Closed Bug 296375 Opened 20 years ago Closed 20 years ago

document.addBinding() segfaults called on a node with existing binding

Categories

(Core :: XBL, defect)

Product:
Core
Component:
XBL
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.8beta4

People

(Reporter: awuest, Assigned: bryner)

References

Details

(Keywords: crash, verified1.8, Whiteboard: [no l10n impact][ETA: unknown])

Attachments

(6 files)

Testcase #1 to reproduce document.addBinding() segfault
3.38 KB, text/plain
Details
Stacktrace and console debug output for testcase #1
43.33 KB, text/plain
Details
Testcase #2 to reproduce document.addBinding() segfault
3.57 KB, text/plain
Details
Stacktrace and console debug output for testcase #2
35.48 KB, text/plain
Details
self-contained testcase
451 bytes, application/vnd.mozilla.xul+xml
Details
idea for a fix
2.72 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
asa
: approval1.8b4+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b2) Gecko/20050523 Firefox/1.0+ Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b2) Gecko/20050523 Firefox/1.0+ This bug due to the request in https://bugzilla.mozilla.org/show_bug.cgi?id=51261#c23. Calling document.addBinding() produces a segmentation fault. Completely fresh checkout: checkout start: Thu Jun 2 10:21:53 CEST 2005 Stacktrace (non-blank-line numbered for your convenience): 1 (gdb) thread apply all bt 2 Thread 6 (Thread 108567472 (LWP 10176)): 3 #0 0x00b22d19 in __lll_mutex_lock_wait () from /lib/tls/libc.so.6 4 #1 0x00aae1b4 in _L_mutex_lock_2570 () from /lib/tls/libc.so.6 5 #2 0x0052eaf0 in __JCR_LIST__ () from firefox-devbuild/dist/bin/libxpcom_core.so 6 #3 0x06789868 in ?? () 7 #4 0x00a33034 in ?? () from /usr/lib/libstdc++.so.5 8 #5 0x0a0291d8 in ?? () 9 #6 0x06789ac0 in ?? () 10 #7 0x06789868 in ?? () 11 #8 0x00a10233 in operator delete () from /usr/lib/libstdc++.so.5 12 #9 0x00a10233 in operator delete () from /usr/lib/libstdc++.so.5 13 #10 0x004ac47d in nsStringInputStream::Release (this=0xb6beacd8) at /tmp/awuest/trees/statustext/mozilla/xpcom/io/nsStringStream.cpp:142 14 #11 0x00fe1f73 in nsCOMPtr<nsIInputStream>::assign_assuming_AddRef (this=0xb6bea914, newPtr=0x0) at ../../../dist/include/xpcom/nsCOMPtr.h:568 15 #12 0x00fe1b76 in nsCOMPtr<nsIInputStream>::assign_with_AddRef (this=0xb6bea914, rawPtr=0x0) at ../../../../dist/include/xpcom/nsCOMPtr.h:1224 16 #13 0x00fe175f in nsCOMPtr<nsIInputStream>::operator= (this=0xb6bea914, rhs=0x0) at ../../../../dist/include/xpcom/nsCOMPtr.h:713 17 #14 0x010a97ec in nsHttpTransaction::Close (this=0xb6bea8d8, reason=0) at /tmp/awuest/trees/statustext/mozilla/netwerk/protocol/http/src/nsHttpTransaction.cpp:532 18 #15 0x0109b606 in nsHttpConnection::CloseTransaction (this=0xb6beaf38, trans=0xb6bea8d8, reason=0) 19 at /tmp/awuest/trees/statustext/mozilla/netwerk/protocol/http/src/nsHttpConnection.cpp:485 20 #16 0x0109c28d in nsHttpConnection::OnInputStreamReady (this=0xb6beaf38, in=0xb6f72224) 21 at /tmp/awuest/trees/statustext/mozilla/netwerk/protocol/http/src/nsHttpConnection.cpp:749 22 #17 0x0101ae26 in nsSocketInputStream::OnSocketReady (this=0xb6f72224, condition=0) at /tmp/awuest/trees/statustext/mozilla/netwerk/base/src/nsSocketTransport2.cpp:240 23 #18 0x0101eade in nsSocketTransport::OnSocketReady (this=0xb6f72140, fd=0xb6bd0680, outFlags=1) 24 at /tmp/awuest/trees/statustext/mozilla/netwerk/base/src/nsSocketTransport2.cpp:1453 25 #19 0x0102340e in nsSocketTransportService::Run (this=0xa01c020) at /tmp/awuest/trees/statustext/mozilla/netwerk/base/src/nsSocketTransportService2.cpp:573 26 #20 0x004d33e2 in nsThread::Main (arg=0xa029158) at /tmp/awuest/trees/statustext/mozilla/xpcom/threads/nsThread.cpp:118 27 #21 0x00141796 in _pt_root (arg=0xa0291d8) at /tmp/awuest/trees/statustext/mozilla/nsprpub/pr/src/pthreads/ptthread.c:220 28 #22 0x00c0fde8 in start_thread () from /lib/tls/libpthread.so.0 29 #23 0x00b1593a in clone () from /lib/tls/libc.so.6 30 Thread 5 (Thread 181783472 (LWP 10178)): 31 #0 0x00b22d19 in __lll_mutex_lock_wait () from /lib/tls/libc.so.6 32 #1 0x00aae1b4 in _L_mutex_lock_2570 () from /lib/tls/libc.so.6 33 #2 0x00150368 in __JCR_LIST__ () from firefox-devbuild/dist/bin/libnspr4.so 34 #3 0x0ad5cc08 in ?? () 35 #4 0x00150368 in __JCR_LIST__ () from firefox-devbuild/dist/bin/libnspr4.so 36 #5 0x00000001 in ?? () 37 #6 0x0ad5cc08 in ?? () 38 #7 0x0ad5ca48 in ?? () 39 #8 0x00128ae0 in PR_Free (ptr=0xa343bc8) at /tmp/awuest/trees/statustext/mozilla/nsprpub/pr/src/malloc/prmem.c:477 40 #9 0x00128ae0 in PR_Free (ptr=0xa343bc8) at /tmp/awuest/trees/statustext/mozilla/nsprpub/pr/src/malloc/prmem.c:477 41 #10 0x001426dc in _pt_thread_death (arg=0xa343a58) at /tmp/awuest/trees/statustext/mozilla/nsprpub/pr/src/pthreads/ptthread.c:816 42 #11 0x00c106a9 in deallocate_tsd () from /lib/tls/libpthread.so.0 43 #12 0x00c0fdf6 in start_thread () from /lib/tls/libpthread.so.0 44 #13 0x00b1593a in clone () from /lib/tls/libc.so.6 45 Thread 4 (Thread 192273328 (LWP 10179)): 46 #0 0x00c1245b in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/tls/libpthread.so.0 47 #1 0x00139d24 in pt_TimedWait (cv=0x9f9bbb4, ml=0x9f9cca0, timeout=838199) at /tmp/awuest/trees/statustext/mozilla/nsprpub/pr/src/pthreads/ptsynch.c:280 48 #2 0x0013a23b in PR_WaitCondVar (cvar=0x9f9bbb0, timeout=838199) at /tmp/awuest/trees/statustext/mozilla/nsprpub/pr/src/pthreads/ptsynch.c:407 49 #3 0x004d792b in TimerThread::Run (this=0x9f9be10) at /tmp/awuest/trees/statustext/mozilla/xpcom/threads/TimerThread.cpp:318 50 #4 0x004d33e2 in nsThread::Main (arg=0xa343eb8) at /tmp/awuest/trees/statustext/mozilla/xpcom/threads/nsThread.cpp:118 51 #5 0x00141796 in _pt_root (arg=0xa345020) at /tmp/awuest/trees/statustext/mozilla/nsprpub/pr/src/pthreads/ptthread.c:220 52 #6 0x00c0fde8 in start_thread () from /lib/tls/libpthread.so.0 53 #7 0x00b1593a in clone () from /lib/tls/libc.so.6 54 Thread 3 (Thread 202763184 (LWP 10181)): 55 #0 0x00b22d19 in __lll_mutex_lock_wait () from /lib/tls/libc.so.6 56 ---Type <return> to continue, or q <return> to quit--- 57 #1 0x00aae1b4 in _L_mutex_lock_2570 () from /lib/tls/libc.so.6 58 #2 0x0000ea61 in ?? () 59 #3 0x0c15ec08 in ?? () 60 #4 0x00150368 in __JCR_LIST__ () from firefox-devbuild/dist/bin/libnspr4.so 61 #5 0x00000001 in ?? () 62 #6 0x0c15ec08 in ?? () 63 #7 0x0c15ea48 in ?? () 64 #8 0x00128ae0 in PR_Free (ptr=0xb73d1d00) at /tmp/awuest/trees/statustext/mozilla/nsprpub/pr/src/malloc/prmem.c:477 65 #9 0x00128ae0 in PR_Free (ptr=0xb73d1d00) at /tmp/awuest/trees/statustext/mozilla/nsprpub/pr/src/malloc/prmem.c:477 66 #10 0x001426dc in _pt_thread_death (arg=0xb73ad568) at /tmp/awuest/trees/statustext/mozilla/nsprpub/pr/src/pthreads/ptthread.c:816 67 #11 0x00c106a9 in deallocate_tsd () from /lib/tls/libpthread.so.0 68 #12 0x00c0fdf6 in start_thread () from /lib/tls/libpthread.so.0 69 #13 0x00b1593a in clone () from /lib/tls/libc.so.6 70 Thread 2 (Thread 213253040 (LWP 10183)): 71 #0 0x00b22d19 in __lll_mutex_lock_wait () from /lib/tls/libc.so.6 72 #1 0x00aae1b4 in _L_mutex_lock_2570 () from /lib/tls/libc.so.6 73 #2 0x01106938 in __JCR_LIST__ () from /tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libnecko.so 74 #3 0x0cb5fc08 in ?? () 75 #4 0x00150368 in __JCR_LIST__ () from firefox-devbuild/dist/bin/libnspr4.so 76 #5 0x00000001 in ?? () 77 #6 0x0cb5fc08 in ?? () 78 #7 0x0cb5fa48 in ?? () 79 #8 0x00128ae0 in PR_Free (ptr=0xb6bcea40) at /tmp/awuest/trees/statustext/mozilla/nsprpub/pr/src/malloc/prmem.c:477 80 #9 0x00128ae0 in PR_Free (ptr=0xb6bcea40) at /tmp/awuest/trees/statustext/mozilla/nsprpub/pr/src/malloc/prmem.c:477 81 #10 0x001426dc in _pt_thread_death (arg=0xb6bce8b8) at /tmp/awuest/trees/statustext/mozilla/nsprpub/pr/src/pthreads/ptthread.c:816 82 #11 0x00c106a9 in deallocate_tsd () from /lib/tls/libpthread.so.0 83 #12 0x00c0fdf6 in start_thread () from /lib/tls/libpthread.so.0 84 #13 0x00b1593a in clone () from /lib/tls/libc.so.6 85 Thread 1 (Thread -1218583904 (LWP 10159)): 86 #0 0x00ae283c in __nanosleep_nocancel () from /lib/tls/libc.so.6 87 #1 0x00ae265f in sleep () from /lib/tls/libc.so.6 88 #2 0x0806945d in ah_crap_handler (signum=11) at nsSigHandlers.cpp:132 89 #3 0x08069f79 in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileLock.cpp:209 90 #4 <signal handler called> 91 #5 0x00aab2f0 in malloc_consolidate () from /lib/tls/libc.so.6 92 #6 0x00aab1cd in _int_free () from /lib/tls/libc.so.6 93 #7 0x00aaa048 in free () from /lib/tls/libc.so.6 94 #8 0x08069a46 in DemangleSymbol (aSymbol=0x11ddec7 "_ZN8nsCOMPtrI13nsIDOMElementE14assign_from_qiE16nsQueryInterfaceRK4nsID", 95 aBuffer=0xbfff4624 "nsCOMPtr<nsIDOMElement>::assign_from_qi(nsQueryInterface, nsID const&)", aBufLen=4096) at nsStackFrameUnix.cpp:80 96 #9 0x08069bb5 in DumpStackToFile (aStream=0xb6bca0) at nsStackFrameUnix.cpp:129 97 #10 0x08069416 in ah_crap_handler (signum=11) at nsSigHandlers.cpp:125 98 #11 0x08069f79 in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileLock.cpp:209 99 #12 <signal handler called> 100 #13 0x53e58955 in ?? () 101 #14 0x00450e6c in nsQueryInterface::operator() (this=0xbfff5b04, aIID=@0x1938e14, answer=0xbfff5af0) at nsCOMPtr.cpp:47 102 #15 0x0140f363 in nsCOMPtr<nsIDOMElement>::assign_from_qi (this=0xbfff5b40, qi={mRawPtr = 0x52b008}, aIID=@0x1938e14) at ../../../dist/include/xpcom/nsCOMPtr.h:1232 103 #16 0x0140d18d in nsCOMPtr (this=0xbfff5b40, qi={mRawPtr = 0x52b008}) at ../../../../dist/include/xpcom/nsCOMPtr.h:645 104 #17 0x017fc468 in nsXBLBinding::GetAnonymousNodes (this=0xb6be6468) at /tmp/awuest/trees/statustext/mozilla/content/xbl/src/nsXBLBinding.cpp:1271 105 #18 0x017f8f32 in BuildContentLists (aKey=0xb6bf1780, aData=0xb6bf1770, aClosure=0xbfff5e30) at /tmp/awuest/trees/statustext/mozilla/content/xbl/src/nsXBLBinding.cpp:303 106 #19 0x004647fe in hashEnumerate (table=0xb6be64f0, hdr=0xb6bf1b2c, i=0, arg=0xbfff5ce0) at /tmp/awuest/trees/statustext/mozilla/xpcom/ds/nsHashtable.cpp:131 107 #20 0x0045d35f in PL_DHashTableEnumerate (table=0xb6be64f0, etor=0x4647d0 <hashEnumerate>, arg=0xbfff5ce0) at /tmp/awuest/trees/statustext/mozilla/xpcom/ds/pldhash.c:619 108 #21 0x00465119 in nsHashtable::Enumerate (this=0xb6be64e8, aEnumFunc=0x17f8e2e <BuildContentLists>, aClosure=0xbfff5e30) 109 at /tmp/awuest/trees/statustext/mozilla/xpcom/ds/nsHashtable.cpp:319 110 #22 0x017f9d18 in nsXBLBinding::GenerateAnonymousContent (this=0xb6be6468) at /tmp/awuest/trees/statustext/mozilla/content/xbl/src/nsXBLBinding.cpp:527 111 #23 0x017f975e in nsXBLBinding::GenerateAnonymousContent (this=0xb6bf1718) at /tmp/awuest/trees/statustext/mozilla/content/xbl/src/nsXBLBinding.cpp:437 112 #24 0x01815b63 in nsXBLService::LoadBindings (this=0xb7323128, aContent=0xb6beb470, aURL=0xb6bf19b8, aAugmentFlag=1, aBinding=0xbfff65c0, aResolveStyle=0xbfff65bc) 113 ---Type <return> to continue, or q <return> to quit--- 114 at /tmp/awuest/trees/statustext/mozilla/content/xbl/src/nsXBLService.cpp:636 115 #25 0x0181ac6c in nsBindingManager::AddLayeredBinding (this=0xb7387258, aContent=0xb6beb470, aURL=0xb6bf19b8) 116 at /tmp/awuest/trees/statustext/mozilla/content/xbl/src/nsBindingManager.cpp:630 117 #26 0x016b5af2 in nsDocument::AddBinding (this=0xb732e6f8, aContent=0xb6beb48c, aURI=@0xb6bf1698) at /tmp/awuest/trees/statustext/mozilla/content/base/src/nsDocument.cpp:2730 118 #27 0x004fb651 in XPTC_InvokeByIndex () at /tmp/awuest/trees/statustext/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_gcc_x86_unix.cpp:69 119 #28 0x00cddaac in XPCWrappedNative::CallMethod (ccx=@0xbfff694c, mode=CALL_METHOD) at /tmp/awuest/trees/statustext/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2104 120 #29 0x00ce7d6b in XPC_WN_CallMethod (cx=0xb734ff68, obj=0xb73bfed8, argc=2, argv=0xb6bd7140, vp=0xbfff6afc) 121 at /tmp/awuest/trees/statustext/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1348 122 #30 0x002d0b7f in js_Invoke (cx=0xb734ff68, argc=2, flags=0) at /tmp/awuest/trees/statustext/mozilla/js/src/jsinterp.c:1178 123 #31 0x002e03df in js_Interpret (cx=0xb734ff68, pc=0xa21907d ":", result=0xbfff7238) at /tmp/awuest/trees/statustext/mozilla/js/src/jsinterp.c:3468 124 #32 0x002d0c08 in js_Invoke (cx=0xb734ff68, argc=0, flags=2) at /tmp/awuest/trees/statustext/mozilla/js/src/jsinterp.c:1198 125 #33 0x002d0fb9 in js_InternalInvoke (cx=0xb734ff68, obj=0xb6d18b40, fval=-1227780280, flags=0, argc=0, argv=0x0, rval=0xbfff73dc) 126 at /tmp/awuest/trees/statustext/mozilla/js/src/jsinterp.c:1275 127 #34 0x0029d2a2 in JS_CallFunctionValue (cx=0xb734ff68, obj=0xb6d18b40, fval=-1227780280, argc=0, argv=0x0, rval=0xbfff73dc) 128 at /tmp/awuest/trees/statustext/mozilla/js/src/jsapi.c:3858 129 #35 0x0180ad92 in nsXBLProtoImplAnonymousMethod::Execute (this=0xb703e9a0, aBoundElement=0xb6beb470) 130 at /tmp/awuest/trees/statustext/mozilla/content/xbl/src/nsXBLProtoImplMethod.cpp:333 131 #36 0x017fd824 in nsXBLPrototypeBinding::BindingAttached (this=0xb703e788, aBoundElement=0xb6beb470) 132 at /tmp/awuest/trees/statustext/mozilla/content/xbl/src/nsXBLPrototypeBinding.cpp:390 133 #37 0x017fad14 in nsXBLBinding::ExecuteAttachedHandler (this=0xb6bd5538) at /tmp/awuest/trees/statustext/mozilla/content/xbl/src/nsXBLBinding.cpp:768 134 #38 0x0181b439 in nsBindingManager::ProcessAttachedQueue (this=0xb7387258) at /tmp/awuest/trees/statustext/mozilla/content/xbl/src/nsBindingManager.cpp:761 135 #39 0x013fff1f in nsCSSFrameConstructor::ContentAppended (this=0xb732ddb8, aContainer=0xb6d02158, aNewIndexInContainer=0) 136 at /tmp/awuest/trees/statustext/mozilla/layout/base/nsCSSFrameConstructor.cpp:8576 137 #40 0x0145d3be in PresShell::ContentAppended (this=0xb733bec8, aDocument=0xb732e6f8, aContainer=0xb6d02158, aNewIndexInContainer=0) 138 at /tmp/awuest/trees/statustext/mozilla/layout/base/nsPresShell.cpp:5441 139 #41 0x016b3fd9 in nsDocument::ContentAppended (this=0xb732e6f8, aContainer=0xb6d02158, aNewIndexInContainer=0) 140 at /tmp/awuest/trees/statustext/mozilla/content/base/src/nsDocument.cpp:2194 141 #42 0x0183d721 in nsXULDocument::ContentAppended (this=0xb732e6f8, aContainer=0xb6d02158, aNewIndexInContainer=0) 142 at /tmp/awuest/trees/statustext/mozilla/content/xul/document/src/nsXULDocument.cpp:1172 143 #43 0x0190b5a3 in nsXULContentBuilder::RebuildAll (this=0xb6d5d9d8) at /tmp/awuest/trees/statustext/mozilla/content/xul/templates/src/nsXULContentBuilder.cpp:1909 144 #44 0x0191f25d in nsXULTemplateBuilder::Rebuild (this=0xb6d5d9d8) at /tmp/awuest/trees/statustext/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp:244 145 #45 0x0191f773 in nsXULTemplateBuilder::AttributeChanged (this=0xb6d5d9d8, aDocument=0xb732e6f8, aContent=0xb6d02158, aNameSpaceID=0, aAttribute=0xa346050, aModType=2) 146 at /tmp/awuest/trees/statustext/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp:343 147 #46 0x0190a5b9 in nsXULContentBuilder::AttributeChanged (this=0xb6d5d9d8, aDocument=0xb732e6f8, aContent=0xb6d02158, aNameSpaceID=0, aAttribute=0xa346050, aModType=2) 148 at /tmp/awuest/trees/statustext/mozilla/content/xul/templates/src/nsXULContentBuilder.cpp:1568 149 #47 0x0183d527 in nsXULDocument::AttributeChanged (this=0xb732e6f8, aElement=0xb6d02158, aNameSpaceID=0, aAttribute=0xa346050, aModType=2) 150 at /tmp/awuest/trees/statustext/mozilla/content/xul/document/src/nsXULDocument.cpp:1136 151 #48 0x01822d3d in nsXULElement::SetAttrAndNotify (this=0xb6d02158, aNamespaceID=0, aAttribute=0xa346050, aPrefix=0x0, aOldValue=@0xbfff7ddc, aParsedValue=@0xbfff7dbc, 152 aModification=0, aFireMutation=0, aNotify=1) at /tmp/awuest/trees/statustext/mozilla/content/xul/content/src/nsXULElement.cpp:1571 153 #49 0x018227cc in nsXULElement::SetAttr (this=0xb6d02158, aNamespaceID=0, aName=0xa346050, aPrefix=0x0, aValue=@0xb6be63f8, aNotify=1) 154 at /tmp/awuest/trees/statustext/mozilla/content/xul/content/src/nsXULElement.cpp:1495 155 #50 0x0182d32a in nsXULElement::SetAttr (this=0xb6d02158, aNameSpaceID=0, aName=0xa346050, aValue=@0xb6be63f8, aNotify=1) 156 at /tmp/awuest/trees/statustext/mozilla/content/xul/content/src/nsXULElement.h:482 157 #51 0x01827141 in nsXULElement::SetRef (this=0xb6d02158, aValue=@0xb6be63f8) at /tmp/awuest/trees/statustext/mozilla/content/xul/content/src/nsXULElement.cpp:2646 158 #52 0x004fb651 in XPTC_InvokeByIndex () at /tmp/awuest/trees/statustext/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_gcc_x86_unix.cpp:69 159 #53 0x00cddaac in XPCWrappedNative::CallMethod (ccx=@0xbfff81b0, mode=CALL_SETTER) at /tmp/awuest/trees/statustext/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2104 160 #54 0x00ce911a in XPCWrappedNative::SetAttribute (ccx=@0xbfff81b0) at /tmp/awuest/trees/statustext/mozilla/js/src/xpconnect/src/xpcprivate.h:1902 161 #55 0x00ce7f57 in XPC_WN_GetterSetter (cx=0xb734ff68, obj=0xb6d18808, argc=1, argv=0xb6bd711c, vp=0xbfff8360) 162 at /tmp/awuest/trees/statustext/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1372 163 #56 0x002d0b7f in js_Invoke (cx=0xb734ff68, argc=1, flags=2) at /tmp/awuest/trees/statustext/mozilla/js/src/jsinterp.c:1178 164 #57 0x002d0fb9 in js_InternalInvoke (cx=0xb734ff68, obj=0xb6d18808, fval=-1227781320, flags=0, argc=1, argv=0xbfff8b20, rval=0xbfff8b20) 165 at /tmp/awuest/trees/statustext/mozilla/js/src/jsinterp.c:1275 166 #58 0x002d1258 in js_InternalGetOrSet (cx=0xb734ff68, obj=0xb6d18808, id=-1220963400, fval=-1227781320, mode=JSACC_WRITE, argc=1, argv=0xbfff8b20, rval=0xbfff8b20) 167 at /tmp/awuest/trees/statustext/mozilla/js/src/jsinterp.c:1318 168 #59 0x002f7b60 in js_SetProperty (cx=0xb734ff68, obj=0xb6d18808, id=-1220963400, vp=0xbfff8b20) at /tmp/awuest/trees/statustext/mozilla/js/src/jsobj.c:2891 169 #60 0x002deb64 in js_Interpret (cx=0xb734ff68, pc=0xb71cc1e9 "6", result=0xbfff8c7c) at /tmp/awuest/trees/statustext/mozilla/js/src/jsinterp.c:3306 170 #61 0x002d0c08 in js_Invoke (cx=0xb734ff68, argc=1, flags=2) at /tmp/awuest/trees/statustext/mozilla/js/src/jsinterp.c:1198 171 #62 0x002d0fb9 in js_InternalInvoke (cx=0xb734ff68, obj=0xa0bcab0, fval=-1225246288, flags=0, argc=1, argv=0xb734aab0, rval=0xbfff8ecc) 172 ---Type <return> to continue, or q <return> to quit--- 173 at /tmp/awuest/trees/statustext/mozilla/js/src/jsinterp.c:1275 174 #63 0x0029d2a2 in JS_CallFunctionValue (cx=0xb734ff68, obj=0xa0bcab0, fval=-1225246288, argc=1, argv=0xb734aab0, rval=0xbfff8ecc) 175 at /tmp/awuest/trees/statustext/mozilla/js/src/jsapi.c:3858 176 #64 0x01871d64 in nsJSContext::CallEventHandler (this=0xb733daa0, aTarget=0xa0bcab0, aHandler=0xb6f839b0, argc=1, argv=0xb734aab0, rval=0xbfff8ecc) 177 at /tmp/awuest/trees/statustext/mozilla/dom/src/base/nsJSEnvironment.cpp:1385 178 #65 0x0188a62a in nsGlobalWindow::RunTimeout (this=0xb734fda8, aTimeout=0xb734aa60) at /tmp/awuest/trees/statustext/mozilla/dom/src/base/nsGlobalWindow.cpp:5257 179 #66 0x0188b1c1 in nsGlobalWindow::TimerCallback (aTimer=0xb6bd00b8, aClosure=0xb734aa60) at /tmp/awuest/trees/statustext/mozilla/dom/src/base/nsGlobalWindow.cpp:5619 180 #67 0x004d53c0 in nsTimerImpl::Fire (this=0xb6bd00b8) at /tmp/awuest/trees/statustext/mozilla/xpcom/threads/nsTimerImpl.cpp:394 181 #68 0x004d55a6 in handleTimerEvent (event=0xb6db2f00) at /tmp/awuest/trees/statustext/mozilla/xpcom/threads/nsTimerImpl.cpp:459 182 #69 0x004ccf18 in PL_HandleEvent (self=0xb6db2f00) at /tmp/awuest/trees/statustext/mozilla/xpcom/threads/plevent.c:698 183 #70 0x004ccdb9 in PL_ProcessPendingEvents (self=0xa028fb8) at /tmp/awuest/trees/statustext/mozilla/xpcom/threads/plevent.c:633 184 #71 0x004d0304 in nsEventQueueImpl::ProcessPendingEvents (this=0xa028f80) at /tmp/awuest/trees/statustext/mozilla/xpcom/threads/nsEventQueue.cpp:417 185 #72 0x07586288 in event_processor_callback (source=0xb730e9f0, condition=G_IO_IN, data=0xa028f80) at /tmp/awuest/trees/statustext/mozilla/widget/src/gtk2/nsAppShell.cpp:67 186 #73 0x0039ff8f in g_vsnprintf () from /usr/lib/libglib-2.0.so.0 187 #74 0x0037ec30 in unblock_source () from /usr/lib/libglib-2.0.so.0 188 #75 0x0037fc98 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0 189 #76 0x0037ffad in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0 190 #77 0x003806cf in g_main_loop_run () from /usr/lib/libglib-2.0.so.0 191 #78 0x0074943f in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0 192 #79 0x0758697a in nsAppShell::Run (this=0xa2b7638) at /tmp/awuest/trees/statustext/mozilla/widget/src/gtk2/nsAppShell.cpp:139 193 #80 0x02d94d0f in nsAppStartup::Run (this=0xa2b75f0) at /tmp/awuest/trees/statustext/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:144 194 #81 0x080574db in XRE_main (argc=1, argv=0xbfff9aa4, aAppData=0x8070040) at /tmp/awuest/trees/statustext/mozilla/toolkit/xre/nsAppRunner.cpp:2059 195 #82 0x0804f6c2 in main (argc=1, argv=0xbfff9aa4) at /tmp/awuest/trees/statustext/mozilla/browser/app/nsBrowserApp.cpp:61 196 (gdb) Console debug output of firefox run (non-blank-line numbered for your convenience): 1 Type Manifest File: /tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/xpti.dat 2 nsNativeComponentLoader: autoregistering begins. 3 nsNativeComponentLoader: autoregistering succeeded 4 nsNativeComponentLoader: registering deferred (0) 5 nsNativeComponentLoader: autoregistering begins. 6 nsNativeComponentLoader: autoregistering succeeded 7 nsNativeComponentLoader: registering deferred (0) 8 WARNING: nsExceptionService ignoring thread destruction after shutdown, file /tmp/awuest/trees/statustext/mozilla/xpcom/base/nsExceptionService.cpp, line 191 9 No Persistent Registry Found. 10 Type Manifest File: /home/awuest/.mozilla/firefox/qsazrhuz.default/xpti.dat 11 nsNativeComponentLoader: autoregistering begins. 12 *** Registering xpcomObsoleteModule components (all right -- a generic module!) 13 *** Registering xpconnect components (all right -- a generic module!) 14 *** Registering nsUConvModule components (all right -- a generic module!) 15 *** Registering nsI18nModule components (all right -- a generic module!) 16 *** Registering necko_core_and_primary_protocols components (all right -- a generic module!) 17 *** Registering necko_secondary_protocols components (all right -- a generic module!) 18 *** Registering nsJarModule components (all right -- a generic module!) 19 *** Registering nsPrefModule components (all right -- a generic module!) 20 *** Registering nsSecurityManagerModule components (all right -- a generic module!) 21 *** Registering nsRDFModule components (all right -- a generic module!) 22 *** Registering nsParserModule components (all right -- a generic module!) 23 *** Registering nsGfxGTKModule components (all right -- a generic module!) 24 *** Registering nsIconDecoderModule components (all right -- a generic module!) 25 *** Registering nsImageLib2Module components (all right -- a generic module!) 26 *** Registering nsWidgetGtk2Module components (all right -- a generic module!) 27 *** Registering nsLayoutModule components (all right -- a generic module!) 28 *** Registering docshell_provider components (all right -- a generic module!) 29 *** Registering embedcomponents components (all right -- a generic module!) 30 *** Registering Browser_Embedding_Module components (all right -- a generic module!) 31 *** Registering nsEditorModule components (all right -- a generic module!) 32 *** Registering nsTransactionManagerModule components (all right -- a generic module!) 33 *** Registering nsComposerModule components (all right -- a generic module!) 34 *** Registering appshell components (all right -- a generic module!) 35 *** Registering nsAccessibilityModule components (all right -- a generic module!) 36 *** Registering nsChromeModule components (all right -- a generic module!) 37 *** Registering nsMorkModule components (all right -- a generic module!) 38 *** Registering nsFindComponent components (all right -- a generic module!) 39 *** Registering application components (all right -- a generic module!) 40 *** Registering nsFileViewModule components (all right -- a generic module!) 41 *** Registering RemoteServiceModule components (all right -- a generic module!) 42 *** Registering CommandLineModule components (all right -- a generic module!) 43 *** Registering nsToolkitCompsModule components (all right -- a generic module!) 44 *** Registering nsSoftwareUpdate components (all right -- a generic module!) 45 *** Registering BOOT components (all right -- a generic module!) 46 *** Registering NSS components (all right -- a generic module!) 47 *** Registering PKI components (all right -- a generic module!) 48 *** Registering mozgnome components (all right -- a generic module!) 49 *** Registering nsCookieModule components (all right -- a generic module!) 50 *** Registering nsXMLExtrasModule components (all right -- a generic module!) 51 *** Registering nsAutoConfigModule components (all right -- a generic module!) 52 *** Registering nsSystemPrefModule components (all right -- a generic module!) 53 *** Registering TransformiixModule components (all right -- a generic module!) 54 *** Registering nsUniversalCharDetModule components (all right -- a generic module!) 55 *** Registering nsWebServicesModule components (all right -- a generic module!) 56 *** Registering nsInspectorModule components (all right -- a generic module!) 57 *** Registering nsGnomeVFSModule components (all right -- a generic module!) 58 *** Registering nsNegotiateAuthModule components (all right -- a generic module!) 59 *** Registering nsPermissionsModule components (all right -- a generic module!) 60 *** Registering SearchServiceModule components (all right -- a generic module!) 61 *** Registering nsBrowserCompsModule components (all right -- a generic module!) 62 nsNativeComponentLoader: autoregistering succeeded 63 nsNativeComponentLoader: registering deferred (0) 64 nsNativeComponentLoader: registering deferred (0) 65 nsNativeComponentLoader: registering deferred (0) 66 nsNativeComponentLoader: autoregistering begins. 67 nsNativeComponentLoader: autoregistering succeeded 68 nsNativeComponentLoader: registering deferred (0) 69 pldhash: for the table at address 0x9049fd0, the given entrySize of 44 probably favors chaining over double hashing. 70 GFX: dpi=96 t2p=0.0666667 p2t=15 depth=24 71 ++WEBSHELL == 1 72 WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed, file /tmp/awuest/trees/statustext/mozilla/extensions/cookie/nsPermissionManager.cpp, line 624 73 ++DOMWINDOW == 1 74 *** loading the extensions datasource 75 WARNING: nsExceptionService ignoring thread destruction after shutdown, file /tmp/awuest/trees/statustext/mozilla/xpcom/base/nsExceptionService.cpp, line 191 76 --WEBSHELL == 0 77 WARNING: unable to Flush() diry datasource during XPCOM shutdown, file /tmp/awuest/trees/statustext/mozilla/rdf/base/src/nsRDFXMLDataSource.cpp, line 801 78 ###!!! ASSERTION: Main thread being held past XPCOM shutdown.: 'cnt == 0', file /tmp/awuest/trees/statustext/mozilla/xpcom/threads/nsThread.cpp, line 450 79 Break: at file /tmp/awuest/trees/statustext/mozilla/xpcom/threads/nsThread.cpp, line 450 80 Type Manifest File: /home/awuest/.mozilla/firefox/qsazrhuz.default/xpti.dat 81 nsNativeComponentLoader: autoregistering begins. 82 nsNativeComponentLoader: autoregistering succeeded 83 nsNativeComponentLoader: registering deferred (0) 84 pldhash: for the table at address 0x9e4a700, the given entrySize of 44 probably favors chaining over double hashing. 85 GFX: dpi=96 t2p=0.0666667 p2t=15 depth=24 86 ++WEBSHELL == 1 87 WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed, file /tmp/awuest/trees/statustext/mozilla/extensions/cookie/nsPermissionManager.cpp, line 624 88 ++DOMWINDOW == 1 89 *** Item Installed via directory addition to Install Location: app-global Item ID: {972ce4c6-7e08-4474-a285-3208198ce6fd}, attempting to register... 90 *** Item Installed/Upgraded at Install Location: app-global Item ID: {972ce4c6-7e08-4474-a285-3208198ce6fd}, attempting to register... 91 *** loading the extensions datasource 92 *** ... success, item is compatible 93 WARNING: nsExceptionService ignoring thread destruction after shutdown, file /tmp/awuest/trees/statustext/mozilla/xpcom/base/nsExceptionService.cpp, line 191 94 --WEBSHELL == 0 95 ###!!! ASSERTION: Main thread being held past XPCOM shutdown.: 'cnt == 0', file /tmp/awuest/trees/statustext/mozilla/xpcom/threads/nsThread.cpp, line 450 96 Break: at file /tmp/awuest/trees/statustext/mozilla/xpcom/threads/nsThread.cpp, line 450 97 No Persistent Registry Found. 98 Type Manifest File: /home/awuest/.mozilla/firefox/qsazrhuz.default/xpti.dat 99 nsNativeComponentLoader: autoregistering begins. 100 *** Registering xpcomObsoleteModule components (all right -- a generic module!) 101 *** Registering xpconnect components (all right -- a generic module!) 102 *** Registering nsUConvModule components (all right -- a generic module!) 103 *** Registering nsI18nModule components (all right -- a generic module!) 104 *** Registering necko_core_and_primary_protocols components (all right -- a generic module!) 105 *** Registering necko_secondary_protocols components (all right -- a generic module!) 106 *** Registering nsJarModule components (all right -- a generic module!) 107 *** Registering nsPrefModule components (all right -- a generic module!) 108 *** Registering nsSecurityManagerModule components (all right -- a generic module!) 109 *** Registering nsRDFModule components (all right -- a generic module!) 110 *** Registering nsParserModule components (all right -- a generic module!) 111 *** Registering nsGfxGTKModule components (all right -- a generic module!) 112 *** Registering nsIconDecoderModule components (all right -- a generic module!) 113 *** Registering nsImageLib2Module components (all right -- a generic module!) 114 *** Registering nsWidgetGtk2Module components (all right -- a generic module!) 115 *** Registering nsLayoutModule components (all right -- a generic module!) 116 *** Registering docshell_provider components (all right -- a generic module!) 117 *** Registering embedcomponents components (all right -- a generic module!) 118 *** Registering Browser_Embedding_Module components (all right -- a generic module!) 119 *** Registering nsEditorModule components (all right -- a generic module!) 120 *** Registering nsTransactionManagerModule components (all right -- a generic module!) 121 *** Registering nsComposerModule components (all right -- a generic module!) 122 *** Registering appshell components (all right -- a generic module!) 123 *** Registering nsAccessibilityModule components (all right -- a generic module!) 124 *** Registering nsChromeModule components (all right -- a generic module!) 125 *** Registering nsMorkModule components (all right -- a generic module!) 126 *** Registering nsFindComponent components (all right -- a generic module!) 127 *** Registering application components (all right -- a generic module!) 128 *** Registering nsFileViewModule components (all right -- a generic module!) 129 *** Registering RemoteServiceModule components (all right -- a generic module!) 130 *** Registering CommandLineModule components (all right -- a generic module!) 131 *** Registering nsToolkitCompsModule components (all right -- a generic module!) 132 *** Registering nsSoftwareUpdate components (all right -- a generic module!) 133 *** Registering BOOT components (all right -- a generic module!) 134 *** Registering NSS components (all right -- a generic module!) 135 *** Registering PKI components (all right -- a generic module!) 136 *** Registering mozgnome components (all right -- a generic module!) 137 *** Registering nsCookieModule components (all right -- a generic module!) 138 *** Registering nsXMLExtrasModule components (all right -- a generic module!) 139 *** Registering nsAutoConfigModule components (all right -- a generic module!) 140 *** Registering nsSystemPrefModule components (all right -- a generic module!) 141 *** Registering TransformiixModule components (all right -- a generic module!) 142 *** Registering nsUniversalCharDetModule components (all right -- a generic module!) 143 *** Registering nsWebServicesModule components (all right -- a generic module!) 144 *** Registering nsInspectorModule components (all right -- a generic module!) 145 *** Registering nsGnomeVFSModule components (all right -- a generic module!) 146 *** Registering nsNegotiateAuthModule components (all right -- a generic module!) 147 *** Registering nsPermissionsModule components (all right -- a generic module!) 148 *** Registering SearchServiceModule components (all right -- a generic module!) 149 *** Registering nsBrowserCompsModule components (all right -- a generic module!) 150 nsNativeComponentLoader: autoregistering succeeded 151 nsNativeComponentLoader: registering deferred (0) 152 nsNativeComponentLoader: registering deferred (0) 153 nsNativeComponentLoader: registering deferred (0) 154 nsNativeComponentLoader: autoregistering begins. 155 nsNativeComponentLoader: autoregistering succeeded 156 nsNativeComponentLoader: registering deferred (0) 157 pldhash: for the table at address 0xa16eaf8, the given entrySize of 44 probably favors chaining over double hashing. 158 GFX: dpi=96 t2p=0.0666667 p2t=15 depth=24 159 ++WEBSHELL == 1 160 WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed, file /tmp/awuest/trees/statustext/mozilla/extensions/cookie/nsPermissionManager.cpp, line 624 161 ++DOMWINDOW == 1 162 WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed, file /tmp/awuest/trees/statustext/mozilla/intl/strres/src/nsStringBundle.cpp, line 273 163 ++WEBSHELL == 2 164 ++DOMWINDOW == 2 165 Note: styleverifytree is disabled 166 Note: frameverifytree is disabled 167 Note: verifyreflow is disabled 168 ++WEBSHELL == 3 169 ++DOMWINDOW == 3 170 **** Stale search engine reference to 'NC:SearchCategory?engine=urn:search:engine:lxrmozilla.src' 171 **** Stale search engine reference to 'NC:SearchCategory?engine=urn:search:engine:bugzilla.src' 172 **** Stale search engine reference to 'NC:SearchCategory?engine=urn:search:engine:mozilla.src' 173 **** Stale search engine reference to 'NC:SearchCategory?engine=urn:search:engine:dmoz.src' 174 **** Stale search engine reference to 'NC:SearchCategory?engine=urn:search:engine:NetscapeSearch.src' 175 JS DUMP: bind_orthogonal_implementation::ctor: binding "chrome://global/content/bindings/general.xml#testbinding" on "[object XULElement @ 0xb6be1158 (native @ 0xb6beb470)]". 176 Program firefox-devbuild/dist/bin/firefox-bin (pid = 10159) received signal 11. 177 Stack: 178 nsProfileLock::FatalSignalHandler(int)+0x00000137 [firefox-devbuild/dist/bin/firefox-bin +0x00021F79] 179 UNKNOWN [/lib/tls/libpthread.so.0 +0x0000AE48] 180 Program firefox-devbuild/dist/bin/firefox-bin (pid = 10159) received signal 11. 181 Stack: 182 nsProfileLock::FatalSignalHandler(int)+0x00000137 [firefox-devbuild/dist/bin/firefox-bin +0x00021F79] 183 UNKNOWN [/lib/tls/libpthread.so.0 +0x0000AE48] 184 UNKNOWN [/lib/tls/libc.so.6 +0x000721CD] 185 __libc_free+0x00000088 [/lib/tls/libc.so.6 +0x00071048] 186 DemangleSymbol(char const*, char*, int)+0x00000052 [firefox-devbuild/dist/bin/firefox-bin +0x00021A46] 187 DumpStackToFile(_IO_FILE*)+0x00000167 [firefox-devbuild/dist/bin/firefox-bin +0x00021BB5] 188 ah_crap_handler(int)+0x0000005A [firefox-devbuild/dist/bin/firefox-bin +0x00021416] 189 nsProfileLock::FatalSignalHandler(int)+0x00000137 [firefox-devbuild/dist/bin/firefox-bin +0x00021F79] 190 UNKNOWN [/lib/tls/libpthread.so.0 +0x0000AE48] 191 nsCOMPtr<nsIDOMElement>::assign_from_qi(nsQueryInterface, nsID const&)+0x00000021 [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x00307363] 192 nsCOMPtr<nsIDOMElement>::nsCOMPtr(nsQueryInterface)+0x00000037 [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x0030518D] 193 nsXBLBinding::GetAnonymousNodes()+0x00000058 [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x006F4468] 194 UNKNOWN [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x006F0F32] 195 UNKNOWN [firefox-devbuild/dist/bin/libxpcom_core.so +0x0008A7FE] 196 PL_DHashTableEnumerate+0x00000089 [firefox-devbuild/dist/bin/libxpcom_core.so +0x0008335F] 197 nsHashtable::Enumerate(int (*)(nsHashKey*, void*, void*), void*)+0x00000057 [firefox-devbuild/dist/bin/libxpcom_core.so +0x0008B119] 198 nsXBLBinding::GenerateAnonymousContent()+0x00000626 [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x006F1D18] 199 nsXBLBinding::GenerateAnonymousContent()+0x0000006C [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x006F175E] 200 UNKNOWN [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x0070DB63] 201 UNKNOWN [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x00712C6C] 202 UNKNOWN [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x005ADAF2] 203 XPTC_InvokeByIndex+0x00000029 [firefox-devbuild/dist/bin/libxpcom_core.so +0x00121651] 204 XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode)+0x00001154 [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libxpconnect.so +0x00080AAC] 205 XPC_WN_CallMethod(JSContext*, JSObject*, unsigned int, long*, long*)+0x000001A5 [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libxpconnect.so +0x0008AD6B] 206 js_Invoke+0x00000F2A [firefox-devbuild/dist/bin/libmozjs.so +0x00050B7F] 207 js_Interpret+0x0000E0BF [firefox-devbuild/dist/bin/libmozjs.so +0x000603DF] 208 js_Invoke+0x00000FB3 [firefox-devbuild/dist/bin/libmozjs.so +0x00050C08] 209 js_InternalInvoke+0x00000141 [firefox-devbuild/dist/bin/libmozjs.so +0x00050FB9] 210 JS_CallFunctionValue+0x0000002F [firefox-devbuild/dist/bin/libmozjs.so +0x0001D2A2] 211 nsXBLProtoImplAnonymousMethod::Execute(nsIContent*)+0x00000416 [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x00702D92] 212 nsXBLPrototypeBinding::BindingAttached(nsIContent*)+0x0000003C [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x006F5824] 213 nsXBLBinding::ExecuteAttachedHandler()+0x0000006A [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x006F2D14] 214 UNKNOWN [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x00713439] 215 nsCSSFrameConstructor::ContentAppended(nsIContent*, int)+0x00000B7F [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x002F7F1F] 216 PresShell::ContentAppended(nsIDocument*, nsIContent*, int)+0x0000009E [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x003553BE] 217 nsDocument::ContentAppended(nsIContent*, int)+0x0000008F [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x005ABFD9] 218 nsXULDocument::ContentAppended(nsIContent*, int)+0x00000093 [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x00735721] 219 nsXULContentBuilder::RebuildAll()+0x0000036F [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x008035A3] 220 UNKNOWN [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x0081725D] 221 nsXULTemplateBuilder::AttributeChanged(nsIDocument*, nsIContent*, int, nsIAtom*, int)+0x0000004B [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x00817773] 222 nsXULContentBuilder::AttributeChanged(nsIDocument*, nsIContent*, int, nsIAtom*, int)+0x000000E7 [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x008025B9] 223 nsXULDocument::AttributeChanged(nsIContent*, int, nsIAtom*, int)+0x00000315 [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x00735527]nsXULElement::SetAttrAndNotify(int, nsIAtom*, nsIAtom*, nsAString const&, nsAttrValue&, int, int, int)+0x00000535 [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x0071AD3D] 224 nsXULElement::SetAttr(int, nsIAtom*, nsIAtom*, nsAString const&, int)+0x00000314 [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x0071A7CC] 225 nsXULElement::SetAttr(int, nsIAtom*, nsAString const&, int)+0x00000026 [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x0072532A] 226 UNKNOWN [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x0071F141] 227 XPTC_InvokeByIndex+0x00000029 [firefox-devbuild/dist/bin/libxpcom_core.so +0x00121651] 228 XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode)+0x00001154 [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libxpconnect.so +0x00080AAC] 229 XPCWrappedNative::SetAttribute(XPCCallContext&)+0x00000020 [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libxpconnect.so +0x0008C11A] 230 XPC_WN_GetterSetter(JSContext*, JSObject*, unsigned int, long*, long*)+0x000001C1 [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libxpconnect.so +0x0008AF57] 231 js_Invoke+0x00000F2A [firefox-devbuild/dist/bin/libmozjs.so +0x00050B7F] 232 js_InternalInvoke+0x00000141 [firefox-devbuild/dist/bin/libmozjs.so +0x00050FB9] 233 js_InternalGetOrSet+0x0000023B [firefox-devbuild/dist/bin/libmozjs.so +0x00051258] 234 js_SetProperty+0x00000374 [firefox-devbuild/dist/bin/libmozjs.so +0x00077B60] 235 js_Interpret+0x0000C844 [firefox-devbuild/dist/bin/libmozjs.so +0x0005EB64] 236 js_Invoke+0x00000FB3 [firefox-devbuild/dist/bin/libmozjs.so +0x00050C08] 237 js_InternalInvoke+0x00000141 [firefox-devbuild/dist/bin/libmozjs.so +0x00050FB9] 238 JS_CallFunctionValue+0x0000002F [firefox-devbuild/dist/bin/libmozjs.so +0x0001D2A2] 239 nsJSContext::CallEventHandler(JSObject*, JSObject*, unsigned int, long*, long*)+0x0000012C [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x00769D64] 240 nsGlobalWindow::RunTimeout(nsTimeout*)+0x00000486 [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x0078262A] 241 nsGlobalWindow::TimerCallback(nsITimer*, void*)+0x00000037 [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libgklayout.so +0x007831C1] 242 nsTimerImpl::Fire()+0x00000250 [firefox-devbuild/dist/bin/libxpcom_core.so +0x000FB3C0] 243 handleTimerEvent(TimerEventType*)+0x0000010C [firefox-devbuild/dist/bin/libxpcom_core.so +0x000FB5A6] 244 PL_HandleEvent+0x00000054 [firefox-devbuild/dist/bin/libxpcom_core.so +0x000F2F18] 245 PL_ProcessPendingEvents+0x000000DC [firefox-devbuild/dist/bin/libxpcom_core.so +0x000F2DB9] 246 UNKNOWN [firefox-devbuild/dist/bin/libxpcom_core.so +0x000F6304] 247 UNKNOWN [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libwidget_gtk2.so +0x00037288] 248 UNKNOWN [/usr/lib/libglib-2.0.so.0 +0x00043F8F] 249 UNKNOWN [/usr/lib/libglib-2.0.so.0 +0x00022C30] 250 g_main_context_dispatch+0x00000098 [/usr/lib/libglib-2.0.so.0 +0x00023C98] 251 UNKNOWN [/usr/lib/libglib-2.0.so.0 +0x00023FAD] 252 g_main_loop_run+0x0000019F [/usr/lib/libglib-2.0.so.0 +0x000246CF] 253 gtk_main+0x000000BF [/usr/lib/libgtk-x11-2.0.so.0 +0x000D443F] 254 UNKNOWN [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libwidget_gtk2.so +0x0003797A] 255 UNKNOWN [/tmp/awuest/trees/statustext/mozilla/firefox-devbuild/dist/bin/components/libtoolkitcomps.so +0x00043D0F] 256 UNKNOWN [firefox-devbuild/dist/bin/firefox-bin +0x0000F4DB] 257 XOpenDisplay+0x0000010E [firefox-devbuild/dist/bin/firefox-bin +0x000076C2] 258 __libc_start_main+0x000000DA [/lib/tls/libc.so.6 +0x0001578A] 259 Sleeping for 5 minutes. 260 Type 'gdb firefox-devbuild/dist/bin/firefox-bin 10159' to attach your debugger to this thread. Please note the line starting with "JS DUMP" (line 175). After this 'dump()', the document.addBinding() is called (see testcase). The 'dump()' after addBinding() is never reached. In case you wonder about what the code should do: it should supply a facility to add orthogonal bindings (i.e. bindings or a chain of bindings with functionality which does not need to inherit from other bindings or chains of bindings). It implements quasi-multiple inheritance, with the difference that addBinding() just links the additional bindings into the existing bindings chain, i.e. conflict resolution is solved by simple 'subclassing'. See also rant^H^H^H^Hcomment https://bugzilla.mozilla.org/show_bug.cgi?id=213163#c33. It doesn't matter that addBinding has to add the binding at the top of the chain (i.e. at the point where no other (normal) bindings have been bound to the current element), the same behaviour can also be reproduced when factoring the 'bind_orthogonal_implementation' code out and call it via a mouseover event after the browser was loaded. But maybe these are just the two corner cases (inserting binding at the top and at the bottom of the chain), but it would work in between (altough I cannot imagine this since it is always an insertion at the bottom, except for the topmost insertion). Reproducible: Always Steps to Reproduce: 1. Compile 2. Run 3. Crash Actual Results: Segmentation fault (see backtraces above) Expected Results: Execute the addBinding() function and add the specified binding to the element. Linux 2.4.21-32.0.1.ELsmp #1 SMP Tue May 17 17:52:23 EDT 2005 i686 i686 i386 GNU/Linux
Adds a new super class, which in its constructor calls document.addBinding to bind an additional binding which can be specified in an attribute 'orthogonalBinding'. Call to addBinding crashes.
PS: Just to make sure: changing the attribute to low caps has no effect, except that I can't get a sensible stacktrace anymore...
Blocks: 213163
Attachment #185144 - Attachment is patch: false
For future reference, a testcase should generally be runnable in the browser without having to change the source... Makes it a lot easier to work with.
So the problem here is probably that this code is reentering the binding construction somehow before it's quite done. The crash is happening because nsXBLBinding::GenerateAnonymousContent hits a null array in its hashtable...
Severity: normal → critical
Component: DOM: Core → XBL
Keywords: crash
Summary: document.addBinding() segfaults → document.addBinding() segfaults when called from binding constructor for same element
(In reply to comment #4) > So the problem here is probably that this code is reentering the binding > construction somehow before it's quite done. The crash is happening because > nsXBLBinding::GenerateAnonymousContent hits a null array in its hashtable... Sorry, but I have to disagree with you. As I mentioned above, the segfault also happens when using something like this: <binding id="bind_orthogonal_implementation"> <implementation> <property name="orthogonalbinding" onget="return this.getAttribute('orthogonalbinding');"/> <method name="bind_orthogonal_implementation"> <body> <![CDATA[ if (this.orthogonalbinding) { dump("JS DUMP: bind_orthogonal_implementation::bind_orthogonal_implementation: binding \"" + this.orthogonalbinding + "\" on \"" + this + "\".\n"); document.addBinding(this, this.orthogonalbinding); dump("JS DUMP: bind_orthogonal_implementation::bind_orthogonal_implementation: after document.addBinding() invocation.\n"); } ]]> </body> </method> </implementation> </binding> and invoking it via orthogonalbinding="chrome://global/content/bindings/general.xml#testbinding" onmouseover="bind_orthogonal_implementation();" by hovering over the toolbarbutton. In this case, the binding obvioulsy happens *after* this element and everything has been initialised! (You can even do some browsing before.) See testcase #2 and backtrace #2. PS: Should I try to rework the testcases somehow to be able to load it directly into the browser without having to recompile?
Attachment #185144 - Attachment description: Testcase to reproduce document.addBinding() segfault → Testcase #1 to reproduce document.addBinding() segfault
Summary: document.addBinding() segfaults when called from binding constructor for same element → document.addBinding() segfaults when calling element is the target of the binding
Actually, this should just crash any time it's called on a node which already has a binding. Part of the problem is deCOM that leads to us not holding a ref to a binding we need and hence it actually going away while we're working with it. Fixing that gets me a little further, but still crashes...
Summary: document.addBinding() segfaults when calling element is the target of the binding → document.addBinding() segfaults called on a node with existing binding
Brian, could you possibly look into this? I won't have a chance to till July at this point. Two problems I've found so far are: 1) In nsXBLService::LoadBindings when we are in the aAugmentFlag we do: bindingManager->SetBinding(aContent, newBinding); baseBinding->SetBaseBinding(binding); That first call destroys |binding|, since we're not holding a ref to it. Just taking a ref before calling SetBinding helps with this. 2) With #1 fixed we crash in ObjectEntry::SetValue, called from nsBindingManager::SetAnonymousNodesFor. In particular, the nsVoidArray::EnumerateForwards in ~nsAnonymousContentList crashes, with this stack: 0 0x0000000e in ?? () #1 0xb7e72bc9 in nsCOMArray_base::~nsCOMArray_base () at nsIComponentManager.h:29 #2 0xb71fa912 in nsCOMArray<nsIContent>::~nsCOMArray () at nsCOMArray.h:52 #3 0xb75bfe2c in nsXBLInsertionPoint::~nsXBLInsertionPoint () at ../../../../mozilla/content/xtf/src/nsXTFElementWrapper.cpp:58 #4 0xb75baf0a in DeleteInsertionPoint (aElement=0x8853050, aData=0x0) at ../../../../mozilla/content/xbl/src/nsBindingManager.cpp:124 #5 0xb7e6d4b0 in nsVoidArray::EnumerateForwards (this=0x8861fd0, aFunc=0xb75baee0 <DeleteInsertionPoint>, aData=0x0) at ../../../mozilla/xpcom/ds/nsVoidArray.cpp:648 At a guess, we are trying to double-delete insertion points or something along those lines, since we're just augmenting an existing binding and hence reusing its existing insertion point table. That is, I'm not sure the "binding manager table owns insertion points" model introduced in bug 194834 is correct (or rather it's not enforced right now; other places have pointers to the same insertion points).
Assignee: general → general
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8b3?
Bumping... this sucks.
Flags: blocking1.8b4?
Flags: blocking1.8b3?
Flags: blocking1.8b3-
Just to make it clear, this is a major XBL usability regression in 1.8, and I think we should definitely fix it before we branch 1.8....
Whiteboard: [no l10n impact]
Flags: blocking1.8b4? → blocking1.8b4+
Whiteboard: [no l10n impact] → [no l10n impact] [needed before branch]
Is anyone working on this? If not, who should? /cb
Whiteboard: [no l10n impact] [needed before branch] → [no l10n impact] [needed before branch] [at risk?]
I'm not aware of anyone working on this yet. As for who should.... bryner wrote the code and probably knows it better than anyone else. I could try to work on it, but I really don't know how and why most of this code works, so my approach would be mostly along the lines of backing out parts of bug 194834.
ok, so bz, if you could take this, and perhaps get an assist from bryner? /cb
Assignee: general → bzbarsky
I'm not going to be able to work on this until at least two weeks from now.
No longer blocks: branching1.8
Whiteboard: [no l10n impact] [needed before branch] [at risk?] → [no l10n impact]
Whiteboard: [no l10n impact] → [no l10n impact][ETA: 8/19]
bryner, could you possibly take a look at this? I really don't quite understand why the code you wrote in bug 194834 is doing what it's doing, and at the same time I don't really want to try to back it out wholesale -- enough stuff has changed since that that would be pretty painful.
Keywords: helpwanted
Whiteboard: [no l10n impact][ETA: 8/19] → [no l10n impact][ETA: unknown]
Blocks: 194834
Flags: blocking1.8b5+
Flags: blocking1.8b5+
Bryner said he'd look at this...
Assignee: bzbarsky → bryner
Target Milestone: --- → mozilla1.8beta4
Attached patch idea for a fixSplinter Review
As Boris mentioned, there are two problems. The first is that the old binding can be deleted as the new binding is inserted into the chain. That's fixed by simply reordering things in LoadBindings(). The other problem happens when GenerateAnonymousContent() is called on a binding for the second time. The binding will already have the insertion points created, in mInsertionPointTable. They are inserted into a newly-created VoidArray which is then set as the anonymous content list for the node on the binding manager. So, the binding manager goes to replace one VoidArray that contains nsXBLInsertionPoints with a second void array containing the same points. Since the insertion points are deleted as the old array is removed, the new array has pointers to freed memory. My fix here is simply to remove any duplicate insertion points from the old nsVoidArray prior to swapping them, so that only insertion points that are no longer referenced will be deleted.
Attachment #194492 - Flags: superreview?(bzbarsky)
Attachment #194492 - Flags: review?(bzbarsky)
Comment on attachment 194492 [details] [diff] [review] idea for a fix Nice! r+sr=bzbarsky
Attachment #194492 - Flags: superreview?(bzbarsky)
Attachment #194492 - Flags: superreview+
Attachment #194492 - Flags: review?(bzbarsky)
Attachment #194492 - Flags: review+
checked in on the trunk.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Attachment #194492 - Flags: approval1.8b4?
Brian, thanks for the human testcase. ;-) verified on the trunk with: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20050901 Firefox/1.6a1
Status: RESOLVED → VERIFIED
Attachment #194492 - Flags: approval1.8b4? → approval1.8b4+
checked in on the branch
Keywords: fixed1.8
verified on Firefox 1.4 -mozilla1.8 branch- Win, Lin and Mac : 2005-09-07
Keywords: fixed1.8, helpwantedverified1.8
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: