crash [@ nsStyleContext::GetRuleNode] (this=0xdadadada) involving multiple Java applets

RESOLVED INCOMPLETE

Status

()

--
critical
RESOLVED INCOMPLETE
12 years ago
2 years ago

People

(Reporter: moco, Unassigned)

Tracking

({crash})

Trunk
x86
Mac OS X
crash
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

crash @ nsStyleContext::GetRuleNode() (this=0xdadadada)

sorry, I saved my stack but forgot what I was doing or what URL I was visiting.

but it was with my trunk, debug mac 10.4.8 build:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.9a2pre) Gecko/20070102 Minefield/3.0a2pre

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xdadadaf2
0x194d2355 in nsStyleContext::GetRuleNode (this=0xdadadada) at ../../dist/include/layout/nsStyleContext.h:114
114       nsRuleNode* GetRuleNode() { return mRuleNode; }
(gdb) where     
#0  0x194d2355 in nsStyleContext::GetRuleNode (this=0xdadadada) at ../../dist/include/layout/nsStyleContext.h:114
#1  0x194d23d1 in nsIFrame::GetPresContext (this=0x3649c2ac) at /Users/sspitzer/Desktop/trunk/mozilla/layout/base/../generic/nsIFrame.h:415
#2  0x18fb1dfc in nsObjectFrame::InstantiatePlugin (this=0x3649c2ac, aPluginHost=0x3479f754, aMimeType=0x400ff488 "application/x-java-vm", aURI=0x382488a0) at /Users/sspitzer/Desktop/trunk/mozilla/layout/generic/nsObjectFrame.cpp:764
#3  0x18fb66d7 in nsObjectFrame::Instantiate (this=0x3649c2ac, aMimeType=0x400ff488 "application/x-java-vm", aURI=0x382488a0) at /Users/sspitzer/Desktop/trunk/mozilla/layout/generic/nsObjectFrame.cpp:1352
#4  0x1915d7e5 in nsObjectLoadingContent::Instantiate (this=0x400feccc, aMIMEType=@0x38248f34, aURI=0x382488a0) at /Users/sspitzer/Desktop/trunk/mozilla/content/base/src/nsObjectLoadingContent.cpp:1360
#5  0x1915df2e in nsAsyncInstantiateEvent::Run (this=0x38248f20) at /Users/sspitzer/Desktop/trunk/mozilla/content/base/src/nsObjectLoadingContent.cpp:142
#6  0x015efa24 in nsThread::ProcessNextEvent (this=0x23190f0, mayWait=0, result=0xbfff85f4) at /Users/sspitzer/Desktop/trunk/mozilla/xpcom/threads/nsThread.cpp:482
#7  0x015986c1 in NS_ProcessPendingEvents_P (thread=0x23190f0, timeout=20) at nsThreadUtils.cpp:179
#8  0x15b5527b in nsBaseAppShell::NativeEventCallback (this=0x23367d0) at /Users/sspitzer/Desktop/trunk/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:111
#9  0x15b3eed3 in nsAppShell::ProcessGeckoEvents (this=0x23367d0) at /Users/sspitzer/Desktop/trunk/mozilla/widget/src/cocoa/nsAppShell.mm:198
#10 0x15b3f6bb in -[AppShellDelegate handlePortMessage:] (self=0x2344bb0, _cmd=0x90aa7c40, aPortMessage=0x391b74e0) at /Users/sspitzer/Desktop/trunk/mozilla/widget/src/cocoa/nsAppShell.mm:407
#11 0x92646a4c in __NSFireMachPort ()
#12 0x90839773 in __CFMachPortPerform ()
#13 0x90829a14 in CFRunLoopRunSpecific ()
#14 0x90828eb5 in CFRunLoopRunInMode ()
#15 0x92dcdb90 in RunCurrentEventLoopInMode ()
#16 0x92dcd1ce in ReceiveNextEventCommon ()
#17 0x92dcd0ee in BlockUntilNextEventMatchingListInMode ()
#18 0x9326f465 in _DPSNextEvent ()
#19 0x9326f056 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#20 0x35b16a7b in -[MyNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (self=0x233f300, _cmd=0x90ab4b5c, mask=4294967295, expiration=0x0, mode=0xa25dd1e0, flag=0 '\0') at /Volumes/Storage2/Developer/JavaEmbeddingPlugin/Project/JavaEmbeddingPlugin0.9.6/i386/../Controller.m:207
#21 0x35b0b800 in +[AppletView maybeCreateJavaVM:extraOptsNum:vmPtr:envPtr:initAWT:] (self=0x35b47780, _cmd=0x38205150, jvmExtraOpts=0x0, jvmExtraOptsNum=0, vmPtr=0xbfff95a4, envPtr=0x0, initAWT=0 '\0') at /Volumes/Storage2/Developer/JavaEmbeddingPlugin/Project/JavaEmbeddingPlugin0.9.6/i386/../AppletView.m:1828
#22 0x35b292c8 in JEPCreateJavaApplet (docbase=0x36955960, attributes=0x35ca52b0, parentWindow=0x3473abf0, options=0xbfff96c8, handle=0x37d017bc) at /Volumes/Storage2/Developer/JavaEmbeddingPlugin/Project/JavaEmbeddingPlugin0.9.6/i386/../Controller.m:6541
#23 0x39b7986a in JEPCreateJavaApplet (docbase=0x36955960, attributes=0x35ca52b0, parentWindow=0x3473abf0, options=0xbfff96c8, handle=0x37d017bc) at /Volumes/Storage2/Developer/Mozilla/mozilla-1.6/plugin/oji/MRJCarbon/plugin/i386/../Source/JavaEmbeddingPlugin.cpp:169
#24 0x39b7c9d9 in MRJContext::loadApplet (this=0x37d01760) at /Volumes/Storage2/Developer/Mozilla/mozilla-1.6/plugin/oji/MRJCarbon/plugin/i386/../Source/MRJContext.cp:1263
#25 0x39b7e9cf in MRJContext::setWindow (this=0x37d01760, pluginWindow=0x32ee9204) at /Volumes/Storage2/Developer/Mozilla/mozilla-1.6/plugin/oji/MRJCarbon/plugin/i386/../Source/MRJContext.cp:1899
#26 0x39b8236a in MRJPluginInstance::SetWindow (this=0x40008a70, pluginWindow=0x32ee9204) at /Volumes/Storage2/Developer/Mozilla/mozilla-1.6/plugin/oji/MRJCarbon/plugin/i386/../Source/MRJPlugin.cpp:974
#27 0x3703de31 in nsPluginNativeWindow::CallSetWindow (this=0x32ee9200, aPluginInstance=@0xbfff99ec) at ../../../../dist/include/plugin/nsPluginNativeWindow.h:93
#28 0x3701e92b in nsPluginHostImpl::InstantiateEmbeddedPlugin (this=0x3479f750, aMimeType=0x400fec98 "application/x-java-vm", aURL=0x400feb50, aOwner=0x37d7a9e0) at /Users/sspitzer/Desktop/trunk/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp:3463
#29 0x18fb1dd1 in nsObjectFrame::InstantiatePlugin (this=0x3649c224, aPluginHost=0x3479f754, aMimeType=0x400fec98 "application/x-java-vm", aURI=0x400feb50) at /Users/sspitzer/Desktop/trunk/mozilla/layout/generic/nsObjectFrame.cpp:754
#30 0x18fb66d7 in nsObjectFrame::Instantiate (this=0x3649c224, aMimeType=0x400fec98 "application/x-java-vm", aURI=0x400feb50) at /Users/sspitzer/Desktop/trunk/mozilla/layout/generic/nsObjectFrame.cpp:1352
#31 0x1915d7e5 in nsObjectLoadingContent::Instantiate (this=0x400fe3fc, aMIMEType=@0x38248ea4, aURI=0x400feb50) at /Users/sspitzer/Desktop/trunk/mozilla/content/base/src/nsObjectLoadingContent.cpp:1360
#32 0x1915df2e in nsAsyncInstantiateEvent::Run (this=0x38248e90) at /Users/sspitzer/Desktop/trunk/mozilla/content/base/src/nsObjectLoadingContent.cpp:142
#33 0x015efa24 in nsThread::ProcessNextEvent (this=0x23190f0, mayWait=0, result=0xbfff9dc4) at /Users/sspitzer/Desktop/trunk/mozilla/xpcom/threads/nsThread.cpp:482
#34 0x015986c1 in NS_ProcessPendingEvents_P (thread=0x23190f0, timeout=20) at nsThreadUtils.cpp:179
#35 0x15b5527b in nsBaseAppShell::NativeEventCallback (this=0x23367d0) at /Users/sspitzer/Desktop/trunk/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:111
#36 0x15b3eed3 in nsAppShell::ProcessGeckoEvents (this=0x23367d0) at /Users/sspitzer/Desktop/trunk/mozilla/widget/src/cocoa/nsAppShell.mm:198
#37 0x15b3f6bb in -[AppShellDelegate handlePortMessage:] (self=0x2344bb0, _cmd=0x90aa7c40, aPortMessage=0x40089f00) at /Users/sspitzer/Desktop/trunk/mozilla/widget/src/cocoa/nsAppShell.mm:407
#38 0x92646a4c in __NSFireMachPort ()
#39 0x90839773 in __CFMachPortPerform ()
#40 0x90829a14 in CFRunLoopRunSpecific ()
#41 0x90828eb5 in CFRunLoopRunInMode ()
#42 0x92dcdb90 in RunCurrentEventLoopInMode ()
#43 0x92dcd1ce in ReceiveNextEventCommon ()
#44 0x92dcd0ee in BlockUntilNextEventMatchingListInMode ()
#45 0x9326f465 in _DPSNextEvent ()
#46 0x9326f056 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#47 0x35b16a7b in -[MyNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (self=0x233f300, _cmd=0x90ab4b5c, mask=4294967295, expiration=0x0, mode=0xa25dd1e0, flag=0 '\0') at /Volumes/Storage2/Developer/JavaEmbeddingPlugin/Project/JavaEmbeddingPlugin0.9.6/i386/../Controller.m:207
#48 0x35b0b800 in +[AppletView maybeCreateJavaVM:extraOptsNum:vmPtr:envPtr:initAWT:] (self=0x35b47780, _cmd=0x38205150, jvmExtraOpts=0x0, jvmExtraOptsNum=0, vmPtr=0xbfffad74, envPtr=0x0, initAWT=0 '\0') at /Volumes/Storage2/Developer/JavaEmbeddingPlugin/Project/JavaEmbeddingPlugin0.9.6/i386/../AppletView.m:1828
#49 0x35b292c8 in JEPCreateJavaApplet (docbase=0x382e0410, attributes=0x382e02f0, parentWindow=0x3473abf0, options=0xbfffae98, handle=0x382de1fc) at /Volumes/Storage2/Developer/JavaEmbeddingPlugin/Project/JavaEmbeddingPlugin0.9.6/i386/../Controller.m:6541
#50 0x39b7986a in JEPCreateJavaApplet (docbase=0x382e0410, attributes=0x382e02f0, parentWindow=0x3473abf0, options=0xbfffae98, handle=0x382de1fc) at /Volumes/Storage2/Developer/Mozilla/mozilla-1.6/plugin/oji/MRJCarbon/plugin/i386/../Source/JavaEmbeddingPlugin.cpp:169
#51 0x39b7c9d9 in MRJContext::loadApplet (this=0x382de1a0) at /Volumes/Storage2/Developer/Mozilla/mozilla-1.6/plugin/oji/MRJCarbon/plugin/i386/../Source/MRJContext.cp:1263
#52 0x39b7e9cf in MRJContext::setWindow (this=0x382de1a0, pluginWindow=0x382ddf14) at /Volumes/Storage2/Developer/Mozilla/mozilla-1.6/plugin/oji/MRJCarbon/plugin/i386/../Source/MRJContext.cp:1899
#53 0x39b8236a in MRJPluginInstance::SetWindow (this=0x382de040, pluginWindow=0x382ddf14) at /Volumes/Storage2/Developer/Mozilla/mozilla-1.6/plugin/oji/MRJCarbon/plugin/i386/../Source/MRJPlugin.cpp:974
#54 0x3703de31 in nsPluginNativeWindow::CallSetWindow (this=0x382ddf10, aPluginInstance=@0xbfffb1bc) at ../../../../dist/include/plugin/nsPluginNativeWindow.h:93
#55 0x3701e92b in nsPluginHostImpl::InstantiateEmbeddedPlugin (this=0x3479f750, aMimeType=0x400fe3c8 "application/x-java-vm", aURL=0x400fe280, aOwner=0x382dde90) at /Users/sspitzer/Desktop/trunk/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp:3463
#56 0x18fb1dd1 in nsObjectFrame::InstantiatePlugin (this=0x3649c19c, aPluginHost=0x3479f754, aMimeType=0x400fe3c8 "application/x-java-vm", aURI=0x400fe280) at /Users/sspitzer/Desktop/trunk/mozilla/layout/generic/nsObjectFrame.cpp:754
#57 0x18fb66d7 in nsObjectFrame::Instantiate (this=0x3649c19c, aMimeType=0x400fe3c8 "application/x-java-vm", aURI=0x400fe280) at /Users/sspitzer/Desktop/trunk/mozilla/layout/generic/nsObjectFrame.cpp:1352
#58 0x1915d7e5 in nsObjectLoadingContent::Instantiate (this=0x400fdb1c, aMIMEType=@0x38248e14, aURI=0x400fe280) at /Users/sspitzer/Desktop/trunk/mozilla/content/base/src/nsObjectLoadingContent.cpp:1360
#59 0x1915df2e in nsAsyncInstantiateEvent::Run (this=0x38248e00) at /Users/sspitzer/Desktop/trunk/mozilla/content/base/src/nsObjectLoadingContent.cpp:142
#60 0x015efa24 in nsThread::ProcessNextEvent (this=0x23190f0, mayWait=0, result=0xbfffb594) at /Users/sspitzer/Desktop/trunk/mozilla/xpcom/threads/nsThread.cpp:482
#61 0x015986c1 in NS_ProcessPendingEvents_P (thread=0x23190f0, timeout=20) at nsThreadUtils.cpp:179
#62 0x15b5527b in nsBaseAppShell::NativeEventCallback (this=0x23367d0) at /Users/sspitzer/Desktop/trunk/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:111
#63 0x15b3eed3 in nsAppShell::ProcessGeckoEvents (this=0x23367d0) at /Users/sspitzer/Desktop/trunk/mozilla/widget/src/cocoa/nsAppShell.mm:198
#64 0x15b3f6bb in -[AppShellDelegate handlePortMessage:] (self=0x2344bb0, _cmd=0x90aa7c40, aPortMessage=0x37f9efe0) at /Users/sspitzer/Desktop/trunk/mozilla/widget/src/cocoa/nsAppShell.mm:407
#65 0x92646a4c in __NSFireMachPort ()
#66 0x90839773 in __CFMachPortPerform ()
#67 0x90829a14 in CFRunLoopRunSpecific ()
#68 0x90828eb5 in CFRunLoopRunInMode ()
#69 0x92dcdb90 in RunCurrentEventLoopInMode ()
#70 0x92dcd1ce in ReceiveNextEventCommon ()
#71 0x92dcd0ee in BlockUntilNextEventMatchingListInMode ()
#72 0x9326f465 in _DPSNextEvent ()
#73 0x9326f056 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#74 0x35b16a7b in -[MyNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (self=0x233f300, _cmd=0x90ab4b5c, mask=4294967295, expiration=0x0, mode=0xa25dd1e0, flag=0 '\0') at /Volumes/Storage2/Developer/JavaEmbeddingPlugin/Project/JavaEmbeddingPlugin0.9.6/i386/../Controller.m:207
#75 0x35b0b800 in +[AppletView maybeCreateJavaVM:extraOptsNum:vmPtr:envPtr:initAWT:] (self=0x35b47780, _cmd=0x38205150, jvmExtraOpts=0x0, jvmExtraOptsNum=0, vmPtr=0xbfffc544, envPtr=0x0, initAWT=0 '\0') at /Volumes/Storage2/Developer/JavaEmbeddingPlugin/Project/JavaEmbeddingPlugin0.9.6/i386/../AppletView.m:1828
#76 0x35b292c8 in JEPCreateJavaApplet (docbase=0x400130d0, attributes=0x40012fb0, parentWindow=0x3473abf0, options=0xbfffc668, handle=0x37802cfc) at /Volumes/Storage2/Developer/JavaEmbeddingPlugin/Project/JavaEmbeddingPlugin0.9.6/i386/../Controller.m:6541
#77 0x39b7986a in JEPCreateJavaApplet (docbase=0x400130d0, attributes=0x40012fb0, parentWindow=0x3473abf0, options=0xbfffc668, handle=0x37802cfc) at /Volumes/Storage2/Developer/Mozilla/mozilla-1.6/plugin/oji/MRJCarbon/plugin/i386/../Source/JavaEmbeddingPlugin.cpp:169
#78 0x39b7c9d9 in MRJContext::loadApplet (this=0x37802ca0) at /Volumes/Storage2/Developer/Mozilla/mozilla-1.6/plugin/oji/MRJCarbon/plugin/i386/../Source/MRJContext.cp:1263
#79 0x39b7e9cf in MRJContext::setWindow (this=0x37802ca0, pluginWindow=0x382d6284) at /Volumes/Storage2/Developer/Mozilla/mozilla-1.6/plugin/oji/MRJCarbon/plugin/i386/../Source/MRJContext.cp:1899
#80 0x39b8236a in MRJPluginInstance::SetWindow (this=0x382d9de0, pluginWindow=0x382d6284) at /Volumes/Storage2/Developer/Mozilla/mozilla-1.6/plugin/oji/MRJCarbon/plugin/i386/../Source/MRJPlugin.cpp:974
#81 0x3703de31 in nsPluginNativeWindow::CallSetWindow (this=0x382d6280, aPluginInstance=@0xbfffc98c) at ../../../../dist/include/plugin/nsPluginNativeWindow.h:93
#82 0x3701e92b in nsPluginHostImpl::InstantiateEmbeddedPlugin (this=0x3479f750, aMimeType=0x400fdae8 "application/x-java-vm", aURL=0x400fd9a0, aOwner=0x3911c210) at /Users/sspitzer/Desktop/trunk/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp:3463
#83 0x18fb1dd1 in nsObjectFrame::InstantiatePlugin (this=0x3649c114, aPluginHost=0x3479f754, aMimeType=0x400fdae8 "application/x-java-vm", aURI=0x400fd9a0) at /Users/sspitzer/Desktop/trunk/mozilla/layout/generic/nsObjectFrame.cpp:754
#84 0x18fb66d7 in nsObjectFrame::Instantiate (this=0x3649c114, aMimeType=0x400fdae8 "application/x-java-vm", aURI=0x400fd9a0) at /Users/sspitzer/Desktop/trunk/mozilla/layout/generic/nsObjectFrame.cpp:1352
#85 0x1915d7e5 in nsObjectLoadingContent::Instantiate (this=0x400fd27c, aMIMEType=@0x38248d84, aURI=0x400fd9a0) at /Users/sspitzer/Desktop/trunk/mozilla/content/base/src/nsObjectLoadingContent.cpp:1360
#86 0x1915df2e in nsAsyncInstantiateEvent::Run (this=0x38248d70) at /Users/sspitzer/Desktop/trunk/mozilla/content/base/src/nsObjectLoadingContent.cpp:142
#87 0x015efa24 in nsThread::ProcessNextEvent (this=0x23190f0, mayWait=0, result=0xbfffcd64) at /Users/sspitzer/Desktop/trunk/mozilla/xpcom/threads/nsThread.cpp:482
#88 0x015986c1 in NS_ProcessPendingEvents_P (thread=0x23190f0, timeout=20) at nsThreadUtils.cpp:179
#89 0x15b5527b in nsBaseAppShell::NativeEventCallback (this=0x23367d0) at /Users/sspitzer/Desktop/trunk/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:111
#90 0x15b3eed3 in nsAppShell::ProcessGeckoEvents (this=0x23367d0) at /Users/sspitzer/Desktop/trunk/mozilla/widget/src/cocoa/nsAppShell.mm:198
#91 0x15b3f6bb in -[AppShellDelegate handlePortMessage:] (self=0x2344bb0, _cmd=0x90aa7c40, aPortMessage=0x38226bb0) at /Users/sspitzer/Desktop/trunk/mozilla/widget/src/cocoa/nsAppShell.mm:407
#92 0x92646a4c in __NSFireMachPort ()
#93 0x90839773 in __CFMachPortPerform ()
#94 0x90829a14 in CFRunLoopRunSpecific ()
#95 0x90828eb5 in CFRunLoopRunInMode ()
#96 0x92dcdb90 in RunCurrentEventLoopInMode ()
#97 0x92dcd1ce in ReceiveNextEventCommon ()
#98 0x92dcd0ee in BlockUntilNextEventMatchingListInMode ()
#99 0x9326f465 in _DPSNextEvent ()
#100 0x9326f056 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#101 0x35b16a7b in -[MyNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (self=0x233f300, _cmd=0x90ab4b5c, mask=4294967295, expiration=0x0, mode=0xa25dd1e0, flag=0 '\0') at /Volumes/Storage2/Developer/JavaEmbeddingPlugin/Project/JavaEmbeddingPlugin0.9.6/i386/../Controller.m:207
#102 0x35b0b800 in +[AppletView maybeCreateJavaVM:extraOptsNum:vmPtr:envPtr:initAWT:] (self=0x35b47780, _cmd=0x38205150, jvmExtraOpts=0xbfffddb4, jvmExtraOptsNum=2, vmPtr=0x0, envPtr=0x0, initAWT=1 '\001') at /Volumes/Storage2/Developer/JavaEmbeddingPlugin/Project/JavaEmbeddingPlugin0.9.6/i386/../AppletView.m:1828
#103 0x35b28fc7 in JEPCreateJavaVMAndInitAWT (jvmExtraOpts=0xbfffddb4, jvmExtraOptsNum=2, vm=0x0, env=0x0, runAfterInitAWT=0x39b83f78 <afterInitAWT(void*)>, runAfterInitAWTInfo=0x400c6f40) at /Volumes/Storage2/Developer/JavaEmbeddingPlugin/Project/JavaEmbeddingPlugin0.9.6/i386/../Controller.m:6485
#104 0x39b79807 in JEPCreateJavaVMAndInitAWT (jvmExtraOpts=0xbfffddb4, jvmExtraOptsNum=2, vm=0x0, env=0x0, runAfterInitAWT=0x39b83f78 <afterInitAWT(void*)>, runAfterInitAWTInfo=0x400c6f40) at /Volumes/Storage2/Developer/Mozilla/mozilla-1.6/plugin/oji/MRJCarbon/plugin/i386/../Source/JavaEmbeddingPlugin.cpp:160
#105 0x39b847b5 in MRJSession::open (this=0x400c6f40, consolePath=0xbfffde0a "/Users/sspitzer/Library/Logs/Java Console.log") at /Volumes/Storage2/Developer/Mozilla/mozilla-1.6/plugin/oji/MRJCarbon/plugin/i386/../Source/MRJSession.cpp:928
#106 0x39b810b3 in MRJPlugin::StartupJVM (this=0x38206180) at /Volumes/Storage2/Developer/Mozilla/mozilla-1.6/plugin/oji/MRJCarbon/plugin/i386/../Source/MRJPlugin.cpp:548
#107 0x39b818e0 in MRJPlugin::CreateInstance (this=0x38206180, aOuter=0x0, aIID=@0x3702b328, aResult=0xbfffe258) at /Volumes/Storage2/Developer/Mozilla/mozilla-1.6/plugin/oji/MRJCarbon/plugin/i386/../Source/MRJPlugin.cpp:403
#108 0x3701efa6 in nsPluginHostImpl::TrySetUpPluginInstance (this=0x3479f750, aMimeType=0x400fd248 "application/x-java-vm", aURL=0x400fd100, aOwner=0x382bfe20) at /Users/sspitzer/Desktop/trunk/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp:3876
#109 0x37016e49 in nsPluginHostImpl::SetUpPluginInstance (this=0x3479f750, aMimeType=0x400fd248 "application/x-java-vm", aURL=0x400fd100, aOwner=0x382bfe20) at /Users/sspitzer/Desktop/trunk/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp:3731
#110 0x3701e6a4 in nsPluginHostImpl::InstantiateEmbeddedPlugin (this=0x3479f750, aMimeType=0x400fd248 "application/x-java-vm", aURL=0x400fd100, aOwner=0x382bfe20) at /Users/sspitzer/Desktop/trunk/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp:3405
#111 0x18fb1dd1 in nsObjectFrame::InstantiatePlugin (this=0x3649c08c, aPluginHost=0x3479f754, aMimeType=0x400fd248 "application/x-java-vm", aURI=0x400fd100) at /Users/sspitzer/Desktop/trunk/mozilla/layout/generic/nsObjectFrame.cpp:754
#112 0x18fb66d7 in nsObjectFrame::Instantiate (this=0x3649c08c, aMimeType=0x400fd248 "application/x-java-vm", aURI=0x400fd100) at /Users/sspitzer/Desktop/trunk/mozilla/layout/generic/nsObjectFrame.cpp:1352
#113 0x1915d7e5 in nsObjectLoadingContent::Instantiate (this=0x40059c4c, aMIMEType=@0x38248ca4, aURI=0x400fd100) at /Users/sspitzer/Desktop/trunk/mozilla/content/base/src/nsObjectLoadingContent.cpp:1360
#114 0x1915df2e in nsAsyncInstantiateEvent::Run (this=0x38248c90) at /Users/sspitzer/Desktop/trunk/mozilla/content/base/src/nsObjectLoadingContent.cpp:142
#115 0x015efa24 in nsThread::ProcessNextEvent (this=0x23190f0, mayWait=1, result=0xbfffe8cc) at /Users/sspitzer/Desktop/trunk/mozilla/xpcom/threads/nsThread.cpp:482
#116 0x01598560 in NS_ProcessNextEvent_P (thread=0x23190f0, mayWait=1) at nsThreadUtils.cpp:225
#117 0x15b5536e in nsBaseAppShell::Run (this=0x23367d0) at /Users/sspitzer/Desktop/trunk/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:153
#118 0x15b3f392 in nsAppShell::Run (this=0x23367d0) at /Users/sspitzer/Desktop/trunk/mozilla/widget/src/cocoa/nsAppShell.mm:319
#119 0x15b3f6fe in -[AppShellDelegate runAppShell] (self=0x2344bb0, _cmd=0x2338ac0) at /Users/sspitzer/Desktop/trunk/mozilla/widget/src/cocoa/nsAppShell.mm:418
#120 0x9260b0c7 in __NSFireDelayedPerform ()
#121 0x90829bc9 in CFRunLoopRunSpecific ()
#122 0x90828eb5 in CFRunLoopRunInMode ()
#123 0x92dcdb90 in RunCurrentEventLoopInMode ()
#124 0x92dcd297 in ReceiveNextEventCommon ()
#125 0x92dcd0ee in BlockUntilNextEventMatchingListInMode ()
#126 0x9326f465 in _DPSNextEvent ()
#127 0x9326f056 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#128 0x93268ddb in -[NSApplication run] ()
#129 0x15b3f366 in nsAppShell::Run (this=0x23367d0) at /Users/sspitzer/Desktop/trunk/mozilla/widget/src/cocoa/nsAppShell.mm:315
#130 0x16db3ee7 in nsAppStartup::Run (this=0x234af70) at /Users/sspitzer/Desktop/trunk/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:171
#131 0x0020f273 in XRE_main (argc=2, argv=0xbffffb6c, aAppData=0x2040) at /Users/sspitzer/Desktop/trunk/mozilla/toolkit/xre/nsAppRunner.cpp:2520
#132 0x00001f32 in main (argc=2, argv=0xbffffb6c) at /Users/sspitzer/Desktop/trunk/mozilla/browser/app/nsBrowserApp.cpp:61
Looks Java-related, from the stack.
Component: General → General
Product: Firefox → Core
QA Contact: general → general
As you must be aware, your report is pretty useless unless you can
figure out how to reproduce it.

That said, I can tell from your crash log that the crash happened as a
page was loaded that contains at least five Java applets, and that
these applets were loaded recursively (i.e. successive applets started
loading before any of the previous applets had finished loading) --
which is probably what triggered the crash.

I've been seeing this kind of silliness on the trunk since the
nsIThreadManager changes were landed on 2006-05-11 (see bug 326273) --
particularly when you load a page containing multiple Java applets, or
when you reload a page that contains at least one Java applet.
Sometimes a single applet will get loaded more than once.  In effect
the nsIThreadManager changes broke the JEP.

JEP 0.9.6 (which you're using) contains workarounds to alleviate these
problems, and I'm not able to reproduce your crash (or any crash),
reloading applets or loading multiple applets, in either
firefox-2007-01-03-04-trunk or camino-2007-01-03-01-trunk.  But I'd
still bet your crash is fallout from the nsIThreadManager changes.

By the way, a crash at 0xdadadaf2 or 0xdadadada indicates that the
instruction pointer was set to the middle of a string -- which
suggests buffer overflows and/or heap corruption.  If you do figure
out how to reproduce this problem, you (or someone) should mark this
bug as security-sensitive before you describe how it can be reproduced
:-)

Comment 3

12 years ago
<Jesse> 0xdadadada?
<word> well, 0xdadadada is what 0xbabybaby calls his pop or the MSVC debug-alloc boundary-marker or PL_FREE_PATTERN (deallocated PLArena) or JS_FREE_PATTERN (deallocated JSArena - GC()d)

I don't see an indication from the stack trace that the instruction pointer was in a bad place.  But this=0xdadadada means (debug) Gecko took a pointer from deallocated memoroy and then dereferenced it, and depending on exactly what it does with that pointer, it's likely to be exploitable in a non-debug build.
Severity: normal → critical
Keywords: crash
Summary: crash @ nsStyleContext::GetRuleNode() (this=0xdadadada) → crash @ nsStyleContext::GetRuleNode() (this=0xdadadada) involving multiple Java applets

Updated

12 years ago
Summary: crash @ nsStyleContext::GetRuleNode() (this=0xdadadada) involving multiple Java applets → crash [@ nsStyleContext::GetRuleNode] (this=0xdadadada) involving multiple Java applets
> <Jesse> 0xdadadada?

It's also a bunch of CRLFs, very likely from the middle of a string.

But you're right that the instruction pointer probably wasn't set to
0xdadadada or 0xdadadaf2.  Instead 0xdadadaf2 may be what the code
thinks is the address of mRuleNode.

However, if 0xdadadada _is_ from the middle of a string, this shows
that whoever controls the contents of the string could (in principle)
have changed 0xdadadada to something more useful ... or malicious.

Comment 5

12 years ago
CRLF would be 0x0d0a (ASCII, UTF-8) or 0x000d000a (UTF-16), not 0xda.
> CRLF would be 0x0d0a (ASCII, UTF-8) or 0x000d000a (UTF-16), not
> 0xda.

Oops!  You're right.  Sigh.
I've now created my own debug build of Minefield, using source pulled
from CVS this afternoon (about 4:30 CST, 2:30 PST).  I tested with a
couple of sites that have multiple applets on a single page, reloading
each page several times ... and didn't see any crashes testing with
the bundled JEP 0.9.6.  I did see one crash testing with JEP
0.9.5+g+2, but it wasn't the same, and showed no evidence of re-using
deleted objects (no 0xdadadada).

The most challenging of these sites was http://brittnysseafood.com/.
Seth, I'm curious to see what happens when you test your debug build
at this site.  Each of its pages has many applets (particularly the
main page).

I also wonder if your debug build was configured differently from
mine.  Here's my .mozconfig file:

. $topsrcdir/browser/config/mozconfig
mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/obj-firefox-debug
ac_add_options --disable-optimize --enable-debug
mk_add_options MOZ_CO_PROJECT=browser

Comment 8

12 years ago
i hit a similar crash w/ realplayer on windows except it's 0xdddddddd and i only had one plugin on my stack :) - Bug 369332.
Component: General → Plug-ins
QA Contact: general → plugins
(Assignee)

Updated

8 years ago
Crash Signature: [@ nsStyleContext::GetRuleNode]
You need to log in before you can comment on or make changes to this bug.