Open
Bug 830679
Opened 13 years ago
Updated 2 years ago
Crash in SaveSubtreeState
Categories
(Core :: DOM: Core & HTML, defect, P3)
NEW
blocking-b2g: -

| | Tracking | Status |
|---|---|---|
| firefox40 | --- | affected |
| firefox41 | --- | affected |
| firefox42 | --- | affected |
| firefox43 | --- | affected |
| firefox44 | --- | affected |
| firefox47 | --- | affected |
| firefox48 | --- | affected |
| firefox49 | --- | affected |
| firefox-esr45 | --- | affected |
| b2g18 | - | --- |
| firefox50 | --- | affected |
| firefox51 | --- | affected |
| firefox-esr52 | --- | affected |
| firefox57 | --- | affected |
| firefox58 | --- | affected |
| firefox59 | --- | affected |
People
(Reporter: tzimmermann, Unassigned)
Details
(Keywords: crash, Whiteboard: [b2g-crash][qa-not-actionable])
I triggered a segmentation fault when clicking 'Restart' in b2g's UI. Stack trace, registers and threads are listed below.
version: e9dfbe2e99bfec5c1609b8e7fafe54477914c715 from git://github.com/mozilla-b2g/B2G.git (b2g18)
gecko: b75dfee39f8a5b634a9bc39dacf2bdf59ee4333f
gaia: df38c1bb813029f3ccfa4a997fb1529b3ff1a1ff
>>>>
tdz@linux-6f0r:~/Projects/mozilla/src/B2G-unagi> ./run-gdb.sh attach 109
Attached; pid = 109
Listening on port 11109
prebuilt/linux-x86/toolchain/arm-linux-androideabi-4.4.x/bin/arm-linux-androideabi-gdb -x /tmp/b2g.gdbinit.tdz /home/tdz/Projects/mozilla/src/B2G-unagi/objdir-gecko/dist/bin/b2g
GNU gdb (GDB) 7.1-android-gg2
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "--host=i686-linux-gnu --target=arm-elf-linux".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Really redefine built-in command "frame"? (y or n) [answered Y; input not from terminal]
Really redefine built-in command "thread"? (y or n) [answered Y; input not from terminal]
Really redefine built-in command "start"? (y or n) [answered Y; input not from terminal]
Reading symbols from /home/tdz/Projects/mozilla/src/B2G-unagi/objdir-gecko/dist/bin/b2g...done.
Remote debugging from host 127.0.0.1
_______________________________________________________________________________
Error while running hook_stop:
Value can't be converted to integer.
syscall () at bionic/libc/arch-arm/bionic/syscall.S:50
50 ldmfd sp!, {r4, r5, r6, r7}
gdb> c
Program received signal SIGSEGV, Segmentation fault.
_______________________________________________________________________________
Error while running hook_stop:
Value can't be converted to integer.
mozilla::dom::FragmentOrElement::SaveSubtreeState (this=0x48123790) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/content/base/src/FragmentOrElement.cpp:1077
1077 mAttrsAndChildren.ChildAt(i)->SaveSubtreeState();
gdb> bt
#0 mozilla::dom::FragmentOrElement::SaveSubtreeState (this=0x48123790) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/content/base/src/FragmentOrElement.cpp:1077
#1 0x40c01bfc in mozilla::dom::FragmentOrElement::SaveSubtreeState (this=0x429663d0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/content/base/src/FragmentOrElement.cpp:1077
#2 0x40c01bfc in mozilla::dom::FragmentOrElement::SaveSubtreeState (this=0x42966380) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/content/base/src/FragmentOrElement.cpp:1077
#3 0x40c01bfc in mozilla::dom::FragmentOrElement::SaveSubtreeState (this=0x43f206a0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/content/base/src/FragmentOrElement.cpp:1077
#4 0x40bc615c in nsDocument::RemovedFromDocShell (this=0x44bca000) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/content/base/src/nsDocument.cpp:7214
#5 0x40c8ea34 in nsHTMLDocument::RemovedFromDocShell (this=0x0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/content/html/document/src/nsHTMLDocument.cpp:3489
#6 0x40aad524 in DocumentViewerImpl::Close (this=0x43fde530, aSHEntry=<value optimized out>) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/layout/base/nsDocumentViewer.cpp:1440
#7 0x40f2dd1a in nsDocShell::Destroy (this=0x472a0400) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/docshell/base/nsDocShell.cpp:4880
#8 0x40bd3084 in nsFrameLoader::Finalize (this=0x47c6dbf0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/content/base/src/nsFrameLoader.cpp:580
#9 0x40bcf870 in nsDocument::MaybeInitializeFinalizeFrameLoaders (this=0x47220800) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/content/base/src/nsDocument.cpp:5646
#10 0x409c11d0 in nsRunnableMethodImpl<void (nsPACMan::*)(), true>::Run (this=<value optimized out>) at ../../../dist/include/nsThreadUtils.h:366
#11 0x40bafbb2 in nsContentUtils::AddScriptRunner (aRunnable=<value optimized out>) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/content/base/src/nsContentUtils.cpp:5053
#12 0x40bc5284 in nsDocument::FinalizeFrameLoader (this=0x47220800, aLoader=0xbea76704) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/content/base/src/nsDocument.cpp:5602
#13 0x40bd3ff4 in nsFrameLoader::Destroy (this=0x47c6dbf0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/content/base/src/nsFrameLoader.cpp:1370
#14 0x40c528fa in nsGenericHTMLFrameElement::DestroyContent (this=0x47347e20) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/content/html/content/src/nsGenericHTMLFrameElement.cpp:232
#15 0x40c02af0 in mozilla::dom::FragmentOrElement::DestroyContent (this=0x47209600) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/content/base/src/FragmentOrElement.cpp:1068
#16 0x40e4108c in nsXULElement::DestroyContent (this=0x47209600) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/content/xul/content/src/nsXULElement.cpp:1076
#17 0x40bc7f80 in nsDocument::Destroy (this=0x47220800) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/content/base/src/nsDocument.cpp:7187
#18 0x40aaf660 in DocumentViewerImpl::Destroy (this=0x4292bf30) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/layout/base/nsDocumentViewer.cpp:1616
#19 0x40f2dd24 in nsDocShell::Destroy (this=0x43e61c00) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/docshell/base/nsDocShell.cpp:4881
#20 0x40f62a40 in nsXULWindow::Destroy (this=0x44b1a420) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/xpfe/appshell/src/nsXULWindow.cpp:469
#21 0x40f64072 in nsWebShellWindow::Destroy (this=0x44b1a420) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/xpfe/appshell/src/nsWebShellWindow.cpp:758
#22 0x40f5de24 in nsChromeTreeOwner::Destroy (this=<value optimized out>) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/xpfe/appshell/src/nsChromeTreeOwner.cpp:348
#23 0x40cf6d36 in nsGlobalWindow::ReallyCloseWindow (this=0x42a9a780) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/dom/base/nsGlobalWindow.cpp:6716
#24 0x40cf6d82 in nsCloseEvent::Run (this=<value optimized out>) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/dom/base/nsGlobalWindow.cpp:6505
#25 0x4116b342 in nsThread::ProcessNextEvent (this=0x405098e0, mayWait=<value optimized out>, result=0xbea768ff) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/xpcom/threads/nsThread.cpp:620
#26 0x4114b76e in NS_ProcessNextEvent_P (thread=0x429f9640, mayWait=0x1) at /home/tdz/Projects/mozilla/src/B2G-unagi/objdir-gecko/xpcom/build/nsThreadUtils.cpp:237
#27 0x4116b4d8 in nsThread::Shutdown (this=0x4735db80) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/xpcom/threads/nsThread.cpp:467
#28 0x4116c2a8 in nsThreadPool::Shutdown (this=<value optimized out>) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/xpcom/threads/nsThreadPool.cpp:262
#29 0x40d77d68 in mozilla::dom::indexedDB::TransactionThreadPool::Cleanup (this=0x464fd550) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/dom/indexedDB/TransactionThreadPool.cpp:160
#30 0x40d77e0e in mozilla::dom::indexedDB::TransactionThreadPool::Shutdown () at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/dom/indexedDB/TransactionThreadPool.cpp:121
#31 0x40d725fe in mozilla::dom::indexedDB::IndexedDatabaseManager::Observe (this=0x429291b0, aSubject=0x0, aTopic=<value optimized out>, aData=<value optimized out>) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/dom/indexedDB/IndexedDatabaseManager.cpp:1646
#32 0x4115601c in nsObserverList::NotifyObservers (this=<value optimized out>, aSubject=0x0, aTopic=0x415e700f "profile-before-change", someData=0x416a0cd2) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/xpcom/ds/nsObserverList.cpp:99
#33 0x411560fc in nsObserverService::NotifyObservers (this=<value optimized out>, aSubject=0x0, aTopic=0x415e700f "profile-before-change", someData=0x416a0cd2) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/xpcom/ds/nsObserverService.cpp:149
#34 0x40d33cca in mozilla::dom::power::PowerManagerService::SyncProfile (this=<value optimized out>) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/dom/power/PowerManagerService.cpp:110
#35 0x40d33d3a in mozilla::dom::power::PowerManagerService::Reboot (this=0x42afefe0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/dom/power/PowerManagerService.cpp:119
#36 0x40d33788 in mozilla::dom::power::PowerManager::Reboot (this=<value optimized out>) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/dom/power/PowerManager.cpp:68
#37 0x411774d4 in NS_InvokeByIndex_P (that=0x43f90580, methodIndex=<value optimized out>, paramCount=<value optimized out>, params=<value optimized out>) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:160
#38 0x40ed1e92 in CallMethodHelper::Invoke (ccx=<value optimized out>, mode=<value optimized out>) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/js/xpconnect/src/XPCWrappedNative.cpp:3083
#39 CallMethodHelper::Call (ccx=<value optimized out>, mode=<value optimized out>) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/js/xpconnect/src/XPCWrappedNative.cpp:2417
#40 XPCWrappedNative::CallMethod (ccx=<value optimized out>, mode=<value optimized out>) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/js/xpconnect/src/XPCWrappedNative.cpp:2383
#41 0x40ed66e4 in XPC_WN_CallMethod (cx=0x47243040, argc=0x0, vp=0x42cf1060) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1469
#42 0x413d8160 in CallJSNative (cx=0x47243040, args=..., construct=js::NO_CONSTRUCT) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/js/src/jscntxtinlines.h:364
#43 InvokeKernel (cx=0x47243040, args=..., construct=js::NO_CONSTRUCT) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/js/src/jsinterp.cpp:367
#44 0x413d5952 in js::Interpret (cx=0x47243040, entryFrame=<value optimized out>, interpMode=<value optimized out>) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/js/src/jsinterp.cpp:2475
#45 0x413d7a1e in js::RunScript (cx=0x47243040, script=<value optimized out>, fp=0x42cf1020) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/js/src/jsinterp.cpp:324
#46 0x413d93dc in InvokeKernel (cx=0x47243040, thisv=..., fval=<value optimized out>, argc=<value optimized out>, argv=0x0, rval=0xbea775f0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/js/src/jsinterp.cpp:378
#47 Invoke (cx=0x47243040, thisv=..., fval=<value optimized out>, argc=<value optimized out>, argv=0x0, rval=0xbea775f0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/js/src/jsinterp.h:109
#48 Invoke (cx=0x47243040, thisv=..., fval=<value optimized out>, argc=<value optimized out>, argv=0x0, rval=0xbea775f0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/js/src/jsinterp.cpp:411
#49 0x4137627a in JS_CallFunctionValue (cx=0x47243040, objArg=<value optimized out>, fval=..., argc=0x0, argv=0x0, rval=0xbea775f0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/js/src/jsapi.cpp:5889
#50 0x40ce01a8 in nsJSContext::CallEventHandler (this=0x47c6dc90, aTarget=<value optimized out>, aScope=<value optimized out>, aHandler=<value optimized out>, aargv=0x48a16f60, arv=0xbea77684) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/dom/base/nsJSEnvironment.cpp:1939
#51 0x40ceb8ae in nsGlobalWindow::RunTimeoutHandler (this=0x42a9cf60, aTimeout=0x47cc1600, aScx=0x47c6dc90) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/dom/base/nsGlobalWindow.cpp:9702
#52 0x40cf45fe in nsGlobalWindow::RunTimeout (this=0x42a9cf60, aTimeout=0x47cc1600) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/dom/base/nsGlobalWindow.cpp:9951
#53 0x40cf46ec in nsGlobalWindow::TimerCallback (aTimer=<value optimized out>, aClosure=<value optimized out>) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/dom/base/nsGlobalWindow.cpp:10218
#54 0x4116d150 in nsTimerImpl::Fire (this=0x481551f0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/xpcom/threads/nsTimerImpl.cpp:473
#55 0x4116d20a in nsTimerEvent::Run (this=<value optimized out>) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/xpcom/threads/nsTimerImpl.cpp:556
#56 0x4116b342 in nsThread::ProcessNextEvent (this=0x405098e0, mayWait=<value optimized out>, result=0xbea777df) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/xpcom/threads/nsThread.cpp:620
#57 0x4114b76e in NS_ProcessNextEvent_P (thread=0x43f90580, mayWait=0x0) at /home/tdz/Projects/mozilla/src/B2G-unagi/objdir-gecko/xpcom/build/nsThreadUtils.cpp:237
#58 0x41080800 in mozilla::ipc::MessagePump::Run (this=0x40502400, aDelegate=0x4052b0c0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/glue/MessagePump.cpp:82
#59 0x4118cb30 in MessageLoop::RunInternal (this=0x1000000) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/message_loop.cc:215
#60 0x4118cbe6 in MessageLoop::RunHandler (this=0x4052b0c0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/message_loop.cc:208
#61 MessageLoop::Run (this=0x4052b0c0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/ipc/chromium/src/base/message_loop.cc:182
#62 0x41007350 in nsBaseAppShell::Run (this=0x4290e820) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/widget/xpwidgets/nsBaseAppShell.cpp:163
#63 0x40f6ac10 in nsAppStartup::Run (this=0x42a738b0) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/toolkit/components/startup/nsAppStartup.cpp:290
#64 0x409a363a in XREMain::XRE_mainRun (this=0xbea7799c) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/toolkit/xre/nsAppRunner.cpp:3794
#65 0x409a5ca4 in XREMain::XRE_main (this=0xbea7799c, argc=<value optimized out>, argv=0xbea79b84, aAppData=<value optimized out>) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/toolkit/xre/nsAppRunner.cpp:3860
#66 0x409a5df0 in XRE_main (argc=0x1, argv=0xbea79b84, aAppData=0x1f180, aFlags=<value optimized out>) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/toolkit/xre/nsAppRunner.cpp:3935
#67 0x0000a11e in do_main (argc=0x1, argv=0xbea79b84) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/b2g/app/nsBrowserApp.cpp:164
#68 main (argc=0x1, argv=0xbea79b84) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/b2g/app/nsBrowserApp.cpp:249
gdb> info registers
r0 0x0 0x0
r1 0x47de8cc0 0x47de8cc0
r2 0x9 0x9
r3 0x47b9d3c4 0x47b9d3c4
r4 0x2 0x2
r5 0x7 0x7
r6 0x48123790 0x48123790
r7 0x0 0x0
r8 0x472a04a4 0x472a04a4
r9 0x4050990c 0x4050990c
r10 0xbea76de8 0xbea76de8
r11 0x43f90580 0x43f90580
r12 0x2d 0x2d
sp 0xbea76610 0xbea76610
lr 0x40c01bfd 0x40c01bfd
pc 0x40c01bf4 0x40c01bf4 <mozilla::dom::FragmentOrElement::SaveSubtreeState()+40>
cpsr 0x30 0x30
gdb> info threads
[New Thread 109.230]
[New Thread 109.232]
[New Thread 109.233]
[New Thread 109.235]
[New Thread 109.236]
[New Thread 109.237]
[New Thread 109.238]
[New Thread 109.239]
[New Thread 109.240]
[New Thread 109.241]
[New Thread 109.242]
[New Thread 109.243]
[New Thread 109.244]
[New Thread 109.245]
[New Thread 109.249]
[New Thread 109.250]
[New Thread 109.251]
[New Thread 109.252]
[New Thread 109.253]
[New Thread 109.254]
[New Thread 109.258]
[New Thread 109.259]
[New Thread 109.260]
[New Thread 109.261]
[New Thread 109.262]
[New Thread 109.263]
[New Thread 109.267]
[New Thread 109.270]
[New Thread 109.271]
[New Thread 109.311]
[New Thread 109.388]
[New Thread 109.507]
[New Thread 109.579]
[New Thread 109.601]
[New Thread 109.611]
36 Thread 109.611 0xffff0520 in ?? ()
35 Thread 109.601 0xffff0520 in ?? ()
34 Thread 109.579 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
33 Thread 109.507 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
32 Thread 109.388 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
31 Thread 109.311 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
30 Thread 109.271 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
29 Thread 109.270 __ioctl () at bionic/libc/arch-arm/syscalls/__ioctl.S:9
28 Thread 109.267 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
27 Thread 109.263 poll () at bionic/libc/arch-arm/syscalls/poll.S:10
26 Thread 109.262 syscall () at bionic/libc/arch-arm/bionic/syscall.S:50
25 Thread 109.261 read () at bionic/libc/arch-arm/syscalls/read.S:9
24 Thread 109.260 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
23 Thread 109.259 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
22 Thread 109.258 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
21 Thread 109.254 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
20 Thread 109.253 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
19 Thread 109.252 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
18 Thread 109.251 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
17 Thread 109.250 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
16 Thread 109.249 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
15 Thread 109.245 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
14 Thread 109.244 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
13 Thread 109.243 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
12 Thread 109.242 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:183
11 Thread 109.241 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
10 Thread 109.240 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
9 Thread 109.239 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
8 Thread 109.238 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
7 Thread 109.237 0xffff0520 in ?? ()
6 Thread 109.236 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
5 Thread 109.235 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
4 Thread 109.233 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
3 Thread 109.232 syscall () at bionic/libc/arch-arm/bionic/syscall.S:50
2 Thread 109.230 __futex_syscall3 () at bionic/libc/arch-arm/bionic/atomics_arm.S:182
* 1 Thread 109.109 mozilla::dom::FragmentOrElement::SaveSubtreeState (this=0x48123790) at /home/tdz/Projects/mozilla/src/B2G-unagi/gecko/content/base/src/FragmentOrElement.cpp:1077
gdb>
Updated•13 years ago
Severity: normal → critical
blocking-b2g: --- → tef?
Crash Signature: [@ mozilla::dom::FragmentOrElement::SaveSubtreeState()]
[@ mozilla::dom::FragmentOrElement::SaveSubtreeState]
tracking-b2g18: --- → ?
Keywords: crash
Whiteboard: [b2g-crash]
Cannot block until we get STR or a better investigation. We'll keep an eye on this via the stability meeting, via the whiteboard/keyword.
blocking-b2g: tef? → -
Comment 2•13 years ago (Reporter)
I've only seen this once.
Comment 3•11 years ago
Also happens on Thunderbird: https://crash-stats.mozilla.com/report/index/603a94f5-7562-455d-9158-7797d2140525
Comment 4•10 years ago
status-firefox40: --- → affected
OS: Gonk (Firefox OS) → All
Hardware: ARM → All
Version: 18 Branch → 40 Branch
Comment 5•10 years ago
Report ID: bp-84e5808d-d64a-4e7d-858e-89b682151012
Date Submitted: 12/10/2015 10:13 a.m.
340 crashes, 31 startup, on Firefox in the past 28 days per https://crash-stats.mozilla.com/report/list?product=Firefox&range_unit=days&range_value=28&signature=mozilla%3A%3Adom%3A%3AFragmentOrElement%3A%3ASaveSubtreeState%28%29
Crashing Thread
Frame Module Signature Source
0 xul.dll mozilla::dom::FragmentOrElement::SaveSubtreeState() dom/base/FragmentOrElement.cpp
1 xul.dll mozilla::dom::FragmentOrElement::SaveSubtreeState() dom/base/FragmentOrElement.cpp
2 xul.dll mozilla::dom::FragmentOrElement::SaveSubtreeState() dom/base/FragmentOrElement.cpp
3 xul.dll mozilla::dom::FragmentOrElement::SaveSubtreeState() dom/base/FragmentOrElement.cpp
4 xul.dll mozilla::dom::FragmentOrElement::SaveSubtreeState() dom/base/FragmentOrElement.cpp
5 xul.dll mozilla::dom::FragmentOrElement::SaveSubtreeState() dom/base/FragmentOrElement.cpp
6 xul.dll mozilla::dom::FragmentOrElement::SaveSubtreeState() dom/base/FragmentOrElement.cpp
7 xul.dll mozilla::dom::FragmentOrElement::SaveSubtreeState() dom/base/FragmentOrElement.cpp
8 xul.dll mozilla::dom::FragmentOrElement::SaveSubtreeState() dom/base/FragmentOrElement.cpp
9 xul.dll mozilla::dom::FragmentOrElement::SaveSubtreeState() dom/base/FragmentOrElement.cpp
10 xul.dll mozilla::dom::FragmentOrElement::SaveSubtreeState() dom/base/FragmentOrElement.cpp
11 xul.dll mozilla::dom::FragmentOrElement::SaveSubtreeState() dom/base/FragmentOrElement.cpp
12 xul.dll mozilla::dom::FragmentOrElement::SaveSubtreeState() dom/base/FragmentOrElement.cpp
13 xul.dll mozilla::dom::FragmentOrElement::SaveSubtreeState() dom/base/FragmentOrElement.cpp
14 xul.dll nsDocument::RemovedFromDocShell() dom/base/nsDocument.cpp
15 xul.dll nsDocumentViewer::Close(nsISHEntry*) layout/base/nsDocumentViewer.cpp
16 xul.dll nsDocShell::Destroy() docshell/base/nsDocShell.cpp
17 xul.dll nsWebBrowser::SetDocShell(nsIDocShell*) embedding/browser/nsWebBrowser.cpp
18 xul.dll nsWebBrowser::InternalDestroy() embedding/browser/nsWebBrowser.cpp
19 xul.dll nsWebBrowser::Destroy() embedding/browser/nsWebBrowser.cpp
20 xul.dll mozilla::dom::TabChild::DestroyWindow() dom/ipc/TabChild.cpp
21 xul.dll mozilla::dom::TabChild::RecvDestroy() dom/ipc/TabChild.cpp
22 xul.dll mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) obj-firefox/ipc/ipdl/PBrowserChild.cpp
23 xul.dll mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) obj-firefox/ipc/ipdl/PContentChild.cpp
24 xul.dll mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) ipc/glue/MessageChannel.cpp
25 xul.dll mozilla::ipc::MessageChannel::DispatchMessageW(IPC::Message const&) ipc/glue/MessageChannel.cpp
26 xul.dll mozilla::ipc::MessageChannel::OnMaybeDequeueOne() ipc/glue/MessageChannel.cpp
27 xul.dll RunnableMethod<mozilla::ipc::MessageChannel, void ( mozilla::ipc::MessageChannel::*)(void), Tuple0>::Run() ipc/chromium/src/base/task.h
28 xul.dll MessageLoop::DoWork() ipc/chromium/src/base/message_loop.cc
29 xul.dll mozilla::ipc::DoWorkRunnable::Run() ipc/glue/MessagePump.cpp
30 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp
31 xul.dll NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp
32 xul.dll nsThread::Shutdown() xpcom/threads/nsThread.cpp
33 xul.dll nsRunnableMethodImpl<void ( mozilla::XPCOMThreadWrapper::*)(void), 1>::Run() xpcom/glue/nsThreadUtils.h
34 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp
35 xul.dll NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp
36 xul.dll nsThread::Shutdown() xpcom/threads/nsThread.cpp
37 xul.dll nsRunnableMethodImpl<void ( mozilla::XPCOMThreadWrapper::*)(void), 1>::Run() xpcom/glue/nsThreadUtils.h
38 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp
39 xul.dll NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp
40 xul.dll nsThread::Shutdown() xpcom/threads/nsThread.cpp
41 xul.dll nsRunnableMethodImpl<void ( mozilla::XPCOMThreadWrapper::*)(void), 1>::Run() xpcom/glue/nsThreadUtils.h
42 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp
43 xul.dll NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp
44 xul.dll nsThread::Shutdown() xpcom/threads/nsThread.cpp
45 xul.dll nsRunnableMethodImpl<void ( mozilla::XPCOMThreadWrapper::*)(void), 1>::Run() xpcom/glue/nsThreadUtils.h
46 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp
47 xul.dll NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp
48 xul.dll nsThread::Shutdown() xpcom/threads/nsThread.cpp
49 xul.dll nsRunnableMethodImpl<void ( mozilla::XPCOMThreadWrapper::*)(void), 1>::Run() xpcom/glue/nsThreadUtils.h
50 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp
51 xul.dll NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp
52 xul.dll nsThread::Shutdown() xpcom/threads/nsThread.cpp
53 xul.dll nsRunnableMethodImpl<void ( mozilla::XPCOMThreadWrapper::*)(void), 1>::Run() xpcom/glue/nsThreadUtils.h
54 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp
55 xul.dll NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp
56 xul.dll nsThread::Shutdown() xpcom/threads/nsThread.cpp
57 xul.dll nsRunnableMethodImpl<void ( mozilla::XPCOMThreadWrapper::*)(void), 1>::Run() xpcom/glue/nsThreadUtils.h
58 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp
59 xul.dll NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp
60 xul.dll nsThread::Shutdown() xpcom/threads/nsThread.cpp
61 xul.dll nsRunnableMethodImpl<void ( mozilla::XPCOMThreadWrapper::*)(void), 1>::Run() xpcom/glue/nsThreadUtils.h
62 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp
63 xul.dll NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp
64 xul.dll nsThread::Shutdown() xpcom/threads/nsThread.cpp
65 xul.dll nsRunnableMethodImpl<void ( mozilla::XPCOMThreadWrapper::*)(void), 1>::Run() xpcom/glue/nsThreadUtils.h
66 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp
67 xul.dll NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp
68 xul.dll nsThread::Shutdown() xpcom/threads/nsThread.cpp
69 xul.dll nsRunnableMethodImpl<void ( mozilla::XPCOMThreadWrapper::*)(void), 1>::Run() xpcom/glue/nsThreadUtils.h
70 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp
71 xul.dll NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp
72 xul.dll nsThread::Shutdown() xpcom/threads/nsThread.cpp
73 xul.dll nsRunnableMethodImpl<void ( mozilla::XPCOMThreadWrapper::*)(void), 1>::Run() xpcom/glue/nsThreadUtils.h
74 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp
75 xul.dll NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp
76 xul.dll nsGlobalWindow::ShowSlowScriptDialog() dom/base/nsGlobalWindow.cpp
77 xul.dll XPCJSRuntime::InterruptCallback(JSContext*) js/xpconnect/src/XPCJSRuntime.cpp
78 xul.dll InvokeInterruptCallback js/src/vm/Runtime.cpp
79 xul.dll js::jit::CheckOverRecursedWithExtra(JSContext*, js::jit::BaselineFrame*, unsigned int, unsigned int) js/src/jit/VMFunctions.cpp
80 @0x327f00649cf
status-firefox41: --- → affected
status-firefox42: --- → affected
status-firefox43: --- → affected
status-firefox44: --- → affected
Comment 6•9 years ago
Crash volume for signature 'mozilla::dom::FragmentOrElement::SaveSubtreeState':
- nightly (version 50): 4 crashes from 2016-06-06.
- aurora (version 49): 4 crashes from 2016-06-07.
- beta (version 48): 127 crashes from 2016-06-06.
- release (version 47): 394 crashes from 2016-05-31.
- esr (version 45): 39 crashes from 2016-04-07.
Crash volume on the last weeks:
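| | Week N-1 | Week N-2 | Week N-3 | Week N-4 | Week N-5 | Week N-6 | Week N-7 |
|---|---|---|---|---|---|---|---|
| nightly | 2 | 1 | 0 | 0 | 0 | 1 | 0 |
| aurora | 1 | 1 | 1 | 0 | 0 | 0 | 1 |
| beta | 19 | 14 | 18 | 21 | 19 | 18 | 4 |
| release | 76 | 36 | 73 | 63 | 55 | 43 | 22 |
| esr | 2 | 7 | 5 | 3 | 9 | 2 | 0 |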
Affected platforms: Windows, Mac OS X, Linux
status-firefox47: --- → affected
status-firefox48: --- → affected
status-firefox49: --- → affected
status-firefox50: --- → affected
status-firefox-esr45: --- → affected
Comment 7•9 years ago
Crash volume for signature 'mozilla::dom::FragmentOrElement::SaveSubtreeState':
- nightly (version 51): 2 crashes from 2016-08-01.
- aurora (version 50): 4 crashes from 2016-08-01.
- beta (version 49): 33 crashes from 2016-08-02.
- release (version 48): 59 crashes from 2016-07-25.
- esr (version 45): 61 crashes from 2016-05-02.
Crash volume on the last weeks (Week N is from 08-22 to 08-28):
| | W. N-1 | W. N-2 | W. N-3 |
|---|---|---|---|
| nightly | 0 | 0 | 1 |
| aurora | 1 | 0 | 0 |
| beta | 7 | 9 | 2 |
| release | 13 | 17 | 7 |
| esr | 4 | 6 | 2 |
Affected platforms: Windows, Mac OS X, Linux
Crash rank on the last 7 days:
Browser Content Plugin
- nightly #817
- aurora #157
- beta #1367 #373
- release #981 #200
- esr #566
status-firefox51: --- → affected
Comment 8•8 years ago
Signature report for mozilla::dom::FragmentOrElement::SaveSubtreeState
Firefox 59.0a1 8 8.1% 8
Firefox 58.0b12 3 3.0% 3
Firefox 58.0b4 3 3.0% 3
Firefox 58.0b11 2 2.0% 2
Firefox 58.0b10 1 1.0% 1
Firefox 58.0b6 1 1.0% 1
Firefox 58.0b7 1 1.0% 1
Thunderbird 58.0b2 1 1.0% 1
Firefox 57.0.2 35 35.4% 35
Firefox 57.0.1 1 1.0% 1
Firefox 57.0b13 1 1.0% 1
FennecAndroid 57.0.1 1 1.0% 1
Firefox 56.0b9 2 2.0% 2
FennecAndroid 56.0 1 1.0% 1
Firefox 52.5.2esr 11 11.1% 10
status-firefox57: --- → affected
status-firefox58: --- → affected
status-firefox59: --- → affected
status-firefox-esr52: --- → affected
Updated•7 years ago
Priority: -- → P3
Comment 9•7 years ago
There appear to be at least three stack variations. One example
bp-cd8a337e-a6f8-4968-b5aa-a76730180811 win7 Crash Address 0xffffffffffffffff
bp-79074b23-424f-4c74-887b-4ff5c0180805 Mac Crash Address 0x2
bp-8fddff46-2219-4667-88ff-488240180808 Mac Crash Address 0x2 (appears to be different user from one above)
0 XUL mozilla::dom::FragmentOrElement::SaveSubtreeState() dom/base/FragmentOrElement.cpp:1279
1 XUL mozilla::dom::FragmentOrElement::SaveSubtreeState() dom/base/FragmentOrElement.cpp:1279
...
23 XUL nsDocument::RemovedFromDocShell() dom/base/nsDocument.cpp:8233
24 XUL nsDocumentViewer::Close(nsISHEntry*) layout/base/nsDocumentViewer.cpp:1592
25 XUL nsDocShell::SetupNewViewer(nsIContentViewer*) docshell/base/nsDocShell.cpp:9021
26 XUL nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*) docshell/base/nsDocShell.cpp:6854
27 XUL nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**) docshell/base/nsDocShell.cpp:8845
28 XUL nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*) docshell/base/nsDSURIContentListener.cpp:196
29 XUL nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) uriloader/base/nsURILoader.cpp:766
30 XUL nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) uriloader/base/nsURILoader.cpp:435
31 XUL nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*) uriloader/base/nsURILoader.cpp:313
32 XUL mozilla::net::HttpChannelChild::DoOnStartRequest(nsIRequest*, nsISupports*) netwerk/protocol/http/HttpChannelChild.cpp:744
33 XUL mozilla::net::HttpChannelChild::OnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, unsigned long long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, unsigned int const&, nsTString<char> const&, long long const&, mozilla::Maybe<mozilla::dom::ServiceWorkerDescriptor> const&, bool const&) netwerk/protocol/http/HttpChannelChild.cpp:667
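Added example (not part of the bug report and not Mozilla tooling): a small Python normalizer for the two stack formats quoted in this bug, gdb `bt` lines and crash-stats frame tables, that reports how deep the SaveSubtreeState recursion was and which callers led into it, so stack variations can be compared. The sample stacks are shortened from frames quoted above (paths abbreviated); every function and variable name in the script is hypothetical.

```python
import re

# gdb `bt` line: "#4 0x40bc615c in Func (args) at file.cpp:7214"
GDB_FRAME = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?(.+?) at \S+$")
# crash-stats table row: "14 xul.dll Func(args) dom/base/file.cpp[:line]"
TABLE_FRAME = re.compile(r"^(\d+)\s+\S+\s+(.+?)\s+\S+$")


def strip_args(sig):
    """Drop one trailing balanced (...) group: 'A::B (this=0x1)' -> 'A::B'."""
    sig = sig.strip()
    if not sig.endswith(")"):
        return sig
    depth = 0
    for i in range(len(sig) - 1, -1, -1):
        if sig[i] == ")":
            depth += 1
        elif sig[i] == "(":
            depth -= 1
            if depth == 0:
                return sig[:i].rstrip()
    return sig  # unbalanced parentheses: leave the text untouched


def parse_frames(text):
    """Return [(frame_index, function_name)], skipping non-frame lines."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        m = GDB_FRAME.match(line) or TABLE_FRAME.match(line)
        if m:
            frames.append((int(m.group(1)), strip_args(m.group(2))))
    return frames


def summarize(text, keep=3):
    """Crashing function, recursion depth, and the first `keep` callers."""
    frames = parse_frames(text)
    if not frames:
        raise ValueError("no stack frames recognised")
    crash_fn = frames[0][1]
    callers = [(i, fn) for i, fn in frames if fn != crash_fn]
    # Depth is the index of the first different frame, so an elided "..."
    # run is assumed to be more of the same recursion.
    depth = callers[0][0] if callers else frames[-1][0] + 1
    return {"crash_fn": crash_fn, "depth": depth,
            "callers": tuple(fn for _, fn in callers[:keep])}


def cluster(stacks, keep=3):
    """Group named stacks by the callers that led into the crash."""
    groups = {}
    for name, text in stacks.items():
        groups.setdefault(summarize(text, keep)["callers"], []).append(name)
    return groups


SAVE = "mozilla::dom::FragmentOrElement::SaveSubtreeState"

# Constructed samples: frames taken from this bug, paths abbreviated.
B2G_GDB = """\
#0 mozilla::dom::FragmentOrElement::SaveSubtreeState (this=0x48123790) at gecko/content/base/src/FragmentOrElement.cpp:1077
#1 0x40c01bfc in mozilla::dom::FragmentOrElement::SaveSubtreeState (this=0x429663d0) at gecko/content/base/src/FragmentOrElement.cpp:1077
#2 0x40c01bfc in mozilla::dom::FragmentOrElement::SaveSubtreeState (this=0x42966380) at gecko/content/base/src/FragmentOrElement.cpp:1077
#3 0x40c01bfc in mozilla::dom::FragmentOrElement::SaveSubtreeState (this=0x43f206a0) at gecko/content/base/src/FragmentOrElement.cpp:1077
#4 0x40bc615c in nsDocument::RemovedFromDocShell (this=0x44bca000) at gecko/content/base/src/nsDocument.cpp:7214
#5 0x40c8ea34 in nsHTMLDocument::RemovedFromDocShell (this=0x0) at gecko/content/html/document/src/nsHTMLDocument.cpp:3489
#6 0x40aad524 in DocumentViewerImpl::Close (this=0x43fde530, aSHEntry=<value optimized out>) at gecko/layout/base/nsDocumentViewer.cpp:1440
#7 0x40f2dd1a in nsDocShell::Destroy (this=0x472a0400) at gecko/docshell/base/nsDocShell.cpp:4880
"""

WIN_TABLE = "\n".join(
    [f"{i} xul.dll {SAVE}() dom/base/FragmentOrElement.cpp" for i in range(14)]
    + [
        "14 xul.dll nsDocument::RemovedFromDocShell() dom/base/nsDocument.cpp",
        "15 xul.dll nsDocumentViewer::Close(nsISHEntry*) layout/base/nsDocumentViewer.cpp",
        "16 xul.dll nsDocShell::Destroy() docshell/base/nsDocShell.cpp",
        "17 xul.dll nsWebBrowser::SetDocShell(nsIDocShell*) embedding/browser/nsWebBrowser.cpp",
    ]
)

MAC_TABLE = """\
0 XUL mozilla::dom::FragmentOrElement::SaveSubtreeState() dom/base/FragmentOrElement.cpp:1279
1 XUL mozilla::dom::FragmentOrElement::SaveSubtreeState() dom/base/FragmentOrElement.cpp:1279
...
23 XUL nsDocument::RemovedFromDocShell() dom/base/nsDocument.cpp:8233
24 XUL nsDocumentViewer::Close(nsISHEntry*) layout/base/nsDocumentViewer.cpp:1592
25 XUL nsDocShell::SetupNewViewer(nsIContentViewer*) docshell/base/nsDocShell.cpp:9021
26 XUL nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*) docshell/base/nsDocShell.cpp:6854
"""

STACKS = {"b2g-gdb": B2G_GDB, "win-comment5": WIN_TABLE, "mac-comment9": MAC_TABLE}

if __name__ == "__main__":
    for name, text in STACKS.items():
        s = summarize(text)
        print(f"{name}: depth={s['depth']} via {' <- '.join(s['callers'])}")
```

With `keep=1` all three sample stacks fall into one group (entered from nsDocument::RemovedFromDocShell); with `keep=3` they split by what sits above the document viewer's Close call.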
Updated•6 years ago (Assignee)
Component: DOM → DOM: Core & HTML
Comment 10•5 years ago
Near zero crash rate now for 6 months according to the graph
https://crash-stats.mozilla.org/signature/?signature=mozilla%3A%3Adom%3A%3AFragmentOrElement%3A%3ASaveSubtreeState&date=%3E%3D2020-07-15T05%3A32%3A00.000Z&date=%3C2021-01-15T05%3A32%3A00.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_columns=startup_crash&_sort=-date&page=1#graphs
Severity: critical → S3
Comment 11•5 years ago
No idea how, but both here and in bug 1426165 we seem to end up with an invalid child or sibling pointer either in FragmentOrElement::SaveSubtreeState() or in FragmentOrElement::DestroyContent() while traversing the node tree.
Updated•4 years ago
Whiteboard: [b2g-crash] → [b2g-crash][qa-not-actionable]
Updated•2 years ago
Crash Signature: [@ mozilla::dom::FragmentOrElement::SaveSubtreeState()]
[@ mozilla::dom::FragmentOrElement::SaveSubtreeState] → [@ mozilla::dom::FragmentOrElement::SaveSubtreeState]
[@ mozilla::dom::FragmentOrElement::SaveSubtreeState]