Following a pdf link causes Conkeror to segmentation fault.

I'm using the latest Conkeror git and xulrunner 7 (the currently stable package in Arch Linux).

This behavior seems to be caused by:

    set_protocol_handler("mailto", "https://mail.google.com/mail/?extsrc=mailto&url=%s");

As we had discussed on the mailing list and on irc, use of
set_protocol_handler seems to trigger this problem.  We might as well move
the discussion here to the bug tracker..

To bring this problem on, do, for example:

  set_protocol_handler("mailto", "https://mail.google.com/mail/?extsrc=mailto&url=%s");

Then follow a link to some content type that is not internally supported
by Gecko.  PDF is a convenient test case.

GDB Error and backtrace, when doing this in XULRunner 8.0:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6bcbcb9 in nsExternalAppHandler::~nsExternalAppHandler (this=0x7fffd857c980,
__in_chrg=<optimized out>)
    at /tmp/buildd/iceweasel-8.0~b2/uriloader/exthandler/nsExternalHelperAppService.cpp:1267
1267    /tmp/buildd/iceweasel-8.0~b2/uriloader/exthandler/nsExternalHelperAppService.cpp: No such file or
directory.
        in /tmp/buildd/iceweasel-8.0~b2/uriloader/exthandler/nsExternalHelperAppService.cpp
(gdb) bt
#0  0x00007ffff6bcbcb9 in nsExternalAppHandler::~nsExternalAppHandler (this=0x7fffd857c980,
__in_chrg=<optimized out>)
    at /tmp/buildd/iceweasel-8.0~b2/uriloader/exthandler/nsExternalHelperAppService.cpp:1267
#1  0x00007ffff6bcbd89 in Release (this=0x7fffd857c980)
    at /tmp/buildd/iceweasel-8.0~b2/uriloader/exthandler/nsExternalHelperAppService.cpp:1197
#2  nsExternalAppHandler::Release (this=0x7fffd857c980)
    at /tmp/buildd/iceweasel-8.0~b2/uriloader/exthandler/nsExternalHelperAppService.cpp:1197
#3  0x00007ffff6b2ca76 in DoDeferredRelease<nsISupports*> (array=<optimized out>)
    at /tmp/buildd/iceweasel-8.0~b2/js/src/xpconnect/src/xpcjsruntime.cpp:617
#4  XPCJSRuntime::GCCallback (cx=0x7fffe5d16400, status=JSGC_END)
    at /tmp/buildd/iceweasel-8.0~b2/js/src/xpconnect/src/xpcjsruntime.cpp:927
#5  0x00007ffff68fc07b in DOMGCCallback (cx=0x7fffe5d16400, status=JSGC_END)
    at /tmp/buildd/iceweasel-8.0~b2/dom/base/nsJSEnvironment.cpp:3452
#6  0x00007ffff4e20835 in js_GC (cx=0x7fffe5d16400, comp=0x0, gckind=GC_NORMAL)
    at /tmp/buildd/iceweasel-8.0~b2/js/src/jsgc.cpp:2744
#7  0x00007ffff6b14900 in nsXPConnect::Collect (this=<optimized out>)
    at /tmp/buildd/iceweasel-8.0~b2/js/src/xpconnect/src/nsXPConnect.cpp:414
#8  0x00007ffff6b13bfc in nsXPConnect::GarbageCollect (this=<optimized out>)
    at /tmp/buildd/iceweasel-8.0~b2/js/src/xpconnect/src/nsXPConnect.cpp:422
#9  0x00007ffff6e62626 in nsTimerImpl::Fire (this=0x7fffd8282b00)
    at /tmp/buildd/iceweasel-8.0~b2/xpcom/threads/nsTimerImpl.cpp:424
#10 0x00007ffff6e626ef in nsTimerEvent::Run (this=<optimized out>)
    at /tmp/buildd/iceweasel-8.0~b2/xpcom/threads/nsTimerImpl.cpp:520
#11 0x00007ffff6e5fc70 in nsThread::ProcessNextEvent (this=0x7fffebc122f0, mayWait=1, result=0x7fffffffdbcc)
    at /tmp/buildd/iceweasel-8.0~b2/xpcom/threads/nsThread.cpp:631
#12 0x00007ffff6e346e0 in NS_ProcessNextEvent_P (thread=<optimized out>, mayWait=<optimized out>)
    at /tmp/buildd/iceweasel-8.0~b2/build-xulrunner/xpcom/build/nsThreadUtils.cpp:245
#13 0x00007ffff6dc20a5 in mozilla::ipc::MessagePump::Run (this=0x7fffebc56900, aDelegate=0x7fffebc820b0)
    at /tmp/buildd/iceweasel-8.0~b2/ipc/glue/MessagePump.cpp:134
#14 0x00007ffff6e7e797 in RunHandler (this=0x7fffebc820b0)
    at /tmp/buildd/iceweasel-8.0~b2/ipc/chromium/src/base/message_loop.cc:205
#15 MessageLoop::Run (this=0x7fffebc820b0) at
/tmp/buildd/iceweasel-8.0~b2/ipc/chromium/src/base/message_loop.cc:179
#16 0x00007ffff6d3f9d0 in nsBaseAppShell::Run (this=0x7fffebc29e10)
    at /tmp/buildd/iceweasel-8.0~b2/widget/src/xpwidgets/nsBaseAppShell.cpp:189
#17 0x00007ffff6c1651e in nsAppStartup::Run (this=0x7fffe5d51bc0)
    at /tmp/buildd/iceweasel-8.0~b2/toolkit/components/startup/nsAppStartup.cpp:224
#18 0x00007ffff64faa7e in XRE_main (argc=<optimized out>, argv=<optimized out>, aAppData=<optimized out>)
    at /tmp/buildd/iceweasel-8.0~b2/toolkit/xre/nsAppRunner.cpp:3544
#19 0x00000000004024c4 in main (argc=4, argv=0x7fffffffe560)
    at /tmp/buildd/iceweasel-8.0~b2/xulrunner/app/nsXULRunnerApp.cpp:383

Here is another GDB error and backtrace, also produced in XULRunner 8.0.
It is exceedingly strange that two segfaults, produced by doing the same
thing, only minutes apart, should produce two completely different
backtraces.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6bcc039 in nsExternalAppHandler::nsExternalAppHandler (this=0x7fffd7014440,
aMIMEInfo=<optimized out>,
    aTempFileExtension=<optimized out>, aWindowContext=<optimized out>, aSuggestedFilename=<optimized out>,
    aReason=<optimized out>, aForceSave=0)
    at /tmp/buildd/iceweasel-8.0~b2/uriloader/exthandler/nsExternalHelperAppService.cpp:1256
1256    /tmp/buildd/iceweasel-8.0~b2/uriloader/exthandler/nsExternalHelperAppService.cpp: No such file or
directory.
        in /tmp/buildd/iceweasel-8.0~b2/uriloader/exthandler/nsExternalHelperAppService.cpp
(gdb) bt
#0  0x00007ffff6bcc039 in nsExternalAppHandler::nsExternalAppHandler (this=0x7fffd7014440,
aMIMEInfo=<optimized out>,
    aTempFileExtension=<optimized out>, aWindowContext=<optimized out>, aSuggestedFilename=<optimized out>,
    aReason=<optimized out>, aForceSave=0)
    at /tmp/buildd/iceweasel-8.0~b2/uriloader/exthandler/nsExternalHelperAppService.cpp:1256
#1  0x00007ffff6bce7c0 in nsExternalHelperAppService::DoContent (this=<optimized out>,
aMimeContentType=<optimized out>,
    aRequest=<optimized out>, aWindowContext=0x7fffdb921830, aForceSave=0, aStreamListener=0x7fffd27cda28)
    at /tmp/buildd/iceweasel-8.0~b2/uriloader/exthandler/nsExternalHelperAppService.cpp:853
#2  0x00007ffff6bc8833 in nsDocumentOpenInfo::DispatchContent (this=0x7fffd27cda10, request=0x7fffd273c850,
    aCtxt=<optimized out>) at /tmp/buildd/iceweasel-8.0~b2/uriloader/base/nsURILoader.cpp:614
#3  0x00007ffff6bc89ac in nsDocumentOpenInfo::OnStartRequest (this=0x7fffd27cda10,
request=0x7fffd273c850, aCtxt=0x0)
    at /tmp/buildd/iceweasel-8.0~b2/uriloader/base/nsURILoader.cpp:294
#4  0x00007ffff6574698 in nsHttpChannel::CallOnStartRequest (this=0x7fffd273c800)
    at /tmp/buildd/iceweasel-8.0~b2/netwerk/protocol/http/nsHttpChannel.cpp:720
#5  0x00007ffff6574aae in ContinueProcessNormal (this=0x7fffd273c800, rv=<optimized out>)
    at /tmp/buildd/iceweasel-8.0~b2/netwerk/protocol/http/nsHttpChannel.cpp:1171
#6  nsHttpChannel::ContinueProcessNormal (this=0x7fffd273c800, rv=<optimized out>)
    at /tmp/buildd/iceweasel-8.0~b2/netwerk/protocol/http/nsHttpChannel.cpp:1112
#7  0x00007ffff6574b96 in nsHttpChannel::ProcessNormal (this=0x7fffd273c800)
    at /tmp/buildd/iceweasel-8.0~b2/netwerk/protocol/http/nsHttpChannel.cpp:1108
#8  0x00007ffff65770cd in nsHttpChannel::ProcessResponse (this=0x7fffd273c800)
    at /tmp/buildd/iceweasel-8.0~b2/netwerk/protocol/http/nsHttpChannel.cpp:1058
#9  0x00007ffff650ddaf in nsInputStreamPump::OnStateStart (this=0x7fffd7c0ea50)
    at /tmp/buildd/iceweasel-8.0~b2/netwerk/base/src/nsInputStreamPump.cpp:441
#10 0x00007ffff650e00f in nsInputStreamPump::OnInputStreamReady (this=0x7fffd7c0ea50, stream=<optimized out>)
    at /tmp/buildd/iceweasel-8.0~b2/netwerk/base/src/nsInputStreamPump.cpp:397
#11 0x00007ffff6e51916 in nsInputStreamReadyEvent::Run (this=0x7fffd7c04130)
    at /tmp/buildd/iceweasel-8.0~b2/xpcom/io/nsStreamUtils.cpp:114
#12 0x00007ffff6e5fc70 in nsThread::ProcessNextEvent (this=0x7fffebc122f0, mayWait=1, result=0x7fffffffdbcc)
    at /tmp/buildd/iceweasel-8.0~b2/xpcom/threads/nsThread.cpp:631
#13 0x00007ffff6e346e0 in NS_ProcessNextEvent_P (thread=<optimized out>, mayWait=<optimized out>)
    at /tmp/buildd/iceweasel-8.0~b2/build-xulrunner/xpcom/build/nsThreadUtils.cpp:245
#14 0x00007ffff6dc20a5 in mozilla::ipc::MessagePump::Run (this=0x7fffebc56900, aDelegate=0x7fffebc820b0)
    at /tmp/buildd/iceweasel-8.0~b2/ipc/glue/MessagePump.cpp:134
#15 0x00007ffff6e7e797 in RunHandler (this=0x7fffebc820b0)
    at /tmp/buildd/iceweasel-8.0~b2/ipc/chromium/src/base/message_loop.cc:205
#16 MessageLoop::Run (this=0x7fffebc820b0) at
/tmp/buildd/iceweasel-8.0~b2/ipc/chromium/src/base/message_loop.cc:179
#17 0x00007ffff6d3f9d0 in nsBaseAppShell::Run (this=0x7fffebc29e10)
    at /tmp/buildd/iceweasel-8.0~b2/widget/src/xpwidgets/nsBaseAppShell.cpp:189
#18 0x00007ffff6c1651e in nsAppStartup::Run (this=0x7fffe5d51bc0)
    at /tmp/buildd/iceweasel-8.0~b2/toolkit/components/startup/nsAppStartup.cpp:224
#19 0x00007ffff64faa7e in XRE_main (argc=<optimized out>, argv=<optimized out>, aAppData=<optimized out>)
    at /tmp/buildd/iceweasel-8.0~b2/toolkit/xre/nsAppRunner.cpp:3544
#20 0x00000000004024c4 in main (argc=4, argv=0x7fffffffe560)
    at /tmp/buildd/iceweasel-8.0~b2/xulrunner/app/nsXULRunnerApp.cpp:383

It seems to be that the segfaults only occur after calling set_protocol_handler.  For example,
if you call set_protocol_handler, then restart conkeror, and do not call it in the new instance,
no segfault occurs when following a link to a pdf.  Can others confirm this?

I can cause the segfault to happen simply by calling the following function
before attempting to follow a pdf link.  Note, sometimes it takes a couple
of attempts on the link for the failure to manifest.

  function query_eps () {
      var eps = Cc["@mozilla.org/uriloader/external-protocol-service;1"]
          .createInstance()
          .QueryInterface(Ci.nsIExternalProtocolService);
  }

Nothing more than simply QI'ing nsIExternalProtocolService.  What is going on here?

Should have noticed earlier the queer form of that QI that i had
copy-pasted from who knows where..  It should be like this, instead:

  var eps = Cc["@mozilla.org/uriloader/external-protocol-service;1"]
      .getService(Ci.nsIExternalProtocolService);

Is that the whole problem?  Test results promising so far.....

that was it!  fixed!