244540 – firefox segfaults - looks like courtesy of threading

Bug 244540 - firefox segfaults - looks like courtesy of threading

Summary: firefox segfaults - looks like courtesy of threading

Keywords:
Status:	CLOSED DUPLICATE of bug 242370
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	firefox
Sub Component:
Version:	7
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Gecko Maintainer
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-06-17 00:10 UTC by Michal Jaegermann
Modified:	2007-11-30 22:12 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-07-06 22:58:05 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
gdb backtrace from a firefox dumped core (2.65 KB, text/plain) 2007-06-17 00:10 UTC, Michal Jaegermann	no flags	Details
View All

Description Michal Jaegermann 2007-06-17 00:10:13 UTC

Description of problem:

I found two cores on my system.  One 92Megs and another 87Megs.
Checking with gdb they were produced this way:

warning: Lowest section in system-supplied DSO at 0xffffe000 is .hash at ffffe0b4
Core was generated by `/usr/lib/firefox-2.0.0.4/firefox-bin'.
Program terminated with signal 11, Segmentation fault.

but there are fingerprints of nsprpub/pr/src/pthreads/ptthread.c
and apparently of calls to java in that trace.

A trace obtained after installing firefox-debuginfo and nspr-debuginfo
is attached.

The highest frame I can list is 21 and this looks like that:

(gdb) f 21
#21 0xf702e60c in xpc_ThreadDataDtorCB (ptr=0x80ed518)
    at xpcthreadcontext.cpp:451
451             delete data;
Current language:  auto; currently c++
(gdb) list
446     PR_STATIC_CALLBACK(void)
447     xpc_ThreadDataDtorCB(void* ptr)
448     {
449         XPCPerThreadData* data = (XPCPerThreadData*) ptr;
450         if(data)
451             delete data;
452     }
453
454     void XPCPerThreadData::MarkAutoRootsBeforeJSFinalize(JSContext* cx)
455     {

with 'ptr' as '(void *) 0x80ed518' and '*(XPCPerThreadData*) ptr'
coming out as:

(gdb) p *(XPCPerThreadData*) ptr
$3 = {mJSContextStack = 0x8112be8, mNextThread = 0x0, mCallContext = 0x0,
  mResolveName = 0, mResolvingWrapper = 0x0, mMostRecentJSContext = 0x9ff5368,
  mMostRecentXPCContext = 0x8455ce8, mExceptionManager = 0x0,
  mException = 0x0, mExceptionManagerNotAvailable = 0, mAutoRoots = 0x0,
  mStackLimit = 4288968920, static gLock = 0x8115830,
  static gThreads = 0x80ed518, static gTLSIndex = 2}

Version-Release number of selected component (if applicable):
firefox-2.0.0.4-2.fc7.i386
This is i386 binary running on x86_64 machine.

How reproducible:
Not really sure but traces from both cores are really the same.

Comment 1 Michal Jaegermann 2007-06-17 00:10:14 UTC

Created attachment 157207 [details]
gdb backtrace from a firefox dumped core

Comment 2 James Ralston 2007-06-28 23:51:57 UTC

This looks like a dupe of bug 242370...

Comment 3 Kai Engert (:kaie) (inactive account) 2007-07-06 22:58:05 UTC

I agree this is a duplicate of 242370

*** This bug has been marked as a duplicate of 242370 ***

Comment 4 James Ralston 2007-11-19 19:35:17 UTC

Also, running pidgin repeatedly, I got this on one of the runs:

$ /usr/bin/pidgin
libnm_glib_nm_state_cb: dbus returned an error.
  (org.freedesktop.DBus.Error.ServiceUnknown) The name
org.freedesktop.NetworkManager was not provided by any .service files
*** glibc detected *** /usr/bin/pidgin: double free or corruption (fasttop):
0x00000000007707d0 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3f2f870412]
/lib64/libc.so.6(cfree+0x8c)[0x3f2f873b1c]
/usr/lib64/purple-2/libjabber.so.0(jabber_set_buddy_icon+0x4df)[0x2aaab425e87f]
/usr/lib64/purple-2/libjabber.so.0[0x2aaab425e961]
/usr/lib64/purple-2/libjabber.so.0(jabber_iq_parse+0x1c1)[0x2aaab4265a11]
/usr/lib64/purple-2/libjabber.so.0[0x2aaab4271a8a]
/usr/lib64/libxml2.so.2[0x3f3aa3ab3a]
/usr/lib64/libxml2.so.2(xmlParseChunk+0xa6c)[0x3f3aa4710c]
/usr/lib64/purple-2/libjabber.so.0(jabber_parser_process+0x28)[0x2aaab4271968]
/usr/lib64/purple-2/libjabber.so.0[0x2aaab426e534]
/usr/bin/pidgin[0x462cdf]
/lib64/libglib-2.0.so.0(g_main_context_dispatch+0x1b4)[0x3eeb82d224]
/lib64/libglib-2.0.so.0[0x3eeb83005d]
/lib64/libglib-2.0.so.0(g_main_loop_run+0x1ca)[0x3eeb83036a]
/usr/lib64/libgtk-x11-2.0.so.0(gtk_main+0xa3)[0x3c19f2d783]
/usr/bin/pidgin(main+0x8ec)[0x47a6ec]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x3f2f81dab4]
/usr/bin/pidgin[0x429e69]
======= Memory map: ========
00400000-004cd000 r-xp 00000000 fd:02 2262026                           
/usr/bin/pidgin
006cc000-006df000 rw-p 000cc000 fd:02 2262026                           
/usr/bin/pidgin
006df000-00de7000 rw-p 006df000 00:00 0                                  [heap]
40000000-40001000 ---p 40000000 00:00 0 
40001000-40a01000 rw-p 40001000 00:00 0 
31a3c00000-31a3c41000 r-xp 00000000 fd:02 65793                         
/usr/lib64/libpango-1.0.so.0.1600.4
31a3c41000-31a3e40000 ---p 00041000 fd:02 65793                         
/usr/lib64/libpango-1.0.so.0.1600.4
31a3e40000-31a3e43000 rw-p 00040000 fd:02 65793                         
/usr/lib64/libpango-1.0.so.0.1600.4
31a4400000-31a442e000 r-xp 00000000 fd:02 65870                         
/usr/lib64/libpangoft2-1.0.so.0.1600.4
31a442e000-31a462d000 ---p 0002e000 fd:02 65870                         
/usr/lib64/libpangoft2-1.0.so.0.1600.4
31a462d000-31a462f000 rw-p 0002d000 fd:02 65870                         
/usr/lib64/libpangoft2-1.0.so.0.1600.4
3233600000-3233608000 r-xp 00000000 fd:02 66259                         
/usr/lib64/libXi.so.6.0.0
3233608000-3233807000 ---p 00008000 fd:02 66259                         
/usr/lib64/libXi.so.6.0.0
3233807000-3233808000 rw-p 00007000 fd:02 66259                         
/usr/lib64/libXi.so.6.0.0
357cc00000-357ccf0000 r-xp 00000000 fd:02 72981                         
/usr/lib64/libpurple.so.0.2.2
357ccf0000-357ceef000 ---p 000f0000 fd:02 72981                         
/usr/lib64/libpurple.so.0.2.2
357ceef000-357cef7000 rw-p 000ef000 fd:02 72981                         
/usr/lib64/libpurple.so.0.2.2
357cef7000-357cefa000 rw-p 357cef7000 00:00 0 
357d000000-357d071000 r-xp 00000000 fd:02 69138                         
/usr/lib64/libgnomevfs-2.so.0.1800.1
357d071000-357d271000 ---p 00071000 fd:02 69138                         
/usr/lib64/libgnomevfs-2.so.0.1800.1
357d271000-357d276000 rw-p 00071000 fd:02 69138                         
/usr/lib64/libgnomevfs-2.so.0.1800.1
357d400000-357d416000 r-xp 00000000 fd:02 66916                         
/usr/lib64/libgnome-2.so.0.1800.0
357d416000-357d615000 ---p 00016000 fd:02 66916                         
/usr/lib64/libgnome-2.so.0.1800.0
357d615000-357d617000 rw-p 00015000 fd:02 66916                         
/usr/lib64/libgnome-2.so.0.1800.0
357dc00000-357dc22000 r-xp 00000000 fd:02 72570                         
/usr/lib64/libedata-book-1.2.so.2.4.0
357dc22000-357de21000 ---p 00022000 fd:02 72570                         
/usr/lib64/libedata-book-1.2.so.2.4.0
357de21000-357de25000 rw-p 00021000 fd:02 72570                         
/usr/lib64/libedata-book-1.2.so.2.4.0
357e800000-357e831000 r-xp 00000000 fd:02 73148                         
/usr/lib64/librsvg-2.so.2.16.1
357e831000-357ea31000 ---p 00031000 fd:02 73148                         
/usr/lib64/librsvg-2.so.2.16.1
357ea31000-357ea33000 rw-p 00031000 fd:02 73148                         
/usr/lib64/librsvg-2.so.2.16.1
357ec00000-357ec36000 r-xp 00000000 fd:02 67451                         
/usr/lib64/libebook-1.2.so.9.0.1
357ec36000-357ee35000 ---p 00036000 fd:02 67451                         
/usr/lib64/libebook-1.2.so.9.0.1
357ee35000-357ee3b000 rw-p 00035000 fd:02 67451                         
/usr/lib64/libebook-1.2.so.9.0.1
357ee3b000-357ee3c000 rw-p 357ee3b000 00:00 0 
357f000000-357f054000 r-xp 00000000 fd:02 72676                         
/usr/lib64/libcamel-1.2.so.10.0.0
357f054000-357f253000 ---p 00054000 fd:02 72676                         
/usr/lib64/libcamel-1.2.so.10.0.0
357f253000-357f258000 rw-p 00053000 fd:02 72676                         
/usr/lib64/libcamel-1.2.so.10.0.0
358fe00000-358ff25000 r-xp 00000000 fd:01 163894                        
/lib64/libcrypto.so.0.9.8b
358ff25000-3590125000 ---p 00125000 fd:01 163894                        
/lib64/libcrypto.so.0.9.8b
3590125000-3590144000 rw-p 00125000 fd:01 163894                        
/lib64/libcrypto.so.0.9.8b
3590144000-3590148000 rw-p 3590144000 00:00 0 
3590200000-3590207000 r-xp 00000000 fd:02 70090                         
/usr/lib64/libpopt.so.0.0.0
3590207000-3590407000 ---p 00007000 fd:02 70090                         
/usr/lib64/libpopt.so.0.0.0
3590407000-3590408000 rw-p 00007000 fd:02 70090                         
/usr/lib64/libpopt.so.0.0.0
3590600000-3590643000 r-xp 00000000 fd:01 163896                        
/lib64/libssl.so.0.9.8b
3590643000-3590843000 ---p 00043000 fd:01 163896                        
/lib64/libssl.so.0.9.8b
3590843000-3590849000 rw-p 00043000 fd:01 163896                        
/lib64/libssl.so.0.9.8b
3592600000-3592628000 r-xp 00000000 fd:02 65820                         
/usr/lib64/libedataserver-1.2.so.9.0.0
3592628000-3592828000 ---p 00028000 fd:02 65820                         
/usr/lib64/libedataserver-1.2.so.9.0.0
3592828000-359282a000 rw-p 00028000 fd:02 65820                         
/usr/lib64/libedataserver-1.2.so.9.0.0
36c4000000-36c4054000 r-xp 00000000 fd:02 73388                         
/usr/lib64/libsoftokn3.so
36c4054000-36c4253000 ---p 00054000 fd:02 73388                  Aborted (core
dumped)

Comment 5 James Ralston 2007-11-19 19:37:25 UTC

Dammit, my apologies; I was trying to paste that into bug 390901.  (I have too
many Bugzilla windows open today...)

Note You need to log in before you can comment on or make changes to this bug.