Bug 451309 - crashes on closing of a tab
crashes on closing of a tab
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: firefox (Show other bugs)
9
All Linux
low Severity urgent
: ---
: ---
Assigned To: Gecko Maintainer
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-06-13 15:32 EDT by Bill Nottingham
Modified: 2018-04-11 12:06 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-07-04 12:40:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Valgrind log (103.07 KB, text/plain)
2008-07-04 10:29 EDT, Erik van Pienbroek
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Mozilla Foundation 443637 None None None Never

  None (edit)
Description Bill Nottingham 2008-06-13 15:32:09 EDT
Description of problem:

Crash log is:

Program received signal SIGSEGV, Segmentation fault.
0x00000039517e3e80 in ReleaseObjects (aElement=<value optimized out>)
    at nsCOMArray.cpp:151
151         NS_IF_RELEASE(element);
#2  <signal handler called>
#3  0x00000039517e3e80 in ReleaseObjects (aElement=<value optimized out>)
    at nsCOMArray.cpp:151
#4  0x00000039517e68f0 in nsVoidArray::EnumerateForwards (this=<value optimized
out>, 
    aFunc=<value optimized out>, aData=<value optimized out>) at nsVoidArray.cpp:678
#5  0x00000039517e3e9c in nsCOMArray_base::Clear (this=<value optimized out>)
    at nsCOMArray.cpp:158
#6  0x0000003951786866 in nsDocAccessible::FlushPendingEvents (
    this=<value optimized out>) at ../../../dist/include/xpcom/nsCOMArray.h:217
#7  0x0000003951818ee2 in nsTimerImpl::Fire (this=<value optimized out>)
    at nsTimerImpl.cpp:400
#8  0x0000003951818f49 in nsTimerEvent::Run (this=<value optimized out>)
    at nsTimerImpl.cpp:490
#9  0x0000003951816a9e in nsThread::ProcessNextEvent (this=<value optimized out>, 
    mayWait=<value optimized out>, result=<value optimized out>) at nsThread.cpp:510
#10 0x00000039517e82f6 in NS_ProcessNextEvent_P (thread=<value optimized out>, 
    mayWait=<value optimized out>) at nsThreadUtils.cpp:227
#11 0x000000395176010d in nsBaseAppShell::Run (this=<value optimized out>)
    at nsBaseAppShell.cpp:170
#12 0x00000039516235bd in nsAppStartup::Run (this=<value optimized out>)
    at nsAppStartup.cpp:181
#13 0x000000395101f73b in XRE_main (argc=<value optimized out>, 
    argv=<value optimized out>, aAppData=<value optimized out>)
    at nsAppRunner.cpp:3154
#14 0x0000000000401665 in __gxx_personality_v0 ()
    at ../../../../libstdc++-v3/libsupc++/eh_personality.cc:363
#15 0x0000003ce241e32a in __libc_start_main (main=<value optimized out>, 
    argc=<value optimized out>, ubp_av=<value optimized out>, 
    init=<value optimized out>, fini=<value optimized out>, 
    rtld_fini=<value optimized out>, stack_end=Could not find the frame base for
"__libc_start_main".
) at libc-start.c:220
#16 0x0000000000401159 in __gxx_personality_v0 ()
    at ../../../../libstdc++-v3/libsupc++/eh_personality.cc:363
#17 0x00007fff0df62378 in ?? ()
#18 0x000000000000001c in ?? ()
#19 0x0000000000000001 in ?? ()
#20 0x00007fff0df62729 in ?? ()
#21 0x0000000000000000 in ?? ()

Version-Release number of selected component (if applicable):

firefox-3.0-0.60.beta5.fc9.x86_64
xulrunner-1.9-0.60.beta5.fc9.x86_64

How reproducible:

Fairly often

Steps to Reproduce:
1. Open a bunch of tabs
2. Start closing them
  
Actual results:

Crash
Comment 1 Bill Nottingham 2008-06-13 15:55:12 EDT
Another crash log:

Program received signal SIGABRT, Aborted.
0x0000003ce2432215 in raise (sig=<value optimized out>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
#0  0x0000003ce2432215 in raise (sig=<value optimized out>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003ce2433d83 in abort () at abort.c:88
#2  0x0000003ce2472858 in __libc_message (do_abort=<value optimized out>,
    fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3  0x0000003ce2478158 in malloc_printerr (action=<value optimized out>,
    str=<value optimized out>, ptr=<value optimized out>) at malloc.c:5949
#4  0x0000003ce247a796 in __libc_free (mem=<value optimized out>) at malloc.c:3625
#5  0x000000000118af9e in nsAccessNode::Release (this=0x7023) at
nsAccessNode.cpp:120
#6  0x0000000001190e9c in nsDocAccessible::FlushPendingEvents (this=0x7f011c2028d0)
    at nsDocAccessible.cpp:1640
#7  0x000000000122350e in nsTimerImpl::Fire (this=0x7f0117c3a470)
    at nsTimerImpl.cpp:400
#8  0x0000000001223575 in nsTimerEvent::Run (this=<value optimized out>)
    at nsTimerImpl.cpp:490
#9  0x00000000012210ca in nsThread::ProcessNextEvent (this=0x2579060, mayWait=1,
    result=0x7fff2d2b4c9c) at nsThread.cpp:510
#10 0x00000000011f2922 in NS_ProcessNextEvent_P (thread=0x7023, mayWait=1)
    at nsThreadUtils.cpp:227
#11 0x000000000116a739 in nsBaseAppShell::Run (this=0x2659ac0)
    at nsBaseAppShell.cpp:170
#12 0x000000000102d97d in nsAppStartup::Run (this=0x7f0120647090)
    bat nsAppStartup.cpp:181
#13 0x0000000000a29afb in XRE_main (argc=<value optimized out>,
    argv=<value optimized out>, aAppData=<value optimized out>)
    at nsAppRunner.cpp:3154
#14 0x0000000000401665 in __gxx_personality_v0 ()
    at ../../../../libstdc++-v3/libsupc++/eh_personality.cc:363
#15 0x0000003ce241e32a in __libc_start_main (main=<value optimized out>,
    argc=<value optimized out>, ubp_av=<value optimized out>,
Comment 2 Bill Nottingham 2008-06-18 23:09:38 EDT
Still happens with 3.0-1 & xulrunner-1.9-1.

General trigger is:

1) have more than one tab
2) have a logged-in gmail window in one of those tabs
3) close said tab
Comment 3 Matěj Cepl 2008-06-20 11:24:36 EDT
Weird, by following steps from comment 2 I cannot reproduce -- it just closes
GMail window. Any interesting plugins (try to run with -safe-mode)?
Comment 4 Bill Nottingham 2008-06-20 12:15:11 EDT
safe-mode does not crash.

Disabling all add-ons (AdblockPlus, CustomizeGoogle) and plugins (flash,
standard totem set, gcj) by hand and doing it still crashes.
Comment 5 Matěj Cepl 2008-06-20 16:11:15 EDT
(In reply to comment #4)
> safe-mode does not crash.
> 
> Disabling all add-ons (AdblockPlus, CustomizeGoogle) and plugins (flash,
> standard totem set, gcj) by hand and doing it still crashes.

Still the same backtrace?

ASSIGNing to caillon and martin.
Comment 6 Christopher Aillon 2008-07-02 16:12:11 EDT
Also, the trace indicates this is a11y related.  I'd wager that turning off a11y
gets it to not crash... 
Comment 7 Bill Nottingham 2008-07-03 10:59:39 EDT
Haven't seen it since turning off a11y a while ago.
Comment 8 Erik van Pienbroek 2008-07-04 10:29:54 EDT
Created attachment 311044 [details]
Valgrind log

Hi,

I was also having stability issues with Firefox 3. To find out more of the
cause of these crashes I've run Firefox 3 through valgrind to detect invalid
memory usage.

From line 1043 on there are several 'invalid read' actions which are caused by
Firefox/Xulrunner (the ones earlier are glibc dlopen bugs I think). The
backtrace given earlier in this report is also present and marked as an
'invalid read' action. There's also an invalid free/delete in this log which
would cause Firefox to crash frequently.

This valgrind log is created on a up-to-date rawhide system
Comment 9 Matěj Cepl 2008-07-04 12:32:47 EDT
Erik, please, file a separate bug for this and don't hijack this bug.
Comment 10 Matěj Cepl 2008-07-04 12:40:19 EDT
We have registered this bug in the upstream database
(https://bugzilla.mozilla.org/show_bug.cgi?id=443637) and believe that it is
more appropriate to let it be resolved upstream.

Red Hat will continue to track the issue in the centralized upstream bug
tracker, and will review any bug fixes that become available for consideration
in future updates.

Thank you for the bug report.

Note You need to log in before you can comment on or make changes to this bug.