Bug 244540

Summary: firefox segfaults - looks like courtesy of threading
Product: [Fedora] Fedora
Reporter: Michal Jaegermann <michal>
Component: firefox
Assignee: Gecko Maintainer <gecko-bugs-nobody>
Status: CLOSED DUPLICATE
Severity: medium
Priority: low
Version: 7
CC: kengert, ralston, wtogami
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2007-07-06 22:58:05 UTC
Attachments:
gdb backtrace from a firefox dumped core (flags: none)

Description Michal Jaegermann 2007-06-17 00:10:13 UTC
Description of problem:

I found two cores on my system.  One 92Megs and another 87Megs.
Checking with gdb they were produced this way:

warning: Lowest section in system-supplied DSO at 0xffffe000 is .hash at ffffe0b4
Core was generated by `/usr/lib/firefox-2.0.0.4/firefox-bin'.
Program terminated with signal 11, Segmentation fault.

but there are fingerprints of nsprpub/pr/src/pthreads/ptthread.c
and apparently of calls to java in that trace.

A trace obtained after installing firefox-debuginfo and nspr-debuginfo
is attached.

The highest frame I can list is 21, and it looks like this:

(gdb) f 21
#21 0xf702e60c in xpc_ThreadDataDtorCB (ptr=0x80ed518)
    at xpcthreadcontext.cpp:451
451             delete data;
Current language:  auto; currently c++
(gdb) list
446     PR_STATIC_CALLBACK(void)
447     xpc_ThreadDataDtorCB(void* ptr)
448     {
449         XPCPerThreadData* data = (XPCPerThreadData*) ptr;
450         if(data)
451             delete data;
452     }
453
454     void XPCPerThreadData::MarkAutoRootsBeforeJSFinalize(JSContext* cx)
455     {

with 'ptr' as '(void *) 0x80ed518' and '*(XPCPerThreadData*) ptr'
coming out as:

(gdb) p *(XPCPerThreadData*) ptr
$3 = {mJSContextStack = 0x8112be8, mNextThread = 0x0, mCallContext = 0x0,
  mResolveName = 0, mResolvingWrapper = 0x0, mMostRecentJSContext = 0x9ff5368,
  mMostRecentXPCContext = 0x8455ce8, mExceptionManager = 0x0,
  mException = 0x0, mExceptionManagerNotAvailable = 0, mAutoRoots = 0x0,
  mStackLimit = 4288968920, static gLock = 0x8115830,
  static gThreads = 0x80ed518, static gTLSIndex = 2}

Version-Release number of selected component (if applicable):
firefox-2.0.0.4-2.fc7.i386
This is i386 binary running on x86_64 machine.

How reproducible:
Not really sure but traces from both cores are really the same.

Comment 1 Michal Jaegermann 2007-06-17 00:10:14 UTC
Created attachment 157207
gdb backtrace from a firefox dumped core

Comment 2 James Ralston 2007-06-28 23:51:57 UTC
This looks like a dupe of bug 242370...


Comment 3 Kai Engert (:kaie) (inactive account) 2007-07-06 22:58:05 UTC
I agree this is a duplicate of 242370

*** This bug has been marked as a duplicate of 242370 ***

Comment 4 James Ralston 2007-11-19 19:35:17 UTC
Also, running pidgin repeatedly, I got this on one of the runs:

$ /usr/bin/pidgin
libnm_glib_nm_state_cb: dbus returned an error.
  (org.freedesktop.DBus.Error.ServiceUnknown) The name
org.freedesktop.NetworkManager was not provided by any .service files
*** glibc detected *** /usr/bin/pidgin: double free or corruption (fasttop):
0x00000000007707d0 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3f2f870412]
/lib64/libc.so.6(cfree+0x8c)[0x3f2f873b1c]
/usr/lib64/purple-2/libjabber.so.0(jabber_set_buddy_icon+0x4df)[0x2aaab425e87f]
/usr/lib64/purple-2/libjabber.so.0[0x2aaab425e961]
/usr/lib64/purple-2/libjabber.so.0(jabber_iq_parse+0x1c1)[0x2aaab4265a11]
/usr/lib64/purple-2/libjabber.so.0[0x2aaab4271a8a]
/usr/lib64/libxml2.so.2[0x3f3aa3ab3a]
/usr/lib64/libxml2.so.2(xmlParseChunk+0xa6c)[0x3f3aa4710c]
/usr/lib64/purple-2/libjabber.so.0(jabber_parser_process+0x28)[0x2aaab4271968]
/usr/lib64/purple-2/libjabber.so.0[0x2aaab426e534]
/usr/bin/pidgin[0x462cdf]
/lib64/libglib-2.0.so.0(g_main_context_dispatch+0x1b4)[0x3eeb82d224]
/lib64/libglib-2.0.so.0[0x3eeb83005d]
/lib64/libglib-2.0.so.0(g_main_loop_run+0x1ca)[0x3eeb83036a]
/usr/lib64/libgtk-x11-2.0.so.0(gtk_main+0xa3)[0x3c19f2d783]
/usr/bin/pidgin(main+0x8ec)[0x47a6ec]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x3f2f81dab4]
/usr/bin/pidgin[0x429e69]
Aborted (core dumped)


Comment 5 James Ralston 2007-11-19 19:37:25 UTC
Dammit, my apologies; I was trying to paste that into bug 390901.  (I have too
many Bugzilla windows open today...)