Bug 204769 - crash: corrupted double-linked list: 0x0b0c1b18 ***
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: firefox
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Christopher Aillon
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-08-31 14:18 UTC by Tom London
Modified: 2007-11-30 22:11 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-09-02 17:10:53 UTC
Type: ---
Embargoed:


Attachments
Console output from firefox on crash (33.17 KB, text/plain)
2006-08-31 22:02 UTC, Tom London

Description Tom London 2006-08-31 14:18:35 UTC
Description of problem:
At intermittent times, firefox crashes 'hangs': the screen 'darkens' under
compiz and is unresponsive.

I ran in a terminal window and got:

[tbl@localhost ~]$ firefox
*** glibc detected *** /usr/lib/firefox-1.5.0.6/firefox-bin: corrupted double-linked list: 0x0b0c1b18 ***
======= Backtrace: =========
/lib/libc.so.6[0x455145db]
/lib/libc.so.6[0x45516858]
/lib/libc.so.6(__libc_malloc+0x7e)[0x4551809e]
/usr/lib/firefox-1.5.0.6/libmozjs.so(JS_DHashAllocTable+0x17)[0x286c9f]
/usr/lib/firefox-1.5.0.6/libmozjs.so[0x2868ef]
/usr/lib/firefox-1.5.0.6/libmozjs.so(JS_DHashTableOperate+0x14d)[0x286c37]
/usr/lib/firefox-1.5.0.6/components/libxpconnect.so[0x60119c]
/usr/lib/firefox-1.5.0.6/components/libxpconnect.so[0x5fe2ad]
/usr/lib/firefox-1.5.0.6/components/libxpconnect.so[0x5fd634]
/usr/lib/firefox-1.5.0.6/components/libxpconnect.so[0x5fdb1a]
/usr/lib/firefox-1.5.0.6/components/libxpconnect.so[0x603c1c]
/usr/lib/firefox-1.5.0.6/libmozjs.so(js_FinalizeObject+0x56)[0x2ae1dc]
/usr/lib/firefox-1.5.0.6/libmozjs.so(js_GC+0x788)[0x2975d6]
/usr/lib/firefox-1.5.0.6/libmozjs.so(js_ForceGC+0x3f)[0x297918]
/usr/lib/firefox-1.5.0.6/libmozjs.so(JS_GC+0x39)[0x2782c4]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x12dd312]
/usr/lib/firefox-1.5.0.6/libxpcom_core.so(_ZN11nsTimerImpl4FireEv+0x7a)[0x1a2b60]
/usr/lib/firefox-1.5.0.6/libxpcom_core.so(_Z16handleTimerEventP14TimerEventType+0x5e)[0x1a2c08]
/usr/lib/firefox-1.5.0.6/libxpcom_core.so(PL_HandleEvent+0x1c)[0x19f08a]
/usr/lib/firefox-1.5.0.6/libxpcom_core.so(PL_ProcessPendingEvents+0x61)[0x19f2c7]
/usr/lib/firefox-1.5.0.6/libxpcom_core.so[0x1a0750]
/usr/lib/firefox-1.5.0.6/components/libwidget_gtk2.so[0x32f964]
/lib/libglib-2.0.so.0[0x457b97dd]
/lib/libglib-2.0.so.0(g_main_context_dispatch+0x182)[0x45790382]
/lib/libglib-2.0.so.0[0x4579335f]
/lib/libglib-2.0.so.0(g_main_loop_run+0x1a9)[0x45793709]
/usr/lib/libgtk-x11-2.0.so.0(gtk_main+0xb4)[0x45b1c8d4]
/usr/lib/firefox-1.5.0.6/components/libwidget_gtk2.so[0x32fd0e]
/usr/lib/firefox-1.5.0.6/components/libtoolkitcomps.so[0x63a244]
/usr/lib/firefox-1.5.0.6/firefox-bin[0x8051794]
/usr/lib/firefox-1.5.0.6/firefox-bin(__gxx_personality_v0+0x285)[0x804d1b5]
/lib/libc.so.6(__libc_start_main+0xdc)[0x454c624c]
/usr/lib/firefox-1.5.0.6/firefox-bin(__gxx_personality_v0+0x1e1)[0x804d111]


Version-Release number of selected component (if applicable):
firefox-1.5.0.6-8.i386

How reproducible:
Yes, but intermittent.  Occurs several times a day.


Steps to Reproduce:
1. run for a while....
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Tom London 2006-08-31 17:09:54 UTC
Get similar thing with firefox-1.5.0.6-9, this time in libcairo.

[tbl@localhost ~]$ *** glibc detected *** /usr/lib/firefox-1.5.0.6/firefox-bin: corrupted double-linked list: 0x0921bb10 ***
======= Backtrace: =========
/lib/libc.so.6[0x4551454a]
/lib/libc.so.6[0x45516858]
/lib/libc.so.6(__libc_malloc+0x7e)[0x4551809e]
/usr/lib/libcairo.so.2[0x45d9c33e]
/usr/lib/libcairo.so.2[0x45d9c428]
/usr/lib/libcairo.so.2[0x45d9c569]
/usr/lib/libcairo.so.2(cairo_move_to+0x75)[0x45d93785]
/usr/lib/libcairo.so.2(cairo_rectangle+0x38)[0x45d93918]
/usr/lib/gtk-2.0/2.10.0/engines/libclearlooks.so[0xa514f1]
/usr/lib/gtk-2.0/2.10.0/engines/libclearlooks.so[0xa47431]
/usr/lib/libgtk-x11-2.0.so.0(gtk_paint_extension+0xc7)[0x45b91767]
/usr/lib/firefox-1.5.0.6/components/libgfx_gtk.so[0x8195d6]
/usr/lib/firefox-1.5.0.6/components/libgfx_gtk.so[0x81ae53]
/usr/lib/firefox-1.5.0.6/components/libgfx_gtk.so[0x8345e7]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0xffccf6]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0xffd598]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x1036c36]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x1111155]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x110fa9b]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x111204d]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x11111ef]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x110fa9b]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x111204d]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x11111ef]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x110fa9b]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x111204d]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x11111ef]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x110fa9b]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x111204d]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x11111ef]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x110fa9b]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x111204d]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x11111ef]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x110fa9b]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x111204d]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x11111ef]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x110fa9b]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x111204d]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x11111ef]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x110fa9b]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x111204d]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x11111ef]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x110fa9b]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x111204d]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x11111ef]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x1034044]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x103431c]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x103386e]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x10144db]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x124b5e0]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x124f099]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x12513c6]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x12535ef]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x1254167]
/usr/lib/firefox-1.5.0.6/components/libgklayout.so[0x124b39a]
/usr/lib/firefox-1.5.0.6/components/libwidget_gtk2.so[0x294088]
/usr/lib/firefox-1.5.0.6/components/libwidget_gtk2.so[0x28f2d7]
/usr/lib/firefox-1.5.0.6/components/libwidget_gtk2.so[0x28f355]
/usr/lib/libgtk-x11-2.0.so.0[0x45b21db0]
/lib/libgobject-2.0.so.0(g_closure_invoke+0x12b)[0x3f9f0b]
/lib/libgobject-2.0.so.0[0x40ae83]
/lib/libgobject-2.0.so.0(g_signal_emit_valist+0x667)[0x40c147]
/lib/libgobject-2.0.so.0(g_signal_emit+0x29)[0x40c539]
======= Memory map: ========
00111000-00114000 r-xp 00000000 fd:00 7798847    /lib/libgmodule-2.0.so.0.1200.3
00114000-00115000 rwxp 00002000 fd:00 7798847    /lib/libgmodule-2.0.so.0.1200.3
00115000-00217000 r-xp 00000000 fd:00 8785671    /usr/li


Comment 2 Tom London 2006-08-31 21:59:06 UTC
Got another, this time I gdb'ed the process and got the stack:

(no debugging symbols found)
0xb7fb0402 in __kernel_vsyscall ()
(gdb) where
#0  0xb7fb0402 in __kernel_vsyscall ()
#1  0x4558969e in __lll_mutex_lock_wait () from /lib/libc.so.6
#2  0x4551a38e in _L_lock_14482 () from /lib/libc.so.6
#3  0x455198b4 in free () from /lib/libc.so.6
#4  0x0805a25b in nsACString_internal::operator= ()
#5  0x0805a2a1 in nsProfileLock::RemovePidLockFiles ()
#6  0x0805a488 in nsProfileLock::FatalSignalHandler ()
#7  <signal handler called>
#8  0xb7fb0402 in __kernel_vsyscall ()
#9  0x454d9060 in raise () from /lib/libc.so.6
#10 0x454da8b1 in abort () from /lib/libc.so.6
#11 0x4550e47b in __libc_message () from /lib/libc.so.6
#12 0x455145db in malloc_consolidate () from /lib/libc.so.6
#13 0x45516858 in _int_malloc () from /lib/libc.so.6
#14 0x4551809e in malloc () from /lib/libc.so.6
#15 0x4e82fcaf in JS_DHashAllocTable ()
   from /usr/lib/firefox-1.5.0.6/libmozjs.so
#16 0x4e82f8ff in JS_DHashTableRawRemove ()
   from /usr/lib/firefox-1.5.0.6/libmozjs.so
#17 0x4e82fc47 in JS_DHashTableOperate ()
   from /usr/lib/firefox-1.5.0.6/libmozjs.so
#18 0x001401ac in NSGetModule ()
   from /usr/lib/firefox-1.5.0.6/components/libxpconnect.so
---Type <return> to continue, or q <return> to quit---
#19 0x0013d2bd in NSGetModule ()
   from /usr/lib/firefox-1.5.0.6/components/libxpconnect.so
#20 0x0013c644 in NSGetModule ()
   from /usr/lib/firefox-1.5.0.6/components/libxpconnect.so
#21 0x0013cb2a in NSGetModule ()
   from /usr/lib/firefox-1.5.0.6/components/libxpconnect.so
#22 0x00142c2c in NSGetModule ()
   from /usr/lib/firefox-1.5.0.6/components/libxpconnect.so
#23 0x4e8571ec in js_FinalizeObject ()
   from /usr/lib/firefox-1.5.0.6/libmozjs.so
#24 0x4e8405e6 in js_GC () from /usr/lib/firefox-1.5.0.6/libmozjs.so
#25 0x4e840928 in js_ForceGC () from /usr/lib/firefox-1.5.0.6/libmozjs.so
#26 0x4e8212d4 in JS_GC () from /usr/lib/firefox-1.5.0.6/libmozjs.so
#27 0x4e821326 in JS_MaybeGC () from /usr/lib/firefox-1.5.0.6/libmozjs.so
#28 0x039b946f in NSGetModule ()
   from /usr/lib/firefox-1.5.0.6/components/libgklayout.so
#29 0x039ba560 in NSGetModule ()
   from /usr/lib/firefox-1.5.0.6/components/libgklayout.so
#30 0x039c33a6 in NSGetModule ()
   from /usr/lib/firefox-1.5.0.6/components/libgklayout.so
#31 0x039c3697 in NSGetModule ()
   from /usr/lib/firefox-1.5.0.6/components/libgklayout.so
#32 0x4ed72b64 in nsTimerImpl::Fire ()
---Type <return> to continue, or q <return> to quit---
   from /usr/lib/firefox-1.5.0.6/libxpcom_core.so
#33 0x4ed72c18 in handleTimerEvent ()
   from /usr/lib/firefox-1.5.0.6/libxpcom_core.so
#34 0x4ed6f09a in PL_HandleEvent ()
   from /usr/lib/firefox-1.5.0.6/libxpcom_core.so
#35 0x4ed6f2d7 in PL_ProcessPendingEvents ()
   from /usr/lib/firefox-1.5.0.6/libxpcom_core.so
#36 0x4ed70760 in nsEventQueueImpl::~nsEventQueueImpl$base ()
   from /usr/lib/firefox-1.5.0.6/libxpcom_core.so
#37 0x00277984 in ?? ()
   from /usr/lib/firefox-1.5.0.6/components/libwidget_gtk2.so
#38 0x4e29d94d in g_io_channel_unix_get_fd () from /lib/libglib-2.0.so.0
#39 0x4e274342 in g_main_context_dispatch () from /lib/libglib-2.0.so.0
#40 0x4e27731f in g_main_context_check () from /lib/libglib-2.0.so.0
#41 0x4e2776c9 in g_main_loop_run () from /lib/libglib-2.0.so.0
#42 0x4e55b8d4 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#43 0x00277d2e in ?? ()
   from /usr/lib/firefox-1.5.0.6/components/libwidget_gtk2.so
#44 0x002ac254 in NSGetModule ()
   from /usr/lib/firefox-1.5.0.6/components/libtoolkitcomps.so
#45 0x080517b4 in __cxa_pure_virtual ()
#46 0x0804d1d5 in __cxa_pure_virtual ()
#47 0x454c624c in __libc_start_main () from /lib/libc.so.6
---Type <return> to continue, or q <return> to quit---
#48 0x0804d131 in __cxa_pure_virtual ()
(gdb) quit
The program is running.  Quit anyway (and detach it)? (y or n) y
Detaching from program: /usr/lib/firefox-1.5.0.6/firefox-bin, process 7024
[root@localhost ~]# 

Console output attached....
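
The gdb stack in Comment 2 shows the process blocked in `__lll_mutex_lock_wait`: `abort()` was raised inside `malloc()`, and `nsProfileLock::FatalSignalHandler` then called `free()` from signal context. The script below is an added example, not part of the bug report and not Firefox or glibc code; it flags that pattern in gdb `where` output. The names `parse_frames`, `allocator_reentry` and the `ALLOCATOR` set are assumptions chosen for illustration.

```python
import re

# Assumed list of symbols that take glibc's malloc arena lock;
# none of them are async-signal-safe.
ALLOCATOR = {"malloc", "free", "calloc", "realloc",
             "_int_malloc", "_int_free", "malloc_consolidate"}
SIGNAL = "<signal handler called>"
FRAME = re.compile(r"^#\d+\s+(?:0x[0-9a-f]+ in )?(<signal handler called>|[^\s(]+)")

# Frames #0-#14 copied from the gdb session in Comment 2.
COMMENT2_TRACE = """\
#0  0xb7fb0402 in __kernel_vsyscall ()
#1  0x4558969e in __lll_mutex_lock_wait () from /lib/libc.so.6
#2  0x4551a38e in _L_lock_14482 () from /lib/libc.so.6
#3  0x455198b4 in free () from /lib/libc.so.6
#4  0x0805a25b in nsACString_internal::operator= ()
#5  0x0805a2a1 in nsProfileLock::RemovePidLockFiles ()
#6  0x0805a488 in nsProfileLock::FatalSignalHandler ()
#7  <signal handler called>
#8  0xb7fb0402 in __kernel_vsyscall ()
#9  0x454d9060 in raise () from /lib/libc.so.6
#10 0x454da8b1 in abort () from /lib/libc.so.6
#11 0x4550e47b in __libc_message () from /lib/libc.so.6
#12 0x455145db in malloc_consolidate () from /lib/libc.so.6
#13 0x45516858 in _int_malloc () from /lib/libc.so.6
#14 0x4551809e in malloc () from /lib/libc.so.6
"""

def parse_frames(text):
    """Return frame symbols, innermost first; non-frame lines are ignored."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            frames.append(m.group(1))
    return frames

def allocator_reentry(frames):
    """Return (handler_symbol, interrupted_symbol) if a signal handler
    entered the allocator while the interrupted code was inside it."""
    if SIGNAL not in frames:
        return None
    at = frames.index(SIGNAL)
    handler = [s for s in frames[:at] if s in ALLOCATOR]
    interrupted = [s for s in frames[at + 1:] if s in ALLOCATOR]
    return (handler[0], interrupted[0]) if handler and interrupted else None

if __name__ == "__main__":
    print(allocator_reentry(parse_frames(COMMENT2_TRACE)))
```
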

Comment 3 Tom London 2006-08-31 22:02:23 UTC
Created attachment 135343
Console output from firefox on crash

Comment 4 Bill Nottingham 2006-09-01 20:38:34 UTC
Please try glibc-2.4.90-28 or later.

Comment 5 Tom London 2006-09-01 20:51:42 UTC
I'm trying now.  Appears more robust.

I'll close tomorrow if I see no more crashes.

Comment 6 Tom London 2006-09-02 17:10:53 UTC
glibc-2.4.90-28 seems to have fixed this.

Closing....

