Ubuntu
firefox package

MASTER Firefox Crashed [@nsTextControlFrame::SetValue] ] [@nsTextControlFrame::SetProperty]

Bug #89090 reported by siucdude
110
Affects Status Importance Assigned to Milestone
Mozilla Firefox
Invalid
Critical
firefox (Ubuntu)
Fix Released
High
Mozilla Bugs
firefox-3.0 (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

Binary package hint: firefox

this is new since 2.02 version

ProblemType: Crash
Architecture: i386
CrashCounter: 1
Date: Thu Mar 1 19:30:40 2007
DistroRelease: Ubuntu 7.04
ExecutablePath: /usr/lib/firefox/firefox-bin
Package: firefox 2.0.0.2+1-0ubuntu1
ProcCmdline: /usr/lib/firefox/firefox-bin
ProcCwd: /home/siucdude
ProcEnviron:
 SHELL=/bin/bash
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/games
 LANG=en_US.UTF-8
Signal: 11
SourcePackage: firefox
StacktraceTop:
 __kernel_vsyscall ()
 raise () from /lib/tls/i686/cmov/libpthread.so.0
 ?? ()
 ?? ()
 ?? ()
Uname: Linux siucdude-laptop 2.6.20-9-generic #2 SMP Mon Feb 26 03:01:44 UTC 2007 i686 GNU/Linux
UserGroups: adm admin audio cdrom dialout dip floppy lpadmin netdev plugdev powerdev scanner video

From the retraced stacktrace:
#0 __kernel_vsyscall ()
#1 raise () from /lib/tls/i686/cmov/libpthread.so.0
#2 nsProfileLock::FatalSignalHandler (signo=11)
#3 <signal handler called>
#4 nsTextControlFrame::SetValue (this=0xa2c5b5c,
#5 nsTextControlFrame::SetProperty (this=0xa2c5b5c,
#6 nsHTMLInputElement::SetValueInternal (this=0xa6d44c0,
#7 nsHTMLInputElement::SetValue (this=0xa6d44c0,
#8 XPTC_InvokeByIndex () at xptcinvoke_gcc_x86_unix.cpp:50
#9 XPCWrappedNative::CallMethod (ccx=@0xbfcd87e8,
#10 XPC_WN_GetterSetter (cx=0xa0e56f0, obj=0xa97d210, argc=1,
#11 js_Invoke (cx=0xa0e56f0, argc=1, flags=2) at jsinterp.c:1396
#12 js_InternalInvoke (cx=0xa0e56f0, obj=0xa97d210,
#13 js_InternalGetOrSet (cx=0xa0e56f0, obj=0xa97d210,
#14 js_SetProperty (cx=0xa0e56f0, obj=0xa97d210, id=135312344,
#15 js_Interpret (cx=0xa0e56f0,
#16 js_Invoke (cx=0xa0e56f0, argc=1, flags=2) at jsinterp.c:1415
#17 js_InternalInvoke (cx=0xa0e56f0, obj=0xa97d218,
...

See original description
Revision history for this message
siucdude (siucdude) wrote :
John Vivirito (gnomefreak)
Changed in firefox:
assignee: nobody → mozilla-bugs
importance: Undecided → High
status: Unconfirmed → Needs Info
Revision history for this message
Hilario J. Montoliu (hjmf) (hmontoliu) wrote : Re: Firefox Crashed

Retrace done.

Marked as mt-confirm for further analysis.

Alexander Sack (asac)
Changed in firefox:
status: Needs Info → Confirmed
Hilario J. Montoliu (hjmf) (hmontoliu)
description: updated
description: updated
Revision history for this message
Hilario J. Montoliu (hjmf) (hmontoliu) wrote :

Related to upstream's https://bugzilla.mozilla.org/show_bug.cgi?id=357030

Changed in firefox:
status: Confirmed → In Progress
description: updated
Bug Watch Updater (bug-watch-updater)
Changed in firefox:
status: Unknown → Rejected
Revision history for this message
In , Borsboom (borsboom) wrote :

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.5pre) Gecko/20070603 BonEcho/2.0.0.5pre
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.5pre) Gecko/20070603 BonEcho/2.0.0.5pre

Firefox intermittently crashes with a SIGSEGV on opening a popup window with window.open javascript code.

Reproducible: Sometimes

Steps to Reproduce:
1. clicking the 'tekstlink' link in the middle of the given URL
2.
3.
Actual Results:
a crash with SIGSEGV

Expected Results:
appearance of a new popup window

Have tried a clean install and a new profile, but this does not resolve the issue.

The same crash can be intermittently evoked when clicking 'Internetbankieren' in the blue bar on the page http://www.rabobank.nl/particulieren/

OS:
Linux nb_knorkaan 2.6.20.11 #1 SMP PREEMPT Thu May 3 20:52:41 CEST 2007 i686 GNU/Linux

Revision history for this message
In , Borsboom (borsboom) wrote :

Created attachment 267134
stack backtrace

Revision history for this message
In , Borsboom (borsboom) wrote :

A critical element in the crash seems to be GetFormControlFrame in nsHTMLInputElement::SetValueInternal returning a non-NULL value when clicking the link described above. In that case, the crash happens. When GetFormControlFrame returns NULL, the window pops up as expected.

Revision history for this message
In , Ria-klaassen (ria-klaassen) wrote :

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.5pre) Gecko/20070604 BonEcho/2.0.0.5pre
WFM.

Revision history for this message
In , Adam Guthrie (ispiked) wrote :

Stack is similar to the one in bug 301270. It would be great if you could attach a minimized testcase including steps on what to do to crash.

Revision history for this message
In , Borsboom (borsboom) wrote :

Created attachment 267169
testcase using window.open

this minimal testcase crashes my firefox when repeatedly clicking the link and closing the popup window

Revision history for this message
In , Borsboom (borsboom) wrote :

bug 357030 also has a similar stack trace

Revision history for this message
In , Vladimir-sukhoy (vladimir-sukhoy) wrote :

Works for me, Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.4) Gecko/2007051502 Firefox/2.0.0.4

It does seem odd that timer routines are in the stack frame.. Maybe some extension is to blame...

Revision history for this message
In , Borsboom (borsboom) wrote :

a method that seems to trigger the bug in 100% of the cases for me:

* run firefox in gdb
* set a breakpoint on nsAppShell::Spindown
* run the test testcase which should trigger the breakpoint
* continue execution which leads to a SIGSEGV with the same stack backtrace

I have no idea why, but this bug seems to be introduced by the commit from bug 368501. When I undo this commit in the current cvs 1.8 branch, the testcase above does not crash firefox anymore.

Revision history for this message
In , Olli-pettay (olli-pettay) wrote :

Works for me, 1.8 branch/Linux (x86/Fedora7 and x86_64/Fedora5)

Revision history for this message
Hilario J. Montoliu (hjmf) (hmontoliu) wrote :

A workaround suggested by upstream is to use a clean profile to get rid of this issue.

Any feedback on this will be appreciated.

Revision history for this message
Adam Guthrie (ispiked) wrote :

It sounds like this crash might be caused by an extension people are using. For those of you who are seeing this, are you using any extensions with Firefox, and if so, does it happen when you run Firefox in safe mode [0]; i.e. with extensions and themes disabled?

[0] http://kb.mozillazine.org/Safe_mode

Revision history for this message
Alexander Sack (asac) wrote : Re: [Bug 89090] Re: MASTER Firefox Crashed [@nsTextControlFrame::SetValue] ] [@nsTextControlFrame::SetProperty]

On Thu, Jun 07, 2007 at 06:45:19PM -0000, Adam Guthrie wrote:
> It sounds like this crash might be caused by an extension people are
> using. For those of you who are seeing this, are you using any
> extensions with Firefox, and if so, does it happen when you run Firefox
> in safe mode [0]; i.e. with extensions and themes disabled?
>
> [0] http://kb.mozillazine.org/Safe_mode
>

Actually, we definitly would need someone that can reproduce to tell
us how to reproduce. Only then we can tackle this crash which appears
to happen not only to a few users.

So a simple testcase is most appreciated. If you see this crash,
please track it down for us.

 - Alexander

Revision history for this message
In , Hilario J. Montoliu (hjmf) (hmontoliu) wrote :

At ubuntu's bug tracker we have received 6 crashes with this stacktrace [1]. Btw I cannot reproduce the test case proposed in comment #5.

[1] https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/89090

Revision history for this message
In , Martijn-martijn (martijn-martijn) wrote :

I added a testcase (with enhanced privileges) in bug 373586 that crashes with this stacktrace.

Bug Watch Updater (bug-watch-updater)
Changed in firefox:
status: Unknown → Unconfirmed
Revision history for this message
In , Dveditz (dveditz) wrote :

How would a bug that was post-1.8 branch be relevant to this bug? or to flip it around, why isn't that test case here rather than added to a fixed bug?

Revision history for this message
In , Dveditz (dveditz) wrote :

Don't see how we can block on an unconfirmed bug. Renominate if there's more progress here.

Revision history for this message
Hilario J. Montoliu (hjmf) (hmontoliu) wrote :

Possible test case (from dup bug #123795) [1]:

Go to the page [2] ; As soon as you can see the image (K-EUROPAHAV.jpg), click on it repeatedly. I notice high CPU usage for a couple of seconds then itcrashes.

(not yet tested)

[1] https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/123795
[2] http://hd.se/inrikes/2007/07/03/algblomning-paa-gaang-i/

Revision history for this message
Johnathon (kirrus) wrote :

We've found that in our instance (using scalix webmail, http://scalix.com), clearing Cookies and Authenticated sessions has solved this issue for now. (I've already moved the user onto a clean Firefox profile, that worked for a time, and then FF started crashing with the same error again.)

Will post if we get more errors with this one...

Revision history for this message
In , Alexander Sack (asac) wrote :

we still see dupes coming in from 2.0.0.4/1.5.0.12 ... so confirming as a first step.

Revision history for this message
In , Alexander Sack (asac) wrote :

note: the attached testcase doesn't crash for me.

Revision history for this message
In , Martijn-martijn (martijn-martijn) wrote :

A patch was checked in in bug 386254, that fixed a crash with a similar stacktrace.
This was checked in on the 1.8.1.5 and 1.8.0.13 branch, so hopefully that fixes it.

Bug Watch Updater (bug-watch-updater)
Changed in firefox:
status: New → Confirmed
Revision history for this message
Alexander Sack (asac) wrote :

we should search for dupes against the firefox-3.0 package.

Changed in firefox-3.0:
status: New → Incomplete
Revision history for this message
Alexander Sack (asac) wrote :

according to upstream a similar backtrace was fixed.

Changed in firefox:
status: In Progress → Fix Released
Revision history for this message
In , Alexander Sack (asac) wrote :

*** This bug has been marked as a duplicate of bug 386254 ***

Revision history for this message
Alexander Sack (asac) wrote :

ok, appears to be really fixed upstream.

Changed in firefox-3.0:
status: Incomplete → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in firefox:
status: Confirmed → Invalid
Bug Watch Updater (bug-watch-updater)
Changed in firefox:
importance: Unknown → Critical
status: Invalid → Unknown
Bug Watch Updater (bug-watch-updater)
Changed in firefox:
status: Unknown → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.