759198 - segfault in nightly on blogspot

Status: RESOLVED WORKSFORME

(Core :: DOM: Core & HTML, defect)

Description

[Bas Hickendorff]

User Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20120511 Iceweasel/3.5.16 (like Firefox/3.5.16)
Build ID: 20120511091848

Steps to reproduce:

Load  http://ganeshtiwaridotcomdotnp.blogspot.com/2012/05/eclipse-proguard-maven-project.html in the current (may 28 2012) firefox nightly.  This is on a clean build (no extensions etc.)

OS: debian / linux



Actual results:

Firefox segfaults a short moment after loading the page. Sometimes it takes a reload or two, but it is reproducible.

backtrace:

Program received signal SIGSEGV, Segmentation fault.
IndexOf<nsIAtom*, nsDefaultComparator<nsCOMPtr<nsIAtom>, nsIAtom*> > (this=0xaa158e30, aValue=0xaa158dc0, aCaseSensitive=eCaseMatters)
    at ../../../dist/include/nsTArray.h:620
620	    const elem_type* iter = Elements() + start, *end = Elements() + Length();
(gdb) bt
#0  IndexOf<nsIAtom*, nsDefaultComparator<nsCOMPtr<nsIAtom>, nsIAtom*> > (this=0xaa158e30, aValue=0xaa158dc0, aCaseSensitive=eCaseMatters)
    at ../../../dist/include/nsTArray.h:620
#1  IndexOf<nsIAtom*> (this=0xaa158e30, aValue=0xaa158dc0, aCaseSensitive=eCaseMatters) at ../../../dist/include/nsTArray.h:636
#2  Contains<nsIAtom*> (this=0xaa158e30, aValue=0xaa158dc0, aCaseSensitive=eCaseMatters) at ../../../dist/include/nsTArray.h:608
#3  nsAttrValue::Contains (this=0xaa158e30, aValue=0xaa158dc0, aCaseSensitive=eCaseMatters) at /home/bas/mozilla/src/content/base/src/nsAttrValue.cpp:1045
#4  0xb67156c0 in MatchClassNames (aContent=0x9eed4e20, aNamespaceID=0, aAtom=0x0, aData=0xaad551a8) at /home/bas/mozilla/src/content/base/src/nsContentUtils.cpp:5969
#5  0xb670b8d9 in nsContentList::Match (this=0x9d473330, aElement=0x11) at /home/bas/mozilla/src/content/base/src/nsContentList.cpp:807
#6  0xb670cb8c in nsContentList::PopulateSelf (this=0x9d473330, aNeededLength=4294967295) at /home/bas/mozilla/src/content/base/src/nsContentList.cpp:899
#7  0xb670cd18 in nsContentList::Length (this=0x9d473330, aLength=0xbfffc358) at /home/bas/mozilla/src/content/base/src/nsContentList.cpp:508
#8  nsContentList::GetLength (this=0x9d473330, aLength=0xbfffc358) at /home/bas/mozilla/src/content/base/src/nsContentList.cpp:591
#9  0xb6c2d605 in mozilla::dom::binding::ListBase<mozilla::dom::binding::ListClass<nsIHTMLCollection, mozilla::dom::binding::Ops<mozilla::dom::binding::Getter<nsIContent*>, mozilla::dom::binding::NoOp>, mozilla::dom::binding::Ops<mozilla::dom::binding::Getter<mozilla::dom::binding::nsISupportsResult>, mozilla::dom::binding::NoOp> > >::getPropertyOnPrototype (cx=0xab728460, proxy=0x9eb89850, id=-1324275840, found=0xbfffc3cf, vp=0xbfffc758)
    at /home/bas/mozilla/src/js/xpconnect/src/dombindings.cpp:1002
#10 0xb6c3358e in mozilla::dom::binding::ListBase<mozilla::dom::binding::ListClass<nsIHTMLCollection, mozilla::dom::binding::Ops<mozilla::dom::binding::Getter<nsIContent*>, mozilla::dom::binding::NoOp>, mozilla::dom::binding::Ops<mozilla::dom::binding::Getter<mozilla::dom::binding::nsISupportsResult>, mozilla::dom::binding::NoOp> > >::get (this=0xb78b3d84, cx=0xab728460, proxy=0x9eb89850, receiver=0x9eb89850, id=-1324275840, vp=0xbfffc758)
    at /home/bas/mozilla/src/js/xpconnect/src/dombindings.cpp:1078
#11 0xb72dcde2 in js::Proxy::get (cx=0x19, obj=..., receiver=..., id=..., vp=0xbfffc758) at /home/bas/mozilla/src/js/src/jsproxy.cpp:1090
#12 proxy_GetGeneric (cx=0x19, obj=..., receiver=..., id=..., vp=0xbfffc758) at /home/bas/mozilla/src/js/src/jsproxy.cpp:1303
#13 0xb7283ac0 in JSObject::getGeneric (this=0x9eb89850, cx=0x11, id=..., vp=0xbfffc758) at /home/bas/mozilla/src/js/src/jsobjinlines.h:159
#14 JSObject::getGeneric (this=0x9eb89850, cx=0x11, id=..., vp=0xbfffc758) at /home/bas/mozilla/src/js/src/jsobjinlines.h:177
#15 0xb7285897 in GetPropertyGenericMaybeCallXML (cx=0xab728460, entryFrame=0xb1aff020, interpMode=js::JSINTERP_NORMAL)
    at /home/bas/mozilla/src/js/src/jsinterpinlines.h:164
#16 GetPropertyOperation (cx=0xab728460, entryFrame=0xb1aff020, interpMode=js::JSINTERP_NORMAL) at /home/bas/mozilla/src/js/src/jsinterpinlines.h:227
#17 js::Interpret (cx=0xab728460, entryFrame=0xb1aff020, interpMode=js::JSINTERP_NORMAL) at /home/bas/mozilla/src/js/src/jsinterp.cpp:2407
#18 0xb729125f in js::RunScript (cx=0xab728460, script=0x9d852100, fp=0xb1aff020) at /home/bas/mozilla/src/js/src/jsinterp.cpp:266
#19 0xb72921ea in ExecuteKernel (cx=0xab728460, script=0x9d852100, scopeChainArg=..., rval=0x0) at /home/bas/mozilla/src/js/src/jsinterp.cpp:466
#20 js::Execute (cx=0xab728460, script=0x9d852100, scopeChainArg=..., rval=0x0) at /home/bas/mozilla/src/js/src/jsinterp.cpp:508
#21 0xb720c7ef in EvaluateUCScriptForPrincipalsCommon (cx=0xab728460, obj_=0xb101b040, principals=0xa9777244, originPrincipals=0x9d0a3244, chars=0x9c95b008, 
    length=6491, filename=0x9eedddc8 "http://widgets.digg.com/buttons.js", lineno=1, rval=0x0, compileVersion=JSVERSION_DEFAULT)
    at /home/bas/mozilla/src/js/src/jsapi.cpp:5371
#22 0xb720c8f7 in JS_EvaluateUCScriptForPrincipalsVersionOrigin (cx=0xab728460, obj=0xb101b040, principals=0xa9777244, originPrincipals=0x9d0a3244, chars=0x9c95b008, 
    length=6491, filename=0x9eedddc8 "http://widgets.digg.com/buttons.js", lineno=1, rval=0x0, version=JSVERSION_DEFAULT)
    at /home/bas/mozilla/src/js/src/jsapi.cpp:5408
#23 0xb69101c7 in nsJSContext::EvaluateString (this=0xab058ba0, aScript=..., aScopeObject=0xb101b040, aPrincipal=0xa9777240, aOriginPrincipal=0x9d0a3240, 
    aURL=0x9eedddc8 "http://widgets.digg.com/buttons.js", aLineNo=1, aVersion=JSVERSION_DEFAULT, aRetValue=0x0, aIsUndefined=0xbfffcbaf)
    at /home/bas/mozilla/src/dom/base/nsJSEnvironment.cpp:1452
#24 0xb677bd69 in nsScriptLoader::EvaluateScript (this=0xa9777200, aRequest=0x9eedddf0, aScript=...) at /home/bas/mozilla/src/content/base/src/nsScriptLoader.cpp:877
#25 0xb677c03d in nsScriptLoader::ProcessRequest (this=0xa9777200, aRequest=0x9eedddf0) at /home/bas/mozilla/src/content/base/src/nsScriptLoader.cpp:770
#26 0xb677e081 in nsScriptLoader::ProcessPendingRequests (this=0xa9777200) at /home/bas/mozilla/src/content/base/src/nsScriptLoader.cpp:926
#27 0xb677e322 in nsScriptLoader::OnStreamComplete (this=0xa9777200, aLoader=0xa9777200, aContext=0x9eedddf0, aStatus=2666388976, aStringLen=0, 
    aString=0x195b <Address 0x195b out of bounds>) at /home/bas/mozilla/src/content/base/src/nsScriptLoader.cpp:1145
#28 0xb644c71e in nsStreamLoader::OnStopRequest (this=0xa4cd8f20, request=0x9ee71c30, ctxt=0x9eedddf0, aStatus=0)
    at /home/bas/mozilla/src/netwerk/base/src/nsStreamLoader.cpp:95
#29 0xb645f462 in nsHTTPCompressConv::OnStopRequest (this=0x9cbe4b80, request=0x9ee71c30, aContext=0x9eedddf0, aStatus=0)
    at /home/bas/mozilla/src/netwerk/streamconv/converters/nsHTTPCompressConv.cpp:94
#30 0xb644c521 in nsStreamListenerTee::OnStopRequest (this=0x9cbf61c0, request=0x9ee71c30, context=0x9eedddf0, status=0)
    at /home/bas/mozilla/src/netwerk/base/src/nsStreamListenerTee.cpp:49
#31 0xb64b63ca in nsHttpChannel::OnStopRequest (this=0x9ee71c00, request=0x9db47c90, ctxt=0x0, status=0)
    at /home/bas/mozilla/src/netwerk/protocol/http/nsHttpChannel.cpp:4482
#32 0xb6433366 in nsInputStreamPump::OnStateStop (this=0x9db47c90) at /home/bas/mozilla/src/netwerk/base/src/nsInputStreamPump.cpp:555
#33 0xb64336eb in nsInputStreamPump::OnInputStreamReady (this=0x9db47c90, stream=0x9db412a8) at /home/bas/mozilla/src/netwerk/base/src/nsInputStreamPump.cpp:373
#34 0xb6f7389d in nsInputStreamReadyEvent::Run (this=0x9f039f40) at /home/bas/mozilla/src/xpcom/io/nsStreamUtils.cpp:81
#35 0xb6f83632 in nsThread::ProcessNextEvent (this=0xb7b8aee0, mayWait=false, result=0xbfffcf3f) at /home/bas/mozilla/src/xpcom/threads/nsThread.cpp:624
#36 0xb6f51f23 in NS_ProcessNextEvent_P (thread=0xaa158dc0, mayWait=false) at /home/bas/mozilla/src/obj-i686-pc-linux-gnu/xpcom/build/nsThreadUtils.cpp:213
#37 0xb6ec842d in mozilla::ipc::MessagePump::Run (this=0xb7bdb5b0, aDelegate=0xb7b1c900) at /home/bas/mozilla/src/ipc/glue/MessagePump.cpp:82
#38 0xb6fa6d6b in MessageLoop::RunInternal (this=0xb7b1c900) at /home/bas/mozilla/src/ipc/chromium/src/base/message_loop.cc:208
#39 0xb6fa6db0 in MessageLoop::RunHandler (this=0xaa158dc0) at /home/bas/mozilla/src/ipc/chromium/src/base/message_loop.cc:201
#40 MessageLoop::Run (this=0xaa158dc0) at /home/bas/mozilla/src/ipc/chromium/src/base/message_loop.cc:175
#41 0xb6e1030d in nsBaseAppShell::Run (this=0xb3aa6240) at /home/bas/mozilla/src/widget/xpwidgets/nsBaseAppShell.cpp:163
#42 0xb6cc25a2 in nsAppStartup::Run (this=0xb3aa7250) at /home/bas/mozilla/src/toolkit/components/startup/nsAppStartup.cpp:256
#43 0xb640d43b in XREMain::XRE_mainRun (this=0xbfffd1f4) at /home/bas/mozilla/src/toolkit/xre/nsAppRunner.cpp:3786
#44 0xb64118a4 in XREMain::XRE_main (this=0xbfffd1f4, argc=1, argv=0xbffff4b4, aAppData=0xbffff4b4) at /home/bas/mozilla/src/toolkit/xre/nsAppRunner.cpp:3863
#45 0xb6411b0a in XRE_main (argc=1, argv=0xbffff4b4, aAppData=0x8057018, aFlags=0) at /home/bas/mozilla/src/toolkit/xre/nsAppRunner.cpp:3939
#46 0x0804a199 in do_main (argc=1, argv=0xbffff4b4) at /home/bas/mozilla/src/browser/app/nsBrowserApp.cpp:157
#47 main (argc=1, argv=0xbffff4b4) at /home/bas/mozilla/src/browser/app/nsBrowserApp.cpp:296



Expected results:

It should not crash :)

Comment 1

[Bas Hickendorff]

Attachment: Reduced testcase

I have managed to reduce the testcase. The bug seems to originate from the fact that the javascript is used twice on the page, if I remove one, the crash disappears. 

The javascript is a very common Google ads script if I am not mistaken.

Loading this testcase in Nightly crashes the browser reproducibly.

Comment 2

[Boris Zbarsky [:bzbarsky]]

Hmm.  I can't reproduce a crash on Mac with my debug build from earlier today.....

Comment 3

[Bas Hickendorff]

(un)fortunately, I cannot reproduce it any more on the current nightly.... I'm sorry for the bugspam...

Comment 4

[Wayne Mery (:wsmwk)]

WFM per comment 3