Bug 442023 - Firefox crashes in nsPresContext::GetViewManager
Summary: Firefox crashes in nsPresContext::GetViewManager
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: firefox
Version: 5.1
Hardware: i386
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Martin Stransky
QA Contact: desktop-bugs@redhat.com
URL:
Whiteboard:
Depends On: 433823
Blocks:
Reported: 2008-04-11 11:33 UTC by Martin Stransky
Modified: 2008-05-06 06:58 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-06 06:58:56 UTC
Target Upstream Version:
Embargoed:

Description Martin Stransky 2008-04-11 11:33:46 UTC
I found a web page that crashes firefox 100% of the time:
http://www.worldtimeserver.com/convert_time_in_US-MN.aspx

Sometimes just visiting that page will crash it, but if you choose a country on
the right (I've been choosing UTC), firefox will crash.  Looking at the bt, it's
similar to crashes I get in less reproducible scenarios.  I tested multiple
systems with freshly created users and they all crash.  I removed all plugins
from the systems as well.

I've tested the current firefox (firefox-1.5.0.12-14.el5_1) and the debug
edition posted here (referenced in comment 57).  They both crash on that page.

It does not affect Firefox 3.

BT:

#0  0x00002aaab3f49aca in nsIPresShell::GetViewManager (this=0x0) at
../../../../../base/nsIPresShell.h:179
#1  0x00002aaab3f49bb1 in nsPresContext::GetViewManager (this=0x1e50250) at
../../../../../base/nsPresContext.h:170
#2  0x00002aaab430f4f5 in nsGlobalWindow::GetScrollInfo (this=0x1c7df60,
aScrollableView=0x7fff89b824e0, 
    aP2T=0x7fff89b824dc, aT2P=0x7fff89b824d8) at nsGlobalWindow.cpp:6953
#3  0x00002aaab4312cb4 in nsGlobalWindow::ScrollTo (this=0x1c7df60, aXScroll=0,
aYScroll=0) at nsGlobalWindow.cpp:3951
#4  0x00002aaaab065ea5 in XPTC_InvokeByIndex (that=0x1c7df60, methodIndex=14,
paramCount=2, params=0x7fff89b826e0)
    at xptcinvoke_x86_64_linux.cpp:209
#5  0x00002aaab2c1e5f2 in XPCWrappedNative::CallMethod (ccx=@0x7fff89b82b00,
mode=XPCWrappedNative::CALL_METHOD)
    at xpcwrappednative.cpp:2156
#6  0x00002aaab2c2a04f in XPC_WN_CallMethod (cx=0x1c86090, obj=0x1ecda40,
argc=2, argv=0x1c587a0, vp=0x7fff89b82cf0)
    at xpcwrappednativejsops.cpp:1451
#7  0x00002aaaaab0311d in js_Invoke (cx=0x1c86090, argc=2, flags=0) at
jsinterp.c:1175
#8  0x00002aaaaab118ac in js_Interpret (cx=0x1c86090, pc=0x1b6a3ba ":",
result=0x7fff89b83b38) at jsinterp.c:3599
#9  0x00002aaaaab0318e in js_Invoke (cx=0x1c86090, argc=1, flags=2) at
jsinterp.c:1195
#10 0x00002aaaaab03507 in js_InternalInvoke (cx=0x1c86090, obj=0x1f3af20,
fval=32753488, flags=0, argc=1, 
    argv=0x7fff89b84090, rval=0x7fff89b84070) at jsinterp.c:1272
#11 0x00002aaaaaac956b in JS_CallFunctionValue (cx=0x1c86090, obj=0x1f3af20,
fval=32753488, argc=1, argv=0x7fff89b84090, 
    rval=0x7fff89b84070) at jsapi.c:4191
#12 0x00002aaab4307e74 in nsJSContext::CallEventHandler (this=0x1ab19a0,
aTarget=0x1f3af20, aHandler=0x1f3c750, argc=1, 
    argv=0x7fff89b84090, rval=0x7fff89b84070) at nsJSEnvironment.cpp:1456
#13 0x00002aaab435b3ad in nsJSEventListener::HandleEvent (this=0x1e0d0f0,
aEvent=0x1e9be10) at nsJSEventListener.cpp:186
#14 0x00002aaab41e5c2a in nsEventListenerManager::HandleEventSubType
(this=0x1c0f590, aListenerStruct=0x1d3a330, 
    aDOMEvent=0x1e9be10, aCurrentTarget=0x1c7dfb8, aSubType=1, aPhaseFlags=7) at
nsEventListenerManager.cpp:1687
#15 0x00002aaab41e674b in nsEventListenerManager::HandleEvent (this=0x1c0f590,
aPresContext=0x1e50250, 
    aEvent=0x7fff89b845c0, aDOMEvent=0x7fff89b84570, aCurrentTarget=0x1c7dfb8,
aFlags=7, aEventStatus=0x7fff89b84638)
    at nsEventListenerManager.cpp:1788
#16 0x00002aaab4315859 in nsGlobalWindow::HandleDOMEvent (this=0x1a75df0,
aPresContext=0x1e50250, aEvent=0x7fff89b845c0, 
    aDOMEvent=0x7fff89b84570, aFlags=7, aEventStatus=0x7fff89b84638) at
nsGlobalWindow.cpp:1636
#17 0x00002aaab3f6ca91 in DocumentViewerImpl::LoadComplete (this=0x13a1990,
aStatus=0) at nsDocumentViewer.cpp:1013
#18 0x00002aaab7092987 in nsDocShell::EndPageLoad (this=0x1c7dc60,
aProgress=0x1c7dc88, aChannel=0x1e9caa8, aStatus=0)
    at nsDocShell.cpp:4894
#19 0x00002aaab70ab15b in nsWebShell::EndPageLoad (this=0x1c7dc60,
aProgress=0x1c7dc88, channel=0x1e9caa8, aStatus=0)
    at nsWebShell.cpp:667
#20 0x00002aaab7095151 in nsDocShell::OnStateChange (this=0x1c7dc60,
aProgress=0x1c7dc88, aRequest=0x1e9caa8, 
    aStateFlags=131088, aStatus=0) at nsDocShell.cpp:4820
#21 0x00002aaab70ba4d3 in nsDocLoader::FireOnStateChange (this=0x1c7dc60,
aProgress=0x1c7dc88, aRequest=0x1e9caa8, 
    aStateFlags=131088, aStatus=0) at nsDocLoader.cpp:1210
#22 0x00002aaab70ba55d in nsDocLoader::doStopDocumentLoad (this=0x1c7dc60,
request=0x1e9caa8, aStatus=0)
    at nsDocLoader.cpp:833
#23 0x00002aaab70bb7a1 in nsDocLoader::DocLoaderIsEmpty (this=0x1c7dc60) at
nsDocLoader.cpp:739

Comment 1 Martin Stransky 2008-04-11 11:36:42 UTC
Can be reproduced with 1.5.0.12-15.

Comment 2 Martin Stransky 2008-05-06 06:58:56 UTC
Will be fixed in RHEL_5.2. No update for 1.5 line.