XSLT form crashes Firefox when using oracle java plugin

Status: UNCONFIRMED
Assignee: Unassigned
Product: Core
Component: XSLT
Priority: --
Severity: critical
Reporter: Ritesh Khadgaray
Version: 12 Branch
Platform: x86_64 Linux
Keywords: crash
Reported: 6 years ago
Modified: 6 years ago
Attachments: 1 attachment

Description (Reporter, 6 years ago)

Created attachment 624795 [details]
test.zip

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0
Build ID: 20120509213847

Steps to reproduce:

Firefox crashes when performing an XSLT transformation when also loading any <applet> stanza when the Oracle Java plugin is used.

= Environment =

* Oracle JRE 6u31 (*any* Oracle/Sun Java plugin)
* Firefox (any version)
* Ubuntu 10.04 LTS, 11.04, 11.10 or 12.04 LTS 32-bit
* Web page containing xslt reproducer (attached)

= Reproducible =
100% (see attachment reproducer) but only with the Oracle Java plugin, not the IcedTea plugins in the archive.

= Workaround =
Use the OpenJDK/IcedTea plugin - this is not a viable option.

= Further Information =
Reproducing on Ubuntu 12.04 LTS 32-bit with Firefox 12

* Download the two JREs from:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

* Extract both Oracle JREs:
$ cd /usr
$ tar -xvf jre-7u3-linux-i586.tar.gz

* Install the plugins into the alternatives system to switch easily:
$ ln -s /usr/jre1.6.0_31/lib/i386/libnpjp2.so /usr/lib/mozilla/plugins

* Unpack test.zip
$ unzip test.zip

* Open Firefox and check "about:plugins", open file:///path/to/test1.html.

= backtrace =

[Thread 0xa38a7b40 (LWP 2384) exited]
nsPluginNativeWindowGtk2: call SetWindow with xid=0x3e00291
--DOMWINDOW == 14 (0x811f4368) [serial = 14] [outer = 0x811e7e58] [url = about:blank]

Program received signal SIGSEGV, Segmentation fault.
0xb5fd9fbb in AssertActivityIsLegal ()
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/xpcom/base/nsTraceRefcntImpl.cpp:167
167 /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/xpcom/base/nsTraceRefcntImpl.cpp: No such file or directory.
(gdb) bt
#0 0xb5fd9fbb in AssertActivityIsLegal ()
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/xpcom/base/nsTraceRefcntImpl.cpp:167
#1 0xb5fdc8d2 in NS_LogDtor_P (aPtr=0x81405fe0,
    aType=0xb6a941ab "txInstruction", aInstanceSize=8)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/xpcom/base/nsTraceRefcntImpl.cpp:1148
#2 0xb5232e0e in txInstruction::~txInstruction (this=0x81405fe0,
    __in_chrg=<optimized out>)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/content/xslt/src/xslt/txInstructions.h:64
#3 0xb5237966 in txStartLREElement::~txStartLREElement (this=0x81405fe0,
    __in_chrg=<optimized out>)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/content/xslt/src/xslt/txInstructions.h:388
#4 0xb52379a7 in txStartLREElement::~txStartLREElement (this=0x81405fe0,
    __in_chrg=<optimized out>)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/content/xslt/src/xslt/txInstructions.h:388
#5 0xb5237187 in nsAutoPtr<txInstruction>::~nsAutoPtr (this=0x81405fc4,
    __in_chrg=<optimized out>) at ../../../../dist/include/nsAutoPtr.h:105
#6 0xb5232e1c in txInstruction::~txInstruction (this=0x81405fc0,
    __in_chrg=<optimized out>)
...

#6479 0xb522b2f5 in txStylesheet::Release (this=0x81394ac8)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/content/xslt/src/xslt/txStylesheet.h:71
#6480 0xb522db66 in nsRefPtr<txStylesheet>::~nsRefPtr (this=0x81392bec, __in_chrg=<optimized out>)
    at ../../../../dist/include/nsAutoPtr.h:908
#6481 0xb526f59f in txMozillaXSLTProcessor::~txMozillaXSLTProcessor (this=0x81392bd0, 
    __in_chrg=<optimized out>)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/content/xslt/src/xslt/txMozillaXSLTProcessor.cpp:359
#6482 0xb526f021 in txMozillaXSLTProcessor::Release (this=0x81392bd0)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/content/xslt/src/xslt/txMozillaXSLTProcessor.cpp:338
#6483 0xb582bc11 in DoDeferredRelease<nsISupports*> (array=...)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/js/xpconnect/src/XPCJSRuntime.cpp:656
#6484 0xb5826a1b in XPCJSRuntime::GCCallback (cx=0x8029ffd8, status=JSGC_END)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/js/xpconnect/src/XPCJSRuntime.cpp:952
#6485 0xb653b523 in js_GC (cx=0x8029ffd8, comp=0x0, gckind=GC_NORMAL, reason=js::gcreason::CC_FORCED)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/js/src/jsgc.cpp:3019
#6486 0xb65250fa in js::GCForReason (cx=0x8029ffd8, reason=js::gcreason::CC_FORCED)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/js/src/jsfriendapi.cpp:134
#6487 0xb57f1a1c in nsXPConnect::Collect (this=0x80296ee8, reason=14, kind=0)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/js/xpconnect/src/nsXPConnect.cpp:433
#6488 0xb5fe20d7 in nsCycleCollector::GCIfNeeded (this=0x800c5ee0, aForceGC=false)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/xpcom/base/nsCycleCollector.cpp:2826
#6489 0xb5fe3206 in nsCycleCollectorRunner::Collect (this=0x800c6818, aListener=0x0)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/xpcom/base/nsCycleCollector.cpp:3741
#6490 0xb5fe3895 in nsCycleCollector_collect (aListener=0x0)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/xpcom/base/nsCycleCollector.cpp:3856
#6491 0xb52ebe29 in nsJSContext::CycleCollectNow (aListener=0x0, aExtraForgetSkippableCalls=0)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/dom/base/nsJSEnvironment.cpp:3270
#6492 0xb52ec3f2 in CCTimerFired (aTimer=0x8046a870, aClosure=0x0)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/dom/base/nsJSEnvironment.cpp:3385
#6493 0xb5fcfcaf in nsTimerImpl::Fire (this=0x8046a870)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/xpcom/threads/nsTimerImpl.cpp:428
#6494 0xb5fd00a9 in nsTimerEvent::Run (this=0xb2054ef0)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/xpcom/threads/nsTimerImpl.cpp:524
#6495 0xb5fc86e3 in nsThread::ProcessNextEvent (this=0x800b7518, mayWait=true, result=0xbfffceef)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/xpcom/threads/nsThread.cpp:657
#6496 0xb5f5f6d8 in NS_ProcessNextEvent_P (thread=0x800b7518, mayWait=true)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/obj-i686-linux-gnu/xpcom/build/nsThreadUtils.cpp:245
#6497 0xb5e27302 in mozilla::ipc::MessagePump::Run (this=0x800b0560, aDelegate=0x8006c728)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/ipc/glue/MessagePump.cpp:134
#6498 0xb6012afe in MessageLoop::RunInternal (this=0x8006c728)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/ipc/chromium/src/base/message_loop.cc:208
#6499 0xb6012a89 in MessageLoop::RunHandler (this=0x8006c728)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/ipc/chromium/src/base/message_loop.cc:201
#6500 0xb6012a6b in MessageLoop::Run (this=0x8006c728)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/ipc/chromium/src/base/message_loop.cc:175
#6501 0xb5ccb9db in nsBaseAppShell::Run (this=0x8023e9b0)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/widget/xpwidgets/nsBaseAppShell.cpp:189
#6502 0xb5a1a694 in nsAppStartup::Run (this=0x80280850)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/toolkit/components/startup/nsAppStartup.cpp:220
#6503 0xb48ecaec in XRE_main (argc=2, argv=0xbffff734, aAppData=0x80007da0)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/toolkit/xre/nsAppRunner.cpp:3537
#6504 0x8000151f in do_main (exePath=0xbfffe68c "/usr/lib/firefox/", argc=2, argv=0xbffff734)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/browser/app/nsBrowserApp.cpp:205
#6505 0x80001771 in main (argc=2, argv=0xbffff734)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/browser/app/nsBrowserApp.cpp:295



Actual results:

ff crashes
(Reporter)

Updated 6 years ago
Severity: normal → critical
Crash Signature: [@ AssertActivityIsLegal]
Component: Untriaged → XSLT
Keywords: crash
Product: Firefox → Core
QA Contact: untriaged → xslt
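
A triage helper for a backtrace like the one in this report, added here as an example (it is not part of the bug report or of Mozilla's code). It parses gdb `bt` frames, measures total stack depth, counts the frames missing from the paste, and tallies destructor frames. The sample input is an abridged copy of the frames above; the function name `summarize` and the 1000-frame threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample: first line of selected frames copied from the report
# above; "..." marks where the reporter elided frames.
SAMPLE_BT = """\
#0 0xb5fd9fbb in AssertActivityIsLegal ()
#1 0xb5fdc8d2 in NS_LogDtor_P (aPtr=0x81405fe0,
#2 0xb5232e0e in txInstruction::~txInstruction (this=0x81405fe0,
#3 0xb5237966 in txStartLREElement::~txStartLREElement (this=0x81405fe0,
#4 0xb52379a7 in txStartLREElement::~txStartLREElement (this=0x81405fe0,
#5 0xb5237187 in nsAutoPtr<txInstruction>::~nsAutoPtr (this=0x81405fc4,
#6 0xb5232e1c in txInstruction::~txInstruction (this=0x81405fc0,
...
#6479 0xb522b2f5 in txStylesheet::Release (this=0x81394ac8)
#6505 0x80001771 in main (argc=2, argv=0xbffff734)
"""

# Matches "#N [0xADDR in ]symbol (args..."; "at file:line" continuation
# lines and gdb pager prompts do not start with "#N" and are skipped.
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(.+?) \(", re.M)


def summarize(bt, deep_threshold=1000):
    """Summarize a gdb 'bt' dump; deep_threshold is an assumed triage cutoff."""
    frames = [(int(n), sym) for n, sym in FRAME_RE.findall(bt)]
    if not frames:
        raise ValueError("no gdb frames found")
    depth = frames[-1][0] + 1  # frame numbers start at 0
    # Ranges of frame numbers that are absent from the pasted trace.
    gaps = [(a + 1, b - 1) for (a, _), (b, _) in zip(frames, frames[1:]) if b - a > 1]
    return {
        "top": frames[0][1],
        "depth": depth,
        "shown": len(frames),
        "elided": sum(hi - lo + 1 for lo, hi in gaps),
        "gaps": gaps,
        "dtors": Counter(sym for _, sym in frames if "::~" in sym),
        "deep": depth >= deep_threshold,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_BT)
    print(f"top={s['top']} depth={s['depth']} elided={s['elided']} deep={s['deep']}")
    for sym, count in s["dtors"].most_common():
        print(f"  {count}x {sym}")
```

A trace flagged `deep` with destructors dominating the visible frames is worth checking for recursion depth before it is triaged on the top frame alone.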