Closed Bug 306056 Opened 19 years ago Closed 19 years ago

window.stop() crashes Firefox [@ nsGlobalWindow::ScrollByLines]

Categories

(Firefox :: General, defect)

1.5.0.x Branch
defect
Not set
critical

VERIFIED FIXED

People

(Reporter: mozilla2005, Assigned: dveditz)

Details

(4 keywords)

Attachments

(3 files, 2 obsolete files)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050813 Firefox/1.0.4 (Debian package 1.0.4-2sarge2)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050813 Firefox/1.0.4 (Debian package 1.0.4-2sarge2)

The following JavaScript code, run on a window opened by script, crashes Firefox
(tested on Linux and Windows with several releases, including the latest nightly
build):

window.setTimeout("window.close()", 100);
alert('Testcase Message');
window.stop();

Testcase attached.

Marked security to reduce short-term annoyance (it is easy to use script
injection techniques to trigger the bug).


Reproducible: Always

Steps to Reproduce:
1. open http://julien.plissonneau.duquene.net/mozilla_crash_testcase_20050826.html
2. click [crash]

Actual Results:  
The alert dialog is shown, disappears almost immediately, and Firefox crashes.

Does not crash when any of the three lines is commented out.
When removing window.stop(), the window closes, but also removes the alert box
before the user clicks on OK.

Expected Results:  
Keep running.

Wait until the user clicks "OK" on the alert box (MSIE does this with similar
code) to close the child window.


according to Windows, modName: firefox.exe

Keywords: crash, testcase

> Marked security to reduce short-term annoyance (it is easy to use script
> injection techniques to trigger the bug).

I don't understand why this is worse than any other DoS that requires
JavaScript. Can you elaborate?

First attachment, edited so the URL it opens is the URL of the second
attachment.

Attachment #193919 - Attachment is obsolete: true

Crash confirmed: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US;
rv:1.8b4) Gecko/20050825 Firefox/1.0+
TB8751639Z (bad stack trace due to bug 304842).

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20050826 Firefox/1.6a1
ID:2005082619

Incident ID: 8759007
Stack Signature	nsGlobalWindow::ScrollByLines() 65b4abda
Product ID	FirefoxTrunk
Build ID	2005082205
Trigger Time	2005-08-26 20:55:52.0
Platform	LinuxIntel
Operating System	Linux 2.6.12-1.1398_FC4
Module	firefox-bin + (00387675)
URL visited
User Comments	
Since Last Crash	0 sec
Total Uptime	18 sec
Trigger Reason	SIGSEGV: Segmentation Fault: (signal 11)
Source File, Line No.
/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp,
line 3674
Stack Trace 	
nsGlobalWindow::ScrollByLines() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp,
line 3674]
invoke_copy_to_stack() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_gcc_x86_unix.cpp,
line 64]
XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode)() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp,
line 872]
XPCWrappedNativeProto::~XPCWrappedNativeProto() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativeproto.cpp,
line 842]
js_Invoke() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/jsinterp.c,
line 1209]
js_Interpret() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/jsinterp.c,
line 3488]
js_Execute() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/jsinterp.c,
line 1412]
JS_EvaluateUCScriptForPrincipals() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/jsapi.c,
line 3864]
nsJSContext::CallEventHandler() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp,
line 1416]
nsScriptLoader::OnStreamComplete() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/content/base/src/nsScriptLoader.cpp,
line 496]
nsScriptLoader::ConvertToUTF16() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/content/base/src/nsScriptLoader.cpp,
line 496]
nsScriptLoader::FireScriptEvaluated() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/content/base/src/nsScriptLoader.cpp,
line 688]
non-virtual thunk to nsHTMLSharedElement::GetName()
SpacerMapAttributesIntoRule() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/content/html/content/src/nsHTMLSharedElement.cpp,
line 348]
nsGenericElement::InsertBefore() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/content/base/src/nsGenericElement.cpp,
line 3050]
non-virtual thunk to HTMLContentSink::FlushContent()
HTMLContentSink::AddDocTypeDecl() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/content/html/document/src/nsHTMLContentSink.cpp,
line 323]
HTMLContentSink::AddDocTypeDecl() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/content/html/document/src/nsHTMLContentSink.cpp,
line 174]
CElementTable::InitializeElements() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/parser/htmlparser/src/COtherDTD.cpp,
line 437]
CNavDTD::HandleSavedTokens() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp,
line 2021]
CNavDTD::HandleDefaultStartToken() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp,
line 1198]
CNavDTD::HandleToken() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp,
line 810]
ParserWriteFunc() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/parser/htmlparser/src/nsParser.cpp,
line 2594]
nsParser::DetectMetaTag() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/parser/htmlparser/src/nsParser.cpp,
line 352]
CParserContext::~CParserContext() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/parser/htmlparser/src/CParserContext.cpp,
line 137]
nsExternalHelperAppService::DoContent() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/uriloader/exthandler/nsExternalHelperAppService.cpp,
line 62]
nsSyncStreamListener::OnDataAvailable() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/netwerk/base/src/nsSyncStreamListener.cpp,
line 131]
nsHttpChannel::ClearPasswordManagerEntry() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp,
line 681]
nsOutputStreamTransport::SetEventSink() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/netwerk/base/src/nsStreamTransportService.cpp,
line 378]
nsOutputStreamTransport::QueryInterface() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/netwerk/base/src/nsStreamTransportService.cpp,
line 309]
nsStreamCopierOB::DoCopy()
PL_InitEvent() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/xpcom/threads/plevent.c,
line 666]
PL_ProcessPendingEvents() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/xpcom/threads/plevent.c,
line 644]
nsEventQueueImpl::PendingEvents() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/xpcom/threads/nsEventQueue.cpp,
line 242]
nsCommonWidget::Resize() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/widget/src/gtk2/nsCommonWidget.cpp,
line 321]
libglib-2.0.so.0 + 0x4c11c (0x009c311c)
libglib-2.0.so.0 + 0x2507e (0x0099c07e)
libglib-2.0.so.0 + 0x28096 (0x0099f096)
libglib-2.0.so.0 + 0x28383 (0x0099f383)
libgtk-x11-2.0.so.0 + 0x1091b5 (0x0021d1b5)
GdkKeyCodeToDOMKeyCode() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/widget/src/gtk2/nsGtkKeyUtils.cpp,
line 197]
nsDownloadManager::Observe() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/toolkit/components/downloads/src/nsDownloadManager.cpp,
line 262]
XRE_main() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/toolkit/xre/nsAppRunner.cpp,
line 850]
RemoveArg() 
[/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/toolkit/xre/nsAppRunner.cpp,
line 302]
libc.so.6 + 0x1549f (0x00e0249f)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: window.stop() crashes Firefox → window.stop() crashes Firefox [@ nsGlobalWindow::ScrollByLines]

(In reply to comment #3)
> > Marked security to reduce short-term annoyance (it is easy to use script
> > injection techniques to trigger the bug).
> 
> I don't understand why this is worse than any other DoS that requires
> JavaScript. Can you elaborate?

It is actually no worse, just easy to implement in a user-written comment with a
DOM event listener for example. "Security" may be inappropriate, I just wanted
to give the team a chance to fix it before it is noticed by the wrong people.

Not a security hole.  If a site allows comments containing JavaScript, it has
bigger problems than a comment being able to crash Firefox directly.

Group: security

Below is an Apple Crash Report for Firefox 1.0.6. I also tested Camino, it did
not crash. Apparently the crash occurs in GlobalWindowImpl::Stop().

Date/Time:      2005-08-28 11:31:53.171 +0200
OS Version:     10.4.2 (Build 8C46)
Report Version: 3

Command: firefox-bin
Path:    /Applications/Firefox.app/Contents/MacOS/firefox-bin
Parent:  WindowServer [67]

Version: 1.0.6 (1.0.6)

PID:    206
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0   org.mozilla.firefox 	0x002f5d64 GlobalWindowImpl::Stop() + 56
1   libxpcom.dylib      	0x0705997c _XPTC_InvokeByIndex + 216
2   org.mozilla.firefox 	0x000330a0
XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) + 2508
3   org.mozilla.firefox 	0x00028f34 XPC_WN_CallMethod(JSContext*, JSObject*,
unsigned, long*, long*) + 220
4   libmozjs.dylib      	0x060291a8 js_Invoke + 1716
5   libmozjs.dylib      	0x060305c4 js_Interpret + 26324
6   libmozjs.dylib      	0x06029784 js_Execute + 496
7   libmozjs.dylib      	0x06007228 JS_EvaluateUCScriptForPrincipals + 88
8   org.mozilla.firefox 	0x00416414 nsJSContext::EvaluateString(nsAString
const&, void*, nsIPrincipal*, char const*, unsigned, char const*, nsAString&,
int*) + 860
9   org.mozilla.firefox 	0x003d32f0
nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, nsString const&) + 420
10  org.mozilla.firefox 	0x003d2f24
nsScriptLoader::ProcessRequest(nsScriptLoadRequest*) + 180
11  org.mozilla.firefox 	0x003d2cd0
nsScriptLoader::ProcessScriptElement(nsIDOMHTMLScriptElement*,
nsIScriptLoaderObserver*) + 2948
12  org.mozilla.firefox 	0x003fc4b0 nsHTMLScriptElement::MaybeProcessScript() + 152
13  org.mozilla.firefox 	0x0030556c nsGenericElement::AppendChildTo(nsIContent*,
int, int) + 284
14  org.mozilla.firefox 	0x00293670
HTMLContentSink::ProcessSCRIPTTag(nsIParserNode const&) + 1068
15  org.mozilla.firefox 	0x002911e4 HTMLContentSink::AddLeaf(nsIParserNode
const&) + 284
16  org.mozilla.firefox 	0x0029109c
HTMLContentSink::AddHeadContent(nsIParserNode const&) + 276
17  org.mozilla.firefox 	0x0014e594 CNavDTD::AddHeadLeaf(nsIParserNode*) + 300
18  org.mozilla.firefox 	0x0014b25c CNavDTD::HandleStartToken(CToken*) + 592
19  org.mozilla.firefox 	0x00149c38 CNavDTD::HandleToken(CToken*, nsIParser*) + 1724
20  org.mozilla.firefox 	0x00148db8 CNavDTD::BuildModel(nsIParser*,
nsITokenizer*, nsITokenObserver*, nsIContentSink*) + 648
21  org.mozilla.firefox 	0x00151314 nsParser::BuildModel() + 180
22  org.mozilla.firefox 	0x0015101c nsParser::ResumeParse(int, int, int) + 292
23  org.mozilla.firefox 	0x001523e0 nsParser::OnDataAvailable(nsIRequest*,
nsISupports*, nsIInputStream*, unsigned, unsigned) + 316
24  org.mozilla.firefox 	0x0053d384
nsDocumentOpenInfo::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*,
unsigned, unsigned) + 44
25  org.mozilla.firefox 	0x000bdfd8
nsStreamListenerTee::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*,
unsigned, unsigned) + 304
26  org.mozilla.firefox 	0x000d0a78 nsHttpChannel::OnDataAvailable(nsIRequest*,
nsISupports*, nsIInputStream*, unsigned, unsigned) + 308
27  org.mozilla.firefox 	0x000ad1b4 nsInputStreamPump::OnStateTransfer() + 248
28  org.mozilla.firefox 	0x000acf9c
nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) + 116
29  libxpcom.dylib      	0x0708010c
nsAStreamCopier::PostContinuationEvent_Locked() + 1240
30  libxpcom.dylib      	0x07041cf8 PL_HandleEvent + 36
31  libxpcom.dylib      	0x07041c1c PL_ProcessPendingEvents + 128
32  libxpcom.dylib      	0x07042100 PL_IsQueueNative + 136
33  com.apple.HIToolbox 	0x931288d4 DispatchEventToHandlers(EventTargetRec*,
OpaqueEventRef*, HandlerCallRec*) + 692
34  com.apple.HIToolbox 	0x9312802c
SendEventToEventTargetInternal(OpaqueEventRef*, OpaqueEventTargetRef*,
HandlerCallRec*) + 372
35  com.apple.HIToolbox 	0x93127ea8 SendEventToEventTargetWithOptions + 40
36  com.apple.HIToolbox 	0x9312f1ec
ToolboxEventDispatcherHandler(OpaqueEventHandlerCallRef*, OpaqueEventRef*,
void*) + 704
37  com.apple.HIToolbox 	0x93128b24 DispatchEventToHandlers(EventTargetRec*,
OpaqueEventRef*, HandlerCallRec*) + 1284
38  com.apple.HIToolbox 	0x9312802c
SendEventToEventTargetInternal(OpaqueEventRef*, OpaqueEventTargetRef*,
HandlerCallRec*) + 372
39  com.apple.HIToolbox 	0x9312edb0 SendEventToEventTarget + 40
40  com.apple.HIToolbox 	0x9316fce0 ToolboxEventDispatcher + 92
41  com.apple.HIToolbox 	0x9320ece4 TryEventDispatcher + 112
42  com.apple.HIToolbox 	0x9320e938 GetOrPeekEvent + 304
43  com.apple.HIToolbox 	0x9320e674 GetNextEventMatchingMask + 156
44  com.apple.HIToolbox 	0x9320e51c WNEInternal + 140
45  com.apple.HIToolbox 	0x9320e47c WaitNextEvent + 76
46  org.mozilla.firefox 	0x001d5934 nsMacMessagePump::GetEvent(EventRecord&) + 116
47  org.mozilla.firefox 	0x001d5818 nsMacMessagePump::DoMessagePump() + 48
48  org.mozilla.firefox 	0x001bcd0c nsAppShell::Run() + 56
49  org.mozilla.firefox 	0x007f1904 xre_main(int, char**, nsXREAppData const*) +
2752
50  org.mozilla.firefox 	0x0000f54c start + 432
51  org.mozilla.firefox 	0x0000f3cc start + 48

Thread 0 crashed with PPC Thread State 64:
  srr0: 0x00000000002f5d64 srr1: 0x000000000200f930                       
vrsave: 0x0000000000000000
    cr: 0x48044222          xer: 0x0000000020000007   lr: 0x00000000002f5d5c 
ctr: 0x00000000070655c0
    r0: 0x00000000002f5d5c   r1: 0x00000000bfffd3c0   r2: 0x000000000208ab38  
r3: 0x0000000000000000
    r4: 0x0000000000000003   r5: 0x00000000bfffd3a0   r6: 0x0000000000000003  
r7: 0x00000000bfffd5a0
    r8: 0x000000000233d428   r9: 0x0000000000000000  r10: 0x00000000056547e0 
r11: 0x0000000000992bd8
   r12: 0x00000000070655c0  r13: 0x0000000000990000  r14: 0x0000000000000000 
r15: 0x0000000001924c40
   r16: 0x0000000000000000  r17: 0x0000000000000000  r18: 0x00000000bfffd5a0 
r19: 0x000000000233d428
   r20: 0x0000000000000000  r21: 0x00000000056547e0  r22: 0x0000000000000048 
r23: 0x0000000000000000
   r24: 0x000000000194d760  r25: 0x00000000bfffd520  r26: 0x00000000bfffd740 
r27: 0x0000000000000000
   r28: 0x00000000bfffd400  r29: 0x0000000000000000  r30: 0x0000000000000000 
r31: 0x00000000bfffd440
0x92dcb000 - 0x92e25fff libGLU.dylib 
/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLU.dylib
0x92e43000 - 0x92e43fff com.apple.Carbon 10.4 (???)
/System/Library/Frameworks/Carbon.framework/Versions/A/Carbon
0x92e45000 - 0x92e59fff com.apple.ImageCapture 3.0
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/ImageCapture.framework/Versions/A/ImageCapture
0x92e71000 - 0x92e81fff com.apple.speech.recognition.framework 3.4
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/SpeechRecognition.framework/Versions/A/SpeechRecognition
0x92e8d000 - 0x92ea2fff com.apple.securityhi 2.0 (203)
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/SecurityHI.framework/Versions/A/SecurityHI
0x92eb4000 - 0x92f3bfff com.apple.ink.framework 101.2 (69)
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Ink.framework/Versions/A/Ink
0x92f4f000 - 0x92f5afff com.apple.help 1.0.3 (32)
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Help.framework/Versions/A/Help
0x92f64000 - 0x92f91fff com.apple.openscripting 1.2.2 (???)
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/OpenScripting.framework/Versions/A/OpenScripting
0x92fab000 - 0x92fbbfff com.apple.print.framework.Print 4.0 (187)
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Print.framework/Versions/A/Print
0x92fc7000 - 0x9302dfff com.apple.htmlrendering 1.1.2
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HTMLRendering.framework/Versions/A/HTMLRendering
0x9305e000 - 0x930b0fff com.apple.NavigationServices 3.4.1 (3.4)
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/NavigationServices.framework/Versions/A/NavigationServices
0x930dc000 - 0x930f9fff com.apple.audio.SoundManager 3.9
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/CarbonSound.framework/Versions/A/CarbonSound
0x9310b000 - 0x93118fff com.apple.CommonPanels 1.2.2 (73)
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/CommonPanels.framework/Versions/A/CommonPanels
0x93121000 - 0x93431fff com.apple.HIToolbox 1.4.3 (???)
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox
0x9357c000 - 0x93588fff com.apple.opengl 1.4.0
/System/Library/Frameworks/OpenGL.framework/Versions/A/OpenGL
0x935bc000 - 0x935c0fff com.apple.JavaVM 10.0.0
/System/Library/Frameworks/JavaVM.framework/Versions/A/JavaVM
0x93628000 - 0x93628fff com.apple.Cocoa 6.4 (???)
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
0x9362a000 - 0x93c5bfff com.apple.AppKit 6.4.2 (824.11)
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
0x93fe7000 - 0x94051fff com.apple.CoreData 1.0 (46)
/System/Library/Frameworks/CoreData.framework/Versions/A/CoreData
0x94089000 - 0x94153fff com.apple.audio.toolbox.AudioToolbox 1.4.1
/System/Library/Frameworks/AudioToolbox.framework/Versions/A/AudioToolbox
0x941a7000 - 0x941a7fff com.apple.audio.units.AudioUnit 1.4
/System/Library/Frameworks/AudioUnit.framework/Versions/A/AudioUnit
0x941a9000 - 0x94308fff com.apple.QuartzCore 1.4.1
/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore
0x94350000 - 0x9438dfff libsqlite3.0.dylib 	/usr/lib/libsqlite3.0.dylib
0x94395000 - 0x943e0fff libGLImage.dylib 
/System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLImage.dylib
0x94581000 - 0x94590fff libCGATS.A.dylib 
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libCGATS.A.dylib
0x94598000 - 0x945a4fff libCSync.A.dylib 
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libCSync.A.dylib
0x945e9000 - 0x945fdfff libRIP.A.dylib 
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libRIP.A.dylib
0x94603000 - 0x94865fff com.apple.QuickTime 7.0.1
/System/Library/Frameworks/QuickTime.framework/Versions/A/QuickTime
0x94938000 - 0x94957fff com.apple.vecLib 3.1.1 (vecLib 3.1.1)
/System/Library/Frameworks/vecLib.framework/Versions/A/vecLib
0x94d3e000 - 0x94ed4fff libjvm.dylib 
/System/Library/Frameworks/JavaVM.framework/Versions/1.3/Libraries/libjvm.dylib
0x94f15000 - 0x94f16fff com.apple.JavaCarbonSupport 10.0.0
/System/Library/PrivateFrameworks/JavaCarbonSupport.framework/Versions/A/JavaCarbonSupport
0x94f18000 - 0x94f22fff libverify.dylib 
/System/Library/Frameworks/JavaVM.framework/Versions/1.3.1/Libraries/libverify.dylib
0x94f57000 - 0x94f70fff libjava.jnilib 
/System/Library/Frameworks/JavaVM.framework/Versions/1.3.1/Libraries/libjava.jnilib
0x95069000 - 0x95074fff libzip.jnilib 
/System/Library/Frameworks/JavaVM.framework/Versions/1.3.1/Libraries/libzip.jnilib
0x9878d000 - 0x9879bfff com.apple.JavaEmbedding 10.0.0
/System/Library/Frameworks/JavaEmbedding.framework/Versions/A/JavaEmbedding
0x9cbba000 - 0x9cbc8fff libz.1.dylib 	/usr/lib/libz.1.dylib

Model: PowerMac10,1, BootROM 4.8.9f1, 1 processors, PowerPC G4  (1.2), 1.42 GHz,
512 MB
Graphics: ATI Radeon 9200, ATY,RV280, AGP, 32 MB
Memory Module: DIMM0/J11, 512 MB, DDR SDRAM, PC3200U-30330
AirPort: AirPort Extreme, 400.17 (3.90.34.0.p11)
Modem: Jump, , V.92, Version 1.0, 
Bluetooth: Version 1.6.0f2, 2 service, 1 devices, 0 incoming serial ports
Network Service: Ethernet intégré, Ethernet, en0
Parallel ATA Device: ST9808210A, 74.53 GB
Parallel ATA Device: MATSHITACD-RW  CW-8124, 
USB Device: Bluetooth HCI, , Up to 12 Mb/sec, 500 mA
USB Device: Hub, , Up to 12 Mb/sec, 500 mA
USB Device: RadioSHARK, Griffin Technology, Inc., Up to 12 Mb/sec, 500 mA
USB Device: USB Keyboard, HEWLETT PACKARD, Up to 1.5 Mb/sec, 500 mA
USB Device: USB Audio, , Up to 12 Mb/sec, 500 mA
USB Device: USB Device, , Up to 1.5 Mb/sec, 500 mA
I do not have a build tree here, but maybe adding the following check will
prevent the crash.

In /dom/src/base/nsGlobalWindow.cpp, GlobalWindowImpl::Stop() definition:

 NS_IMETHODIMP
 GlobalWindowImpl::Stop()
 {
   nsCOMPtr<nsIWebNavigation> webNav(do_QueryInterface(mDocShell));
+  NS_ENSURE_TRUE(webNav, NS_ERROR_FAILURE);
+
   return webNav->Stop(nsIWebNavigation::STOP_ALL);
 }
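
Review bot: the added NS_ENSURE_TRUE(webNav, NS_ERROR_FAILURE) makes Stop() return a failure to the calling script when the docshell is already gone, although stopping a window that has nothing left to load is harmless. Consider a plain `if (!webNav) return NS_OK;` at that spot instead. The check itself is in the right place: do_QueryInterface(mDocShell) yields null when mDocShell is null, and the unconditional webNav->Stop(nsIWebNavigation::STOP_ALL) on the following line is where the null pointer would be dereferenced.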

But there are other issues:
 - the javascript line following alert() is still executed though the window is
closed
 - IMO more things should be blocked until the alert() is dismissed by the user,
like closing the window, issuing another alert(), loading another URL...
Attached patch: proposed patch (obsolete)
Tested with a fresh CVS build, does not crash anymore.
Comment on attachment 194153
proposed patch

r=dveditz. All other uses of webNavigation in this file correctly check that it
still exists.
Attachment #194153 - Flags: superreview?(jst)
Attachment #194153 - Flags: review+
Status: NEW → ASSIGNED
Hm, "Accepting" a bug changes it to assigned but doesn't reassign to the acceptor.
Assignee: nobody → dveditz
Status: ASSIGNED → NEW
dveditz: right, it lets a manager indicate that you've accepted it in a triage 
meeting.
Comment on attachment 194153
proposed patch

 nsGlobalWindow::Stop()
 {
   FORWARD_TO_OUTER(Stop, (), NS_ERROR_NOT_INITIALIZED);

   nsCOMPtr<nsIWebNavigation> webNav(do_QueryInterface(mDocShell));
+  NS_ENSURE_TRUE(webNav, NS_ERROR_FAILURE);
+
   return webNav->Stop(nsIWebNavigation::STOP_ALL);
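
Review bot: the new check after do_QueryInterface(mDocShell) carries no comment saying when webNav can be null; a one-line comment that the docshell is gone once the window has been closed would keep a later cleanup from removing the check. The function also now has two failure codes for closely related states, NS_ERROR_NOT_INITIALIZED on the FORWARD_TO_OUTER line and NS_ERROR_FAILURE here, so the return value for the closed-window case should be chosen deliberately rather than by default.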

I'd argue that we should simply return NS_OK if stop() is called after the
window is closed. There's nothing wrong with that, pointless, maybe, but
nothing worth throwing an exception at the caller for IMO.

sr=jst with this changed to return NS_OK if !webNav.
Attachment #194153 - Flags: superreview?(jst) → superreview+
Attachment #194153 - Attachment is obsolete: true
Attachment #194515 - Flags: superreview+
Attachment #194515 - Flags: review+
Attachment #194515 - Flags: approval1.8b5?
Attachment #194515 - Flags: approval1.8b4?
let's get this landed and resolved+verified on the trunk then consider for the
branch.
Fix checked into the trunk. Thanks, Julien, for catching this and the original
patch.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
patch actually went into the branch by mistake :-( retroactive a=asa rather than
back out and re-check-in this simple fix.

*now* it's on the trunk.
Keywords: fixed1.8
Attachment #194515 - Flags: approval1.8b5?
Attachment #194515 - Flags: approval1.8b4?
Attachment #194515 - Flags: approval1.8b4+
I'm still seeing this crash on Mac Firefox mozilla1.8 builds. Also, Windows Firefox doesn't crash, but the Alert box is closed before I am able to click okay in it.
Status: RESOLVED → REOPENED
Flags: blocking1.8rc2?
Keywords: fixed1.8
Resolution: FIXED → ---
Mac crash Incidents:
TB11453728Q
TB11453795M
Keywords: talkbackid
Version: unspecified → 1.5 Branch
(In reply to comment #21)
> I'm still seeing this crash on Mac Firefox mozilla1.8 builds.

The crashes you posted have a different stack than the original problem.

> Windows Firefox doesn't crash, but the Alert box is closed before I am able
> to click okay in it.

The testcase forces a window.close(). You can click on it on the Mac before it crashes deep in the alert() code? What about Linux?
Tracy, can you create a new bug? Jay, can you look through talkback and see if this new issue is a topcrasher?
Flags: blocking1.8rc2? → blocking1.8rc2-
Returning to r.fixed, I don't see any crashes with this particular signature in the latest Talkback data.

I also looked into Tracy's Mac crash, and it definitely isn't a topcrasher, but go ahead and log a new bug Tracy, and cc me on it.
Status: REOPENED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
If this is actually fixed on the 1.8 branch, could you re-add the fixed1.8 keyword?
Keywords: verified1.8
Crash Signature: [@ nsGlobalWindow::ScrollByLines]