Closed Bug 896200 Opened 7 years ago Closed 7 years ago

crash in DestroyIterator

Categories

(Core :: Layout, defect, critical)

25 Branch
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla25
Tracking Status
firefox24 --- unaffected
firefox25 + verified

People

(Reporter: scoobidiver, Assigned: jfkthame)

References

()

Details

(5 keywords)

Crash Data

It started spiking in 25.0a1/20130720. The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=af4e3ce8c487&tochange=bf73e10f5e54
It might be a regression from bug 879963.

Signature 	nsFontFaceLoader::Cancel() More Reports Search
UUID 	94f25406-4a12-410f-bb1d-6606a2130720
Date Processed	2013-07-20 17:12:39.639023
Uptime	72
Last Crash	82 seconds before submission
Install Age 	151 since version was first installed.
Install Time 	2013-07-20 17:09:57
Product 	Firefox
Version 	25.0a1
Build ID 	20130720030214
Release Channel 	nightly
OS 	Windows NT
OS Version 	6.2.9200
Build Architecture 	x86
Build Architecture Info 	GenuineIntel family 6 model 58 stepping 9 | 4
Crash Reason 	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 	0x0
App Notes 	
AdapterVendorID: 0x8086, AdapterDeviceID: 0x0152, AdapterSubsysID: 05741028, AdapterDriverVersion: 9.17.10.2849
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsFontFaceLoader::Cancel() 	layout/style/nsFontFaceLoader.cpp
1 	xul.dll 	DestroyIterator 	layout/style/nsFontFaceLoader.cpp
2 	xul.dll 	nsTHashtable<nsPtrHashKey<nsIFrame> >::s_EnumStub(PLDHashTable *,PLDHashEntryHdr *,unsigned int,void *) 	obj-firefox/dist/include/nsTHashtable.h
3 	xul.dll 	PL_DHashTableEnumerate 	obj-firefox/xpcom/build/pldhash.cpp
4 	xul.dll 	nsTHashtable<nsPtrHashKey<nsFontFaceLoader> >::EnumerateEntries(PLDHashOperator (*)(nsPtrHashKey<nsFontFaceLoader> *,void *),void *) 	obj-firefox/dist/include/nsTHashtable.h
5 	xul.dll 	nsUserFontSet::Destroy() 	layout/style/nsFontFaceLoader.cpp
6 	xul.dll 	nsPresContext::SetShell(nsIPresShell *) 	layout/base/nsPresContext.cpp
7 	xul.dll 	PresShell::Destroy() 	layout/base/nsPresShell.cpp
8 	xul.dll 	nsDocumentViewer::DestroyPresShell() 	layout/base/nsDocumentViewer.cpp
9 	xul.dll 	nsDocumentViewer::Destroy() 	layout/base/nsDocumentViewer.cpp
10 	xul.dll 	nsDocumentViewer::Show() 	layout/base/nsDocumentViewer.cpp
11 	xul.dll 	nsPresContext::EnsureVisible() 	layout/base/nsPresContext.cpp
12 	xul.dll 	nsPluginInstanceOwner::Init(nsIContent *) 	dom/plugins/base/nsPluginInstanceOwner.cpp
13 	xul.dll 	nsPluginHost::InstantiatePluginInstance(char const *,nsIURI *,nsObjectLoadingContent *,nsPluginInstanceOwner * *) 	dom/plugins/base/nsPluginHost.cpp
14 	xul.dll 	nsObjectLoadingContent::InstantiatePluginInstance(bool) 	content/base/src/nsObjectLoadingContent.cpp
15 	xul.dll 	nsCString::nsCString(nsCString const &) 	obj-firefox/dist/include/nsTString.h
16 	xul.dll 	nsObjectLoadingContent::ScriptRequestPluginInstance(JSContext *,nsNPAPIPluginInstance * *) 	content/base/src/nsObjectLoadingContent.cpp
17 	xul.dll 	nsObjectLoadingContent::DoNewResolve(JSContext *,JS::Handle<JSObject *>,JS::Handle<int>,JS::MutableHandle<JS::Value>) 	content/base/src/nsObjectLoadingContent.cpp
18 	xul.dll 	mozilla::dom::HTMLEmbedElementBinding::_newResolve 	obj-firefox/dom/bindings/HTMLEmbedElementBinding.cpp
19 	mozjs.dll 	js::GetPropertyHelper(JSContext *,JS::Handle<JSObject *>,JS::Handle<int>,unsigned int,JS::MutableHandle<JS::Value>) 	js/src/jsobj.cpp
20 	mozjs.dll 	GetPropertyOperation(JSContext *,js::StackFrame *,JS::Handle<JSScript *>,unsigned char *,JS::MutableHandle<JS::Value>,JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
21 	mozjs.dll 	Interpret 	js/src/vm/Interpreter.cpp
22 	mozjs.dll 	js::RunScript(JSContext *,js::RunState &) 	js/src/vm/Interpreter.cpp
23 	mozjs.dll 	js::ExecuteKernel(JSContext *,JS::Handle<JSScript *>,JSObject &,JS::Value const &,js::ExecuteType,js::AbstractFramePtr,JS::Value *) 	js/src/vm/Interpreter.cpp
24 	mozjs.dll 	js::Execute(JSContext *,JS::Handle<JSScript *>,JSObject &,JS::Value *) 	js/src/vm/Interpreter.cpp
25 	mozjs.dll 	JS::Evaluate(JSContext *,JS::Handle<JSObject *>,JS::CompileOptions,wchar_t const *,unsigned int,JS::Value *) 	js/src/jsapi.cpp
26 	xul.dll 	nsJSContext::EvaluateString(nsAString_internal const &,JS::Handle<JSObject *>,JS::CompileOptions &,bool,JS::Value *) 	dom/base/nsJSEnvironment.cpp
27 	xul.dll 	nsScriptLoader::EvaluateScript(nsScriptLoadRequest *,nsString const &) 	content/base/src/nsScriptLoader.cpp
28 	xul.dll 	nsScriptLoader::ProcessRequest(nsScriptLoadRequest *) 	content/base/src/nsScriptLoader.cpp
29 	xul.dll 	nsScriptLoader::ProcessPendingRequests() 	content/base/src/nsScriptLoader.cpp
30 	xul.dll 	nsScriptLoader::OnStreamComplete(nsIStreamLoader *,nsISupports *,tag_nsresult,unsigned int,unsigned char const *) 	content/base/src/nsScriptLoader.cpp
31 	xul.dll 	nsStreamLoader::OnStopRequest(nsIRequest *,nsISupports *,tag_nsresult) 	netwerk/base/src/nsStreamLoader.cpp
32 	xul.dll 	nsForceXMLListener::OnStopRequest(nsIRequest *,nsISupports *,tag_nsresult) 	netwerk/streamconv/converters/nsHTTPCompressConv.cpp
33 	xul.dll 	mozilla::net::nsHttpChannel::OnStopRequest(nsIRequest *,nsISupports *,tag_nsresult) 	netwerk/protocol/http/nsHttpChannel.cpp
34 	xul.dll 	nsInputStreamPump::OnStateStop() 	netwerk/base/src/nsInputStreamPump.cpp
35 	xul.dll 	nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream *) 	netwerk/base/src/nsInputStreamPump.cpp
36 	xul.dll 	nsInputStreamReadyEvent::Run() 	xpcom/io/nsStreamUtils.cpp
37 	xul.dll 	nsThread::ProcessNextEvent(bool,bool *) 	xpcom/threads/nsThread.cpp
38 	xul.dll 	NS_ProcessNextEvent(nsIThread *,bool) 	obj-firefox/xpcom/build/nsThreadUtils.cpp
39 	xul.dll 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate *) 	ipc/glue/MessagePump.cpp
40 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc
41 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
42 	xul.dll 	nsBaseAppShell::Run() 	widget/xpwidgets/nsBaseAppShell.cpp
43 	xul.dll 	nsAppShell::Run() 	widget/windows/nsAppShell.cpp
44 	xul.dll 	nsAppStartup::Run() 	toolkit/components/startup/nsAppStartup.cpp
45 	xul.dll 	XREMain::XRE_mainRun() 	toolkit/xre/nsAppRunner.cpp
46 	xul.dll 	XREMain::XRE_main(int,char * * const,nsXREAppData const *) 	toolkit/xre/nsAppRunner.cpp
47 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp

More reports at:
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=nsFontFaceLoader%3A%3ACancel%28%29
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=DestroyIterator
It's #1 top crasher in this build.
Keywords: topcrash
STR: Load the ref. URL and close its tab.
Is this filed correctly as "all platforms", or is it Windows-specific? I'm unable to reproduce with current Nightly on OS X. Will try Windows later...
(In reply to Jonathan Kew (:jfkthame) from comment #3)
> Is this filed correctly as "all platforms", or is it Windows-specific?
The first signature is for Windows and Linux, the second one is for Windows and Mac OS X.

> I'm unable to reproduce with current Nightly on OS X. Will try Windows later...
The STR of comment 2 work at least on Windows.
Assignee: nobody → jfkthame
Jonathan, this was brought up in our stability meeting today and looks like a serious crasher on nightly and since we may not be close to a resolution here could we instead do a backout of 879963 due to the volume here ?
Yes, I think that makes sense (sadly). I haven't figured out exactly what's going on yet that can lead to the crash here. So at this point a backout looks like our safest option.

I'm suspicious that what's really happening here is that the changes from bug 879963 may be exposing a pre-existing bug (or at least some overly fragile assumptions) elsewhere in the font-related code, but that's little more than a hunch as yet.

I'll plan to push a backout tomorrow morning my time (as inbound is currently closed).
Blocks: 879963
Crash Signature: [@ nsFontFaceLoader::Cancel()] [@ DestroyIterator ] → [@ nsFontFaceLoader::Cancel()] [@ DestroyIterator ] [@ gfxUserFontSet::Release()]
(I think this was mistakenly unset)
(In reply to Alex Keybl [:akeybl] from comment #7)
> (I think this was mistakenly unset)

Sorry - I must've had a stale/cached bugzilla tab.

Backed out bug 879963 on inbound (see bug 879963#c23):
https://hg.mozilla.org/integration/mozilla-inbound/rev/9fc53053c489

I'll leave this open until the backout goes out in Nightly and we can confirm that the crashes no longer occur.
Backout merge to m-c:
https://hg.mozilla.org/mozilla-central/rev/9fc53053c489

Should be good from tomorrow's nightly onwards :-)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Flagging for verification in Firefox 25.
Keywords: verifyme
Verified as fixed with latest Aurora, on Ubuntu 12.10 32bit, Mac OSX 10.8.4 and Windows 7 64bit, using the STR from comment 2.

Here are the reports from Socorro, regarding last month:

1) for the first signature, there are no crashes with 25.0a2

https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&reason_type=contains&date=2013-09-11&range_value=28&range_unit=days&hang_type=any&process_type=any&signature=nsFontFaceLoader%3A%3ACancel%28%29

2) for the 2nd signature, there are no reports/crashes

3) for the 3rd signature, there is 1 crash with 25.0a2

https://crash-stats.mozilla.com/report/list?signature=gfxUserFontSet%3A%3ARelease%28%29&product=Firefox&query_type=contains&range_unit=weeks&process_type=any&hang_type=any&date=2013-09-11+12%3A00%3A00&range_value=4
QA Contact: manuela.muntean
You need to log in before you can comment on or make changes to this bug.