Closed Bug 620512 Opened 14 years ago Closed 8 years ago

Firefox 4.0b9pre crash in [@ nsNPAPIPluginInstance::UseAsyncPainting(int*) ]

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
blocking2.0 --- -

People

(Reporter: marcia, Unassigned)

References

Details

(Keywords: crash, regression)

Crash Data

Attachments

(2 files)

Part 1: Only fire MozPaintWait and change window visibi lity in BuildDisplayList if we're painting
(deleted), patch
benjamin
: review+
Details | Diff | Splinter Review
Part 2: Cache UseLayers result to avoid having to call into UseAsyncPainting when it might be unsafe
(deleted), patch
Details | Diff | Splinter Review
Seen while reviewing crash stats. New crash that started showing up in the 2010121500 build. Links to the all crashes: http://tinyurl.com/25bf3r8 http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=66036625795f&tochange=f11f7ed625ba shows the changeset, which is based on what I see in crash stats. Frame Module Signature [Expand] Source 0 xul.dll nsNPAPIPluginInstance::UseAsyncPainting modules/plugin/base/src/nsNPAPIPluginInstance.cpp:879 1 xul.dll nsPluginInstanceOwner::UseLayers layout/generic/nsObjectFrame.cpp:474 2 xul.dll nsPluginInstanceOwner::CallSetWindow layout/generic/nsObjectFrame.cpp:6579 3 xul.dll nsPluginInstanceOwner::UpdateWindowPositionAndClipRect layout/generic/nsObjectFrame.cpp:6569 4 xul.dll nsObjectFrame::ComputeWidgetGeometry layout/generic/nsObjectFrame.cpp:1338 5 xul.dll nsObjectFrame::GetEmptyClipConfiguration layout/generic/nsObjectFrame.h:155 6 xul.dll PluginHideEnumerator layout/base/nsPresContext.cpp:2454 7 xul.dll nsTHashtable<nsPtrHashKey<nsObjectFrame> >::s_EnumStub obj-firefox/dist/include/nsTHashtable.h:420 8 xul.dll PL_DHashTableEnumerate obj-firefox/xpcom/build/pldhash.c:754 9 mozcrt19.dll malloc obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:5873 10 xul.dll nsObjectFrame::GetEmptyClipConfiguration layout/generic/nsObjectFrame.h:156 11 @0x3b
There is a spike in crashes from 4.0b9pre/20101220. It is #7 top crasher in this build. The regression range for the spike is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=be8006fc9c4a&tochange=fc50c521bf48 According to that, it seems that is a Layout issue and not a Plug-ins one. More reports at (without a limit date as in comment 0): http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&range_value=4&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=nsNPAPIPluginInstance%3A%3AUseAsyncPainting%28int*%29)
blocking2.0: --- → ?
Component: Plug-ins → Layout
QA Contact: plugins → layout
Bug 617152 is the obvious candidate. It's not clear from the stack which of the various members is corrupted.
Assignee: nobody → roc
Blocks: 617152
blocking2.0: ? → beta9+
Keywords: regression
It must be this changeset: http://hg.mozilla.org/mozilla-central/rev/e9f317c9ab52 It added the call to mInstanceOwner->UseLayers() which is crashing here. But why would it crash? That doesn't make sense to me.
Hmm, actually the stacks show lots of paths to UseLayers crashing, not just the one added in that changeset.
They also show lots of crashes in UseAsyncPainting before my stuff landed, so it looks to me like the extra call I added simply made an existing bug worse.
nsNPAPIPluginInstance::UseAsyncPainting is virtual so it's unlikely nsNPAPIPluginInstance is corrupt. Could mPlugin or mPlugin->mLibrary be a non-null dangling pointer?
I'm hopeful that one or both of those patches will effectively work around the bug.
Attachment #499098 - Flags: review?(benjamin) → review+
Part 1 is still a good patch. Part 2 is probably unnecessary complexity.
As per today's meeting, beta 9 will be a time-based release. Marking these all betaN+. Please move it back to beta9+ if you believe it MUST be in the next beta (ie: trunk is in an unshippable state without this)
No longer blocks: 617152
blocking2.0: beta9+ → betaN+
Keywords: crash, regression
Blocks: 617152
Keywords: crash, regression
The spike described in comment 1 has been fixed by the part-1 patch. But it still happens. It is #95 top crasher in 4.0b11. Comments talk mainly about Webex. More reports at: https://crash-stats.mozilla.com/report/list?product=Firefox&range_value=4&range_unit=weeks&signature=nsNPAPIPluginInstance%3A%3AUseAsyncPainting%28int*%29
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Whiteboard: [hardblocker]
WebEx is known to crash on OSX ... is that the primary OS where we're seeing crashes? Not a blocker at this point.
blocking2.0: betaN+ → -
Whiteboard: [hardblocker]
> WebEx is known to crash on OSX ... is that the primary OS where we're seeing > crashes? Crashes happen only on Windows.
Crash Signature: [@ nsNPAPIPluginInstance::UseAsyncPainting(int*) ]
Crash Signature: [@ nsNPAPIPluginInstance::UseAsyncPainting(int*) ] → [@ nsNPAPIPluginInstance::UseAsyncPainting(int*) ] [@ nsNPAPIPluginInstance::UseAsyncPainting ]
Only 5 crash reports in the past 6 months, all in Firefox v15 or older.
Status: REOPENED → RESOLVED
Closed: 14 years ago8 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: