Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 208795

Summary: crash when printing page
Product: Red Hat Enterprise Linux 5 Reporter: Lawrence Lim <llim>
Component: firefoxAssignee: Behdad Esfahbod <behdad>
Status: CLOSED CURRENTRELEASE QA Contact: David Lawrence <dkl>
Severity: high Docs Contact:
Priority: medium    
Version: 5.0CC: caillon, desktop-bugs, iboverma, jan.kratochvil, tools-bugs, wtogami, zcerza
Target Milestone: ---Keywords: Desktop, TestBlocker
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: ReviewOct23
Fixed In Version: 5.0.0 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-11-10 02:18:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 208240    
Bug Blocks:    
Attachments:
Description Flags
.tar.gz of core + gdb session log
none
valgrind --trace-children=yes firefox 2>&1|tee /tmp/firefox-vagrind.log
none
patch none

Description Lawrence Lim 2006-10-01 23:47:57 UTC 
+++ This bug was initially created as a clone of Bug #208240 +++

Description of problem:

* firefox-1.5.0.7-3.fc6
* surf to www.paypal.com
* print page
* kaboom.

[hanwen@haring tmp]$ gdb /usr/lib/firefox-1.5.0.7/firefox-bin 
GNU gdb Red Hat Linux (6.5-8_jkratoch0.fc6rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db
library "/lib/libthread_db.so.1".

(gdb) r
Starting program: /usr/lib/firefox-1.5.0.7/firefox-bin 
[Thread debugging using libthread_db enabled]
[New Thread -1208886528 (LWP 3778)]
[New Thread -1211155568 (LWP 3784)]
[New Thread -1225786480 (LWP 3785)]
[New Thread -1236276336 (LWP 3787)]
Adblock Plus: abp.QI to an unknown interface: {a6cf906b-15b3-11d2-932e-00805f8add32}
Adblock Plus: abp.QI to an unknown interface: {a6cf906b-15b3-11d2-932e-00805f8add32}
Adblock Plus: abp.QI to an unknown interface: {a6cf906b-15b3-11d2-932e-00805f8add32}
[New Thread -1247294576 (LWP 3789)]
[New Thread -1257784432 (LWP 3790)]
[Thread -1247294576 (LWP 3789) exited]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1208886528 (LWP 3778)]
IA__FcCharSetDestroy (fcs=0xb70db2e8) at fccharset.c:57
57          if (fcs->ref == FC_REF_CONSTANT)
Current language:  auto; currently c
(gdb) p fcs
$1 = (FcCharSet *) 0xb70db2e8
(gdb) p *fcs
Cannot access memory at address 0xb70db2e8
(gdb) bt
#0  IA__FcCharSetDestroy (fcs=0xb70db2e8) at fccharset.c:57
#1  0x054572d3 in ~nsFontMetricsPS (this=0xab46cb8) at nsFontMetricsPS.cpp:111
#2  0x05456fab in nsFontMetricsPS::Release (this=0x0) at nsFontMetricsPS.cpp:135
#3  0x006757c7 in nsFontCache::Flush (this=0xaa98270) at nsDeviceContext.cpp:715
#4  0x006758c4 in ~nsFontCache (this=0xaa98270) at nsDeviceContext.cpp:580
#5  0x0545448a in ~nsFontCachePS (this=0xaa98270) at nsDeviceContextPS.cpp:547
#6  0x00675188 in ~DeviceContextImpl (this=0xb6fa4b78) at nsDeviceContext.cpp:88
#7  0x054539d8 in ~nsDeviceContextPS (this=0xb6fa4b78) at nsDeviceContextPS.cpp:134
#8  0x00675a24 in DeviceContextImpl::Release (this=0x0) at nsDeviceContext.cpp:54
#9  0x054537f8 in nsDeviceContextPS::Release (this=0xb6fa4b78)
    at nsDeviceContextPS.cpp:179
#10 0x02d676ad in ~nsCOMPtr_base (this=<value optimized out>) at nsCOMPtr.cpp:81
#11 0x0651c652 in ~nsCOMPtr (this=0xb71b135c) at dist/include/xpcom/nsCOMPtr.h:542
#12 0x066058e4 in ~nsPrintData (this=0xb71b1358) at nsPrintData.cpp:159
#13 0x06601fb3 in nsPrintEngine::Destroy (this=0xb6f6aa80) at nsPrintEngine.cpp:283
#14 0x06519f1e in DocumentViewerImpl::OnDonePrinting (this=0xa665de0)
    at nsDocumentViewer.cpp:4141
#15 0x065fc722 in HandlePLEvent (aEvent=0xb6facfa0) at nsPrintEngine.cpp:4549
#16 0x02da8bfd in PL_HandleEvent (self=0xb6facfa0) at plevent.c:688
#17 0x02da8e86 in PL_ProcessPendingEvents (self=0x9cd30f0) at plevent.c:623
#18 0x02daa6b3 in nsEventQueueImpl::ProcessPendingEvents (this=0x9cd30a8)
    at nsEventQueue.cpp:417
#19 0x00e3ac16 in event_processor_callback (source=0x9dbf320, condition=G_IO_IN, 
    data=0x0) at nsAppShell.cpp:67
#20 0x0029494d in g_io_channel_unix_get_fd () from /lib/libglib-2.0.so.0
#21 0x0026b342 in g_main_context_dispatch () from /lib/libglib-2.0.so.0
#22 0x0026e31f in g_main_context_check () from /lib/libglib-2.0.so.0
#23 0x0026e6c9 in g_main_loop_run () from /lib/libglib-2.0.so.0
#24 0x027621c4 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#25 0x09e01ef0 in ?? ()
#26 0x09e01ef0 in ?? ()
#27 0x00000001 in ?? ()
#28 0x00000001 in ?? ()
#29 0x00000000 in ?? ()
(gdb)
Comment 1 RHEL Program Management 2006-10-02 00:02:45 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux release.  Product Management has requested further review
of this request by Red Hat Engineering.  This request is not yet committed for
inclusion in release.
Comment 3 Lawrence Lim 2006-10-02 01:10:21 UTC 
Sure. Thanks for the info.

Reference to Release Criteria:
Section 1.D.1

Desktop->Firefox->Smoketest passes 100%
Comment 4 Jan Kratochvil 2006-10-15 09:37:07 UTC 
Confirming on RHEL5 running: firefox-1.5.0.7-7.fc6.i386
Despite the original RawHide Bug 208240 for firefox-1.5.0.7-3.fc6 has been
CLOSED. The Bug still looks to be the same. Reproducibility: Always.
1. http://www.redhat.com/
2. Print Preview
3. Close (Preview)

#0  0x0079aa77 in FcCharSetDestroy () from /usr/lib/libfontconfig.so.1
#1  0x018da2d3 in ~nsFontMetricsPS (this=0xb2d60e30) at nsFontMetricsPS.cpp:111
#2  0x018d9fab in nsFontMetricsPS::Release (this=0x0) at nsFontMetricsPS.cpp:135
#3  0x00d8a7c7 in nsFontCache::Flush (this=0xb2fcb4a8) at nsDeviceContext.cpp:715
#4  0x00d8a8c4 in ~nsFontCache (this=0xb2fcb4a8) at nsDeviceContext.cpp:580
#5  0x018d748a in ~nsFontCachePS (this=0xb2fcb4a8) at nsDeviceContextPS.cpp:547
#6  0x00d8a188 in ~DeviceContextImpl (this=0xb31e4b90) at nsDeviceContext.cpp:88
#7  0x018d69d8 in ~nsDeviceContextPS (this=0xb31e4b90) at nsDeviceContextPS.cpp:134
#8  0x00d8aa24 in DeviceContextImpl::Release (this=0x0) at nsDeviceContext.cpp:54
#9  0x018d67f8 in nsDeviceContextPS::Release (this=0xb31e4b90) at
nsDeviceContextPS.cpp:179
#10 0x06e23909 in nsCOMPtr_base::assign_assuming_AddRef (this=0x0, newPtr=0x0)
at ../dist/include/xpcom/nsCOMPtr.h:531
#11 0x06e236ee in nsCOMPtr_base::assign_with_AddRef (this=0x9972e28, rawPtr=0x0)
at nsCOMPtr.cpp:89
#12 0x00d8b517 in nsCOMPtr<nsIDeviceContext>::operator= (this=0x9972e28,
rhs=0x0) at dist/include/xpcom/nsCOMPtr.h:713
#13 0x00d89971 in DeviceContextImpl::SetAltDevice (this=0x9972df0, aAltDC=0x0)
at nsDeviceContext.cpp:547
#14 0x012285a0 in DocumentViewerImpl::InitInternal (this=0xb3e70f40,
aParentWidget=0xb3f7c360, aState=0x0, 
    aDeviceContext=0x9972df0, aBounds=@0xbfd8f988, aDoCreation=1,
aInPrintPreview=1) at nsDocumentViewer.cpp:786
#15 0x0122b960 in DocumentViewerImpl::ReturnToGalleyPresentation
(this=0xb3e70f40) at nsDocumentViewer.cpp:3972
#16 0x01226c7f in DocumentViewerImpl::ExitPrintPreview (this=0xb3e70f40) at
nsDocumentViewer.cpp:3650
#17 0x06e7bbe1 in XPTC_InvokeByIndex () at dist/include/xpcom/xptcstubsdef.inc:251
#18 0x0053843f in XPCWrappedNative::CallMethod (ccx=@0xbfd8fc5c,
mode=XPCWrappedNative::CALL_METHOD)
    at xpcwrappednative.cpp:2156
#19 0x0053c119 in XPC_WN_CallMethod (cx=0x956e9d0, obj=0x947ec80, argc=0,
argv=0x9af82a0, vp=0xbfd8fd7c)
    at xpcwrappednativejsops.cpp:1445
#20 0x0013daa7 in js_Invoke (cx=0x956e9d0, argc=0, flags=2) at jsinterp.c:1187
#21 0x00131026 in js_InternalInvoke (cx=0x956e9d0, obj=0x947ec80,
fval=155708608, flags=2, argc=0, argv=0x9af8284, 
    rval=0xbfd8ff58) at jsinterp.c:1284
#22 0x0010ca48 in JS_CallFunctionValue (cx=0x956e9d0, obj=0x947ec80,
fval=155708608, argc=0, argv=0x9af8284, rval=0xbfd8ff58)
    at jsapi.c:4186
#23 0x0053f941 in XPC_NW_FunctionWrapper (cx=0x956e9d0, obj=0x947ec88, argc=0,
argv=0x9af8284, rval=0xbfd8fffc)
    at XPCNativeWrapper.cpp:385
#24 0x0013daa7 in js_Invoke (cx=0x956e9d0, argc=0, flags=0) at jsinterp.c:1187
#25 0x00138641 in js_Interpret (cx=0x956e9d0, pc=0x95aaee5 ":",
result=0xbfd90328) at jsinterp.c:3583
#26 0x0013db00 in js_Invoke (cx=0x956e9d0, argc=1, flags=2) at jsinterp.c:1207
#27 0x00131026 in js_InternalInvoke (cx=0x956e9d0, obj=0x9828598,
fval=155707856, flags=2, argc=1, argv=0xbfd9057c, 
    rval=0xbfd9056c) at jsinterp.c:1284
#28 0x0010ca48 in JS_CallFunctionValue (cx=0x956e9d0, obj=0x9828598,
fval=155707856, argc=1, argv=0xbfd9057c, 
    rval=0xbfd9056c) at jsapi.c:4186
#29 0x0149b9db in nsJSContext::CallEventHandler (this=0x955cc50,
aTarget=0x9828598, aHandler=0x947e9d0, argc=1, 
    argv=0xbfd9057c, rval=0xbfd9056c) at nsJSEnvironment.cpp:1456
#30 0x014d64eb in nsJSEventListener::HandleEvent (this=0xb2af4328,
aEvent=0x99621e0) at nsJSEventListener.cpp:186
#31 0x013cae23 in nsEventListenerManager::HandleEventSubType (this=0xb2f6cef0,
aListenerStruct=0xb3ed9c60, 
    aDOMEvent=0x99621e0, aCurrentTarget=0x9a94350, aSubType=8, aPhaseFlags=7) at
nsEventListenerManager.cpp:1687
#32 0x013cc1b7 in nsEventListenerManager::HandleEvent (this=0xb2f6cef0,
aPresContext=0x965c978, aEvent=0xbfd90980, 
    aDOMEvent=0xbfd9083c, aCurrentTarget=0x9a94350, aFlags=7,
aEventStatus=0xbfd909c8) at nsEventListenerManager.cpp:1788
#33 0x01474a7e in nsXULElement::HandleDOMEvent (this=0xb2af42f0,
aPresContext=0x965c978, aEvent=0xbfd90980, 
    aDOMEvent=0xbfd9083c, aFlags=7, aEventStatus=0xbfd909c8) at
nsXULElement.cpp:2152
#34 0x0123ff1f in PresShell::HandleDOMEventWithTarget (this=0x92b01c0,
aTargetContent=0xb2af42f0, aEvent=0xbfd90980, 
    aStatus=0xbfd909c8) at nsPresShell.cpp:6519
#35 0x013471e2 in nsButtonBoxFrame::DoMouseClick (this=0xb3dde094,
aEvent=0xbfd90b78, aTrustEvent=0)
    at nsButtonBoxFrame.cpp:179
#36 0x0133e0b3 in nsButtonBoxFrame::MouseClicked (this=0xb3dde094,
aPresContext=0x965c978, aEvent=0xbfd90b78)
    at nsButtonBoxFrame.h:61
#37 0x01347434 in nsButtonBoxFrame::HandleEvent (this=0xb3dde094,
aPresContext=0x965c978, aEvent=0xbfd90b78, 
    aEventStatus=0xbfd91020) at nsButtonBoxFrame.cpp:149
#38 0x0123a9b2 in PresShell::HandleEventInternal (this=0x92b01c0,
aEvent=0xbfd90b78, aView=0x0, aFlags=1, aStatus=0xbfd91020)
    at nsPresShell.cpp:6464
#39 0x0123b082 in PresShell::HandleEventWithTarget (this=0x92b01c0,
aEvent=0xbfd90b78, aFrame=0xb3dde094, 
    aContent=0xb2af42f0, aFlags=1, aStatus=0xbfd91020) at nsPresShell.cpp:6320
#40 0x013cef25 in nsEventStateManager::CheckForAndDispatchClick (this=0x961a508,
aPresContext=0x965c978, aEvent=0xbfd91174, 
    aStatus=0xbfd91020) at nsEventStateManager.cpp:3049
#41 0x013d55ea in nsEventStateManager::PostHandleEvent (this=0x961a508,
aPresContext=0x965c978, aEvent=0xbfd91174, 
    aTargetFrame=0xb3dde094, aStatus=0xbfd91020, aView=0x96344b0) at
nsEventStateManager.cpp:2027
#42 0x0123aae3 in PresShell::HandleEventInternal (this=0x92b01c0,
aEvent=0xbfd91174, aView=0x96344b0, aFlags=513, 
    aStatus=0xbfd91020) at nsPresShell.cpp:6495
#43 0x012440dd in PresShell::HandleEvent (this=0x92b01c0, aView=0x96344b0,
aEvent=0xbfd91174, aEventStatus=0xbfd91020, 
    aForceHandle=1, aHandled=@0xbfd91018) at nsPresShell.cpp:6259
#44 0x01492e28 in nsViewManager::HandleEvent (this=0x96a6c78, aView=0x96344b0,
aEvent=0xbfd91174, aCaptured=0)
    at nsViewManager.cpp:2557
#45 0x01496d0e in nsViewManager::DispatchEvent (this=0x96a6c78,
aEvent=0xbfd91174, aStatus=0xbfd91130)
    at nsViewManager.cpp:2246
#46 0x0148dfa5 in HandleEvent (aEvent=0xbfd91174) at nsView.cpp:171
#47 0x00d504c0 in nsCommonWidget::DispatchEvent (this=0x9634518,
aEvent=0xbfd91174, aStatus=@0xbfd911bc)
    at nsCommonWidget.cpp:219
#48 0x00d4b01e in nsWindow::OnButtonReleaseEvent (this=0x9634518,
aWidget=0x93bdd48, aEvent=0x9576400) at nsWindow.cpp:1600
#49 0x00d4b049 in button_release_event_cb (widget=0x93bdd48, event=0x9576400) at
nsWindow.cpp:3731
#50 0x009fe0c0 in gtk_marshal_BOOLEAN__VOID () from /usr/lib/libgtk-x11-2.0.so.0
#51 0x006a6f0b in IA__g_closure_invoke (closure=0x955ccc0,
return_value=0xbfd91340, n_param_values=2, 
    param_values=0xbfd9141c, invocation_hint=0xbfd9132c) at gclosure.c:490
#52 0x006b7e83 in signal_emit_unlocked_R (node=0x932cf60, detail=0,
instance=0x93bdd48, emission_return=0xbfd915dc, 
    instance_and_params=0xbfd9141c) at gsignal.c:2438
#53 0x006b9147 in IA__g_signal_emit_valist (instance=0x93bdd48, signal_id=29,
detail=0, var_args=0xbfd91660 "x\026ٿ")
    at gsignal.c:2207
#54 0x006b9539 in IA__g_signal_emit (instance=0x93bdd48, signal_id=29, detail=0)
at gsignal.c:2241
#55 0x00b12118 in gtk_widget_get_default_style () from /usr/lib/libgtk-x11-2.0.so.0
#56 0x009f7563 in gtk_propagate_event () from /usr/lib/libgtk-x11-2.0.so.0
#57 0x009f8767 in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0
#58 0x0082a0ea in gdk_add_client_message_filter () from /usr/lib/libgdk-x11-2.0.so.0
#59 0x005f4342 in IA__g_main_context_dispatch (context=0x9157368) at gmain.c:2045
#60 0x005f731f in g_main_context_iterate (context=0x9157368, block=1,
dispatch=1, self=0x93385a8) at gmain.c:2677
#61 0x005f76c9 in IA__g_main_loop_run (loop=0x95060a8) at gmain.c:2881
#62 0x009f8be4 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#63 0x00d4efeb in nsAppShell::Run (this=0x9349378) at nsAppShell.cpp:139
#64 0x01c0ff86 in nsAppStartup::Run (this=0x9352840) at nsAppStartup.cpp:150
#65 0x0804f66f in XRE_main (argc=3, argv=0xbfd91d94, aAppData=0x8065480) at
nsAppRunner.cpp:2374
#66 0x0804ab90 in main (argc=Cannot access memory at address 0x1
) at nsBrowserApp.cpp:61
#67 0x00322f2c in __libc_start_main (main=0x804ab64 <main>, argc=3,
ubp_av=0xbfd91d94, init=0x8059660 <__libc_csu_init>, 
    fini=0x8059650 <__libc_csu_fini>, rtld_fini=0x2fe390 <_dl_fini>,
stack_end=0xbfd91d8c) at libc-start.c:231
#68 0x0804aae1 in _start ()
Comment 5 Behdad Esfahbod 2006-10-19 18:40:46 UTC 
Can you by any chance install debuginfo packages for fontconfig, and reproduce
this under valgrind?
Comment 6 Jan Kratochvil 2006-10-19 20:31:46 UTC 
Created attachment 138903 [details]
.tar.gz of core + gdb session log

Ran under valgrind, externally attached gdb(1), "gcore" generated core file
(crashed "thread 8" in the core file).
No firefox plugins installed (even no libnullplugin.so).
Comment 7 Behdad Esfahbod 2006-10-19 21:46:23 UTC 
No, I really need the valgrind output, not the core or gdb log.
Comment 8 Jan Kratochvil 2006-10-20 12:04:10 UTC 
Created attachment 138965 [details]
valgrind --trace-children=yes firefox 2>&1|tee /tmp/firefox-vagrind.log
Comment 9 Zack Cerza 2006-10-20 19:02:06 UTC 
*** Bug 211669 has been marked as a duplicate of this bug. ***
Comment 10 Matthias Clasen 2006-10-23 17:55:58 UTC 
Behdad says that this will most likely be fixed when the 
firefox/pango printing changes land (see bug 182533)
Comment 11 Behdad Esfahbod 2006-10-24 19:08:35 UTC 
Created attachment 139257 [details]
patch
Comment 12 Behdad Esfahbod 2006-10-24 19:16:08 UTC 
Upstreamed: https://bugzilla.mozilla.org/show_bug.cgi?id=357859
Comment 13 Behdad Esfahbod 2006-10-24 20:16:56 UTC 
This is actually already fixed upstream, with a better patch (on Oct 6).  Please
pick from there:

      https://bugzilla.mozilla.org/show_bug.cgi?id=294879
Comment 14 Jonathan Blandford 2006-10-24 21:29:43 UTC 
has this been built?  Can we move it to modified?
Comment 15 Behdad Esfahbod 2006-10-25 02:33:37 UTC 
(In reply to comment #14)
> has this been built?

No.  However, caillon has been building firefox with the pango printing patch,
and with that patch this bug will not be hit (unless user uses MOZ_DISABLE_PANGO=1)
Comment 16 Matthias Clasen 2006-10-25 15:54:37 UTC 
firefox-1.5.0.7-8.el5 has the pango printing patch
Comment 18 Nicole Dai 2006-10-27 07:36:13 UTC 
Verified the crash was not found in firefox-1.5.0.7-8.el5.
Comment 19 Nicole Dai 2006-11-10 02:18:20 UTC 
Retested the bug with firefox-1.5.0.7-8.el5. on RHEL5-Client-20061108.nightly
and verfied again it has been fixed. Resolve it now.