Bug 458454 - Firefox crashes when resolving www.mytida.com
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: glibc
Version: rawhide
Platform: x86_64 Linux
Priority: low   Severity: medium
Assigned To: Jakub Jelinek
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-08-08 11:20 EDT by Pete Zaitcev
Modified: 2008-09-29 08:43 EDT
Last Closed: 2008-09-29 08:43:56 EDT
Attachments: None
Description Pete Zaitcev 2008-08-08 11:20:48 EDT
Description of problem:

Firefox crashes when accessing the following URL:
 http://sora-hime.animeblogger.net/2007/10/27/mashiro-nina-with-robe-and-mai/
It's a WP page full of hotlinking.

Version-Release number of selected component (if applicable):

glibc-2.8.90-11.x86_64
nss-3.12.0.3-3.fc10.x86_64
firefox-3.0.1-1.fc10.x86_64

How reproducible:

100% in this situation

Steps to Reproduce:
1. Open the URL
  
Actual results:

Crash

Expected results:

No crash

Additional info:

Here's what it looks like in gdb with glibc-debuginfo installed:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x44007950 (LWP 6373)]
0x00000031b180861b in __libc_res_nquery (statp=<value optimized out>,
    name=<value optimized out>, class=<value optimized out>,
    type=<value optimized out>, answer=<value optimized out>,
    anslen=<value optimized out>, answerp=<value optimized out>,
    answerp2=<value optimized out>, nanswerp2=<value optimized out>,
    resplen2=<value optimized out>) at res_query.c:262
262             if ((hp->rcode != NOERROR || ntohs(hp->ancount) == 0)
Missing separate debuginfos, use: debuginfo-install GConf2.x86_64 ORBit2.x86_64 alsa-lib.x86_64 atk.x86_64 audiofile.x86_64 avahi.x86_64 cairo.x86_64 dbus-glib.x86_64 dbus.x86_64 e2fsprogs.x86_64 esound.x86_64 expat.x86_64 fontconfig.x86_64 freetype.x86_64 gamin.x86_64 gcc.x86_64 glib2.x86_64 gnome-keyring.x86_64 gnome-vfs2.x86_64 gtk-nodoka-engine.x86_64 gtk2.x86_64 gvfs.x86_64 keyutils.x86_64 krb5.x86_64 lcms.x86_64 libICE.x86_64 libSM.x86_64 libX11.x86_64 libXScrnSaver.x86_64 libXau.x86_64 libXcomposite.x86_64 libXcursor.x86_64 libXdmcp.x86_64 libXext.x86_64 libXfixes.x86_64 libXft.x86_64 libXi.x86_64 libXinerama.x86_64 libXrandr.x86_64 libXrender.x86_64 libXt.x86_64 libart_lgpl.x86_64 libbonobo.x86_64 libbonoboui.x86_64 libcanberra.x86_64 libcap.x86_64 libgnome.x86_64 libgnomecanvas.x86_64 libgnomeui.x86_64 libjpeg.x86_64 libogg.x86_64 libpng.x86_64 libselinux.x86_64 libtool.x86_64 libvorbis.x86_64 libxcb.x86_64 libxml2.x86_64 nspr.x86_64 nss.x86_64 openssl.x86_64 pango.x86_64 pixman.x86_64 popt.x86_64 scim-bridge.x86_64 sqlite.x86_64 startup-notification.x86_64 xulrunner.x86_64 zlib.x86_64
(gdb) where
#0  0x00000031b180861b in __libc_res_nquery (statp=<value optimized out>,
    name=<value optimized out>, class=<value optimized out>,
    type=<value optimized out>, answer=<value optimized out>,
    anslen=<value optimized out>, answerp=<value optimized out>,
    answerp2=<value optimized out>, nanswerp2=<value optimized out>,
    resplen2=<value optimized out>) at res_query.c:262
#1  0x00000031b1808b7d in __libc_res_nquerydomain (
    statp=<value optimized out>, name=<value optimized out>,
    domain=<value optimized out>, class=<value optimized out>,
    type=<value optimized out>, answer=<value optimized out>, anslen=Could not find the frame base for "__libc_res_nquerydomain".
)
    at res_query.c:569
#2  0x00000031b1808d73 in __libc_res_nsearch (statp=<value optimized out>,
    name=<value optimized out>, class=<value optimized out>,
    type=<value optimized out>, answer=<value optimized out>,
    anslen=<value optimized out>, answerp=Could not find the frame base for "__libc_res_nsearch".
) at res_query.c:370
#3  0x00007ffff0b981ed in _nss_dns_gethostbyname4_r (
    name=0x2f253d8 "www.mytida.com", pat=0x44006df8, buffer=0x44006820 "\177",
    buflen=1024, errnop=0x44006e0c, herrnop=0x44006e08, ttlp=0x0)
    at nss_dns/dns-host.c:304
#4  0x00000031a74d0a7e in gaih_inet (name=<value optimized out>,
    service=<value optimized out>, req=<value optimized out>,
    pai=<value optimized out>, naddrs=<value optimized out>)
    at ../sysdeps/posix/getaddrinfo.c:714
#5  0x00000031a74d283d in getaddrinfo (name=<value optimized out>,
    service=<value optimized out>, hints=<value optimized out>,
    pai=<value optimized out>) at ../sysdeps/posix/getaddrinfo.c:2154
#6  0x00000031b781d578 in PR_GetAddrInfoByName () from /lib64/libnspr4.so
#7  0x00000031b84905b8 in ?? () from /usr/lib64/xulrunner-1.9/libxul.so
#8  0x00000031b7829aa3 in ?? () from /lib64/libnspr4.so
#9  0x00000031a800740a in start_thread (arg=<value optimized out>)
    at pthread_create.c:297
#10 0x00000031a74e9b2d in clone () from /lib64/libc.so.6
(gdb) 

The strange thing is, www.mytida.com is absent:

[zaitcev@niphredil ~]$ host www.mytida.com
Host www.mytida.com not found: 3(NXDOMAIN)
[zaitcev@niphredil ~]$ host -t any www.mytida.com
;; connection timed out; no servers could be reached
[zaitcev@niphredil ~]$ 

Nothing unusual, right? So, it's possible that some other garbage on that
page leaves lingering corruption.
Comment 1 Ulrich Drepper 2008-08-09 13:57:20 EDT
I cannot reproduce this and nothing springs to mind when I see the segv.  If you can reproduce it, look at the hp and hp2 variables, and print the value of *answerp.
Comment 2 Pete Zaitcev 2008-08-09 16:19:53 EDT
Sorry for being clueless about this, but is there a way to print those
variables without rebuilding glibc from source? As you can see, gdb
cannot show them despite debuginfo being installed. Uli, if you e-mailed
me more detailed instructions, I would be happy to carry them out.
The crash continues to be 100% reproducible with the URL above.
Comment 3 Ulrich Drepper 2008-09-17 11:39:30 EDT
Pete, sorry for not getting back to this earlier.  Can you still reproduce the problem?

If the debug info is not sufficient you'd have to look at the asm code and decode which register has the content.  If you get the crash, run

   disass $pc-64 $pc+16

and

   info registers

I'll then point out the memory locations.
Comment 4 Pete Zaitcev 2008-09-17 12:05:53 EDT
It does not crash at request, unfortunately. Sometimes it does, but not
recently. I think it may be fixed now. Either that, or I'm not running
across a good case. I suspect it may need the system to get loaded
well before it happens.

Current versions:
glibc-2.8.90-12.x86_64
firefox-3.0.1-1.fc10.x86_64

Here's the e-mail I sent you, just in case:

------------------------
From: Pete Zaitcev <zaitcev@redhat.com>
Subject: Re: bug 458454
Date: Tue, 12 Aug 2008 14:50:44 -0600

It came back. The host name it's resolving is different:

#0  0x00000031b180861b in __libc_res_nquery (statp=<value optimized out>,
    name=<value optimized out>, class=<value optimized out>,
    type=<value optimized out>, answer=<value optimized out>,
    anslen=<value optimized out>, answerp=<value optimized out>,
    answerp2=<value optimized out>, nanswerp2=<value optimized out>,
    resplen2=<value optimized out>) at res_query.c:262
#1  0x00000031b1808b7d in __libc_res_nquerydomain (
    statp=<value optimized out>, name=<value optimized out>,
    domain=<value optimized out>, class=<value optimized out>,
    type=<value optimized out>, answer=<value optimized out>, anslen=Could not find the frame base for "__libc_res_nquerydomain".
)
    at res_query.c:569
#2  0x00000031b1808d73 in __libc_res_nsearch (statp=<value optimized out>,
    name=<value optimized out>, class=<value optimized out>,
    type=<value optimized out>, answer=<value optimized out>,
    anslen=<value optimized out>, answerp=Could not find the frame base for "__libc_res_nsearch".
) at res_query.c:370
#3  0x00007ffff12851ed in _nss_dns_gethostbyname4_r (
    name=0x7fffe801d148 "www.rhymynt.com", pat=0x44807df8,
    buffer=0x44807820 "\177", buflen=1024, errnop=0x44807e0c,
    herrnop=0x44807e08, ttlp=0x0) at nss_dns/dns-host.c:304
#4  0x00000031a74d0a7e in gaih_inet (name=<value optimized out>,
    service=<value optimized out>, req=<value optimized out>,
    pai=<value optimized out>, naddrs=<value optimized out>)
    at ../sysdeps/posix/getaddrinfo.c:714
#5  0x00000031a74d283d in getaddrinfo (name=<value optimized out>,
    service=<value optimized out>, hints=<value optimized out>,
    pai=<value optimized out>) at ../sysdeps/posix/getaddrinfo.c:2154
#6  0x00000031b781d578 in PR_GetAddrInfoByName () from /lib64/libnspr4.so
#7  0x0000003bea69064c in ?? () from /usr/lib64/xulrunner-1.9/libxul.so
#8  0x00000031b7829aa3 in ?? () from /lib64/libnspr4.so
#9  0x00000031a800740a in start_thread (arg=<value optimized out>)
    at pthread_create.c:297
#10 0x00000031a74e9b2d in clone () from /lib64/libc.so.6

> So, please try this.  After the crash run
> 
>   info registers
>   disass $pc-64 $pc+16

Here's the info:

(gdb) info registers
rax            0x82     130
rbx            0x1      1
rcx            0x2      2
rdx            0x44806f40       1149267776
rsi            0x0      0
rdi            0x34     52
rbp            0x448065d0       0x448065d0
rsp            0x44806300       0x44806300
r8             0x0      0
r9             0x0      0
r10            0x1      1
r11            0x217    535
r12            0x220    544
r13            0x44806330       1149264688
r14            0x44808dc8       1149275592
r15            0x44806f40       1149267776
rip            0x31b180861b     0x31b180861b <__libc_res_nquery+459>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x63     99
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
mxcsr          0x1fa0   [ PE IM DM ZM OM UM PM ]
(gdb) 

Dump of assembler code from 0x31b18085db to 0x31b180862b:
0x00000031b18085db <__libc_res_nquery+395>:     add    %al,-0x74b7d78c(%rax,%rax,8)
0x00000031b18085e2 <__libc_res_nquery+402>:     push   %rbp
0x00000031b18085e3 <__libc_res_nquery+403>:     and    %al,-0x79f0f3c6(%rbx)
0x00000031b18085e9 <__libc_res_nquery+409>:     push   %rbx
0x00000031b18085ea <__libc_res_nquery+410>:     add    %eax,(%rax)
0x00000031b18085ec <__libc_res_nquery+412>:     add    %cl,0x3b(%rax)
0x00000031b18085ef <__libc_res_nquery+415>:     jne    0x31b18085a1 <__libc_res_nquery+337>
0x00000031b18085f1 <__libc_res_nquery+417>:     nopl   0x0(%rax)
0x00000031b18085f8 <__libc_res_nquery+424>:     je     0x31b1808a8b <__libc_res_nquery+1595>
0x00000031b18085fe <__libc_res_nquery+430>:     mov    %rsi,-0x50(%rbp)
0x00000031b1808602 <__libc_res_nquery+434>:     nopw   0x0(%rax,%rax,1)
0x00000031b1808608 <__libc_res_nquery+440>:     mov    -0x50(%rbp),%rdx
0x00000031b180860c <__libc_res_nquery+444>:     movzbl 0x3(%rdx),%eax
0x00000031b1808610 <__libc_res_nquery+448>:     mov    %eax,%ecx
0x00000031b1808612 <__libc_res_nquery+450>:     and    $0xf,%ecx
0x00000031b1808615 <__libc_res_nquery+453>:     je     0x31b1808830 <__libc_res_nquery+992>
0x00000031b180861b <__libc_res_nquery+459>:     movzbl 0x3(%rsi),%eax
0x00000031b180861f <__libc_res_nquery+463>:     and    $0xf,%eax
0x00000031b1808622 <__libc_res_nquery+466>:     mov    %eax,%edi
0x00000031b1808624 <__libc_res_nquery+468>:     je     0x31b1808850 <__libc_res_nquery+1024>
0x00000031b180862a <__libc_res_nquery+474>:     test   %cl,%cl

With that, I wanted to do another step to save a round trip: find the
stack frame layout. So, I dumped some memory from 0x44806300 down.
It looks like this:

(gdb) x/80g 0x44806300
0x44806300:     0x0000000000000800      0x00000000448077a0
0x44806310:     0x0000000044807798      0x00000000448077bc
0x44806320:     0x00000000448077b8      0x0000000000000000
0x44806330:     0x0000010000015781      0x7777770300000000
0x44806340:     0x746e796d79687207      0x000100006d6f6303
0x44806350:     0x00016c7876656301      0x0000000000000100
0x44806360:     0x7968720777777703      0x6d6f6303746e796d
0x44806370:     0x746e7901001c0000      0x69617a076d6f6303
0x44806380:     0x6e616c0376656374      0x00000001001c0000
0x44806390:     0x0000000044806610      0xffffffffffffffff
0x448063a0:     0x0000000044806610      0x0000000044806610
0x448063b0:     0x0000000044806500      0x00000031b1811609
0x448063c0:     0x0000000044806f40      0x000000000000f371
0x448063d0:     0x0000000044808e48      0x00000031a746d3d9
0x448063e0:     0x00000000fbad8001      0x0000000044806610
0x448063f0:     0x0000000044806610      0x0000000044806610
0x44806400:     0x0000000044806610      0x000000004480662b
0x44806410:     0xffffffffffffffff      0x0000000044806610
0x44806420:     0xffffffffffffffff      0x0000000000000000
0x44806430:     0x0000000000000000      0x0000000000000000
0x44806440:     0x0000000000000000      0x0000000000000000
0x44806450:     0x0000000000000000      0x0000000000000000
0x44806460:     0x0000000000000000      0x0000000000000000
0x44806470:     0x0000000000000000      0x0000000000000000
0x44806480:     0x0000000000000000      0x0000000000000000
0x44806490:     0x0000000000000000      0x0000000000000000
0x448064a0:     0x00000000ffffffff      0x0000000000000000
0x448064b0:     0x0000000000000000      0x00000031a776f740
0x448064c0:     0x0000000000000000      0x0000000000000000
0x448064d0:     0x0000000000000000      0x0000000044806610
0x448064e0:     0x0000000044808e48      0x00007fffe801d148
0x448064f0:     0x0000000044808dc8      0x00000031a74524f8
0x44806500:     0x0000003000000020      0x00000000448065e0
0x44806510:     0x0000000044806520      0x0000000000000000
0x44806520:     0x0000000000000000      0x0000000000000000
0x44806530:     0x00007fffe801d148      0x0000000044808e48
0x44806540:     0xfefefefefefefeff      0x0000000044806f40
0x44806550:     0x0000000000000000      0x0000000000000000
0x44806560:     0x0000080000000400      0x000000010000f371
0x44806570:     0x00007fffe801d148      0x000001fc00000000
(gdb) x/80g 0x44806570
0x44806570:     0x00007fffe801d148      0x000001fc00000000
0x44806580:     0x0000000044806f40      0x0000000000000000
0x44806590:     0x0000000044806330      0x0000000044806354
0x448065a0:     0x0000002100000021      0x0000000000000000
0x448065b0:     0x00007fffe801d148      0x0000000044808dc8
0x448065c0:     0x0000000044806f40      0x000000000000f371
0x448065d0:     0x000000000000000e      0x00000031b1808b7d
0x448065e0:     0x00000000448077a0      0x0000000044807798
0x448065f0:     0x00000000448077bc      0x00000000448077b8
0x44806600:     0x0000000000000000      0x0000000100000000
0x44806610:     0x6d7968722e777777      0x2e6d6f632e746e79
0x44806620:     0x2e7665637469617a      0x00000000006e616c
0x44806630:     0x0000000000000000      0x0000000000000000

But the strange thing is, I don't see any return addresses at all.
Weird.

I saved the core with "gcore" command in gdb, just in case.
Do you want to look for yourself? It's 279MB long, so perhaps
I can upload it to charlotte.
-----------------------
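An added illustration, not part of the bug report or of glibc: the test at res_query.c:262 inspects the DNS reply header, and in the RFC 1035 wire format the response code is the low nibble of byte 3 while the answer count is the 16-bit word at bytes 6 and 7, which is exactly what the faulting instruction reads (movzbl 0x3(%rsi) followed by and $0xf). The register dump shows %rsi == 0, so that load goes through a null pointer for the second of the two header pointers the test reads; the code below decodes the header of the query visible at 0x44806330 in the memory dump and performs the same check with a null guard. The struct and function names are mine, and the NXDOMAIN and one-answer headers are constructed samples.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>   /* ntohs */

#define NOERROR 0

/* RFC 1035 header, 12 bytes on the wire (no padding in this layout):
 * rcode is the low nibble of byte 3, ancount the big-endian word at bytes 6..7. */
typedef struct {
    uint16_t id;
    uint8_t  flags0;   /* QR, Opcode, AA, TC, RD */
    uint8_t  flags1;   /* RA, Z, RCODE */
    uint16_t qdcount, ancount, nscount, arcount;
} dns_header;

static int hdr_rcode(const dns_header *hp)   { return hp->flags1 & 0x0f; }
static int hdr_ancount(const dns_header *hp) { return ntohs(hp->ancount); }

/* Same predicate as res_query.c:262: a reply is "empty" when its rcode is not
 * NOERROR or it carries no answer records. A NULL header (the state in the
 * register dump, %rsi == 0) is reported as empty instead of being dereferenced. */
int dns_reply_empty(const dns_header *hp)
{
    if (hp == NULL)
        return 1;
    return hdr_rcode(hp) != NOERROR || hdr_ancount(hp) == 0;
}

/* Two-reply variant (A and AAAA sent together): the lookup failed only if
 * neither reply carries data. Either pointer may be NULL. */
int dns_both_empty(const dns_header *hp, const dns_header *hp2)
{
    return dns_reply_empty(hp) && dns_reply_empty(hp2);
}

/* Constructed samples. query_hdr is the first 12 bytes at 0x44806330 in the
 * dump read as little-endian qwords: id 0x8157, RD set, one question, no
 * answers. The other two are made-up replies: NXDOMAIN (rcode 3) and a
 * NOERROR reply with one answer record. */
static const uint8_t query_hdr[12]    = {0x81,0x57,0x01,0x00,0x00,0x01,0x00,0x00,0,0,0,0};
static const uint8_t nxdomain_hdr[12] = {0x81,0x57,0x81,0x83,0x00,0x01,0x00,0x00,0,0,0,0};
static const uint8_t answer_hdr[12]   = {0x81,0x57,0x81,0x80,0x00,0x01,0x00,0x01,0,0,0,0};

/* Decode 12 wire bytes into the struct and evaluate the helpers on them. */
int wire_rcode(const uint8_t *wire) { dns_header h; memcpy(&h, wire, 12); return hdr_rcode(&h); }
int wire_empty(const uint8_t *wire) { dns_header h; memcpy(&h, wire, 12); return dns_reply_empty(&h); }
```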
Comment 5 Pete Zaitcev 2008-09-29 08:43:56 EDT
I didn't see it crash in a while, let's close the bug.
