Closed Bug 958563 Opened 11 years ago Closed 11 years ago

crash in NodeBinding::removeChild

Categories

(Firefox :: Untriaged, defect)

Product:
Firefox
Component:
Untriaged
Version:
26 Branch
Platform:
x86_64
FreeBSD
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: avg, Unassigned)

Details

(Keywords: crash, Whiteboard: [bugday-20140113])

User Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:26.0) Gecko/20100101 Firefox/26.0 (Beta/Release) Build ID: 20131214190525 Steps to reproduce: I had many tabs open and I was switching between two of them. Actual results: (gdb) bt #0 thr_kill () at thr_kill.S:3 #1 0x00000008021e925a in nsProfileLock::FatalSignalHandler (signo=11, info=0x7fffffffa8b0, context=0x7fffffffa540) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/profile/dirserviceprovider/src/nsProfileLock.cpp:180 #2 0x0000000800f8c596 in handle_signal (actp=<optimized out>, sig=11, info=0x7fffffffa8b0, ucp=0x7fffffffa540) at /usr/src/lib/libthr/thread/thr_sig.c:237 #3 0x0000000800f8c13f in thr_sighandler (sig=11, info=0x0, _ucp=0x7fffffffa540) at /usr/src/lib/libthr/thread/thr_sig.c:182 #4 <signal handler called> #5 0x0000000801248a06 in __jemalloc_tcache_dalloc_small (ptr=<optimized out>, binind=<optimized out>, tcache=<optimized out>, tcache=<optimized out>, ptr=<optimized out>, binind=<optimized out>) at /usr/src/lib/libc/../../contrib/jemalloc/include/jemalloc/internal/tcache.h:405 #6 __jemalloc_arena_dalloc (arena=<optimized out>, try_tcache=<optimized out>, ptr=<optimized out>, chunk=<optimized out>, arena=<optimized out>, chunk=<optimized out>, ptr=<optimized out>, try_tcache=<optimized out>) at /usr/src/lib/libc/../../contrib/jemalloc/include/jemalloc/internal/arena.h:1019 #7 __jemalloc_idallocx (try_tcache=<optimized out>, ptr=<optimized out>, ptr=<optimized out>, try_tcache=<optimized out>) at /usr/src/lib/libc/../../contrib/jemalloc/include/jemalloc/internal/jemalloc_internal.h:925 #8 __jemalloc_iqallocx (ptr=<optimized out>, try_tcache=<optimized out>, ptr=<optimized out>, try_tcache=<optimized out>) at /usr/src/lib/libc/../../contrib/jemalloc/include/jemalloc/internal/jemalloc_internal.h:944 #9 __jemalloc_iqalloc (ptr=<optimized out>) at /usr/src/lib/libc/../../contrib/jemalloc/include/jemalloc/internal/jemalloc_internal.h:951 #10 __free (ptr=0x89fc76890) at jemalloc_jemalloc.c:1277 #11 0x000000080265d3eb in Free (ptr=<optimized out>) at ../../dist/include/nsTArray.h:209 #12 nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyElements<RuleValue> >::ShrinkCapacity (this=this@entry=0x89fc36888, elemSize=elemSize@entry=40, elemAlign=elemAlign@entry=8) at ../../dist/include/nsTArray-inl.h:203 #13 0x000000080265d514 in ShiftData (elemAlign=8, elemSize=40, newLen=0, oldLen=<optimized out>, start=0, this=0x89fc36888) at ../../dist/include/nsTArray-inl.h:237 #14 RemoveElementsAt (count=<optimized out>, start=0, this=0x89fc36888) at ../../dist/include/nsTArray.h:1287 #15 Clear (this=0x89fc36888) at ../../dist/include/nsTArray.h:1297 #16 ~nsTArray_Impl (this=0x89fc36888, __in_chrg=<optimized out>) at ../../dist/include/nsTArray.h:748 #17 ~nsTArray (this=0x89fc36888, __in_chrg=<optimized out>) at ../../dist/include/nsTArray.h:1642 #18 ~nsAutoArrayBase (this=0x89fc36888, __in_chrg=<optimized out>) at ../../dist/include/nsTArray.h:1681 #19 ~nsAutoTArray (this=0x89fc36888, __in_chrg=<optimized out>) at ../../dist/include/nsTArray.h:1752 #20 ~RuleHashTableEntry (this=0x89fc36880, __in_chrg=<optimized out>) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/layout/style/nsCSSRuleProcessor.cpp:169 #21 RuleHash_ClearEntry (table=<optimized out>, hdr=0x89fc36880) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/layout/style/nsCSSRuleProcessor.cpp:258 #22 0x00000008038348d7 in PL_DHashTableFinish (table=0x8845dd308) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/xpcom/glue/pldhash.cpp:361 #23 0x000000080265d425 in RuleHash::~RuleHash (this=0x8845dd300, __in_chrg=<optimized out>) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/layout/style/nsCSSRuleProcessor.cpp:571 #24 0x000000080265f465 in ClearRuleCascades (this=0x870e9a680) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/layout/style/nsCSSRuleProcessor.cpp:2825 #25 nsCSSRuleProcessor::~nsCSSRuleProcessor (this=0x870e9a680, __in_chrg=<optimized out>) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/layout/style/nsCSSRuleProcessor.cpp:1073 #26 0x000000080265f5a9 in nsCSSRuleProcessor::~nsCSSRuleProcessor (this=0x870e9a680, __in_chrg=<optimized out>) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/layout/style/nsCSSRuleProcessor.cpp:1074 #27 0x0000000802657855 in nsCSSRuleProcessor::Release (this=<optimized out>) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/layout/style/nsCSSRuleProcessor.cpp:1076 #28 0x00000008026cd4ed in operator= (rhs=0x0, this=0x85108a550) at ../../dist/include/nsCOMPtr.h:656 #29 nsStyleSet::GatherRuleProcessors (this=0x85108a500, aType=aType@entry=nsStyleSet::eUserSheet) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/layout/style/nsStyleSet.cpp:330 #30 0x00000008026ce570 in DirtyRuleProcessors (aType=nsStyleSet::eUserSheet, this=<optimized out>) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/layout/style/nsStyleSet.cpp:523 #31 nsStyleSet::RemoveStyleSheet (this=<optimized out>, aType=aType@entry=nsStyleSet::eUserSheet, aSheet=<optimized out>) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/layout/style/nsStyleSet.cpp:486 #32 0x000000080254beb3 in ClearPreferenceStyleRules (this=0x7fffffffacd0) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/layout/base/nsPresShell.cpp:1155 #33 PresShell::Destroy (this=0x7fffffffacd0) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/layout/base/nsPresShell.cpp:955 #34 0x0000000802514c4a in nsDocumentViewer::DestroyPresShell (this=this@entry=0x8657a81c0) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/layout/base/nsDocumentViewer.cpp:4395 #35 0x0000000802514fec in nsDocumentViewer::Hide (this=0x8657a81c0) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/layout/base/nsDocumentViewer.cpp:2015 #36 0x0000000802f953ae in nsDocShell::SetVisibility (this=<optimized out>, aVisibility=<optimized out>) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/docshell/base/nsDocShell.cpp:5476 #37 0x0000000802819295 in nsFrameLoader::Hide (this=0x84692eb60) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/content/base/src/nsFrameLoader.cpp:998 #38 0x00000008025f3357 in nsHideViewer::Run (this=0x84c407550) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/layout/generic/nsSubDocumentFrame.cpp:778 #39 0x00000008027c6948 in nsContentUtils::RemoveScriptBlocker () at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/content/base/src/nsContentUtils.cpp:4756 #40 0x000000080280e62f in nsDocument::EndUpdate (this=this@entry=0x82e550800, aUpdateType=<optimized out>) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/content/base/src/nsDocument.cpp:4419 #41 0x0000000802b00dce in mozilla::dom::XULDocument::EndUpdate (this=0x82e550800, aUpdateType=<optimized out>) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/content/xul/document/src/XULDocument.cpp:3359 #42 0x0000000802836448 in ~mozAutoDocUpdate (this=<synthetic pointer>, __in_chrg=<optimized out>) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/content/base/src/mozAutoDocUpdate.h:38 #43 nsINode::doRemoveChildAt (this=this@entry=0x8452d7020, aIndex=aIndex@entry=0, aNotify=aNotify@entry=true, aKid=aKid@entry=0x84476a9c0, aChildArray=...) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/content/base/src/nsINode.cpp:1516 #44 0x000000080278c403 in mozilla::dom::FragmentOrElement::RemoveChildAt (this=this@entry=0x8452d7020, aIndex=aIndex@entry=0, aNotify=aNotify@entry=true) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/content/base/src/FragmentOrElement.cpp:964 #45 0x0000000802deaab9 in nsXULElement::RemoveChildAt (this=0x8452d7020, aIndex=0, aNotify=<optimized out>) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/content/xul/content/src/nsXULElement.cpp:853 #46 0x0000000802834acc in nsINode::RemoveChild (this=this@entry=0x8452d7020, aOldChild=..., aError=...) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/content/base/src/nsINode.cpp:459 #47 0x00000008035f8b03 in mozilla::dom::NodeBinding::removeChild (cx=0x842443640, obj=..., self=0x8452d7020, args=...) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/obj-x86_64-unknown-freebsd11.0/dom/bindings/NodeBinding.cpp:628 #48 0x00000008035f7be0 in mozilla::dom::NodeBinding::genericMethod (cx=0x842443640, argc=<optimized out>, vp=<optimized out>) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/obj-x86_64-unknown-freebsd11.0/dom/bindings/NodeBinding.cpp:1230 #49 0x0000000803f32785 in CallJSNative (args=..., native=0x8035f7980 <mozilla::dom::NodeBinding::genericMethod(JSContext*, unsigned int, JS::Value*)>, cx=0x842443640) at ../../../js/src/jscntxtinlines.h:218 #50 js::Invoke (cx=cx@entry=0x842443640, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/js/src/vm/Interpreter.cpp:478 #51 0x0000000803f3859f in Interpret (cx=cx@entry=0x842443640, state=...) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/js/src/vm/Interpreter.cpp:2454 #52 0x0000000803f3260d in RunScript (state=..., cx=0x842443640) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/js/src/vm/Interpreter.cpp:435 #53 js::Invoke (cx=cx@entry=0x842443640, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/js/src/vm/Interpreter.cpp:497 #54 0x0000000803f41e96 in js::Invoke (cx=cx@entry=0x842443640, thisv=..., fval=..., argc=1, argv=<optimized out>, rval=...) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/js/src/vm/Interpreter.cpp:528 #55 0x000000080400278d in JS_CallFunctionValue (cx=cx@entry=0x842443640, objArg=<optimized out>, fval=..., argc=argc@entry=1, argv=<optimized out>, rval=rval@entry=0x7fffffffbcc0) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/js/src/jsapi.cpp:5048 #56 0x00000008034aeafa in mozilla::dom::EventHandlerNonNull::Call (this=this@entry=0x88ba1f5e0, cx=0x842443640, aThisObj=aThisObj@entry=..., event=..., aRv=...) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/obj-x86_64-unknown-freebsd11.0/dom/bindings/EventHandlerBinding.cpp:36 #57 0x0000000802beb964 in Call<nsISupports*> (aExceptionHandling=mozilla::dom::CallbackObject::eReportExceptions, aRv=..., event=..., thisObj=@0x861ff1418: 0x84675eb00, this=0x88ba1f5e0) at ../../../dist/include/mozilla/dom/EventHandlerBinding.h:59 #58 nsJSEventListener::HandleEvent (this=0x861ff1400, aEvent=0x842e8b6a0) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/dom/src/events/nsJSEventListener.cpp:247 #59 0x0000000802ae4520 in nsXBLPrototypeHandler::ExecuteHandler (this=<optimized out>, aTarget=<optimized out>, aEvent=aEvent@entry=0x842e8b6a0) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/content/xbl/src/nsXBLPrototypeHandler.cpp:341 #60 0x0000000802ad7dc4 in nsXBLEventHandler::HandleEvent (this=0x829a70b40, aEvent=0x842e8b6a0) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/content/xbl/src/nsXBLEventHandler.cpp:48 #61 0x0000000802921185 in nsEventListenerManager::HandleEventSubType (this=this@entry=0x8508b00c0, aListenerStruct=<optimized out>, aListenerStruct@entry=0x849a60148, aDOMEvent=0x842e8b6a0, aCurrentTarget=aCurrentTarget@entry=0x84675eb00, aPusher=aPusher@entry=0x7fffffffc4b0) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/content/events/src/nsEventListenerManager.cpp:968 #62 0x00000008029216c0 in nsEventListenerManager::HandleEventInternal (this=0x8508b00c0, aPresContext=<optimized out>, aEvent=0x83d027cf0, aDOMEvent=aDOMEvent@entry=0x7fffffffc490, aCurrentTarget=0x84675eb00, aEventStatus=aEventStatus@entry=0x7fffffffc498, aPusher=<optimized out>, aPusher@entry=0x7fffffffc4b0) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/content/events/src/nsEventListenerManager.cpp:1041 #63 0x000000080291d09f in HandleEvent (aPusher=0x7fffffffc4b0, aEventStatus=0x7fffffffc498, aCurrentTarget=<optimized out>, aDOMEvent=0x7fffffffc490, aEvent=<optimized out>, aPresContext=<optimized out>, this=<optimized out>) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/content/events/src/nsEventListenerManager.h:326 #64 HandleEvent (aPusher=0x7fffffffc4b0, aCd=..., aVisitor=..., this=0x8792e90a8) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/content/events/src/nsEventDispatcher.cpp:191 #65 nsEventTargetChainItem::HandleEventTargetChain (aChain=..., aVisitor=..., aCallback=aCallback@entry=0x0, aCd=..., aPusher=aPusher@entry=0x7fffffffc4b0) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/content/events/src/nsEventDispatcher.cpp:307 #66 0x000000080291ffd5 in nsEventDispatcher::Dispatch (aTarget=<optimized out>, aPresContext=<optimized out>, aEvent=0x83d027cf0, aDOMEvent=aDOMEvent@entry=0x0, aEventStatus=aEventStatus@entry=0x0, aCallback=aCallback@entry=0x0, aTargets=aTargets@entry=0x0) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/content/events/src/nsEventDispatcher.cpp:603 #67 0x00000008026e0495 in nsTransitionManager::FlushTransitions (this=0x82b8ede20, aFlags=mozilla::css::CommonAnimationManager::Can_Throttle) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/layout/style/nsTransitionManager.cpp:1150 #68 0x000000080255537d in nsRefreshDriver::Tick (this=0x83e0a0600, aNowEpoch=aNowEpoch@entry=1389369451193193, aNowTime=...) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/layout/base/nsRefreshDriver.cpp:1070 #69 0x0000000802555eeb in TickDriver (now=..., jsnow=1389369451193193, driver=<optimized out>) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/layout/base/nsRefreshDriver.cpp:166 #70 Tick (this=<optimized out>) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/layout/base/nsRefreshDriver.cpp:158 #71 mozilla::RefreshDriverTimer::TimerTick (aTimer=<optimized out>, aClosure=<optimized out>) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/layout/base/nsRefreshDriver.cpp:183 #72 0x0000000803881eea in Fire (this=0x818d3add0) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/xpcom/threads/nsTimerImpl.cpp:546 #73 nsTimerEvent::Run (this=<optimized out>) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/xpcom/threads/nsTimerImpl.cpp:630 #74 0x000000080387dc9b in nsThread::ProcessNextEvent (this=0x81147a1a0, mayWait=<optimized out>, result=0x7fffffffca20) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/xpcom/threads/nsThread.cpp:622 #75 0x0000000803832cd8 in NS_ProcessNextEvent (thread=<optimized out>, mayWait=mayWait@entry=true) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/xpcom/glue/nsThreadUtils.cpp:238 #76 0x000000080329394b in mozilla::ipc::MessagePump::Run (this=0x811402fc0, aDelegate=0x8017a4a80) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/ipc/glue/MessagePump.cpp:116 #77 0x00000008038b90dd in RunInternal (this=<optimized out>) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/ipc/chromium/src/base/message_loop.cc:220 #78 RunHandler (this=<optimized out>) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/ipc/chromium/src/base/message_loop.cc:213 #79 MessageLoop::Run (this=<optimized out>) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/ipc/chromium/src/base/message_loop.cc:187 #80 0x000000080320e908 in nsBaseAppShell::Run (this=0x81148d940) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/widget/xpwidgets/nsBaseAppShell.cpp:161 #81 0x0000000803031bee in nsAppStartup::Run (this=0x8114e4600) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/toolkit/components/startup/nsAppStartup.cpp:269 #82 0x00000008021e37a2 in XREMain::XRE_mainRun (this=this@entry=0x7fffffffcca0) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/toolkit/xre/nsAppRunner.cpp:3869 #83 0x00000008021e3eb1 in XREMain::XRE_main (this=this@entry=0x7fffffffcca0, argc=argc@entry=3, argv=argv@entry=0x7fffffffd3d8, aAppData=aAppData@entry=0x7fffffffcf40) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/toolkit/xre/nsAppRunner.cpp:3937 #84 0x00000008021e420f in XRE_main (argc=3, argv=0x7fffffffd3d8, aAppData=0x7fffffffcf40, aFlags=<optimized out>) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/toolkit/xre/nsAppRunner.cpp:4139 #85 0x0000000000403680 in do_main (xreDirectory=0x80171efc0, argv=0x7fffffffd3d8, argc=3) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/browser/app/nsBrowserApp.cpp:275 #86 main (argc=<optimized out>, argv=<optimized out>) at /usr/obj/ports/usr/ports/www/firefox/work/mozilla-release/browser/app/nsBrowserApp.cpp:636
Severity: normal → critical
Keywords: crash
Whiteboard: [bugday-20140113]
Looks like this was caused by a defect in a cutting edge kernel that I used. The defect caused swapped out pages to become zeroed out under some very specific conditions.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.