Bug#693765: [amd64] segfault when accessing specific page

Tue Nov 20 05:03:21 UTC 2012

Package: iceweasel
Version: 16.0.2-1

URL: http://zh.wikipedia.org/w/index.php?title=User:%E5%86%B2%E4%B9%8B&oldid=21755993

Program received signal SIGSEGV, Segmentation fault.
nsFrameManager::ReResolveStyleContext (this=this at entry=0x7fffc1489400,
aPresContext=aPresContext at entry=0x7fffc16c2800,
aFrame=aFrame at entry=0x0,
    aParentContent=aParentContent at entry=0x7fffce582280,
aChangeList=aChangeList at entry=0x7fffffff3fc0,
aMinChange=aMinChange at entry=0,
    aRestyleHint=aRestyleHint at entry=eRestyle_Subtree, aRestyleTracker=...,
    aDesiredA11yNotifications=aDesiredA11yNotifications at entry=nsFrameManager::eSendAllNotifications,
aVisibleKidsOfHiddenElement=...,
    aTreeMatchContext=...) at
/tmp/buildd/iceweasel-16.0.2/layout/base/nsFrameManager.cpp:1037
1037	/tmp/buildd/iceweasel-16.0.2/layout/base/nsFrameManager.cpp: No
such file or directory.

This also happens in 10.0.10esr-1 (testing) but the following
backtrace was taken from 16.0.2-1 (experimental).

#0  nsFrameManager::ReResolveStyleContext
(this=this at entry=0x7fffc1489400,
aPresContext=aPresContext at entry=0x7fffc16c2800,
aFrame=aFrame at entry=0x0,
    aParentContent=aParentContent at entry=0x7fffce582280,
aChangeList=aChangeList at entry=0x7fffffff3fc0,
aMinChange=aMinChange at entry=0,
    aRestyleHint=aRestyleHint at entry=eRestyle_Subtree, aRestyleTracker=...,
    aDesiredA11yNotifications=aDesiredA11yNotifications at entry=nsFrameManager::eSendAllNotifications,
aVisibleKidsOfHiddenElement=...,
    aTreeMatchContext=...) at
/tmp/buildd/iceweasel-16.0.2/layout/base/nsFrameManager.cpp:1037
#1  0x00007ffff54b9d8a in nsFrameManager::ReResolveStyleContext
(this=this at entry=0x7fffc1489400,
aPresContext=aPresContext at entry=0x7fffc16c2800,
    aFrame=aFrame at entry=0x7fffcb636020,
aParentContent=aParentContent at entry=0x7fffce582280,
aChangeList=aChangeList at entry=0x7fffffff3fc0,
    aMinChange=aMinChange at entry=0, aRestyleHint=<optimized out>,
aRestyleTracker=...,
    aDesiredA11yNotifications=nsFrameManager::eSendAllNotifications,
aVisibleKidsOfHiddenElement=..., aTreeMatchContext=...)
    at /tmp/buildd/iceweasel-16.0.2/layout/base/nsFrameManager.cpp:1565
#2  0x00007ffff54b9e22 in nsFrameManager::ReResolveStyleContext
(this=this at entry=0x7fffc1489400,
aPresContext=aPresContext at entry=0x7fffc16c2800,
    aFrame=aFrame at entry=0x7fffcb636160,
aParentContent=aParentContent at entry=0x7fffce566a80,
aChangeList=aChangeList at entry=0x7fffffff3fc0,
    aMinChange=aMinChange at entry=0, aRestyleHint=<optimized out>,
aRestyleTracker=...,
    aDesiredA11yNotifications=nsFrameManager::eSendAllNotifications,
aVisibleKidsOfHiddenElement=..., aTreeMatchContext=...)
    at /tmp/buildd/iceweasel-16.0.2/layout/base/nsFrameManager.cpp:1586
#3  0x00007ffff54b9e22 in nsFrameManager::ReResolveStyleContext
(this=this at entry=0x7fffc1489400,
aPresContext=aPresContext at entry=0x7fffc16c2800,
    aFrame=aFrame at entry=0x7fffdddbcd40,
aParentContent=aParentContent at entry=0x7fffce565c00,
aChangeList=aChangeList at entry=0x7fffffff3fc0,
    aMinChange=aMinChange at entry=0, aRestyleHint=<optimized out>,
aRestyleTracker=...,
    aDesiredA11yNotifications=nsFrameManager::eSendAllNotifications,
aVisibleKidsOfHiddenElement=..., aTreeMatchContext=...)
    at /tmp/buildd/iceweasel-16.0.2/layout/base/nsFrameManager.cpp:1586
#4  0x00007ffff54b9e22 in nsFrameManager::ReResolveStyleContext
(this=this at entry=0x7fffc1489400,
aPresContext=aPresContext at entry=0x7fffc16c2800,
    aFrame=aFrame at entry=0x7fffdddba8c0,
aParentContent=aParentContent at entry=0x7fffcda94a80,
aChangeList=aChangeList at entry=0x7fffffff3fc0,
    aMinChange=aMinChange at entry=0, aRestyleHint=<optimized out>,
aRestyleTracker=...,
    aDesiredA11yNotifications=nsFrameManager::eSendAllNotifications,
aVisibleKidsOfHiddenElement=..., aTreeMatchContext=...)
    at /tmp/buildd/iceweasel-16.0.2/layout/base/nsFrameManager.cpp:1586
#5  0x00007ffff54b9e22 in nsFrameManager::ReResolveStyleContext
(this=this at entry=0x7fffc1489400,
aPresContext=aPresContext at entry=0x7fffc16c2800,
    aFrame=aFrame at entry=0x7fffdddb8090,
aParentContent=aParentContent at entry=0x7fffcce25580,
aChangeList=aChangeList at entry=0x7fffffff3fc0,
    aMinChange=aMinChange at entry=0, aRestyleHint=<optimized out>,
aRestyleTracker=...,
    aDesiredA11yNotifications=nsFrameManager::eSendAllNotifications,
aVisibleKidsOfHiddenElement=..., aTreeMatchContext=...)
    at /tmp/buildd/iceweasel-16.0.2/layout/base/nsFrameManager.cpp:1586
#6  0x00007ffff54b9e22 in nsFrameManager::ReResolveStyleContext
(this=this at entry=0x7fffc1489400,
aPresContext=aPresContext at entry=0x7fffc16c2800,
    aFrame=aFrame at entry=0x7fffde0dbae0,
aParentContent=aParentContent at entry=0x7fffbe4b0ca0,
aChangeList=aChangeList at entry=0x7fffffff3fc0,
    aMinChange=aMinChange at entry=0, aRestyleHint=<optimized out>,
aRestyleTracker=...,
    aDesiredA11yNotifications=nsFrameManager::eSendAllNotifications,
aVisibleKidsOfHiddenElement=..., aTreeMatchContext=...)
    at /tmp/buildd/iceweasel-16.0.2/layout/base/nsFrameManager.cpp:1586
#7  0x00007ffff54b9e22 in nsFrameManager::ReResolveStyleContext
(this=this at entry=0x7fffc1489400, aPresContext=0x7fffc16c2800,
aFrame=0x7fffde0db1b8,
    aParentContent=aParentContent at entry=0x0,
aChangeList=aChangeList at entry=0x7fffffff3fc0,
aMinChange=aMinChange at entry=0,
    aRestyleHint=<optimized out>, aRestyleHint at entry=eRestyle_Subtree,
aRestyleTracker=...,
    aDesiredA11yNotifications=aDesiredA11yNotifications at entry=nsFrameManager::eSendAllNotifications,
aVisibleKidsOfHiddenElement=...,
    aTreeMatchContext=...) at
/tmp/buildd/iceweasel-16.0.2/layout/base/nsFrameManager.cpp:1586
#8  0x00007ffff54ba371 in nsFrameManager::ComputeStyleChangeFor
(this=0x7fffc1489400, aFrame=<optimized out>,
aChangeList=0x7fffffff3fc0,
    aMinChange=<optimized out>, aRestyleTracker=...,
aRestyleDescendants=true) at
/tmp/buildd/iceweasel-16.0.2/layout/base/nsFrameManager.cpp:1677
#9  0x00007ffff549a57c in nsCSSFrameConstructor::RestyleElement
(this=0x7fffc1489400, aElement=<optimized out>,
aPrimaryFrame=0x7fffde0db1b8,
    aMinHint=<optimized out>, aRestyleTracker=...,
aRestyleDescendants=<optimized out>)
    at /tmp/buildd/iceweasel-16.0.2/layout/base/nsCSSFrameConstructor.cpp:8157
#10 0x00007ffff548c782 in
mozilla::css::RestyleTracker::ProcessOneRestyle
(this=this at entry=0x7fffc14894e8, aElement=<optimized out>,
    aRestyleHint=<optimized out>, aChangeHint=<optimized out>) at
/tmp/buildd/iceweasel-16.0.2/layout/base/RestyleTracker.cpp:124
#11 0x00007ffff548cddb in
mozilla::css::RestyleTracker::DoProcessRestyles (this=0x7fffc14894e8)
    at /tmp/buildd/iceweasel-16.0.2/layout/base/RestyleTracker.cpp:209
#12 0x00007ffff549a4c9 in ProcessRestyles (this=0x7fffc14894e8) at
/tmp/buildd/iceweasel-16.0.2/layout/base/RestyleTracker.h:68
#13 nsCSSFrameConstructor::ProcessPendingRestyles
(this=0x7fffc1489400) at
/tmp/buildd/iceweasel-16.0.2/layout/base/nsCSSFrameConstructor.cpp:11979
#14 0x00007ffff54d6284 in PresShell::FlushPendingNotifications
(this=0x7fffc219be60, aType=Flush_Style)
    at /tmp/buildd/iceweasel-16.0.2/layout/base/nsPresShell.cpp:3820
#15 0x00007ffff562765f in nsDocument::FlushPendingNotifications
(this=0x7fffc0df0000, aType=Flush_Style)
    at /tmp/buildd/iceweasel-16.0.2/content/base/src/nsDocument.cpp:6294
#16 0x00007ffff55765e4 in nsComputedDOMStyle::GetPropertyCSSValue
(this=this at entry=0x7fffd242b940, aPropertyName=...,
aReturn=0x7fffffff4bc8)
    at /tmp/buildd/iceweasel-16.0.2/layout/style/nsComputedDOMStyle.cpp:474
#17 0x00007ffff556f6f3 in nsComputedDOMStyle::GetPropertyValue
(this=this at entry=0x7fffd242b940, aPropertyName=..., aReturn=...)
    at /tmp/buildd/iceweasel-16.0.2/layout/style/nsComputedDOMStyle.cpp:283
#18 0x00007ffff556f8b3 in nsComputedDOMStyle::GetPropertyValue
(this=0x7fffd242b940, aPropID=<optimized out>, aValue=...)
    at /tmp/buildd/iceweasel-16.0.2/layout/style/nsComputedDOMStyle.cpp:228
#19 0x00007ffff5a2ef5e in nsIDOMCSS2Properties_Get (cx=0x7fffce5e2ec0,
obj=..., id=..., prop=eCSSProperty_display, vp=0x7fffe0600da0)
    at /tmp/buildd/iceweasel-16.0.2/build-xulrunner/js/xpconnect/src/dom_quickstubs.cpp:6520
#20 0x00007ffff48466ff in CallJSPropertyOp (id=..., receiver=...,
op=<optimized out>, vp=0x7fffe0600da0, cx=0x7fffce5e2ec0)
    at ../../../js/src/jscntxtinlines.h:431
#21 get (vp=0x7fffe0600da0, pobj=0x7fffdfb45760, obj=<optimized out>,
receiver=..., cx=0x7fffce5e2ec0, this=0x7fffdfbb4ba0)
    at ../../../js/src/jsscopeinlines.h:286
#22 js_NativeGetInline (shape=<optimized out>, pobj=<optimized out>,
receiver=..., vp=0x7fffe0600da0, obj=<optimized out>,
cx=0x7fffce5e2ec0,
    getHow=<optimized out>) at
/tmp/buildd/iceweasel-16.0.2/js/src/jsobj.cpp:4599
#23 js_GetPropertyHelperInline (vp=0x7fffe0600da0, getHow=0,
id_=<optimized out>, receiver=..., obj=..., cx=0x7fffce5e2ec0)
    at /tmp/buildd/iceweasel-16.0.2/js/src/jsobj.cpp:4747
#24 js::baseops::GetProperty (cx=0x7fffce5e2ec0, obj=...,
receiver=..., id=..., vp=0x7fffe0600da0)
    at /tmp/buildd/iceweasel-16.0.2/js/src/jsobj.cpp:4763
#25 0x00007ffff482e3b0 in getGeneric (vp=<optimized out>, id=...,
receiver=..., cx=<optimized out>, this=<optimized out>)
    at ../../../js/src/jsobjinlines.h:176
#26 getGeneric (vp=<optimized out>, id=..., cx=<optimized out>,
this=<optimized out>) at ../../../js/src/jsobjinlines.h:193
#27 getProperty (vp=<optimized out>, name=<optimized out>,
cx=<optimized out>, this=<optimized out>) at
../../../js/src/jsobjinlines.h:200
#28 GetObjectElementOperation (obj=..., res=0x7fffe0600da0, rref=...,
op=JSOP_GETELEM, cx=0x7fffce5e2ec0)
    at /tmp/buildd/iceweasel-16.0.2/js/src/jsinterpinlines.h:685
#29 GetElementOperation (res=0x7fffe0600da0, rref=..., lref=...,
op=JSOP_GETELEM, cx=0x7fffce5e2ec0)
    at /tmp/buildd/iceweasel-16.0.2/js/src/jsinterpinlines.h:732
#30 js::Interpret (cx=cx at entry=0x7fffce5e2ec0,
entryFrame=entryFrame at entry=0x7fffe0600bb8,
interpMode=interpMode at entry=js::JSINTERP_NORMAL)
    at /tmp/buildd/iceweasel-16.0.2/js/src/jsinterp.cpp:2368
#31 0x00007ffff482fc3d in js::RunScript (cx=cx at entry=0x7fffce5e2ec0,
script=<optimized out>, fp=0x7fffe0600bb8)
    at /tmp/buildd/iceweasel-16.0.2/js/src/jsinterp.cpp:301
#32 0x00007ffff483053d in js::InvokeKernel (cx=0x7fffce5e2ec0,
args=..., construct=js::NO_CONSTRUCT)
    at /tmp/buildd/iceweasel-16.0.2/js/src/jsinterp.cpp:355
#33 0x00007ffff47f8de1 in Invoke (construct=js::NO_CONSTRUCT,
args=..., cx=0x7fffce5e2ec0) at
/tmp/buildd/iceweasel-16.0.2/js/src/jsinterp.h:119
#34 js_fun_apply (cx=0x7fffce5e2ec0, argc=<optimized out>,
vp=0x7fffe0600b88) at
/tmp/buildd/iceweasel-16.0.2/js/src/jsfun.cpp:740
#35 0x00007ffff483047c in CallJSNative (args=..., native=<optimized
out>, cx=0x7fffce5e2ec0) at ../../../js/src/jscntxtinlines.h:382
#36 js::InvokeKernel (cx=cx at entry=0x7fffce5e2ec0, args=...,
construct=construct at entry=js::NO_CONSTRUCT)
    at /tmp/buildd/iceweasel-16.0.2/js/src/jsinterp.cpp:344
#37 0x00007ffff4821add in js::Interpret (cx=cx at entry=0x7fffce5e2ec0,
entryFrame=entryFrame at entry=0x7fffe0600a68,
    interpMode=interpMode at entry=js::JSINTERP_NORMAL) at
/tmp/buildd/iceweasel-16.0.2/js/src/jsinterp.cpp:2442
#38 0x00007ffff482fc3d in js::RunScript (cx=cx at entry=0x7fffce5e2ec0,
script=<optimized out>, fp=0x7fffe0600a68)
    at /tmp/buildd/iceweasel-16.0.2/js/src/jsinterp.cpp:301
#39 0x00007ffff483053d in js::InvokeKernel (cx=0x7fffce5e2ec0,
args=..., construct=js::NO_CONSTRUCT)
    at /tmp/buildd/iceweasel-16.0.2/js/src/jsinterp.cpp:355
#40 0x00007ffff47f8944 in Invoke (construct=js::NO_CONSTRUCT,
args=..., cx=0x7fffce5e2ec0) at
/tmp/buildd/iceweasel-16.0.2/js/src/jsinterp.h:119
#41 js_fun_call (cx=0x7fffce5e2ec0, argc=2, vp=0x7fffe0600a08) at
/tmp/buildd/iceweasel-16.0.2/js/src/jsfun.cpp:658
#42 0x00007ffff483047c in CallJSNative (args=..., native=<optimized
out>, cx=0x7fffce5e2ec0) at ../../../js/src/jscntxtinlines.h:382
#43 js::InvokeKernel (cx=cx at entry=0x7fffce5e2ec0, args=...,
construct=construct at entry=js::NO_CONSTRUCT)
    at /tmp/buildd/iceweasel-16.0.2/js/src/jsinterp.cpp:344
#44 0x00007ffff4821add in js::Interpret (cx=0x7fffce5e2ec0,
entryFrame=0x7fffe06007f8, interpMode=js::JSINTERP_NORMAL)
    at /tmp/buildd/iceweasel-16.0.2/js/src/jsinterp.cpp:2442
#45 0x00007ffff4a13bbc in UncachedInlineCall (f=...,
initial=<optimized out>, pret=0x7fffffff6c88,
unjittable=0x7fffffff6c90, argc=argc at entry=1)
    at /tmp/buildd/iceweasel-16.0.2/js/src/methodjit/InvokeHelpers.cpp:327
#46 0x00007ffff4a16234 in js::mjit::stubs::UncachedCallHelper (f=...,
argc=1, lowered=<optimized out>, ucr=<optimized out>)
    at /tmp/buildd/iceweasel-16.0.2/js/src/methodjit/InvokeHelpers.cpp:410
#47 0x00007ffff4a0260a in js::mjit::CallCompiler::update
(this=this at entry=0x7fffffff6ce0)
    at /tmp/buildd/iceweasel-16.0.2/js/src/methodjit/MonoIC.cpp:936
#48 0x00007ffff4a027f3 in js::mjit::ic::Call (f=..., ic=<optimized
out>) at /tmp/buildd/iceweasel-16.0.2/js/src/methodjit/MonoIC.cpp:998
#49 0x00007fffd4ed934f in ?? ()
#50 0x00007fff00000001 in ?? ()
#51 0x000000000000010b in ?? ()
#52 0x00007fffffff7770 in ?? ()
#53 0x0000000000000000 in ?? ()