Bug 503651

Summary: firefox crashes: realloc(): invalid next size
Product: Fedora
Reporter: D. Hugh Redelmeier <hugh>
Component: firefox
Assignee: Gecko Maintainer <gecko-bugs-nobody>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 10
CC: gecko-bugs-nobody, hugh, walters
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2009-12-18 09:31:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description D. Hugh Redelmeier 2009-06-02 03:30:14 UTC
Description of problem:
firefox crashed spontaneously.


Version-Release number of selected component (if applicable):
firefox-3.0.10-1.fc10.x86_64

How reproducible:
Has happened once, so far

Steps to Reproduce:
unknown
  
Actual results:
Note: I set ulimit -c high and invoked firefox, from an xterm, with --sync.  Firefox crashes with random errors and I want to catch them.

When it crashed, I got a lot of stuff on the xterm (stdout or stderr).  Here are the first few lines:
  sh: acroread: command not found
  sh: acroread: command not found
  *** glibc detected *** /usr/lib64/firefox-3.0.10/firefox: realloc(): invalid next size: 0x00007f10cab13600 ***
  ======= Backtrace: =========

This looks to me to be an arena corruption.

Expected results:
firefox doesn't crash.

Additional info:
I have a transcript of the run (stdout and stderr) and a core file.
I will retain these (but updates from Fedora, applied to my system, will eventually make the system's debuginfo wrong for the core file).

Here's the output of gdb's "where" command on the core file:

(gdb) where
#0  0x000000352260efab in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#1  0x0000003ffa232045 in nsProfileLock::FatalSignalHandler (signo=6) at nsProfileLock.cpp:212
#2  <signal handler called>
#3  0x0000003521a32f05 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#4  0x0000003521a34a73 in abort () at abort.c:88
#5  0x0000003521a72438 in __libc_message (do_abort=2, fmt=0x3521b3c428 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#6  0x0000003521a77ec8 in malloc_printerr (action=2, str=0x3521b39acd "realloc(): invalid next size", ptr=<value optimized out>) at malloc.c:5994
#7  0x0000003521a7c131 in _int_realloc (av=0x0, oldmem=0x0, bytes=<value optimized out>) at malloc.c:4983
#8  0x0000003521a7cfbe in __libc_realloc (oldmem=0x7f10cab13600, bytes=520) at malloc.c:3708
#9  0x0000003585c15a07 in PR_Realloc (ptr=0x7f10cab13600, size=3829) at ../../../mozilla/nsprpub/pr/src/malloc/prmem.c:482
#10 0x0000003ffaa4b468 in NS_Realloc_P (ptr=0xef5, size=3829) at nsMemoryImpl.cpp:298
#11 0x0000003ffaa15c97 in nsTArray_base::EnsureCapacity (this=0x7f10c037ed98, capacity=64, elemSize=8) at nsTArray.cpp:102
#12 0x0000003ffa369fe5 in AppendElements<imgRequestProxy*> () at ../../../dist/include/xpcom/nsTArray.h:551
#13 AppendElement<imgRequestProxy*> () at ../../../dist/include/xpcom/nsTArray.h:568
#14 AppendElement<imgRequestProxy*> () at ../../../dist/include/xpcom/nsTObserverArray.h:196
#15 AppendElementUnlessExists<imgRequestProxy*> () at ../../../dist/include/xpcom/nsTObserverArray.h:211
#16 imgRequest::AddProxy (this=0x7f10c037ed10, proxy=0x3714bbe0) at imgRequest.cpp:146
#17 0x0000003ffa36b49e in imgRequestProxy::Init (this=0x3714bbe0, request=0x7f10c037ed10, aLoadGroup=0x36b9dc90, aObserver=0x3713d5c0) at imgRequestProxy.cpp:123
#18 0x0000003ffa3677a9 in imgLoader::CreateNewProxyForRequest (this=<value optimized out>, aRequest=0x7f10c037ed10, aLoadGroup=0x36b9dc90, aObserver=0x3713d5c0, aLoadFlags=0, aProxyRequest=<value optimized out>,
    _retval=0x3713d5c8) at imgLoader.cpp:695
#19 0x0000003ffa367ff0 in imgLoader::LoadImage (this=0x75dc70, aURI=0x3713d6f0, aInitialDocumentURI=0x2d590000, aReferrerURI=0x2d590000, aLoadGroup=0x36b9dc90, aObserver=0x3713d5c0, aCX=0x344c0aa0,
    aLoadFlags=<value optimized out>, cacheKey=0x0, aRequest=0x0, _retval=0x3713d5c8) at imgLoader.cpp:538
#20 0x0000003ffa4d31bf in nsContentUtils::LoadImage (aURI=0x3713d6f0, aLoadingDocument=0x344c0aa0, aLoadingPrincipal=<value optimized out>, aReferrer=0x2d590000, aObserver=0x3713d5c0, aLoadFlags=0, aRequest=0x3713d5c8)
    at nsContentUtils.cpp:2331
#21 0x0000003ffa50699a in nsImageLoadingContent::LoadImage (this=0x3713d5c0, aNewURI=0x3713d6f0, aForce=<value optimized out>, aNotify=0, aDocument=0x344c0aa0, aLoadFlags=0) at nsImageLoadingContent.cpp:587
#22 0x0000003ffa506bd6 in nsImageLoadingContent::LoadImage (this=0x3713d5c0, aNewURI=@0x7fffec2592b0, aForce=0, aNotify=0) at nsImageLoadingContent.cpp:491
#23 0x0000003ffa56699f in nsHTMLImageElement::BindToTree (this=0x3713d590, aDocument=<value optimized out>, aParent=<value optimized out>, aBindingParent=<value optimized out>, aCompileEventHandlers=<value optimized out>)
    at nsHTMLImageElement.cpp:537
#24 0x0000003ffa4feefe in nsGenericElement::doInsertChildAt (aKid=0x3713d590, aIndex=0, aNotify=0, aParent=0x3714bfc0, aDocument=0x344c0aa0, aChildArray=@0x3714bfe8) at nsGenericElement.cpp:2729
#25 0x0000003ffa5888a7 in SinkContext::Node::Add (this=<value optimized out>, child=0x3713d590) at nsHTMLContentSink.cpp:912
#26 0x0000003ffa58bce6 in SinkContext::AddLeaf (this=0x2d590950, aContent=0xef5) at nsHTMLContentSink.cpp:1171
#27 0x0000003ffa58ca72 in SinkContext::AddLeaf (this=0x2d590950, aNode=@0x3714b700) at nsHTMLContentSink.cpp:1102
#28 0x0000003ffa33b756 in CNavDTD::HandleDefaultStartToken (this=0x37abd170, aToken=0x3720f348, aChildTag=eHTMLTag_img, aNode=0x3714b700) at CNavDTD.cpp:1084
#29 0x0000003ffa33b9ef in CNavDTD::HandleStartToken (this=0x37abd170, aToken=0x3720f348) at CNavDTD.cpp:1436
#30 0x0000003ffa33bccd in CNavDTD::HandleToken (this=0x37abd170, aToken=0x3720f348, aParser=0x2d590160) at CNavDTD.cpp:760
#31 0x0000003ffa33c3e5 in CNavDTD::BuildModel (this=0x37abd170, aParser=0x2d590160, aTokenizer=<value optimized out>, anObserver=<value optimized out>, aSink=<value optimized out>) at CNavDTD.cpp:336
#32 0x0000003ffa342998 in nsParser::BuildModel (this=0x2d590160) at nsParser.cpp:1797
#33 0x0000003ffa344ff4 in nsParser::ResumeParse (this=0x2d590160, allowIteration=1, aIsFinalChunk=1, aCanInterrupt=1) at nsParser.cpp:1674
#34 0x0000003ffa342c78 in nsParser::ContinueInterruptedParsing (this=0x2d590160) at nsParser.cpp:1183
#35 0x0000003ffa4d20b6 in nsRunnableMethod<nsContentSink>::Run (this=0xffffffffffffffff) at ../../../dist/include/xpcom/nsThreadUtils.h:261
#36 0x0000003ffaa440fa in nsThread::ProcessNextEvent (this=0x74d3e0, mayWait=1, result=0x7fffec25981c) at nsThread.cpp:510
#37 0x0000003ffaa15dea in NS_ProcessNextEvent_P (thread=0xef5, mayWait=1) at nsThreadUtils.cpp:227
#38 0x0000003ffa97a529 in nsBaseAppShell::Run (this=0x80efe0) at nsBaseAppShell.cpp:170
#39 0x0000003ffa838605 in nsAppStartup::Run (this=0x89baf0) at nsAppStartup.cpp:181
#40 0x0000003ffa22b070 in XRE_main (argc=<value optimized out>, argv=<value optimized out>, aAppData=<value optimized out>) at nsAppRunner.cpp:3193
#41 0x0000000000401665 in main (argc=2, argv=0x7fffec25d238) at nsXULStub.cpp:364
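
The triage step a maintainer would do first on a report like the one above is to pair the glibc heap-check message with the backtrace: find the frame where glibc raised the check, walk outward to the first caller outside the allocator, and confirm that the pointer glibc complained about is the one that was handed to realloc. The following script does that for the output shown in this report. It is an added example, not code from the reporter, Fedora or Mozilla; the set of glibc source files it treats as "allocator frames" is a heuristic I chose, and the embedded message and backtrace are a constructed excerpt of the data above.

```python
"""Triage a glibc heap-check abort from its message and gdb backtrace.
Added example for this bug report, not the reporter's or Mozilla's code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Source files of glibc's allocator and abort path (heuristic list, not exhaustive).
GLIBC_FILES = {"malloc.c", "abort.c", "libc_fatal.c", "raise.c", "pt-raise.c"}

GLIBC_MSG_RE = re.compile(r"\*\*\* glibc detected \*\*\* (?P<prog>\S+): (?P<err>.+?): (?P<ptr>0x[0-9a-fA-F]+) \*\*\*")
# "#N  [0xADDR in ]FUNC (ARGS) at FILE:LINE"; inlined frames carry no address.
FRAME_RE = re.compile(r"^#(?P<no>\d+)\s+(?:0x[0-9a-fA-F]+ in )?(?P<func>.+?) \((?P<args>.*)\) at (?P<file>\S+):(?P<line>\d+)$")
PTR_ARG_RE = re.compile(r"\b(?:oldmem|ptr)=(0x[0-9a-fA-F]+)")

# Constructed sample: the glibc message and a trimmed excerpt of the report's backtrace.
GLIBC_MSG = "*** glibc detected *** /usr/lib64/firefox-3.0.10/firefox: realloc(): invalid next size: 0x00007f10cab13600 ***"
BACKTRACE = r"""
#0  0x000000352260efab in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#2  <signal handler called>
#4  0x0000003521a34a73 in abort () at abort.c:88
#5  0x0000003521a72438 in __libc_message (do_abort=2, fmt=0x3521b3c428 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#6  0x0000003521a77ec8 in malloc_printerr (action=2, str=0x3521b39acd "realloc(): invalid next size", ptr=<value optimized out>) at malloc.c:5994
#7  0x0000003521a7c131 in _int_realloc (av=0x0, oldmem=0x0, bytes=<value optimized out>) at malloc.c:4983
#8  0x0000003521a7cfbe in __libc_realloc (oldmem=0x7f10cab13600, bytes=520) at malloc.c:3708
#9  0x0000003585c15a07 in PR_Realloc (ptr=0x7f10cab13600, size=3829) at ../../../mozilla/nsprpub/pr/src/malloc/prmem.c:482
#16 imgRequest::AddProxy (this=0x7f10c037ed10, proxy=0x3714bbe0) at imgRequest.cpp:146
#18 0x0000003ffa3677a9 in imgLoader::CreateNewProxyForRequest (this=<value optimized out>, aRequest=0x7f10c037ed10,
    _retval=0x3713d5c8) at imgLoader.cpp:695
"""


@dataclass
class Frame:
    no: int
    func: str
    args: str = ""
    file: Optional[str] = None
    line: Optional[int] = None

    def basename(self) -> str:
        return self.file.rsplit("/", 1)[-1] if self.file else ""


def join_continuations(text: str) -> List[str]:
    """gdb wraps long frames; a line starting with whitespace continues the previous one."""
    lines: List[str] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def parse_backtrace(text: str) -> List[Frame]:
    frames: List[Frame] = []
    for line in join_continuations(text):
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m["no"]), m["func"], m["args"], m["file"], int(m["line"])))
            continue
        m = re.match(r"^#(\d+)\s+(.*)$", line)  # e.g. "#2  <signal handler called>"
        if m:
            frames.append(Frame(int(m.group(1)), m.group(2).strip()))
    return frames


def parse_glibc_message(msg: str) -> Tuple[str, str, int]:
    """Return (program, check name, address of the chunk glibc complained about)."""
    m = GLIBC_MSG_RE.search(msg)
    if not m:
        raise ValueError("not a glibc heap-check message")
    return m["prog"], m["err"], int(m["ptr"], 16)


def first_frame_outside_glibc(frames: List[Frame]) -> Optional[Frame]:
    """Walk outward from malloc_printerr to the first caller that is not in glibc."""
    past_check = False
    for f in frames:
        if f.func == "malloc_printerr":
            past_check = True
        elif past_check and f.file and f.basename() not in GLIBC_FILES:
            return f
    return None


def triage(glibc_msg: str, backtrace: str) -> dict:
    prog, err, chunk = parse_glibc_message(glibc_msg)
    frames = parse_backtrace(backtrace)
    caller = first_frame_outside_glibc(frames)
    # Cross-check: the chunk glibc reported should be the pointer passed to realloc.
    realloc_ptr = None
    for f in frames:
        if f.func == "__libc_realloc" and (m := PTR_ARG_RE.search(f.args)):
            realloc_ptr = int(m.group(1), 16)
    return {
        "program": prog,
        "error": err,
        "corrupted_chunk": chunk,
        "first_frame_outside_glibc": (caller.func, caller.file, caller.line) if caller else None,
        "pointer_matches_realloc_arg": realloc_ptr == chunk,
    }


if __name__ == "__main__":
    for key, value in triage(GLIBC_MSG, BACKTRACE).items():
        print(f"{key}: {value}")
```

On this report the first frame outside glibc is PR_Realloc in NSPR, and the pointer glibc reported matches the `oldmem` argument of `__libc_realloc`, which is consistent with the reporter's reading that the chunk following that allocation had its size field overwritten before the realloc. The script only localises where the check fired; it cannot say which earlier write corrupted the neighbouring chunk, which is the usual limit of a glibc abort without a tool such as Valgrind or a heap-checking allocator.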

Comment 1 Bug Zapper 2009-11-18 12:03:31 UTC
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 2 Bug Zapper 2009-12-18 09:31:28 UTC
Fedora 10 changed to end-of-life (EOL) status on 2009-12-17. Fedora 10 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.