After changing a preference of images with Mozilla, the program crashed. Stacktrace with GDB. (gdb) where #0 0x40661761 in nanosleep () from /lib/libc.so.6 #1 0x406615f6 in sleep () from /lib/libc.so.6 #2 0x080675d8 in ah_crap_handler (signum=11) at nsSigHandlers.cpp:144 #3 0x40cf64c5 in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileAccess.cpp:1668 #4 0x40312307 in pthread_sighandler () from /lib/libpthread.so.0 #5 <signal handler called> #6 0x094220f5 in ?? () #7 0x41a17668 in nsCOMPtr<nsIDocShellTreeItem>::assign_from_helper ( this=0xbfffe304, helper=@0xbfffe2f4, aIID=@0x41c30840) at ../../../../dist/include/xpcom/nsCOMPtr.h:922 #8 0x41a14bf9 in nsCOMPtr<nsIDocShellTreeItem>::nsCOMPtr (this=0xbfffe304, helper=@0xbfffe2f4) at ../../../../dist/include/xpcom/nsCOMPtr.h:565 #9 0x41b8a3de in nsPresContext::PreferenceChanged (this=0x93c63c8, aPrefName=0x9437a50 "network.image.imageBehavior") at nsPresContext.cpp:601 #10 0x41b87fda in nsPresContext::PrefChangedCallback ( aPrefName=0x9437a50 "network.image.imageBehavior", instance_data=0x93c63c8) at nsPresContext.cpp:101 #11 0x40a19d48 in pref_DoCallback ( changed_pref=0x9437a50 "network.image.imageBehavior") at prefapi.cpp:1187 #12 0x40a19a52 in pref_HashPref (key=0x9437a50 "network.image.imageBehavior", value={stringVal = 0x0, intVal = 0, boolVal = 0}, type=PREF_INT, action=PREF_SETUSER) at prefapi.cpp:1073 The crash seems to be caused by an invalid value of mContainer in nsPresContext. It seems that mContainer is not initialized in the constructor of nsPresContext. It should be initialized to null.

-> Kevin for reasignment

how to reproduce?

In my case, the crash ocurred: 1) I am in a page with images 2) Go to Preferences, and change preferences and specify that images should never be loaded 3) crash. I do not know if is reproducible or not. Since the cause is a dangling pointer, it is likely that it is not reproducible. Anyway, the patch is quite obvious, since there are two uninitialized pointers inside nsPresContext.

Comment on attachment 93697 [details] [diff] [review] Suggested fix r=jkeiser, whether this fixes the crash or not it is silly not to initialize these variables.

=> patch author

*** Bug 154223 has been marked as a duplicate of this bug. ***

Comment on attachment 93697 [details] [diff] [review] Suggested fix sr=bzbarsky. good catch!

Fix checked in. Thanks Ramon!

Is there any automated way to scan the tree for other such errors?

*** Bug 156486 has been marked as a duplicate of this bug. ***

Tacking on some of the Talkback decorations from duped bug 156486 so that Talkback automation can watch it disappear. This crash has been lingering in the Talkback reports for quite a while. We'll be happy to see it go. Thanks again, Ramon.

This just happened to me again using FizzillaCFM/2002083017. Mozilla crashed after editing font prefs and closing the prefs window. Thread 0 Crashed: #0 0x006a1504 in nsQueryInterface::_cl( const(nsID const &, void **)) #1 0xbfffe14c in 0xbfffe14c #2 0x006a16ec in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const &, nsID const &) #3 0x02b55b7c in nsPresContext::PreferenceChanged(char const *) #4 0x02b535b4 in nsPresContext::PrefChangedCallback(char const *, void *) ...etc. Recommendations?

*** Bug 166289 has been marked as a duplicate of this bug. ***

Reopening per comment 13 (and no response).

More of these stacks attached to bug 158680.

*** Bug 158680 has been marked as a duplicate of this bug. ***

I can repeatably crash OS X trunk builds (currently 2002092303) by Preferences --> Colors --> change the default background color, then press OK.

I believe that this bug, and bug 156486, are both dupes of bug 150893. (All three have essentially the same stack trace attached.)

*** This bug has been marked as a duplicate of 156486 ***

*** Bug 84879 has been marked as a duplicate of this bug. ***