Closed Bug 884334 Opened 7 years ago Closed 7 years ago

startup jemalloc crash coming from WidgetShutdownObserver::Observe

Categories

(Core :: Widget, defect, critical)

24 Branch
x86_64
macOS
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla24
Tracking Status
firefox23 --- unaffected
firefox24 --- verified

People

(Reporter: scoobidiver, Unassigned)

References

Details

(Keywords: crash, regression, Whiteboard: [startupcrash])

Crash Data

Attachments

(1 file)

It first showed up in 24.0a1/20130618. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=834c8941ae24&tochange=4e5983de6e3b
It's likely a regression from bug 877534.

Signature 	mozilla::layers::PCompositorChild::SendWillStop() More Reports Search
UUID	f6c360b9-58aa-4814-ac43-bf5a42130618
Date Processed	2013-06-18 14:06:20
Uptime	3
Last Crash	1.1 minutes before submission
Install Age	2.0 minutes since version was first installed.
Install Time	2013-06-18 14:04:01
Product	Firefox
Version	24.0a1
Build ID	20130618031335
Release Channel	nightly
OS	Mac OS X
OS Version	10.8.4 12E55
Build Architecture	amd64
Build Architecture Info	family 6 model 23 stepping 6
Crash Reason	EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash Address	0x36b
App Notes 	
AdapterVendorID: 0x10de, AdapterDeviceID: 0x 863GL Layers? GL Context? GL Context+ GL Layers+ 
Processor Notes 	sp-processor03_phx1_mozilla_com_27827:2012; WARNING: raw_crash missing Add-ons; exploitability tool: ERROR: unable to analyze dump
EMCheckCompatibility	False
Adapter Vendor ID	0x10de
Adapter Device ID	0x 863

Frame 	Module 	Signature 	Source
0 	XUL 	mozilla::layers::PCompositorChild::SendWillStop 	obj-firefox/x86_64/ipc/ipdl/PCompositorChild.cpp:170
1 	XUL 	_ZZL11toHexStringPKhjR19nsACString_internalE6digits 	
2 	XUL 	CMMFCertOrEncCertTemplate 	
3 	XUL 	nsBaseWidget::DestroyCompositor 	widget/xpwidgets/nsBaseWidget.cpp:160
4 	XUL 	CMMFCertOrEncCertTemplate 	
5 	XUL 	WidgetShutdownObserver::Observe 	widget/xpwidgets/nsBaseWidget.cpp:143
6 	XUL 	nsObserverList::NotifyObservers 	xpcom/ds/nsObserverList.cpp:99
7 	XUL 	CMMFCertOrEncCertTemplate 	
8 	XUL 	CMMFCertOrEncCertTemplate 	
9 	XUL 	nsObserverService::NotifyObservers 	nsObserverService.cpp:161
10 	XUL 	mozilla::ShutdownXPCOM 	xpcom/build/nsXPComInit.cpp:579
11 	XUL 	ScopedXPCOMStartup::~ScopedXPCOMStartup 	toolkit/xre/nsAppRunner.cpp:1129
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Alayers%3A%3APCompositorChild%3A%3ASendWillStop%28%29
https://crash-stats.mozilla.com/report/list?signature=jemalloc_crash+|+CMMFCertOrEncCertTemplate
https://crash-stats.mozilla.com/report/list?signature=jemalloc_crash+|+libsystem_c.dylib%400x2d8f8
That's a constant startup crash for me :(
Gregor: I assume you have layers.offmainthreadcomposition.enabled set to true. Setting that to false (the default) should stop this happening for now.

Figuring out why you're getting XPCOM shutdown observers called during startup would be really helpful too.
Other stack traces look like:
Frame 	Module 	Signature 	Source
0 	libmozglue.dylib 	jemalloc_crash 	jemalloc.c:1590
1 	XUL 	CMMFCertOrEncCertTemplate 	
2 	XUL 	WidgetShutdownObserver::Release 	obj-firefox/x86_64/dist/include/mozilla/mozalloc.h:225
3 	XUL 	nsCOMArray_base::Clear 	nsCOMArray.cpp:240
4 	XUL 	nsCOMArray_base::~nsCOMArray_base 	nsCOMArray.cpp:44
5 	XUL 	nsObserverList::NotifyObservers 	obj-firefox/x86_64/dist/include/nsCOMArray.h:232
6 	XUL 	CMMFCertOrEncCertTemplate 	
7 	XUL 	CMMFCertOrEncCertTemplate 	
8 	XUL 	nsObserverService::NotifyObservers 	nsObserverService.cpp:161
9 	XUL 	mozilla::ShutdownXPCOM 	xpcom/build/nsXPComInit.cpp:579
10 	XUL 	ScopedXPCOMStartup::~ScopedXPCOMStartup 	toolkit/xre/nsAppRunner.cpp:1129
...

Frame 	Module 	Signature 	Source
0 	libmozglue.dylib 	jemalloc_crash 	jemalloc.c:1590
1 	libsystem_c.dylib 	libsystem_c.dylib@0x2d8f8 	
2 	XUL 	CMMFCertOrEncCertTemplate 	
3 	XUL 	WidgetShutdownObserver::Release 	obj-firefox/x86_64/dist/include/mozilla/mozalloc.h:225
4 	XUL 	nsCOMArray_base::Clear 	nsCOMArray.cpp:240
5 	XUL 	nsCOMArray_base::~nsCOMArray_base 	nsCOMArray.cpp:44
6 	XUL 	nsObserverList::NotifyObservers 	obj-firefox/x86_64/dist/include/nsCOMArray.h:232
7 	XUL 	CMMFCertOrEncCertTemplate 	
8 	XUL 	CMMFCertOrEncCertTemplate 	
9 	XUL 	nsObserverService::NotifyObservers 	nsObserverService.cpp:161
10 	XUL 	XUL@0xd8d160 	
11 	XUL 	mozilla::ShutdownXPCOM 	xpcom/build/nsXPComInit.cpp:579
Crash Signature: [@ jemalloc_crash | libsystem_c.dylib@0x2d8f8] [@ jemalloc_crash | CMMFCertOrEncCertTemplate] [@ mozilla::layers::PCompositorChild::SendWillStop()] → [@ jemalloc_crash | libsystem_c.dylib@0x2d8f8] [@ jemalloc_crash | libsystem_c.dylib@0x2d898] [@ jemalloc_crash | libsystem_c.dylib@0xa0789] [@ jemalloc_crash | CMMFCertOrEncCertTemplate] [@ mozilla::layers::PCompositorChild::SendWillStop()]
Duplicate of this bug: 884481
Summary: startup crash in WidgetShutdownObserver::Observe → startup jemalloc crash coming from WidgetShutdownObserver::Observe
(In reply to Matt Woodrow (:mattwoodrow) from comment #2)
> Gregor: I assume you have layers.offmainthreadcomposition.enabled set to
> true. Setting that to false (the default) should stop this happening for now.
> 
> Figuring out why you're getting XPCOM shutdown observers called during
> startup would be really helpful too.

I don't seem to have this pref in my profile. I only have:
layers.offmainthreadcomposition.animate-opacity;false
layers.offmainthreadcomposition.animate-transform;false
layers.offmainthreadcomposition.log-animations;false

And they all contain default values. This is now with my profile and FF21.
When the ObserverList starts processing updates, it makes a copy of the list.

If we try remove items from the list during this, we won't stop them from being processed.

I haven't been able to reproduce this, but it makes sense that this could cause us to hit WidgetShutdownObserver::Observe() with mWidget pointing to invalid memory.
Attachment #764511 - Flags: review?(roc)
Matt, the patch you sent me fixed the problem.
Crash Signature: [@ jemalloc_crash | libsystem_c.dylib@0x2d8f8] [@ jemalloc_crash | libsystem_c.dylib@0x2d898] [@ jemalloc_crash | libsystem_c.dylib@0xa0789] [@ jemalloc_crash | CMMFCertOrEncCertTemplate] [@ mozilla::layers::PCompositorChild::SendWillStop()] → [@ jemalloc_crash | libsystem_c.dylib@0x2d8f8] [@ jemalloc_crash | libsystem_c.dylib@0x2d898] [@ jemalloc_crash | libsystem_c.dylib@0xa0789] [@ jemalloc_crash | CMMFCertOrEncCertTemplate] [@ jemalloc_crash | free | CMMFCertOrEncCertTemplate ] [@ mozi…
https://hg.mozilla.org/mozilla-central/rev/171ec5d1724d
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
No crashes on FF >= 24 in the crashstats in the last 4 weeks. Verified fixed.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.