Bug 477232

Summary: Crashes (not only) on the print dialog (nsAutoptr)
Product: [Fedora] Fedora
Component: firefox
Version: 10
Hardware: x86_64
OS: Linux
Status: CLOSED WORKSFORME
Severity: high
Priority: medium
Keywords: Reopened
Reporter: Jan Kratochvil <jan.kratochvil>
Assignee: Martin Stransky <stransky>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: gecko-bugs-nobody, mcepl, stransky, walters
Target Milestone: ---
Target Release: ---
URL: http://zpravy.idnes.cz/tiskni.asp?r=krimi&c=A081219_131955_krimi_itu
Doc Type: Bug Fix
Last Closed: 2009-03-31 13:58:57 UTC
Attachments (description, flags):
Full backtrace. (flags: none)
Backtrace from crashed firefox (flags: none)
Another one, similar content. (flags: none)
Verified on firefox-3.0.5-1.fc10.x86_64. (flags: none)
another backtrace of the reproduction (flags: none)

Description Jan Kratochvil 2008-12-19 18:54:59 UTC
Created attachment 327486 [details]
Full backtrace.

Description of problem:
While clicking on the print (`tisknout') webpage button on http://idnes.cz articles it often crashes.

Version-Release number of selected component (if applicable):
firefox-3.0.4-1.fc10.x86_64
xulrunner-1.9.0.4-1.fc10.x86_64
(updated F-10)

How reproducible:
Approx. 1 in 20 cases or so while the web page uses window.print();
Did not try to artificially reproduce it.

Steps to Reproduce:
1. Open: http://zpravy.idnes.cz/tiskni.asp?r=krimi&c=A081219_131955_krimi_itu

Actual results:
Crash.

Expected results:
No crash and displayed print dialog.

Additional info:
No proprietary driver installed (such as Adobe Flash, even no gnash/swfdec).
Having installed these plugins but all of them disabled in Firefox:
java-1.6.0-openjdk-plugin-1.6.0.0-7.b12.fc10.x86_64
gecko-mediaplayer-0.9.2-2.fc10.x86_64
totem-mozplugin-2.24.3-1.fc10.x86_64

I can supply more such guessing-similar backtraces.
(gdb) bt
#0  0x000000340540efab in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#1  0x0000003d7082fbc5 in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileLock.cpp:212
#2  <signal handler called>
#3  0x0000003d70f5ca0e in nsRefPtr (this=<value optimized out>, aRawPtr=0x7fc157c14610) at ../../../dist/include/xpcom/nsAutoPtr.h:980
#4  0x0000003d70f592c5 in leave_notify_event_cb (widget=0x7fc159319210, event=0x7fc15706cd50) at nsWindow.cpp:4609
#5  0x0000003d6fb294c8 in _gtk_marshal_BOOLEAN__BOXED (closure=0x7fc1636e5c40, return_value=0x7fff7287b040, n_param_values=<value optimized out>, param_values=0x7fc161a5cd20, invocation_hint=<value optimized out>, marshal_data=0x3d70f5926e) at gtkmarshalers.c:84
#6  0x000000340680b7dd in IA__g_closure_invoke (closure=0x7fc1636e5c40, return_value=0x7fff7287b040, n_param_values=2, param_values=0x7fc161a5cd20, invocation_hint=0x7fff7287b000) at gclosure.c:767
#7  0x00000034068214bd in signal_emit_unlocked_R (node=0x2500610, detail=0, instance=0x7fc159319210, emission_return=0x7fff7287b180, instance_and_params=0x7fc161a5cd20) at gsignal.c:3244
#8  0x00000034068229ea in IA__g_signal_emit_valist (instance=0x7fc159319210, signal_id=<value optimized out>, detail=0, var_args=0x7fff7287b1e0) at gsignal.c:2987
#9  0x0000003406823093 in IA__g_signal_emit (instance=0x7fc157c14610, signal_id=1472284176, detail=1668176960) at gsignal.c:3034
#10 0x0000003d6fc2c1de in gtk_widget_event_internal (widget=0x7fc159319210, event=0x7fc15706cd50) at gtkwidget.c:4745
#11 0x0000003d6fc2c3fe in synth_crossing (widget=0x7fc159319210, type=<value optimized out>, window=0x7fc158cfeb20, mode=GDK_CROSSING_GTK_GRAB, detail=GDK_NOTIFY_NONLINEAR) at gtkwidget.c:8142
#12 0x0000003d6fc2eb01 in _gtk_widget_synthesize_crossing (from=0x7fc159319210, to=0x7fc157b8e000, mode=GDK_CROSSING_GTK_GRAB) at gtkwidget.c:8337
#13 0x0000003d6fb22972 in gtk_grab_notify_foreach (child=0x7fc159319210, data=<value optimized out>) at gtkmain.c:1712
#14 0x0000003d6fb22992 in gtk_grab_notify_foreach (child=0x7fc164f7d9a0, data=<value optimized out>) at gtkmain.c:1705
#15 0x0000003d6fb22a53 in gtk_grab_notify (group=0x7fc160456760, old_grab_widget=<value optimized out>, new_grab_widget=<value optimized out>, from_grab=<value optimized out>) at gtkmain.c:1764
#16 0x0000003d6fc44829 in gtk_window_show (widget=0x7fc157b8e000) at gtkwindow.c:4345
#17 0x000000340680b7dd in IA__g_closure_invoke (closure=0x24bc280, return_value=0x0, n_param_values=1, param_values=0x7fc15b6ddb40, invocation_hint=0x7fff7287b620) at gclosure.c:767
#18 0x0000003406820dd8 in signal_emit_unlocked_R (node=0x24fea90, detail=0, instance=0x7fc157b8e000, emission_return=0x0, instance_and_params=0x7fc15b6ddb40) at gsignal.c:3174
#19 0x0000003406822b68 in IA__g_signal_emit_valist (instance=0x7fc157b8e000, signal_id=<value optimized out>, detail=0, var_args=0x7fff7287b800) at gsignal.c:2977
#20 0x0000003406823093 in IA__g_signal_emit (instance=0x7fc157c14610, signal_id=1472284176, detail=1668176960) at gsignal.c:3034
#21 0x0000003d6fc355bc in IA__gtk_widget_show (widget=0x7fc157b8e000) at gtkwidget.c:3003
#22 0x0000003d6fab10b7 in IA__gtk_dialog_run (dialog=0x7fc157b8e000) at gtkdialog.c:1039
#23 0x0000003d70f6b1a7 in RunDialog (aDialog=0x7fc157b8e000) at nsAccessibilityHelper.cpp:52
#24 0x0000003d70f6c789 in nsPrintDialogWidgetGTK::Run (this=0x7fff7287b9c0) at nsPrintDialogGTK.cpp:404
#25 0x0000003d70f6d5f9 in nsPrintDialogServiceGTK::Show (this=<value optimized out>, aParent=<value optimized out>, aSettings=0x7fc15c2df460) at nsPrintDialogGTK.cpp:577
#26 0x0000003d70e070ee in nsPrintingPromptService::ShowPrintDialog (this=0x7fc156d2f4b0, parent=0x7fc1597b7450, webBrowserPrint=0x7fc1574aeea8, printSettings=0x7fc15c2df460) at nsPrintingPromptService.cpp:117
#27 0x0000003d70c85904 in nsPrintEngine::DoCommonPrint (this=0x7fc156dd18f0, aIsPrintPreview=0, aPrintSettings=0x7fc15c2df460, aWebProgressListener=<value optimized out>) at nsPrintEngine.cpp:589
#28 0x0000003d70c85f75 in nsPrintEngine::CommonPrint (this=0x7fc157c14610, aIsPrintPreview=1472284176, aPrintSettings=0x7fc1636e5c40, aWebProgressListener=0x3d711babc7) at nsPrintEngine.cpp:418
#29 0x0000003d7099c573 in DocumentViewerImpl::Print (this=0x7fc1574aee80, aPrintSettings=0x7fc15c2df460, aWebProgressListener=0x0) at nsDocumentViewer.cpp:3489
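
In the backtrace above, frames #0 to #2 are the signal handler path (nsProfileLock::FatalSignalHandler calling raise), so the code that faulted is the first frame below `<signal handler called>`. The following triage helper is an added example, not part of the original report; `parse_frames` and `triage` are hypothetical names, and the sample input is constructed from the report's first frames.

```python
import re

# Constructed sample: the first six frames of the backtrace in the report,
# with most argument lists shortened to "..." for readability.
SAMPLE_BT = """\
#0  0x000000340540efab in raise (...) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#1  0x0000003d7082fbc5 in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileLock.cpp:212
#2  <signal handler called>
#3  0x0000003d70f5ca0e in nsRefPtr (...) at ../../../dist/include/xpcom/nsAutoPtr.h:980
#4  0x0000003d70f592c5 in leave_notify_event_cb (...) at nsWindow.cpp:4609
#5  0x0000003d6fb294c8 in _gtk_marshal_BOOLEAN__BOXED (...) at gtkmarshalers.c:84
"""

# "#N  [0xADDR in ]function (args)[ at file:line]" as printed by gdb's bt.
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-fA-F]+ in )?"
    r"(?P<func>.+?) \((?P<args>.*)\)(?: at (?P<src>\S+:\d+))?\s*$"
)
SIGNAL_RE = re.compile(r"^#(?P<num>\d+)\s+<signal handler called>\s*$")


def parse_frames(text):
    """Parse bt output; the signal marker becomes a frame with func=None."""
    frames = []
    for line in text.splitlines():
        m = SIGNAL_RE.match(line)
        if m:
            frames.append({"num": int(m["num"]), "func": None, "args": "", "src": None})
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append({"num": int(m["num"]), "func": m["func"],
                           "args": m["args"], "src": m["src"]})
    return frames


def triage(text):
    """Return the signal number, the frame that faulted, and its caller."""
    frames = parse_frames(text)
    marker = next((i for i, f in enumerate(frames) if f["func"] is None), None)
    if marker is None:            # no handler on the stack: frame #0 faulted
        below, signo = frames, None
    else:                         # frames above the marker belong to the handler
        below = frames[marker + 1:]
        hits = [re.search(r"\bsigno=(\d+)", f["args"]) for f in frames[:marker]]
        signo = next((int(h.group(1)) for h in hits if h), None)
    return {"signal": signo,
            "fault": below[0] if below else None,
            "caller": below[1] if len(below) > 1 else None}
```

Grouping crash reports by the `fault` and `caller` pair rather than by frame #0 keeps every report that went through the same signal handler from collapsing into one bucket.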

Comment 1 Matěj Cepl 2008-12-20 22:33:40 UTC
Created attachment 327554 [details]
Backtrace from crashed firefox

I was quite surprised how easy it was to reproduce this -- first attempt: click on the first article on the homepage of idnes.cz ("Dana Matulková won StarDance III" -- really important piece of news ;-), click on print button, and although the print dialog window starts to draw, it never draws completely, kernel load goes through the roof (something between 7 and 10), and firefox crashes.

Comment 2 Jan Kratochvil 2008-12-21 12:28:47 UTC
Created attachment 327575 [details]
Another one, similar content.

Comment 3 Jan Kratochvil 2008-12-21 23:23:41 UTC
Created attachment 327597 [details]
Verified on firefox-3.0.5-1.fc10.x86_64.

firefox-3.0.5-1.fc10.x86_64
xulrunner-1.9.0.5-1.fc10.x86_64

Comment 4 Matěj Cepl 2008-12-22 00:58:17 UTC
Created attachment 327602 [details]
another backtrace of the reproduction

Actually this one is even more interesting. I have a Greasemonkey script for fixing all those silly bugzilla attachments MIME types "application/octet-stream" (it changes the MIME type to "text/plain") and when trying to add "text/x-log" as another MIME type which needs to be removed, I made a mistake in the JavaScript of the function which is run inside of the array.filter method.

function isOctetStream(element, index, array) {
	var inArray = ["application/octet-stream","text/x-log"];
	return(inArray.indexOf(element) != -1);
// the previous line should read -- see missing indexing of the array
//	return(inArray.indexOf(element[2]) != -1);
}

...
var badAttachments = getAttachments(aTable).filter(isOctetStream);

When running this script on bugzilla, firefox constantly crashed with the attached backtrace. When I fixed the script, the bug was gone.

So, it looks to me like firefox (yes, I have firefox-3.0.5-1.fc10.i386 as well) doesn't recover well from JavaScript bugs and crashes.

Comment 6 Matěj Cepl 2008-12-22 18:11:09 UTC
We filed this bug in the upstream database (https://bugzilla.mozilla.org/show_bug.cgi?id=470789) and believe that it is more appropriate to let it be resolved upstream.

Red Hat will continue to track the issue in the centralized upstream bug tracker, and will review any bug fixes that become available for consideration in future updates.

Thank you for the bug report.

Comment 7 Jan Kratochvil 2009-03-30 13:57:16 UTC
Reproducer cookbook:
Open http://zpravy.idnes.cz/archiv.asp .
Open each of the articles there into a new tab, open 10-20 tabs at once this way into the same window.
Then click on "Print" ("Tisk") in each of the tabs.
If Firefox survives, close the whole window and start again. On the 2nd or 3rd window it will crash.
Reproduced now on updated F10, firefox-3.0.8-1.fc10.x86_64.

Comment 8 Martin Stransky 2009-03-30 14:13:29 UTC
Okay, taking this one.

Comment 9 Jan Kratochvil 2009-03-31 12:47:05 UTC
On
ftp://ftp.mozilla.org/pub/firefox/releases/3.1b3/linux-i686/en-US/firefox-3.1b3.tar.bz2
it is unreproducible for me in Fedora 10 i686 in qemu-kvm -smp 1.
Forgot in the reproducer cookbook above I also use for Firefox:
export MALLOC_CHECK_=3
(I did not try if it is required for the reproducibility on native F10 Firefox.)

Comment 10 Martin Stransky 2009-03-31 13:55:03 UTC
Hm, it's really strange. I tried to reproduce it with 3.0.8, 3.1b3, both i386 & x86_64 but all works for me...

Comment 11 Martin Stransky 2009-03-31 13:58:57 UTC
Let's hope it's fixed in the upcoming 3.5 release.

Comment 12 Jan Kratochvil 2009-04-30 16:46:30 UTC
FYI on full F11.x86_64 it is no longer reproducible for me.
(firefox-3.5-0.20.beta4.fc11.x86_64 if it was not caused by some of the .so's)

Comment 13 Martin Stransky 2009-04-30 19:44:19 UTC
yes, I see the patch in 3.1 line - https://bugzilla.mozilla.org/show_bug.cgi?id=451341

So upgrade to f11 will resolve this issue.

Comment 14 Jan Kratochvil 2009-04-30 19:47:26 UTC
FYI
https://bugzilla.mozilla.org/show_bug.cgi?id=451341
gives to mortals:
You are not authorized to access bug #451341. 
But I believe.

Comment 15 Martin Stransky 2009-04-30 19:52:57 UTC
I see. Anyway mozilla BZ claims it should be fixed in upcoming firefox 3.0.11 so you can easily test it in ~ month ;-)