This bug was filed from the Socorro interface and is report bp-4e5a9694-f5cc-413e-a2fc-3b9550170601. ============================================================= Crashing Thread (0) Frame Module Signature Source 0 libxul.so mozilla::dom::TabChild::AsyncPanZoomEnabled dom/ipc/TabChild.cpp:450 1 libxul.so libxul.so@0x17afe1e 2 libxul.so libxul.so@0x1d9de39 3 libxul.so nsDocument::CreateShell(nsPresContext*, nsViewManager*, mozilla::StyleSetHandle) 4 libxul.so nsDocumentViewer::InitPresentationStuff(bool) 5 libxul.so nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool) 6 libxul.so nsDocumentViewer::Init layout/base/nsDocumentViewer.cpp:690 7 libxul.so nsDocShell::SetupNewViewer(nsIContentViewer*) 8 libxul.so nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*) 9 libxul.so nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal*, nsIURI*, bool, bool) 10 libxul.so nsDocShell::GetDocument() 11 libxul.so nsPIDOMWindow<mozIDOMWindowProxy>::MaybeCreateDoc dom/base/nsGlobalWindow.cpp:4132 12 libxul.so nsGlobalWindow::WrapObject dom/base/nsPIDOMWindow.h:216 13 libxul.so XPCConvert::NativeInterface2JSObject(JS::MutableHandle<JS::Value>, nsIXPConnectJSObjectHolder**, xpcObjectHelper&, nsID const*, bool, nsresult*) 14 libxul.so XPCConvert::NativeData2JS(JS::MutableHandle<JS::Value>, void const*, nsXPTType const&, nsID const*, nsresult*) 15 libxul.so XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) 16 libxul.so XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) 17 libxul.so js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 18 libxul.so Interpret(JSContext*, js::RunState&) 19 libxul.so js::RunScript(JSContext*, js::RunState&) 20 libxul.so js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 21 libxul.so Interpret(JSContext*, js::RunState&) 22 libxul.so js::RunScript(JSContext*, js::RunState&) 23 libxul.so js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 24 libxul.so Interpret(JSContext*, js::RunState&) 25 libxul.so js::RunScript(JSContext*, js::RunState&) 26 libxul.so js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 27 libxul.so Interpret(JSContext*, js::RunState&) 28 libxul.so js::RunScript(JSContext*, js::RunState&) 29 libxul.so js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) 30 libxul.so JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) 31 libxul.so nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) 32 libxul.so PrepareAndDispatch xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:120 33 libxul.so SharedStub 34 libxul.so nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) 35 libxul.so nsDocShell::Destroy() 36 libxul.so nsWebBrowser::SetDocShell toolkit/components/browser/nsWebBrowser.cpp:1705 37 libxul.so nsWebBrowser::InternalDestroy toolkit/components/browser/nsWebBrowser.cpp:95 38 libxul.so nsWebBrowser::Destroy toolkit/components/browser/nsWebBrowser.cpp:1298 39 libxul.so mozilla::dom::TabChild::DestroyWindow dom/ipc/TabChild.cpp:1089 40 libxul.so mozilla::dom::TabChild::RecvDestroy dom/ipc/TabChild.cpp:2460 41 libxul.so mozilla::dom::PBrowserChild::OnMessageReceived obj-firefox/ipc/ipdl/PBrowserChild.cpp:4345 42 libxul.so mozilla::dom::PContentChild::OnMessageReceived obj-firefox/ipc/ipdl/PContentChild.cpp:5630 43 libxul.so mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) 44 libxul.so libxul.so@0xc4ef28 45 libxul.so mozilla::ipc::MessageChannel::MessageTask::Run() 46 libxul.so mozilla::SchedulerGroup::Runnable::Run xpcom/threads/SchedulerGroup.cpp:365 47 libxul.so nsThread::ProcessNextEvent(bool, bool*) 48 libxul.so NS_ProcessNextEvent(nsIThread*, bool) 49 libxul.so mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 50 libxul.so MessageLoop::Run() 51 libxul.so nsBaseAppShell::Run widget/nsBaseAppShell.cpp:156 52 libxul.so XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp:893 53 libxul.so MessageLoop::Run() 54 libxul.so XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp:709 55 firefox content_process_main ipc/contentproc/plugin-container.cpp:64 56 firefox _init Ø 57 libc-2.19.so libc-2.19.so@0x21b44 58 firefox firefox@0x11c1f 59 firefox firefox@0x1b5bf 60 firefox __libc_csu_fini 61 firefox firefox@0x1b5bf 62 firefox _start reports with this signature are regressing from linux installations in firefox 55.0a1. crashes occur with "MOZ_RELEASE_ASSERT(mCompositorOptions)" that got added in bug 1331509.

https://crash-stats.mozilla.com/report/index/c1639279-2640-495c-a93f-0c8060170531 is a better report, has a fully symbolicated stack. Also this is pretty low-volume, but seems to happen more in 55 than it did in 53 or 54.

I'm hitting this consistently on a release build using current trunk with the following STR: 1. ./mach run (*don't* disable e10s) 2. Type 'gecko profiler' in the search box 3. Click the first result A new tab opens and then crashes. I'll attach the stack since it's a little different to comment 0.

Another STR on latest Nightly: Go to https://treeherder.mozilla.org/#/jobs?repo=try&revision=176255357daf878ec9acbd66c7a4ef4aeb497aa2&selectedJob=110281475 Click on the orange TC-9 job under Linux x64 asan. Click the "Open the Raw Log in a New Window" https://crash-stats.mozilla.com/report/index/2518f340-6e8d-45d6-b430-35ad10170630 https://crash-stats.mozilla.com/report/index/b553a4c0-1a6d-4033-aa0c-2b90d0170630

I also hit this every time I click a link in a pinned GMail tab. The link gets opened in a new tab and immediately crashes. https://crash-stats.mozilla.com/report/index/cff7b8b9-06c7-4c19-9b20-8042e0170630 https://crash-stats.mozilla.com/report/index/060933b9-bc42-4228-a6fa-e2d300170630 https://crash-stats.mozilla.com/report/index/5f233367-2b3e-4c7e-9249-575120170630 https://crash-stats.mozilla.com/report/index/ea82c8a3-245a-4e81-8a7d-7e5390170630 https://crash-stats.mozilla.com/report/index/2d9625e7-ba38-4705-b425-f49c40170630

Similar, I get this when opening a Bugzilla bug in a new tab from a pinned dashboard tab.

I've backed out the patch from bug 1374548 after ehsan pointed to it via mozregression. I'll respin nightlies in a bit.

For those who are running into this, a workaround for now is to set dom.w3c_touch_events.enabled to 0 and restart. This bug should be affecting devices with touchscreens.

Comment on attachment 8882633 [details] Bug 1370089 - Assume APZ is enabled in TabChild if we are queried before we have the compositor options. https://reviewboard.mozilla.org/r/153716/#review158898

Pushed by kgupta@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/4ded92f42403 Assume APZ is enabled in TabChild if we are queried before we have the compositor options. r=dvander

Pushed by kwierso@gmail.com: https://hg.mozilla.org/mozilla-central/rev/7cc250ff4f6e Assume APZ is enabled in TabChild if we are queried before we have the compositor options. r=dvander a=bustage

Grafted this over to m-c so we can spin nightlies later today. Would be nice if people can confirm the crash has stopped with this.

(In reply to Wes Kocher (:KWierso) from comment #13) > Grafted this over to m-c so we can spin nightlies later today. Would be nice > if people can confirm the crash has stopped with this. I redid my own build (which is where I first saw the issue) including this patch and I can verify that it fixes my issue.

(In reply to Wes Kocher (:KWierso) from comment #13) > Grafted this over to m-c so we can spin nightlies later today. Would be nice > if people can confirm the crash has stopped with this. Fixed on 56.0a1 (2017-07-01) (64-bit)

I think Wes incorrectly marked status-firefox55 as fixed instead of status-firefox56 back in comment 13.

Comment on attachment 8882633 [details] Bug 1370089 - Assume APZ is enabled in TabChild if we are queried before we have the compositor options. Approval Request Comment [Feature/Bug causing the regression]: bug 1331509 [User impact if declined]: intermittent crashes on touchscreen devices when new tabs are opened. the crashes became much more frequent due to some other changes in m-c recently. [Is this code covered by automated tests?]: yes [Has the fix been verified in Nightly?]: yes [Needs manual test from QE? If yes, steps to reproduce]: no [List of other uplifts needed for the feature/fix]: none [Is the change risky?]: not really [Why is the change risky/not risky?]: small change, just adds a fallback path where before we were doing a release assert [String changes made/needed]: none

Comment on attachment 8882633 [details] Bug 1370089 - Assume APZ is enabled in TabChild if we are queried before we have the compositor options. prevent crash in apz, beta55+

(In reply to Kartikaya Gupta (email:kats@mozilla.com) from comment #19) > [Is this code covered by automated tests?]: yes > [Has the fix been verified in Nightly?]: yes > [Needs manual test from QE? If yes, steps to reproduce]: no Setting qe-verify- based on Kartikaya's assessment on manual testing needs and the fact that this fix has automated coverage.