If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

crash in nsDisplayList::RemoveBottom

RESOLVED WORKSFORME

Status

()

Core
Layout: View Rendering
--
critical
RESOLVED WORKSFORME
4 years ago
10 months ago

People

(Reporter: wsmwk, Unassigned)

Tracking

({crash})

Trunk
crash
Points:
---

Firefox Tracking Flags

(firefox47 affected, firefox48 affected, firefox49 affected, firefox-esr45 affected, firefox50 affected)

Details

(Whiteboard: [tbird crash], crash signature)

not a new crash for thunderbird.

bp-4b2735c5-dfdc-41c6-bc18-5a8412130515 TB22.0a2
============================================================= 
0	xul.dll	nsDisplayList::RemoveBottom	layout/base/nsDisplayList.cpp:1230
1	xul.dll	nsDisplayList::DeleteAll	layout/base/nsDisplayList.cpp:1241
2	xul.dll	nsDisplayListCollection::~nsDisplayListCollection	
3	xul.dll	nsBoxFrame::BuildDisplayList	layout/xul/base/src/nsBoxFrame.cpp:1344
4	xul.dll	nsIFrame::BuildDisplayListForChild	layout/generic/nsFrame.cpp:2234
5	xul.dll	nsBoxFrame::BuildDisplayListForChildren	layout/xul/base/src/nsBoxFrame.cpp:1357
6	xul.dll	nsBoxFrame::BuildDisplayList	layout/xul/base/src/nsBoxFrame.cpp:1323
7	xul.dll	nsIFrame::BuildDisplayListForChild	layout/generic/nsFrame.cpp:2234
8	xul.dll	nsBoxFrame::BuildDisplayListForChildren	layout/xul/base/src/nsBoxFrame.cpp:1357
9	xul.dll	nsBoxFrame::BuildDisplayList	layout/xul/base/src/nsBoxFrame.cpp:1323 

hg@1 1226nsDisplayItem* nsDisplayList::RemoveBottom() {
hg@1 1227 nsDisplayItem* item = mSentinel.mAbove;
hg@1 1228 if (!item)
ayg@103959 1229 return nullptr;
hg@1 1230 mSentinel.mAbove = item->mAbove;
Component: General → Layout
Product: Thunderbird → Core
I looked through some of the recent reports on this signature and they don't 
match the stack above.  Instead, the current stack on Windows is:

nsDisplayList::RemoveBottom()
PresShell::Paint(nsView*, nsRegion const&, unsigned int)
nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*)
nsViewManager::ProcessPendingUpdatesForView(nsView*, bool)

which doesn't really make sense.  The Linux crashes have a better stack:

nsDisplayList::RemoveBottom()
nsDisplayList::FlattenTo(nsTArray<nsDisplayItem*>*)
nsDisplayList::FlattenTo(nsTArray<nsDisplayItem*>*)
nsDisplayList::ComputeVisibilityForSublist(nsDisplayListBuilder*, nsRegion*, nsRect const&, nsRect const&, nsIFrame*)
nsDisplayList::ComputeVisibilityForRoot(nsDisplayListBuilder*, nsRegion*, nsIFrame*)
nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, unsigned int)
PresShell::Paint(nsView*, nsRegion const&, unsigned int)
nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*)
nsViewManager::ProcessPendingUpdatesForView(nsView*, bool)
nsRefreshDriver::Tick(long, mozilla::TimeStamp)

bp-b0c13d16-7e9b-4217-a2a3-5ae572141008
bp-1a44a9b8-d957-4be1-993e-720ae2140925

About 250 reported crashes in the past 4 weeks.
OS: Windows NT → All
Hardware: x86 → All

Updated

2 years ago
Crash Signature: [@ nsDisplayList::RemoveBottom()] → [@ nsDisplayList::RemoveBottom()] [@ nsDisplayList::RemoveBottom]
(In reply to Mats Palmgren (:mats) from comment #1)
> I looked through some of the recent reports on this signature and they don't 
> match the stack above.  Instead, the current stack on Windows is:
> 
> nsDisplayList::RemoveBottom()
> PresShell::Paint(nsView*, nsRegion const&, unsigned int)
> nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*)
> nsViewManager::ProcessPendingUpdatesForView(nsView*, bool)

only 2 crashes per week now for thunderbird, and stacks still do not match.
From a thunderbird POV, not worth keeping open.
But maybe for firefox?  ...


> which doesn't really make sense.  The Linux crashes have a better stack:
> 
> nsDisplayList::RemoveBottom()
> nsDisplayList::FlattenTo(nsTArray<nsDisplayItem*>*)
> nsDisplayList::FlattenTo(nsTArray<nsDisplayItem*>*)
> nsDisplayList::ComputeVisibilityForSublist(nsDisplayListBuilder*, nsRegion*,
> nsRect const&, nsRect const&, nsIFrame*)
> nsDisplayList::ComputeVisibilityForRoot(nsDisplayListBuilder*, nsRegion*,
> nsIFrame*)
> nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&,
> unsigned int, unsigned int)
> PresShell::Paint(nsView*, nsRegion const&, unsigned int)
> nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*)
> nsViewManager::ProcessPendingUpdatesForView(nsView*, bool)
> nsRefreshDriver::Tick(long, mozilla::TimeStamp)
> 
> bp-b0c13d16-7e9b-4217-a2a3-5ae572141008
> bp-1a44a9b8-d957-4be1-993e-720ae2140925
> 
> About 250 reported crashes in the past 4 weeks.

about the same rate now - 65 in the past week
Crash volume for signature 'nsDisplayList::RemoveBottom':
 - nightly (version 50): 1 crash from 2016-06-06.
 - aurora  (version 49): 3 crashes from 2016-06-07.
 - beta    (version 48): 46 crashes from 2016-06-06.
 - release (version 47): 84 crashes from 2016-05-31.
 - esr     (version 45): 3 crashes from 2016-04-07.

Crash volume on the last weeks:
             Week N-1   Week N-2   Week N-3   Week N-4   Week N-5   Week N-6   Week N-7
 - nightly          0          0          0          0          1          0          0
 - aurora           0          0          0          2          1          0          0
 - beta            10          6          5          7          8          8          0
 - release         14         19         11         11          9         14          4
 - esr              0          0          1          1          0          1          0

Affected platforms: Windows, Mac OS X, Linux
status-firefox47: --- → affected
status-firefox48: --- → affected
status-firefox49: --- → affected
status-firefox50: --- → affected
status-firefox-esr45: --- → affected

Updated

10 months ago
Component: Layout → Layout: View Rendering
(Reporter)

Comment 4

10 months ago
This is currently quite rare. I sampled a few both Thunderbird and Firefox crashes - only a few per week.  Firefox crashes not match the stack of comment 0. Plus I sampled a few Thunderbird users with emails and they have a variety of signatures - so I think the original Thunderbird crash is gone or morhped to another signature. In short I do not believe there is an actionable crash in the layout code via this bug report
Status: NEW → RESOLVED
Last Resolved: 10 months ago
Resolution: --- → FIXED
Whiteboard: [tbird crash]
(Reporter)

Updated

10 months ago
Resolution: FIXED → WORKSFORME
You need to log in before you can comment on or make changes to this bug.