1576249 – [ppc64] ESR60 segfault in SetColor

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1576249 - [ppc64] ESR60 segfault in SetColor

Summary: [ppc64] ESR60 segfault in SetColor

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	firefox
Sub Component:
Version:	7.6
Hardware:	ppc64
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Martin Stransky
QA Contact:	Desktop QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1556893
TreeView+	depends on / blocked

Reported:	2018-05-09 07:10 UTC by Tomas Pelka
Modified:	2018-05-18 07:05 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-05-18 07:05:32 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Tomas Pelka 2018-05-09 07:10:32 UTC

Description of problem:
New FF 60ESR segfault at start

Version-Release number of selected component (if applicable):
firefox-60.0-4.el7_5

How reproducible:
100%

Steps to Reproduce:
1. start firefox
2.
3.

Actual results:
segfault

Expected results:


Additional info:
Starting program: /usr/lib64/firefox/firefox 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Detaching after fork from child process 4213.

Program received signal SIGSEGV, Segmentation fault.
SetColor (aColor=Red, this=<synthetic pointer>)
    at /usr/src/debug/firefox-60.0/memory/build/rb.h:203
203	      MOZ_RELEASE_ASSERT(mNode);

Thread 1 (Thread 0x3fffb7ff5760 (LWP 4210)):
#0  SetColor (aColor=Red, this=<synthetic pointer>)
    at /usr/src/debug/firefox-60.0/memory/build/rb.h:203
No locals.
#1  RedBlackTree<arena_chunk_map_t, ArenaAvailTreeTrait>::MoveRedRight (
    this=<optimized out>, aNode=...)
    at /usr/src/debug/firefox-60.0/memory/build/rb.h:668
        node = {mNode = 0x0}
        rbp_mrr_t = <optimized out>
#2  0x000000010001182c in RedBlackTree<arena_chunk_map_t, ArenaAvailTreeTrait>::Remove (this=0x3fffb7800080, aNode=...)
    at /usr/src/debug/firefox-60.0/memory/build/rb.h:562
        rbp_r_s = {u = {
            mBytes = "\000\000?\377\264p\001\270", '\000' <repeats 15 times>, 
            mDummy = 70367476449720}}
        rbp_r_p = {mNode = 0x3fffb47001b8}
        rbp_r_c = {mNode = 0x3fffb4800110}
        rbp_r_xp = {mNode = 0x0}
        rbp_r_t = {mNode = 0x0}
        rbp_r_u = <optimized out>
        rbp_r_cmp = <optimized out>
#3  0x0000000100013180 in Remove (aNode=0x3fffb4800038, this=0x3fffb7800080)
    at /usr/src/debug/firefox-60.0/memory/build/rb.h:144
No locals.
#4  arena_t::SplitRun (this=this@entry=0x3fffb7800000, 
    aRun=aRun@entry=0x3fffb4810000, aSize=aSize@entry=524288, 
    aLarge=aLarge@entry=false, aZero=<optimized out>)
    at /usr/src/debug/firefox-60.0/memory/build/mozjemalloc.cpp:2368
        old_ndirty = 0
        run_ind = 1
        total_pages = 1073722497
        need_pages = 8
        rem_pages = 1073722489
        i = <optimized out>
#5  0x0000000100013458 in arena_t::AllocRun (this=0x3fffb7800000, 
    aSize=524288, aLarge=aLarge@entry=false, aZero=aZero@entry=false)
    at /usr/src/debug/firefox-60.0/memory/build/mozjemalloc.cpp:2546
        run = 0x3fffb4810000
        key = {link = {mLeft = <optimized out>, 
            mRightAndColor = <optimized out>}, bits = 524304}
#6  0x0000000100015770 in arena_t::GetNonFullBinRun (this=<optimized out>, 
    aBin=0x3fffb7800868)
    at /usr/src/debug/firefox-60.0/memory/build/mozjemalloc.cpp:2796
        run = <optimized out>
        i = <optimized out>
        remainder = <optimized out>
        aBin = 0x3fffb7800868
#7  0x000000010001780c in MallocSmall (aZero=true, aSize=<optimized out>, 
    this=0x3fffb7800000)
    at /usr/src/debug/firefox-60.0/memory/build/mozjemalloc.cpp:2942
        bin = 0x3fffb7800868
        run = <optimized out>
        sizeClass = {mType = SizeClass::SubPage, mSize = 8192}
#8  Malloc (aZero=true, aSize=<optimized out>, this=0x3fffb7800000)
    at /usr/src/debug/firefox-60.0/memory/build/mozjemalloc.cpp:2999
No locals.
#9  calloc (aSize=<optimized out>, aNum=<optimized out>, 
    this=<synthetic pointer>)
    at /usr/src/debug/firefox-60.0/memory/build/mozjemalloc.cpp:4178
        arena = 0x3fffb7800000
        checkedSize = {mValue = <optimized out>, mIsValid = false}
        ret = 0x1248
#10 calloc (arg2=<optimized out>, arg1=<optimized out>)
    at /usr/src/debug/firefox-60.0/memory/build/malloc_decls.h:38
No locals.
#11 calloc (arg1=<optimized out>, arg2=<optimized out>)
    at /usr/src/debug/firefox-60.0/memory/build/malloc_decls.h:38
No locals.
#12 0x00003fffb6936e48 in XOpenDisplay (display=0x3fffffffffda ":1")
    at OpenDis.c:115
        dpy = <optimized out>
        i = <optimized out>
        j = <optimized out>
        k = <optimized out>
        display_name = 0x3fffffffffda ":1"
        setup = 0x0
        iscreen = 1
        prefix = <optimized out>
        vendorlen = <optimized out>
        u = <optimized out>
        setuplength = <optimized out>
        usedbytes = 0
        mask = <optimized out>
        conn_buf_size = <optimized out>
        xlib_buffer_size = <optimized out>
#13 0x00003fffb6b2bc30 in _gdk_x11_display_open (display_name=<optimized out>)
    at gdkdisplay-x11.c:1562
        xdisplay = <optimized out>
        display = <optimized out>
        display_x11 = <optimized out>
        attr = {title = 0x3fffb7744000 "", event_mask = 16383, x = -12000, 
          y = 16383, width = -38, height = 16383, 
          wclass = (unknown: 3065402796), visual = 0x3fffb5f97d00, 
          window_type = 16383, cursor = 0x3fffb6bf7900, 
          wmclass_name = 0x3fffffffd120 "", wmclass_class = 0x0, 
          override_redirect = 16383, type_hint = 3051801976}
        argc = <optimized out>
        argv = {0x3fffffffd560 ""}
        class_hint = <optimized out>
        pid = 70368744165664
        ignore = 0
        maj = 1
        min = 16383
        __FUNCTION__ = "_gdk_x11_display_open"
#14 0x00003fffb6ae9698 in gdk_display_manager_open_display (
    manager=<optimized out>, name=0x3fffffffffda ":1")
    at gdkdisplaymanager.c:472
        backend = 0x3fffb48104f0 "*"
        any = 1
        backend_list = <optimized out>
        display = 0x0
        backends = 0x3fffb7770940
        i = <optimized out>
        allow_any = <optimized out>
        __FUNCTION__ = "gdk_display_manager_open_display"
#15 0x00003fffb6ae6a34 in gdk_display_open (display_name=0x3fffffffffda ":1")
    at gdkdisplay.c:1966
No locals.
#16 0x00003fffb21e6a58 in XREMain::XRE_mainStartup (
    this=this@entry=0x3fffffffd638, aExitFlag=aExitFlag@entry=0x3fffffffd560)
    at /usr/src/debug/firefox-60.0/toolkit/xre/nsAppRunner.cpp:4076
        display_name = <optimized out>
        saveDisplayArg = false
        rv = <optimized out>
        desktopStartupIDEnv = <optimized out>
        useXI2 = <optimized out>
        newInstance = <optimized out>
        canRun = false
        version = {<nsTString<char>> = {<nsTSubstring<char>> = {<mozilla::detail::nsTStringRepr<char>> = {mData = 0x3fffb54a0628 "", mLength = 16383, 
                mDataFlags = (mozilla::detail::TERMINATED | mozilla::detail::VOIDED | mozilla::detail::SHARED | mozilla::detail::OWNED | mozilla::detail::LITERAL | unknown: 45824), mClassFlags = (unknown: 24832)}, static kMaxCapacity = 
    2147483637}, <No data fields>}, static kStorageSize = 64, 
          mInlineCapacity = 8, 
          mStorage = "\000!\000\002\000\000?\377\377\377\324 \000\273[\340Vǣ\033\000\000?\377\263\062Q\240\000\000\000\001\000!\000\002\000\000?\377\377\377\326\070\000\000?\377\263\266?\000\000\000?\377\265J\006@\000\000?\377"}
        osABI = {<mozilla::detail::nsTStringRepr<char>> = {
            mData = 0x100057f00 "", mLength = 16383, 
            mDataFlags = (mozilla::detail::TERMINATED | mozilla::detail::VOIDED | mozilla::detail::SHARED | mozilla::detail::OWNED | mozilla::detail::INLINE | mozilla::detail::LITERAL | unknown: 65472), 
            mClassFlags = (unknown: 54256)}, <No data fields>}
        flagFile = {<nsCOMPtr_base> = {
            mRawPtr = 0xbb5be056c7a31b}, <No data fields>}
        cachesOK = <optimized out>
        startupCacheValid = <optimized out>
#17 0x00003fffb21eb328 in XRE_mainStartup (aExitFlag=0x3fffffffd560, 
    this=0x3fffffffd638)
    at /usr/src/debug/firefox-60.0/toolkit/xre/nsAppRunner.cpp:4941
No locals.
#18 XREMain::XRE_main (this=this@entry=0x3fffffffd638, argc=argc@entry=1, 
    argv=argv@entry=0x3fffffffee28, aConfig=...)
    at /usr/src/debug/firefox-60.0/toolkit/xre/nsAppRunner.cpp:4955
        rv = <optimized out>
        binFile = {<nsCOMPtr_base> = {
            mRawPtr = 0x3fffb54a04c0}, <No data fields>}
        exit = false
        result = <optimized out>
        appInitiatedRestart = <optimized out>
#19 0x00003fffb21ebd00 in XRE_main (argc=<optimized out>, argv=0x3fffffffee28, 
    aConfig=...)
    at /usr/src/debug/firefox-60.0/toolkit/xre/nsAppRunner.cpp:5062
        main = {mNativeApp = {<nsCOMPtr_base> = {
              mRawPtr = 0x0}, <No data fields>}, 
          mProfileSvc = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, 
          mProfD = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, 
          mProfLD = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, 
          mProfileLock = {<nsCOMPtr_base> = {
              mRawPtr = 0x0}, <No data fields>}, 
          mRemoteService = {<nsCOMPtr_base> = {
              mRawPtr = 0x0}, <No data fields>}, 
          mRemoteLock = {<PRCListStr> = {next = 0x3fffffffd668, 
              prev = 0x3fffffffd668}, mHaveLock = false, 
            mReplacedLockTime = 0, mLockFile = {<nsCOMPtr_base> = {
                mRawPtr = 0x0}, <No data fields>}, static mPidLockList = {
              next = 0x3fffb4694138 <nsProfileLock::mPidLockList>, 
              prev = 0x3fffb4694138 <nsProfileLock::mPidLockList>}, 
            mPidLockFileName = 0x0, mLockFileDesc = -1}, 
          mRemoteLockDir = {<nsCOMPtr_base> = {
              mRawPtr = 0x0}, <No data fields>}, mScopedXPCOM = {
            mTuple = {<mozilla::detail::PairHelper<ScopedXPCOMStartup*, mozilla::DefaultDelete<ScopedXPCOMStartup>, (mozilla::detail::StorageType)1, (mozilla::detail::StorageType)0>> = {<mozilla::DefaultDelete<ScopedXPCOMStartup>> = {<No data fields>}, mFirstA = 0x0}, <No data fields>}}, mAppData = {
            mTuple = {<mozilla::detail::PairHelper<mozilla::XREAppData*, mozilla::DefaultDelete<mozilla::XREAppData>, (mozilla::detail::StorageType)1, (mozilla::detail::StorageType)0>> = {<mozilla::DefaultDelete<mozilla::XREAppData>> = {<No data fields>}, mFirstA = 0x3fffb5490500}, <No data fields>}}, 
          mDirProvider = {<nsIDirectoryServiceProvider2> = {<nsIDirectoryServiceProvider> = {<nsISupports> = {
                  _vptr.nsISupports = 0x3fffb36fbdf8 <vtable for nsXREDirProvider+16>}, <No data fields>}, <No data fields>}, <nsIProfileStartup> = {<nsISupports> = {
                _vptr.nsISupports = 0x3fffb36fbe40 <vtable for nsXREDirProvider+88>}, <No data fields>}, mAppProvider = {<nsCOMPtr_base> = {
                mRawPtr = 0x0}, <No data fields>}, 
            mGREDir = {<nsCOMPtr_base> = {
                mRawPtr = 0x3fffb54a0640}, <No data fields>}, 
            mGREBinDir = {<nsCOMPtr_base> = {
                mRawPtr = 0x3fffb54a0700}, <No data fields>}, 
            mXULAppDir = {<nsCOMPtr_base> = {
                mRawPtr = 0x3fffb54a0580}, <No data fields>}, 
            mProfileDir = {<nsCOMPtr_base> = {
                mRawPtr = 0x0}, <No data fields>}, 
            mProfileLocalDir = {<nsCOMPtr_base> = {
                mRawPtr = 0x0}, <No data fields>}, mProfileNotified = false, 
            mPrefsInitialized = false, 
            mAppBundleDirectories = {<nsCOMArray_base> = {
                mArray = {<nsTArray_Impl<nsISupports*, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = {
                      mHdr = 0x3fffb46a1f08 <nsTArrayHeader::sEmptyHdr>}, <nsTArray_TypedBase<nsISupports*, nsTArray_Impl<nsISupports*, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<nsISupports*, nsTArray_Impl<nsISupports*, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, 
                    static NoIndex = <optimized out>}, <No data fields>}}, <No data fields>}}, 
          mProfileName = {<nsTString<char>> = {<nsTSubstring<char>> = {<mozilla::detail::nsTStringRepr<char>> = {mData = 0x3fffffffd71c "", mLength = 0, 
                  mDataFlags = (mozilla::detail::TERMINATED | mozilla::detail::INLINE), 
                  mClassFlags = (mozilla::detail::INLINE | mozilla::detail::NULL_TERMINATED)}, static kMaxCapacity = 2147483637}, <No data fields>}, 
            static kStorageSize = 64, mInlineCapacity = 63, 
            mStorage = '\000' <repeats 62 times>, "?\377"}, 
          mDesktopStartupID = {<nsTString<char>> = {<nsTSubstring<char>> = {<mozilla::detail::nsTStringRepr<char>> = {mData = 0x3fffffffd774 "", mLength = 0, 
                  mDataFlags = (mozilla::detail::TERMINATED | mozilla::detail::INLINE), 
                  mClassFlags = (mozilla::detail::INLINE | mozilla::detail::NULL_TERMINATED)}, static kMaxCapacity = 2147483637}, <No data fields>}, 
            static kStorageSize = 64, mInlineCapacity = 63, 
            mStorage = "\000\377\327\360", '\000' <repeats 11 times>, "\001\000\001a\350", '\000' <repeats 16 times>, "libxul.so\000\000o\000\000so", '\000' <repeats 11 times>}, mStartOffline = false, mShuttingDown = false, 
          mDisableRemote = false, mGdkDisplay = 0x0}
        result = <optimized out>
#20 0x00003fffb21edb6c in mozilla::BootstrapImpl::XRE_main (
    this=<optimized out>, argc=<optimized out>, argv=<optimized out>, 
    aConfig=...) at /usr/src/debug/firefox-60.0/toolkit/xre/Bootstrap.cpp:49
No locals.
#21 0x000000010000a6c8 in do_main (argc=<optimized out>, argc@entry=1, 
    argv=argv@entry=0x3fffffffee28, envp=envp@entry=0x3fffffffee38)
    at /usr/src/debug/firefox-60.0/browser/app/nsBrowserApp.cpp:231
        appDataFile = 0x0
        config = {appData = 0x10004dcc0 <sAppData>, 
          appDataPath = 0x100039800 "browser"}
#22 0x0000000100009d40 in main (argc=<optimized out>, argv=0x3fffffffee28, 
    envp=0x3fffffffee38)
    at /usr/src/debug/firefox-60.0/browser/app/nsBrowserApp.cpp:304
        start = <optimized out>
        rv = <optimized out>
        result = <optimized out>
$1 = void
A debugging session is active.

	Inferior 1 [process 4210] will be killed.

Quit anyway? (y or n)

Comment 3 Martin Stransky 2018-05-16 12:21:17 UTC

New test builds are available here: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=16314298

Comment 4 Martin Stransky 2018-05-16 12:21:46 UTC

Please test when the builds are finished.

Comment 5 Tomas Pelka 2018-05-17 13:35:16 UTC

OK with -7 build works fine except of bz1574501.

Comment 6 Martin Stransky 2018-05-18 07:05:32 UTC

This bug is against unreleased/testing builds, closing as we're not going to use this #BZ for any public purpose.

Note You need to log in before you can comment on or make changes to this bug.