Bug 871568 - Flash/firefox interaction crash ESR 10.0.10 RHEL 5 x86_64
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: firefox
Version: 5.8
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: high
Target Milestone: rc
Assignee: Martin Stransky
QA Contact: Desktop QE
Reported: 2012-10-30 18:02 UTC by roger.bivand
Modified: 2018-11-29 19:34 UTC (History)
Doc Type: Bug Fix
Last Closed: 2012-11-06 14:05:00 UTC

Attachments
bug-report (32.13 KB, text/plain), 2012-10-31 17:14 UTC, roger.bivand
Firefox gdb session (4.23 KB, text/plain), 2012-11-01 14:34 UTC, derek
crash_bt (98.24 KB, text/plain), 2012-11-01 16:55 UTC, derek
crash_bt (141.14 KB, text/plain), 2012-11-01 17:30 UTC, roger.bivand
crash_bt 10.0.8 (144.06 KB, text/plain), 2012-11-02 15:41 UTC, roger.bivand


Links
System: Red Hat Product Errata
ID: RHBA-2012:1429
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: firefox bug fix update
Last Updated: 2012-11-06 19:02:36 UTC

Description roger.bivand 2012-10-30 18:02:08 UTC
Description of problem:


Version-Release number of selected component (if applicable):

Sunday October 28 RHN update to Firefox/xulrunner on RHEL 5 64-bit (fully updated) is completely broken - any web page with Java/Flash crashes Firefox, often immediately: 

firefox-10.0.10-1.el5_8 (both 32 and 64) 
xulrunner-10.0.10-1.el5_8 (both 32 and 64) 
flash-plugin-11.2.202.243-1.el5 
java-1.6.0-openjdk-1.6.0.0-1.28.1.10.10.el5_8 

Until today stable, now unusable.


Erasing both firefox matches, and re-installing the 32-bit version only appears to resolve the issue, but this is not an adequate solution, since all users with 64-bit installed < 10.0.10 will fall into the same trap. The 64-bit version needs to be revised at your earliest convenience.

Seems also to be resolved for the x86_64 firefox using: 

https://access.redhat.com/knowledge/solutions/219073

which says:

Navigate your browser to about:config and change following to match exactly:
dom.ipc.plugins.enabled true
dom.ipc.plugins.nswrapper* true

Note that this will cause flash to run in sandbox and therefore external devices like Webcameras, microphones, etc. will not work in flash Add-ons.

The previous firefox x86_64 release version was not affected by this, sometimes a bit flaky, but not an immediate crash of the application.



How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Martin Stransky 2012-10-31 12:16:11 UTC
That's strange because flash is supposed to run inside plugin-container. Can you attach a backtrace of the crash? (see http://fedoraproject.org/wiki/Debugging_guidelines_for_Mozilla_products)

Comment 2 roger.bivand 2012-10-31 17:14:59 UTC
Created attachment 636235 [details]
bug-report

Comment 3 Martin Stransky 2012-11-01 07:20:06 UTC
Thanks, but please provide stacktrace of the crash (see http://fedoraproject.org/wiki/Debugging_guidelines_for_Mozilla_products#Application_crash)

Comment 4 derek 2012-11-01 14:34:43 UTC
Created attachment 636690 [details]
Firefox gdb session

#rpm -q firefox
firefox-10.0.10-1.el5_8
firefox-10.0.10-1.el5_8
# rpm -q flash-plugin
flash-plugin-11.2.202.243-1.el5
# cat /etc/redhat-release 
Red Hat Enterprise Linux Client release 5.8 (Tikanga)

Attached is the application crash as asked for.  I can confirm this is only happening in the x86_64 version of firefox. Downgrading to ESR 10.0.9 solves the issue however this leaves open the vulnerability patched in RHSA-2012:1407-1.

Comment 5 Martin Stransky 2012-11-01 15:03:04 UTC
Thanks, but the trace is incomplete. Please follow the instructions from the box:

set logging on crash_bt
thread apply all bt full
print DumpJSStack()
set logging off

and attach the full backtrace from all threads.

Comment 6 roger.bivand 2012-11-01 16:22:57 UTC
(In reply to comment #5)
> Thanks, but the trace is incomplete. Please follow the instructions from the
> box:
> 
> set logging on crash_bt
> thread apply all bt full
> print DumpJSStack()
> set logging off
> 
> and attach the full backtrace from all threads.

Martin:

This is not helpful on your part. I have, and I guess Derek has too, attempted to follow the instructions. I see:

# debuginfo-install firefox.x86_64
Loaded plugins: rhnplugin
enabling epel-debuginfo
Reading repository metadata in from local files
Could not find debuginfo for main pkg: firefox-10.0.10-1.el5_8.x86_64
Could not find debuginfo pkg for dependency package glibc-2.5-81.el5_8.7.x86_64
Could not find debuginfo pkg for dependency package glibc-2.5-81.el5_8.7.x86_64
Could not find debuginfo pkg for dependency package atk-1.12.2-1.fc6.x86_64
Could not find debuginfo pkg for dependency package cairo-1.2.4-5.el5.x86_64
...

So when doing:
$ firefox -g -d gdb
MOZILLA_FIVE_HOME=/usr/lib64/firefox
  LD_LIBRARY_PATH=/usr/lib64/firefox:/usr/lib64/firefox/plugins:/usr/lib64/firefox
DISPLAY=:0.0
FONTCONFIG_PATH=/etc/fonts:/usr/lib64/firefox/res/Xft
DYLD_LIBRARY_PATH=/usr/lib64/firefox:/usr/lib64/firefox
     LIBRARY_PATH=
       SHLIB_PATH=/usr/lib64/firefox:/usr/lib64/firefox
          LIBPATH=/usr/lib64/firefox:/usr/lib64/firefox
       ADDON_PATH=
      MOZ_PROGRAM=/usr/lib64/firefox/firefox
      MOZ_TOOLKIT=
        moz_debug=1
     moz_debugger=gdb
moz_debugger_args=
/usr/bin/gdb  --args /usr/lib64/firefox/firefox
GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-42.el5_8.1)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/lib64/firefox/firefox...(no debugging symbols found)...done.
(gdb) run
Starting program: /usr/lib64/firefox/firefox 
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x2aaaaaaab000
[Thread debugging using libthread_db enabled]
Detaching after fork from child process 5364.
Program exited normally.
(gdb) set logging on crash_bt
Copying output to crash_bt.
(gdb) thread apply all bt full
(gdb) print DumpJSStack()
No symbol table is loaded.  Use the "file" command.
(gdb) set logging off
Done logging to crash_bt.
(gdb) quit
$ more crash_bt
No symbol table is loaded.  Use the "file" command.

If the first part worked, the gdb handles would be present, but it doesn't, implying that the required debug-info packages are not available.

Comment 7 roger.bivand 2012-11-01 16:30:27 UTC
(In reply to comment #6)

In this case the crash was total, took down 3 ff windows, but gdb didn't notice it. There is no about:crashes page. Fedora may have debuginfo, but does RHEL 5.8? Derek seems to have something. In my case the crash occurs going to:

http://www.bbc.co.uk/radio/

then

http://www.bbc.co.uk/radio/player/bbc_radio_three

in a fresh ff session with:

dom.ipc.plugins.nswrapper* false

Comment 8 roger.bivand 2012-11-01 16:35:11 UTC
(In reply to comment #7)
> In this case the crash was total, took down 3 ff windows, but gdb didn't
> notice it. There is no about:crashes page. Fedora may have debuginfo, but
> does RHEL 5.8? Derek seems to have something. 

OK, enabled debuginfo in RHN subscriptions. Will report on crash shortly.

> In my case the crash occurs going to:
> 
> http://www.bbc.co.uk/radio/
> 
> then
> 
> http://www.bbc.co.uk/radio/player/bbc_radio_three
> 
> in a fresh ff session with:
> 
> dom.ipc.plugins.nswrapper* false

Comment 9 derek 2012-11-01 16:55:06 UTC
Created attachment 636741 [details]
crash_bt

Sorry, here is the full back trace.

Comment 10 roger.bivand 2012-11-01 17:30:09 UTC
Created attachment 636753 [details]
crash_bt

Comment 13 Martin Stransky 2012-11-02 08:55:05 UTC
Looks like a NULL pointer crash in nsObjectFrame::CallSetWindow(). If you set the dom.ipc.plugins.enabled.nswrapper* to true does it help you?

If I understand correctly, firefox-10.0.8 works fine for you, right?

Comment 14 roger.bivand 2012-11-02 09:31:28 UTC
(In reply to comment #13)
> Looks like a NULL pointer crash in nsObjectFrame::CallSetWindow(). If you
> set the dom.ipc.plugins.enabled.nswrapper* to true does it help you?
> 
> If I understand correctly, firefox-10.0.8 works fine for you, right?

Previous x86_64 versions up to 10.0.10 worked  (but could stall/freeze occasionally but not predictably) with:

dom.ipc.plugins.enabled.nswrapper* false

10.0.10 crashes always, immediately, as described with false.

10.0.10 does not crash with true.
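
Added example, not part of the original thread: since the comments above tie the crash to the value of the dom.ipc.plugins.* preferences, this script reports those preferences in Firefox pref files and flags any set to false. The function names, the sample files and the one-entry-per-line `user_pref("name", value);` layout are assumptions of this example; the pref names are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the bug thread. Pref names are the ones quoted in
# the thread; the sample files below are constructed.

# list_plugin_ipc_prefs FILE -> one "name value" line per dom.ipc.plugins.* pref.
# Assumes the usual one-entry-per-line syntax: user_pref("name", value);
list_plugin_ipc_prefs() {
    sed -n 's/^[[:space:]]*\(user_\)\{0,1\}pref("\(dom\.ipc\.plugins\.[^"]*\)",[[:space:]]*\([^)[:space:]]*\)[[:space:]]*);.*$/\2 \3/p' "$1"
}

# audit_plugin_ipc FILE... -> prints one finding per pref, returns 1 if any
# dom.ipc.plugins.* pref is false (the state reported as crashing), else 0.
audit_plugin_ipc() {
    rc=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "SKIP $f: not readable"
            continue
        fi
        prefs=$(list_plugin_ipc_prefs "$f")
        if [ -z "$prefs" ]; then
            # Comment 15: the key only exists if the package or the user added it.
            echo "UNSET $f: no dom.ipc.plugins.* entry, package default applies"
            continue
        fi
        while read -r name value; do
            case "$value" in
                true)  echo "OK $f: $name = true" ;;
                false) echo "FALSE $f: $name = false"; rc=1 ;;
                *)     echo "UNKNOWN $f: $name = $value" ;;
            esac
        done <<EOF
$prefs
EOF
    done
    return $rc
}

# make_samples DIR -> writes three constructed prefs files for the demo.
make_samples() {
    cat > "$1/workaround.js" <<'EOF'
user_pref("browser.startup.homepage", "about:blank");
user_pref("dom.ipc.plugins.enabled", true);
user_pref("dom.ipc.plugins.enabled.nswrapper*", true);
EOF
    cat > "$1/crashing.js" <<'EOF'
// user_pref("dom.ipc.plugins.enabled", false);  (commented out, ignored)
user_pref("dom.ipc.plugins.enabled.nswrapper*", false);
EOF
    cat > "$1/untouched.js" <<'EOF'
user_pref("browser.startup.homepage", "about:blank");
EOF
}

tmp=$(mktemp -d)
make_samples "$tmp"
audit_plugin_ipc "$tmp"/*.js || echo "at least one file sets a plugin IPC pref to false"
rm -rf "$tmp"
```

To check real profiles, pass their prefs.js paths to audit_plugin_ipc instead of the constructed samples.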

Comment 15 Martin Stransky 2012-11-02 10:01:54 UTC
Thanks. 

Can you please test the 10.0.8 package (it's the previous one) with 
dom.ipc.plugins.enabled.nswrapper* false? But you have to add the key manually to about:config because it has been explicitly added to 10.0.10 package.

Comment 16 roger.bivand 2012-11-02 10:51:42 UTC
(In reply to comment #15)
> Thanks. 
> 
> Can you please test the 10.0.8 package (it's the previous one) with 
> dom.ipc.plugins.enabled.nswrapper* false? But you have to add the key
> manually to about:config because it has been explicitly added to 10.0.10
> package.

Sorry, I did:

yum downgrade firefox.x86_64
yum downgrade firefox-debuginfo.x86_64

but after that gdb said:

firefox -g -d gdb
MOZILLA_FIVE_HOME=/usr/lib64/firefox
  LD_LIBRARY_PATH=/usr/lib64/firefox:/usr/lib64/firefox/plugins:/usr/lib64/firefox
DISPLAY=:0.0
FONTCONFIG_PATH=/etc/fonts:/usr/lib64/firefox/res/Xft
DYLD_LIBRARY_PATH=/usr/lib64/firefox:/usr/lib64/firefox
     LIBRARY_PATH=
       SHLIB_PATH=/usr/lib64/firefox:/usr/lib64/firefox
          LIBPATH=/usr/lib64/firefox:/usr/lib64/firefox
       ADDON_PATH=
      MOZ_PROGRAM=/usr/lib64/firefox/firefox
      MOZ_TOOLKIT=
        moz_debug=1
     moz_debugger=gdb
moz_debugger_args=
/usr/bin/gdb  --args /usr/lib64/firefox/firefox
GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-42.el5_8.1)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/lib64/firefox/firefox...(no debugging symbols found)...done.
(gdb) run
Starting program: /usr/lib64/firefox/firefox 
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x2aaaaaaab000
[Thread debugging using libthread_db enabled]
Detaching after fork from child process 11652.
Error: Platform version '10.0.10' is not compatible with
minVersion >= 10.0.8
maxVersion <= 10.0.8

Program exited with code 01.
(gdb)

So you'll have to show me precisely how to downgrade to a running 10.0.8 (10.0.8 now wouldn't start at all, not just for gdb). Is the version cached? Are the plugin hooks versioned?

Comment 17 Martin Stransky 2012-11-02 10:55:56 UTC
Ahh, looks like we have a dependency bug here. Generally you need to downgrade the xulrunner package too because it provides a binary part of the browser. 

Thanks!

Comment 18 roger.bivand 2012-11-02 11:14:23 UTC
Running yum downgrade firefox.x86_64 xulrunner.x86_64

gives:

Downloading Packages:
Running rpm_check_debug
ERROR with rpm_check_debug vs depsolve:
libmozalloc.so is needed by (installed) devhelp-0.12-22.el5.i386
libxul.so is needed by (installed) devhelp-0.12-22.el5.i386
Complete!
(1, [u'Please report this error in https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%205&component=yum'])

so there may be a 64/32 issue? 

yum downgrade firefox xulrunner

is running, to be followed by

yum downgrade firefox-debuginfo xulrunner-debuginfo

Comment 19 Martin Stransky 2012-11-02 11:18:32 UTC
Yes, devhelp may cause a problem, but you can remove it, downgrade firefox/xulrunner and install devhelp again. BTW. you may not need the devhelp package, it's just a launcher for help system for developers, I wonder who runs it anyway.

Comment 20 Martin Stransky 2012-11-02 11:27:04 UTC
To be sure...you see it on RHEL5 only and RHEL6 is unaffected, right?

Comment 23 roger.bivand 2012-11-02 15:41:45 UTC
Created attachment 637135 [details]
crash_bt 10.0.8

Comment 24 roger.bivand 2012-11-02 15:57:28 UTC
(In reply to comment #20)
> To be sure...you see it on RHEL5 only and RHEL6 is unaffected, right?

I'm only running RHEL5 on two academic license machines, don't have access to RHEL6. The 10.0.8 crash was provoked in the same way, suggesting that the dom.ipc.plugins.enabled.nswrapper* false is the trigger to a possibly earlier vulnerability.

Comment 25 roger.bivand 2012-11-02 16:01:16 UTC
(In reply to comment #14)
> (In reply to comment #13)
> > Looks like a NULL pointer crash in nsObjectFrame::CallSetWindow(). If you
> > set the dom.ipc.plugins.enabled.nswrapper* to true does it help you?
> > 
> > If I understand correctly, firefox-10.0.8 works fine for you, right?
> 
> Previous x86_64 versions up to 10.0.10 worked  (but could stall/freeze
> occasionally but not predictably) with:
> 
> dom.ipc.plugins.enabled.nswrapper* false

I retract this - I was assuming that the tag existed and was default false. More correctly, previous x86_64 versions up to 10.0.10 worked  (but could stall/freeze occasionally but not predictably) with default configure settings (no user changes).

> 
> 10.0.10 crashes always, immediately, as described with false.
> 
> 10.0.10 does not crash with true.

Comment 32 errata-xmlrpc 2012-11-06 14:05:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-1429.html

