Bug 480046
| Field | Value |
|---|---|
| Summary | Firefox crashes when opened on page with JavaScript alert |
| Product | [Fedora] Fedora |
| Component | firefox |
| Status | CLOSED UPSTREAM |
| Severity | high |
| Priority | low |
| Version | 10 |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | i686 |
| OS | Linux |
| Whiteboard | |
| Reporter | Matt McCutchen <matt> |
| Assignee | Martin Stransky <stransky> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Docs Contact | |
| CC | gecko-bugs-nobody, iarlyy, stransky, walters |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2009-01-19 14:48:39 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | |
Description
Matt McCutchen
2009-01-14 18:13:12 UTC
I get the following error when I try it:

```
[iarly@ski0s ~]$ firefox http://mattmccutchen.net/private/crash-firefox.git/?a=project_list
/usr/lib/firefox-3.0.5/run-mozilla.sh: line 131:  4487 Segmentation fault      "$prog" ${1+"$@"}
```

The stacktrace looks nice, I'll try to reproduce it.

```
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1208424752 (LWP 15041)]
0x00000400 in ?? ()
```

It looks like a memory corruption in nsRefPtr::nsRefPtr():

```
#1  0x018881d9 in nsRefPtr (this=0xbffb0a9c, aRawPtr=0xaa3cf40) at ../../../dist/include/xpcom/nsAutoPtr.h:980
980         mRawPtr->AddRef();
(gdb) disas 0x018881d9
Dump of assembler code for function nsRefPtr:
0x018881ac <nsRefPtr+0>:    push   ebp
0x018881ad <nsRefPtr+1>:    mov    ebp,esp
0x018881af <nsRefPtr+3>:    sub    esp,0x8
0x018881b2 <nsRefPtr+6>:    mov    edx,DWORD PTR [ebp+8]
0x018881b5 <nsRefPtr+9>:    mov    eax,DWORD PTR [ebp+12]
0x018881b8 <nsRefPtr+12>:   mov    DWORD PTR [edx],eax
0x018881ba <nsRefPtr+14>:   mov    eax,DWORD PTR [ebp+8]
0x018881bd <nsRefPtr+17>:   mov    eax,DWORD PTR [eax]
0x018881bf <nsRefPtr+19>:   test   eax,eax
0x018881c1 <nsRefPtr+21>:   je     0x18881d9 <nsRefPtr+45>
0x018881c3 <nsRefPtr+23>:   mov    eax,DWORD PTR [ebp+8]
0x018881c6 <nsRefPtr+26>:   mov    eax,DWORD PTR [eax]
0x018881c8 <nsRefPtr+28>:   mov    eax,DWORD PTR [eax]
0x018881ca <nsRefPtr+30>:   add    eax,0x4
0x018881cd <nsRefPtr+33>:   mov    edx,DWORD PTR [eax]
0x018881cf <nsRefPtr+35>:   mov    eax,DWORD PTR [ebp+8]
0x018881d2 <nsRefPtr+38>:   mov    eax,DWORD PTR [eax]
0x018881d4 <nsRefPtr+40>:   mov    DWORD PTR [esp],eax
0x018881d7 <nsRefPtr+43>:   call   edx
0x018881d9 <nsRefPtr+45>:   leave
0x018881da <nsRefPtr+46>:   ret
```

where edx is:

```
(gdb) info registers edx
edx            0x400    1024
```

Fully reproducible with upstream binaries...

It looks like the nsWindow structure attached to the GdkWindow and obtained by get_window_for_gdk_window() is already released, so Firefox tries to AddRef already released memory.
Moved upstream - https://bugzilla.mozilla.org/show_bug.cgi?id=474303

The upstream bug seems to have become private since I last tried to view it. May I have access to view it?
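As an added example (not Firefox or GTK code, and not the upstream patch), the lifetime pattern the crash analysis above points at, reduced to a refcounted window, an nsRefPtr-like holder whose constructor calls AddRef(), and a table that maps a GdkWindow stand-in to the raw window pointer. The fix modelled here, detaching the table entry in the destructor so a lookup can never return a freed object, is an assumption of mine; all names other than AddRef/Release and get_window_for_gdk_window are made up for the example.

```cpp
#include <map>

struct GdkWindowHandle { int id; };   // stand-in for a GdkWindow*
class Window;                         // stand-in for nsWindow
// Models the nsWindow pointer attached to a GdkWindow and read back later.
static std::map<int, Window*> g_gdk_to_window;

class Window {
 public:
  explicit Window(int gdk_id) : gdk_id_(gdk_id), refcnt_(0) {
    g_gdk_to_window[gdk_id_] = this;  // attach to the GdkWindow
  }
  virtual ~Window() {
    // Assumed fix: detach on destruction; without this the table entry dangles
    g_gdk_to_window.erase(gdk_id_);
  }
  virtual void AddRef() { ++refcnt_; }  // dispatched via the vtable, as in the crash
  virtual void Release() { if (--refcnt_ == 0) delete this; }
  int refcnt() const { return refcnt_; }
 private:
  int gdk_id_;
  int refcnt_;
};

// nsRefPtr-like holder: the constructor does mRawPtr->AddRef() just like the
// crashing frame, so building it from a dangling pointer is the use-after-free.
template <class T> class RefPtr {
 public:
  explicit RefPtr(T* raw) : raw_(raw) { if (raw_) raw_->AddRef(); }
  ~RefPtr() { if (raw_) raw_->Release(); }
  T* get() const { return raw_; }
 private:
  T* raw_;
};

Window* get_window_for_gdk_window(GdkWindowHandle h) {
  auto it = g_gdk_to_window.find(h.id);
  return it == g_gdk_to_window.end() ? nullptr : it->second;
}

// Live window: the lookup succeeds and a second holder raises the count to 2.
int refcount_while_alive() {
  GdkWindowHandle h{7};
  RefPtr<Window> owner(new Window(h.id));               // refcount 1
  RefPtr<Window> second(get_window_for_gdk_window(h));  // refcount 2
  return second.get()->refcnt();
}

// Released window: the last Release() deletes it and the destructor detaches,
// so the lookup must return nullptr instead of a pointer to freed memory.
bool lookup_after_release_is_null() {
  GdkWindowHandle h{42};
  { RefPtr<Window> owner(new Window(h.id)); }           // 1 -> 0 -> deleted
  return get_window_for_gdk_window(h) == nullptr;
}
```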