Closed Bug 924681 Opened 11 years ago Closed 11 years ago

crash in nsPresContext::GetPrimaryFrameFor(nsIContent*)

Categories

(Core :: DOM: Events, defect)

Product:
Core
Component:
DOM: Events
Version:
26 Branch
Platform:
ARM
Gonk (Firefox OS)
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla28
Project Flags:
blocking-b2g koi+
Tracking Flags:
Tracking Status
firefox26 --- wontfix
firefox27 --- wontfix
firefox28 --- fixed
b2g-v1.2 --- fixed

People

(Reporter: nhirata, Assigned: smaug)

References

Details

(Keywords: crash, Whiteboard: [b2g-crash])

Crash Data

Attachments

(1 file, 1 obsolete file)

with {}
1019 bytes, patch
Details | Diff | Splinter Review 
This bug was filed from the Socorro interface and is 
report bp-3b4505d2-dd02-4227-bced-ff0872131002.
=============================================================
Crashing Thread
Frame 	Module 	Signature 	Source
0 	libxul.so 	nsPresContext::GetPrimaryFrameFor(nsIContent*) 	layout/base/nsPresContext.h
1 	libxul.so 	nsEventStateManager::FireContextClick() 	content/events/src/nsEventStateManager.cpp
2 	libxul.so 	nsEventStateManager::sClickHoldCallback(nsITimer*, void*) 	content/events/src/nsEventStateManager.cpp
3 	libxul.so 	nsTimerImpl::Fire() 	xpcom/threads/nsTimerImpl.cpp
4 	libxul.so 	nsTimerEvent::Run() 	xpcom/threads/nsTimerImpl.cpp
5 	libxul.so 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
6 	libxul.so 	NS_ProcessNextEvent(nsIThread*, bool) 	xpcom/glue/nsThreadUtils.cpp
7 	libxul.so 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
8 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
9 	libxul.so 	MessageLoop::RunInternal() 	ipc/chromium/src/base/message_loop.cc
10 	libxul.so 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
11 	libxul.so 	nsBaseAppShell::Run() 	widget/xpwidgets/nsBaseAppShell.cpp
12 	libxul.so 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp
13 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
14 	libxul.so 	MessageLoop::RunInternal() 	ipc/chromium/src/base/message_loop.cc
15 	libxul.so 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
16 	libxul.so 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp
17 	plugin-container 	main 	ipc/app/MozillaRuntimeMain.cpp
18 	libc.so 	__libc_init 	bionic/libc/bionic/libc_init_dynamic.c
19 		@0xb0001dc5

Looks like one could potentially play around with the pulse.me and crash
I think I'm hitting this in b2g desktop mochitests. This is intermittent, and doesn't seem to be related to a specific test (if I disable one test, others just crash in its place).

Log file with crash stack:
https://tbpl.mozilla.org/php/getParsedLog.php?id=29893368&tree=Cedar&full=1

Though there are many other jobs with different tests that hit the crash: https://tbpl.mozilla.org/?tree=Cedar&showall=1&jobname=b2g (see the Bg M(1)'s)

Andrew, do you think you could get someone to look into this? I don't think I'll be able to get around this by disabling tests, so this blocks b2g desktop mochitests.
Blocks: 931116
Flags: needinfo?(overholt)
Gregor, fyi this is blocking me from rolling b2g desktop mochitests out on tbpl.
Blocks: 933355
Olli, this seems like your area of expertise.
Component: Layout → DOM: Events
Flags: needinfo?(overholt)
Attached patch null check (obsolete) — Splinter Review 
Looks like a null pointer crash (offset from null).
FireContextClick() is, IIRC, used currently only in b2g.

We could also just cancel the timer in few more places, but I think this patch is just fine.
Assignee: nobody → bugs
Attachment #825468 - Flags: review?(masayuki)
(In reply to Olli Pettay [:smaug] from comment #5)
> Created attachment 825468 [details] [diff] [review]
> null check
> 
> Looks like a null pointer crash (offset from null).
> FireContextClick() is, IIRC, used currently only in b2g.
> 
> We could also just cancel the timer in few more places, but I think this
> patch is just fine.

So this looks like it would fix the crash, which is great, but I think we'll still have the root problem that the presentation is intermittently null on b2g desktop for some reason (similar to bug 927586). I anticipate new failures after this.

I guess we'll see how this goes and I'll file a new bug if this doesn't fix the root problem. Thanks for the quick patch though!
The patch should be valid. We don't cancel the possible timeout when mPresContext becomes null, and
that is the root problem.

b2g-desktop may use iframes in some unusual way and expect that there is presentation always.
But that doesn't sound like this bug.
Comment on attachment 825468 [details] [diff] [review]
null check

If you don't mind, please add {} before landing.
Attachment #825468 - Flags: review?(masayuki) → review+
I knew you were going to ask that :)
Attached patch with {}Splinter Review 

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/357348508e06
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28

    
  

        Attachment #825468 -
        Attachment is obsolete: true
blocking-b2g: --- → koi+

          status-b2g-v1.2:
          --- → affected

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: