Various imagelib related crashes

Bug #1134409 reported by Chris Coulson
This bug affects 1 person
Affects            Status         Importance   Assigned to   Milestone
Mozilla Firefox    Invalid        Critical
firefox (Ubuntu)   Fix Released   Undecided    Unassigned
  Oneiric          Fix Released   Undecided    Unassigned
  Precise          Fix Released   Undecided    Unassigned
  Quantal          Fix Released   Undecided    Unassigned
  Raring           Fix Released   Undecided    Unassigned

Bug Description

We have a lot of crashes in Firefox 19 with the following traces:

0 libxul.so imgRequestProxy::UnblockOnload imgRequestProxy.cpp:818
1 libxul.so imgStatusTracker::MaybeUnblockOnload imgStatusTracker.cpp:766
2 libxul.so imgStatusTrackerObserver::OnStopFrame imgStatusTracker.cpp:133
3 libxul.so mozilla::image::Decoder::PostFrameStop Decoder.cpp:244
4 libxul.so mozilla::image::nsPNGDecoder::end_callback nsPNGDecoder.cpp:858
5 libxul.so MOZ_PNG_push_have_end pngpread.c:1453
6 libxul.so MOZ_PNG_push_read_chunk pngpread.c:358
7 libxul.so MOZ_PNG_process_data pngpread.c:40
8 libxul.so mozilla::image::nsPNGDecoder::WriteInternal nsPNGDecoder.cpp:349
9 libxul.so mozilla::image::Decoder::Write Decoder.cpp:79
10 libxul.so mozilla::image::RasterImage::WriteToDecoder RasterImage.cpp:2648
11 libxul.so mozilla::image::RasterImage::DecodeSomeData RasterImage.cpp:3167
12 libxul.so mozilla::image::RasterImage::DecodeWorker::DecodeSomeOfImage RasterImage.cpp:3478
13 libxul.so mozilla::image::RasterImage::DecodeWorker::Run RasterImage.cpp:3403
14 libxul.so nsThread::ProcessNextEvent nsThread.cpp:627
15 libxul.so NS_ProcessNextEvent_P nsThreadUtils.cpp:238
16 libxul.so mozilla::ipc::MessagePump::Run MessagePump.cpp:82
17 libxul.so MessageLoop::RunInternal message_loop.cc:215
18 libxul.so MessageLoop::Run message_loop.cc:208
19 libxul.so nsBaseAppShell::Run nsBaseAppShell.cpp:163
20 libxul.so nsAppStartup::Run nsAppStartup.cpp:290
21 libxul.so XREMain::XRE_mainRun nsAppRunner.cpp:3823
22 libxul.so XREMain::XRE_main nsAppRunner.cpp:3890
23 libxul.so XRE_main nsAppRunner.cpp:4084
24 firefox main nsBrowserApp.cpp:174
25 libc-2.13.so libc-2.13.so@0x19113
26 libdl-2.13.so libdl-2.13.so@0x3ea4
27 libc-2.13.so libc-2.13.so@0x17dff4
28 ld-2.13.so ld-2.13.so@0x1f30
29 libc-2.13.so libc-2.13.so@0x19029
30 firefox firefox@0x1c90
31 firefox firefox@0xfa20
32 ld-2.13.so ld-2.13.so@0xeba0
33 ld-2.13.so ld-2.13.so@0x1f918

(from https://crash-stats.mozilla.com/report/index/bff34a78-7e58-41be-af57-db7272130227)

0 libxul.so nsQueryInterface::operator const nsCOMPtr.cpp:14
1 libxul.so nsCOMPtr_base::assign_from_qi nsCOMPtr.cpp:56
2 libxul.so imgRequestProxy::UnblockOnload nsCOMPtr.h:556
3 libxul.so imgStatusTracker::EmulateRequestFinished imgStatusTracker.cpp:454
4 libxul.so imgStatusTracker::RemoveConsumer imgStatusTracker.cpp:478
5 libxul.so imgRequest::RemoveProxy imgRequest.cpp:224
6 libxul.so imgRequestProxy::DoCancel imgRequestProxy.cpp:306
7 libxul.so imgRequestProxy::imgCancelRunnable::Run imgRequestProxy.h:122
8 libxul.so nsThread::ProcessNextEvent nsThread.cpp:627
9 libxul.so NS_ProcessNextEvent_P nsThreadUtils.cpp:238
10 libxul.so mozilla::ipc::MessagePump::Run MessagePump.cpp:82
11 libxul.so MessageLoop::RunInternal message_loop.cc:215
12 libxul.so MessageLoop::Run message_loop.cc:208
13 libxul.so nsBaseAppShell::Run nsBaseAppShell.cpp:163
14 libxul.so nsAppStartup::Run nsAppStartup.cpp:290
15 libxul.so XREMain::XRE_mainRun nsAppRunner.cpp:3823
16 libxul.so XREMain::XRE_main nsAppRunner.cpp:3890
17 libxul.so XRE_main nsAppRunner.cpp:4084
18 firefox main nsBrowserApp.cpp:174
19 libc-2.15.so libc-2.15.so@0x194d3
20 libdl-2.15.so libdl-2.15.so@0x3eb0
21 libc-2.15.so libc-2.15.so@0x1a6000
22 ld-2.15.so ld-2.15.so@0x2d4
23 libc-2.15.so libc-2.15.so@0x193e9
24 firefox firefox@0x1d00
25 firefox firefox@0xfc00
26 ld-2.15.so ld-2.15.so@0xf270
27 ld-2.15.so ld-2.15.so@0x21938

(from https://crash-stats.mozilla.com/report/index/0cc0981e-d445-48e6-aa19-b6ffa2130227)

Although I've so far been unable to reproduce it, I suspect this is caused by our menubar addon (and there's a 100% correlation of these crashes with users who have it installed).

In , Scoobidiver (scoobidiver) wrote :

It's #2 top browser crasher in the first days of 19.0 on Linux.

Many crash reports have Mesa.

Signature imgRequestProxy::UnblockOnload()
UUID 83185214-0cd8-4872-afd0-7ab2e2130222
Date Processed 2013-02-22 09:10:21
Uptime 231
Last Crash more than 3 months before submission
Install Age 1.8 days since version was first installed.
Install Time 2013-02-20 13:09:21
Product Firefox
Version 19.0
Build ID 20130218103552
Release Channel release
OS Linux
OS Version 0.0.0 Linux 3.0.0-31-generic #48-Ubuntu SMP Mon Feb 4 13:25:59 UTC 2013 i686
Build Architecture x86
Build Architecture Info AuthenticAM family 15 model 107 stepping 2
Crash Reason SIGSEGV
Crash Address 0x1c24549b
App Notes
OpenGL: X.Org R300 Project -- Gallium 0.4 on ATI RS740 -- 2.1 Mesa 7.11 -- texture_from_pixmap
Processor Notes sp-processor05.phx1.mozilla.com_14839:2008; exploitablity tool: ERROR: unable to analyze dump
EMCheckCompatibility True

Frame Module Signature Source
0 libxul.so imgRequestProxy::UnblockOnload imgRequestProxy.cpp:818
1 libxul.so imgStatusTracker::MaybeUnblockOnload imgStatusTracker.cpp:766
2 libxul.so imgStatusTrackerObserver::OnStopFrame imgStatusTracker.cpp:133
3 libxul.so mozilla::image::Decoder::PostFrameStop Decoder.cpp:244
4 libxul.so mozilla::image::nsPNGDecoder::end_callback nsPNGDecoder.cpp:858
5 libxul.so MOZ_PNG_push_have_end pngpread.c:1453
6 libxul.so MOZ_PNG_push_read_chunk pngpread.c:358
7 libxul.so MOZ_PNG_process_data pngpread.c:40
8 libxul.so mozilla::image::nsPNGDecoder::WriteInternal nsPNGDecoder.cpp:349
9 libxul.so mozilla::image::Decoder::Write Decoder.cpp:79
10 libxul.so mozilla::image::RasterImage::WriteToDecoder RasterImage.cpp:2648
11 libxul.so mozilla::image::RasterImage::DecodeSomeData RasterImage.cpp:3167
12 libxul.so mozilla::image::RasterImage::DecodeWorker::DecodeSomeOfImage RasterImage.cpp:3478
13 libxul.so mozilla::image::RasterImage::DecodeWorker::Run RasterImage.cpp:3403
14 libxul.so nsThread::ProcessNextEvent nsThread.cpp:627
15 libxul.so NS_ProcessNextEvent_P nsThreadUtils.cpp:238
16 libxul.so mozilla::ipc::MessagePump::Run MessagePump.cpp:82
17 libxul.so MessageLoop::RunInternal message_loop.cc:215
18 libxul.so MessageLoop::Run message_loop.cc:208
19 libxul.so nsBaseAppShell::Run nsBaseAppShell.cpp:163
20 libxul.so nsAppStartup::Run nsAppStartup.cpp:290
21 libxul.so XREMain::XRE_mainRun nsAppRunner.cpp:3823
22 libxul.so XREMain::XRE_main nsAppRunner.cpp:3890
23 libxul.so XRE_main nsAppRunner.cpp:4084
24 firefox main nsBrowserApp.cpp:174

More reports at:
https://crash-stats.mozilla.com/report/list?signature=imgRequestProxy%3A%3AUnblockOnload%28%29

In , Akeybl (akeybl) wrote :

Some guidance for QA:

" upgrade on ubuntu 12/04 to ff 19.0 reopening one pined tab (gmail) + 1 twitter tab + 3 other tabs, get a freeze."
"I was using a gesture plugin to open multiple tabs from links, and it shut down."

Seems to happen when opening tabs? KaiRo should be able to help with add-on correlations, which I suspect will be to blame if we didn't reproduce in our own pre-release testing.

In , Kairo-kairo (kairo-kairo) wrote :

  imgRequestProxy::UnblockOnload()|SIGSEGV (18 crashes)
    100% (18/18) vs. 61% (468/766) <email address hidden>
     28% (5/18) vs. 11% (84/766) <email address hidden> (Firebug, https://addons.mozilla.org/addon/1843)
     94% (17/18) vs. 81% (623/766) <email address hidden>

In , Akeybl (akeybl) wrote :

(In reply to Robert Kaiser (:<email address hidden>) from comment #3)
> imgRequestProxy::UnblockOnload()|SIGSEGV (18 crashes)
> 100% (18/18) vs. 61% (468/766) <email address hidden>
> 28% (5/18) vs. 11% (84/766) <email address hidden> (Firebug,
> https://addons.mozilla.org/addon/1843)
> 94% (17/18) vs. 81% (623/766) <email address hidden>

Sounds like this may just be through normal usage in that case.

In , Chris Coulson (chrisccoulson) wrote :

Sigh, this is almost certainly my addon which causes this :(

In , Josh Matthews (joshmatthews) wrote :

Well, my suspicion is that it triggers rather than causes the crash (unless it's a binary one that is mucking with imagelib stuff). If you can reproduce it, that would be extremely helpful.

In , Chris Coulson (chrisccoulson) wrote :

It's both - binary and using imagelib.

I haven't been able to reproduce it at all. But IIUC the trace suggests that the observer has been freed already, and when I checked if this could happen in our addon I realized that we're calling imgIRequest::Cancel() when releasing our only reference to the imgINotificationObserver. I guess this is likely to cause these types of crashes? I don't know why this hasn't shown up before, seeing as it's been like it for nearly 2 years :/

I wish we could catch these issues sooner. We have our (Ubuntu) crash reports appear in Socorro for release builds, but the crash reports from the beta builds we provide aren't exposed in the UI (presumably there is some server-side magic to map a build ID to a particular beta milestone, e.g. 20.0b1).

E.g., https://crash-stats.mozilla.com/topcrasher/byos/Firefox/20.0b1/Linux/7/browser shows crashes for the Mozilla builds, but you need to manually hunt for crashes in "20.0" to find ours:

https://crash-stats.mozilla.com/query/query?product=Firefox&version=Firefox%3A20.0&platform=linux&range_value=1&range_unit=weeks&date=02%2F27%2F2013+17%3A49%3A10&query_search=signature&query_type=contains&query=&reason=&build_id=&process_type=any&hang_type=any&do_query=1

Is there anything we can do to fix this?

In , Josh Matthews (joshmatthews) wrote :

You may want CancelAndForgetObserver, but I can never remember when one is more appropriate than the other. Maybe Joe has thoughts on the matter.

In , Chris Coulson (chrisccoulson) wrote :

I did use CancelAndForgetObserver in the patch for bug 619899 (which basically does what my addon does, but implemented properly), but there's a comment in imgIRequest.idl saying that it shouldn't be used for new code.

Changed in firefox:
importance: Unknown → Critical
status: Unknown → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox - 19.0+build1-0ubuntu2

---------------
firefox (19.0+build1-0ubuntu2) raring; urgency=low

  * Update globalmenu-extension to 3.7.2
    - Fix various imagelib related crashes (LP: #1134409)
 -- Chris Coulson <email address hidden> Wed, 27 Feb 2013 14:35:00 +0000

Changed in firefox (Ubuntu Raring):
status: New → Fix Released
In , Joe-drew (joe-drew) wrote :

CancelAndForgetObserver should be used from the destructor or similar places (i.e. "omg I'm going away right now"); ideally it wouldn't be necessary at all, but due to the way imagelib delivers notifications, that can't be guaranteed.
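
A small C++ model of the lifetime problem discussed in this thread, added here as an illustration; it is not Mozilla or globalmenu-extension code. `Observer`, `EventLoop`, `RequestProxy` and `run_teardown` are hypothetical stand-ins, and the model assumes the proxy keeps a non-owning pointer to its observer and that the asynchronous cancel path (the `imgCancelRunnable::Run` frames in the second trace) delivers a final notification from a queued task.

```cpp
#include <cstdio>
#include <functional>
#include <queue>
#include <set>
#include <utility>

// Hypothetical model of the thread's scenario; none of these types are Mozilla's.
static std::set<const void*> g_live;  // observers that have not been destroyed
struct Observer {
    int notifications = 0;
    Observer() { g_live.insert(this); }
    ~Observer() { g_live.erase(this); }
};

struct EventLoop {  // stand-in for the main-thread event queue
    std::queue<std::function<void()>> tasks;
    void Dispatch(std::function<void()> f) { tasks.push(std::move(f)); }
    void Drain() { while (!tasks.empty()) { auto f = std::move(tasks.front()); tasks.pop(); f(); } }
};

struct RequestProxy {
    Observer* listener;  // assumption: non-owning, so it can dangle
    EventLoop& loop;
    int dangling = 0;    // notifications that would have reached a freed observer
    RequestProxy(Observer* o, EventLoop& l) : listener(o), loop(l) {}
    void Notify() {
        if (!listener) return;
        // A real dereference at this point would be a use-after-free; the model only counts it.
        if (!g_live.count(listener)) { ++dangling; return; }
        ++listener->notifications;
    }
    // Deferred cancel: the final notification is delivered from a queued task.
    void Cancel() { loop.Dispatch([this] { Notify(); listener = nullptr; }); }
    // Synchronous forget: the listener is dropped before the call returns.
    void CancelAndForgetObserver() { listener = nullptr; loop.Dispatch([this] { Notify(); }); }
};

// Owner teardown: cancel, free the observer, then let the event loop run.
int run_teardown(bool forget_observer) {
    EventLoop loop;
    Observer* obs = new Observer;
    RequestProxy proxy(obs, loop);
    if (forget_observer) proxy.CancelAndForgetObserver(); else proxy.Cancel();
    delete obs;    // the owner's only reference goes away
    loop.Drain();  // queued cancel work runs after the observer is gone
    return proxy.dangling;
}
int main() {
    std::printf("Cancel: %d, CancelAndForgetObserver: %d\n", run_teardown(false), run_teardown(true));
}
```
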

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox - 19.0+build1-0ubuntu0.12.10.2

---------------
firefox (19.0+build1-0ubuntu0.12.10.2) quantal-security; urgency=low

  * Update globalmenu-extension to 3.7.2
    - Fix various imagelib related crashes (LP: #1134409)
 -- Chris Coulson <email address hidden> Wed, 27 Feb 2013 14:35:00 +0000

Changed in firefox (Ubuntu Quantal):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox - 19.0+build1-0ubuntu0.12.04.2

---------------
firefox (19.0+build1-0ubuntu0.12.04.2) precise-security; urgency=low

  * Update globalmenu-extension to 3.7.2
    - Fix various imagelib related crashes (LP: #1134409)
 -- Chris Coulson <email address hidden> Wed, 27 Feb 2013 14:35:00 +0000

Changed in firefox (Ubuntu Precise):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox - 19.0+build1-0ubuntu0.11.10.2

---------------
firefox (19.0+build1-0ubuntu0.11.10.2) oneiric-security; urgency=low

  * Update globalmenu-extension to 3.7.2
    - Fix various imagelib related crashes (LP: #1134409)
 -- Chris Coulson <email address hidden> Wed, 27 Feb 2013 14:35:00 +0000

Changed in firefox (Ubuntu Oneiric):
status: New → Fix Released
In , Chris Coulson (chrisccoulson) wrote :

It doesn't look like there are any crashes from people with version 3.7.2 of the addon installed (which has a fix). So hopefully, this should start to drop over the next couple of days.

In , Scoobidiver (scoobidiver) wrote :

(In reply to Chris Coulson from comment #11)
> So hopefully, this should start to drop over the next couple of days
It seems so as it's now #9 top crasher in 19.0 on Linux.

Changed in firefox:
status: Confirmed → Invalid