It's #2 top browser crasher in 14.0.1 on Linux and first appeared in 13.0.1 and 14.0.1 on July 12. Signature uGlobalMenu::OnOpen More Reports Search UUID c8bba6db-a6eb-43d6-b736-f55602120718 Date Processed 2012-07-18 15:23:27 Uptime 1975 Last Crash 42.1 minutes before submission Install Age 32.9 minutes since version was first installed. Install Time 2012-07-18 14:49:44 Product Firefox Version 14.0.1 Build ID 20120713224758 Release Channel release OS Linux OS Version 0.0.0 Linux 3.2.0-26-generic-pae #41-Ubuntu SMP Thu Jun 14 16:45:14 UTC 2012 i686 Build Architecture x86 Build Architecture Info GenuineIntel family 6 model 42 stepping 7 Crash Reason SIGSEGV Crash Address 0x36 User Comments hit alt-tab, alt was held too long and opened the heads-up display App Notes OpenGL: Tungsten Graphics, Inc -- Mesa DRI Intel(R) Sandybridge Mobile x86/MMX/SSE2 -- 3.0 Mesa 8.0.2 -- texture_from_pixmap EMCheckCompatibility True Frame Module Signature Source 0 libglobalmenu.so uGlobalMenu::OnOpen nsIContent.h:379 1 libglobalmenu.so uGlobalMenu::MenuEventCallback uGlobalMenu.cpp:134 2 libdbusmenu-glib.so.4.0.13 _dbusmenu_menuitem_marshal_BOOLEAN__STRING_VARIANT_UINT menuitem-marshal.c:205 3 libgobject-2.0.so.0.3200.3 g_closure_invoke gclosure.c:777 4 libgobject-2.0.so.0.3200.3 signal_emit_unlocked_R gsignal.c:3547 5 libgobject-2.0.so.0.3200.3 g_signal_emit_valist gsignal.c:3306 6 libgobject-2.0.so.0.3200.3 g_signal_emit gsignal.c:3352 7 libdbusmenu-glib.so.4.0.13 dbusmenu_menuitem_handle_event menuitem.c:1755 8 libdbusmenu-glib.so.4.0.13 event_local_handler server.c:1642 9 libglib-2.0.so.0.3200.3 g_timeout_dispatch gmain.c:3882 10 libglib-2.0.so.0.3200.3 g_main_context_dispatch gmain.c:2539 11 libglib-2.0.so.0.3200.3 g_main_context_iterate gmain.c:3146 12 libglib-2.0.so.0.3200.3 g_main_context_iteration gmain.c:3207 13 libxul.so nsAppShell::ProcessNextNativeEvent nsAppShell.cpp:162 14 libxul.so nsBaseAppShell::DoProcessNextNativeEvent nsBaseAppShell.cpp:171 15 libxul.so nsBaseAppShell::OnProcessNextEvent nsBaseAppShell.cpp:306 16 libxul.so nsThread::ProcessNextEvent nsThread.cpp:618 17 libxul.so NS_ProcessNextEvent_P nsThreadUtils.cpp:245 18 libxul.so mozilla::ipc::MessagePump::Run MessagePump.cpp:114 19 libxul.so MessageLoop::RunInternal message_loop.cc:208 20 libxul.so MessageLoop::Run message_loop.cc:201 21 libxul.so nsBaseAppShell::Run nsBaseAppShell.cpp:189 22 libxul.so nsAppStartup::Run nsAppStartup.cpp:295 23 libxul.so XREMain::XRE_mainRun nsAppRunner.cpp:3780 24 libxul.so XREMain::XRE_main nsAppRunner.cpp:3857 25 libxul.so XRE_main nsAppRunner.cpp:3933 26 firefox main nsBrowserApp.cpp:190 ... More reports at: https://crash-stats.mozilla.com/report/list?signature=uGlobalMenu%3A%3AOnOpen
I can reproduce this too actually. It's been reported a few times to our bug tracker too, and seems to require Firebug to be installed to trigger it. It happens only when opening the "Firebug UI Location" submenu. The crash occurs when calling nsINode::OwnerDoc() on the menupopup associated with this menu, because mNodeInfo is null. Why would this happen?? :/ (Note, I'm the developer of the addon which seems to cause this crash)
So, the issue is actually a long-standing dormant bug in our addon that has surfaced now because of this change in Firebug: https://github.com/firebug/firebug/commit/f2b23d0ec2ac886418032fd66f040bfbfeea0ad9 For anyone who isn't familiar, we ship an addon in Ubuntu to put the Firefox menubar in the Unity panel, and this works in a similar fashion to the Mac native menu. What this means is that the "state" property for a menupopup doesn't work because it depends on there being a frame (it always returns "closed"). We have some workarounds in our addon to make other menus that depend on this feature work correctly (eg, the Edit menu). What happens now in the Firebug case is that a submenu opening causes the Firebug top-level menu to remove all of its children (including the submenu that the popupshowing event is currently being dispatched to), because the 'if (popup.state == "open")' check fails in Firebug.GlobalUI.onMenuShowing(). This triggers a use-after-free in our addon. The actual crash is easily fixable, but the Firebug menu is still broken (basically, a submenu disappears as it is opening). I thought I could fix this by providing my own binding for menupopups which derives from chrome://global/content/bindings/popup.xml#popup, and then implementing the "state" property in my derived binding. However, whilst this works correctly for most menupopups, it doesn't work for the Firebug menus. The menupopups for Firebug never actually get a binding attached, despite us doing the same dance as http://hg.mozilla.org/mozilla-central/file/a3e1c960433b/widget/cocoa/nsMenuX.mm#l408 in our addon. I'm not entirely sure why this is, but I guess it is because Firebug creates the menupopup with document.createElement("menupopup"), so the popup is wrapped by xpconnect before it is inserted in to the document (and obviously, the binding will never be attached by the frame constructor, because it never gets a frame). I could probably manually attach the binding from our addon, but nsIXBLService has been removed in Firefox 15 which makes that quite difficult (the removal of that also means we can no longer do this: http://hg.mozilla.org/mozilla-central/file/a3e1c960433b/widget/cocoa/nsMenuX.mm#l690, although that is a separate issue). I'm pretty stuck with how to proceed here to fix our addon :(
There are no crashes in 15.0.1 and above.