It's #2 top browser crasher in 14.0.1 on Linux and first appeared in 13.0.1 and 14.0.1 on July 12.
Signature uGlobalMenu::OnOpen More Reports Search
Date Processed 2012-07-18 15:23:27
Last Crash 42.1 minutes before submission
Install Age 32.9 minutes since version was first installed.
Install Time 2012-07-18 14:49:44
Build ID 20120713224758
Release Channel release
OS Version 0.0.0 Linux 3.2.0-26-generic-pae #41-Ubuntu SMP Thu Jun 14 16:45:14 UTC 2012 i686
Build Architecture x86
Build Architecture Info GenuineIntel family 6 model 42 stepping 7
Crash Reason SIGSEGV
Crash Address 0x36
User Comments hit alt-tab, alt was held too long and opened the heads-up display
OpenGL: Tungsten Graphics, Inc -- Mesa DRI Intel(R) Sandybridge Mobile x86/MMX/SSE2 -- 3.0 Mesa 8.0.2 -- texture_from_pixmap
Frame Module Signature Source
0 libglobalmenu.so uGlobalMenu::OnOpen nsIContent.h:379
1 libglobalmenu.so uGlobalMenu::MenuEventCallback uGlobalMenu.cpp:134
2 libdbusmenu-glib.so.4.0.13 _dbusmenu_menuitem_marshal_BOOLEAN__STRING_VARIANT_UINT menuitem-marshal.c:205
3 libgobject-2.0.so.0.3200.3 g_closure_invoke gclosure.c:777
4 libgobject-2.0.so.0.3200.3 signal_emit_unlocked_R gsignal.c:3547
5 libgobject-2.0.so.0.3200.3 g_signal_emit_valist gsignal.c:3306
6 libgobject-2.0.so.0.3200.3 g_signal_emit gsignal.c:3352
7 libdbusmenu-glib.so.4.0.13 dbusmenu_menuitem_handle_event menuitem.c:1755
8 libdbusmenu-glib.so.4.0.13 event_local_handler server.c:1642
9 libglib-2.0.so.0.3200.3 g_timeout_dispatch gmain.c:3882
10 libglib-2.0.so.0.3200.3 g_main_context_dispatch gmain.c:2539
11 libglib-2.0.so.0.3200.3 g_main_context_iterate gmain.c:3146
12 libglib-2.0.so.0.3200.3 g_main_context_iteration gmain.c:3207
13 libxul.so nsAppShell::ProcessNextNativeEvent nsAppShell.cpp:162
14 libxul.so nsBaseAppShell::DoProcessNextNativeEvent nsBaseAppShell.cpp:171
15 libxul.so nsBaseAppShell::OnProcessNextEvent nsBaseAppShell.cpp:306
16 libxul.so nsThread::ProcessNextEvent nsThread.cpp:618
17 libxul.so NS_ProcessNextEvent_P nsThreadUtils.cpp:245
18 libxul.so mozilla::ipc::MessagePump::Run MessagePump.cpp:114
19 libxul.so MessageLoop::RunInternal message_loop.cc:208
20 libxul.so MessageLoop::Run message_loop.cc:201
21 libxul.so nsBaseAppShell::Run nsBaseAppShell.cpp:189
22 libxul.so nsAppStartup::Run nsAppStartup.cpp:295
23 libxul.so XREMain::XRE_mainRun nsAppRunner.cpp:3780
24 libxul.so XREMain::XRE_main nsAppRunner.cpp:3857
25 libxul.so XRE_main nsAppRunner.cpp:3933
26 firefox main nsBrowserApp.cpp:190
More reports at:
I can reproduce this too actually. It's been reported a few times to our bug tracker too, and seems to require Firebug to be installed to trigger it. It happens only when opening the "Firebug UI Location" submenu.
The crash occurs when calling nsINode::OwnerDoc() on the menupopup associated with this menu, because mNodeInfo is null. Why would this happen?? :/
(Note, I'm the developer of the addon which seems to cause this crash)
So, the issue is actually a long-standing dormant bug in our addon that has surfaced now because of this change in Firebug:
For anyone who isn't familiar, we ship an addon in Ubuntu to put the Firefox menubar in the Unity panel, and this works in a similar fashion to the Mac native menu. What this means is that the "state" property for a menupopup doesn't work because it depends on there being a frame (it always returns "closed").
We have some workarounds in our addon to make other menus that depend on this feature work correctly (eg, the Edit menu). What happens now in the Firebug case is that a submenu opening causes the Firebug top-level menu to remove all of its children (including the submenu that the popupshowing event is currently being dispatched to), because the 'if (popup.state == "open")' check fails in Firebug.GlobalUI.onMenuShowing(). This triggers a use-after-free in our addon.
The actual crash is easily fixable, but the Firebug menu is still broken (basically, a submenu disappears as it is opening).
I thought I could fix this by providing my own binding for menupopups which derives from chrome://global/content/bindings/popup.xml#popup, and then implementing the "state" property in my derived binding.
However, whilst this works correctly for most menupopups, it doesn't work for the Firebug menus. The menupopups for Firebug never actually get a binding attached, despite us doing the same dance as http://hg.mozilla.org/mozilla-central/file/a3e1c960433b/widget/cocoa/nsMenuX.mm#l408 in our addon. I'm not entirely sure why this is, but I guess it is because Firebug creates the menupopup with document.createElement("menupopup"), so the popup is wrapped by xpconnect before it is inserted in to the document (and obviously, the binding will never be attached by the frame constructor, because it never gets a frame).
I could probably manually attach the binding from our addon, but nsIXBLService has been removed in Firefox 15 which makes that quite difficult (the removal of that also means we can no longer do this: http://hg.mozilla.org/mozilla-central/file/a3e1c960433b/widget/cocoa/nsMenuX.mm#l690, although that is a separate issue).
I'm pretty stuck with how to proceed here to fix our addon :(
There are no crashes in 15.0.1 and above.