Closed Bug 911546 Opened 11 years ago Closed 8 years ago

segfault in PresContext when popup menu displayed

Categories: Core :: Layout (defect)
Version: 25 Branch
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Target milestone: mozilla49
Tracking status: firefox49 fixed
Reporter: mozilla.org, Assigned: enndeakin
Keywords: crash
Attachments: 5 files, 2 obsolete files

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0 (Beta/Release)
Build ID: 20130830125138

Steps to reproduce:

firefox-25.0~a2~hg20130829r149208 under Linux

Cause an add-on such as Cookie Monster or RequestPolicy to display its popup menu, then navigate to a second level menu from this menu.


Actual results:

When the second or later level popup menu is displayed, the browser crashes with a segfault in PresContext.  This happens perhaps one in five times on average; it seems more frequent when the browser is rendering.

Top level of backtrace (further levels in attached file):
#0  0x00007ffff2e97f17 in PresContext (this=0x7fffaba0ae48)
    at /build/buildd/firefox-25.0~a2~hg20130829r149208/layout/generic/nsFrame.cpp:8118
#1  nsWeakFrame::InitInternal (this=this@entry=0x7fffffffc3b0, 
    aFrame=aFrame@entry=0x7fffaba0ae48)
    at /build/buildd/firefox-25.0~a2~hg20130829r149208/layout/generic/nsFrame.cpp:367
#2  0x00007ffff2f8c9b8 in Init (aFrame=0x7fffaba0ae48, this=0x7fffffffc3b0)
    at /build/buildd/firefox-25.0~a2~hg20130829r149208/layout/xul/base/src/../../../generic/nsIFrame.h:3267
#3  nsWeakFrame (aFrame=0x7fffaba0ae48, this=0x7fffffffc3b0)
    at /build/buildd/firefox-25.0~a2~hg20130829r149208/layout/xul/base/src/../../../generic/nsIFrame.h:3205
#4  nsXULPopupManager::HidePopupCallback (this=this@entry=0x7fffe3672900, 
    aPopup=aPopup@entry=0x7fffde4be8f0, aPopupFrame=0x7fffaba0ae48, 
    aNextPopup=aNextPopup@entry=0x7fffe00c2f70, 
    aLastPopup=aLastPopup@entry=0x0, 
    aPopupType=aPopupType@entry=ePopupTypeMenu, 
    aDeselectMenu=aDeselectMenu@entry=true)
    at /build/buildd/firefox-25.0~a2~hg20130829r149208/layout/xul/base/src/nsXULPopupManager.cpp:931


Expected results:

The menu should render.
Keywords: crash
WFM, Aurora 25a2 and Nightly ASAN on Linux64.
Severity: normal → critical
Keywords: qawanted
Please let me know if there's any other data you'd like, as it's quite easy for me to reproduce this, also within GDB.

In the appropriate source version, nsFrame.cpp:8118 is the closing brace of the definition of nsIFrame::CreateOwnLayerIfNeeded(), which isn't particularly enlightening. Not sure how it can segfault there.

On the other hand, nsWeakFrame::InitInternal() does dereference mFrame->PresContext(), without sanity checking it. The assumption throughout seems to be that it's safe to do this.
> In the appropriate source version, nsFrame.cpp:8118 is the closing brace of
> the definition of nsIFrame::CreateOwnLayerIfNeeded(), which isn't
> particularly enlightening. Not sure how it can segfault there.

Yeah, that line doesn't seem like the right one.  I suspect your source / binary
is out-of-sync somehow.  You can make your own debug build if you want:
https://developer.mozilla.org/en/docs/Simple_Firefox_build
the Aurora repo is at:
http://hg.mozilla.org/releases/mozilla-aurora

> On the other hand, nsWeakFrame::InitInternal() does dereference
> mFrame->PresContext(), without sanity checking it. The assumption throughout
> seems to be that it's safe to do this.

The frame must be alive when you wrap it in a nsWeakFrame, so that's a correct
assumption.

Can you put a break-point in nsXULPopupManager::HidePopupCallback and
"print *aPopupFrame" when you get there?  Might as well do "print *aPopup"
and "print *this" too.  Then type "next" to the line before nsWeakFrame and
do a "print *aPopupFrame" again.

It's a bit tricky to debug this though because Firefox has likely grabbed
all mouse/kbd events at that point so when you hit the breakpoint your
desktop will freeze.  So you'll have to either run Firefox under Xephyr
or something like it, or login remotely from a different computer and debug
from there.  I usually use Xephyr and here's the bash function I use for that:
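function bg1() {
  # Start a nested X server on display :1, start a window manager in it,
  # then run the given command (with its arguments intact) on that display.
  ( { nohup Xephyr :1 -screen 1600x1200 > /dev/null 2>&1 & } && sleep 3 && { export DISPLAY=:1; xfwm4 & } && "$@" )
}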

then start Firefox like so:
# bg1 firefox ... &
Thanks for the detailed instructions. I upgraded to firefox-25.0~a2~hg20130902r149232, set up GDB over SSH, and spent a few hours trying to reproduce this, with no luck. Perhaps it is timing-dependent and won't happen when process flow is paused by the breakpoint.

Next best thing: ran without a breakpoint, reproduced the segfault, and traversed back up the stack to print the variables you wanted.

(gdb) bt
#0  0x00007ffff2e97fe7 in PresContext (this=0x7fff98383a08) at /build/buildd/firefox-25.0~a2~hg20130902r149232/layout/generic/nsFrame.cpp:8118
#1  nsWeakFrame::InitInternal (this=this@entry=0x7fffffffc3d0, aFrame=aFrame@entry=0x7fff98383a08) at /build/buildd/firefox-25.0~a2~hg20130902r149232/layout/generic/nsFrame.cpp:367
#2  0x00007ffff2f8ca88 in Init (aFrame=0x7fff98383a08, this=0x7fffffffc3d0) at /build/buildd/firefox-25.0~a2~hg20130902r149232/layout/xul/base/src/../../../generic/nsIFrame.h:3267
#3  nsWeakFrame (aFrame=0x7fff98383a08, this=0x7fffffffc3d0) at /build/buildd/firefox-25.0~a2~hg20130902r149232/layout/xul/base/src/../../../generic/nsIFrame.h:3205
#4  nsXULPopupManager::HidePopupCallback (this=this@entry=0x7fffe3672900, aPopup=aPopup@entry=0x7fff723acb80, aPopupFrame=0x7fff98383a08, aNextPopup=aNextPopup@entry=0x7fffdf580dc0, aLastPopup=aLastPopup@entry=0x0, aPopupType=aPopupType@entry=ePopupTypeMenu, aDeselectMenu=aDeselectMenu@entry=true) at /build/buildd/firefox-25.0~a2~hg20130902r149232/layout/xul/base/src/nsXULPopupManager.cpp:931
[...]
(gdb) up [x 4]
[...]
(gdb) print *aPopupFrame
$1 = {<nsBoxFrame> = {<nsContainerFrame> = {<nsSplittableFrame> = {<nsFrame> = {<nsBox> = {<nsIFrame> = {<nsQueryFrame> = {_vptr.nsQueryFrame = 0x7ffffffff0dea7ff}, static kFrameIID = nsQueryFrame::nsIFrame_id, static kPrincipalList = mozilla::layout::kPrincipalList, static kAbsoluteList = mozilla::layout::kAbsoluteList, static kBulletList = mozilla::layout::kBulletList, static kCaptionList = mozilla::layout::kCaptionList, static kColGroupList = mozilla::layout::kColGroupList, static kExcessOverflowContainersList = mozilla::layout::kExcessOverflowContainersList, static kFixedList = mozilla::layout::kFixedList, static kFloatList = mozilla::layout::kFloatList, static kOverflowContainersList = mozilla::layout::kOverflowContainersList, static kOverflowList = mozilla::layout::kOverflowList, static kOverflowOutOfFlowList = mozilla::layout::kOverflowOutOfFlowList, static kPopupList = mozilla::layout::kPopupList, static kPushedFloatsList = mozilla::layout::kPushedFloatsList, static kSelectPopupList = mozilla::layout::kSelectPopupList, static kNoReflowPrincipalList = mozilla::layout::kNoReflowPrincipalList, static sLayerIsPrerenderedDataKey = 0 '\000', mRect = {<mozilla::gfx::BaseRect<int, nsRect, nsPoint, nsSize, nsMargin>> = {x = -253843457, y = 2147483647, width = -253843457, height = 2147483647}, <No data fields>}, mContent = 0x7ffffffff0dea7ff, mStyleContext = 0x7ffffffff0dea7ff, mParent = 0x7ffffffff0dea7ff, mNextSibling = 0x7ffffffff0dea7ff, mPrevSibling = 0x7ffffffff0dea7ff, mState = 9223372036600932351, mOverflow = {mType = 4041123839, mVisualDeltas = {mLeft = 255 '\377', mTop = 167 '\247', mRight = 222 '\336', mBottom = 240 '\360'}}}, static gGotTheme = true, static gTheme = 0x7fffd44608c8}, <No data fields>}, mPrevContinuation = 0x7ffffffff0dea7ff, mNextContinuation = 0x7ffffffff0dea7ff}, static kFrameIID = nsQueryFrame::nsContainerFrame_id, mFrames = {mFirstChild = 0x7ffffffff0dea7ff, mLastChild = 0x7ffffffff0dea7ff}}, mPrefSize = {<mozilla::gfx::BaseSize<int, 
nsSize>> = {width = -253843457, height = 2147483647}, <No data fields>}, mMinSize = {<mozilla::gfx::BaseSize<int, nsSize>> = {width = -253843457, height = 2147483647}, <No data fields>}, mMaxSize = {<mozilla::gfx::BaseSize<int, nsSize>> = {width = -253843457, height = 2147483647}, <No data fields>}, mFlex = -253843457, mAscent = 2147483647, mLayoutManager = {<nsCOMPtr_base> = {mRawPtr = 0x7ffffffff0dea7ff}, <No data fields>}, mHalign = (nsIFrame::hAlign_Right | nsIFrame::hAlign_Center | unknown: 4041123836), mValign = 2147483647}, <nsMenuParent> = {_vptr.nsMenuParent = 0x7ffffffff0dea7ff}, static kFrameIID = nsQueryFrame::nsMenuPopupFrame_id, mIncrementalString = {<nsAString_internal> = {mData = 0x7ffffffff0dea7ff, mLength = 4041123839, mFlags = 2147483647}, <No data fields>}, mAnchorContent = {<nsCOMPtr_base> = {mRawPtr = 0x7ffffffff0dea7ff}, <No data fields>}, mTriggerContent = {<nsCOMPtr_base> = {mRawPtr = 0x7ffffffff0dea7ff}, <No data fields>}, mCurrentMenu = 0x7ffffffff0dea7ff, mPrefSize = {<mozilla::gfx::BaseSize<int, nsSize>> = {width = -253843457, height = 2147483647}, <No data fields>}, mXPos = -253843457, mYPos = 2147483647, mScreenXPos = -253843457, mScreenYPos = 2147483647, mAlignmentOffset = -253843457, mLastClientOffset = {<mozilla::gfx::BasePoint<int, nsIntPoint>> = {x = 2147483647, y = -253843457}, <No data fields>}, mPopupType = (ePopupTypeMenu | ePopupTypeTooltip | ePopupTypeAny | unknown: 2147422204), mPopupState = 4041123839, mPopupAlignment = -1 '\377', mPopupAnchor = -1 '\377', mPosition = -1 '\377', mConsumeRollupEvent = 127 '\177', mFlipBoth = 255, mSlide = 167, mIsOpenChanged = 222, mIsContextMenu = 240, mAdjustOffsetForContextMenu = 255, mGeneratedChildren = 255, mMenuCanOverlapOSBar = 255, mShouldAutoPosition = 127, mInContentShell = 255, mIsMenuLocked = 167, mIsDragPopup = 222, mHFlip = 240, mVFlip = 255, static sDefaultLevelIsTop = 1 '\001'}
(gdb) print *aPopup
$2 = {<nsINode> = {<mozilla::dom::EventTarget> = {<nsIDOMEventTarget> = {<nsISupports> = {_vptr.nsISupports = 0x7ffff51d91d0 <vtable for nsXULElement+16>}, <No data fields>}, <nsWrapperCache> = {_vptr.nsWrapperCache = 0x7ffff51d9e90 <vtable for nsXULElement+3280>, mWrapper = {<js::HeapBase<JSObject*>> = {<No data fields>}, ptr = 0x7fffac2d51c0}, mFlags = 98827}, <No data fields>}, mNodeInfo = {<nsCOMPtr_base> = {mRawPtr = 0x7fffcbf59f80}, <No data fields>}, mParent = 0x7fff723abe00, mBoolFlags = 268566542, mNextSibling = 0x0, mPreviousSibling = 0x0, mFirstChild = 0x7fff723e1ce0, {mPrimaryFrame = 0x0, mSubtreeRoot = 0x0}, mSlots = 0x7fff723acca0}, static sTabFocusModel = 7, static sTabFocusModelAppliesToXUL = false}
(gdb) print *this
$3 = {<nsIDOMEventListener> = {<nsISupports> = {_vptr.nsISupports = 0x7ffff510acc0 <vtable for nsXULPopupManager+16>}, <No data fields>}, <nsIRollupListener> = {_vptr.nsIRollupListener = 0x7ffff510ad38 <vtable for nsXULPopupManager+136>}, <nsITimerCallback> = {<nsISupports> = {_vptr.nsISupports = 0x7ffff510ad80 <vtable for nsXULPopupManager+208>}, <No data fields>}, <nsIObserver> = {<nsISupports> = {_vptr.nsISupports = 0x7ffff510adb0 <vtable for nsXULPopupManager+256>}, <No data fields>}, mRefCnt = {static isThreadSafe = false, mValue = 2}, static sInstance = 0x7fffe3672900, mKeyListener = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, mWidget = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, mRangeParent = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, mRangeOffset = 0, mCachedMousePoint = {<mozilla::gfx::BasePoint<int, nsIntPoint>> = {x = 0, y = 0}, <No data fields>}, mCachedModifiers = 0, mActiveMenuBar = 0x0, mPopups = 0x0, mNoHidePanels = 0x0, mCloseTimer = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, mTimerMenu = 0x0, mOpeningPopup = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}}
(gdb) print *aNextPopup
$4 = {<nsINode> = {<mozilla::dom::EventTarget> = {<nsIDOMEventTarget> = {<nsISupports> = {_vptr.nsISupports = 0x7ffff51d91d0 <vtable for nsXULElement+16>}, <No data fields>}, <nsWrapperCache> = {_vptr.nsWrapperCache = 0x7ffff51d9e90 <vtable for nsXULElement+3280>, mWrapper = {<js::HeapBase<JSObject*>> = {<No data fields>}, ptr = 0x7fffc5286740}, mFlags = 98843}, <No data fields>}, mNodeInfo = {<nsCOMPtr_base> = {mRawPtr = 0x7fffcbf59f80}, <No data fields>}, mParent = 0x7fffdf5809d0, mBoolFlags = 196638, mNextSibling = 0x0, mPreviousSibling = 0x0, mFirstChild = 0x7fffdf580e50, {mPrimaryFrame = 0x0, mSubtreeRoot = 0x0}, mSlots = 0x7fffbcffb5e0}, static sTabFocusModel = 7, static sTabFocusModelAppliesToXUL = false}
(gdb) print *aLastPopup
Cannot access memory at address 0x0
(gdb) print aPopupType
$5 = ePopupTypeMenu
(gdb) print aDeselectMenu
$6 = true
(gdb) print *item
$7 = {mFrame = 0x7fff98383a08, mPopupType = ePopupTypeMenu, mIsContext = true, mOnMenuBar = false, mIgnoreKeys = false, mParent = 0x0, mChild = 0x0}

Is there anything useful for you in here? Please let me know if there's any other data you'd like.
Yes, that's very valuable indeed.  It shows that aPopupFrame is already destroyed
at this point (it's overwritten with the poison value 0x7ffffffff0dea7ff).
(other values look reasonable)

I think it's hard to debug this without using breakpoints though, so it would be better
if you can make your own debug build and see if you can reproduce the crash with that.

Actually, it might be worth trying to set a breakpoint in HidePopupCallback as before
but instead of stopping just run a few commands then continue.  Try for example

break nsXULPopupManager::HidePopupCallback
commands 1
print aPopupFrame->mContent
cont
end

(I think you can run this locally without risk of freezing your desktop)

If the value of aPopupFrame->mContent is the poison value just before the crash then
we can rule out the code in HidePopupCallback as the culprit.
At the entry of FirePopupHidingEvent, aPopup->GetPrimaryFrame()->mContent is the
expression to print.
Thanks for introducing me to GDB's commands feature. I did not know about it.

Printing aPopupFrame->mContent caused GDB to spin on CPU for a minute before printing the pointer, so it wasn't suitable. I printed all of *aPopupFrame as before instead.

Here's the output immediately before and after a crash. mContent started with the value 0x7fffdbf4e350, which it had for the previous 16 invocations also.

Breakpoint 3, nsXULPopupManager::HidePopupCallback (this=this@entry=0x7fffe3672900, aPopup=aPopup@entry=0x7fffdbf4e350, aPopupFrame=0x7fffbca28770, aNextPopup=aNextPopup@entry=0x0, aLastPopup=aLastPopup@entry=0x0, aPopupType=aPopupType@entry=ePopupTypeMenu, aDeselectMenu=aDeselectMenu@entry=true) at /build/buildd/firefox-25.0~a2~hg20130902r149232/layout/xul/base/src/nsXULPopupManager.cpp:896
896	in /build/buildd/firefox-25.0~a2~hg20130902r149232/layout/xul/base/src/nsXULPopupManager.cpp
$126 = {<nsBoxFrame> = {<nsContainerFrame> = {<nsSplittableFrame> = {<nsFrame> = {<nsBox> = {<nsIFrame> = {<nsQueryFrame> = {_vptr.nsQueryFrame = 0x7ffff5107a30 <vtable for nsMenuPopupFrame+16>}, static kFrameIID = nsQueryFrame::nsIFrame_id, static kPrincipalList = mozilla::layout::kPrincipalList, static kAbsoluteList = mozilla::layout::kAbsoluteList, static kBulletList = mozilla::layout::kBulletList, static kCaptionList = mozilla::layout::kCaptionList, static kColGroupList = mozilla::layout::kColGroupList, static kExcessOverflowContainersList = mozilla::layout::kExcessOverflowContainersList, static kFixedList = mozilla::layout::kFixedList, static kFloatList = mozilla::layout::kFloatList, static kOverflowContainersList = mozilla::layout::kOverflowContainersList, static kOverflowList = mozilla::layout::kOverflowList, static kOverflowOutOfFlowList = mozilla::layout::kOverflowOutOfFlowList, static kPopupList = mozilla::layout::kPopupList, static kPushedFloatsList = mozilla::layout::kPushedFloatsList, static kSelectPopupList = mozilla::layout::kSelectPopupList, static kNoReflowPrincipalList = mozilla::layout::kNoReflowPrincipalList, static sLayerIsPrerenderedDataKey = 0 '\000', mRect = {<mozilla::gfx::BaseRect<int, nsRect, nsPoint, nsSize, nsMargin>> = {x = 62280, y = 2340, width = 19500, height = 22620}, <No data fields>}, mContent = 0x7fffdbf4e350, mStyleContext = 0x7fff8f667ba0, mParent = 0x7fffdf38e530, mNextSibling = 0x7fffbdb58fc0, mPrevSibling = 0x0, mState = 1126176940892432, mOverflow = {mType = 0, mVisualDeltas = {mLeft = 0 '\000', mTop = 0 '\000', mRight = 0 '\000', mBottom = 0 '\000'}}}, static gGotTheme = true, static gTheme = 0x7fffdd70f8c8}, <No data fields>}, mPrevContinuation = 0x0, mNextContinuation = 0x0}, static kFrameIID = nsQueryFrame::nsContainerFrame_id, mFrames = {mFirstChild = 0x7fff92c09308, mLastChild = 0x7fff92c09308}}, mPrefSize = {<mozilla::gfx::BaseSize<int, nsSize>> = {width = 19500, height = 22620}, <No data fields>}, mMinSize = 
{<mozilla::gfx::BaseSize<int, nsSize>> = {width = 60, height = 0}, <No data fields>}, mMaxSize = {<mozilla::gfx::BaseSize<int, nsSize>> = {width = 1073741824, height = 1073741824}, <No data fields>}, mFlex = -1, mAscent = -1, mLayoutManager = {<nsCOMPtr_base> = {mRawPtr = 0x7fffc5a07f50}, <No data fields>}, mHalign = nsIFrame::hAlign_Left, mValign = nsIFrame::vAlign_Top}, <nsMenuParent> = {_vptr.nsMenuParent = 0x7ffff5107f68 <vtable for nsMenuPopupFrame+1352>}, static kFrameIID = nsQueryFrame::nsMenuPopupFrame_id, mIncrementalString = {<nsAString_internal> = {mData = 0x7ffff5423470 <gNullChar>, mLength = 0, mFlags = 1}, <No data fields>}, mAnchorContent = {<nsCOMPtr_base> = {mRawPtr = 0x7fffcb699dc0}, <No data fields>}, mTriggerContent = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, mCurrentMenu = 0x7fff950bc510, mPrefSize = {<mozilla::gfx::BaseSize<int, nsSize>> = {width = 19500, height = 22620}, <No data fields>}, mXPos = 0, mYPos = 0, mScreenXPos = -1, mScreenYPos = -1, mAlignmentOffset = 0, mLastClientOffset = {<mozilla::gfx::BasePoint<int, nsIntPoint>> = {x = 0, y = 0}, <No data fields>}, mPopupType = ePopupTypeMenu, mPopupState = ePopupHiding, mPopupAlignment = 1 '\001', mPopupAnchor = 2 '\002', mPosition = 2 '\002', mConsumeRollupEvent = 0 '\000', mFlipBoth = false, mSlide = false, mIsOpenChanged = false, mIsContextMenu = true, mAdjustOffsetForContextMenu = false, mGeneratedChildren = true, mMenuCanOverlapOSBar = true, mShouldAutoPosition = true, mInContentShell = false, mIsMenuLocked = false, mIsDragPopup = false, mHFlip = false, mVFlip = false, static sDefaultLevelIsTop = 1 '\001'}

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff2e97fe7 in PresContext (this=0x7fffbdb58cf8) at /build/buildd/firefox-25.0~a2~hg20130902r149232/layout/generic/nsFrame.cpp:8118
8118	/build/buildd/firefox-25.0~a2~hg20130902r149232/layout/generic/nsFrame.cpp: No such file or directory.
(gdb) up [x 4]
[...]
(gdb) print *aPopupFrame
$127 = {<nsBoxFrame> = {<nsContainerFrame> = {<nsSplittableFrame> = {<nsFrame> = {<nsBox> = {<nsIFrame> = {<nsQueryFrame> = {_vptr.nsQueryFrame = 0x7ffffffff0dea7ff}, static kFrameIID = nsQueryFrame::nsIFrame_id, static kPrincipalList = mozilla::layout::kPrincipalList, static kAbsoluteList = mozilla::layout::kAbsoluteList, static kBulletList = mozilla::layout::kBulletList, static kCaptionList = mozilla::layout::kCaptionList, static kColGroupList = mozilla::layout::kColGroupList, static kExcessOverflowContainersList = mozilla::layout::kExcessOverflowContainersList, static kFixedList = mozilla::layout::kFixedList, static kFloatList = mozilla::layout::kFloatList, static kOverflowContainersList = mozilla::layout::kOverflowContainersList, static kOverflowList = mozilla::layout::kOverflowList, static kOverflowOutOfFlowList = mozilla::layout::kOverflowOutOfFlowList, static kPopupList = mozilla::layout::kPopupList, static kPushedFloatsList = mozilla::layout::kPushedFloatsList, static kSelectPopupList = mozilla::layout::kSelectPopupList, static kNoReflowPrincipalList = mozilla::layout::kNoReflowPrincipalList, static sLayerIsPrerenderedDataKey = 0 '\000', mRect = {<mozilla::gfx::BaseRect<int, nsRect, nsPoint, nsSize, nsMargin>> = {x = -253843457, y = 2147483647, width = -253843457, height = 2147483647}, <No data fields>}, mContent = 0x7ffffffff0dea7ff, mStyleContext = 0x7ffffffff0dea7ff, mParent = 0x7ffffffff0dea7ff, mNextSibling = 0x7ffffffff0dea7ff, mPrevSibling = 0x7ffffffff0dea7ff, mState = 9223372036600932351, mOverflow = {mType = 4041123839, mVisualDeltas = {mLeft = 255 '\377', mTop = 167 '\247', mRight = 222 '\336', mBottom = 240 '\360'}}}, static gGotTheme = true, static gTheme = 0x7fffdd70f8c8}, <No data fields>}, mPrevContinuation = 0x7ffffffff0dea7ff, mNextContinuation = 0x7ffffffff0dea7ff}, static kFrameIID = nsQueryFrame::nsContainerFrame_id, mFrames = {mFirstChild = 0x7ffffffff0dea7ff, mLastChild = 0x7ffffffff0dea7ff}}, mPrefSize = {<mozilla::gfx::BaseSize<int, 
nsSize>> = {width = -253843457, height = 2147483647}, <No data fields>}, mMinSize = {<mozilla::gfx::BaseSize<int, nsSize>> = {width = -253843457, height = 2147483647}, <No data fields>}, mMaxSize = {<mozilla::gfx::BaseSize<int, nsSize>> = {width = -253843457, height = 2147483647}, <No data fields>}, mFlex = -253843457, mAscent = 2147483647, mLayoutManager = {<nsCOMPtr_base> = {mRawPtr = 0x7ffffffff0dea7ff}, <No data fields>}, mHalign = (nsIFrame::hAlign_Right | nsIFrame::hAlign_Center | unknown: 4041123836), mValign = 2147483647}, <nsMenuParent> = {_vptr.nsMenuParent = 0x7ffffffff0dea7ff}, static kFrameIID = nsQueryFrame::nsMenuPopupFrame_id, mIncrementalString = {<nsAString_internal> = {mData = 0x7ffffffff0dea7ff, mLength = 4041123839, mFlags = 2147483647}, <No data fields>}, mAnchorContent = {<nsCOMPtr_base> = {mRawPtr = 0x7ffffffff0dea7ff}, <No data fields>}, mTriggerContent = {<nsCOMPtr_base> = {mRawPtr = 0x7ffffffff0dea7ff}, <No data fields>}, mCurrentMenu = 0x7ffffffff0dea7ff, mPrefSize = {<mozilla::gfx::BaseSize<int, nsSize>> = {width = -253843457, height = 2147483647}, <No data fields>}, mXPos = -253843457, mYPos = 2147483647, mScreenXPos = -253843457, mScreenYPos = 2147483647, mAlignmentOffset = -253843457, mLastClientOffset = {<mozilla::gfx::BasePoint<int, nsIntPoint>> = {x = 2147483647, y = -253843457}, <No data fields>}, mPopupType = (ePopupTypeMenu | ePopupTypeTooltip | ePopupTypeAny | unknown: 2147422204), mPopupState = 4041123839, mPopupAlignment = -1 '\377', mPopupAnchor = -1 '\377', mPosition = -1 '\377', mConsumeRollupEvent = 127 '\177', mFlipBoth = 255, mSlide = 167, mIsOpenChanged = 222, mIsContextMenu = 240, mAdjustOffsetForContextMenu = 255, mGeneratedChildren = 255, mMenuCanOverlapOSBar = 255, mShouldAutoPosition = 127, mInContentShell = 255, mIsMenuLocked = 167, mIsDragPopup = 222, mHFlip = 240, mVFlip = 255, static sDefaultLevelIsTop = 1 '\001'}

Where to from here?
Great! So that shows that the frame is alive at the entry of HidePopupCallback.
I've added some debug code to that section of the code - can you try this build please:
https://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/mpalmgren@mozilla.com-a489e130025e/
(pick either debug or non-debug)
The expected result is that it does not crash, but instead prints "frame was destroyed!"
and a line number where that happened.
The debug version was chatty and too slow to use with my 400+ tabs, but the non-debug works and produces this output (all four lines) each time a crash would have occurred (your patch prevents any actual crash):

../../../../../layout/xul/base/src/nsXULPopupManager.cpp:1623 frame 0x7fea309ef450 was destroyed!
../../../../../layout/xul/base/src/nsXULPopupManager.cpp:1627 frame 0x7fea309ef450 was destroyed!
../../../../../layout/xul/base/src/nsXULPopupManager.cpp:1634 frame 0x7fea309ef450 was destroyed!
../../../../../layout/xul/base/src/nsXULPopupManager.cpp:937 frame 0x7fea1d220860 was destroyed!

Is this sufficient information to pinpoint the issue?
Yes, thank you.  It pinpoints the blame in nsXULPopupManager.cpp, it's the SetCaptureState
call in HidePopupCallback, which has this line:

    mWidget->CaptureRollupEvents(nullptr, true);

https://hg.mozilla.org/try/annotate/a489e130025e/layout/xul/base/src/nsXULPopupManager.cpp#l1621

Looking at CaptureRollupEvents:
http://hg.mozilla.org/mozilla-central/annotate/fff320870b20/widget/gtk2/nsWindow.cpp#l1791
I'm still kind of puzzled as to how that led to destroying frames...

So I made another test build:
https://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/mpalmgren@mozilla.com-e54d07c77dec/

Please run that build in gdb and reproduce the crash, this time it should crash in
nsFrame::DestroyFrom, I'd like the stack trace for this crash.  It will tell us
how we got from HidePopupCallback to frame destruction, hopefully.

Thanks for your patience and help on this issue.
And also, if I did not say so before, please make a backup copy of your profile
before running any of these tests.
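
The failure pattern discussed in the comments above, reduced to a self-contained model. This is an added example, not Gecko code and not a patch from this bug: a call made inside the hide callback re-enters and destroys the frame, and a weak reference taken beforehand detects it. `Frame`, `WeakFrame`, `PopupManager`, `captureHook` and the in-place poisoning are simplified assumptions; only the poison constant is taken from the GDB output in the thread.

```cpp
#include <cstdint>
#include <cstdio>
#include <functional>

// Poison pattern seen in the thread's GDB dumps of the destroyed frame.
static const uint64_t kPoison = 0x7ffffffff0dea7ffULL;

struct WeakFrame;

// Toy frame (assumption): plain data, so destruction can poison it in place
// and a later read is well defined instead of a real use-after-free.
struct Frame {
  uint64_t content;      // stands in for mContent
  uint64_t presContext;  // stands in for what PresContext() would follow
  WeakFrame* watchers;   // intrusive list of live weak references
};

// Weak reference in the spirit of nsWeakFrame: it must be created while the
// frame is alive, and it is cleared when the frame is destroyed.
struct WeakFrame {
  Frame* frame;
  WeakFrame* next;
  explicit WeakFrame(Frame* f) : frame(f), next(f->watchers) { f->watchers = this; }
  WeakFrame(const WeakFrame&) = delete;
  WeakFrame& operator=(const WeakFrame&) = delete;
  ~WeakFrame() {
    if (!frame) return;  // frame already gone, nothing to unlink from
    for (WeakFrame** p = &frame->watchers; *p; p = &(*p)->next) {
      if (*p == this) { *p = next; break; }
    }
  }
  bool IsAlive() const { return frame != nullptr; }
};

// Clear every weak reference, then poison the frame (watchers stays null here).
void DestroyFrame(Frame* f) {
  while (WeakFrame* w = f->watchers) {
    f->watchers = w->next;
    w->frame = nullptr;
  }
  f->content = kPoison;
  f->presContext = kPoison;
}

struct PopupManager {
  // Hypothetical hook standing in for the widget call that re-entered.
  std::function<void()> captureHook;

  void SetCaptureState() { if (captureHook) captureHook(); }

  // Ordering from the crash: make the call, then touch the raw pointer.
  // Returns the value later code would treat as a pointer.
  uint64_t HideUnchecked(Frame* f) {
    SetCaptureState();
    return f->presContext;
  }

  // Guarded ordering: take the weak reference first, check it after the call.
  bool HideChecked(Frame* f) {
    WeakFrame weak(f);
    SetCaptureState();
    if (!weak.IsAlive()) {
      std::puts("frame was destroyed!");
      return false;  // stop using f
    }
    f->content = 0;  // frame survived, safe to keep working on it
    return true;
  }
};

static Frame gSlot;  // single arena slot for the demo

Frame* NewFrame() {
  gSlot = Frame{0x1000, 0x2000, nullptr};
  return &gSlot;
}

uint64_t RunUnchecked() {
  Frame* f = NewFrame();
  PopupManager pm;
  pm.captureHook = [f] { DestroyFrame(f); };
  return pm.HideUnchecked(f);
}

bool RunChecked(bool reenter) {
  Frame* f = NewFrame();
  PopupManager pm;
  if (reenter) pm.captureHook = [f] { DestroyFrame(f); };
  return pm.HideChecked(f);
}

int main() {
  std::printf("unchecked read: 0x%llx\n", (unsigned long long)RunUnchecked());
  std::printf("checked, re-entrant: %d\n", RunChecked(true));
  std::printf("checked, no re-entry: %d\n", RunChecked(false));
  return 0;
}
```

In the unchecked ordering the value read back after the call is the poison pattern, which is what the crashing code went on to dereference; in the checked ordering the weak reference reports the destruction and the raw pointer is never touched again.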
You're right; forgot the ./ when invoking firefox. Here's the full backtrace from a crash with your latest test build:

#0  0x00007ffff2462438 in nsFrame::DestroyFrom(nsIFrame*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#1  0x00007ffff246d1aa in nsFrameList::DestroyFramesFrom(nsIFrame*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#2  0x00007ffff245b08b in nsContainerFrame::DestroyFrom(nsIFrame*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#3  0x00007ffff246d1aa in nsFrameList::DestroyFramesFrom(nsIFrame*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#4  0x00007ffff245b08b in nsContainerFrame::DestroyFrom(nsIFrame*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#5  0x00007ffff246d1aa in nsFrameList::DestroyFramesFrom(nsIFrame*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#6  0x00007ffff245b08b in nsContainerFrame::DestroyFrom(nsIFrame*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#7  0x00007ffff25583b7 in nsMenuPopupFrame::DestroyFrom(nsIFrame*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#8  0x00007ffff255ca90 in nsPopupSetFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#9  0x00007ffff240cb3b in nsFrameManager::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#10 0x00007ffff248c67c in nsPlaceholderFrame::DestroyFrom(nsIFrame*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#11 0x00007ffff25421e3 in nsBoxFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#12 0x00007ffff240cb3b in nsFrameManager::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#13 0x00007ffff23e3b5c in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags, bool*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#14 0x00007ffff2421fc8 in PresShell::ContentRemoved(nsIDocument*, nsIContent*, nsIContent*, int, nsIContent*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#15 0x00007ffff2605da7 in nsNodeUtils::ContentRemoved(nsINode*, nsIContent*, int, nsIContent*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#16 0x00007ffff25f4b9e in nsINode::doRemoveChildAt(unsigned int, bool, nsIContent*, nsAttrAndChildArray&) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#17 0x00007ffff258e1a3 in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#18 0x00007ffff298c473 in nsXULElement::RemoveChildAt(unsigned int, bool) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#19 0x00007ffff25fbaf6 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#20 0x00007ffff2e91561 in mozilla::dom::NodeBinding::insertBefore(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#21 0x00007ffff2e919bb in mozilla::dom::NodeBinding::genericMethod(JSContext*, unsigned int, JS::Value*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#22 0x00007ffff353028a in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#23 0x00007ffff353d05f in Interpret(JSContext*, js::RunState&) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#24 0x00007ffff353e060 in js::RunScript(JSContext*, js::RunState&) [clone .part.297] () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#25 0x00007ffff3530237 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#26 0x00007ffff3540035 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#27 0x00007ffff35ea515 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#28 0x00007ffff2df3de0 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JSObject*>, nsDOMEvent&, mozilla::ErrorResult&) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#29 0x00007ffff283a424 in nsJSEventListener::HandleEvent(nsIDOMEvent*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#30 0x00007ffff2679fa2 in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener> const&, nsIDOMEvent*, mozilla::dom::EventTarget*, nsCxPusher*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#31 0x00007ffff267a18c in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*, nsCxPusher*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#32 0x00007ffff26751e3 in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, ELMCreationDetector&, nsCxPusher*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#33 0x00007ffff2675597 in nsEventTargetChainItem::HandleEventTargetChain(nsTArray<nsEventTargetChainItem>&, nsEventChainPostVisitor&, nsDispatchingCallback*, ELMCreationDetector&, nsCxPusher*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#34 0x00007ffff2676dae in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<mozilla::dom::EventTarget>*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#35 0x00007ffff256357b in nsXULPopupManager::HidePopupCallback(nsIContent*, nsMenuPopupFrame*, nsIContent*, nsIContent*, nsPopupType, bool) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#36 0x00007ffff2563319 in nsXULPopupManager::FirePopupHidingEvent(nsIContent*, nsIContent*, nsIContent*, nsPresContext*, nsPopupType, bool) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#37 0x00007ffff256391a in nsXULPopupManager::HidePopup(nsIContent*, bool, bool, bool, nsIContent*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#38 0x00007ffff2563b08 in nsXULPopupManager::Rollup(unsigned int, nsIContent**) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#39 0x00007ffff2c3216f in nsWindow::CheckForRollup(double, double, bool, bool) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#40 0x00007ffff2c335d1 in nsWindow::CaptureRollupEvents(nsIRollupListener*, bool) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#41 0x00007ffff2562529 in nsXULPopupManager::SetCaptureState(nsIContent*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#42 0x00007ffff25634b4 in nsXULPopupManager::HidePopupCallback(nsIContent*, nsMenuPopupFrame*, nsIContent*, nsIContent*, nsPopupType, bool) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#43 0x00007ffff2563319 in nsXULPopupManager::FirePopupHidingEvent(nsIContent*, nsIContent*, nsIContent*, nsPresContext*, nsPopupType, bool) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#44 0x00007ffff256391a in nsXULPopupManager::HidePopup(nsIContent*, bool, bool, bool, nsIContent*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#45 0x00007ffff2563b08 in nsXULPopupManager::Rollup(unsigned int, nsIContent**) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#46 0x00007ffff2c3216f in nsWindow::CheckForRollup(double, double, bool, bool) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#47 0x00007ffff2c322a3 in nsWindow::SetHasMappedToplevel(bool) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#48 0x00007ffff2c32426 in window_state_event_cb(_GtkWidget*, _GdkEventWindowState*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#49 0x00007ffff055d929 in ?? () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#50 0x00007ffff0d6c620 in g_closure_invoke () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#51 0x00007ffff0d7df00 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#52 0x00007ffff0d85996 in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#53 0x00007ffff0d85f92 in g_signal_emit () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#54 0x00007ffff0676d9e in ?? () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#55 0x00007ffff055c27b in gtk_main_do_event () from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#56 0x00007fffef569ccc in ?? () from /usr/lib/x86_64-linux-gnu/libgdk-x11-2.0.so.0
#57 0x00007ffff0aa8f05 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#58 0x00007ffff0aa9248 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#59 0x00007ffff0aa9304 in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#60 0x00007ffff2c1dc15 in nsAppShell::ProcessNextNativeEvent(bool) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#61 0x00007ffff2c44004 in nsBaseAppShell::DoProcessNextNativeEvent(bool, unsigned int) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#62 0x00007ffff2c440cf in nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, bool, unsigned int) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#63 0x00007ffff3004a38 in nsThread::ProcessNextEvent(bool, bool*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#64 0x00007ffff2fd41f4 in NS_ProcessNextEvent(nsIThread*, bool) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#65 0x00007ffff2cbf3f5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#66 0x00007ffff302c496 in MessageLoop::Run() () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#67 0x00007ffff2c43439 in nsBaseAppShell::Run() () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#68 0x00007ffff2aff33a in nsAppStartup::Run() () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#69 0x00007ffff21ad8bb in XREMain::XRE_mainRun() () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#70 0x00007ffff21afb7c in XREMain::XRE_main(int, char**, nsXREAppData const*) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#71 0x00007ffff21afdda in XRE_main () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#72 0x0000000000403d8d in do_main(int, char**, nsIFile*) ()
#73 0x0000000000403eb3 in main ()

Thank you also for your patience and thoroughness in this matter.
#38 0x00007ffff2563b08 in nsXULPopupManager::Rollup(unsigned int, nsIContent**)
() from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#39 0x00007ffff2c3216f in nsWindow::CheckForRollup(double, double, bool, bool)
() from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#40 0x00007ffff2c335d1 in nsWindow::CaptureRollupEvents(nsIRollupListener*,
bool) () from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so
#41 0x00007ffff2562529 in nsXULPopupManager::SetCaptureState(nsIContent*) ()
from /tmp/firefox/firefox-26.0a1.en-US.linux-x86_64-1/libxul.so

Is this stack missing a GrabPointer line called from CaptureRollupEvents? That looks like it could cause a recursive rollup if gdk_pointer_grab fails.
I tried to reproduce this issue on Ubuntu 12.10 64bit with the 09/21 Firefox 25 debug build, and the 09/23 Aurora debug and asan builds. It didn't reproduce once, even after navigating the Cookie Monster menu tens of times.

Reporter, can you please add a crash report with the crash in this bug in a comment here? If Firefox crashed with different signatures while reproducing this bug, please add a report for each crash.

You can find the reports in about:crashes.
Flags: needinfo?(mozilla.org)
Keywords: qawanted
about:crashes states that "No crash reports have been submitted."

Sometimes following a crash, Apport runs, generating a 100MB+ file in /var/crash; but it doesn't seem to do anything with that file. Most times, Apport does not run.

What is a crash report, and what information from it do you need? Perhaps I can get that for you some other way, such as via GDB.
Flags: needinfo?(mozilla.org)
(In reply to mozilla.org from comment #15)
> about:crashes states that "No crash reports have been submitted."
> 
> Sometimes following a crash, Apport runs, generating a 100MB+ file in
> /var/crash; but it doesn't seem to do anything with that file. Most times,
> Apport does not run.
> 
> What is a crash report, and what information from it do you need? Perhaps I
> can get that for you some other way, such as via GDB.

Thanks for trying :) A crash signature would be useful, since you already gave traces. I'm not sure you can get that another way though. Maybe someone else here knows how this could get done ...
I have finally reproduced the issue again, with an Apport crash log. (For no apparent reason, Firefox was very stable for the past two days, despite concerted efforts to crash it.)

The log is around 300MB, almost all of which is the core dump. I have attached the remaining parts of the Apport log to this ticket. If you want any of the parts I've removed, please provide details of a secure way I can upload them to you.
(In reply to Neil Deakin from comment #13)
> Is this stack missing a GrabPointer line called from CaptureRollupEvents?

Yes, I think it might have been inlined.

> That looks like it could cause a recursive rollup if gdk_pointer_grab fails.

I can reproduce a crash quite easily if I add

+    if (double(random()) / RAND_MAX > 0.5) {
+        CheckForRollup(0, 0, false, true);
+        return;
+    }
     gint retval;
     retval = gdk_pointer_grab(mGdkWindow, TRUE,
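
Review bot: the injected branch at the top of nsWindow::GrabPointer fires on roughly half of all calls through random(), so the failing path stays nondeterministic and would misfire on ordinary grabs if it ever landed; gate it behind a debug-only switch (an environment variable checked once, compiled out of release builds) so a run can force the failure on demand. It also returns before gdk_pointer_grab is called, so whatever the real failure path does with retval is skipped and only the rollup side of a failed grab is exercised.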

to simulate a failed gdk_pointer_grab in nsWindow::GrabPointer.
We'll use the destroyed frame when we come back to stack frame #49.
Neil, can you take this one?  I think you know this code better than I do.
Flags: needinfo?(enndeakin)
Attached patch crashonrollup (obsolete) — Splinter Review
I suppose we could just not allow this to happen recursively.

I can't reproduce the bug though, even with the change in comment 19.
Attachment #8343754 - Flags: feedback?(karlt)
Flags: needinfo?(enndeakin)
Is any special input method in use when this bug occurs?
XIM is known to corrupt timestamps on events, which can cause grab failures.
Flags: needinfo?(mozilla.org)
Just the default English settings (I do have a compose key defined, but that shouldn't matter), keyboard and touchpad.

I haven't been able to reproduce this crash for some time, so it might have been incidentally fixed, or the particular conditions that caused it on my computer have changed. I agree that the condition should be trapped, similar to Mats' build that just logged "frame was destroyed!" when a crash would otherwise have occurred.
Flags: needinfo?(mozilla.org)
Comment on attachment 8343754 [details] [diff] [review]
crashonrollup

Thanks for looking at this.

The window should still be rolled up if the grab fails so as not to leave the
popup window open above the other application that has the grab.

Is the problem here the recursive rollup, or do you think the synchronous
rollup during CaptureRollupEvents() is the core problem? 

If the recursion is the core problem, then can GetActiveRollupListener() return
null if Rollup has already been called?

If the synchronous rollup is the core problem, then I think the best solution
is probably to CheckForRollup() off an event.  Does NS_NewRunnableMethod()
make that reasonably easy to do?  The same reasoning for not rolling up
synchronously from CaptureRollupEvents() probably would apply to
CaptureMouse() also.  mRetryPointerGrab can be used instead of the boolean
parameter to determine whether to rollup synchronously.

There are no function names in these diff hunks.
Attachment #8343754 - Flags: feedback?(karlt) → feedback-
Or perhaps a better solution, if the synchronous rollup is the problem, might be to return failure from CaptureRollupEvents() if the grab fails for a reason other than GDK_GRAB_NOT_VIEWABLE.  Would the calling code rollup if CaptureRollupEvents() failed?
Confirmed that the crash bug still exists in Firefox 27.0~a2~hg20131207r161522. Reproduced with the system and Firefox both heavily loaded.
Blocks: 635611
Apparently I'm hitting the same thing in Firefox 41.0 on Gentoo while playing within NoScript (extension)'s menus, trying to mark sites as Untrusted, and I've had these crashes (in extension's menus) before (pre-Firefox 40) with Request Policy, but didn't have the means to get stack traces then.

Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0

...
<snip>
Thread 1 (Thread 0x35dab79c780 (LWP 9459)):
#0  raise (sig=sig@entry=11) at ../sysdeps/unix/sysv/linux/pt-raise.c:36
        resultvar = 0
        pid = <optimized out>
#1  0x0000035da82ada40 in nsProfileLock::FatalSignalHandler (signo=11, info=0x3b0e6c1efb0, context=0x3b0e6c1ee80) at /usr/src/debug/www-client/firefox-41.0-r1/mozilla-release/toolkit/profile/nsProfileLock.cpp:181
        unblock_sigs = {__val = {1024, 0 <repeats 15 times>}}
        oldact = <optimized out>
#2  <signal handler called>
No locals.
#3  0x0000035da7d3e53b in nsWeakFrame::Init (this=this@entry=0x3b0e6c1f350, aFrame=aFrame@entry=0x35d870a7610) at /usr/src/debug/www-client/firefox-41.0-r1/mozilla-release/layout/generic/nsFrame.cpp:386
No locals.
#4  0x0000035da7e597a8 in nsWeakFrame::nsWeakFrame (aFrame=0x35d870a7610, this=0x3b0e6c1f350) at /usr/src/debug/www-client/firefox-41.0-r1/mozilla-release/layout/generic/nsIFrame.h:3273
No locals.
#5  nsXULPopupManager::HidePopupCallback (this=this@entry=0x35d911a1580, aPopup=aPopup@entry=0x35d7b85f860, aPopupFrame=0x35d870a7610, aNextPopup=aNextPopup@entry=0x35d71944500, aLastPopup=aLastPopup@entry=0x0, aPopupType=aPopupType@entry=ePopupTypeMenu, aDeselectMenu=true) at /usr/src/debug/www-client/firefox-41.0-r1/mozilla-release/layout/xul/nsXULPopupManager.cpp:1091
        item = 0x35d609f8a60
        weakFrame = {mPrev = 0x0, mFrame = 0x35d870a7610}
        status = 944
        event = {<mozilla::WidgetMouseEventBase> = {<mozilla::WidgetInputEvent> = {<mozilla::WidgetGUIEvent> = {<mozilla::WidgetEvent> = {_vptr.WidgetEvent = 0x3b0e6c1f4c4, mClass = -120, message = 944, refPoint = {<mozilla::gfx::BasePoint<int, mozilla::gfx::IntPointTyped<mozilla::LayoutDevicePixel>, mozilla::gfx::IntCoordTyped<mozilla::LayoutDevicePixel> >> = {x = 0, y = 0}, <mozilla::LayoutDevicePixel> = {<No data fields>}, <No data fields>}, lastRefPoint = {<mozilla::gfx::BasePoint<int, mozilla::gfx::IntPointTyped<mozilla::LayoutDevicePixel>, mozilla::gfx::IntCoordTyped<mozilla::LayoutDevicePixel> >> = {x = -423496808, y = 944}, <mozilla::LayoutDevicePixel> = {<No data fields>}, <No data fields>}, time = 3700822757376, timeStamp = {mValue = 3700039219296}, mFlags = {mIsTrusted = false, mInBubblingPhase = false, mInCapturePhase = false, mInSystemGroup = false, mCancelable = false, mBubbles = false, mPropagationStopped = false, mImmediatePropagationStopped = false, mDefaultPrevented = true, mDefaultPreventedByContent = false, mDefaultPreventedByChrome = true, mMultipleActionsPrevented = true, mIsBeingDispatched = false, mDispatchedAtLeastOnce = false, mIsSynthesizedForTests = false, mExceptionHasBeenRisen = true, mRetargetToNonNativeAnonymous = true, mNoCrossProcessBoundaryForwarding = false, mNoContentDispatch = true, mOnlyChromeDispatch = true, mWantReplyFromContentProcess = true, mHandledByAPZ = false}, userType = {<nsCOMPtr_base> = {mRawPtr = 0x35daa252d70 <nsTArrayHeader::sEmptyHdr>}, <No data fields>}, typeString = {<nsAString_internal> = {mData = 0x35d7b85f860 u"\x2e58\xaa1b\x35d", mLength = 2072377440, mFlags = 861}, <No data fields>}, target = {<nsCOMPtr_base> = {mRawPtr = 0xec5e6c1f300}, <No data fields>}, currentTarget = {<nsCOMPtr_base> = {mRawPtr = 0x35d809d8d00}, <No data fields>}, originalTarget = {<nsCOMPtr_base> = {mRawPtr = 0x3b0e6c1f4e0}, <No data fields>}}, widget = {<nsCOMPtr_base> = {mRawPtr = 0x35d684ebf60}, <No data fields>}, mPluginEvent = 
{mBuffer = {<nsTArray_Impl<unsigned char, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = {mHdr = 0x0}, <nsTArray_TypedBase<unsigned char, nsTArray_Impl<unsigned char, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<unsigned char, nsTArray_Impl<unsigned char, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, static NoIndex = <optimized out>}, <No data fields>}}}, modifiers = 10272}, relatedTarget = {<nsCOMPtr_base> = {mRawPtr = 0x35d809d8d00}, <No data fields>}, button = -2848, buttons = -6463, pressure = 1.32282575e-42, hitCluster = 96, inputSource = 26702, region = {<nsAString_internal> = {mData = 0x0, mLength = 2153981984, mFlags = 861}, <No data fields>}}, <mozilla::WidgetPointerHelper> = {convertToPointer = true, pointerId = 218169344, tiltX = 0, tiltY = 0, retargetedByPointerCapture = false}, acceptActivation = false, ignoreRootScrollFrame = false, reason = mozilla::WidgetMouseEvent::eReal, context = mozilla::WidgetMouseEvent::eNormal, exit = mozilla::WidgetMouseEvent::eChild, clickCount = 2854563184}
#6  0x0000035da7e59bdd in nsXULPopupManager::FirePopupHidingEvent (this=this@entry=0x35d911a1580, aPopup=0x35d7b85f860, aNextPopup=aNextPopup@entry=0x35d71944500, aLastPopup=0x0, aPresContext=<optimized out>, aPopupType=aPopupType@entry=ePopupTypeMenu, aDeselectMenu=true, aIsCancel=true) at /usr/src/debug/www-client/firefox-41.0-r1/mozilla-release/layout/xul/nsXULPopupManager.cpp:1488
        presShell = {<nsCOMPtr_base> = {mRawPtr = 0x35d811d1900}, <No data fields>}
        status = nsEventStatus_eIgnore
        event = {<mozilla::WidgetMouseEventBase> = {<mozilla::WidgetInputEvent> = {<mozilla::WidgetGUIEvent> = {<mozilla::WidgetEvent> = {_vptr.WidgetEvent = 0x35da9d7c130 <vtable for mozilla::WidgetMouseEvent+16>, mClass = mozilla::eMouseEventClass, message = 1502, refPoint = {<mozilla::gfx::BasePoint<int, mozilla::gfx::IntPointTyped<mozilla::LayoutDevicePixel>, mozilla::gfx::IntCoordTyped<mozilla::LayoutDevicePixel> >> = {x = 0, y = 0}, <mozilla::LayoutDevicePixel> = {<No data fields>}, <No data fields>}, lastRefPoint = {<mozilla::gfx::BasePoint<int, mozilla::gfx::IntPointTyped<mozilla::LayoutDevicePixel>, mozilla::gfx::IntCoordTyped<mozilla::LayoutDevicePixel> >> = {x = 0, y = 0}, <mozilla::LayoutDevicePixel> = {<No data fields>}, <No data fields>}, time = 0, timeStamp = {mValue = 399064077745}, mFlags = {mIsTrusted = true, mInBubblingPhase = false, mInCapturePhase = false, mInSystemGroup = false, mCancelable = true, mBubbles = true, mPropagationStopped = false, mImmediatePropagationStopped = false, mDefaultPrevented = false, mDefaultPreventedByContent = false, mDefaultPreventedByChrome = false, mMultipleActionsPrevented = false, mIsBeingDispatched = false, mDispatchedAtLeastOnce = true, mIsSynthesizedForTests = false, mExceptionHasBeenRisen = false, mRetargetToNonNativeAnonymous = false, mNoCrossProcessBoundaryForwarding = false, mNoContentDispatch = false, mOnlyChromeDispatch = false, mWantReplyFromContentProcess = false, mHandledByAPZ = false}, userType = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, typeString = {<nsAString_internal> = {mData = 0x35da8ca7102 <gNullChar> u"", mLength = 0, mFlags = 1}, <No data fields>}, target = {<nsCOMPtr_base> = {mRawPtr = 0x35d7b85f860}, <No data fields>}, currentTarget = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, originalTarget = {<nsCOMPtr_base> = {mRawPtr = 0x35d7b85f860}, <No data fields>}}, widget = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, mPluginEvent = {mBuffer = 
{<nsTArray_Impl<unsigned char, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = {mHdr = 0x35daa252d70 <nsTArrayHeader::sEmptyHdr>}, <nsTArray_TypedBase<unsigned char, nsTArray_Impl<unsigned char, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<unsigned char, nsTArray_Impl<unsigned char, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, static NoIndex = <optimized out>}, <No data fields>}}}, modifiers = 0}, relatedTarget = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, button = 0, buttons = 0, pressure = 0, hitCluster = false, inputSource = 1, region = {<nsAString_internal> = {mData = 0x35da8ca7102 <gNullChar> u"", mLength = 0, mFlags = 1}, <No data fields>}}, <mozilla::WidgetPointerHelper> = {convertToPointer = true, pointerId = 0, tiltX = 0, tiltY = 0, retargetedByPointerCapture = false}, acceptActivation = false, ignoreRootScrollFrame = false, reason = mozilla::WidgetMouseEvent::eReal, context = mozilla::WidgetMouseEvent::eNormal, exit = mozilla::WidgetMouseEvent::eChild, clickCount = 0}
        popupFrame = <optimized out>
#7  0x0000035da7e59e28 in nsXULPopupManager::HidePopup (this=this@entry=0x35d911a1580, aPopup=<optimized out>, aHideChain=aHideChain@entry=true, aDeselectMenu=aDeselectMenu@entry=true, aAsynchronous=aAsynchronous@entry=false, aIsCancel=aIsCancel@entry=true, aLastPopup=0x0) at /usr/src/debug/www-client/firefox-41.0-r1/mozilla-release/layout/xul/nsXULPopupManager.cpp:997
        popupFrame = <optimized out>
        foundPanel = <optimized out>
        item = <optimized out>
        foundMenu = <optimized out>
        type = ePopupTypeMenu
        deselectMenu = true
        popupToHide = {<nsCOMPtr_base> = {mRawPtr = 0x35d7b85f860}, <No data fields>}
        nextPopup = {<nsCOMPtr_base> = {mRawPtr = 0x35d71944500}, <No data fields>}
        lastPopup = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}
#8  0x0000035da7e5a0e2 in nsXULPopupManager::Rollup (this=0x35d911a1580, aCount=4294967295, aFlush=<optimized out>, pos=0x0, aLastRolledUp=<optimized out>) at /usr/src/debug/www-client/firefox-41.0-r1/mozilla-release/layout/xul/nsXULPopupManager.cpp:274
        lastPopup = <optimized out>
        viewManager = {mRawPtr = 0x35d806c4280}
        consumeResult = ConsumeOutsideClicks_True
        rollup = <optimized out>
        noRollupOnAnchor = false
        consume = true
        item = <optimized out>
#9  0x0000035da7ae71ba in nsWindow::CheckForRollup (this=<optimized out>, aMouseX=0, aMouseY=0, aIsWheel=<optimized out>, aAlwaysRollup=<optimized out>) at /usr/src/debug/www-client/firefox-41.0-r1/mozilla-release/widget/gtk/nsWindow.cpp:4832
        rollup = <optimized out>
        popupsToRollup = <optimized out>
        usePoint = <optimized out>
        point = {<mozilla::gfx::BasePoint<int, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits>, mozilla::gfx::IntCoordTyped<mozilla::gfx::UnknownUnits> >> = {x = 0, y = 0}, <mozilla::gfx::UnknownUnits> = {<No data fields>}, <No data fields>}
        rollupListener = 0x35d911a1588
        rollupWidget = {<nsCOMPtr_base> = {mRawPtr = 0x35d672fa9c0}, <No data fields>}
        retVal = <optimized out>
        currentPopup = <optimized out>
#10 0x0000035da7ae8176 in nsWindow::SetHasMappedToplevel (this=0x35d672fa9c0, aState=true) at /usr/src/debug/www-client/firefox-41.0-r1/mozilla-release/widget/gtk/nsWindow.cpp:4018
        oldState = <optimized out>
#11 0x0000035da7ae878f in window_state_event_cb (widget=0x35d8bbcf590, event=0x35d7a7ed9f0) at /usr/src/debug/www-client/firefox-41.0-r1/mozilla-release/widget/gtk/nsWindow.cpp:5663
        window = {mRawPtr = 0x35d672fa9c0}
#12 0x0000035da07cc830 in _gtk_marshal_BOOLEAN__BOXED (closure=0x35d61ac48d0, return_value=0x3b0e6c1fac0, n_param_values=<optimized out>, param_values=0x3b0e6c1fb20, invocation_hint=<optimized out>, marshal_data=0x0) at gtkmarshalers.c:86
        callback = <optimized out>
        cc = <optimized out>
        data1 = 0x35d8bbcf590
        data2 = <optimized out>
        v_return = <optimized out>
        __func__ = "_gtk_marshal_BOOLEAN__BOXED"
...
<snip>

Search for "Thread 1 " in the included stacktrace log.

Here's my emerge --info firefox (might be useful):

Portage 2.2.22 (python 3.4.3-final-0, hardened/linux/amd64/no-multilib, gcc-5.2.0, glibc-2.21-r1, 4.1.7-hardened-r1-g45b4b78 x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-4.1.7-hardened-r1-g45b4b78-x86_64-AMD_A6-3400M_APU_with_Radeon-tm-_HD_Graphics-with-gentoo-2.2
KiB Mem:    15870032 total,  13456280 free
KiB Swap:   33554428 total,  33554428 free
Timestamp of repository gentoo: Wed, 07 Oct 2015 00:45:01 +0000
sh bash 4.4_alpha-r1
ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1
ccache version 3.2.3 [enabled]
app-shells/bash:          4.4_alpha-r1::gentoo
dev-lang/perl:            5.22.0::gentoo
dev-lang/python:          2.7.10::gentoo, 3.4.3::gentoo
dev-util/ccache:          3.2.3::gentoo
dev-util/cmake:           3.3.2::gentoo
dev-util/pkgconfig:       0.29::gentoo
sys-apps/baselayout:      2.2::gentoo
sys-apps/openrc:          0.17::gentoo
sys-apps/sandbox:         2.9::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69-r1::gentoo
sys-devel/automake:       1.11.6-r1::gentoo, 1.13.4::gentoo, 1.14.1::gentoo, 1.15::gentoo
sys-devel/binutils:       2.25.1-r1::gentoo
sys-devel/gcc:            5.2.0::gentoo
sys-devel/gcc-config:     1.8::gentoo
sys-devel/libtool:        2.4.6-r1::gentoo
sys-devel/make:           4.1-r1::gentoo
sys-kernel/linux-headers: 4.2::gentoo (virtual/os-headers)
sys-libs/glibc:           2.21-r1::gentoo
Repositories:

gentoo
    location: /usr/portage
    priority: -1000

tox-overlay
    location: /var/lib/layman/tox-overlay
    masters: gentoo
    priority: 50

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=native -ggdb -fvar-tracking-assignments -fno-omit-frame-pointer -ftrack-macro-expansion=2 -fstack-protector-all -fPIC"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=native -ggdb -fvar-tracking-assignments -fno-omit-frame-pointer -ftrack-macro-expansion=2 -fstack-protector-all -fPIC"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs binpkg-multi-instance ccache cgroup collision-protect config-protect-if-modified distlocks downgrade-backup ebuild-locks fakeroot fixlafiles force-mirror installsources ipc-sandbox merge-sync multilib-strict network-sandbox news nostrip parallel-fetch parallel-install prelink-checksums preserve-libs sandbox sfperms split-elog split-log strict unknown-features-warn unmerge-backup unmerge-logs userfetch userpriv usersandbox webrsync-gpg"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://gd.tuwien.ac.at/opsys/linux/gentoo/ http://ftp.romnet.org/gentoo/ http://tux.rainside.sk/gentoo/ http://de-mirror.org/gentoo/  http://www.las.ic.unicamp.br/pub/gentoo/"
INSTALL_MASK="/lib/systemd /lib32/systemd /lib64/systemd /usr/lib/systemd /usr/lib32/systemd /usr/lib64/systemd /etc/systemd"
LANG="C"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
USE="3dnow 3dnowext X acl amd64 berkdb bindist btrfs bzip2 cli consolekit cracklib crypt cryptsetup cscope cxx dbus device-mapper dri egl extensions gdbm git gpg gpm gtk3 hardened iconv jpeg justify lm_sensors lock mmx mmxext modules mosh-hardening ncurses nptl ogg openmp opus pam pax_kernel pcre pie png policykit popcnt pulseaudio qt4 readline seccomp session smp sse sse2 sse3 sse4a ssl ssp startup-notification strong-security system-icu system-jpeg system-libvpx system-sqlite urandom xattr xcomposite xtpax zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="3dnow 3dnowext mmx mmxext popcnt sse sse2 sse3 sse4a" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="pc" INPUT_DEVICES="keyboard synaptics evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" 
PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby20 ruby21" USERLAND="GNU" VIDEO_CARDS="radeon" XFCE_PLUGINS="brightness clock trash battery power" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
                        Package Settings
=================================================================

www-client/firefox-41.0-r1::gentoo was built with the following:
USE="bindist dbus egl gstreamer hardened jemalloc3 pulseaudio startup-notification system-icu system-jpeg system-libvpx system-sqlite -custom-cflags -custom-optimization -debug (-gmp-autoupdate) -gstreamer-0 -jit -minimal (-neon) (-pgo) (-selinux) -system-cairo -test -wifi" LINGUAS="-af -ar -as -ast -be -bg -bn_BD -bn_IN -br -bs -ca -cs -cy -da -de -el -en_GB -en_ZA -eo -es_AR -es_CL -es_ES -es_MX -et -eu -fa -fi -fr -fy_NL -ga_IE -gd -gl -gu_IN -he -hi_IN -hr -hu -hy_AM -id -is -it -ja -kk -km -kn -ko -lt -lv -mai -mk -ml -mr -nb_NO -nl -nn_NO -or -pa_IN -pl -pt_BR -pt_PT -rm -ro -ru -si -sk -sl -son -sq -sr -sv_SE -ta -te -th -tr -uk -vi -xh -zh_CN -zh_TW"
CFLAGS="-pipe -march=native -ggdb -fno-omit-frame-pointer -fstack-protector-all -fPIC"
CXXFLAGS="-pipe -march=native -ggdb -fno-omit-frame-pointer -fstack-protector-all -fPIC"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,-z,relro,-z,now"
Neil, can you address Karl's questions in comment 25 please?
Flags: needinfo?(enndeakin)
Bug 1213099 describes a "recurring into frame construction" assertion that Neil thinks may be related to this.
> If the synchronous rollup is the core problem, then I think the best solution
> is probably to CheckForRollup() off an event.

I think that seems reasonable.
Flags: needinfo?(enndeakin)
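The difference between rolling up synchronously from the grab path and doing it "off an event", as an added C++ example that is neither Gecko code nor the attached patch. PopupManager, Frame and the simulated grab failure are constructed stand-ins, and a std::weak_ptr plays the role of nsWeakFrame so the destroyed frame is counted instead of dereferenced.

```cpp
#include <cstddef>
#include <cstdio>
#include <deque>
#include <functional>
#include <memory>
#include <vector>

// Constructed model, not Gecko code. Names echo the bug only for orientation.
struct Frame { int id; };

class PopupManager {
public:
    explicit PopupManager(bool deferRollup) : mDeferRollup(deferRollup) {}

    void OpenPopup(int id) {
        mPopups.push_back(std::make_shared<Frame>(Frame{id}));
    }

    // Simulate gdk_pointer_grab failing for the next n attempts.
    void FailNextGrabs(int n) { mGrabFailures = n; }

    // Hide the top-most popup; the pointer grab moves to the popup below it.
    void HideTopPopup() {
        if (mPopups.empty()) return;
        // Non-owning handle, the role nsWeakFrame plays in HidePopupCallback.
        std::weak_ptr<Frame> weakFrame = mPopups.back();
        MoveGrabToNextPopup();            // may re-enter Rollup() synchronously
        if (weakFrame.expired()) {
            // A nested rollup destroyed the frame this call was still using.
            // Code holding a raw pointer would touch freed memory here.
            ++mStaleFrameHits;
            return;
        }
        mPopups.pop_back();               // finish hiding: frame is destroyed
    }

    // Close every open popup, top-most first.
    void Rollup() {
        while (!mPopups.empty()) HideTopPopup();
    }

    // Drain queued runnables, as the event loop does once the stack unwinds.
    void ProcessPendingEvents() {
        while (!mEvents.empty()) {
            std::function<void()> event = std::move(mEvents.front());
            mEvents.pop_front();
            event();
        }
    }

    int StaleFrameHits() const { return mStaleFrameHits; }
    std::size_t OpenCount() const { return mPopups.size(); }

private:
    void MoveGrabToNextPopup() {
        if (mGrabFailures == 0) return;   // grab succeeded
        --mGrabFailures;
        if (mDeferRollup) {
            // Still roll up, but from a fresh stack.
            mEvents.push_back([this] { Rollup(); });
        } else {
            Rollup();                     // synchronous, re-entrant rollup
        }
    }

    bool mDeferRollup;
    int mGrabFailures = 0;
    int mStaleFrameHits = 0;
    std::vector<std::shared_ptr<Frame>> mPopups;
    std::deque<std::function<void()>> mEvents;
};

struct Outcome {
    int staleFrameHits;
    std::size_t openAfterCall;
    std::size_t openAfterEvents;
};

// Three nested menus; the grab fails once while the top-most one is hidden.
Outcome HideWithFailedGrab(bool deferRollup) {
    PopupManager manager(deferRollup);
    for (int id = 1; id <= 3; ++id) manager.OpenPopup(id);
    manager.FailNextGrabs(1);
    manager.HideTopPopup();
    Outcome out{};
    out.openAfterCall = manager.OpenCount();
    manager.ProcessPendingEvents();
    out.openAfterEvents = manager.OpenCount();
    out.staleFrameHits = manager.StaleFrameHits();
    return out;
}

int main() {
    const Outcome sync = HideWithFailedGrab(false);
    const Outcome deferred = HideWithFailedGrab(true);
    std::printf("synchronous: stale=%d open=%zu\n",
                sync.staleFrameHits, sync.openAfterEvents);
    std::printf("deferred:    stale=%d open=%zu\n",
                deferred.staleFrameHits, deferred.openAfterEvents);
    return 0;
}
```

In both modes every popup ends up closed after a failed grab; only the synchronous mode leaves the outer call holding a frame that a nested rollup already destroyed.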
Attached patch Patch as suggested (obsolete) — Splinter Review
Assignee: nobody → enndeakin
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #8679424 - Flags: review?(karlt)
Comment on attachment 8679424 [details] [diff] [review]
Patch as suggested

(In reply to Neil Deakin from comment #32)
> Created attachment 8679424 [details] [diff] [review]
> Patch as suggested

Please include commit messages before submitting for review.

I'm not sure this is really what I suggested because the suggestions depended
on the answers to questions.  I'd prefer "I don't know" over ignoring the
questions.

I guess the asynchronicity is no worse than what we already have with
GDK_GRAB_NOT_VIEWABLE, so I hope this is fine, but I don't understand the
comment below.  Can you explain, please?

>+        // [...] Do this with an event so that
>+        // popups don't rollup while potentionally adjusting the grab for
>+        // another popup.

"potentially"

Isn't this about rollup while requesting a grab on *this* popup?

>+        nsCOMPtr<nsIRunnable> event =
>+            NS_NewRunnableMethod(this, &nsWindow::CheckForRollupDuringGrab);
>+        NS_DispatchToCurrentThread(event);

NS_DispatchToCurrentThread(event.forget());
Attachment #8679424 - Flags: review?(karlt)
> If the recursion is the core problem, then can GetActiveRollupListener()
> return
> null if Rollup has already been called?

GetActiveRollupListener() never returns null except in a catastrophic case. I assume you mean GetRollupWidget(). Returning null seems an unusual way to indicate that Rollup is currently being called. Note that Rollup may not close all or any popups, and GetRollupWidget() would still return a widget after the call to Rollup is complete.

An alternative would be to add a guard to Rollup() to ensure that it isn't called recursively. Would you prefer this solution? Or maybe you meant that GetActiveRollupListener should return null when this recursive guard is set?

> Isn't this about rollup while requesting a grab on *this* popup?

Yes. I can change the comment.

> NS_DispatchToCurrentThread(event.forget());

Although a wrapper function exists that does this, I can change this.
Flags: needinfo?(karlt)
(In reply to Neil Deakin from comment #34)
> > If the recursion is the core problem, then can GetActiveRollupListener()
> > return
> > null if Rollup has already been called?
> 
> GetActiveRollupListener() never returns null except in a catastrophic case.

Thanks.  I was assuming there would only be an active roll-up listener for the
window if it had something to roll up, but I see now this is a class method
not an object method.

> I assume you mean GetRollupWidget(). Returning null seems an unusual way to
> indicate that Rollup is currently being called.

I don't know much about GetRollupWidget().  If it returns the widget that needs
to be rolled up, then it might be reasonable for it to return null if there is
no longer a widget that needs to be rolled up, but I guess there are multiple
widgets involved, which makes this unhelpful.

> Note that Rollup may not
> close all or any popups, and GetRollupWidget() would still return a
> widget after the call to Rollup is complete.

OK, thanks.  I was assuming that Rollup() involved closing the window so that it
would not need to roll up again.

> An alternative would be to add a guard to Rollup() to ensure that it isn't
> called recursively. Would you prefer this solution?

I don't know.

I wasn't so much thinking of a recursion blocker for the sake of blocking
recursion, but assuming that if Rollup() had happened once, it didn't need to
happen again, and so it could return early, but I guess calling Rollup() twice
can do something different to calling Rollup() once?  I don't know what
behaviour is expected here.

I wonder whether state can be set in a way that calling Rollup() recursively
could be made to behave the same way as when Rollup is called sequentially,
but I don't know whether that is practical or what is wanted anyway.

Does Rollup() ever dispatch events to content?
If so, that would allow a nested event loop and so recursive calls to Rollup().

> Or maybe you meant that
> GetActiveRollupListener should return null when this recursive guard is set?

I don't have a good understanding of what this returns, but if there is still
something to roll up, then I would agree that temporarily returning null would
be an odd way to indicate that Rollup() is on the stack and doesn't want any
further calls.

I don't know what is going wrong.  It would help me if you are able to explain
what expectations are being broken.

> > Isn't this about rollup while requesting a grab on *this* popup?
> 
> Yes. I can change the comment.

Thanks.  I expect the approach is fine, but it would be helpful if you can
write down somewhere what you know about the situation, in case we need to
revisit.  Why is it a problem if the roll-up happens when trying to obtain the
grab?

> > NS_DispatchToCurrentThread(event.forget());
> 
> Although a wrapper function exists that does this, I can change this.

The wrapper with the extra refcount manipulation is for compatibility with old
code that hasn't been migrated and for code that doesn't pass ownership of the
runnable.
Flags: needinfo?(karlt)
Let's say there are several popups open. Rollup is called to close them. Event listeners will fire during this time and not all popups may close, either because some are of a different type, for example the top-most is a context menu on another doorhanger-type panel, or an event listener cancelled the event preventing it from closing. Each popup is closed in sequence from top to bottom. When one popup is closing, the grab is moved to the next popup.

The issue here is that the grab being added is causing Rollup to be called again, while it hasn't finished hiding the chain of popups. This second call causes an event which destroys frames, which later causes a crash.

Note that I'm making assumptions here based on the stacks above; I haven't reproduced the crash.
What's the status of this bug? Based on the comment thread, it reads as if the patch is OK, or is there something else that needs to be done?

[Not trying to be nosey -- just trying to lighten the load on Neil for some upcoming work.]
Flags: needinfo?(karlt)
(In reply to David Durst [:ddurst] from comment #37)
> What's the status of this bug? Based on the comment thread, it reads as if
> the patch is OK, or is there something else that needs to be done?

The approach is OK.  The patch needs to be updated to address comment 33.
Flags: needinfo?(karlt)
Attachment #8343754 - Attachment is obsolete: true
Attachment #8679424 - Attachment is obsolete: true
Attachment #8748016 - Flags: review?(karlt)
Attachment #8679424 - Attachment is patch: true
Attachment #8748016 - Flags: review?(karlt) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/fa8d527717fa2f01edaf958789a4d683b976dd90
Bug 911546, use a runnable so that popups don't rollup during a grab, r=karlt
https://hg.mozilla.org/mozilla-central/rev/fa8d527717fa
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
Thank you all for your work on this!
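The re-entrancy discussed in this thread (a grab triggering a second Rollup while the first is still hiding the popup chain) and the landed fix's approach of using a runnable, as an added example that is not part of the thread or of Gecko's code. It is a simplified C++ model: `PopupChain`, `Grab`, `Rollup`, `Drain` and `RunScenario` are hypothetical names, and it assumes that every grab requests a rollup and that a nested rollup closes the whole remaining chain.

```cpp
#include <algorithm>
#include <cstdio>
#include <deque>
#include <functional>
#include <vector>

struct PopupChain {  // simplified model, hypothetical names; not Gecko code
    std::vector<int> open;                      // open popup ids, top-most last
    std::deque<std::function<void()>> pending;  // stand-in for the thread's event queue
    bool deferRollupFromGrab = false;
    int depth = 0, maxDepth = 0, staleAccesses = 0;
    // Assumption: taking the grab makes the window system request a rollup.
    void Grab() {
        if (deferRollupFromGrab)
            pending.push_back([this] { Rollup(); });  // runs after Rollup unwinds
        else
            Rollup();                                 // re-enters mid-teardown
    }
    void Rollup() {
        maxDepth = std::max(maxDepth, ++depth);
        while (!open.empty()) {
            open.pop_back();                 // hide the top-most popup
            if (open.empty()) break;
            auto next = open.size() - 1;     // caller still expects this popup
            Grab();                          // grab moves to the next popup
            if (next >= open.size()) ++staleAccesses;  // destroyed underneath us
        }
        --depth;
    }
    void Drain() {                           // event loop turn after Rollup returns
        while (!pending.empty()) {
            auto task = pending.front();
            pending.pop_front();
            task();
        }
    }
};
struct Result { int maxDepth; int staleAccesses; };
Result RunScenario(bool defer) {
    PopupChain c;
    c.open = {1, 2, 3};                      // constructed sample chain
    c.deferRollupFromGrab = defer;
    c.Rollup(); c.Drain();
    return {c.maxDepth, c.staleAccesses};
}
int main() {
    Result s = RunScenario(false), d = RunScenario(true);
    std::printf("sync %d/%d, deferred %d/%d\n", s.maxDepth, s.staleAccesses, d.maxDepth, d.staleAccesses);
}
```

Each stale access counted in the synchronous run marks a point where an outer `Rollup` frame would go on to touch a popup that a nested call had already torn down; the model counts these instead of dereferencing anything.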