[tbb-bugs] #16495 [Tor Browser]: Tor Browser 5.0a3 crashes on nytimes.com with security level set to "High"

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jul 3 07:44:19 UTC 2015


#16495: Tor Browser 5.0a3 crashes on nytimes.com with security level set to "High"
-------------------------+-------------------------------------------------
     Reporter:  gk       |      Owner:  tbb-team
         Type:  defect   |     Status:  new
     Priority:           |  Milestone:
  critical               |    Version:
    Component:  Tor      |   Keywords:  tbb-crash, tbb-5.0a,
  Browser                |  TorBrowserTeam201507
   Resolution:           |  Parent ID:
Actual Points:           |
       Points:           |
-------------------------+-------------------------------------------------

Comment (by gk):

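 After building a recent GDB I got a better stack trace. Note the receiver in
 frames 0-2: `this=0x5a5a5a5a` is not a plausible object address. A repeated
 0x5a byte is the fill pattern jemalloc-style allocators write over freed
 memory, so this looks like RuleHash::EnumerateAllRules (frame 3) reading an
 nsAttrValue through a stale pointer, i.e. a possible use-after-free rather
 than a plain null dereference. That reading is inferred from the trace alone
 and still needs confirming: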
 {{{
 Program received signal SIGSEGV, Segmentation fault.
 0xb3d62e2a in BaseType (this=0x5a5a5a5a)
     at /home/ubuntu/build/tor-browser/dom/base/nsAttrValue.h:455
 455     /home/ubuntu/build/tor-browser/dom/base/nsAttrValue.h: Datei oder
 Verzeichnis nicht gefunden.
 (gdb) bt
 #0  0xb3d62e2a in BaseType (this=0x5a5a5a5a)
     at /home/ubuntu/build/tor-browser/dom/base/nsAttrValue.h:455
 #1  nsAttrValue::Type (this=0x5a5a5a5a)
     at /home/ubuntu/build/tor-browser/dom/base/nsAttrValue.cpp:186
 #2  0xb3d62f45 in nsAttrValue::GetAtomCount (this=0x5a5a5a5a)
     at /home/ubuntu/build/tor-browser/dom/base/nsAttrValue.cpp:807
 #3  0xb476c61e in RuleHash::EnumerateAllRules (this=0x97ecea80,
 aElement=0x9a1d01a0,
     aData=0xbfffbbcc, aNodeContext=...)
     at /home/ubuntu/build/tor-
 browser/layout/style/nsCSSRuleProcessor.cpp:677
 #4  0xb476ddb9 in nsCSSRuleProcessor::RulesMatching (this=0x9a9c4160,
     aData=0xbfffbbcc)
     at /home/ubuntu/build/tor-
 browser/layout/style/nsCSSRuleProcessor.cpp:2551
 #5  0xb47bff07 in EnumRulesMatching<ElementRuleProcessorData>
 (aProcessor=0x9a9c4160,
     aData=0xbfffbbcc)
     at /home/ubuntu/build/tor-browser/layout/style/nsStyleSet.cpp:719
 #6  0xb47cbbb5 in nsStyleSet::FileRules (this=0x93d97aa0,
     aCollectorFunc=0xb47bfef6
 <EnumRulesMatching<ElementRuleProcessorData>(nsIStyleRuleProcessor*,
 void*)>, aData=0xbfffbbcc, aElement=0x9a1d01a0, aRuleWalker=0xbfffbbc0)
     at /home/ubuntu/build/tor-browser/layout/style/nsStyleSet.cpp:1026
 #7  0xb47d0947 in nsStyleSet::ResolveStyleFor (this=0x93d97aa0,
 aElement=0x9a1d01a0,
     aParentContext=0x92f88238, aTreeMatchContext=...)
     at /home/ubuntu/build/tor-browser/layout/style/nsStyleSet.cpp:1265
 #8  0xb481c70e in nsCSSFrameConstructor::ResolveStyleContext
 (this=0x96ad4c80,
     aParentStyleContext=0x92f88238, aContent=0x9a1d01a0,
 aState=0xbfffd6e0)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:4831
 #9  0xb4839988 in nsCSSFrameConstructor::BuildInlineChildItems
 (this=0x96ad4c80,
     aState=..., aParentItem=..., aItemIsWithinSVGText=false,
     aItemAllowsTextPathChild=false)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:11734
 #10 0xb4838aa9 in nsCSSFrameConstructor::AddFrameConstructionItemsInternal
 (
     this=0x96ad4c80, aState=..., aContent=0x9a80bb70,
 aParentFrame=0x92f89308, aTag=
     0xb108a5e0, aNameSpaceID=3, aSuppressWhiteSpaceOptimizations=false,
     aStyleContext=0x92f88238, aFlags=3, aAnonChildren=0x0, aItems=...)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:5726
 #11 0xb483955e in nsCSSFrameConstructor::DoAddFrameConstructionItems (
     this=0x96ad4c80, aState=..., aContent=0x9a80bb70,
 aStyleContext=0x92f88238,
     aSuppressWhiteSpaceOptimizations=false, aParentFrame=0x92f89308,
     aAnonChildren=0x0, aItems=...)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:5401
 #12 0xb48395cc in nsCSSFrameConstructor::AddFrameConstructionItems
 (this=0x96ad4c80,
     aState=..., aContent=0x9a80bb70,
 aSuppressWhiteSpaceOptimizations=false,
     aInsertion=..., aItems=...)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:5419
 #13 0xb483d122 in nsCSSFrameConstructor::ProcessChildren (this=0x96ad4c80,
     aState=..., aContent=0x9a1d00b0, aStyleContext=0x92f871c8,
 aFrame=0x92f89308,
     aCanHaveGeneratedContent=true, aFrameItems=...,
 aAllowBlockStyles=true,
     aPendingBinding=0x0, aPossiblyLeafFrame=0x92f89308)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:10409
 #14 0xb48403a6 in nsCSSFrameConstructor::ConstructBlock (this=0x96ad4c80,
 aState=...,
     aDisplay=0x92f87258, aContent=0x9a1d00b0, aParentFrame=0x92f86870,
     aContentParentFrame=0x92f86870, aStyleContext=0x92f871c8,
 aNewFrame=0xbfffc09c,
     aFrameItems=..., aPositionedFrameForAbsPosContainer=0x0,
 aPendingBinding=0x0)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:11445
 #15 0xb4840688 in nsCSSFrameConstructor::ConstructNonScrollableBlock (
     this=0x96ad4c80, aState=..., aItem=..., aParentFrame=0x92f86870,
     aDisplay=0x92f87258, aFrameItems=...)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:4742
 #16 0xb483d5a0 in nsCSSFrameConstructor::ConstructFrameFromItemInternal (
     this=0x96ad4c80, aItem=..., aState=..., aParentFrame=0x92f86870,
 aFrameItems=...)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:3746
 #17 0xb483dd52 in nsCSSFrameConstructor::ConstructFramesFromItem
 (this=0x96ad4c80,
     aState=..., aIter=..., aParentFrame=0x92f86870, aFrameItems=...)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:5920
 #18 0xb4853f58 in nsCSSFrameConstructor::ConstructFramesFromItemList (
     this=0x96ad4c80, aState=..., aItems=..., aParentFrame=0x92f86870,
 aFrameItems=...)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:10227
 #19 0xb483d1bc in nsCSSFrameConstructor::ProcessChildren (this=0x96ad4c80,
     aState=..., aContent=0x9a1cfc40, aStyleContext=0x93bf0898,
 aFrame=0x92f86870,
     aCanHaveGeneratedContent=true, aFrameItems=...,
 aAllowBlockStyles=true,
     aPendingBinding=0x0, aPossiblyLeafFrame=0x92f86870)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:10426
 #20 0xb48403a6 in nsCSSFrameConstructor::ConstructBlock (this=0x96ad4c80,
 aState=...,
     aDisplay=0x93bf0928, aContent=0x9a1cfc40, aParentFrame=0x93bf0198,
     aContentParentFrame=0x93bf0198, aStyleContext=0x93bf0898,
 aNewFrame=0xbfffc4ec,
     aFrameItems=..., aPositionedFrameForAbsPosContainer=0x92f86870,
     aPendingBinding=0x0)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:11445
 #21 0xb4840688 in nsCSSFrameConstructor::ConstructNonScrollableBlock (
     this=0x96ad4c80, aState=..., aItem=..., aParentFrame=0x93bf0198,
     aDisplay=0x93bf0928, aFrameItems=...)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:4742
 #22 0xb483d5a0 in nsCSSFrameConstructor::ConstructFrameFromItemInternal (
     this=0x96ad4c80, aItem=..., aState=..., aParentFrame=0x93bf0198,
 aFrameItems=...)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:3746
 #23 0xb483dd52 in nsCSSFrameConstructor::ConstructFramesFromItem
 (this=0x96ad4c80,
     aState=..., aIter=..., aParentFrame=0x93bf0198, aFrameItems=...)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:5920
 #24 0xb4853f58 in nsCSSFrameConstructor::ConstructFramesFromItemList (
     this=0x96ad4c80, aState=..., aItems=..., aParentFrame=0x93bf0198,
 aFrameItems=...)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:10227
 #25 0xb483d1bc in nsCSSFrameConstructor::ProcessChildren (this=0x96ad4c80,
     aState=..., aContent=0x9a1cf600, aStyleContext=0x93bef7e0,
 aFrame=0x93bf0198,
     aCanHaveGeneratedContent=true, aFrameItems=...,
 aAllowBlockStyles=true,
     aPendingBinding=0x0, aPossiblyLeafFrame=0x93bf0198)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:10426
 #26 0xb48403a6 in nsCSSFrameConstructor::ConstructBlock (this=0x96ad4c80,
 aState=...,
     aDisplay=0x93bef870, aContent=0x9a1cf600, aParentFrame=0x93bef6d8,
     aContentParentFrame=0x93bef6d8, aStyleContext=0x93bef7e0,
 aNewFrame=0xbfffc93c,
     aFrameItems=..., aPositionedFrameForAbsPosContainer=0x93bf0198,
     aPendingBinding=0x0)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:11445
 #27 0xb4840688 in nsCSSFrameConstructor::ConstructNonScrollableBlock (
     this=0x96ad4c80, aState=..., aItem=..., aParentFrame=0x93bef6d8,
     aDisplay=0x93bef870, aFrameItems=...)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:4742
 #28 0xb483d5a0 in nsCSSFrameConstructor::ConstructFrameFromItemInternal (
     this=0x96ad4c80, aItem=..., aState=..., aParentFrame=0x93bef6d8,
 aFrameItems=...)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:3746
 #29 0xb483dd52 in nsCSSFrameConstructor::ConstructFramesFromItem
 (this=0x96ad4c80,
     aState=..., aIter=..., aParentFrame=0x93bef6d8, aFrameItems=...)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:5920
 #30 0xb4853f58 in nsCSSFrameConstructor::ConstructFramesFromItemList (
     this=0x96ad4c80, aState=..., aItems=..., aParentFrame=0x93bef6d8,
 aFrameItems=...)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:10227
 #31 0xb483d1bc in nsCSSFrameConstructor::ProcessChildren (this=0x96ad4c80,
     aState=..., aContent=0x9a1cf560, aStyleContext=0x93bef4b0,
 aFrame=0x93bef6d8,
     aCanHaveGeneratedContent=true, aFrameItems=...,
 aAllowBlockStyles=true,
     aPendingBinding=0x0, aPossiblyLeafFrame=0x93bef6d8)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:10426
 #32 0xb48403a6 in nsCSSFrameConstructor::ConstructBlock (this=0x96ad4c80,
 aState=...,
     aDisplay=0x93bef540, aContent=0x9a1cf560, aParentFrame=0x93bef158,
     aContentParentFrame=0x93bef158, aStyleContext=0x93bef4b0,
 aNewFrame=0xbfffcd8c,
     aFrameItems=..., aPositionedFrameForAbsPosContainer=0x93bef6d8,
     aPendingBinding=0x0)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:11445
 #33 0xb4840688 in nsCSSFrameConstructor::ConstructNonScrollableBlock (
     this=0x96ad4c80, aState=..., aItem=..., aParentFrame=0x93bef158,
     aDisplay=0x93bef540, aFrameItems=...)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:4742
 #34 0xb483d5a0 in nsCSSFrameConstructor::ConstructFrameFromItemInternal (
     this=0x96ad4c80, aItem=..., aState=..., aParentFrame=0x93bef158,
 aFrameItems=...)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:3746
 #35 0xb483dd52 in nsCSSFrameConstructor::ConstructFramesFromItem
 (this=0x96ad4c80,
     aState=..., aIter=..., aParentFrame=0x93bef158, aFrameItems=...)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:5920
 #36 0xb4853f58 in nsCSSFrameConstructor::ConstructFramesFromItemList (
     this=0x96ad4c80, aState=..., aItems=..., aParentFrame=0x93bef158,
 aFrameItems=...)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:10227
 #37 0xb483d1bc in nsCSSFrameConstructor::ProcessChildren (this=0x96ad4c80,
     aState=..., aContent=0x93b5add0, aStyleContext=0x92f2ff10,
 aFrame=0x93bef158,
     aCanHaveGeneratedContent=true, aFrameItems=...,
 aAllowBlockStyles=true,
     aPendingBinding=0x0, aPossiblyLeafFrame=0x93bef158)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:10426
 #38 0xb48403a6 in nsCSSFrameConstructor::ConstructBlock (this=0x96ad4c80,
 aState=...,
     aDisplay=0x9a0a58a8, aContent=0x93b5add0, aParentFrame=0x92f2faf0,
     aContentParentFrame=0x92f2faf0, aStyleContext=0x92f2ff10,
 aNewFrame=0xbfffd1dc,
     aFrameItems=..., aPositionedFrameForAbsPosContainer=0x0,
 aPendingBinding=0x0)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:11445
 #39 0xb4840688 in nsCSSFrameConstructor::ConstructNonScrollableBlock (
     this=0x96ad4c80, aState=..., aItem=..., aParentFrame=0x92f2faf0,
     aDisplay=0x9a0a58a8, aFrameItems=...)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:4742
 #40 0xb483d5a0 in nsCSSFrameConstructor::ConstructFrameFromItemInternal (
     this=0x96ad4c80, aItem=..., aState=..., aParentFrame=0x92f2faf0,
 aFrameItems=...)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:3746
 #41 0xb483dd52 in nsCSSFrameConstructor::ConstructFramesFromItem
 (this=0x96ad4c80,
     aState=..., aIter=..., aParentFrame=0x92f2faf0, aFrameItems=...)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:5920
 #42 0xb4853f58 in nsCSSFrameConstructor::ConstructFramesFromItemList (
     this=0x96ad4c80, aState=..., aItems=..., aParentFrame=0x92f2faf0,
 aFrameItems=...)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:10227
 #43 0xb483d1bc in nsCSSFrameConstructor::ProcessChildren (this=0x96ad4c80,
     aState=..., aContent=0x9a2ef6a0, aStyleContext=0x92f2fa88,
 aFrame=0x92f2faf0,
     aCanHaveGeneratedContent=true, aFrameItems=...,
 aAllowBlockStyles=true,
     aPendingBinding=0x0, aPossiblyLeafFrame=0x92f2faf0)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:10426
 #44 0xb48403a6 in nsCSSFrameConstructor::ConstructBlock (this=0x96ad4c80,
 aState=...,
     aDisplay=0x9a0a5618, aContent=0x9a2ef6a0, aParentFrame=0x9a0a59f8,
     aContentParentFrame=0x9a0a59f8, aStyleContext=0x92f2fa88,
 aNewFrame=0xbfffd62c,
     aFrameItems=..., aPositionedFrameForAbsPosContainer=0x0,
 aPendingBinding=0x0)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:11445
 #45 0xb4840aea in nsCSSFrameConstructor::ConstructDocElementFrame
 (this=0x96ad4c80,
     aDocElement=0x9a2ef6a0, aFrameState=0x0)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:2608
 #46 0xb48410c0 in nsCSSFrameConstructor::ContentRangeInserted
 (this=0x96ad4c80,
     aContainer=0x0, aStartChild=0x9a2ef6a0, aEndChild=0x0,
 aFrameState=0x0,
     aAllowLazyConstruction=false)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:7469
 #47 0xb48418c2 in nsCSSFrameConstructor::ContentInserted (this=0x96ad4c80,
     aContainer=0x0, aChild=0x9a2ef6a0, aFrameState=0x0,
 aAllowLazyConstruction=false)
     at /home/ubuntu/build/tor-
 browser/layout/base/nsCSSFrameConstructor.cpp:7358
 #48 0xb485ee79 in PresShell::Initialize (this=0x947e70e0, aWidth=60000,
 aHeight=42000)
     at /home/ubuntu/build/tor-browser/layout/base/nsPresShell.cpp:1911
 #49 0xb3d68774 in nsContentSink::StartLayout (this=0x93e32de0,
     aIgnorePendingSheets=false)
     at /home/ubuntu/build/tor-browser/dom/base/nsContentSink.cpp:1171
 #50 0xb3d73be1 in nsContentSink::StyleSheetLoaded (this=0x93e32de0,
     aSheet=0x9a36f940, aWasAlternate=false, aStatus=nsresult::NS_OK)
     at /home/ubuntu/build/tor-browser/dom/base/nsContentSink.cpp:231
 #51 0xb47869f5 in mozilla::css::Loader::SheetComplete (this=0x96acabe0,
     aLoadData=0x9a0da9b0, aStatus=nsresult::NS_OK)
     at /home/ubuntu/build/tor-browser/layout/style/Loader.cpp:1791
 #52 0xb4786ed0 in mozilla::css::Loader::HandleLoadEvent (this=0x96acabe0,
     aEvent=0x9a0da9b0) at /home/ubuntu/build/tor-
 browser/layout/style/Loader.cpp:2424
 #53 0xb4786efe in mozilla::css::SheetLoadData::Run (this=0x9a0da9b0)
     at /home/ubuntu/build/tor-browser/layout/style/Loader.cpp:431
 #54 0xb36f73c7 in nsThread::ProcessNextEvent (this=0xb7af2cf0,
 aMayWait=false,
     aResult=0xbfffdc2f)
     at /home/ubuntu/build/tor-browser/xpcom/threads/nsThread.cpp:855
 #55 0xb370ca73 in NS_ProcessNextEvent (aThread=<optimized out>,
 aMayWait=false)
     at /home/ubuntu/build/tor-browser/xpcom/glue/nsThreadUtils.cpp:265
 #56 0xb38a38a4 in mozilla::ipc::MessagePump::Run (this=0xb1008730,
     aDelegate=0xb7a6e100)
     at /home/ubuntu/build/tor-browser/ipc/glue/MessagePump.cpp:99
 #57 0xb388d2c6 in MessageLoop::RunInternal (this=0xb7a6e100)
     at /home/ubuntu/build/tor-
 browser/ipc/chromium/src/base/message_loop.cc:233
 #58 0xb388d400 in RunHandler (this=0xb7a6e100)
     at /home/ubuntu/build/tor-
 browser/ipc/chromium/src/base/message_loop.cc:226
 #59 MessageLoop::Run (this=0xb7a6e100)
     at /home/ubuntu/build/tor-
 browser/ipc/chromium/src/base/message_loop.cc:200
 #60 0xb46b6411 in nsBaseAppShell::Run (this=0xaca3e3d0)
     at /home/ubuntu/build/tor-browser/widget/nsBaseAppShell.cpp:164
 #61 0xb4aff699 in nsAppStartup::Run (this=0xacaad8e0)
     at /home/ubuntu/build/tor-
 browser/toolkit/components/startup/nsAppStartup.cpp:281
 #62 0xb4b31b4c in XREMain::XRE_mainRun (this=0xbfffde78)
     at /home/ubuntu/build/tor-browser/toolkit/xre/nsAppRunner.cpp:4432
 #63 0xb4b31e08 in XREMain::XRE_main (this=0xbfffde78, argc=3,
 argv=0xbffff1a4,
     aAppData=0xbfffdfcc)
     at /home/ubuntu/build/tor-browser/toolkit/xre/nsAppRunner.cpp:4512
 #64 0xb4b32034 in XRE_main (argc=3, argv=0xbffff1a4, aAppData=0xbfffdfcc,
 aFlags=0)
     at /home/ubuntu/build/tor-browser/toolkit/xre/nsAppRunner.cpp:4731
 #65 0x80003c50 in do_main (argc=3, argv=0xbffff1a4,
 xreDirectory=0xb7a2c280)
     at /home/ubuntu/build/tor-browser/browser/app/nsBrowserApp.cpp:294
 #66 0x80003460 in main (argc=3, argv=0xbffff1a4)
     at /home/ubuntu/build/tor-browser/browser/app/nsBrowserApp.cpp:667
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16495#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

