1789477 – crashes, writes to libxul

Bug 1789477 - crashes, writes to libxul

Summary: crashes, writes to libxul

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	firefox
Sub Component:
Version:	31
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	high
Target Milestone:	---
Assignee:	Gecko Maintainer
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-01-09 16:26 UTC by udo
Modified:	2020-05-17 06:22 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-05-17 06:22:52 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description udo 2020-01-09 16:26:58 UTC

Description of problem:
Firefox crashes, due to bug in amdgpu or whatever, but after the crash libxul appears modified. (`rpm -V firefox`)


Version-Release number of selected component (if applicable):
firefox-71.0-15.fc31.x86_64.rpm

How reproducible:
Use firefox, play youtube, etc on amdgpu (apu?) system.
It crashes and (sometimes) libxul is modified as shown by rpm -V.


Actual results:
Not so stable firefox.

Expected results:


Additional info:

Comment 1 udo 2020-01-09 16:27:56 UTC

/usr is on raid-1 of nvme disks.
No messages are seen that indicate corruption of the raid-1 or the ext4 fs on this raid-1.

Comment 2 udo 2020-01-11 04:27:43 UTC

Also, in other cases, it crashes the computer *HARD*.
Might be related to amdgpu bugs but firefox triggers whatever easily.
This means the 'stable' images of Linux is severely tainted by this issue.

Comment 3 Martin Stransky 2020-01-15 12:48:23 UTC

Can you submit your crashes to mozilla and paste here crash id/link?
You can find them at about:crashes page.
Thanks.

Comment 4 udo 2020-01-18 09:41:35 UTC

A few:

Report ID 	Date Submitted
bp-8af4fe6a-2f9f-4482-939d-fe96b0200113 	1/13/20, 3:09 AM 	
View
bp-beeeae85-dbe8-4fc9-8512-a293e0200112 	1/12/20, 3:01 PM 	
View
bp-66fb51c7-d1db-41a1-aec0-609440200112 	1/12/20, 7:05 AM 	
View
bp-d2b8c40f-bb14-4a03-b722-57d360200112 	1/12/20, 7:05 AM 	
View
bp-e1246648-0272-48dc-b4be-59df50200112 	1/12/20, 5:11 AM 	
View
bp-d21a1179-0c82-4f97-ad0d-7d03a0200112 	1/12/20, 5:11 AM 	
View
bp-e85b1c02-32d1-497b-a3f6-17ae70200112 	1/12/20, 5:11 AM 	
View
bp-8c7c262b-4b06-44b9-9a16-d83050200112 	1/12/20, 4:46 AM 	
View
bp-9a9eed1c-4c3b-41d4-8f54-1df4d0200112 	1/12/20, 4:33 AM 	
View
bp-5c2bc42f-8a58-419d-80a7-377d40200111 	1/11/20, 12:15 PM 	
View
bp-020894f8-f6bb-42f2-9dad-f90490200111 	1/11/20, 4:37 AM 	
View
bp-61b2bacd-65d3-4b8b-9853-aca6c0200111 	1/11/20, 4:29 AM 	
View
bp-45e722e1-c590-442c-a58b-3f50e0200111 	1/11/20, 4:29 AM 	
View
bp-cee2b633-3c86-4058-a6a8-4ad4d0200110 	1/10/20, 4:51 PM 	
View
bp-e00245af-fd87-436a-b092-dc9fb0200110 	1/10/20, 4:51 PM 	
View
bp-ddbd4cf3-e7b9-494e-96aa-41d5f0200110

I cannot see what happened at each moment, though.

Comment 5 udo 2020-01-18 09:53:17 UTC

I cleared the crashes so I can more clearly tell a new crash is about this issue.

Comment 6 udo 2020-01-24 10:12:20 UTC

On kernel 5.4.x this issue happens more often than on kernel 5.3.18.

Comment 7 udo 2020-02-17 16:09:15 UTC

Also writes to binary:

$ rpm -V firefox
..5......    /usr/lib64/firefox/firefox-bin
.......T.    /usr/lib64/firefox/libxul.so
$

Nice to have a Linux like that... :-/

Comment 8 Martin Stransky 2020-02-24 11:17:05 UTC

Hm, I wonder how is that even possible. Please try to:

1) reinstall your firefox package (rpm -e firefox and then install again)
2) create a new profile (firefox -P)
3) if it crashes again please try to get a backtrace of the crash, see:
https://fedoraproject.org/wiki/Debugging_guidelines_for_Mozilla_products#Application_crash

Thanks.

Comment 9 udo 2020-02-24 14:30:09 UTC

It might very well be a kernel issue: https://bugzilla.kernel.org/show_bug.cgi?id=206191

I am not sure if an application would be able to write to libraries when loaded via the dynamic linker...

Comment 10 udo 2020-02-29 14:47:27 UTC

Also happens to thunderbird, albeit less frequent.

Comment 11 udo 2020-04-07 14:30:30 UTC

The stability issue appears to be fixed by kernel 5.6.2. (several days without the lockup)
Yet the writing to libxul etc stays, albeit less frequent:

# rpm -V firefox
..5......    /usr/lib64/firefox/libxul.so
..5......    /usr/lib64/firefox/minidump-analyzer

So we shut down firefox, copy back our backup of libxul, or reinstall firefox, and stuff runs OK again.
But why does firefox do this?

Comment 12 udo 2020-04-07 16:00:49 UTC

I cleared the about:crashes and will submit those that happen on this more stable kernel.

Comment 13 udo 2020-04-09 08:43:17 UTC

In logging I found:

Apr  9 10:04:44 surfplank2 mozilla-thunderbird.desktop[58232]: Crash Annotation GraphicsCriticalError: |[0][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66903.4) |[31][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66950.1) |[32][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66950.1) |[33][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66950.2) |[34][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66950.2) |[35][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66950.5) |[36][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66950.7) |[37][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66950.7) |[23][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66949.6) |[24][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66949.6) |[25][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66949.6) |[26][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66949.6) |[27][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66949.6) |[28][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66949.6) |[29][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66949.7) |[30][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66949.7) [GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624)
Apr  9 10:04:44 surfplank2 mozilla-thunderbird.desktop[58232]: Crash Annotation GraphicsCriticalError: |[0][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66903.4) |[31][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66950.1) |[32][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66950.1) |[33][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66950.2) |[34][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66950.2) |[35][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66950.5) |[36][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66950.7) |[37][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66950.7) |[38][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66950.7) |[24][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66949.6) |[25][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66949.6) |[26][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66949.6) |[27][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66949.6) |[28][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66949.6) |[29][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66949.7) |[30][GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624) (t=66949.7) [GFX1-]: Failed to allocate a surface due to invalid size (DTD) Size(19184,10624)

Does this shed some light on possible causes?

Comment 14 Martin Stransky 2020-04-09 09:11:59 UTC

(In reply to udo from comment #13)
> Does this shed some light on possible causes?

That means a firefox child process crashes/has some difficulties. I don't think it can lead to libxul writes in any way.
btw. the /usr/lib64/firefox/libxul.so is owned by root while you run firefox as a regular user. How any action of regular user can lead to changes in files owned by root? That would be a serious security issue of the underlying system.

Comment 15 udo 2020-04-09 12:13:38 UTC

I can understand your conclusion.
There appears to be a connection, though. (between FF crash and the lib modification)
How to approach this in the bugzilla process?

Comment 16 Martin Stransky 2020-04-09 12:51:51 UTC

(In reply to udo from comment #15)
> I can understand your conclusion.
> There appears to be a connection, though. (between FF crash and the lib
> modification)
> How to approach this in the bugzilla process?

Sorry, I have no idea as I'm not an expert to kernel and other low-level stuff. It may be switched to kernel but I think you wont's get any feedback there. I suggest you to continue to investigate on your own.

Comment 17 udo 2020-04-09 15:02:44 UTC

$ gdb /usr/lib64/firefox/firefox  core.223451
GNU gdb (GDB) Fedora 8.3.50.20190824-30.fc31
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/lib64/firefox/firefox...
Reading symbols from /usr/lib/debug/usr/lib64/firefox/firefox-74.0.1-3.fc31.x86_64.debug...

warning: core file may not match specified executable file.
[New LWP 223451]
[New LWP 223493]
[New LWP 223483]
[New LWP 223476]
[New LWP 223485]
[New LWP 223467]
[New LWP 223479]
[New LWP 269798]
[New LWP 223490]
[New LWP 269791]
[New LWP 224419]
[New LWP 223486]
[New LWP 223487]
[New LWP 223494]
[New LWP 223509]
[New LWP 223518]
[New LWP 223510]
[New LWP 223520]
[New LWP 224418]
[New LWP 224417]
[New LWP 223495]
[New LWP 269797]
[New LWP 224420]
[New LWP 224500]
[New LWP 269794]
[New LWP 224494]
[New LWP 224421]
[New LWP 223488]
[New LWP 269793]
[New LWP 269795]
[New LWP 269796]
[New LWP 223475]
[New LWP 224499]
[New LWP 223496]
[New LWP 223517]
[New LWP 224416]
[New LWP 269792]
[New LWP 223489]
[New LWP 224497]
[New LWP 223484]
[New LWP 223519]
[New LWP 223482]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

warning: Loadable section ".note.gnu.property" outside of ELF segments

warning: Loadable section ".note.gnu.property" outside of ELF segments

warning: Loadable section ".note.gnu.property" outside of ELF segments
Core was generated by `/usr/lib64/firefox/firefox -contentproc -childID 9 -isForBrowser -prefsLen 7615'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f77a8d7029a in nsTSubstring<char16_t>::~nsTSubstring (this=0x7f778eee2580, __in_chrg=<optimized out>) at /usr/src/debug/firefox-74.0.1-3.fc31.x86_64/objdir/dist/include/nsTSubstring.h:326
326	  ~nsTSubstring() { Finalize(); }
[Current thread is 1 (Thread 0x7f77b0fdf780 (LWP 223451))]
(gdb) bt
#0  0x00007f77a8d7029a in nsTSubstring<char16_t>::~nsTSubstring() (this=0x7f778eee2580, __in_chrg=<optimized out>) at /usr/src/debug/firefox-74.0.1-3.fc31.x86_64/objdir/dist/include/nsTSubstring.h:326
#1  nsTString<char16_t>::~nsTString() (this=0x7f778eee2580, __in_chrg=<optimized out>) at /usr/src/debug/firefox-74.0.1-3.fc31.x86_64/objdir/dist/include/nsTString.h:26
#2  nsTAutoStringN<char16_t, 64ul>::~nsTAutoStringN() (this=0x7f778eee2580, __in_chrg=<optimized out>) at /usr/src/debug/firefox-74.0.1-3.fc31.x86_64/objdir/dist/include/nsTString.h:490
#3  nsHTMLContentSerializer::AppendElementStart(mozilla::dom::Element*, mozilla::dom::Element*) (this=0x7f777a2a4000, aElement=
    0x7f778eee2580, aOriginalElement=0x7f77a8cd753d <mozilla::dom::Element::SetAttrAndNotify(int, nsAtom*, nsAtom*, nsAttrValue const*, nsAttrValue&, nsIPrincipal*, unsigned char, bool, bool, bool, mozilla::dom::Document*, mozAutoDocUpdate const&)+1085>)
    at /usr/src/debug/firefox-74.0.1-3.fc31.x86_64/dom/base/nsHTMLContentSerializer.cpp:230
#4  0x00007f778d2abc80 in  ()
#5  0x00007f777a2a4000 in  ()
#6  0x00007f77a8c7d933 in mozilla::dom::DocumentFragment::Clone(mozilla::dom::NodeInfo*, nsINode**) const (this=0x0, aNodeInfo=0x0, aResult=0x0) at /usr/src/debug/firefox-74.0.1-3.fc31.x86_64/dom/base/DocumentFragment.cpp:123
#7  0x00007f778d246f00 in  ()
#8  0x00007f777a2a4000 in  ()
#9  0x00007f77a8c7d933 in mozilla::dom::DocumentFragment::Clone(mozilla::dom::NodeInfo*, nsINode**) const (this=0x0, aNodeInfo=0x0, aResult=0x0) at /usr/src/debug/firefox-74.0.1-3.fc31.x86_64/dom/base/DocumentFragment.cpp:123
#10 0x00007f778d246d00 in  ()
#11 0x00007f777a2a4000 in  ()
#12 0x00007f77a8c9bbb6 in mozilla::binding_danger::TErrorResult<mozilla::binding_danger::JustSuppressCleanupPolicy>::~TErrorResult() (this=0x7f778d2acd00, __in_chrg=<optimized out>) at /usr/src/debug/firefox-74.0.1-3.fc31.x86_64/objdir/dist/include/mozilla/ErrorResult.h:844
#13 mozilla::IgnoreErrors::~IgnoreErrors() (this=0x7f778d2acd00, __in_chrg=<optimized out>) at /usr/src/debug/firefox-74.0.1-3.fc31.x86_64/objdir/dist/include/mozilla/ErrorResult.h:844
#14 mozilla::dom::IdleRequestCallback::Call(mozilla::dom::IdleDeadline&, char const*) (aExecutionReason=0x7f77ad379ee9 "requestIdleCallback handler", deadline=..., this=0x7f777a2a4000) at /usr/src/debug/firefox-74.0.1-3.fc31.x86_64/objdir/dist/include/mozilla/dom/WindowBinding.h:779
#15 mozilla::dom::IdleRequest::IdleRun(nsPIDOMWindowInner*, double, bool) (this=<optimized out>, aWindow=<optimized out>, aDeadline=6.9244009199240389e-310, aDidTimeout=<optimized out>) at /usr/src/debug/firefox-74.0.1-3.fc31.x86_64/dom/base/IdleRequest.cpp:62
#16 0x00007f777a2a4000 in  ()
#17 0x00007ffe28e85cf8 in  ()
#18 0x00007f77a7c27ac4 in non-virtual thunk to nsThreadPool::Release() () at /usr/src/debug/firefox-74.0.1-3.fc31.x86_64/xpcom/threads/nsThreadPool.h:25
#19 0x00007f7795174000 in  ()
#20 0x0000b840a2b75e30 in  ()
#21 0x00007ffe28e85d00 in  ()
#22 0x00007ffe28e85d00 in  ()
#23 0x00007ffe28e85d00 in  ()
#24 0x000055cfbe0b574f in Mutex::Unlock() (this=0x7f779513d9a8) at /usr/src/debug/firefox-74.0.1-3.fc31.x86_64/memory/build/Mutex.h:121
#25 AutoLock<Mutex>::~AutoLock() (this=<synthetic pointer>, __in_chrg=<optimized out>) at /usr/src/debug/firefox-74.0.1-3.fc31.x86_64/memory/build/Mutex.h:121
#26 arena_t::MallocSmall(unsigned long, bool) (aZero=false, aSize=140151592927296, this=0x7ffe28e85db7) at /usr/src/debug/firefox-74.0.1-3.fc31.x86_64/memory/build/mozjemalloc.cpp:2855
#27 arena_t::Malloc(unsigned long, bool) (aZero=false, aSize=<optimized out>, this=0x7ffe28e85db7) at /usr/src/debug/firefox-74.0.1-3.fc31.x86_64/memory/build/mozjemalloc.cpp:2911
#28 BaseAllocator::malloc(unsigned long) (this=<synthetic pointer>, aSize=<optimized out>) at /usr/src/debug/firefox-74.0.1-3.fc31.x86_64/memory/build/mozjemalloc.cpp:4050
#29 Allocator<MozJemallocBase>::malloc(unsigned long) (arg1=<optimized out>) at /usr/src/debug/firefox-74.0.1-3.fc31.x86_64/memory/build/malloc_decls.h:51
#30 malloc(size_t) (arg1=<optimized out>) at /usr/src/debug/firefox-74.0.1-3.fc31.x86_64/memory/build/malloc_decls.h:51
#31 0xf5db96ed067ea200 in  ()
#32 0x00007ffe28e85f70 in  ()
#33 0x00007f77b0da4240 in  ()
#34 0x00007ffe28e85f70 in  ()
#35 0x00007f7795e94040 in  ()
#36 0x00007f77b0da4260 in  ()
#37 0x00007f77a7c2aae0 in nsProcess::ProcessComplete() (this=0x7f779522e000) at /usr/src/debug/firefox-74.0.1-3.fc31.x86_64/xpcom/threads/nsProcessCommon.cpp:197
#38 0xf5db96ed067ea200 in  ()
#39 0x00007f77b0da4240 in  ()
#40 0x00007f77a812ca2a in mozilla::ipc::IdleSchedulerChild::GetMainThreadIdleScheduler() () at /usr/src/debug/firefox-74.0.1-3.fc31.x86_64/ipc/glue/IdleSchedulerChild.cpp:88
#41 0x00007f7795e94040 in  ()
#42 0x00007ffe28e85ef0 in  ()
#43 0x00007ffe28e85f70 in  ()
#44 0x00007ffe28e86380 in  ()
#45 0x000088c395a8f58a in  ()
#46 0x00007f77a80f4b59 in Pickle::ReadInt(PickleIterator*, int*) const (this=0x0, iter=0x0, result=0x0) at /usr/src/debug/firefox-74.0.1-3.fc31.x86_64/ipc/chromium/src/base/pickle.cc:220
#47 0x00007ffe28e85f70 in  ()
#48 0x00007ffe28e85e80 in  ()
#49 0xf5db96ed067ea200 in  ()
#50 0x00007ffe28e85ef0 in  ()
#51 0x00007f77aa2839fc in nsBaseFilePicker::GetDisplayDirectory(nsIFile**) (this=<optimized out>, aDirectory=<optimized out>) at /usr/src/debug/firefox-74.0.1-3.fc31.x86_64/objdir/dist/include/nsCOMPtr.h:380
#52 0x00007f77a80f4b59 in Pickle::ReadInt(PickleIterator*, int*) const (this=0x0, iter=0x0, result=0x0) at /usr/src/debug/firefox-74.0.1-3.fc31.x86_64/ipc/chromium/src/base/pickle.cc:220
#53 0x00007ffe28e85f70 in  ()
#54 0x0000000000000000 in  ()
(gdb) 

$ rpm -qa|grep firefox
firefox-debugsource-74.0.1-3.fc31.x86_64
firefox-debuginfo-74.0.1-3.fc31.x86_64
firefox-74.0.1-3.fc31.x86_64

Comment 18 udo 2020-04-10 09:54:15 UTC

$ gdb /usr/lib64/firefox/firefox  core.9225 
GNU gdb (GDB) Fedora 8.3.50.20190824-30.fc31
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/lib64/firefox/firefox...
Reading symbols from /usr/lib/debug/usr/lib64/firefox/firefox-75.0-1.fc31.x86_64.debug...

warning: core file may not match specified executable file.
[New LWP 9225]
[New LWP 9243]
[New LWP 9248]
[New LWP 9238]
[New LWP 9242]
[New LWP 9233]
[New LWP 9240]
[New LWP 9244]
[New LWP 9246]
[New LWP 9280]
[New LWP 9247]
[New LWP 9865]
[New LWP 9285]
[New LWP 35786]
[New LWP 9850]
[New LWP 9241]
[New LWP 9855]
[New LWP 9288]
[New LWP 9909]
[New LWP 38232]
[New LWP 9852]
[New LWP 9281]
[New LWP 9289]
[New LWP 35787]
[New LWP 9239]
[New LWP 9235]
[New LWP 9261]
[New LWP 9854]
[New LWP 9260]
[New LWP 9230]
[New LWP 9245]
[New LWP 9286]
[New LWP 9851]
[New LWP 9264]
[New LWP 9853]
[New LWP 9908]
[New LWP 9905]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Missing separate debuginfo for /lib64/libwayland-client.so.0
Try: dnf --enablerepo='*debug*' install /usr/lib/debug/.build-id/9e/f915378b86267f15ae3717b419ce8b880c8df4.debug
bMissing separate debuginfo for /lib64/libuuid.so.1
Try: dnf --enablerepo='*debug*' install /usr/lib/debug/.build-id/97/f6854e8679ff15b4e5aa62eb96f6231f3a99db.debug

warning: Loadable section ".note.gnu.property" outside of ELF segments

warning: Loadable section ".note.gnu.property" outside of ELF segments

warning: Loadable section ".note.gnu.property" outside of ELF segments
t
Core was generated by `/usr/lib64/firefox/firefox -contentproc -childID 4 -isForBrowser -prefsLen 7794'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  js::MapGCThingTyped<js::ApplyGCThingTyped<js::GCMarker::traverseEdge<js::ObMissing separate debuginfos, use: dnf debuginfo-install nss-3.50.0-2.fc31.x86_64 nss-softokn-3.50.0-2.fc31.x86_64 nss-softokn-freebl-3.50.0-2.fc31.x86_64 nss-util-3.50.0-2.fc31.x86_64 sqlite-libs-3.30.0-1.fc31.x86_64
--Type <RET> for more, q to quit, c to continue without paging--
jectGroup*, JS::PropertyKey>(js::ObjectGroup*, JS::PropertyKey const&)::{lambda(auto:1)#1}>(JS::PropertyKey const&, js::GCMarker::traverseEdge<js::ObjectGroup*, JS::PropertyKey>(js::ObjectGroup*, JS::PropertyKey const&)::{lambda(auto:1)#1}&&)::{lambda(auto:1)#1}>(JS::PropertyKey const, JS::PropertyKey const&) (f=..., iden=...) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/objdir/dist/include/js/Id.h:237
237	bool ApplyGCThingTyped(const jsid& id, F&& f) {
[Current thread is 1 (Thread 0x7f26a7902780 (LWP 9225))]
(gdb) bt
#0  js::MapGCThingTyped<js::ApplyGCThingTyped<js::GCMarker::traverseEdge<js::ObjectGroup*, JS::PropertyKey>(js::ObjectGroup*, JS::PropertyKey const&)::{lambda(auto:1)#1}>(JS::PropertyKey const&, js::GCMarker::traverseEdge<js::ObjectGroup*, JS::PropertyKey>(js::ObjectGroup*, JS::PropertyKey const&)::{lambda(auto:1)#1}&&)::{lambda(auto:1)#1}>(JS::PropertyKey const, JS::PropertyKey const&) (f=..., iden=...) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/objdir/dist/include/js/Id.h:237
#1  js::ApplyGCThingTyped<js::GCMarker::traverseEdge<js::ObjectGroup*, JS::PropertyKey>(js::ObjectGroup*, JS::PropertyKey const&)::{lambda(auto:1)#1}>(JS::PropertyKey const&, js::GCMarker::traverseEdge<js::ObjectGroup*, JS::PropertyKey>(js::ObjectGroup*, JS::PropertyKey const&)::{lambda(auto:1)#1}&&) (f=..., iden=...) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/objdir/dist/include/js/Id.h:243
#2  js::GCMarker::traverseEdge<js::ObjectGroup*, JS::PropertyKey>(js::ObjectGroup*, JS::PropertyKey const&) (thing=..., source=0x501025ef790, this=0x7f268b8221b0) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/Marking.cpp:1043
#3  js::GCMarker::lazilyMarkChildren(js::ObjectGroup*) (this=this@entry=0x7f268b8221b0, group=0x501025ef790) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/Marking.cpp:1510
#4  0x00007f26a2212442 in js::GCMarker::processMarkStackTop(js::SliceBudget&) (this=this@entry=0x7f268b8221b0, budget=...) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/Marking.cpp:2209
#5  0x00007f26a22130ab in js::GCMarker::markUntilBudgetExhausted(js::SliceBudget&) (this=this@entry=0x7f268b8221b0, budget=...) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/Marking.cpp:1756
#6  0x00007f26a21fc5a4 in js::gc::GCRuntime::markUntilBudgetExhausted(js::SliceBudget&) (sliceBudget=..., this=0x7f268b8214c8) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/GC.cpp:5471
#7  js::gc::GCRuntime::markUntilBudgetExhausted(js::SliceBudget&, js::gcstats::PhaseKind) (phase=js::gcstats::PhaseKind::MARK, sliceBudget=..., this=0x7f268b8214c8) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/GC.cpp:5456
#8  js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason, js::gc::AutoGCSession&) (this=this@entry=0x7f268b8214c8, budget=..., gckind=..., reason=reason@entry=JS::GCReason::INTER_SLICE_GC, session=...)
    at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/GC.cpp:6525
#9  0x00007f26a21fcb95 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) (this=this@entry=0x7f268b8214c8, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., gckind=..., reason=reason@entry=JS::GCReason::INTER_SLICE_GC)
    at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/GC.cpp:6987
#10 0x00007f26a21fce96 in js::gc::GCRuntime::collect(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) (this=this@entry=0x7f268b8214c8, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., gckindArg=..., reason=reason@entry=JS::GCReason::INTER_SLICE_GC)
    at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/GC.cpp:7169
#11 0x00007f26a21fd58c in js::gc::GCRuntime::gcSlice(JS::GCReason, long) (millis=49, reason=JS::GCReason::INTER_SLICE_GC, this=0x7f268b8214c8) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/objdir/dist/include/js/SliceBudget.h:21
#12 JS::IncrementalGCSlice(JSContext*, JS::GCReason, long) (cx=cx@entry=0x7f268b82e000, reason=reason@entry=JS::GCReason::INTER_SLICE_GC, millis=millis@entry=49) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/GC.cpp:8092
#13 0x00007f269f590c96 in nsJSContext::GarbageCollectNow(JS::GCReason, nsJSContext::IsIncremental, nsJSContext::IsShrinking, long) (aReason=JS::GCReason::INTER_SLICE_GC, aIncremental=nsJSContext::IncrementalGC, aShrinking=nsJSContext::NonShrinkingGC, aSliceMillis=49)
    at /usr/src/debug/firefox-75.0-1.fc31.x86_64/dom/base/nsJSEnvironment.cpp:1172
#14 0x00007f269f590d56 in InterSliceGCRunnerFired(mozilla::TimeStamp, void*) (aDeadline=..., aData=0x0) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/objdir/dist/include/mozilla/TimeStamp.h:136
#15 0x00007f269e41708a in std::function<bool (mozilla::TimeStamp)>::operator()(mozilla::TimeStamp) const (__args#0=..., this=0x7f266d17ac70) at /usr/include/c++/9/bits/std_function.h:683
#16 mozilla::IdleTaskRunner::Run() (this=0x7f266d17ac40) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/xpcom/threads/IdleTaskRunner.cpp:58
#17 0x00007f269e417154 in mozilla::IdleTaskRunner::Run() (this=<optimized out>) at /usr/include/c++/9/bits/std_function.h:564
#18 0x00007f269e4285a4 in nsThread::ProcessNextEvent(bool, bool*) (aResult=0x7ffea3414037, aMayWait=<optimized out>, this=0x7f2690572040) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/xpcom/threads/nsThread.cpp:1220
#19 nsThread::ProcessNextEvent(bool, bool*) (this=0x7f2690572040, aMayWait=<optimized out>, aResult=0x7ffea3414037) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/xpcom/threads/nsThread.cpp:1065
#20 0x00007f269e42a26c in NS_ProcessNextEvent(nsIThread*, bool) (aThread=<optimized out>, aThread@entry=0x7f2690572040, aMayWait=aMayWait@entry=false) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/xpcom/threads/nsThreadUtils.cpp:481
#21 0x00007f269e9397ca in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (this=0x7f26a77a4240, aDelegate=0x7ffea34141e0) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/ipc/glue/MessagePump.cpp:87
#22 0x00007f269e9002d9 in MessageLoop::RunInternal() (this=<optimized out>) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/objdir/dist/include/mozilla/RefPtr.h:313
#23 MessageLoop::RunHandler() (this=<optimized out>) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/ipc/chromium/src/base/message_loop.cc:308
#24 MessageLoop::Run() (this=<optimized out>) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/ipc/chromium/src/base/message_loop.cc:290
#25 0x00007f26a0aec82c in nsBaseAppShell::Run() (this=0x7f268b95c700) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/widget/nsBaseAppShell.cpp:137
#26 0x00007f26a1c39807 in XRE_RunAppShell() () at /usr/src/debug/firefox-75.0-1.fc31.x86_64/toolkit/xre/nsEmbedFunctions.cpp:926
#27 0x00007f269e9002d9 in MessageLoop::RunInternal() (this=0x7ffea34141e0) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/objdir/dist/include/mozilla/RefPtr.h:313
#28 MessageLoop::RunHandler() (this=0x7ffea34141e0) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/ipc/chromium/src/base/message_loop.cc:308
#29 MessageLoop::Run() (this=this@entry=0x7ffea34141e0) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/ipc/chromium/src/base/message_loop.cc:290
#30 0x00007f26a1c39d47 in XRE_InitChildProcess(int, char**, XREChildData const*) (aArgc=13, aArgv=0x7ffea3414568, aChildData=<optimized out>) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/toolkit/xre/nsEmbedFunctions.cpp:761
#31 0x0000560a8868be0b in content_process_main(mozilla::Bootstrap*, int, char**) (bootstrap=0x7f26a7725630, argc=15, argv=0x7ffea3414568) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/browser/app/../../ipc/contentproc/plugin-container.cpp:56
#32 0x0000560a8868b694 in main(int, char**, char**) (argc=<optimized out>, argv=<optimized out>, envp=0x7ffea34145f0) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/objdir/dist/include/mozilla/UniquePtr.h:309
(gdb) 

$ rpm -qa|grep firefox
firefox-debuginfo-75.0-1.fc31.x86_64
firefox-debugsource-75.0-1.fc31.x86_64
firefox-75.0-1.fc31.x86_64

Comment 19 udo 2020-04-11 04:44:39 UTC

$ gdb /usr/lib64/firefox/firefox  core.229294 
GNU gdb (GDB) Fedora 8.3.50.20190824-30.fc31
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/lib64/firefox/firefox...
Reading symbols from /usr/lib/debug/usr/lib64/firefox/firefox-75.0-1.fc31.x86_64.debug...

warning: core file may not match specified executable file.
[New LWP 229310]
[New LWP 229482]
[New LWP 229309]
[New LWP 234071]
[New LWP 229298]
[New LWP 229319]
[New LWP 229302]
[New LWP 229305]
[New LWP 229312]
[New LWP 229483]
[New LWP 229317]
[New LWP 234069]
[New LWP 229303]
[New LWP 229337]
[New LWP 229294]
[New LWP 229311]
[New LWP 229344]
[New LWP 229340]
[New LWP 229306]
[New LWP 229308]
[New LWP 229479]
[New LWP 229661]
[New LWP 229318]
[New LWP 229480]
[New LWP 229341]
[New LWP 229628]
[New LWP 229304]
[New LWP 229336]
[New LWP 230846]
[New LWP 229297]
[New LWP 230847]
[New LWP 229481]
[New LWP 234068]
[New LWP 229345]
[New LWP 229484]
[New LWP 234070]
[New LWP 229307]
[New LWP 229299]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

warning: Loadable section ".note.gnu.property" outside of ELF segments

warning: Loadable section ".note.gnu.property" outside of ELF segments

warning: Loadable section ".note.gnu.property" outside of ELF segments
Core was generated by `/usr/lib64/firefox/firefox -contentproc -childID 3 -isForBrowser -prefsLen 7525'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fb98f092563 in js::gc::Cell::getTraceKind (this=0x0) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/objdir/dist/include/js/HeapAPI.h:523
523	  return location == ChunkLocation::Nursery;
[Current thread is 1 (Thread 0x7fb977b05700 (LWP 229310))]
(gdb) bt
#0  0x00007fb98f092563 in js::gc::Cell::getTraceKind() const (this=0x0) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/objdir/dist/include/js/HeapAPI.h:523
#1  js::gc::UniqueIdGCPolicy::needsSweep(js::gc::Cell**, unsigned long*) (cellp=0x7fb970894000) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/GC.cpp:3406
#2  JS::GCHashMap<js::gc::Cell*, unsigned long, mozilla::PointerHasher<js::gc::Cell*>, js::SystemAllocPolicy, js::gc::UniqueIdGCPolicy>::sweep() (this=this@entry=0x7fb9775f16e0) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/objdir/dist/include/js/GCHashTable.h:80
#3  0x00007fb98f09282d in JS::Zone::sweepUniqueIds() (this=0x7fb9775f1000) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/threading/ProtectedData.h:136
#4  js::gc::GCRuntime::sweepUniqueIds() (this=<optimized out>) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/GC.cpp:4983
#5  0x00007fb98f074eb7 in js::GCParallelTask::runTask() (this=0x7ffc717386f0) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/GCParallelTask.cpp:143
#6  0x00007fb98f08861d in js::GCParallelTask::runFromHelperThread(js::AutoLockHelperThreadState&) (this=0x7ffc717386f0, lock=...) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/GCParallelTask.cpp:128
#7  0x00007fb98ecfa081 in js::HelperThread::handleGCParallelWorkload(js::AutoLockHelperThreadState&) (this=0x7fb9788059b0, lock=...) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/vm/HelperThreads.h:419
#8  0x00007fb98ecfd46c in js::HelperThread::threadLoop() (this=0x7fb9788059b0) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/vm/HelperThreads.cpp:2523
#9  0x00007fb98ecfd4a8 in js::HelperThread::ThreadMain(void*) (arg=0x7fb9788059b0) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/vm/HelperThreads.cpp:2045
#10 0x00007fb98ecf9609 in js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::callMain<0ul>(std::integer_sequence<unsigned long, 0ul>) (this=0x7fb97881d200) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/threading/Mutex.h:73
#11 js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start(void*) (aPack=0x7fb97881d200) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/threading/Thread.h:207
#12 0x00007fb994d3b4e2 in start_thread (arg=<optimized out>) at pthread_create.c:479
#13 0x00007fb9949086a3 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(gdb) quit
$ rpm -V firefox
$

Comment 20 udo 2020-04-12 03:37:36 UTC

$ gdb /usr/lib64/firefox/firefox core.52328 
GNU gdb (GDB) Fedora 8.3.50.20190824-30.fc31
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/lib64/firefox/firefox...
Reading symbols from /usr/lib/debug/usr/lib64/firefox/firefox-75.0-1.fc31.x86_64.debug...

warning: core file may not match specified executable file.
[New LWP 52328]
[New LWP 52347]
[New LWP 56114]
[New LWP 52354]
[New LWP 52345]
[New LWP 52988]
[New LWP 52403]
[New LWP 52400]
[New LWP 52360]
[New LWP 52372]
[New LWP 52985]
[New LWP 88736]
[New LWP 52987]
[New LWP 52357]
[New LWP 54987]
[New LWP 52363]
[New LWP 88728]
[New LWP 54988]
[New LWP 52346]
[New LWP 52355]
[New LWP 52361]
[New LWP 52371]
[New LWP 52364]
[New LWP 52387]
[New LWP 52990]
[New LWP 56103]
[New LWP 56113]
[New LWP 88730]
[New LWP 52356]
[New LWP 54990]
[New LWP 88729]
[New LWP 52404]
[New LWP 52362]
[New LWP 52359]
[New LWP 54985]
[New LWP 52402]
[New LWP 52370]
[New LWP 52386]
[New LWP 52358]
[New LWP 52986]
[New LWP 52989]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

warning: Loadable section ".note.gnu.property" outside of ELF segments

warning: Loadable section ".note.gnu.property" outside of ELF segments

warning: Loadable section ".note.gnu.property" outside of ELF segments
Missing separate debuginfo for /lib64/libgomp.so.1
Try: dnf --enablerepo='*debug*' install /usr/lib/debug/.build-id/89/25144f2271929b0dc1275e647a2ad03c09463b.debug
Core was generated by `/usr/lib64/firefox/firefox -contentproc -childID 7 -isForBrowser -prefsLen 7525'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  js::SetMaybeAliveFlag<JSObject> (thing=0x3dbe462b2970)
    at /usr/src/debug/firefox-75.0-1.fc31.x86_64/objdir/dist/include/js/Realm.h:Missing separate debuginfos, use: dnf debuginfo-install ffmpeg-libs-4.2.1-3.fc31.x86_64 gsm-1.0.18-5.fc31.x86_64 intel-mediasdk-19.3.0-2.fc31.x86_64 lame-libs-3.100-6.fc31.x86_64 libaom-1.0.0-8.20190810git9666276.fc31.x86_64 libdav1d-0.5.2-1.fc31.x86_64 libdrm-2.4.100-1.fc31.x86_64 libtheora-1.1.1-24.fc31.x86_64 libva-2.6.0-0.1.fc31.x86_64 libvdpau-1.3-1.fc31.x86_64 libvpx-1.8.2-1.fc31.x86_64 numactl-libs-2.0.12-3.fc31.x86_64 ocl-icd-2.2.12-6.fc31.x86_64 opencore-amr-0.1.5-8.fc31.x86_64 openjpeg2-2.3.1-6.fc31.x86_64 opus-1.3.1-2.fc31.x86_64 soxr-0.1.3-4.fc31.x86_64 speex-1.2.0-4.fc31.x86_64 vo-amrwbenc-0.1.3-10.fc31.x86_64 x264-libs-0.157-12.20190717git34c06d1.fc31.x86_64 x265-libs-3.1.2-2.fc31.x86_64 xvidcore-1.3.5-6.fc31.x86_64 zvbi-0.2.35-9.fc31.x86_64
--Type <RET> for more, q to quit, c to continue without paging--
50
50	  JS::Compartment* compartment() { return compartment_; }
[Current thread is 1 (Thread 0x7fd930367780 (LWP 52328))]
(gdb) bt
#0  js::SetMaybeAliveFlag<JSObject>(JSObject*) (thing=0x3dbe462b2970) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/objdir/dist/include/js/Realm.h:50
#1  DoMarking<JSObject>(js::GCMarker*, JSObject*) (thing=0x3dbe462b2970, gcmarker=0x7fd9145221b0) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/Marking.cpp:872
#2  DoMarking<JSObject>(js::GCMarker*, JSObject*) (gcmarker=0x7fd9145221b0, thing=0x3dbe462b2970) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/Marking.cpp:861
#3  0x00007fd92ac74700 in js::gc::TraceEdgeInternal<JSObject*>(JSTracer*, JSObject**, char const*) (trc=trc@entry=0x3dbe462b2970, thingp=thingp@entry=0x7ffd3c032780, name=name@entry=0x7fd92cb79053 "script-gcthing") at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/GCMarker.h:355
#4  0x00007fd92ac785d7 in js::TraceManuallyBarrieredEdge<JSObject*>(JSTracer*, JSObject**, char const*) (name=0x7fd92cb79053 "script-gcthing", thingp=0x7ffd3c032780, trc=0x3dbe462b2970) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/Tracer.h:192
#5  js::<lambda(auto:9)>::operator()<JSObject*> (__closure=<optimized out>, __closure=<optimized out>, t=<optimized out>) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/Marking.cpp:671
#6  JS::MapGCThingTyped<js::TraceManuallyBarrieredGenericPointerEdge(JSTracer*, js::gc::Cell**, char const*)::<lambda(auto:9)> > (f=..., traceKind=<optimized out>, thing=<optimized out>) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/objdir/dist/include/js/TraceKind.h:232
#7  js::TraceManuallyBarrieredGenericPointerEdge(JSTracer*, js::gc::Cell**, char const*) (trc=trc@entry=0x7fd9145221b0, thingp=thingp@entry=0x7ffd3c0327b0, name=name@entry=0x7fd92cb79053 "script-gcthing") at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/Marking.cpp:669
#8  0x00007fd92a910d79 in js::PrivateScriptData::trace(JSTracer*) (this=<optimized out>, trc=trc@entry=0x7fd9145221b0) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/vm/JSScript.cpp:4252
#9  0x00007fd92ac74824 in js::BaseScript::traceChildren(JSTracer*) (this=0x3f64877faea0, trc=trc@entry=0x7fd9145221b0) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/Marking.cpp:1104
#10 0x00007fd92ac7726a in js::GCMarker::processMarkStackTop(js::SliceBudget&) (this=this@entry=0x7fd9145221b0, budget=...) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/Marking.cpp:2209
#11 0x00007fd92ac780ab in js::GCMarker::markUntilBudgetExhausted(js::SliceBudget&) (this=this@entry=0x7fd9145221b0, budget=...) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/Marking.cpp:1756
#12 0x00007fd92ac615a4 in js::gc::GCRuntime::markUntilBudgetExhausted(js::SliceBudget&) (sliceBudget=..., this=0x7fd9145214c8) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/GC.cpp:5471
#13 js::gc::GCRuntime::markUntilBudgetExhausted(js::SliceBudget&, js::gcstats::PhaseKind) (phase=js::gcstats::PhaseKind::MARK, sliceBudget=..., this=0x7fd9145214c8) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/GC.cpp:5456
#14 js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason, js::gc::AutoGCSession&) (this=this@entry=0x7fd9145214c8, budget=..., gckind=..., reason=reason@entry=JS::GCReason::PAGE_HIDE, session=...)
    at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/GC.cpp:6525
#15 0x00007fd92ac61b95 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) (this=this@entry=0x7fd9145214c8, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., gckind=..., reason=reason@entry=JS::GCReason::PAGE_HIDE)
    at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/GC.cpp:6987
#16 0x00007fd92ac61e96 in js::gc::GCRuntime::collect(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) (this=this@entry=0x7fd9145214c8, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., gckindArg=..., reason=reason@entry=JS::GCReason::PAGE_HIDE)
    at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/GC.cpp:7169
#17 0x00007fd92ac6282d in js::gc::GCRuntime::startGC(JSGCInvocationKind, JS::GCReason, long) (millis=49, reason=JS::GCReason::PAGE_HIDE, gckind=GC_NORMAL, this=0x7fd9145214c8) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/objdir/dist/include/js/SliceBudget.h:21
#18 js::gc::GCRuntime::startGC(JSGCInvocationKind, JS::GCReason, long) (millis=49, reason=JS::GCReason::PAGE_HIDE, gckind=GC_NORMAL, this=0x7fd9145214c8) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/GC.cpp:7250
#19 JS::StartIncrementalGC(JSContext*, JSGCInvocationKind, JS::GCReason, long) (cx=cx@entry=0x7fd91452e000, gckind=gckind@entry=GC_NORMAL, reason=reason@entry=JS::GCReason::PAGE_HIDE, millis=millis@entry=49) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/js/src/gc/GC.cpp:8087
#20 0x00007fd927ff5c0c in nsJSContext::GarbageCollectNow(JS::GCReason, nsJSContext::IsIncremental, nsJSContext::IsShrinking, long) (aReason=JS::GCReason::PAGE_HIDE, aIncremental=nsJSContext::IncrementalGC, aShrinking=<optimized out>, aSliceMillis=49)
    at /usr/src/debug/firefox-75.0-1.fc31.x86_64/dom/base/nsJSEnvironment.cpp:1188
#21 0x00007fd927ff5d56 in InterSliceGCRunnerFired(mozilla::TimeStamp, void*) (aDeadline=..., aData=0x28) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/objdir/dist/include/mozilla/TimeStamp.h:136
#22 0x00007fd926e7c08a in std::function<bool (mozilla::TimeStamp)>::operator()(mozilla::TimeStamp) const (__args#0=..., this=0x7fd8f6c0e450) at /usr/include/c++/9/bits/std_function.h:683
#23 mozilla::IdleTaskRunner::Run() (this=0x7fd8f6c0e420) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/xpcom/threads/IdleTaskRunner.cpp:58
#24 0x00007fd926e7c154 in mozilla::IdleTaskRunner::Run() (this=<optimized out>) at /usr/include/c++/9/bits/std_function.h:564
#25 0x00007fd926e8d5a4 in nsThread::ProcessNextEvent(bool, bool*) (aResult=0x7ffd3c032da7, aMayWait=<optimized out>, this=0x7fd919071040) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/xpcom/threads/nsThread.cpp:1220
#26 nsThread::ProcessNextEvent(bool, bool*) (this=0x7fd919071040, aMayWait=<optimized out>, aResult=0x7ffd3c032da7) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/xpcom/threads/nsThread.cpp:1065
#27 0x00007fd926e8f26c in NS_ProcessNextEvent(nsIThread*, bool) (aThread=<optimized out>, aThread@entry=0x7fd919071040, aMayWait=aMayWait@entry=false) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/xpcom/threads/nsThreadUtils.cpp:481
#28 0x00007fd92739e7ca in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (this=0x7fd9301a4240, aDelegate=0x7ffd3c032f50) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/ipc/glue/MessagePump.cpp:87
#29 0x00007fd9273652d9 in MessageLoop::RunInternal() (this=<optimized out>) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/objdir/dist/include/mozilla/RefPtr.h:313
#30 MessageLoop::RunHandler() (this=<optimized out>) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/ipc/chromium/src/base/message_loop.cc:308
#31 MessageLoop::Run() (this=<optimized out>) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/ipc/chromium/src/base/message_loop.cc:290
#32 0x00007fd92955182c in nsBaseAppShell::Run() (this=0x7fd9186c8700) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/widget/nsBaseAppShell.cpp:137
#33 0x00007fd92a69e807 in XRE_RunAppShell() () at /usr/src/debug/firefox-75.0-1.fc31.x86_64/toolkit/xre/nsEmbedFunctions.cpp:926
#34 0x00007fd9273652d9 in MessageLoop::RunInternal() (this=0x7ffd3c032f50) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/objdir/dist/include/mozilla/RefPtr.h:313
#35 MessageLoop::RunHandler() (this=0x7ffd3c032f50) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/ipc/chromium/src/base/message_loop.cc:308
#36 MessageLoop::Run() (this=this@entry=0x7ffd3c032f50) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/ipc/chromium/src/base/message_loop.cc:290
#37 0x00007fd92a69ed47 in XRE_InitChildProcess(int, char**, XREChildData const*) (aArgc=13, aArgv=0x7ffd3c0332d8, aChildData=<optimized out>) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/toolkit/xre/nsEmbedFunctions.cpp:761
#38 0x000055653ee49e0b in content_process_main(mozilla::Bootstrap*, int, char**) (bootstrap=0x7fd930125630, argc=15, argv=0x7ffd3c0332d8) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/browser/app/../../ipc/contentproc/plugin-container.cpp:56
#39 0x000055653ee49694 in main(int, char**, char**) (argc=<optimized out>, argv=<optimized out>, envp=0x7ffd3c033360) at /usr/src/debug/firefox-75.0-1.fc31.x86_64/objdir/dist/include/mozilla/UniquePtr.h:309
(gdb)

Comment 21 udo 2020-04-15 13:05:06 UTC

How to find the root cause(s) that explain(s) all of this?
- crashes in various ways
- libxul modification despite security model of linux
- also in thunderbird but to a lesser extent

Comment 22 udo 2020-04-15 13:16:02 UTC

Submitted Crash Reports
Report ID 	Date Submitted
bp-6df0c864-0673-4500-b475-e81180200415 	4/15/20, 1:14 PM 	
View
bp-b2c6df83-e6b5-41cd-9ba6-ea80a0200415 	4/15/20, 1:14 PM 	
View
bp-72971e3b-e07b-4e41-b1dc-e3d5b0200414 	4/14/20, 11:18 AM 	
View
bp-37e51bdd-c798-45d6-a8c2-820270200412 	4/12/20, 2:51 PM 	
View
bp-6c14ab40-a245-47a7-a5cb-78c470200412 	4/12/20, 1:26 PM 	
View
bp-e8662466-0829-4c7b-84bc-d57e30200412 	4/12/20, 1:24 PM 	
View
bp-d22a05af-89bf-49e9-96c9-b2a1a0200412 	4/12/20, 7:07 AM 	
View
bp-1687bd9e-45de-4bfb-8017-312230200412 	4/12/20, 7:02 AM 	
View
bp-bc702464-4e25-4f61-a598-43a5c0200410 	4/10/20, 4:51 AM 	
View
bp-75786f07-3e55-4ce1-97ca-df6a00200410 	4/10/20, 4:49 AM 	
View
bp-745139c6-766e-47a9-a14d-68efe0200410 	4/10/20, 4:42 AM 	
View
bp-017bd834-7073-45cf-b5fa-969680200409 	4/9/20, 12:11 PM 	
View
bp-28da372f-e187-4e74-8cc7-ceff80200409 	4/9/20, 12:11 PM 	
View
bp-4b130611-10be-44e4-bc3b-483a60200409 	4/9/20, 12:11 PM 	
View
bp-e479631f-3467-49b9-a414-1f1ba0200409 	4/9/20, 12:11 PM 	
View
bp-d96979ab-9bcc-4c57-b8e8-df0cb0200409 	4/9/20, 12:11 PM 	
View
bp-16654eb9-7675-4dc4-96e4-38c7f0200409 	4/9/20, 12:11 PM 	
View
bp-29f1aeed-e024-42e5-8a5b-4a2590200409 	4/9/20, 12:11 PM 	
View
bp-b9e692fb-0626-4665-8ea8-6dcef0200409 	4/9/20, 12:11 PM 	
View
bp-beec6050-c9fd-4723-9aa6-f2b060200409 	4/9/20, 12:11 PM 	
View
bp-91660c2d-078c-4ee0-8710-b26d10200409 	4/9/20, 11:43 AM 	
View
bp-9d2ff27b-6f9c-40ae-8d6a-6567f0200409 	4/9/20, 4:49 AM 	
View

Comment 23 Martin Stransky 2020-04-15 21:38:21 UTC

I wonder if it can be tied to some HW corruption. Can you for instance perform a memory check of your box?

Comment 24 udo 2020-04-16 03:45:19 UTC

I can.
We have memtest86+ available.

How do you explain that kernel compiles work OK?

Comment 25 udo 2020-05-17 06:22:39 UTC

Different RAM fixed the situation.
But still it is weird that with not-so-perfect RAM an application running as a user can write to a root owned file consistently, repeatedly.

Note You need to log in before you can comment on or make changes to this bug.