Closed Bug 720991 Opened 12 years ago Closed 8 years ago

Crash @ nsXBLService::GetBinding

Categories

(Core :: XBL, defect)

Product:
Core
Component:
XBL
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox16 - wontfix
firefox17 - wontfix
firefox18 --- wontfix
firefox19 --- wontfix
firefox20 --- wontfix
firefox21 --- wontfix
firefox22 --- wontfix
firefox23 --- wontfix
firefox24 --- wontfix
firefox32 --- wontfix
firefox33 --- wontfix
firefox34 --- wontfix
firefox35 --- wontfix
firefox36 --- wontfix
firefox37 --- wontfix
firefox38 - wontfix
firefox38.0.5 - wontfix
firefox39 + wontfix
firefox-esr17 --- wontfix

People

(Reporter: scoobidiver, Unassigned)

References

Details

(5 keywords, Whiteboard: [external regression on 2015-03-14?])

Crash Data

It's #92 top browser crasher in 10.0b5, but only #12 top crasher on Mac OS X.

All reports contain the Firefox hotfix extension

Signature 	nsXBLService::GetBinding More Reports Search
UUID	7cd3be46-a29f-41b8-90af-bd18e2120124
Date Processed	2012-01-24 19:24:10
Uptime	824
Last Crash	1.7 hours before submission
Install Age	13.7 minutes since version was first installed.
Install Time	2012-01-24 19:10:18
Product	Firefox
Version	10.0
Build ID	20120118081945
Release Channel	beta
OS	Mac OS X
OS Version	10.5.8 9L31a
Build Architecture	x86
Build Architecture Info	family 6 model 15 stepping 6
Crash Reason	EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash Address	0xffffffffc9a4d7af
EMCheckCompatibility	True

Frame 	Module 	Signature 	Source
0 	XUL 	nsXBLService::GetBinding 	content/xbl/src/nsXBLService.cpp:831
1 	XUL 	nsXBLService::GetBinding 	content/xbl/src/nsXBLService.cpp:908
2 	XUL 	nsXBLService::GetBinding 	content/xbl/src/nsXBLService.cpp:811
3 	XUL 	nsXBLService::LoadBindings 	content/xbl/src/nsXBLService.cpp:561
4 	XUL 	nsElementSH::PostCreate 	dom/base/nsDOMClassInfo.cpp:7603
5 	XUL 	FinishCreate 	js/xpconnect/src/XPCWrappedNative.cpp:642
6 	XUL 	XPCWrappedNative::GetNewOrUsed 	js/xpconnect/src/XPCWrappedNative.cpp:580
7 	XUL 	XPCConvert::NativeInterface2JSObject 	js/xpconnect/src/XPCConvert.cpp:1179
8 	XUL 	XPCConvert::NativeData2JS 	js/xpconnect/src/XPCConvert.cpp:489
9 	XUL 	XPCWrappedNative::CallMethod 	js/xpconnect/src/xpcprivate.h:3256
10 	XUL 	XPC_WN_CallMethod 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1554
11 	XUL 	js::InvokeKernel 	js/src/jscntxtinlines.h:297
12 	XUL 	js::Interpret 	js/src/jsinterp.cpp:3948
13 	XUL 	js::RunScript 	js/src/jsinterp.cpp:584
14 	XUL 	js::ExecuteKernel 	js/src/jsinterp.cpp:783
15 	XUL 	js::Execute 	js/src/jsinterp.cpp:822
16 	XUL 	EvaluateUCScriptForPrincipalsCommon 	js/src/jsapi.cpp:5093
17 	XUL 	JS_EvaluateUCScriptForPrincipalsVersion 	js/src/jsapi.cpp:5105
18 	XUL 	nsJSContext::EvaluateStringWithValue 	dom/base/nsJSEnvironment.cpp:1288
19 	XUL 	nsXBLProtoImplField::InstallField 	content/xbl/src/nsXBLProtoImplField.cpp:151
20 	XUL 	XBLResolve 	content/xbl/src/nsXBLBinding.cpp:199
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsXBLService%3A%3AGetBinding%28nsIContent*%2C+nsIURI*%2C+bool%2C+nsIPrincipal*%2C+bool*%2C+nsXBLBinding**%2C+nsTArray%3CnsIURI*%2C+nsTArrayDefaultAllocator%3E%26%29
https://crash-stats.mozilla.com/report/list?signature=nsXBLService%3A%3AGetBinding
got this crash while saving a jetpack-addon locally.
This signature jumped from a residual crash to a top-20 crash for 12.* between 2012-04-19 and 2012-04-21, the 20th has >30x the crash volume than the 19th, so either we regressed something in 12.0b6 or there was an add-on release on the 20th that triggered this.
This is #16 in 12.0b6 but also exists in 12.0b5, it's at #66 there for 14-day and #41 for 7-day, #10 for 3-day and #12 for yesterday, so this is probably not our regression but something that made this rise starting Friday.
Summary: Crash @ nsXBLService::GetBinding with Firefox Hotfix extension → Crash @ nsXBLService::GetBinding
It's #9 top crasher in the first days of 12.0 while it was above #300 in 11.0.

In addition to the stack in comment 0, there's also the following stack:
Frame 	Module 	Signature 	Source
0 	xul.dll 	nsXBLService::GetBinding 	content/xbl/src/nsXBLService.cpp:870
1 	xul.dll 	nsXBLService::GetBinding 	content/xbl/src/nsXBLService.cpp:904
2 	xul.dll 	nsXBLService::GetBinding 	content/xbl/src/nsXBLService.cpp:904
3 	xul.dll 	nsXBLService::GetBinding 	content/xbl/src/nsXBLService.cpp:904
4 	xul.dll 	nsXBLService::LoadBindings 	content/xbl/src/nsXBLService.cpp:559
5 	xul.dll 	nsCSSFrameConstructor::AddFrameConstructionItemsInternal 	layout/base/nsCSSFrameConstructor.cpp:5139
6 	xul.dll 	nsCSSFrameConstructor::AddFrameConstructionItems 	layout/base/nsCSSFrameConstructor.cpp:5077
7 	xul.dll 	nsCSSFrameConstructor::ContentRangeInserted 	layout/base/nsCSSFrameConstructor.cpp:7167
8 	xul.dll 	nsCSSFrameConstructor::RecreateFramesForContent 	layout/base/nsCSSFrameConstructor.cpp:9195
9 	xul.dll 	nsCSSFrameConstructor::ProcessRestyledFrames 	layout/base/nsCSSFrameConstructor.cpp:8029
10 	xul.dll 	mozilla::css::RestyleTracker::DoProcessRestyles 	layout/base/RestyleTracker.cpp:242
11 	xul.dll 	PresShell::FlushPendingNotifications 	layout/base/nsPresShell.cpp:4089
12 	xul.dll 	CanCacheSubDocument 	content/base/src/nsDocument.cpp:6938
13 	xul.dll 	ExternalResourceTraverser 	content/base/src/nsDocument.cpp:793
14 	xul.dll 	nsViewManager::CallWillPaintOnObservers 	view/src/nsViewManager.cpp:1573
15 	xul.dll 	nsViewManager::DispatchEvent 	view/src/nsViewManager.cpp:867
...
Keywords: topcrash
It's #198 top browser crasher in 13.0.1.
Keywords: topcrash
Now that 714187 has been marked as a duplicate, shouldn't this bug be marked as [sg:critical], since some of these crashes are EXCEPTION_ACCESS_VIOLATION_EXEC and EXCEPTION_ILLEGAL_INSTRUCTION?

https://crash-stats.mozilla.com/report/index/c79ec247-e51c-4f49-83d6-a53852120727
https://crash-stats.mozilla.com/report/index/57483d53-0bac-427c-8b95-608332120727
It's currently #1 top crasher in 16.0 on Mac.
I see no correlations per extension.
tracking-firefox16: --- → ?
Keywords: topcrash
Version: 10 Branch → 16 Branch
Leaving this nominated - the crash volume is too low to know for sure whether this will be a top issue.
(In reply to Alex Keybl [:akeybl] from comment #9)
> Leaving this nominated - the crash volume is too low to know for sure
> whether this will be a top issue.
It's still #3 top browser crasher on Mac in 16.0.1. 17.0b1 is unaffected.
(In reply to Scoobidiver from comment #8)
> It's currently #1 top crasher in 16.0 on Mac.
> I see no correlations per extension.

bz - do you have any ideas about what's going on here? People have crashed when:

"A page was reloading after I hit Back, and in the meantime I had just told it to open Add-ons."
"I was actually doing nothing at this point other - pages were loading and an update was being DLd."
"I right-clicked a link on an eBay page. The page doesn't matter, because it crashes on many different pages. "

Comment 10 means we may wontfix, but let's try to understand what's going on here first.
I have no idea why this is crashing.  At first glance at the stack from comment 0 someone managed to pass in a bogus nsIURI somehow.  I have no idea how.
(In reply to Scoobidiver from comment #8)
> It's currently #1 top crasher in 16.0 on Mac.
> I see no correlations per extension.

Any DLL correlations? Given this is only occurring on the release channel, a 3rd party cause would be most likely.
(In reply to Alex Keybl [:akeybl] from comment #13)
> Any DLL correlations? Given this is only occurring on the release channel, a
> 3rd party cause would be most likely.
Not on Mac:
  nsXBLService::GetBinding|EXC_BAD_ACCESS / 0x0000000d (24 crashes)
    183% (44/24) vs.  96% (773/803) cl_kernels
    100% (24/24) vs.  59% (474/803) libtidy.A.dylib
    100% (24/24) vs.  61% (488/803) ColorSyncDeprecated.dylib
(In reply to JK from comment #7)
> shouldn't this bug be marked as [sg:critical], since some of these
> crashes are EXCEPTION_ACCESS_VIOLATION_EXEC

Possibly, it would be critical if this can be triggered by web content. If it's just Firefox getting itself into an inconsistent state then not necessarily. Still a potential security issue though since we might write more code that exposes these conditions to web content.
(In reply to Boris Zbarsky (:bz) from comment #12)
> I have no idea why this is crashing.  At first glance at the stack from
> comment 0 someone managed to pass in a bogus nsIURI somehow.  I have no idea
> how.

Without reproducible steps, are there any speculative/exploratory fixes we can take, or leads for QA to follow up on? If not, I'm not sure we can do much other than hope for a telling crash comment.
I can't think of anything here offhand.  :(
Keywords: needURLs
259 	about:newtab
99 	http://www.facebook.com/
84 	about:blank
53 	about:home
48 	https://www.facebook.com/
23 	https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&cont
23 	https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&cont
14 	https://mail.google.com/mail/u/0/?shva=1#compose
9 	https://mail.google.com/mail/?shva=1#compose
8 	https://login.yahoo.com/config/login_verify2?.intl=us&.src=ym
7 	http://www.gmx.net/
6 	https://login.yahoo.com/config/login_verify2?&.src=ym
6 	about:addons
6 	https://twitter.com/
5 	https://www.facebook.com/login.php
5 	http://www.ebay.de/
5 	http://www.baixaki.com.br/
5 	http://de-de.facebook.com/
5 	https://mail.google.com/mail/u/0/?tab=wm#compose
4 	http://www.odnoklassniki.ru/
4 	http://www.seznam.cz/
4 	bar:tabs
4 	http://www.ebay.com/
4 	http://www.ig.com.br/
4 	https://login.yahoo.com/config/login
4 	http://www.google.com/
4 	about:privatebrowsing
3 	https://mail.google.com/mail/u/0/?shva=1#inbox
3 	http://www.yahoo.co.jp/
3 	http://mail.ru/
3 	http://www.itau.com.br/index.htm
3 	http://www.youtube.com/
3 	https://www.google.com/
3 	http://facebook.com/
3 	http://www.yahoo.com/
3 	http://mail.aol.com/
3 	http://dragonbound.net/
3 	http://tr-tr.facebook.com/
3 	http://pt-br.facebook.com/
3 	http://thepiratebay.se/


From the second signature:

2 	https://www.usaa.com/
2 	https://www.e-qip.opm.gov/eqip-applicant/applicant/EditFormData/editForm
2 	http://www.yahoo.com/
2 	http://www.lovefilm.com/visitor/login_lf.html
2 	about:blank
2 	https://accounts.google.com/
2 	https://login.yahoo.com/config/login_verify2?.intl=us&.src=ym
1 	http://baike.baidu.com/view/4236.htm
1 	https://www.directv.com/
1 	http://www.ixtractor.com/instructions.php
1 	https://www.thomsoninnovation.com/login
1 	http://www.cpb.org/jobline/results.php?q=new
1 	https://www.bol.com/nl/account/login.html
1 	http://www.vogue.co.jp/collection/brand/Vivienne-Westeood/13ss-mens
1 	http://www.futureshop.ca/en-CA/home.aspx
1 	http://www.barbarakrakowgallery.com/artists
1 	http://www.sfgate.com/
Keywords: needURLs
This jumped significantly in yesterday's data in 16 (and also 15, BTW), it's topcrash #11 on that day for 16.0.1
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #19)
> This jumped significantly in yesterday's data in 16 (and also 15, BTW), it's
> topcrash #11 on that day for 16.0.1

Sadly, this is looking like a wontfix for FF16. Thankfully FF17 remains unaffected.
status-firefox16: --- → wontfix
status-firefox17: --- → unaffected
It's no longer a top crasher in 17.0 and 18.0b1 on Mac OS X.
status-firefox17: unaffectedaffected
status-firefox18: --- → affected
tracking-firefox17: +?
Keywords: topcrash
Crash Signature: [@ nsXBLService::GetBinding(nsIContent*, nsIURI*, bool, nsIPrincipal*, bool*, nsXBLBinding**, nsTArray<nsIURI*, nsTArrayDefaultAllocator>&)] [@ nsXBLService::GetBinding] → [@ nsXBLService::GetBinding(nsIContent*, nsIURI*, bool, nsIPrincipal*, bool*, nsXBLBinding**, nsTArray<nsIURI*, nsTArrayDefaultAllocator>&)] [@ @0x0 | nsXBLService::GetBinding(nsIContent*, nsIURI*, bool, nsIPrincipal*, bool*, nsXBLBinding** nsTArray<nsIU…
status-firefox19: --- → affected
status-firefox20: --- → affected
status-firefox21: --- → affected
Version: 16 Branch → Trunk
https://crash-stats.mozilla.com/report/index/bp-86a3a311-64fb-49ab-a47a-44e8b2130116

Crash while deleting a number of profiles from the profile manager in quick succession.
(In reply to Alex Keybl [:akeybl] from comment #16)
> Without reproducible steps, are there any speculative/exploratory fixes we
> can take, or leads for QA to follow up on? If not, I'm not sure we can do
> much other than hope for a telling crash comment.

Reproducible STR :

1. Open the profile manager. Create 4-5 new profiles.
2. Copy the complete contents of your main profile to each of the new profiles.
3. Open the profile manager. In quick succession, delete the newly created profiles.

Expected : no crash
Actual : Crash.

Using latest Nightly. Has happened to me once in the past one month.
Keywords: reproducible
I can also reproduce by deleting several profiles consecutively.
It's #4 top browser crasher in 17.0.2esr.
status-firefox-esr17: --- → affected
Not sure if this is related, but I can sometimes crash Firefox 19 with a SIGSEV when I update an add-on's panel content:

Frame 	Module 	Signature 	Source
0 	libxul.so 	nsXBLService::GetBinding 	nsXBLService.cpp:763
1 	libxul.so 	nsXBLService::GetBinding 	nsXBLService.cpp:850
2 	libxul.so 	nsXBLService::GetBinding 	nsXBLService.cpp:743
3 	libxul.so 	nsXBLService::LoadBindings 	nsXBLService.cpp:504
4 	libxul.so 	nsCSSFrameConstructor::AddFrameConstructionItemsInternal 	nsCSSFrameConstructor.cpp:5133
5 	libxul.so 	nsCSSFrameConstructor::AddFrameConstructionItems 	nsCSSFrameConstructor.cpp:5076
6 	libxul.so 	nsCSSFrameConstructor::ContentAppended 	nsCSSFrameConstructor.cpp:6649
7 	libxul.so 	PresShell::ContentAppended 	nsPresShell.cpp:4071
8 	libxul.so 	nsNodeUtils::ContentAppended 	nsNodeUtils.cpp:124
9 	libxul.so 	nsINode::doInsertChildAt 	nsINode.cpp:1327
10 	libxul.so 	nsINode::ReplaceOrInsertBefore 	nsINode.cpp:1913
11 	libxul.so 	nsIDOMNode_AppendChild 	nsINode.h:1451
12 	libxul.so 	js::InvokeKernel 	jscntxtinlines.h:364
13 	libxul.so 	js::Invoke 	jsinterp.h:109
14 	libxul.so 	js::BaseProxyHandler::call 	jsproxy.cpp:266
15 	libxul.so 	js::Wrapper::call 	jswrapper.cpp:302
16 	libxul.so 	js::CrossCompartmentWrapper::call 	jswrapper.cpp:635
17 	libxul.so 	proxy_Call 	jsproxy.cpp:2466
18 	libxul.so 	js::InvokeKernel 	jscntxtinlines.h:364
19 	libxul.so 	js::Interpret 	jsinterp.cpp:2336
20 	libxul.so 	js::RunScript 	jsinterp.cpp:324 
[...]
Ove, if you have reliable STR, file a bug as your stack trace is slightly different.
Depends on: 855402
In case this is useful, I crashed on Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0 ID:20131003030203 CSet: 0e26e6f12ad9 like bp-4cd74c5f-e70e-4b16-b7a5-c49fc2131007
Crashed again on Nightly.

Report ID 	Date Submitted
bp-27ad844b-3062-4a4a-ba06-1718e2140318	3/18/2014	9:48 AM

Is this bug or something else?
Just got this on Firefox 32 on Linux (locally built from m-c), after opening a new tab and attempting to type into the location bar:

 0  libxul.so!nsXBLService::GetBinding [nsXBLService.cpp:90267d87c375 : 663 + 0x0]
 1  libxul.so!nsXBLService::GetBinding [nsXBLService.cpp:90267d87c375 : 750 + 0x12]
 2  libxul.so!nsXBLService::GetBinding [nsXBLService.cpp:90267d87c375 : 643 + 0x9]
 3  libxul.so!nsXBLService::LoadBindings [nsXBLService.cpp:90267d87c375 : 444 + 0x1e]
 4  libxul.so!nsCSSFrameConstructor::AddFrameConstructionItemsInternal [nsCSSFrameConstructor.cpp:90267d87c375 : 5211 + 0x21]
 5  libxul.so!nsCSSFrameConstructor::AddFrameConstructionItems [nsCSSFrameConstructor.cpp:90267d87c375 : 5154 + 0x42]
 6  libxul.so!nsCSSFrameConstructor::ContentAppended [nsCSSFrameConstructor.cpp:90267d87c375 : 6746 + 0x1a]
 7  libxul.so!PresShell::ContentAppended [nsPresShell.cpp:90267d87c375 : 4273 + 0x14]
 8  libxul.so!nsNodeUtils::ContentAppended [nsNodeUtils.cpp:90267d87c375 : 134 + 0x1f]
 9  libxul.so!nsINode::doInsertChildAt [nsINode.cpp:90267d87c375 : 1506 + 0x8]
10  libxul.so!nsINode::ReplaceOrInsertBefore [nsINode.cpp:90267d87c375 : 2174 + 0x14]
11  libxul.so!mozilla::dom::NodeBinding::appendChild [nsINode.h:90267d87c375 : 1583 + 0x8]

That looks similar to the stack from comment #27.

Interestingly, the kernel reported what looks like an uncaught child process crash around the same time:

Chrome_ChildThr[20788]: segfault at 0 ip 00007fccc12533bc sp 00007fccaddc9430 error 6 in libmozalloc.so[7fccc1252000+2000]

But the minidump I found wasn't for plugin-container, so that would be the parent process.  I'm not using e10s directly, and I have the newtab tiles disabled, but if I enable them then a child process is started in order to render the thumbnails.

Sadly, no STR.
This is now the #2 topcrash on Firefox 34.0 with 966/15392 crashes in the last 7 days. 

crashing thread:

 0 	xul.dll 	nsXBLService::GetBinding(nsIContent*, nsIURI*, bool, nsIPrincipal*, bool*, nsXBLBinding**, nsTArray<nsIURI*>&) 	dom/xbl/nsXBLService.cpp
1 	xul.dll 	nsXBLService::GetBinding(nsIContent*, nsIURI*, bool, nsIPrincipal*, bool*, nsXBLBinding**, nsTArray<nsIURI*>&) 	dom/xbl/nsXBLService.cpp
2 	xul.dll 	nsXBLService::LoadBindings(nsIContent*, nsIURI*, nsIPrincipal*, nsXBLBinding**, bool*) 	dom/xbl/nsXBLService.cpp
3 		@0x2299daff
Most of the stacks are really odd.
.
Comment 32 mentions plugin containers and the other new topcrash on the 34 release this week is bug 1107963 which looks plugin related. It might be worth a look to see if there's any chance they're related.
FWIW it happened to me when I right-clicked on 'Lock issue' at https://github.com/firebug/firebug.next/issues/283. Here's the crash report:

https://crash-stats.mozilla.com/report/index/429f088d-400b-425e-92f3-263782150128

I have multiple extensions installed, which extend the page's context menu. These extensions are Firebug 2.0.7, Adblock Plus 2.6.7, Dict.cc Translation 3.5 and Web Developer 1.2.5 and I just updated Adblock Plus before the crash happened.

Sebastian
My installed addons:
Adblock Edge	2.1.8	true	{fe272bd1-5f76-4ea4-8501-a05d35d823fc}
Adblock Plus Pop-up Addon	0.9.2	true	adblockpopups@jessehakanen.net
Add-on Compatibility Reporter	2.0.5	true	compatibility@addons.mozilla.org
Add-on Toolbarbutton	1.0.3	true	addontbb@byo.co.il
Addons Manager Hilite	2.1.2	true	addonsmgrhilte@cfl
AddThis	3.6.5	true	{3e0e7d2a-070f-4a47-b019-91fe5385ba79}
Anti-Aliasing Tuner	14.12.03.01	true	aatuner@hotmint.com
auto-plugin-checker	0.6.4.2	true	auto-plugin-checker@jetpack
Awesome screenshot: Capture and Annotate	2.4.4	true	jid0-GXjLLfbCoAx0LcltEdFrEkQdQPI@jetpack
Battlefield Play4Free	1.0.96.0	true	battlefieldplay4free@ea.com
Bug 566510 - Allow multiselect operations on tabs	0.12.4	true	bug566510@vovcacik.addons.mozilla.org">bug566510@vovcacik.addons.mozilla.org
bug419911 (diagonal dragging)	2.1	true	bug419911@alice
Classic Theme Restorer (Customize UI)	1.2.9.6	true	ClassicThemeRestorer@ArisT2Noia4dev
Configuration Mania	1.20.2015021801	true	{c4d362ec-1cff-4ca0-9031-99a8fad7995a}
ContextMenuPlus	1.4.5	true	jid1-JslOo8hXnC8AZA@jetpack
CookieKeeper	1.8.3	true	cookiekeeper@cookiekeeper.mozdev.org
Customizations for Adblock Plus	1.0.3	true	customization@adblockplus.org
Diagnostics for Adblock Plus	1.2.4	true	abpwatcher@adblockplus.org
DownThemAll!	2.0.18	true	{DDC359D1-844A-42a7-9AA1-88A850A938A8}
DownThemAll! AntiContainer	1.3	true	anticontainer@downthemall.net
Element Hiding Helper dla Adblock Plusa	1.3.1	true	elemhidehelper@adblockplus.org
Enhanced Steam	7.3	true	jid1-YdiFiTEkQgInxA@jetpack
Fasterfox	3.9.85	true	{c36177c0-224a-11da-8cd6-0800200c9a91}
FEBE	8.5.1	true	{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
Firebug	2.0.8	true	firebug@software.joehewitt.com
Firefinder for Firebug	1.4	true	firefinder@robertnyman.com
FireFTP	2.0.22	true	{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
Flash Game Maximizer	1.3.6	true	{258735dc-6743-4805-95fc-f95941fffdad}
FlashGot	1.5.6.10	true	{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
FlashStopper	1.2.5	true	flashstopper@byo.co.il
FMix	0.3	true	id@baku.fmix
Google search link fix	1.4.9	true	jid0-XWJxt5VvCXkKzQK99PhZqAn7Xbg@jetpack
Google Shortcuts	2.1.8.2	true	{5C46D283-ABDE-4dce-B83C-08881401921C}
Greasemonkey	2.3	true	{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
Hola Better Internet	1.6.850	true	jid1-4P0kohSJxU1qGg@jetpack
IE Tab 2 (FF 3.6+)	5.12.12.1	true	{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
LastPass	3.1.77	true	support@lastpass.com
MEGA	2.0.219	true	firefox@mega.co.nz
Microsoft .NET Framework Assistant	1.3.1	true	{20a82645-c095-46ed-80e3-08825760534b}
MinimizeToTray revived (MinTrayR)	1.1.2	true	mintrayr@tn123.ath.cx
New Tab Tools	39	true	newtabtools@darktrojan.net
Open With Photoshop	35.2	true	{f3f219f9-cbce-467e-b8fe-6e076d29665c}
Permanent List-all-tabs Button	1.0	true	listalltabs@sdrocking.com
Personas Plus	1.7.3	true	personas@christopher.beard
Priv8	0.0.7	true	id@baku.priv8
Prywatna karta	0.1.7.3	true	privateTab@infocatcher
Restart	1.2.3	true	Restart@schuzak.jp
S3.Google Translator	3.09	true	s3google@translator
Saved Password Editor	2.8.3	true	savedpasswordeditor@daniel.dawson
SettingSanity	0.8.2	true	{12A60D0F-0077-4F41-81B2-1286DDD278BB}
Stylish	2.0.2	true	{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}
Theme Font & Size Changer	35.4	true	{f69e22c7-bc50-414a-9269-0f5c344cd94c}
TV-Fox	19.0.0	true	{2f17f610-5e97-4fed-828f-9940b7b577a4}
Weather Forecast	0.1.6	true	jid1-aqwHRwQpv3JUMs@jetpack
Webmail Ad Blocker	4.28	true	gmailnoads@mywebber.com
Xmarks	4.3.5	true	foxmarks@kei.com
Yet Another Smooth Scrolling	3.1.7	true	yetanothersmoothscrolling@kataho
Auto Refresh	1.0.2	false	autorefresh@plugin
ChatZilla	0.9.91.1	false	{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
EPUBReader	1.5.0.4	false	{5384767E-00D9-40E9-B72F-9CC39D655D6F}
FavIconReloader	0.8	false	FavIconReloader@mozilla.org
FBMemes.org	1.0.7	false	{e7b8f3ea-257c-44c7-86b6-5e8803761d7f}
Font Finder	1.1.1	false	fontfinder@bendodson.com
FoxLingo	2.7.8	false	{ef62e1ce-d2a4-4cdd-b7ec-92b120366b66}
FxKeyboard	2.4.2	false	fxkeyboard@zabreznik.net
ProxMate	4.1.2	false	jid1-QpHD8URtZWJC2A@jetpack
RealDownloader	17.0.15	false	{338950EA-82DB-44C1-930D-0C28E023C9F0}
Russian Hunspell spellchecking dictionary	1.0.20131101	false	hunspell-ru@dictionaries.addons.mozilla.org
Security Plus	0.1.2	false	jid0-DjsrWcAS3Wgq2xyyqqVL8Dqk1Lo@jetpack
Shumway	0.10.212	false	shumway@research.mozilla.org
Site Information Tool	1.2	false	siteinfo@wmtips
Tile View	4.3	false	tileview@DW-dev
Windows Media Player Extension for Firefox	1.1	false	jid0-nRwp7VvCqZcSRTppwWz2npqGEKw@jetpack
I suspect that the STR in comment 24 was fixed by bug 855402, so we need new STR.

FWIW, it's currently #12 in 36.0.1 Top Crash list and rising.
Keywords: reproducibleqawanted, steps-wanted
Blocks: 1139018
This signature made a significant jump in crash-stats on 2015-03-14, across multiple channels/trains. Sounds a lot like some external factor, like add-on, website or 3rd-party software being updated.
We got bug 1144248 filed yesterday where Martin gets a similar crash when running our Mozmill tests and having a specific installed bootstrapped add-on uninstalled. The strack looks a bit different but maybe it is the same? 

Robert, do we have any correlation for which add-ons are involved in those crashes? Might be we can figure more details out with that information.
I will add that I have enabled DEP(Data Execution Prevention) for all programs - OptOut option. I have exceptions in DEP, for old games only.
(In reply to Henrik Skupin (:whimboo) from comment #43)
> Robert, do we have any correlation for which add-ons are involved in those
> crashes? Might be we can figure more details out with that information.

Unfortunately, I didn't see any correlations of use at all when filing this, otherwise I would have noted them. I probably should have mentioned that fact, though.
Robert, do you have a link to the crash listing? The one in the URL field seems to be outdated and doesn't list any current ones.
Nowadays, the links in the Crash Signature field actually point to reports, but this is the signature we are seeing now: https://crash-stats.mozilla.com/report/list?signature=nsXBLService%3A%3AGetBinding%28nsIContent*%2C+nsIURI*%2C+bool%2C+nsIPrincipal*%2C+bool*%2C+nsXBLBinding**%2C+nsTArray%3CnsIURI*%3E%26%29

And it's now even listed as #5 for 36.0.1
(In reply to Richard Newman [:rnewman] from comment #48)
> atoll reported getting this clicking a tab in preferences.
> 
> https://crash-stats.mozilla.org/report/index/8b6ee15e-8a1d-435b-9fe9-
> 391b62150330

I updated to 36.0.4, then opening the Preferences dialog, clicking to various tabs in this order:

Security, Privacy, Sync, Advanced, Certificates, (viewed a certificate or two), General, Tabs, Search, Content, Applications

When it hit the Applications tab, it crashed before displaying the pane (to the best of my perception).

I am not able to reproduce this after the crash, so I have no idea what's going on.
If it's of any help, the last time I clicked on the Applications tab was at least 1-3 years ago.
Neither deleting mimeTypes.rdf nor restoring it from yesterday's backup (dated Oct 01 2014) helped me repro this issue.
along the same lines, I crashed doing 
  tools | options

bp-abb5c779-f4bb-416c-a0d1-ffe8b2150403

Crashed today with 38.0.1 in a profile I created just this morning (has one extension).

https://crash-stats.mozilla.com/report/index/82042572-39ef-4e58-9269-ce8372150515

Flagging for tracking in 38.
status-firefox38.0.5: --- → ?
tracking-firefox38: --- → ?
tracking-firefox38.0.5: --- → ?
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #42)
> This signature made a significant jump in crash-stats on 2015-03-14, across
> multiple channels/trains. Sounds a lot like some external factor, like
> add-on, website or 3rd-party software being updated.

Is this still a working assumption?


(In reply to Wayne Mery (:wsmwk, use Needinfo for questions) from comment #52)
> along the same lines, I crashed doing 
>   tools | options 
> bp-abb5c779-f4bb-416c-a0d1-ffe8b2150403

I just crashed again bp-5c7c8512-8d7f-4c6b-9345-1bc302150520 in a more complex scenario - so I don't have steps.  In fact it's a convoluted mess.

I had two firefox instances of 2015-05-10 build running. Instance 1 ~150 tabs running for a couple days.  Instance two firefox -P -no-remote  was running for about 15 minutes, and it background updated firefox before I could tweak the options to have it not update, and it was wanting to restart.  In the first instance, I had just clicked a URL in thunderbird, and had attempted to close a tab. And somewhere in there I also clicked update for 4 addons that showed up under available updates (but two disabled addons Greasmonkey and Gecko Profiler were still wanting to update after I restarted, so those updates apparently failed on first attempt).  I then discovered crash reporter window hidden because instance 1 had crashed.

Only AV I have running is Malwarebytes. The only notable addons I have enabled are Flashblock, Session manager, Tabhunter, Treesyletabs
Whiteboard: [external regression on 2015-03-14?]
There are also many user examples with no addons. In fact in my sample size of 6, 4 have no addons:
bp-6e88948f-1839-4511-b2a5-7b4602150517
bp-8ddc4a91-6b35-4922-845a-8bd9e2150516
bp-e821b3e3-4e58-4bec-a86f-655922150514 CrashAddr 0x5a5a5a5a
"I just refreshed Firefox and tried to sign in to Gmail to do my survey."
bp-8a2ed0e4-992e-48f6-95f9-78afa2150515 CrashAddr 0x5a5a5a5a

with addons:
bp-7b163422-0b30-4f4f-a4e9-ec8902150516 CrashAddr 0x5a5a5a5a
bp-1f2ddb69-cd5c-48ce-8564-d19092150518 (one addon)
Too late for 39 beta. 

Do we really want to be tracking this since we've been wontfixing it since Firefox 16? We are seeing some crashes in 38+.

bholly, what do you think? Is this something that would be worth digging into? I'm asking since you're listed as a peer for XBL.
status-firefox38: affectedwontfix
status-firefox39: affectedwontfix
Flags: needinfo?(bobbyholley)
(In reply to Liz Henry (:lizzard) from comment #57)
> bholly, what do you think? Is this something that would be worth digging
> into? I'm asking since you're listed as a peer for XBL.

The stacks don't point to an obvious XBL problem, and some of the stacks also look corrupt.

An obvious thing would be to make baseBindingURI an nsCOMPtr, but I don't think it should matter, since the entire setup should be held alive by the reference to the nsXBLDocumentInfo at the top.

Whether or not we spend more time investigating this depends on how bad the crash is. If we do, we probably need a crash specialist to look at it. I don't have any more cycles right now to give this myself, unfortunately.
Flags: needinfo?(bobbyholley)
(In reply to Bobby Holley (:bholley) from comment #58)
> An obvious thing would be to make baseBindingURI an nsCOMPtr, but I don't
> think it should matter, since the entire setup should be held alive by the
> reference to the nsXBLDocumentInfo at the top.

Is it possible to make it an nsCOMPtr and assert that the refcount is at least 2 at that point, or would that not actually result is useful information?
(In reply to Jed Davis [:jld] {UTC-7} from comment #59)
> (In reply to Bobby Holley (:bholley) from comment #58)
> > An obvious thing would be to make baseBindingURI an nsCOMPtr, but I don't
> > think it should matter, since the entire setup should be held alive by the
> > reference to the nsXBLDocumentInfo at the top.
> 
> Is it possible to make it an nsCOMPtr and assert that the refcount is at
> least 2 at that point, or would that not actually result is useful
> information?

Well, my reading of the code shows that the value being returned comes from an nsCOMPtr that doesn't change over the lifetime of the nsXBLPrototypeBinding, which should span the scope of the method. So I don't think that assert would help all that much, though it certainly can't hurt.

It seems like the most likely that the nsXBLPrototypeBinding itself has been freed somehow, but I'm not sure how that would happen.
These have all similar backtraces:
bp-d7769428-d57d-468f-abd8-ebb752150619 2015-06-19 21:58
bp-be58025f-fca6-4590-964b-937ba2150606 2015-06-06 16:42
bp-c804c8f3-ca01-465c-92cd-a77eb2150602 2015-06-02 20:40
bp-14c01d53-b05f-4347-94e7-58e9a2150513 2015-05-13 20:03
bp-c96b7ecb-16c7-4966-b5ea-545ac2150429 2015-04-29 19:26
bp-5eb518fd-7856-4bba-9671-638b22150109 2015-01-09 20:37
bp-e6bb2589-e7ca-4d72-943b-cd84a2150108 2015-01-08 19:21
bp-2e9de339-9f3c-4af7-9a63-bbd6d2150104 2015-01-04 18:58
bp-a0c08c13-b921-4842-8e85-eb51f2141205 2014-12-05 21:15
bp-9cc614ad-15dc-4613-929e-6367f2140924 2014-09-24 21:56
bp-ce2796b8-18e9-481e-9adc-e1b4b2140513 2014-05-14 24:01
bp-74797531-8e19-4b6d-b61f-32e4e2130408 2013-04-08 20:39
bp-f1f1f2e2-5de3-4134-bf40-048ac2130227 2013-02-27 22:49

The older ones don't seem to be available anymore, but I'm pretty sure the crashes were in nsXBLService::GetBinding. I say "similar" because only the top 5 frames are the same. Eg comparing:
  e6bb2589-e7ca-4d72-943b-cd84a2150108 (report points to this bug)
with
  c96b7ecb-16c7-4966-b5ea-545ac2150429 (report does not point to a bug)

Also note the sudden increase in crashes in 2015. There were more crashes actually, but I didn't bother submitting them.
several addons updated. I clicked a non-firefox window. crash
nsXBLService::GetBinding(nsIContent*, nsIURI*, bool, nsIPrincipal*, bool*, nsXBLBinding**, nsTArray<T>&)
bp-7c42ed1a-c649-4f0c-b650-b385f2150704
And another one:
  88f866f5-9686-41ec-9813-43de92150711
What I did: middle-click a link to open in a new tab. A download was in progress. FF is becoming too unstable. When are you going to do something about this?
Another one that seems related:
  9a3d53ce-acb4-409a-940e-29ea12150822
It has a different backtrace, top 3 frames seem random. But it has nsXBLService::LoadBindings in it. Looks like some memory corruption, uninitialized var or maybe use-after-free? I also think it's a lot more crashes that just don't get correlated having different top frames.
Crash Signature: , bool, nsIPrincipal*, bool*, nsXBLBinding**, nsTArray<nsIURI*>&)] → , bool, nsIPrincipal*, bool*, nsXBLBinding**, nsTArray<nsIURI*>&)] [@ @0x0 | nsXBLService::GetBinding]
Just FYI: This crash (any similar looking ones) did not happen again for me since this commit:
  Bug 1202844, make nsXBLService::GetBinding deal with shutting down during binding loading, r=bz
In fact I did not have any crashes for the last 5 months.
That's awesome to hear!  Going to mark this fixed, then.
Status: NEW → RESOLVED
Closed: 8 years ago
Depends on: 1202844
Resolution: --- → FIXED

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression
You need to log in before you can comment on or make changes to this bug.