Crash when dragging tabs in FX Developer Edition

RESOLVED DUPLICATE of bug 1264454

Status

()

Core
Widget: Gtk
RESOLVED DUPLICATE of bug 1264454
2 years ago
2 years ago

People

(Reporter: cade, Unassigned)

Tracking

47 Branch
x86_64
Linux
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

(Reporter)

Description

2 years ago
I'm seeing Firefox crash every time I rearrange my open tabs.

Here's a crash report: https://crash-stats.mozilla.com/report/index/97407d79-1691-4dd2-ae24-547c82160412

I'm running this on Antergos Linux with the XFCE desktop environment.

STR (for my system, at least):
1. Open Firefox developer edition
2. Make at least two tabs
3. click and drag a tab to rearrange. (if it doesn't crash, try a few times, but it shouldn't take more than two or three drags)

The crash happens during the drag, or right after the drop.

Comment 1

2 years ago
Martin or Karl, any idea what's going on here? Looks like a crash in GTK-land...
Blocks: 627699
Component: Tabbed Browser → Widget: Gtk
Flags: needinfo?(stransky)
Flags: needinfo?(karlt)
Product: Firefox → Core
See Also: → bug 1263703
(Reporter)

Comment 2

2 years ago
Looking at all the crashes with the same signature, it appears we're all running some kind of Arch based system. This crash might be related to the recent release of gtk3 3.20.2?
(Reporter)

Comment 3

2 years ago
Also, the bug doesn't affect my Firefox Nighlty install.
(Reporter)

Comment 4

2 years ago
(In reply to Chris DeCairos (:cade) from comment #3)
> Also, the bug doesn't affect my Firefox Nighlty install.

I regret typing this so soon, for I just crashed nightly :D 

https://crash-stats.mozilla.com/report/index/efc81493-89a6-44ae-ae44-ec7b92160412
(In reply to Chris DeCairos (:cade) from comment #2)
> Looking at all the crashes with the same signature, it appears we're all
> running some kind of Arch based system. This crash might be related to the
> recent release of gtk3 3.20.2?

Yes, this shows 73.27% of all crashes in that library are with libgtk-3.so.0.2000.2:

https://crash-stats.mozilla.com/search/?signature=~libgtk-3.so.0&_facets=signature&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-signature

I would confirm by rolling back to a previous version, and file a bug against GTK.  I think 3.16 is the last version that will run against a GIO version that doesn't suffer from https://bugzilla.gnome.org/show_bug.cgi?id=762994

A stack trace from gdb may provide more info, but it won't find symbols in libxul.so downloaded from Mozilla.

addr2line can be used with the debuginfo packages for libgtk and libgobject to get a bit more info.  See for example
https://bugzilla.mozilla.org/show_bug.cgi?id=1239962#c5
Flags: needinfo?(karlt)
Reporter, does it also happen with firefox from distro? It may be 45.0.x. Or is that happens only on mozilla builds? AFAIK Arch carries gtk3.20 patches from Fedora.

If the distro firefox also crashes it would be easy to install debuginfo packages and get the backtrace by gdb.
Flags: needinfo?(stransky) → needinfo?(cade)
(Reporter)

Comment 7

2 years ago
I can confirm that the crash isn't present in gtk 3.18.9

I can try and get a backtrace with gdb - is there any guide on the exact steps required to do so?
Flags: needinfo?(cade)
(Reporter)

Comment 8

2 years ago
I figured it out, I think.

Developer Edition offers next to nothing in terms of a backtrace, but I do get this from nightly when I crash it and gdb is attached:

> Thread 1 "firefox-nightly" received signal SIGSEGV, Segmentation fault.
> 0x00007ffff1f91920 in g_type_check_instance_cast () from /usr/lib/libgobject-2.0.so.0
> (gdb) bt
> #0  0x00007ffff1f91920 in g_type_check_instance_cast () from /usr/lib/libgobject-2.0.so.0
> #1  0x00007fffe90653ca in nsWindow::NativeShow(bool) () from /opt/firefox-nightly/libxul.so
> #2  0x00007fffe7a49d02 in nsWindow::Show(bool) () from /opt/firefox-nightly/libxul.so
> #3  0x00007fffe8824aec in nsView::ResetWidgetBounds(bool, bool) ()
>    from /opt/firefox-nightly/libxul.so
> #4  0x00007fffe8826879 in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) ()
>    from /opt/firefox-nightly/libxul.so
> #5  0x00007fffe896ef76 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) ()
>    from /opt/firefox-nightly/libxul.so
> #6  0x00007fffe896f8c4 in PresShell::ProcessSynthMouseMoveEvent(bool) ()
>    from /opt/firefox-nightly/libxul.so
> #7  0x00007fffe896fc96 in PresShell::nsSynthMouseMoveEvent::WillRefresh(mozilla::TimeStamp) ()
>    from /opt/firefox-nightly/libxul.so
> #8  0x00007fffe88dd9ee in nsRefreshDriver::Tick(long, mozilla::TimeStamp) ()
>    from /opt/firefox-nightly/libxul.so
> #9  0x00007fffe88df169 in nsRunnableMethodImpl<void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), true, mozilla::TimeStamp>::Run() ()
>    from /opt/firefox-nightly/libxul.so
> #10 0x00007fffe8583cc2 in nsThread::ProcessNextEvent(bool, bool*) ()
>    from /opt/firefox-nightly/libxul.so
> #11 0x00007fffe859629c in NS_ProcessNextEvent(nsIThread*, bool) ()
>    from /opt/firefox-nightly/libxul.so
> #12 0x00007fffe85e81a5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ()
>    from /opt/firefox-nightly/libxul.so
> #13 0x00007fffe8ebb0b3 in MessageLoop::Run() () from /opt/firefox-nightly/libxul.so
> #14 0x00007fffe7a390ce in nsBaseAppShell::Run() () from /opt/firefox-nightly/libxul.so
> #15 0x00007fffe7f0020b in nsAppStartup::Run() () from /opt/firefox-nightly/libxul.so
> #16 0x00007fffe7f271a4 in XREMain::XRE_mainRun() () from /opt/firefox-nightly/libxul.so
> #17 0x00007fffe7f274ab in XREMain::XRE_main(int, char**, nsXREAppData const*) ()
>    from /opt/firefox-nightly/libxul.so
> #18 0x00007fffe7f276d5 in XRE_main () from /opt/firefox-nightly/libxul.so
> #19 0x0000000000410551 in do_main(int, char**, char**, nsIFile*) ()
> #20 0x000000000040c983 in main ()
See Also: → bug 1264454
That's very helpful, thanks Chris.

https://bbs.archlinux.org/viewtopic.php?id=174250 indicates that Arch don't provide debug packages for more specific information.

https://wiki.archlinux.org/index.php/Step-by-step_debugging_guide indicates that recompiling is required to get all the debug info.

If you are willing to recompile glib2, as indicated there, we can expect a little more info.

Mozilla's ASAN builds include debug info.  Can you try one of those please?
That's probably simpler than recompiling glib2.
It may provide useful info without gdb even.
http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-aurora-linux64-asan-debug/1460580527/
Or if that is too slow
http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-aurora-linux64-asan/1460580527/
(Reporter)

Comment 10

2 years ago
Both of those builds do not trigger the crash, no matter how much tabs rearranging I do.
Thanks for trying those builds, Chris.

Crash data (bug 1264454) is not detecting this crash on beta.
Would you be able to try turning of e10s please, to see whether that is part of the trigger?
Flags: needinfo?(cade)
(Reporter)

Comment 12

2 years ago
Well, look at that! Turning off e10s appears to stop the crash.
Flags: needinfo?(cade)
Does disabling `nglayout.enable_drag_images` instead of e10s also stop the crash?

Here are two different backtraces from crashes on tab-dragging, from my own FDE build, with debug symbols for GLib and GTK:

> #0  0x00007ffff5b890b3 in gtk_drag_set_icon_widget (context=0x7fffc5d12460, widget=0x7fffbea7de40, hot_x=-16, hot_y=-16) at gtkdnd.c:2592
>         __inst = 0x7fffbea7de40
>         __t = 140737333101056
>         __r = <optimized out>
>         __func__ = "gtk_drag_set_icon_widget"
> #1  0x00007fffe7da2d5c in nsDragService::SetDragIcon(_GdkDragContext*) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #2  0x00007ffff2de8ea5 in g_closure_invoke (closure=0x7fffcb06e350, return_value=return_value@entry=0x0, n_param_values=2, param_values=param_values@entry=0x7fffffffac40, invocation_hint=invocation_hint@entry=0x7fffffffabb0) at gclosure.c:804
>         marshal = <optimized out>
>         marshal_data = <optimized out>
>         in_marshal = 0
>         real_closure = 0x7fffcb06e330
>         __func__ = "g_closure_invoke"
> #3  0x00007ffff2dfb0e6 in signal_emit_unlocked_R (node=node@entry=0x7fffe4731aa0, detail=detail@entry=0, instance=instance@entry=0x7fffcae96640, emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7fffffffac40) at gsignal.c:3629
>         tmp = <optimized out>
>         handler = 0x7fffcaefbc80
>         accumulator = 0x0
>         emission = {next = 0x7fffffffbe90, instance = 0x7fffcae96640, ihint = {signal_id = 79, detail = 0, run_type = G_SIGNAL_RUN_FIRST}, state = EMISSION_RUN, chain_type = 4}
>         handler_list = 0x7fffcaefbc80
>         return_accu = 0x0
>         accu = {g_type = 0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
>         signal_id = 79
>         max_sequential_handler_number = 1214
>         return_value_altered = 0
> #4  0x00007ffff2e05354 in g_signal_emit_valist (instance=instance@entry=0x7fffcae96640, signal_id=signal_id@entry=79, detail=detail@entry=0, var_args=var_args@entry=0x7fffffffae48) at gsignal.c:3385
>         instance_and_params = 0x7fffffffac40
>         signal_return_type = <optimized out>
>         param_values = 0x7fffffffac58
>         i = <optimized out>
>         n_params = <optimized out>
>         __func__ = "g_signal_emit_valist"
> #5  0x00007ffff2e05c15 in g_signal_emit_by_name (instance=instance@entry=0x7fffcae96640, detailed_signal=detailed_signal@entry=0x7ffff5bae673 "drag-begin") at gsignal.c:3481
>         var_args = <error reading variable var_args (Attempt to dereference a generic pointer.)>
>         detail = 0
>         signal_id = 79
>         itype = 140736597636784
>         __func__ = "g_signal_emit_by_name"
> #6  0x00007ffff5b8883b in gtk_drag_begin_internal (widget=widget@entry=0x7fffcae96640, icon=icon@entry=0x0, target_list=target_list@entry=0x7fffbe45e8e0, actions=actions@entry=(GDK_ACTION_DEFAULT | GDK_ACTION_COPY | GDK_ACTION_MOVE | GDK_ACTION_LINK), button=button@entry=1, event=event@entry=0x7fffffffb0f0, x=-1, y=-1) at gtkdnd.c:2340
>         info = 0x7fffc78d1d80
>         targets = <optimized out>
>         tmp_list = <optimized out>
>         time = 724819034
>         possible_actions = (GDK_ACTION_DEFAULT | GDK_ACTION_COPY | GDK_ACTION_MOVE | GDK_ACTION_LINK)
>         suggested_action = GDK_ACTION_COPY
>         context = 0x7fffc5d12460
>         ipc_widget = 0x7fffbf7ac640
>         cursor = 0x7fffba326d40
>         pointer = <optimized out>
>         keyboard = <optimized out>
>         ipc_window = 0x7fffb76a5a40
>         start_x = 525
>         start_y = 161
>         selection = <optimized out>
>         managed = 1
> #7  0x00007ffff5b88fe3 in gtk_drag_begin (widget=0x7fffcae96640, targets=0x7fffbe45e8e0, actions=(GDK_ACTION_DEFAULT | GDK_ACTION_COPY | GDK_ACTION_MOVE | GDK_ACTION_LINK), button=1, event=0x7fffffffb0f0) at gtkdnd.c:2499
>         __func__ = "gtk_drag_begin"
> #8  0x00007fffe7da8bf2 in nsDragService::InvokeDragSessionImpl(nsISupportsArray*, nsIScriptableRegion*, unsigned int) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #9  0x00007fffe7d7f3d2 in nsBaseDragService::InvokeDragSession(nsIDOMNode*, nsISupportsArray*, nsIScriptableRegion*, unsigned int) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #10 0x00007fffe7d7d311 in nsBaseDragService::InvokeDragSessionWithImage(nsIDOMNode*, nsISupportsArray*, nsIScriptableRegion*, unsigned int, nsIDOMNode*, int, int, nsIDOMDragEvent*, nsIDOMDataTransfer*) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #11 0x00007fffe7947104 in mozilla::EventStateManager::DoDefaultDragStart(nsPresContext*, mozilla::WidgetDragEvent*, mozilla::dom::DataTransfer*, nsIContent*, nsISelection*) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #12 0x00007fffe794098f in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*) [clone .cold.135] () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #13 0x00007fffe8d718c6 in PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*, bool) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #14 0x00007fffe8d716b0 in PresShell::HandlePositionedEvent(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #15 0x00007fffe8d70638 in PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*, nsIContent**) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #16 0x00007fffe8c778b6 in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #17 0x00007fffe93d273a in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #18 0x00007fffe93db5ba in nsWindow::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #19 0x00007fffe93d3c70 in nsBaseWidget::DispatchInputEvent(mozilla::WidgetInputEvent*) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #20 0x00007fffe7d96972 in nsWindow::OnMotionNotifyEvent(_GdkEventMotion*) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #21 0x00007fffe7d969fb in motion_notify_event_cb(_GtkWidget*, _GdkEventMotion*) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #22 0x00007ffff59d345c in _gtk_marshal_BOOLEAN__BOXED (closure=0x7fffd6d57940, return_value=0x7fffffffbec0, n_param_values=<optimized out>, param_values=0x7fffffffbf20, invocation_hint=<optimized out>, marshal_data=<optimized out>) at gtkmarshalers.c:86
>         callback = 0x7fffe7d969d4 <motion_notify_event_cb(_GtkWidget*, _GdkEventMotion*)>
>         cc = 0x7fffd6d57940
>         data1 = 0x7fffd9ff7e40
>         data2 = <optimized out>
>         v_return = <optimized out>
>         __func__ = "_gtk_marshal_BOOLEAN__BOXED"
> #23 0x00007ffff2de8ea5 in g_closure_invoke (closure=0x7fffd6d57940, return_value=return_value@entry=0x7fffffffbec0, n_param_values=2, param_values=param_values@entry=0x7fffffffbf20, invocation_hint=invocation_hint@entry=0x7fffffffbea0) at gclosure.c:804
>         marshal = <optimized out>
>         marshal_data = <optimized out>
>         in_marshal = 0
>         real_closure = 0x7fffd6d57920
>         __func__ = "g_closure_invoke"
> #24 0x00007ffff2dfb0e6 in signal_emit_unlocked_R (node=node@entry=0x7fffe4731140, detail=detail@entry=0, instance=instance@entry=0x7fffd9ff7e40, emission_return=emission_return@entry=0x7fffffffc040, instance_and_params=instance_and_params@entry=0x7fffffffbf20) at gsignal.c:3629
>         tmp = <optimized out>
>         handler = 0x7fffd6d56640
>         accumulator = 0x7fffe4729570
>         emission = {next = 0x0, instance = 0x7fffd9ff7e40, ihint = {signal_id = 57, detail = 0, run_type = G_SIGNAL_RUN_FIRST}, state = EMISSION_RUN, chain_type = 4}
>         handler_list = 0x7fffd6d56640
>         return_accu = 0x7fffffffbec0
>         accu = {g_type = 20, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
>         signal_id = 57
>         max_sequential_handler_number = 1208
>         return_value_altered = 0
> #25 0x00007ffff2e04e05 in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fffffffc0f0) at gsignal.c:3395
>         return_value = {g_type = 20, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
>         error = 0x0
>         rtype = 20
>         static_scope = 0
>         instance_and_params = 0x7fffffffbf20
>         signal_return_type = <optimized out>
>         param_values = 0x7fffffffbf38
>         i = <optimized out>
>         n_params = <optimized out>
>         __func__ = "g_signal_emit_valist"
> #26 0x00007ffff2e05737 in g_signal_emit (instance=instance@entry=0x7fffd9ff7e40, signal_id=<optimized out>, detail=detail@entry=0) at gsignal.c:3441
>         var_args = <error reading variable var_args (Attempt to dereference a generic pointer.)>
> #27 0x00007ffff5b54c14 in gtk_widget_event_internal (widget=widget@entry=0x7fffd9ff7e40, event=event@entry=0x7fffb86c2670) at gtkwidget.c:7704
>         signal_num = <optimized out>
>         return_val = 0
>         handled = 0
> #28 0x00007ffff5b570ab in gtk_widget_event_internal (event=<optimized out>, widget=<optimized out>) at gtkwidget.c:7265
>         return_val = <optimized out>
> #29 gtk_widget_event (widget=widget@entry=0x7fffe4726880, event=event@entry=0x7fffb86c2670) at gtkwidget.c:7264
>         __func__ = "gtk_widget_event"
> #30 0x00007ffff5b78c73 in _gtk_window_check_handle_wm_event (event=event@entry=0x7fffb86c2670) at gtkwindow.c:8082
>         priv = <optimized out>
>         widget = 0x7fffe4726880
> #31 0x00007ffff59d1d68 in gtk_main_do_event (event=0x7fffb86c2670) at gtkmain.c:1702
>         event_widget = 0x7fffd9ff7e40
>         grab_widget = 0x0
>         topmost_widget = 0x0
>         rewritten_event = <optimized out>
>         device = 0x7ffff6b5a660
>         tmp_list = <optimized out>
>         __func__ = "gtk_main_do_event"
> #32 0x00007ffff54b4145 in _gdk_event_emit (event=event@entry=0x7fffb86c2670) at gdkevents.c:73
> No locals.
> #33 0x00007ffff54e7cf2 in gdk_event_source_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at gdkeventsource.c:369
>         display = <optimized out>
>         event = <optimized out>
> #34 0x00007ffff2b05617 in g_main_dispatch (context=0x7fffe470a690) at gmain.c:3154
>         dispatch = 0x7ffff54e7cd0 <gdk_event_source_dispatch>
>         prev_source = 0x0
>         was_in_call = 0
>         user_data = 0x0
>         callback = 0x0
>         cb_funcs = <optimized out>
>         cb_data = <optimized out>
>         need_destroy = <optimized out>
>         source = 0x7fffe4726880
>         current = 0x7ffff6bc0b70
>         i = 0
> #35 g_main_context_dispatch (context=context@entry=0x7fffe470a690) at gmain.c:3769
> No locals.
> #36 0x00007ffff2b058a0 in g_main_context_iterate (context=context@entry=0x7fffe470a690, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3840
>         max_priority = 0
>         timeout = 0
>         some_ready = 1
>         nfds = <optimized out>
>         allocated_nfds = 6
>         fds = 0x7fffc5dbb2e0
> #37 0x00007ffff2b0594c in g_main_context_iteration (context=0x7fffe470a690, may_block=1) at gmain.c:3901
>         retval = <optimized out>
> #38 0x00007fffe8c7e32f in nsAppShell::ProcessNextNativeEvent(bool) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #39 0x00007fffe8c7b026 in nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, bool) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #40 0x00007fffe89ea87c in nsThread::ProcessNextEvent(bool, bool*) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #41 0x00007fffe8a00928 in NS_ProcessNextEvent(nsIThread*, bool) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #42 0x00007fffe8a5351f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #43 0x00007fffe8a498e0 in MessageLoop::Run() () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #44 0x00007fffe93d6175 in nsBaseAppShell::Run() () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #45 0x00007fffe949267e in nsAppStartup::Run() () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #46 0x00007fffe94a7cca in XREMain::XRE_mainRun() () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #47 0x00007fffe94a52cb in XREMain::XRE_main(int, char**, nsXREAppData const*) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #48 0x00007fffe94a5081 in XRE_main () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #49 0x0000555555566c73 in do_main(int, char**, char**, nsIFile*) ()
> No symbol table info available.
> #50 0x0000555555561a5a in main ()
> No symbol table info available.

This one (above) crashes in GTK_IS_WIDGET(widget) in gtk_drag_set_icon_widget.


> #0  g_type_check_instance_cast (type_instance=0x7fffb75b4e40, iface_type=140737333101056) at gtype.c:4065
>         is_instantiatable = <optimized out>
> #1  0x00007fffe93da8fa in nsWindow::NativeShow(bool) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #2  0x00007fffe93da7e3 in nsWindow::Show(bool) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #3  0x00007fffe7d65bca in nsView::DoResetWidgetBounds(bool, bool) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #4  0x00007fffe8c75ba8 in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #5  0x00007fffe8d5bf26 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #6  0x00007fffe8d5f00a in PresShell::FlushPendingNotifications(mozFlushType) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #7  0x00007fffe8bb5a5f in nsDocument::FlushPendingNotifications(mozFlushType) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #8  0x00007fffe8bc0b41 in nsFocusManager::CheckIfFocusable(nsIContent*, unsigned int) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #9  0x00007fffe72f962d in nsFocusManager::Focus(nsPIDOMWindowOuter*, nsIContent*, unsigned int, bool, bool, bool, bool) [clone .cold.799] () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #10 0x00007fffe92ea945 in nsFocusManager::WindowRaised(mozIDOMWindowProxy*) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #11 0x00007fffe945fa0e in nsWebShellWindow::WindowActivated() () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #12 0x00007fffe93daefb in nsWindow::OnContainerFocusInEvent(_GdkEventFocus*) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #13 0x00007fffe93dae77 in focus_in_event_cb(_GtkWidget*, _GdkEventFocus*) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #14 0x00007ffff59d345c in _gtk_marshal_BOOLEAN__BOXED (closure=0x7fffd49ac0d0, return_value=0x7fffffffb930, n_param_values=<optimized out>, param_values=0x7fffffffb9a0, invocation_hint=<optimized out>, marshal_data=<optimized out>) at gtkmarshalers.c:86
>         callback = 0x7fffe93dae50 <focus_in_event_cb(_GtkWidget*, _GdkEventFocus*)>
>         cc = 0x7fffd49ac0d0
>         data1 = 0x7fffd5030d50
>         data2 = <optimized out>
>         v_return = <optimized out>
>         __func__ = "_gtk_marshal_BOOLEAN__BOXED"
> #15 0x00007ffff2de8ea5 in g_closure_invoke (closure=0x7fffd49ac0d0, return_value=return_value@entry=0x7fffffffb930, n_param_values=2, param_values=param_values@entry=0x7fffffffb9a0, invocation_hint=invocation_hint@entry=0x7fffffffb910) at gclosure.c:804
>         marshal = <optimized out>
>         marshal_data = <optimized out>
>         in_marshal = 0
>         real_closure = 0x7fffd49ac0b0
>         __func__ = "g_closure_invoke"
> #16 0x00007ffff2dfb0e6 in signal_emit_unlocked_R (node=node@entry=0x7fffe47314a0, detail=detail@entry=0, instance=instance@entry=0x7fffd5030d50, emission_return=emission_return@entry=0x7fffffffbab0, instance_and_params=instance_and_params@entry=0x7fffffffb9a0) at gsignal.c:3629
>         tmp = <optimized out>
>         handler = 0x7fffd4978a80
>         accumulator = 0x7fffe4729620
>         emission = {next = 0x7fffffffbec0, instance = 0x7fffd5030d50, ihint = {signal_id = 66, detail = 0, run_type = G_SIGNAL_RUN_FIRST}, state = EMISSION_RUN, chain_type = 4}
>         handler_list = 0x7fffd4978a80
>         return_accu = 0x7fffffffb930
>         accu = {g_type = 20, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
>         signal_id = 66
>         max_sequential_handler_number = 1126
>         return_value_altered = 0
> #17 0x00007ffff2e04e05 in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fffffffbb60) at gsignal.c:3395
>         return_value = {g_type = 20, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
>         error = 0x0
>         rtype = 20
>         static_scope = 0
>         instance_and_params = 0x7fffffffb9a0
>         signal_return_type = <optimized out>
>         param_values = 0x7fffffffb9b8
>         i = <optimized out>
>         n_params = <optimized out>
>         __func__ = "g_signal_emit_valist"
> #18 0x00007ffff2e05737 in g_signal_emit (instance=instance@entry=0x7fffd5030d50, signal_id=<optimized out>, detail=detail@entry=0) at gsignal.c:3441
>         var_args = <error reading variable var_args (Attempt to dereference a generic pointer.)>
> #19 0x00007ffff5b54c14 in gtk_widget_event_internal (widget=widget@entry=0x7fffd5030d50, event=event@entry=0x7fffb6ea1e00) at gtkwidget.c:7704
>         signal_num = <optimized out>
>         return_val = 0
>         handled = 0
> #20 0x00007ffff5b570ab in gtk_widget_event_internal (event=<optimized out>, widget=<optimized out>) at gtkwidget.c:7265
>         return_val = <optimized out>
> #21 gtk_widget_event (widget=widget@entry=0x7fffb6ea1e00, event=event@entry=0x7fffd4fcef20) at gtkwidget.c:7264
>         __func__ = "gtk_widget_event"
> #22 0x00007ffff5b67b41 in gtk_widget_send_focus_change (widget=0x7fffb6ea1e00, widget@entry=0x7fffd5030d50, event=0x7fffd4fcef20, event@entry=0x7fffb6ea1e00) at gtkwidget.c:16135
>         res = <optimized out>
>         __func__ = "gtk_widget_send_focus_change"
> #23 0x00007ffff5b6bba0 in do_focus_change (widget=0x7fffd5030d50, in=1) at gtkwindow.c:8152
>         dev = 0x7ffff6b5a700
>         fevent = 0x7fffb6ea1e00
>         device_manager = <optimized out>
>         devices = 0x7fffb6ea7560
>         d = 0x7fffb6ea7560
> #24 0x00007ffff5b7ceb9 in window_update_has_focus (window=0x7fffd495d640) at gtkwindow.c:11816
>         priv = 0x7fffd495d400
>         widget = 0x7fffd495d640
>         has_focus = <optimized out>
> #25 _gtk_window_set_is_active (window=0x7fffd495d640, is_active=1) at gtkwindow.c:11852
>         priv = 0x7fffd495d400
> #26 0x00007ffff5b7d1ea in gtk_window_focus_in_event (widget=widget@entry=0x7fffd495d640, event=<optimized out>) at gtkwindow.c:8205
>         event = <optimized out>
>         widget = 0x7fffd495d640
>         window = 0x7fffd495d640
> #27 0x00007ffff59d345c in _gtk_marshal_BOOLEAN__BOXED (closure=0x7fffe4736660, return_value=0x7fffffffbef0, n_param_values=<optimized out>, param_values=0x7fffffffbf60, invocation_hint=<optimized out>, marshal_data=<optimized out>) at gtkmarshalers.c:86
>         callback = 0x7ffff5b7d180 <gtk_window_focus_in_event>
>         cc = 0x7fffe4736660
>         data1 = 0x7fffd495d640
>         data2 = <optimized out>
>         v_return = <optimized out>
>         __func__ = "_gtk_marshal_BOOLEAN__BOXED"
> #28 0x00007ffff2de8ea5 in g_closure_invoke (closure=closure@entry=0x7fffe4736660, return_value=return_value@entry=0x7fffffffbef0, n_param_values=2, param_values=param_values@entry=0x7fffffffbf60, invocation_hint=invocation_hint@entry=0x7fffffffbed0) at gclosure.c:804
>         marshal = <optimized out>
>         marshal_data = <optimized out>
>         in_marshal = 0
>         real_closure = 0x7fffe4736640
>         __func__ = "g_closure_invoke"
> #29 0x00007ffff2dfb6a3 in signal_emit_unlocked_R (node=node@entry=0x7fffe47314a0, detail=detail@entry=0, instance=instance@entry=0x7fffd495d640, emission_return=emission_return@entry=0x7fffffffc070, instance_and_params=instance_and_params@entry=0x7fffffffbf60) at gsignal.c:3667
>         accumulator = 0x7fffe4729620
>         emission = {next = 0x0, instance = 0x7fffd495d640, ihint = {signal_id = 66, detail = 0, run_type = G_SIGNAL_RUN_LAST}, state = EMISSION_RUN, chain_type = 140737026184576}
>         handler_list = <optimized out>
>         return_accu = 0x7fffffffbef0
>         accu = {g_type = 20, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
>         signal_id = 66
>         max_sequential_handler_number = 1125
>         return_value_altered = 1
> #30 0x00007ffff2e04e05 in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fffffffc120) at gsignal.c:3395
>         return_value = {g_type = 20, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
>         error = 0x0
>         rtype = 20
>         static_scope = 0
>         instance_and_params = 0x7fffffffbf60
>         signal_return_type = <optimized out>
>         param_values = 0x7fffffffbf78
>         i = <optimized out>
>         n_params = <optimized out>
>         __func__ = "g_signal_emit_valist"
> #31 0x00007ffff2e05737 in g_signal_emit (instance=instance@entry=0x7fffd495d640, signal_id=<optimized out>, detail=detail@entry=0) at gsignal.c:3441
>         var_args = <error reading variable var_args (Attempt to dereference a generic pointer.)>
> #32 0x00007ffff5b54c14 in gtk_widget_event_internal (widget=widget@entry=0x7fffd495d640, event=event@entry=0x7fffb9cb30d0) at gtkwidget.c:7704
>         signal_num = <optimized out>
>         return_val = 0
>         handled = 0
> #33 0x00007ffff5b570ab in gtk_widget_event_internal (event=<optimized out>, widget=<optimized out>) at gtkwidget.c:7265
>         return_val = <optimized out>
> #34 gtk_widget_event (widget=widget@entry=0x7fffd495d640, event=event@entry=0x7fffe4726880) at gtkwidget.c:7264
>         __func__ = "gtk_widget_event"
> #35 0x00007ffff59d1cde in gtk_main_do_event (event=0x7fffe4726880) at gtkmain.c:1820
>         event_widget = 0x7fffd495d640
>         grab_widget = 0x7fffd495d640
>         topmost_widget = <optimized out>
>         rewritten_event = <optimized out>
>         device = 0x7ffff6b5a700
>         tmp_list = <optimized out>
>         __func__ = "gtk_main_do_event"
> #36 0x00007ffff54b4145 in _gdk_event_emit (event=event@entry=0x7fffb9cb30d0) at gdkevents.c:73
> No locals.
> #37 0x00007ffff54e7cf2 in gdk_event_source_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at gdkeventsource.c:369
>         display = <optimized out>
>         event = <optimized out>
> #38 0x00007ffff2b05617 in g_main_dispatch (context=0x7fffe470a690) at gmain.c:3154
>         dispatch = 0x7ffff54e7cd0 <gdk_event_source_dispatch>
>         prev_source = 0x0
>         was_in_call = 0
>         user_data = 0x0
>         callback = 0x0
>         cb_funcs = <optimized out>
>         cb_data = <optimized out>
>         need_destroy = <optimized out>
>         source = 0x7fffe4726880
>         current = 0x7ffff6bc0b70
>         i = 0
> #39 g_main_context_dispatch (context=context@entry=0x7fffe470a690) at gmain.c:3769
> No locals.
> #40 0x00007ffff2b058a0 in g_main_context_iterate (context=context@entry=0x7fffe470a690, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3840
>         max_priority = 0
>         timeout = 0
>         some_ready = 1
>         nfds = <optimized out>
>         allocated_nfds = 6
>         fds = 0x7fffc67f19d0
> #41 0x00007ffff2b0594c in g_main_context_iteration (context=0x7fffe470a690, may_block=1) at gmain.c:3901
>         retval = <optimized out>
> #42 0x00007fffe8c7e32f in nsAppShell::ProcessNextNativeEvent(bool) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #43 0x00007fffe8c7b026 in nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, bool) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #44 0x00007fffe89ea87c in nsThread::ProcessNextEvent(bool, bool*) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #45 0x00007fffe8a00928 in NS_ProcessNextEvent(nsIThread*, bool) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #46 0x00007fffe8a5351f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #47 0x00007fffe8a498e0 in MessageLoop::Run() () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #48 0x00007fffe93d6175 in nsBaseAppShell::Run() () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #49 0x00007fffe949267e in nsAppStartup::Run() () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #50 0x00007fffe94a7cca in XREMain::XRE_mainRun() () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #51 0x00007fffe94a52cb in XREMain::XRE_main(int, char**, nsXREAppData const*) () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #52 0x00007fffe94a5081 in XRE_main () from /usr/lib/firefox-developer-edition/libxul.so
> No symbol table info available.
> #53 0x0000555555566c73 in do_main(int, char**, char**, nsIFile*) ()
> No symbol table info available.
> #54 0x0000555555561a5a in main ()
> No symbol table info available.

This one probably crashes in one of the GTK_WIDGET() type-checked casts in nsWindow::NativeShow. This time, I took a look at the instance value, and the class pointer had a repeating "e5" pattern:

> (gdb) print *(GTypeInstance*)(0x7fffb75b4e40)
> $1 = {g_class = 0xe5e5e5e5e5e5e5e5}

Is this a marker for freed memory?
(Reporter)

Comment 14

2 years ago
Setting `nglayout.enable_drag_images` to false with multi-process enabled prevents the crash from happening in Firefox Developer Edition and Nightly.
Yes, same here.

So it seems the widget for the drag image gets destroyed too soon, and this blows up in FDE because it poisons memory on free (with 0xE5), unlike release.

I suspect that bug 1265254 is a duplicate of this one, and on release it shows corruption instead of crashing.

Updated

2 years ago
Duplicate of this bug: 1265469
(In reply to Jan Steffens from comment #13)
> > (gdb) print *(GTypeInstance*)(0x7fffb75b4e40)
> > $1 = {g_class = 0xe5e5e5e5e5e5e5e5}
> 
> Is this a marker for freed memory?

Yes.

https://dxr.mozilla.org/mozilla-central/rev/fc15477ce628599519cb0055f52cc195d640dc94/memory/mozjemalloc/jemalloc.c#4607

A workaround was applied in bug 1264454.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
See Also: bug 1264454
Duplicate of bug: 1264454
You need to log in before you can comment on or make changes to this bug.