Bug 454872 - Crashes while scrolling [@ nsScrollPortView::IncrementalScroll()]
Status: VERIFIED FIXED
: [sg:critical?]
: crash, fixed1.9.0.15, testcase-wanted, verified1.9.1
Product: Core
Classification: Components
Component: Layout: View Rendering
: unspecified
: All All
: P2 critical (vote)
Assigned To: Mats Palmgren [:mats]
: layout.view-rendering
: 465360
Reported: 2008-09-11 13:22 PDT by Daniel Banchero
Modified: 2009-11-09 18:57 PST (History)
roc: blocking1.9.2+
dveditz: blocking1.9.0.15+
dveditz: wanted1.9.0.x+
Crash Signature:
[@ nsScrollPortView::IncrementalScroll()]
  beta1-fixed
  .4+
  .4-fixed


Attachments
Patch rev. 1 (975 bytes, patch)
2009-08-19 10:09 PDT, Mats Palmgren [:mats]
roc: review+
dveditz: superreview+
roc: approval1.9.2+
samuel.sidler+old: approval1.9.1.4+
for 1.9.0 (1.05 KB, patch)
2009-08-24 17:16 PDT, Mats Palmgren [:mats]
samuel.sidler+old: approval1.9.0.15+

Description Daniel Banchero 2008-09-11 13:22:02 PDT
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-US; rv:1.9.0.1) Gecko/2008070206 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-US; rv:1.9.0.1) Gecko/2008070206 Firefox/3.0.1

Yesterday set preferences to "Use smooth scrolling" (unchecked "Use Autoscrolling"). Today multiple crashes while attempting to scroll. Seems much worse when attempting to scroll while page is loading/reloading, but sometimes happens even when page is loaded.

Reset to "Use Autoscrolling"; now seems stable again.

Reproducible: Sometimes

Steps to Reproduce:
1. See above.
Actual Results:  
See above.


If I can help with any testing or provide additional info, please advise.
Comment 1 Marcia Knous [:marcia] 2008-09-11 16:37:33 PDT
Daniel: I am not able to reproduce this using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.1) Gecko/2008070206 Firefox/3.0.1 or with the 3.0.2 candidate.

Which particular site were you scrolling? Can you type about:crashes and provide a crash URL?
Comment 2 Marcia Knous [:marcia] 2008-09-11 16:44:17 PDT
I was not able to reproduce on a PPC machine either using 3.0.1.
Comment 3 Daniel Banchero 2008-09-11 17:19:21 PDT
Hi Marcia-

Yes, I was able to reproduce the problem by (as before) changing the Firefox scrolling preferences to "Use smooth scrolling" and unchecking "Use
Autoscrolling". Again, the problem seems to be associated with attempting to scroll while a page is loading or reloading.

The URL that I tested this time was: http://www.newsweek.com/id/158429?from=rss

The URL info after "www.newsweek.com/" is specific to a particular Newsweek article... The previous crashes occurred at the same Newsweek URL but with different specific articles.

To obtain more of a sampling, I also just tried a Washington Post news article:
http://www.washingtonpost.com/wp-dyn/content/article/2008/09/07/AR2008090702262.html?nav=rss_world

and I was able to crash at that site also.

Finally, I tried the same thing while reloading https://bugzilla.mozilla.org/show_bug.cgi?id=454872, but was not able to crash the browser.
Comment 4 Mats Palmgren [:mats] 2008-09-11 20:30:08 PDT
Daniel, please submit the crash data and then give us its ID.  You can see
the IDs if you enter about:crashes in the url bar.  See:
http://support.mozilla.com/en-US/kb/Mozilla+Crash+Reporter#Viewing_crash_reports
Comment 5 Daniel Banchero 2008-09-11 21:23:38 PDT
OK, here are the last three, they all seem to be essentially identical:

75504d80-805f-11dd-88a4-0013211cbf8a

Signature	nsScrollPortView::IncrementalScroll()
bp-75504d80-805f-11dd-88a4-0013211cbf8a
Time	2008-09-11 17:12:01-07
Uptime	765
Product	Firefox
Version	3.0.1
Build ID	2008070206
OS	Mac OS X
OS Version	10.4.10 8R218
CPU	ppc
CPU Info	
Crash Reason	EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE
Crash Address	0x2d477df8
Comments	



9e6ff26b-805d-11dd-8d41-001a4bd43ef6

Signature	nsScrollPortView::IncrementalScroll()
bp-9e6ff26b-805d-11dd-8d41-001a4bd43ef6
Time	2008-09-11 16:58:52-07
Uptime	53
Product	Firefox
Version	3.0.1
Build ID	2008070206
OS	Mac OS X
OS Version	10.4.10 8R218
CPU	ppc
CPU Info	
Crash Reason	EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE
Crash Address	0x2d477df8
Comments	



e28da64c-8033-11dd-802e-001321b13766

Signature	nsScrollPortView::IncrementalScroll()
bp-e28da64c-8033-11dd-802e-001321b13766
Time	2008-09-11 12:00:10-07
Uptime	1048
Product	Firefox
Version	3.0.1
Build ID	2008070206
OS	Mac OS X
OS Version	10.4.10 8R218
CPU	ppc
CPU Info	
Crash Reason	EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE
Crash Address	0x2d477df8
Comments
Comment 6 Daniel Banchero 2008-09-11 21:24:26 PDT
Thanks for trying to figure this out!

db
Comment 7 Daniel Banchero 2008-09-11 21:35:54 PDT
For what it may be worth, here are all of the similar reports that I was able to find:

263609 (Windows)

385100 (Windows)

433365 (Mac)
Comment 8 Mats Palmgren [:mats] 2008-09-11 22:10:26 PDT
Possibly fixed in Firefox 3.0.2 by bug 435422.  You can try with the
release candidates here (which includes the fix):
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.0.2-candidates/
or you can wait until it's officially released (currently planned for
Tuesday 16th but it might be later).
Comment 9 Daniel Banchero 2008-09-11 22:35:15 PDT
Thanks for the info.  Since it doesn't crash unless I change the scrolling preferences it's not a big deal. I think that I'll wait for the official rollout.
Comment 10 Mats Palmgren [:mats] 2008-09-23 17:13:37 PDT
FYI, Firefox 3.0.2 is available now.
Comment 11 Daniel Banchero 2008-09-23 17:28:27 PDT
Mats- thanks a lot for keeping on top of this. I'll let you know how things work out after I download 3.0.2
Comment 12 Daniel Banchero 2008-09-24 10:44:51 PDT
Looks like you folks have nailed it. 3.0.2 seems to work just fine as far as the scrolling preferences are concerned.

Thanks to all.
Comment 13 Mats Palmgren [:mats] 2008-09-24 16:56:35 PDT
Ok, good to hear it's working for you.  I'll leave the bug open for now
since I can't query crash statistics at the moment (bug 444749) and
I want to verify it's really gone in 3.0.2.
Comment 14 Mats Palmgren [:mats] 2008-10-03 17:16:28 PDT
There are still some crash reports for 3.0.2 and 3.0.3 I'm afraid.
Comment 15 Jesse Ruderman 2009-08-18 17:46:10 PDT
There were 72 crashes in the last week at nsScrollPortView::IncrementalScroll.  All OSes are represented, but Mac is especially heavy.  Both active releases of Firefox, 3.0.x and 3.5.x, are represented.

http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=startswith&query=nsScrollPortView%3A%3AIncrementalScroll%28%29&date=&range_value=1&range_unit=weeks&do_query=1&signature=nsScrollPortView%3A%3AIncrementalScroll%28%29
Comment 16 Mats Palmgren [:mats] 2009-08-19 10:07:08 PDT
Looking at the code I'm guessing the nsScrollPortView is dead by the time
we execute line 726:
http://hg.mozilla.org/releases/mozilla-1.9.1/annotate/345e7a83db64/view/src/nsScrollPortView.cpp#l726
Assuming nsScrollPortView::ScrollToImpl() can execute arbitrary stuff like
deleting the 'this' nsScrollPortView we're currently using.
Comment 17 Mats Palmgren [:mats] 2009-08-19 10:09:09 PDT
Created attachment 395330
Patch rev. 1

Should fix it if my assumption is right.
Comment 18 Mats Palmgren [:mats] 2009-08-19 10:24:57 PDT
nsScrollPortView::ScrollToImpl calls
  nsScrollPortView::Scroll calls
    nearestWidget->Scroll

There's an analysis of widget methods that reach nsChildView::DispatchEvent
(which executes arbitrary stuff) in bug 402505.
nsChildView::Scroll is in that list.  Seems like a good idea to audit
nsScrollPortView for calls reaching anything on that list.
Comment 19 Mats Palmgren [:mats] 2009-08-19 10:26:46 PDT
... although the list could be out-dated by now of course ...
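
The hazard discussed in comments 16 and 18, as an added example that is not part of the original thread and is not the attached patch: a scroll step dispatches to arbitrary code that may destroy the view, so any member access after the call needs a liveness check. `ScrollView`, its listener and the shared liveness flag are hypothetical stand-ins for nsScrollPortView and the widget dispatch path.

```cpp
#include <functional>
#include <memory>

// Hypothetical stand-in for a view whose scroll step dispatches to arbitrary code.
class ScrollView {
public:
    using Listener = std::function<void(int)>;
    explicit ScrollView(Listener l)
        : listener_(l), alive_(std::make_shared<bool>(true)) {}
    ~ScrollView() { *alive_ = false; }  // tell outstanding guards we are gone

    // Unguarded shape: touches a member after the re-entrant call returns.
    // If the listener destroyed *this, the increment is a use-after-free.
    void IncrementalScrollUnguarded(int delta) { ScrollToImpl(delta); ++frames_; }

    // Guarded shape: returns false, touching nothing, if *this died mid-call.
    bool IncrementalScroll(int delta) {
        std::shared_ptr<bool> alive = alive_;  // local copy outlives *this
        ScrollToImpl(delta);
        if (!*alive) return false;
        ++frames_;
        return true;
    }
    int frames() const { return frames_; }
    int position() const { return pos_; }

private:
    void ScrollToImpl(int delta) {
        pos_ += delta;
        int pos = pos_;
        Listener cb = listener_;  // run a copy so the callee may destroy *this
        cb(pos);                  // no member access past this point
    }
    Listener listener_;
    std::shared_ptr<bool> alive_;
    int pos_ = 0, frames_ = 0;
};

// Constructed scenario: the listener tears down the view that is scrolling.
bool guard_detects_destroyed_view() {
    std::unique_ptr<ScrollView> view;
    view.reset(new ScrollView([&view](int) { view.reset(); }));
    bool survived = view->IncrementalScroll(10);
    return !survived && !view;
}

int main() { return guard_detects_destroyed_view() ? 0 : 1; }
```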
Comment 20 Markus Stange 2009-08-19 12:35:57 PDT
The patch looks good to me, but I'm not a peer of this code.
Comment 21 Mats Palmgren [:mats] 2009-08-19 12:44:20 PDT
Sorry, I assumed you were...
Comment 22 Mats Palmgren [:mats] 2009-08-23 20:27:57 PDT
http://hg.mozilla.org/mozilla-central/rev/15c3a72d8aac
Comment 23 Samuel Sidler (old account; do not CC) 2009-08-23 21:31:06 PDT
Pushing out Mats' request to 1.9.0.15 since we're basically code frozen for 1.9.0.14.
Comment 24 Samuel Sidler (old account; do not CC) 2009-08-24 15:34:17 PDT
Mats: When this lands on 1.9.2, please request approval1.9.0.15 and approval1.9.1.4 on it (or if it doesn't apply, please attach a patch that does).
Comment 25 Mats Palmgren [:mats] 2009-08-24 17:15:07 PDT
ok
Comment 26 Mats Palmgren [:mats] 2009-08-24 17:16:09 PDT
Created attachment 396338
for 1.9.0
Comment 27 Mats Palmgren [:mats] 2009-09-08 17:18:26 PDT
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/635177741480
Comment 28 Samuel Sidler (old account; do not CC) 2009-09-10 10:59:25 PDT
Comment on attachment 395330
Patch rev. 1

As a security bug, per our new policy, this patch needs explicit superreview from a second person. It should *not* have landed on trunk or 1.9.2 without that superreview. Please be mindful of that in the future.

http://www.mozilla.org/hacking/reviewers.html

Tagging dbaron for superreview.
Comment 29 David Baron [:dbaron] 2009-09-10 11:12:41 PDT
That's a bad policy, as I've said before.
Comment 30 Samuel Sidler (old account; do not CC) 2009-09-10 11:18:13 PDT
There are many bad policies, but it *is* a policy and we'll keep enforcing it until it's no longer a policy.
Comment 31 Mats Palmgren [:mats] 2009-09-10 15:59:12 PDT
(In reply to comment #28)
Sorry I missed that!
Comment 32 Daniel Veditz 2009-09-11 10:35:14 PDT
Comment on attachment 395330
Patch rev. 1

sr=dveditz
Comment 33 Samuel Sidler (old account; do not CC) 2009-09-11 10:36:31 PDT
Comment on attachment 395330
Patch rev. 1

Approved for 1.9.1.4. a=ss for release-drivers
Comment 34 Samuel Sidler (old account; do not CC) 2009-09-11 10:36:42 PDT
Comment on attachment 396338
for 1.9.0

Approved for 1.9.0.15. a=ss for release-drivers
Comment 35 Mats Palmgren [:mats] 2009-09-11 17:32:47 PDT
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/b3536c557f1e

On CVS HEAD:
mozilla/view/src/nsScrollPortView.cpp 	3.91
Comment 36 Al Billings [:abillings] 2009-09-14 15:45:27 PDT
I can't reproduce this issue with Firefox 3.5.3 on OS X 10.6.
Comment 37 Al Billings [:abillings] 2009-09-17 11:14:01 PDT
I can't reproduce this issue with Firefox 3.0.14 on OS X 10.6 either.
Comment 38 Tracy Walker 2009-10-01 11:36:19 PDT
verified with: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.3a1pre) Gecko/20090930 Minefield/3.7a1pre and Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.4pre) Gecko/20091001 Shiretoko/3.5.4pre
