 654091 [details] [diff] [review]: ----------------------------------------------------------------- ::: layout/generic/nsSubDocumentFrame.cpp @@ +818,5 @@ > + if (presContext) { > + nsRootPresContext* rootPresContext = presContext->GetRootPresContext(); > + if (rootPresContext) { > + rootPresContext-> > + RootForgetUpdatePluginGeometryFrameForPresContext(presContext); I think we should do this when we destroy the original nsSubdocumentFrame.
Assignee | ||
Comment 12•12 years ago
|
||
Forget update plugin geometry in nsSubDocumentFrame::DestroyFrom(). I was also forgetting the update-plugin-geometry-frame the outer-frame's PresContext(), not the sub frame's PresContext(), so we were actually still crashing sporadically. This version of the patch forgets in the subframe's PresContext. https://tbpl.mozilla.org/?tree=Try&rev=95d0e0d01bbd
Attachment #654091 -
Attachment is obsolete: true
Attachment #654091 -
Flags: review?(roc)
Attachment #654945 -
Flags: review?(roc)
Attachment #654945 -
Flags: review?(roc) → review+
Assignee | ||
Comment 13•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/fe4538ef86c5
Updated•12 years ago
|
Comment 14•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/fe4538ef86c5
Status: NEW → RESOLVED
Closed: 12 years ago → 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Reporter | ||
Updated•12 years ago
|
status-firefox17:
--- → fixed
Comment 16•12 years ago
|
||
Could not reproduce crash from comment 4 but crash from comment 9 reproducible for Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 Build ID: 20120808030529 No crashes for Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 beta 4 Build ID: 20121031065642 I can still see 83 crashes for Beta 3 with this signature and 40 for Beta 4. There are 2 other bugs however which track crashes with this signature: bug 754380 and bug 798760 so setting this to verified for Beta.
You need to log in
before you can comment on or make changes to this bug.
Description
•