Last Comment Bug 775143 - crash in uGlobalMenu::OnOpen when activating HUD in Ubuntu with Firebug
: crash in uGlobalMenu::OnOpen when activating HUD in Ubuntu with Firebug
Status: RESOLVED WORKSFORME
: crash, topcrash
Product: Firefox
Classification: Client Software
Component: Extension Compatibility (show other bugs)
: 14 Branch
: All Linux
: -- critical with 4 votes (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
:
Mentors:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-07-18 09:44 PDT by Scoobidiver (away)
Modified: 2012-09-24 02:49 PDT (History)
2 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments

Description Scoobidiver (away) 2012-07-18 09:44:32 PDT
It's #2 top browser crasher in 14.0.1 on Linux and first appeared in 13.0.1 and 14.0.1 on July 12.

Signature 	uGlobalMenu::OnOpen More Reports Search
UUID	c8bba6db-a6eb-43d6-b736-f55602120718
Date Processed	2012-07-18 15:23:27
Uptime	1975
Last Crash	42.1 minutes before submission
Install Age	32.9 minutes since version was first installed.
Install Time	2012-07-18 14:49:44
Product	Firefox
Version	14.0.1
Build ID	20120713224758
Release Channel	release
OS	Linux
OS Version	0.0.0 Linux 3.2.0-26-generic-pae #41-Ubuntu SMP Thu Jun 14 16:45:14 UTC 2012 i686
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 42 stepping 7
Crash Reason	SIGSEGV
Crash Address	0x36
User Comments	hit alt-tab, alt was held too long and opened the heads-up display
App Notes 	
OpenGL: Tungsten Graphics, Inc -- Mesa DRI Intel(R) Sandybridge Mobile x86/MMX/SSE2 -- 3.0 Mesa 8.0.2 -- texture_from_pixmap
EMCheckCompatibility	True

Frame 	Module 	Signature 	Source
0 	libglobalmenu.so 	uGlobalMenu::OnOpen 	nsIContent.h:379
1 	libglobalmenu.so 	uGlobalMenu::MenuEventCallback 	uGlobalMenu.cpp:134
2 	libdbusmenu-glib.so.4.0.13 	_dbusmenu_menuitem_marshal_BOOLEAN__STRING_VARIANT_UINT 	menuitem-marshal.c:205
3 	libgobject-2.0.so.0.3200.3 	g_closure_invoke 	gclosure.c:777
4 	libgobject-2.0.so.0.3200.3 	signal_emit_unlocked_R 	gsignal.c:3547
5 	libgobject-2.0.so.0.3200.3 	g_signal_emit_valist 	gsignal.c:3306
6 	libgobject-2.0.so.0.3200.3 	g_signal_emit 	gsignal.c:3352
7 	libdbusmenu-glib.so.4.0.13 	dbusmenu_menuitem_handle_event 	menuitem.c:1755
8 	libdbusmenu-glib.so.4.0.13 	event_local_handler 	server.c:1642
9 	libglib-2.0.so.0.3200.3 	g_timeout_dispatch 	gmain.c:3882
10 	libglib-2.0.so.0.3200.3 	g_main_context_dispatch 	gmain.c:2539
11 	libglib-2.0.so.0.3200.3 	g_main_context_iterate 	gmain.c:3146
12 	libglib-2.0.so.0.3200.3 	g_main_context_iteration 	gmain.c:3207
13 	libxul.so 	nsAppShell::ProcessNextNativeEvent 	nsAppShell.cpp:162
14 	libxul.so 	nsBaseAppShell::DoProcessNextNativeEvent 	nsBaseAppShell.cpp:171
15 	libxul.so 	nsBaseAppShell::OnProcessNextEvent 	nsBaseAppShell.cpp:306
16 	libxul.so 	nsThread::ProcessNextEvent 	nsThread.cpp:618
17 	libxul.so 	NS_ProcessNextEvent_P 	nsThreadUtils.cpp:245
18 	libxul.so 	mozilla::ipc::MessagePump::Run 	MessagePump.cpp:114
19 	libxul.so 	MessageLoop::RunInternal 	message_loop.cc:208
20 	libxul.so 	MessageLoop::Run 	message_loop.cc:201
21 	libxul.so 	nsBaseAppShell::Run 	nsBaseAppShell.cpp:189
22 	libxul.so 	nsAppStartup::Run 	nsAppStartup.cpp:295
23 	libxul.so 	XREMain::XRE_mainRun 	nsAppRunner.cpp:3780
24 	libxul.so 	XREMain::XRE_main 	nsAppRunner.cpp:3857
25 	libxul.so 	XRE_main 	nsAppRunner.cpp:3933
26 	firefox 	main 	nsBrowserApp.cpp:190 
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=uGlobalMenu%3A%3AOnOpen
Comment 1 Chris Coulson 2012-07-19 00:20:07 PDT
I can reproduce this too actually. It's been reported a few times to our bug tracker too, and seems to require Firebug to be installed to trigger it. It happens only when opening the "Firebug UI Location" submenu.

The crash occurs when calling nsINode::OwnerDoc() on the menupopup associated with this menu, because mNodeInfo is null. Why would this happen?? :/

(Note, I'm the developer of the addon which seems to cause this crash)
Comment 2 Chris Coulson 2012-07-21 14:35:31 PDT
So, the issue is actually a long-standing dormant bug in our addon that has surfaced now because of this change in Firebug:

https://github.com/firebug/firebug/commit/f2b23d0ec2ac886418032fd66f040bfbfeea0ad9

For anyone who isn't familiar, we ship an addon in Ubuntu to put the Firefox menubar in the Unity panel, and this works in a similar fashion to the Mac native menu. What this means is that the "state" property for a menupopup doesn't work because it depends on there being a frame (it always returns "closed").

We have some workarounds in our addon to make other menus that depend on this feature work correctly (eg, the Edit menu). What happens now in the Firebug case is that a submenu opening causes the Firebug top-level menu to remove all of its children (including the submenu that the popupshowing event is currently being dispatched to), because the 'if (popup.state == "open")' check fails in Firebug.GlobalUI.onMenuShowing(). This triggers a use-after-free in our addon.

The actual crash is easily fixable, but the Firebug menu is still broken (basically, a submenu disappears as it is opening).

I thought I could fix this by providing my own binding for menupopups which derives from chrome://global/content/bindings/popup.xml#popup, and then implementing the "state" property in my derived binding.

However, whilst this works correctly for most menupopups, it doesn't work for the Firebug menus. The menupopups for Firebug never actually get a binding attached, despite us doing the same dance as http://hg.mozilla.org/mozilla-central/file/a3e1c960433b/widget/cocoa/nsMenuX.mm#l408 in our addon. I'm not entirely sure why this is, but I guess it is because Firebug creates the menupopup with document.createElement("menupopup"), so the popup is wrapped by xpconnect before it is inserted in to the document (and obviously, the binding will never be attached by the frame constructor, because it never gets a frame).

I could probably manually attach the binding from our addon, but nsIXBLService has been removed in Firefox 15 which makes that quite difficult (the removal of that also means we can no longer do this: http://hg.mozilla.org/mozilla-central/file/a3e1c960433b/widget/cocoa/nsMenuX.mm#l690, although that is a separate issue).

I'm pretty stuck with how to proceed here to fix our addon :(
Comment 3 Scoobidiver (away) 2012-09-24 02:49:37 PDT
There are no crashes in 15.0.1 and above.

Note You need to log in before you can comment on or make changes to this bug.