Closed Bug 293460 Opened 19 years ago Closed 19 years ago

Crash when navigating preferences with arrow keys [@ nsXULDocument::ResumeWalk]


(Core :: XUL, defect)

Not set





(Reporter: jim_nance, Assigned: bugs)



(Keywords: crash, regression, verified1.8, Whiteboard: [ETA 8/19])

Crash Data


(1 file)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b2) Gecko/20050508 Firefox/1.0+
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b2) Gecko/20050508 Firefox/1.0+

I have a reproducable crash in nsXULDocument::ResumeWalk() which I can trigger
by using the down arrow key to navigate the preferences window.

Reproducible: Sometimes

Steps to Reproduce:
1. enable the fast front/back preference.  Dont know if this is required but I
have it turned on.
2. firefox -url about:blank
3. open Edit->Preferences
4. In the preferences window, select Privacy
5. Click in center of the window
6. Hold down the down array key.  This will start scrolling through the
preferences.  It will crash at some point.

This may be a duplicate of 283949, but it's hard for me to tell.

###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().:
'mRawPtr != 0', file ../../../../dist/include/xpcom/nsCOMPtr.h, line 849
Break: at file ../../../../dist/include/xpcom/nsCOMPtr.h, line 849

Program received signal SIGSEGV, Segmentation fault.
0x40f90956 in nsXULDocument::ResumeWalk (this=0x8372070)
    at ../../../../../content/xul/document/src/nsXULDocument.cpp:3204
3204                    obs->Observe(overlayURI, "xul-overlay-merged",
(gdb) p obs
$2 = {mRawPtr = 0x0}
(gdb) bt 
#0  0x40f90956 in nsXULDocument::ResumeWalk (this=0x8372070)
    at ../../../../../content/xul/document/src/nsXULDocument.cpp:3204
#1  0x40f87f73 in nsXULDocument::EndLoad (this=0x8372070)
    at ../../../../../content/xul/document/src/nsXULDocument.cpp:741
#2  0x40f815ad in XULContentSinkImpl::DidBuildModel (this=0x8b2f420)
    at ../../../../../content/xul/document/src/nsXULContentSink.cpp:406
#3  0x4084d4bb in nsExpatDriver::DidBuildModel (this=0x8b5e8a0, anErrorCode=0, 
    aNotifySink=1, aParser=0x8b2f480, aSink=0x8b2f420)
    at ../../../../parser/htmlparser/src/nsExpatDriver.cpp:1105
#4  0x40868db5 in nsParser::DidBuildModel (this=0x8b2f480, anErrorCode=0)
    at ../../../../parser/htmlparser/src/nsParser.cpp:1319
#5  0x4086a2c1 in nsParser::ResumeParse (this=0x8b2f480, allowIteration=1, 
    aIsFinalChunk=1, aCanInterrupt=1)
    at ../../../../parser/htmlparser/src/nsParser.cpp:1987
#6  0x4086bbda in nsParser::OnStopRequest (this=0x8b2f480, request=0x8b2f948, 
    aContext=0x0, status=0)
    at ../../../../parser/htmlparser/src/nsParser.cpp:2670
#7  0x407aa6fb in nsJARChannel::OnStopRequest (this=0x8b2f948, req=0x8b2fbb0, 
    ctx=0x0, status=0) at ../../../modules/libjar/nsJARChannel.cpp:688
#8  0x406777f0 in nsInputStreamPump::OnStateStop (this=0x8b2fbb0)
    at ../../../../netwerk/base/src/nsInputStreamPump.cpp:506
#9  0x40677107 in nsInputStreamPump::OnInputStreamReady (this=0x8b2fbb0, 
    stream=0x8b3104c) at ../../../../netwerk/base/src/nsInputStreamPump.cpp:343
#10 0x4014f318 in nsInputStreamReadyEvent::EventHandler (plevent=0x8b3120c)
    at ../../../xpcom/io/nsStreamUtils.cpp:119
#11 0x40172446 in PL_HandleEvent (self=0x8b3120c)
    at ../../../xpcom/threads/plevent.c:698
#12 0x401722e7 in PL_ProcessPendingEvents (self=0x812d1b0)
    at ../../../xpcom/threads/plevent.c:633
#13 0x4017577a in nsEventQueueImpl::ProcessPendingEvents (this=0x812d168)
    at ../../../xpcom/threads/nsEventQueue.cpp:417
#14 0x40a9fcb4 in event_processor_callback (source=0x8306968, 
    condition=G_IO_IN, data=0x812d168)
    at ../../../../widget/src/gtk2/nsAppShell.cpp:67
#15 0x47b889c7 in g_vasprintf () from /usr/lib/
#16 0x47b647bb in g_main_context_dispatch () from /usr/lib/
#17 0x47b66242 in g_main_context_acquire () from /usr/lib/
#18 0x47b664ef in g_main_loop_run () from /usr/lib/
#19 0x47f2df97 in gtk_main () from /usr/lib/
#20 0x40aa0366 in nsAppShell::Run (this=0x81bcb28)
    at ../../../../widget/src/gtk2/nsAppShell.cpp:139
#21 0x415c3464 in nsAppStartup::Run (this=0x81bcae0)
    at ../../../../../toolkit/components/startup/src/nsAppStartup.cpp:144
#22 0x080529b5 in XRE_main (argc=1, argv=0xbffff5d4, aAppData=0x8069020)
    at ../../../toolkit/xre/nsAppRunner.cpp:2012
#23 0x0804adbe in main (argc=1, argv=0xbffff5d4)
Component: Preferences → XP Toolkit/Widgets: XUL
Keywords: crash
Product: Firefox → Core
QA Contact: preferences
Summary: Crash when navigating preferences with arrow keys → Crash when navigating preferences with arrow keys [@ nsXULDocument::ResumeWalk]
Version: unspecified → Trunk
Looks like more dynamic overlay observer stuff...
Flags: blocking1.8b3?
Flags: blocking-aviary1.1?
Keywords: regression
Blocks: 282103
BTW: Another possibility to trigger a similar/same crash is a missing entity in
a DTD; to test this either download
(this build references some new entities which weren't in the dtd at that time)
or open en-US.jar and remove the showUpdates.* lines from
advanced.dtd&repackage. Then open Firefox with a new profile, open preferences
and click on Advanced ==> crash, Stacktrace:
nsXULDocument::ResumeWalk(nsXULDocument * const 0x00000000) line 3206 + 12 bytes
nsXULDocument::ParserObserver::OnStopRequest(nsXULDocument::ParserObserver *
const 0x02938eb0, nsIRequest * 0x02938eb0, nsISupports * 0x00000000, unsigned
int 43161480) line 4431
nsParser::OnStopRequest(nsParser * const 0x00000000, nsIRequest * 0x02938eb0,
nsISupports * 0x00000000, unsigned int 2147549183) line 2704
nsJARChannel::OnStopRequest(nsJARChannel * const 0x0295b9a0, nsIRequest *
0x0295b9b8, nsISupports * 0x0045a0c7, unsigned int 43224760) line 705
XPCOM_CORE! @ILT+590(?QueryInterface@nsJARChannel@@W3AGIABUnsID@@PAPAX@Z)
address 0x0017187f
This is very important for certain kinds of extensions which need to overlay the
preferences window (think CCK).
Flags: blocking1.8b4+
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.1+
Flags: blocking1.8b3? → blocking1.8b3-
Assignee: nobody → bugs
Whiteboard: [no l10n impact]
Whiteboard: [no l10n impact] → [no l10n impact] SWAG: 7d
Whiteboard: [no l10n impact] SWAG: 7d → [no l10n impact] ETA: 8/10
Whiteboard: [no l10n impact] ETA: 8/10 → [no l10n impact][1.8 Branch ETA 8/10]
I was able to trigger this on windows too, although its sort of hard to
reproduce. I think moving to a XULOverlayMerged event where an observer is not
assumed will fix the bug. 
Blocks: branching1.8
Whiteboard: [no l10n impact][1.8 Branch ETA 8/10] → [ETA 8/19]
I'm holding off on my more elaborate dynamic overlay patch for now, and
sprinkling in a null check instead.
Attachment #193200 - Flags: superreview?(bryner)
Attachment #193200 - Flags: review?(jst)
Attachment #193200 - Flags: superreview?(bryner) → superreview+
Comment on attachment 193200 [details] [diff] [review]
null check to avoid crash

Attachment #193200 - Flags: review?(jst) → review+
Attachment #193200 - Flags: approval1.8b4?
Attachment #193200 - Flags: approval1.8b4? → approval1.8b4+
Landed the fix. branch and trunk. 
Closed: 19 years ago
Resolution: --- → FIXED
Keywords: fixed1.8
verified with Linux Deer PArk Branch build 2005-09-01-06-mozilla1.8
Keywords: fixed1.8verified1.8
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.widgets
Crash Signature: [@ nsXULDocument::ResumeWalk]
You need to log in before you can comment on or make changes to this bug.