Crash when selecting an item in the Applications tab of Firefox pref window




11 years ago


(Reporter: florian, Assigned: hwaara)



Bug Flags:
blocking1.9 +

Firefox Tracking Flags

(Not tracked)



(2 attachments)



11 years ago
Created attachment 290473
where full from gdb

Sometimes when I select a row in the Applications tab of the pref window, I get a crash with a stack like this one:

#0  0x00312173 in nsQueryInterface::operator() (this=0xbfffbdd4, aIID=@0x12fe8640, answer=0xbfffbdbc) at nsCOMPtr.cpp:47
#1  0x1295c80c in nsCOMPtr<nsIContent>::assign_from_qi (this=0xbfffbf6c, qi={mRawPtr = 0x1f5393ac}, aIID=@0x12fe8640) at nsCOMPtr.h:1275
#2  0x12786cc0 in nsCOMPtr<nsIContent>::nsCOMPtr (this=0xbfffbf6c, qi={mRawPtr = 0x1f5393ac}) at nsCOMPtr.h:645
#3  0x12786cde in nsCOMPtr<nsIContent>::nsCOMPtr (this=0xbfffbf6c, qi={mRawPtr = 0x1f5393ac}) at nsCOMPtr.h:645
#4  0x12c85945 in nsXULDocument::AttributeChanged (this=0xc0b800, aDocument=0xc0b800, aElement=0x1f344b60, aNameSpaceID=0, aAttribute=0x8d55fc, aModType=2, aStateMask=0) at /Users/fqueze/moz/mozilla/content/xul/document/src/nsXULDocument.cpp:954
#5  0x12aa6b65 in nsNodeUtils::AttributeChanged (aContent=0x1f344b60, aNameSpaceID=0, aAttribute=0x8d55fc, aModType=2, aStateMask=0) at /Users/fqueze/moz/mozilla/content/base/src/nsNodeUtils.cpp:108
#6  0x12a931a6 in nsGenericElement::SetAttrAndNotify (this=0x1f344b60, aNamespaceID=0, aName=0x8d55fc, aPrefix=0x0, aOldValue=@0xbfffc2dc, aParsedValue=@0xbfffc378, aModification=0, aFireMutation=0, aNotify=1) at /Users/fqueze/moz/mozilla/content/base/src/nsGenericElement.cpp:3643
#7  0x12a9381a in nsGenericElement::SetAttr (this=0x1f344b60, aNamespaceID=0, aName=0x8d55fc, aPrefix=0x0, aValue=@0xbfffc4a4, aNotify=1) at /Users/fqueze/moz/mozilla/content/base/src/nsGenericElement.cpp:3574
#8  0x12863c68 in nsIContent::SetAttr (this=0x1f344b60, aNameSpaceID=0, aName=0x8d55fc, aValue=@0xbfffc4a4, aNotify=1) at nsIContent.h:246
#9  0x12c51a84 in nsXBLPrototypeBinding::AttributeChanged (this=0x1f26d1e0, aAttribute=0x8d3ed4, aNameSpaceID=0, aRemoveFlag=0, aChangedElement=0x1f561c30, aAnonymousContent=0x1f605320, aNotify=1) at /Users/fqueze/moz/mozilla/content/xbl/src/nsXBLPrototypeBinding.cpp:596
#10 0x12c4a531 in nsXBLBinding::AttributeChanged (this=0x1f27c730, aAttribute=0x8d3ed4, aNameSpaceID=0, aRemoveFlag=0, aNotify=1) at /Users/fqueze/moz/mozilla/content/xbl/src/nsXBLBinding.cpp:945
#11 0x12a930ec in nsGenericElement::SetAttrAndNotify (this=0x1f561c30, aNamespaceID=0, aName=0x8d3ed4, aPrefix=0x0, aOldValue=@0xbfffc89c, aParsedValue=@0xbfffc938, aModification=0, aFireMutation=0, aNotify=1) at /Users/fqueze/moz/mozilla/content/base/src/nsGenericElement.cpp:3632
#12 0x12a9381a in nsGenericElement::SetAttr (this=0x1f561c30, aNamespaceID=0, aName=0x8d3ed4, aPrefix=0x0, aValue=@0x1efc3590, aNotify=1) at /Users/fqueze/moz/mozilla/content/base/src/nsGenericElement.cpp:3574
#13 0x12a955ac in nsGenericElement::SetAttr (this=0x1f561c30, aNameSpaceID=0, aName=0x8d3ed4, aValue=@0x1efc3590, aNotify=1) at nsGenericElement.h:392
#14 0x12a8e4c8 in nsGenericElement::SetAttribute (this=0x1f561c30, aName=@0x1efc35a0, aValue=@0x1efc3590) at /Users/fqueze/moz/mozilla/content/base/src/nsGenericElement.cpp:1496
#15 0x12db3bad in nsXULElement::SetAttribute (this=0x1f561c30, name=@0x1efc35a0, value=@0x1efc3590) at nsXULElement.h:611
#16 0x003a8597 in NS_InvokeByIndex_P (that=0x1f561c4c, methodIndex=30, paramCount=2, params=0xbfffcc24) at /Users/fqueze/moz/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179
#17 0x1114ef3e in XPCWrappedNative::CallMethod (ccx=@0xbfffce74, mode=XPCWrappedNative::CALL_METHOD) at /Users/fqueze/moz/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2339
#18 0x111593c9 in XPC_WN_CallMethod (cx=0x1ed3a250, obj=0x125f4960, argc=2, argv=0xd1a954, vp=0xbfffcf94) at /Users/fqueze/moz/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1467
#19 0x00224fb7 in js_Invoke (cx=0x1ed3a250, argc=2, vp=0xd1a94c, flags=0) at /Users/fqueze/moz/mozilla/js/src/jsinterp.c:1358
#20 0x002367ca in js_Interpret (cx=0x1ed3a250, pc=0xa8079d ":", result=0xbfffd60c) at /Users/fqueze/moz/mozilla/js/src/jsinterp.c:4112
#21 0x00225042 in js_Invoke (cx=0x1ed3a250, argc=1, vp=0xd1a920, flags=2) at /Users/fqueze/moz/mozilla/js/src/jsinterp.c:1378
#22 0x00225305 in js_InternalInvoke (cx=0x1ed3a250, obj=0x125f4960, fval=518942816, flags=0, argc=1, argv=0xbfffdb38, rval=0xbfffdb38) at /Users/fqueze/moz/mozilla/js/src/jsinterp.c:1434
#23 0x00225551 in js_InternalGetOrSet (cx=0x1ed3a250, obj=0x125f4960, id=495971164, fval=518942816, mode=JSACC_WRITE, argc=1, argv=0xbfffdb38, rval=0xbfffdb38) at /Users/fqueze/moz/mozilla/js/src/jsinterp.c:1497
#24 0x002553b0 in js_SetProperty (cx=0x1ed3a250, obj=0x125f4960, id=495971164, vp=0xbfffdb38) at /Users/fqueze/moz/mozilla/js/src/jsobj.c:3768
#25 0x00234fb9 in js_Interpret (cx=0x1ed3a250, pc=0xc693b3 "6", result=0xbfffdddc) at /Users/fqueze/moz/mozilla/js/src/jsinterp.c:3837
#26 0x00225042 in js_Invoke (cx=0x1ed3a250, argc=0, vp=0xd1a818, flags=2) at /Users/fqueze/moz/mozilla/js/src/jsinterp.c:1378
#27 0x00225305 in js_InternalInvoke (cx=0x1ed3a250, obj=0x1f1940e0, fval=308234784, flags=0, argc=0, argv=0x0, rval=0xbfffdf6c) at /Users/fqueze/moz/mozilla/js/src/jsinterp.c:1434
#28 0x001e262a in JS_CallFunctionValue (cx=0x1ed3a250, obj=0x1f1940e0, fval=308234784, argc=0, argv=0x0, rval=0xbfffdf6c) at /Users/fqueze/moz/mozilla/js/src/jsapi.c:4926
#29 0x12c5d48c in nsXBLProtoImplAnonymousMethod::Execute (this=0x1f261940, aBoundElement=0x1f692780) at /Users/fqueze/moz/mozilla/content/xbl/src/nsXBLProtoImplMethod.cpp:351
#30 0x12c4f47d in nsXBLPrototypeBinding::BindingAttached (this=0x1f261160, aBoundElement=0x1f692780) at /Users/fqueze/moz/mozilla/content/xbl/src/nsXBLPrototypeBinding.cpp:483
#31 0x12c4b3a3 in nsXBLBinding::ExecuteAttachedHandler (this=0x1f2324b0) at /Users/fqueze/moz/mozilla/content/xbl/src/nsXBLBinding.cpp:956
#32 0x12c6ca72 in nsBindingManager::ProcessAttachedQueue (this=0x1ef5b460, aSkipSize=0) at /Users/fqueze/moz/mozilla/content/xbl/src/nsBindingManager.cpp:961
#33 0x1280c522 in PresShell::DoFlushPendingNotifications (this=0xbfea00, aType=Flush_Style, aInterruptibleReflow=0) at /Users/fqueze/moz/mozilla/layout/base/nsPresShell.cpp:4468
#34 0x1280c75c in PresShell::FlushPendingNotifications (this=0xbfea00, aType=Flush_Style) at /Users/fqueze/moz/mozilla/layout/base/nsPresShell.cpp:4425
#35 0x1278d6be in nsCSSFrameConstructor::RestyleEvent::Run (this=0x1ef360b0) at /Users/fqueze/moz/mozilla/layout/base/nsCSSFrameConstructor.cpp:13329
#36 0x0038f75c in nsThread::ProcessNextEvent (this=0x614ce0, mayWait=0, result=0xbfffe1d4) at /Users/fqueze/moz/mozilla/xpcom/threads/nsThread.cpp:490
#37 0x0031ba74 in NS_ProcessPendingEvents_P (thread=0x614ce0, timeout=20) at nsThreadUtils.cpp:180
#38 0x1161d215 in nsBaseAppShell::NativeEventCallback (this=0x62fbd0) at /Users/fqueze/moz/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:112
#39 0x115f8186 in nsAppShell::ProcessGeckoEvents (aInfo=0x62fbd0) at /Users/fqueze/moz/mozilla/widget/src/cocoa/
#40 0x9633064e in CFRunLoopRunSpecific ()
#41 0x96330d38 in CFRunLoopRunInMode ()
#42 0x907ca8a4 in RunCurrentEventLoopInMode ()
#43 0x907ca5f6 in ReceiveNextEventCommon ()
#44 0x907ca531 in BlockUntilNextEventMatchingListInMode ()
#45 0x94b14d5b in _DPSNextEvent ()
#46 0x94b146a0 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#47 0x94b0d6d1 in -[NSApplication run] ()
#48 0x115f7179 in nsAppShell::Run (this=0x62fbd0) at /Users/fqueze/moz/mozilla/widget/src/cocoa/
#49 0x12336d16 in nsAppStartup::Run (this=0x656000) at /Users/fqueze/moz/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:170
#50 0x000f09a1 in XRE_main (argc=3, argv=0xbffff718, aAppData=0x60edb0) at /Users/fqueze/moz/mozilla/toolkit/xre/nsAppRunner.cpp:3142
#51 0x000026d3 in main (argc=3, argv=0xbffff718) at /Users/fqueze/moz/mozilla/browser/app/nsBrowserApp.cpp:153

(Probably unrelated:) Before the crash, I got this assertion a lot:
###!!! ASSERTION: cannot call on a dirty frame not currently being reflowed: '!NS_SUBTREE_DIRTY(this) || (GetStateBits() & NS_FRAME_IN_REFLOW)', file /Users/fqueze/moz/mozilla/layout/generic/nsFrame.cpp, line 556

The last warnings before the crash were:
WARNING: Write failed (non-fatal): file /Users/fqueze/moz/mozilla/xpcom/io/nsInputStreamTee.cpp, line 84
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file /Users/fqueze/moz/mozilla/modules/libpr0n/decoders/icon/mac/, line 218

I had this crash on Windows and Linux too while trying to fix bug 398445, so it's not Mac only.

In case this can help, I'm attaching the output of "where full" from gdb.

Comment 1

11 years ago
I get this fairly often, nominating for blocking1.9.
Flags: blocking1.9?

Comment 2

11 years ago
Still happening in recent nightlies?
Flags: blocking1.9? → blocking1.9+
Priority: -- → P3

Comment 3

11 years ago
(In reply to comment #2)
> Still happening in recent nightlies?

Yes.  I still got it last Friday with my Mac trunk build and on a Windows nightly.

Comment 4

11 years ago
Is this showing up as a top crash in crash reporter data?  Do you have steps to reproduce reliably?

Comment 5

11 years ago
Created attachment 298416
patch to reproduce

(In reply to comment #4)
> Is this showing up as a top crash in crash reporter data?

I don't know.

> Do you have steps to reproduce reliably?

To check that the bug is still there, I just selected random rows in the Applications prefpane until it crashed.

When applying the attached patch and opening the Applications prefpane, it usually crashes in less than a minute.
Flags: blocking1.9+ → blocking1.9-

Comment 6

11 years ago
I think this is now showing up as top crashes in the crash reporter data for Firefox 3.0b3pre with these signatures:

9  nsCOMPtr_base::assign_from_qi(nsQueryInterface, nsID const&) (windows only)
27 nsQueryInterface::operator()(nsID const&, void**) const (mac and linux)

These frames are very similar in these reports:
2 nsCOMPtr<nsIContent>::nsCOMPtr(nsQueryInterface)
3 nsXULDocument::AttributeChanged(nsIDocument*, nsIContent*, int, nsIAtom*, int, unsigned int)
4 nsNodeUtils::AttributeChanged(nsIContent*, int, nsIAtom*, int, unsigned int)

Bug 411145 and bug 411147 seem related, though they were filed against Thunderbird.

Renominating, as I suspect showing up in the top crash data gives more importance to this bug.
Severity: normal → critical
Flags: blocking1.9- → blocking1.9?
Keywords: topcrash
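
The comparison made in comment 6, matching a local gdb backtrace against crash-reporter frames even though the topmost frame differs by platform, can be automated. This is an added example, not part of the bug thread or of Mozilla's crash-reporting tooling; the function names are hypothetical and the gdb sample is the report's top frames with arguments and paths abbreviated.

```python
import re

# Constructed sample: top frames of the gdb backtrace in this report, abbreviated.
GDB_BT = """\
#0  0x00312173 in nsQueryInterface::operator() (this=0xbfffbdd4) at nsCOMPtr.cpp:47
#1  0x1295c80c in nsCOMPtr<nsIContent>::assign_from_qi (this=0xbfffbf6c) at nsCOMPtr.h:1275
#2  0x12786cc0 in nsCOMPtr<nsIContent>::nsCOMPtr (this=0xbfffbf6c) at nsCOMPtr.h:645
#3  0x12786cde in nsCOMPtr<nsIContent>::nsCOMPtr (this=0xbfffbf6c) at nsCOMPtr.h:645
#4  0x12c85945 in nsXULDocument::AttributeChanged (this=0xc0b800) at nsXULDocument.cpp:954
#5  0x12aa6b65 in nsNodeUtils::AttributeChanged (aContent=0x1f344b60) at nsNodeUtils.cpp:108
"""

# Frames 2-4 as quoted from the crash-reporter reports in comment 6.
REPORT_FRAMES = [
    "nsCOMPtr<nsIContent>::nsCOMPtr(nsQueryInterface)",
    "nsXULDocument::AttributeChanged(nsIDocument*, nsIContent*, int, nsIAtom*, int, unsigned int)",
    "nsNodeUtils::AttributeChanged(nsIContent*, int, nsIAtom*, int, unsigned int)",
]

GDB_FRAME = re.compile(r"^#\d+\s+(?:0x[0-9a-f]+ in )?(.+?) \(")

def gdb_functions(bt):
    """Function names from gdb 'bt' lines; addresses, arguments and paths dropped."""
    return [m.group(1) for m in map(GDB_FRAME.match, bt.splitlines()) if m]

def strip_signature(sig):
    """Drop the trailing parameter list (and a 'const' qualifier) from a symbol."""
    sig = re.sub(r"\)\s*const$", ")", sig.strip())
    depth = 0
    for i in range(len(sig) - 1, -1, -1):   # scan back to the matching '('
        if sig[i] == ")":
            depth += 1
        elif sig[i] == "(":
            depth -= 1
            if depth == 0:
                return sig[:i]
    return sig

def dedupe(names):
    """Collapse adjacent duplicates (gdb lists both constructor variants, #2 and #3)."""
    return [n for i, n in enumerate(names) if i == 0 or names[i - 1] != n]

def match_offset(bt=GDB_BT, report=REPORT_FRAMES):
    """Index in the de-duplicated gdb stack where the report frames occur
    contiguously, or -1 if they do not."""
    stack = dedupe(gdb_functions(bt))
    want = [strip_signature(s) for s in report]
    for i in range(len(stack) - len(want) + 1):
        if stack[i:i + len(want)] == want:
            return i
    return -1
```

An offset greater than zero means the stacks agree below a top frame that differs, which is the situation comment 6 describes for the Windows and Mac/Linux signatures.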
Flags: blocking1.9? → blocking1.9+
Priority: P3 → P2

Comment 7

11 years ago
hwaara, it would be great if you can look into this. I'll take the liberty of assigning it to you.
Assignee: nobody → hwaara

Comment 8

11 years ago
Florian, can you still reproduce this on today's trunk?

I manually applied your patch (since it didn't apply cleanly any longer), and the selection travels all the way through the listbox and restarts (over and over) without any problems. I've tried stress-testing it in different ways, but no crash.

Comment 9

11 years ago
I just tried to reproduce it with my current trunk build and couldn't get it to crash.  Also, I don't see any related stack in the Firefox 3b4pre crash reporter data, so I think for now we can assume it was fixed somewhere else.

Feel free to resolve as FIXED or WORKSFORME and I'll reopen if I get this crash again.

Comment 10

11 years ago
Great! Guess I'll have to find another bug for Håkan :-).
Last Resolved: 11 years ago
Resolution: --- → WORKSFORME