451309 – crashes on closing of a tab

Bug 451309 - crashes on closing of a tab

Summary: crashes on closing of a tab

Keywords:
Status:	CLOSED UPSTREAM
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	firefox
Sub Component:
Version:	9
Hardware:	All
OS:	Linux
Priority:	low
Severity:	urgent
Target Milestone:	---
Assignee:	Gecko Maintainer
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-06-13 19:32 UTC by Bill Nottingham
Modified:	2018-04-11 16:06 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2008-07-04 16:40:19 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Valgrind log (103.07 KB, text/plain) 2008-07-04 14:29 UTC, Erik van Pienbroek	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Mozilla Foundation	443637	0	None	None	None	Never

Description Bill Nottingham 2008-06-13 19:32:09 UTC

Description of problem:

Crash log is:

Program received signal SIGSEGV, Segmentation fault.
0x00000039517e3e80 in ReleaseObjects (aElement=<value optimized out>)
    at nsCOMArray.cpp:151
151         NS_IF_RELEASE(element);
#2  <signal handler called>
#3  0x00000039517e3e80 in ReleaseObjects (aElement=<value optimized out>)
    at nsCOMArray.cpp:151
#4  0x00000039517e68f0 in nsVoidArray::EnumerateForwards (this=<value optimized
out>, 
    aFunc=<value optimized out>, aData=<value optimized out>) at nsVoidArray.cpp:678
#5  0x00000039517e3e9c in nsCOMArray_base::Clear (this=<value optimized out>)
    at nsCOMArray.cpp:158
#6  0x0000003951786866 in nsDocAccessible::FlushPendingEvents (
    this=<value optimized out>) at ../../../dist/include/xpcom/nsCOMArray.h:217
#7  0x0000003951818ee2 in nsTimerImpl::Fire (this=<value optimized out>)
    at nsTimerImpl.cpp:400
#8  0x0000003951818f49 in nsTimerEvent::Run (this=<value optimized out>)
    at nsTimerImpl.cpp:490
#9  0x0000003951816a9e in nsThread::ProcessNextEvent (this=<value optimized out>, 
    mayWait=<value optimized out>, result=<value optimized out>) at nsThread.cpp:510
#10 0x00000039517e82f6 in NS_ProcessNextEvent_P (thread=<value optimized out>, 
    mayWait=<value optimized out>) at nsThreadUtils.cpp:227
#11 0x000000395176010d in nsBaseAppShell::Run (this=<value optimized out>)
    at nsBaseAppShell.cpp:170
#12 0x00000039516235bd in nsAppStartup::Run (this=<value optimized out>)
    at nsAppStartup.cpp:181
#13 0x000000395101f73b in XRE_main (argc=<value optimized out>, 
    argv=<value optimized out>, aAppData=<value optimized out>)
    at nsAppRunner.cpp:3154
#14 0x0000000000401665 in __gxx_personality_v0 ()
    at ../../../../libstdc++-v3/libsupc++/eh_personality.cc:363
#15 0x0000003ce241e32a in __libc_start_main (main=<value optimized out>, 
    argc=<value optimized out>, ubp_av=<value optimized out>, 
    init=<value optimized out>, fini=<value optimized out>, 
    rtld_fini=<value optimized out>, stack_end=Could not find the frame base for
"__libc_start_main".
) at libc-start.c:220
#16 0x0000000000401159 in __gxx_personality_v0 ()
    at ../../../../libstdc++-v3/libsupc++/eh_personality.cc:363
#17 0x00007fff0df62378 in ?? ()
#18 0x000000000000001c in ?? ()
#19 0x0000000000000001 in ?? ()
#20 0x00007fff0df62729 in ?? ()
#21 0x0000000000000000 in ?? ()

Version-Release number of selected component (if applicable):

firefox-3.0-0.60.beta5.fc9.x86_64
xulrunner-1.9-0.60.beta5.fc9.x86_64

How reproducible:

Fairly often

Steps to Reproduce:
1. Open a bunch of tabs
2. Start closing them
  
Actual results:

Crash

Comment 1 Bill Nottingham 2008-06-13 19:55:12 UTC

Another crash log:

Program received signal SIGABRT, Aborted.
0x0000003ce2432215 in raise (sig=<value optimized out>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
#0  0x0000003ce2432215 in raise (sig=<value optimized out>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003ce2433d83 in abort () at abort.c:88
#2  0x0000003ce2472858 in __libc_message (do_abort=<value optimized out>,
    fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3  0x0000003ce2478158 in malloc_printerr (action=<value optimized out>,
    str=<value optimized out>, ptr=<value optimized out>) at malloc.c:5949
#4  0x0000003ce247a796 in __libc_free (mem=<value optimized out>) at malloc.c:3625
#5  0x000000000118af9e in nsAccessNode::Release (this=0x7023) at
nsAccessNode.cpp:120
#6  0x0000000001190e9c in nsDocAccessible::FlushPendingEvents (this=0x7f011c2028d0)
    at nsDocAccessible.cpp:1640
#7  0x000000000122350e in nsTimerImpl::Fire (this=0x7f0117c3a470)
    at nsTimerImpl.cpp:400
#8  0x0000000001223575 in nsTimerEvent::Run (this=<value optimized out>)
    at nsTimerImpl.cpp:490
#9  0x00000000012210ca in nsThread::ProcessNextEvent (this=0x2579060, mayWait=1,
    result=0x7fff2d2b4c9c) at nsThread.cpp:510
#10 0x00000000011f2922 in NS_ProcessNextEvent_P (thread=0x7023, mayWait=1)
    at nsThreadUtils.cpp:227
#11 0x000000000116a739 in nsBaseAppShell::Run (this=0x2659ac0)
    at nsBaseAppShell.cpp:170
#12 0x000000000102d97d in nsAppStartup::Run (this=0x7f0120647090)
    bat nsAppStartup.cpp:181
#13 0x0000000000a29afb in XRE_main (argc=<value optimized out>,
    argv=<value optimized out>, aAppData=<value optimized out>)
    at nsAppRunner.cpp:3154
#14 0x0000000000401665 in __gxx_personality_v0 ()
    at ../../../../libstdc++-v3/libsupc++/eh_personality.cc:363
#15 0x0000003ce241e32a in __libc_start_main (main=<value optimized out>,
    argc=<value optimized out>, ubp_av=<value optimized out>,

Comment 2 Bill Nottingham 2008-06-19 03:09:38 UTC

Still happens with 3.0-1 & xulrunner-1.9-1.

General trigger is:

1) have more than one tab
2) have a logged-in gmail window in one of those tabs
3) close said tab

Comment 3 Matěj Cepl 2008-06-20 15:24:36 UTC

Weird, by following steps from comment 2 I cannot reproduce -- it just closes
GMail window. Any interesting plugins (try to run with -safe-mode)?

Comment 4 Bill Nottingham 2008-06-20 16:15:11 UTC

safe-mode does not crash.

Disabling all add-ons (AdblockPlus, CustomizeGoogle) and plugins (flash,
standard totem set, gcj) by hand and doing it still crashes.

Comment 5 Matěj Cepl 2008-06-20 20:11:15 UTC

(In reply to comment #4)
> safe-mode does not crash.
> 
> Disabling all add-ons (AdblockPlus, CustomizeGoogle) and plugins (flash,
> standard totem set, gcj) by hand and doing it still crashes.

Still the same backtrace?

ASSIGNing to caillon and martin.

Comment 6 Christopher Aillon 2008-07-02 20:12:11 UTC

Also, the trace indicates this is a11y related.  I'd wager that turning off a11y
gets it to not crash...

Comment 7 Bill Nottingham 2008-07-03 14:59:39 UTC

Haven't seen it since turning off a11y a while ago.

Comment 8 Erik van Pienbroek 2008-07-04 14:29:54 UTC

Created attachment 311044 [details]
Valgrind log

Hi,

I was also having stability issues with Firefox 3. To find out more of the
cause of these crashes I've run Firefox 3 through valgrind to detect invalid
memory usage.

From line 1043 on there are several 'invalid read' actions which are caused by
Firefox/Xulrunner (the ones earlier are glibc dlopen bugs I think). The
backtrace given earlier in this report is also present and marked as an
'invalid read' action. There's also an invalid free/delete in this log which
would cause Firefox to crash frequently.

This valgrind log is created on a up-to-date rawhide system

Comment 9 Matěj Cepl 2008-07-04 16:32:47 UTC

Erik, please, file a separate bug for this and don't hijack this bug.

Comment 10 Matěj Cepl 2008-07-04 16:40:19 UTC

We have registered this bug in the upstream database
(https://bugzilla.mozilla.org/show_bug.cgi?id=443637) and believe that it is
more appropriate to let it be resolved upstream.

Red Hat will continue to track the issue in the centralized upstream bug
tracker, and will review any bug fixes that become available for consideration
in future updates.

Thank you for the bug report.

Note You need to log in before you can comment on or make changes to this bug.