Closed Bug 866402 Opened 11 years ago Closed 11 years ago

crash in nsRefreshDriver::Tick

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Version:
23 Branch
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 877097
Milestone:
mozilla23
Tracking Flags:
Tracking Status
firefox22 --- unaffected
firefox23 --- disabled
firefox24 --- affected
firefox25 --- affected

People

(Reporter: scoobidiver, Assigned: spohl)

References

Details

(Keywords: crash, regression, topcrash)

Crash Data

It started spiking in 23.0a1/20130426 and is #3 crasher in today's build but with many duplicates and mostly at startup. The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=690b5e0f6562&tochange=a6104e0e5a2c
It's likely a regression from bug 753453.

Signature 	nsRefreshDriver::Tick(__int64, mozilla::TimeStamp) More Reports Search
UUID	00068b2b-6a42-4084-afc8-471812130427
Date Processed	2013-04-27 11:24:10
Uptime	13
Last Crash	33 seconds before submission
Install Age	17.6 hours since version was first installed.
Install Time	2013-04-26 17:46:11
Product	Firefox
Version	23.0a1
Build ID	20130426030834
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	AuthenticAMD family 16 model 4 stepping 3
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x14
User Comments	
App Notes 	
AdapterVendorID: 0x10de, AdapterDeviceID: 0x1086, AdapterSubsysID: 120719da, AdapterDriverVersion: 9.18.13.1106
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
Processor Notes 	sp-processor01.phx1.mozilla.com_5380:2012
EMCheckCompatibility	True
Adapter Vendor ID	0x10de
Adapter Device ID	0x1086
Total Virtual Memory	4294836224
Available Virtual Memory	3701518336
System Memory Use Percentage	24
Available Page File	14891028480
Available Physical Memory	6486556672

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsRefreshDriver::Tick 	layout/base/nsRefreshDriver.cpp:907
1 	xul.dll 	nsTArray_Impl<nsRefPtr<nsRefreshDriver>,nsTArrayInfallibleAllocator>::AppendElem 	obj-firefox/dist/include/nsTArray.h:1044
2 	xul.dll 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:547
3 	xul.dll 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:634
4 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:627
5 	xul.dll 	NS_ProcessNextEvent 	obj-firefox/xpcom/build/nsThreadUtils.cpp:238
6 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:82
7 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:212
8 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:186
9 	xul.dll 	nsBaseAppShell::Run 	widget/xpwidgets/nsBaseAppShell.cpp:163
10 	xul.dll 	nsAppShell::Run 	widget/windows/nsAppShell.cpp:113
11 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:289
12 	xul.dll 	XREMain::XRE_mainRun 	toolkit/xre/nsAppRunner.cpp:3878
13 	xul.dll 	XREMain::XRE_main 	toolkit/xre/nsAppRunner.cpp:3945
14 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:4157
15 	firefox.exe 	do_main 	browser/app/nsBrowserApp.cpp:271
16 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:105
17 	firefox.exe 	__tmainCRTStartup 	crtexe.c:552
18 	kernel32.dll 	BaseThreadInitThunk 	
19 	ntdll.dll 	__RtlUserThreadStart 	
20 	ntdll.dll 	_RtlUserThreadStart 	

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsRefreshDriver%3A%3ATick%28__int64%2C+mozilla%3A%3ATimeStamp%29
FYI:

nsRefreshDriver::Tick(long long, mozilla::TimeStamp) is affecting Linux.
Note long long vs __int64, otherwise the function signatures are the same.

https://crash-stats.mozilla.com/report/list?query_search=signature&range_value=4&range_unit=weeks&signature=nsRefreshDriver%3A%3ATick%28long%20long%2C%20mozilla%3A%3ATimeStamp%29

For the Linux crash, can reproduce reliably just by opening a few dozen tabs.
Once the critical limit is hit, firefox reliably crashes...
If you restore a session with more tabs than the critical limit, the next tab opened will crash.

Unknown if same root cause, but this severely hinders usability on Linux.
Rather, it seems that restore of a session beyond the critical limit will also trigger this.  As such, you can get into a viscous cycle of:

Crash
Re-open
Restore
Crash
Crash Signature: [@ nsRefreshDriver::Tick(__int64, mozilla::TimeStamp)] → [@ nsRefreshDriver::Tick(__int64, mozilla::TimeStamp)] [@ nsRefreshDriver::Tick(long long, mozilla::TimeStamp)]
OS: Windows 7 → All
Whiteboard: [startupcrash]
Crash Signature: [@ nsRefreshDriver::Tick(__int64, mozilla::TimeStamp)] [@ nsRefreshDriver::Tick(long long, mozilla::TimeStamp)] → [@ nsRefreshDriver::Tick(__int64, mozilla::TimeStamp)] [@ nsRefreshDriver::Tick(long long, mozilla::TimeStamp) ]
Crash Signature: [@ nsRefreshDriver::Tick(__int64, mozilla::TimeStamp)] [@ nsRefreshDriver::Tick(long long, mozilla::TimeStamp) ] → [@ nsRefreshDriver::Tick(__int64, mozilla::TimeStamp)] [@ nsRefreshDriver::Tick(long long, mozilla::TimeStamp) ] [@ nsRefreshDriver::Tick(long, mozilla::TimeStamp) ]
Depends on: 866545
Scoobidiver, is there any way to tell whether the users seeing this have the "dom.enable_performance" preference set to false for some reason?
Flags: needinfo?(scoobidiver)
(In reply to Boris Zbarsky (:bz) from comment #3)
> Scoobidiver, is there any way to tell whether the users seeing this have the
> "dom.enable_performance" preference set to false for some reason?
We don't have that in App Notes. The only way is to contact users that let their email addresses and ask them. It's a lot of work compared to fixing bug 866545 first and see how crash stats behave.
Flags: needinfo?(scoobidiver)
Well, let's start with the user from comment 2.  ;)  But yes, comment 4 describes my current general plan if there is no easy way to tell what prefs look like for crashing cases.
Flags: needinfo?(linux.user.since.2002)
(In reply to Boris Zbarsky (:bz) from comment #3)
> is there any way to tell whether the users seeing this have the
> "dom.enable_performance" preference set to false for some reason?

For one:

From https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI
Under "Conclusions / Action Items"
* [dveditz] Point the Tor folks at the pref for disabling this feature (dom.enable_performance)
* [curtisk] talk to Sid about privacy
...

Granted, this may (or may not be) partial, potentially out-of-date information (for one, Sid's reply would be nice to know); however, it is still online without any pointers to anything newer.  As an aside, it can be hard to make an informed decision about every single entry in about:config, particularly if information proves scarce.  IIRC, took a week or so when I attempted that last.  However, for this pref, a quick google search for the pref name ("dom.enable_performance") returned the mozilla page in the top results (within the first few results on the first page and appearing above the fold).

Speculatively, users may have disabled it themselves or perhaps some addons are disabling it on behalf of users, likely including those Tor related as noted in the conclusions on that page.
Flags: needinfo?(linux.user.since.2002)
NO, you don't understand.  You said you can reproduce.  Do _you_ have this pref set?
Flags: needinfo?(linux.user.since.2002)
(In reply to linux.user.since.2002 from comment #1)
> If you restore a session with more tabs than the critical limit, the next
> tab opened will crash.

(In reply to linux.user.since.2002 from comment #2)
> Rather, it seems that restore of a session beyond the critical limit will
> also trigger this.

Regarding session restore, it seems there are some cases where the restore will trigger the crash and some cases where it will not, even if the number of tabs restored is well over the critical limit.  Again, this does not appear to be specific to session restore, as starting a new session and just opening tabs will crash firefox after a few dozen or so.
Flags: needinfo?(linux.user.since.2002)
(In reply to Boris Zbarsky (:bz) from comment #7)
> Do _you_ have this pref set?

To state explicitly, I have:
dom.enable_performance = false
There have been no crashes since 23.0a1/20130503 so it's fully fixed by the patch of bug 866545.
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox23: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
(In reply to Scoobidiver from comment #10)
> There have been no crashes since 23.0a1/20130503 so it's fully fixed by the
> patch of bug 866545.
My bad. There are still a few ones on Mac: https://crash-stats.mozilla.com/report/list?signature=nsRefreshDriver%3A%3ATick%28long+long%2C+mozilla%3A%3ATimeStamp%29
Status: RESOLVED → REOPENED
Crash Signature: [@ nsRefreshDriver::Tick(__int64, mozilla::TimeStamp)] [@ nsRefreshDriver::Tick(long long, mozilla::TimeStamp) ] [@ nsRefreshDriver::Tick(long, mozilla::TimeStamp) ] → [@ nsRefreshDriver::Tick(__int64, mozilla::TimeStamp)] [@ nsRefreshDriver::Tick(long long, mozilla::TimeStamp) ] [@ nsRefreshDriver::Tick(long, mozilla::TimeStamp) ] [@ @0x0 | nsRefreshDriver::Tick(long long, mozilla::TimeStamp) ]
status-firefox23: fixedaffected
OS: All → Mac OS X
Hardware: All → x86_64
Resolution: FIXED → ---
For what it's worth, those seem to have completely bogus stacks.
It's #4 browser crasher in 23.0a2 and #9 in 24.0a1 on Mac OS X.
status-firefox24: --- → affected
tracking-firefox23: --- → ?
Keywords: topcrash
Crash Signature: [@ nsRefreshDriver::Tick(__int64, mozilla::TimeStamp)] [@ nsRefreshDriver::Tick(long long, mozilla::TimeStamp) ] [@ nsRefreshDriver::Tick(long, mozilla::TimeStamp) ] [@ @0x0 | nsRefreshDriver::Tick(long long, mozilla::TimeStamp) ] → [@ nsRefreshDriver::Tick(__int64, mozilla::TimeStamp)] [@ nsRefreshDriver::Tick(long long, mozilla::TimeStamp) ] [@ nsRefreshDriver::Tick(long, mozilla::TimeStamp) ] [@ @0x0 | nsRefreshDriver::Tick(long long, mozilla::TimeStamp) ] [@ jemalloc_crash | …
I hit this yesterday and I have the dom.enable_performance set to True.

Running 24.0a1 (2013-06-15) UX on a Mac.
There are two kinds of stack trace:
Frame 	Module 	Signature 	Source
0 		@0x400000001 	
1 	XUL 	nsRefreshDriver::Tick(long long, mozilla::TimeStamp) 	obj-firefox/x86_64/dist/include/nsAutoPtr.h
2 	XUL 	mozilla::RefreshDriverTimer::Tick() 	layout/base/nsRefreshDriver.cpp
3 	XUL 	nsTimerImpl::Fire() 	xpcom/threads/nsTimerImpl.cpp
4 	XUL 	nsTimerEvent::Run() 	xpcom/threads/nsTimerImpl.cpp
5 	XUL 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
6 	XUL 	NS_ProcessPendingEvents(nsIThread*, unsigned int) 	obj-firefox/x86_64/xpcom/build/nsThreadUtils.cpp
7 	XUL 	nsBaseAppShell::NativeEventCallback() 	widget/xpwidgets/nsBaseAppShell.cpp
8 	XUL 	nsAppShell::ProcessGeckoEvents(void*) 	widget/cocoa/nsAppShell.mm

0 	XUL 	nsRefreshDriver::Tick(long long, mozilla::TimeStamp) 	obj-firefox/x86_64/dist/include/nsAutoPtr.h
1 	XUL 	mozilla::InactiveRefreshDriverTimer::TickOne() 	layout/base/nsRefreshDriver.cpp
2 	XUL 	nsTimerImpl::Fire() 	xpcom/threads/nsTimerImpl.cpp
3 	XUL 	nsTimerEvent::Run() 	xpcom/threads/nsTimerImpl.cpp
4 	XUL 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
5 	XUL 	NS_ProcessPendingEvents(nsIThread*, unsigned int) 	obj-firefox/x86_64/xpcom/build/nsThreadUtils.cpp
6 	XUL 	nsBaseAppShell::NativeEventCallback() 	widget/xpwidgets/nsBaseAppShell.cpp
7 	XUL 	nsAppShell::ProcessGeckoEvents(void*) 	widget/cocoa/nsAppShell.mm
Blocks: 877097
Crash Signature: , mozilla::TimeStamp) ] [@ jemalloc_crash | libsystem_c.dylib@0x2d8f8 ] [@ jemalloc_crash | libsystem_c.dylib@0xa0789 ] → , mozilla::TimeStamp) ] [@ jemalloc_crash | libsystem_c.dylib@0x2d8f8 ] [@ jemalloc_crash | libsystem_c.dylib@0xa0789 ] [@ jemalloc_crash | arena_dalloc | libsystem_c.dylib@0x2d8f8 ]
status-firefox25: --- → affected
Emailed the Layout team for help with assignee.

Scoobidiver, can you please help with info on how is this related to 877097 ? Thanks !
Flags: needinfo?(scoobidiver)
So, FWIW, the dom.enable_performance thing appears to be unrelated.  That was bug 866545, which had a reproducible test case which crashed on all platforms.  This appears to be Mac specific and running the test case in that bug does not trigger a crash anymore.  This crash signature is a generic signature for crashing when trying to call a refresh observer, so while this bug was originally filed around the same time as bug 866545 and probably covered that problem originally the crashes we're seeing today are probably from a different cause.
A comment says: "Facebook….I had just clicked on a picture to see detail (and this is the first ffox had crashed on the new beta)"

(In reply to bhavana bajaj [:bajaj] from comment #18) 
> Scoobidiver, can you please help with info on how is this related to 877097
Bug 877097's stack trace has two more frames than this one but the rest is the same. In addition, both show up around the same build.
Flags: needinfo?(scoobidiver)
spohl - do you agree that it makes sense to investigate this issue at the same time as bug 877097 given comment 20?
Flags: needinfo?(spohl.mozilla.bugs)
(In reply to Alex Keybl [:akeybl] from comment #21)
> spohl - do you agree that it makes sense to investigate this issue at the
> same time as bug 877097 given comment 20?

Yes. Bug 877097 is next on my list and I agree that it may be the same problem we're seeing here. I'll look into it.
Assignee: nobody → spohl.mozilla.bugs
Flags: needinfo?(spohl.mozilla.bugs)
Stephen, do we have any progress on your investigations there? This is still the #1 issue on Mac in Beta 23.
There is a chance that bug 868498 will fix bug 877097, which may just be the same bug as this one here. I just pushed the patches for bug 868498 to inbound. I will monitor the crash stats in the next few days. I'll also try and debug this some more.
Bug 868498 landed in the beta range pointed to, but landed on aurora already on 2013-07-17. Scoobidiver, you say "maybe" on the Aurora working build, could it be the one from the 18th instead where it started to work?
I have a feeling that this crash disappeared due to the landing of bug 895203 in beta and that it might still be present in aurora and nightly, same as bug 877097. Scoobidiver, is that something you can confirm or do we need to wait a few more days?
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #26)
> Scoobidiver, you say "maybe" on the Aurora working build, could it be the one from the
> 18th instead where it started to work?
"Maybe" meant "too soon to conclude it's fixed in Aurora based on the low volume of Mac users" but in any case it is fully fixed earlier than 24.0a2/20130720. See bp-7e080d29-6e1d-4002-9a1f-6f1752130719.

(In reply to Stephen Pohl [:spohl] from comment #27)
> Scoobidiver, is that something you can confirm or do we need to wait a few more days?
It's fixed in Beta 7 but not sure in Aurora as there are no Mac builds for 24.0a2/20130721 (see ftp://ftp.mozilla.org/pub/firefox/nightly/2013-07-21-00-40-03-mozilla-aurora/) and 24.0a2/20130722 (see ftp://ftp.mozilla.org/pub/firefox/nightly/2013-07-22-00-40-04-mozilla-aurora/).
Updating tracking flags for FF23 based on comment 28.
status-firefox23: affectedunaffected
tracking-firefox23: + → ---
Depends on: 895203
If I'm reading the crash stats right, this crash hasn't occurred since build 25.0a1 20130722030226, which seems to (roughly) coincide with the landing of patch part 2 in bug 877097. This has me a bit puzzled, but I think we might be able to close this bug here while we're adding additional safeguards in bug 877097 (see bug 877097 comment 39). Scoobidiver, what do you think?
Flags: needinfo?(scoobidiver)
(In reply to Stephen Pohl [:spohl] from comment #30)
> This has me a bit puzzled, but I think we might be able to close this bug here while
> we're adding additional safeguards in bug 877097 (see bug 877097 comment 39).
> Scoobidiver, what do you think?
Yes. Bug 877097 and this bug track the same issue.
No longer blocks: 877097
Status: REOPENED → RESOLVED
Closed: 11 years ago11 years ago
Flags: needinfo?(scoobidiver)
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.