Bug 231773

Summary: Firefox segfault
Product: [Fedora] Fedora
Reporter: Sam Varshavchik <mrsam>
Component: firefox
Assignee: Christopher Aillon <caillon>
Status: CLOSED UPSTREAM
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: 6
CC: gecko-bugs-nobody, mcepl, wtogami
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-04-12 11:17:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Sam Varshavchik 2007-03-11 15:40:14 UTC
Description of problem:

Firefox bombs out with a segfault

Version-Release number of selected component (if applicable):

firefox-1.5.0.10-1.fc6

How reproducible:

Always

Steps to Reproduce:
1. Open a SEP retirement plan with T Rowe Price
2. Sign up for online access
3. Log on to www.troweprice.com
4. In the account tab, click on the link for your retirement plan
  
Actual results:

Firefox crashes with a segfault

Expected results:

I get to ponder on my golden retirement years.

Additional info:

This is an x86_64-specific issue.  T Rowe Price uses flash.  There is no flash
plugin for x86_64.  On a different laptop, with flash installed, firefox does not
crash.  Firefox has a history of crashing on sites with Flash when the flash
plugin is not installed or available.


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 46912496257664 (LWP 3640)]
0x00002aaab6e9bcf2 in __cxa_pure_virtual ()
   from /usr/lib64/firefox-1.5.0.10/components/libgklayout.so
(gdb) where
#0  0x00002aaab6e9bcf2 in __cxa_pure_virtual ()
   from /usr/lib64/firefox-1.5.0.10/components/libgklayout.so
#1  0x00002aaab6e9bd8c in __cxa_pure_virtual ()
   from /usr/lib64/firefox-1.5.0.10/components/libgklayout.so
#2  0x00002aaaba8c30ce in __cxa_pure_virtual ()
   from /usr/lib64/firefox-1.5.0.10/components/libgkplugin.so
#3  0x00002aaaba8be665 in __cxa_pure_virtual ()
   from /usr/lib64/firefox-1.5.0.10/components/libgkplugin.so
#4  0x00002aaaba8c1ee7 in __cxa_pure_virtual ()
   from /usr/lib64/firefox-1.5.0.10/components/libgkplugin.so
#5  0x00002aaaba8bfda4 in __cxa_pure_virtual ()
   from /usr/lib64/firefox-1.5.0.10/components/libgkplugin.so
#6  0x00002aaaaeca92bb in __cxa_pure_virtual ()
   from /usr/lib64/firefox-1.5.0.10/components/libnecko.so
#7  0x00002aaaaeca9499 in __cxa_pure_virtual ()
   from /usr/lib64/firefox-1.5.0.10/components/libnecko.so
#8  0x00002aaaaec422ec in __cxa_pure_virtual ()
   from /usr/lib64/firefox-1.5.0.10/components/libnecko.so
#9  0x00002aaaaec425c3 in __cxa_pure_virtual ()
   from /usr/lib64/firefox-1.5.0.10/components/libnecko.so
#10 0x000000351686128b in NS_AsyncCopy ()
   from /usr/lib64/firefox-1.5.0.10/libxpcom_core.so
#11 0x0000003516872319 in PL_HandleEvent ()
---Type <return> to continue, or q <return> to quit---
   from /usr/lib64/firefox-1.5.0.10/libxpcom_core.so
#12 0x000000351687252b in PL_ProcessPendingEvents ()
   from /usr/lib64/firefox-1.5.0.10/libxpcom_core.so
#13 0x00000035168737cd in nsAutoMonitor::NewMonitor ()
   from /usr/lib64/firefox-1.5.0.10/libxpcom_core.so
#14 0x00002aaaaf8be232 in __cxa_pure_virtual ()
   from /usr/lib64/firefox-1.5.0.10/components/libwidget_gtk2.so
#15 0x0000003087c2cf64 in g_main_context_dispatch ()
   from /lib64/libglib-2.0.so.0
#16 0x0000003087c2fd9d in g_main_context_check () from /lib64/libglib-2.0.so.0
#17 0x0000003087c300aa in g_main_loop_run () from /lib64/libglib-2.0.so.0
#18 0x000000375bb2d023 in gtk_main () from /usr/lib64/libgtk-x11-2.0.so.0
#19 0x00002aaaaf8be616 in __cxa_pure_virtual ()
   from /usr/lib64/firefox-1.5.0.10/components/libwidget_gtk2.so
#20 0x00002aaab421b13a in __cxa_pure_virtual ()
   from /usr/lib64/firefox-1.5.0.10/components/libtoolkitcomps.so
#21 0x0000000000408284 in __cxa_pure_virtual ()
#22 0x0000003a5a81da44 in __libc_start_main () from /lib64/libc.so.6
#23 0x0000000000403939 in __cxa_pure_virtual ()
#24 0x00007fff40ba3dd8 in ?? ()
#25 0x0000000000000000 in ?? ()

Comment 1 Matěj Cepl 2007-03-13 12:59:33 UTC
Reporter, I really cannot create an investment account just to triage a bug. So,
please, help me a little to understand better what's going on.

First of all, I am really not quite sure that I understand what exactly the
problem is and whether it is a site-specific or a general problem with flash. Could
you go to the canonical Flash-testing site http://www.badgerbadgerbadger.com and
tell me what happens? When I do that here with RHEL5/x86_64 (no flash installed)
I get a blank rectangle in the middle of the screen saying "Click here to download
plugin". When I click on it, the plugin finder jumps up and says that no plugin
is available. Is it the same for you, or does your firefox crash?

Second, if that works for you (i.e., flash doesn't work but firefox doesn't
crash either), then could you try the website mentioned in the upstream bug
https://bugzilla.mozilla.org/show_bug.cgi?id=301802 and
https://bugzilla.mozilla.org/show_bug.cgi?id=301802#c7 and tell me whether
your bug is not actually a duplicate of the upstream one?

Thanks a lot for the cooperation.

Comment 2 Sam Varshavchik 2007-03-13 23:23:29 UTC
I get the same results as you on www.badgerbadgerbadger.com, and this is not the
upstream bug.

The upstream bug is an X window error being reported on standard error.  I get a
full-blown segfault.  Completely different.

I tried to get something useful out of firefox-debuginfo, but given the
sophisticated nature of the firefox startup shell script wrapper, I could not
easily figure out how to make it run the debuginfo version of the firefox
binary. If I can have the instructions for starting the debuginfo version of
firefox-bin, together with the debuginfo version of all the component libraries,
then I might be able to obtain more information about the crash.


Comment 3 Christopher Aillon 2007-03-14 00:38:21 UTC
If you have both gdb and firefox-debuginfo installed, run `firefox -g`.

Comment 4 Sam Varshavchik 2007-03-14 01:41:19 UTC
Nice trick.  

The segfault is caused by a null pointer dereference in nsObjectFrame.cpp, line
3098, which reads:

    GetParent()->ReflowDirtyChild(mContent->GetDocument()->GetShellAt(0),
                                  this);

mContent->GetDocument() returns a NULL pointer -- BOOM!


Breakpoint 1, nsObjectFrame::PluginNotAvailable (this=0x2193cd0,
aMimeType=<value optimized out>) at nsObjectFrame.cpp:3096
(gdb) next
(gdb) p mContent
$1 = (nsIContent *) 0x21ce4c0
(gdb) p *mContent
$2 = {<nsISupports> = {_vptr.nsISupports = 0x2aaab343d0f0}, static
sTabFocusModel = 7, static sTabFocusModelAppliesToXUL = 0, mParentPtrBits =
35437616}
(gdb) p mContent->GetDocument()
[Thread 1126189376 (LWP 6604) exited]
$3 = (class nsIDocument *) 0x0



Comment 5 Christopher Aillon 2007-03-14 05:00:33 UTC
Appears to be https://bugzilla.mozilla.org/show_bug.cgi?id=282933

Comment 6 Christopher Aillon 2007-03-14 15:06:40 UTC
Can you try this build:
http://people.redhat.com/caillon/RPMS/fc6/firefox-1.5.0.10-5.fc6.caillon.x86_64.rpm
to see if it helps.  It is the same as the current fc6 version but adds the
patch from the upstream bug.

Comment 7 Sam Varshavchik 2007-03-14 23:57:45 UTC
Yup -- the upstream patch completely fixes the bug.  Perfect.