Bug 457550 - Coredump during startup
Status: CLOSED CANTFIX
Product: Fedora
Classification: Fedora
Component: firefox
Version: rawhide
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Gecko Maintainer
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-08-01 09:56 EDT by Zdenek Kabelac
Modified: 2008-10-29 05:34 EDT (History)
Doc Type: Bug Fix
Last Closed: 2008-10-29 05:34:02 EDT
Description Zdenek Kabelac 2008-08-01 09:56:59 EDT
Description of problem:

#0  0x00007f6d157e5fdb in raise (sig=<value optimized out>)
    at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#1  0x00007f6d130ebaf5 in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileLock.cpp:212
#2  <signal handler called>
#3  0x00007f6d1484b3a5 in js_Interpret (cx=0x76cf80) at jsinterp.c:4174
#4  0x00007f6d14851e26 in js_Invoke (cx=0x76cf80, argc=4, vp=0x7ff238, flags=0) at jsinterp.c:1313
#5  0x00007f6d1310d7d0 in nsXPCWrappedJSClass::CallMethod (this=0x25fd980,
    wrapper=<value optimized out>, methodIndex=3, info=0x1054a90, nativeParams=0x7fff1dc0eb80)
    at xpcwrappedjsclass.cpp:1523
#6  0x00007f6d13907931 in PrepareAndDispatch (self=0x1342120, methodIndex=<value optimized out>,
    args=0x7fff1dc0ec80, gpregs=0x7fff1dc0ec80, fpregs=0x7fff1dc0ecb0) at xptcstubs_x86_64_linux.cpp:151
#7  0x00007f6d13906ddf in SharedStub () from /usr/lib64/xulrunner-1.9/libxul.so
#8  0x00007f6d1368c3a2 in nsDocLoader::FireOnStateChange (this=0x15e7770, aProgress=0x32d17f8,
    aRequest=0x77a4bb8, aStateFlags=196612, aStatus=0) at nsDocLoader.cpp:1235
#9  0x00007f6d1368c3f1 in nsDocLoader::FireOnStateChange (this=0x2785910, aProgress=0x32d17f8,
    aRequest=0x77a4bb8, aStateFlags=196612, aStatus=0) at nsDocLoader.cpp:1242
#10 0x00007f6d1368c3f1 in nsDocLoader::FireOnStateChange (this=0x32d17d0, aProgress=0x32d17f8,
    aRequest=0x77a4bb8, aStateFlags=196612, aStatus=0) at nsDocLoader.cpp:1242
#11 0x00007f6d1368cc8c in nsDocLoader::OnProgress (this=0x32d17d0, aRequest=0x77a4bb8,
    ctxt=<value optimized out>, aProgress=17018, aProgressMax=18446744073709551615)
    at nsDocLoader.cpp:1026
#12 0x00007f6d1319779f in nsHttpChannel::OnTransportStatus (this=0x77a4b70,
    trans=<value optimized out>, status=2152398854, progress=17018, progressMax=18446744073709551615)
    at nsHttpChannel.cpp:4554
#13 0x00007f6d1319684d in nsHttpChannel::OnDataAvailable (this=0x77a4b70,
    request=<value optimized out>, ctxt=<value optimized out>, input=0x775dd70,
    offset=<value optimized out>, count=17018) at nsHttpChannel.cpp:4510
#14 0x00007f6d131309cc in nsInputStreamPump::OnStateTransfer (this=0x7803a80)
    at nsInputStreamPump.cpp:508
#15 0x00007f6d13130acc in nsInputStreamPump::OnInputStreamReady (this=0x7803a80, stream=0x799faa0)
    at nsInputStreamPump.cpp:398
#16 0x00007f6d138e730a in nsInputStreamReadyEvent::Run (this=0x775df40) at nsStreamUtils.cpp:111
#17 0x00007f6d138fb822 in nsThread::ProcessNextEvent (this=0x6dad20, mayWait=1, result=0x7fff1dc0f19c)
    at nsThread.cpp:510
#18 0x00007f6d138cd06a in NS_ProcessNextEvent_P (thread=0x76cf80, mayWait=1) at nsThreadUtils.cpp:227
#19 0x00007f6d1383158d in nsBaseAppShell::Run (this=0xef0b20) at nsBaseAppShell.cpp:170
#20 0x00007f6d136ef299 in nsAppStartup::Run (this=0x101bf20) at nsAppStartup.cpp:181
#21 0x00007f6d130e4ad9 in XRE_main (argc=<value optimized out>, argv=<value optimized out>,
    aAppData=<value optimized out>) at nsAppRunner.cpp:3170
#22 0x0000000000401665 in main (argc=3, argv=0x7fff1dc12bd8) at nsXULStub.cpp:364

as could be found:

(gdb) print entry
$1 = (JSPropCacheEntry *) 0x0
(gdb) print rval
$1 = 127531680
(gdb) print *rval
$7 = 336709728
(gdb) print cx
$2 = (JSContext *) 0x76cf80
(gdb) print *cx
$5 = {links = {next = 0x1cf2ad0, prev = 0x7622a8}, operationCount = 1342678850, xmlSettingFlags = 0 '\0', padding = 0 '\0',
  version = 4276, options = 64, localeCallbacks = 0x0, resolvingTable = 0x7b7520, rval2 = 0, rval2set = 0 '\0',
  generatingError = 0 '\0', insideGCMarkCallback = 0 '\0', throwing = 0 '\0', exception = -2147483647,
  stackLimit = 140733692046216, scriptStackQuota = 33554137, runtime = 0x762080, stackPool = {first = {next = 0x7ff200,
      base = 7786496, limit = 7786496, avail = 7786496}, current = 0x7ff200, arenasize = 256, mask = 7, quotap = 0x76cfd0},
  fp = 0x7fff1dc0e600, tempPool = {first = {next = 0x0, base = 7786568, limit = 7786568, avail = 7786568},
    current = 0x76d028, arenasize = 1024, mask = 7, quotap = 0x76cfd0}, globalObject = 0x41f7cc0, weakRoots = {newborn = {
      0x80edc80, 0x0 <repeats 13 times>}, lastAtom = 9731588, lastInternalResult = 135189824}, regExpStatics = {
    input = 0x44cf300, multiline = 0, parenCount = 0, moreLength = 0, parens = {{length = 6, chars = 0x80d99c2}, {
        length = 37, chars = 0x1132c0c}, {length = 0, chars = 0x0}, {length = 0, chars = 0x0}, {length = 0, chars = 0x0}, {
        length = 0, chars = 0x0}, {length = 0, chars = 0x0}, {length = 0, chars = 0x0}, {length = 0, chars = 0x0}},
    moreParens = 0x0, lastMatch = {length = 55, chars = 0x80d99bc}, lastParen = {length = 0, chars = 0x7f6d14ab7b40},
    leftContext = {length = 6, chars = 0x80d99b0}, rightContext = {length = 0, chars = 0x80d9a2a}}, sharpObjectMap = {
    depth = 0, sharpgen = 0, table = 0x0}, argumentFormatMap = 0x796db0, lastMessage = 0x0,
  errorReporter = 0x7f6d1310b9ac <xpcWrappedJSErrorReporter(JSContext*, char const*, JSErrorReport*)>,
  operationCallbackIsSet = 0, operationLimit = 2147483647, operationCallback = 0, interpLevel = 1, data = 0x0,
  dormantFrameChain = 0x0, thread = 0x76d290, requestDepth = 2, outstandingRequests = 2, titleToShare = 0x0,
  lockedSealedTitle = 0x0, threadLinks = {next = 0x1cf2d98, prev = 0x76d290}, stackHeaders = 0x7ff228, localRootStack = 0x0,
  tempValueRooters = 0x0, doubleFreeList = 0x75d1088, debugHooks = 0x7622b8}
(gdb) print obj
$3 = (JSObject *) 0x799faa0
(gdb) print *obj
$6 = {map = 0x7f6d1411c860, fslots = {140106464872672, 140106464872736, 140106464872784, 1, 0, 127531360},
  dslots = 0x725c930}
(gdb) print id
$4 = 7922676


So I assume this code in jsinterp.c !OBJ_GET_PROPERTY(cx, obj, id, &rval))
is crashing firefox - are all vars checked so that they do not run out of their
bounds - i.e

Version-Release number of selected component (if applicable):
firefox-3.0.1-1.fc10.x86_64

How reproducible:
No idea - crashed with some set of my pages during the firefox restart.
I assume a faulty script - but it still should not crash the interpreter...


Comment 1 Martin Stransky 2008-10-29 05:34:02 EDT
Can't reproduce, closing.
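
An added triage sketch, not part of the original report or of any Fedora or Mozilla tooling: in the backtrace above, frames #0 and #1 are nsProfileLock::FatalSignalHandler re-raising the signal, so the code that actually faulted is the first frame below "<signal handler called>". The sample input is constructed from the first five frames of that backtrace, and the names parse_frames and faulting_frame are hypothetical.

```python
import re

# Constructed sample: the first five frames of the report's backtrace,
# hard-wrapped the way a bug tracker wraps long lines.
SAMPLE_BT = """\
#0  0x00007f6d157e5fdb in raise (sig=<value optimized out>)
    at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#1  0x00007f6d130ebaf5 in nsProfileLock::FatalSignalHandler (signo=11) at
nsProfileLock.cpp:212
#2  <signal handler called>
#3  0x00007f6d1484b3a5 in js_Interpret (cx=0x76cf80) at jsinterp.c:4174
#4  0x00007f6d14851e26 in js_Invoke (cx=0x76cf80, argc=4, vp=0x7ff238, flags=0)
at jsinterp.c:1313
"""

FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:(?P<pc>0x[0-9a-f]+) in )?(?P<func>.+?)"
    r"(?: \((?P<args>.*)\))?"
    r"(?: at (?P<src>\S+:\d+)| from (?P<lib>\S+))?$"
)

def parse_frames(text):
    """Rejoin wrapped continuation lines, then parse each '#N' frame."""
    joined = []
    for line in text.splitlines():
        if re.match(r"#\d+\s", line):
            joined.append(line.rstrip())
        elif joined and line.strip():
            joined[-1] += " " + line.strip()
    return [m.groupdict() for m in map(FRAME_RE.match, joined) if m]

def faulting_frame(frames):
    """Return (signal number or None, frame where the fault happened)."""
    for i, frame in enumerate(frames):
        if frame["func"] != "<signal handler called>":
            continue
        signo = None
        for handler in frames[:i]:  # frames above the marker are the handler
            m = re.search(r"\bsig(?:no)?=(\d+)", handler["args"] or "")
            if m:
                signo = int(m.group(1))
        fault = frames[i + 1] if i + 1 < len(frames) else None
        return signo, fault
    # No handler marker: the innermost frame is the crash site.
    return None, (frames[0] if frames else None)

if __name__ == "__main__":
    signo, fault = faulting_frame(parse_frames(SAMPLE_BT))
    print(f"signal {signo} in {fault['func']} at {fault['src']}")
```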
