Bug 488570 - frequent firefox crashes against clearspace
frequent firefox crashes against clearspace
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: firefox (Show other bugs)
5.5
i386 Linux
high Severity urgent
: rc
: ---
Assigned To: Martin Stransky
Martin Stransky
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-03-04 15:47 EST by Bret McMillan
Modified: 2010-10-23 04:07 EDT (History)
19 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-06-11 18:46:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
output of gdb's bt command (2.20 KB, text/plain)
2009-03-04 15:50 EST, Bret McMillan
no flags Details
More verbose backtrace of all threads from gdb (5.81 KB, text/plain)
2009-03-04 15:51 EST, Bret McMillan
no flags Details
backtrace w/ more debuginfo's installed (7.11 KB, text/plain)
2009-03-09 12:51 EDT, Bret McMillan
no flags Details
output of gdb's bt command Stacktrace from gdb (8.63 KB, text/plain)
2009-03-17 17:22 EDT, Sudhir Mallamprabhakara
no flags Details
firrefox bug report (536.26 KB, text/plain)
2009-03-20 09:02 EDT, Sam Folk-Williams
no flags Details
Back Trace from the crash I had on RHEL 5.3 FF 3.0.7 (4.78 KB, text/plain)
2009-03-24 11:00 EDT, Sudhir Mallamprabhakara
no flags Details
from firefox bug reporting tool (23.28 KB, text/plain)
2009-04-02 12:14 EDT, Sam Folk-Williams
no flags Details
valgrind output, browser fails to start (252.53 KB, text/plain)
2009-04-07 13:05 EDT, Richard Ryder
no flags Details
HTML for the a sample document that crashes when editing (10.93 KB, text/plain)
2009-04-17 16:46 EDT, Mike Amburn
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Mozilla Foundation 490425 None None None Never

  None (edit)
Description Bret McMillan 2009-03-04 15:47:53 EST
We're seeing frequent crashes of various versions of firefox on RHEL 5 when used with the internal clearspace instance (docspace).

I will gdb backtraces and a coredump of 3.0.2 (the only one we could find debuginfo pkgs for), but we've experienced crashes on 3.0.6, and the 3.0.7 pkg I found in brew the other day.

We do not yet have a reliable reproducer, but it does seem to happen more when interacting w/ the the tinymce editor embedded within clearspace.

If you can point us towards more recent packages and/or debuginfo packages, we'll happily try to help come up w/ more relevant core dumps.
Comment 1 Bret McMillan 2009-03-04 15:50:47 EST
Created attachment 334058 [details]
output of gdb's bt command

Stacktrace from gdb
Comment 2 Bret McMillan 2009-03-04 15:51:30 EST
Created attachment 334059 [details]
More verbose backtrace of all threads from gdb

Backtrace for all threads
Comment 4 Martin Stransky 2009-03-04 16:33:59 EST
Please install debuginfo packages and attach the bactrace again...
Comment 7 Bret McMillan 2009-03-09 12:51:37 EDT
Created attachment 334558 [details]
backtrace w/ more debuginfo's installed

Ok, here's the expanded backtrace w/ xulrunner and other debuginfo's installed
Comment 10 Bret McMillan 2009-03-10 12:18:28 EDT
Martin,

Go ahead and try creating a new document; also, Sudhir and I can probably help you via IRC if need be.  We hang out in #collaboration

TinyMCE refers to the javascript WYSIWYG editor invoked for any document (or other content) creation or editing.
Comment 12 Martin Stransky 2009-03-11 05:15:27 EDT
I can't reproduce the crash.

But it looks like NULL pointer deference like https://bugzilla.mozilla.org/show_bug.cgi?id=474303. This one (and some others) are already fixed in upcoming 3.5 (former 3.1).
Comment 13 Martin Stransky 2009-03-11 05:17:14 EDT
If you can reproduce the crash - can you test official mozilla binaries too? latest 3.0.7 and 3.1 beta...
Comment 14 Bret McMillan 2009-03-11 10:39:45 EDT
Do we have 3.1 packages we could try w/ RHEL5?

Please note that we have tried the 3.0.7 packages that were found in brew, and reproduced the crash with them.  We couldn't provide a stack trace b/c we didn't have the debuginfo pkgs.
Comment 15 Lisa Webb 2009-03-11 13:49:32 EDT
GSS is one of our biggest users of the internal Clearspace instance; this bug greatly impacts their ability to effectively perform their daily activities. 

I see that you are having difficulty reproducing the problem (we also cannot reproduce it consistently)- is there anything further our team can do to help you troubleshoot this issue?
Comment 16 Sam Folk-Williams 2009-03-11 14:01:38 EDT
(In reply to comment #12)
> I can't reproduce the crash.
> 
> But it looks like NULL pointer deference like
> https://bugzilla.mozilla.org/show_bug.cgi?id=474303. This one (and some others)
> are already fixed in upcoming 3.5 (former 3.1).  

Martin - how certain are we that the issue is already resolved in 3.5 (3.1)? And, do we know when this will be released?

Thanks,
Sam
Comment 17 Martin Stransky 2009-03-12 07:28:11 EDT
Please install firefox 3.1b3 at your rhel-5 box (from ftp://ftp.mozilla.org/pub/firefox/nightly/3.1b3-candidates/build2/linux-i686) and try to reproduce the problem with it. This build has the mentioned fix.
Comment 18 Bret McMillan 2009-03-12 14:21:59 EDT
So far, haven't been able to reproduce the issue on the 3.1 build.  Any chance we can obtain some beta 3.1 packages for testing (and possible deployment) w/ RHEL 5 CSB?
Comment 22 Sudhir Mallamprabhakara 2009-03-17 17:22:12 EDT
Created attachment 335605 [details]
output of gdb's bt command  Stacktrace from gdb  

Experienced crash again on FF 3.0.7 with the patches applied.
Comment 23 Martin Stransky 2009-03-18 10:20:52 EDT
Okay, new debug builds are available at http://porkchop.devel.redhat.com/~stransky/xulrunner/ - please attach a backtrace from this build, it should provide more info...
Comment 24 Sudhir Mallamprabhakara 2009-03-18 15:13:46 EDT
My whole OS got rebooted after I installed the new debug builds and could not capture any stacktrace. This happenned when I went to spaces tab of clearspace admin console.
Comment 25 Bret McMillan 2009-03-20 08:50:18 EDT
Clearing needinfo on me
Comment 26 Sam Folk-Williams 2009-03-20 09:02:49 EDT
Created attachment 336041 [details]
firrefox bug report

in case it's useful, firefox generated this report for me the other day when i experienced this crash.
Comment 27 Martin Stransky 2009-03-20 09:25:34 EDT
Sorry but this one is useless...we need a backtrace from gdb.
Comment 28 Sudhir Mallamprabhakara 2009-03-24 11:00:48 EDT
Created attachment 336482 [details]
Back Trace from the crash I had on RHEL 5.3 FF 3.0.7
Comment 29 Martin Stransky 2009-03-24 11:11:13 EDT
Comment on attachment 336482 [details]
Back Trace from the crash I had on RHEL 5.3 FF 3.0.7

This backtrace is incomplete or it's not relevant to the reported crash...
Comment 30 Sam Folk-Williams 2009-04-01 10:47:15 EDT
What's the status on this? Do we have a new build we can test?

-Sam
Comment 31 Martin Stransky 2009-04-02 03:22:19 EDT
Comment #23 is still valid.
Comment 32 Sam Folk-Williams 2009-04-02 06:37:08 EDT
(In reply to comment #31)
> Comment #23 is still valid.  

Thanks - I installed it yesterday. So far I am not experiencing anything bad like in comment #24. I saw a couple of crashes right before installing this, but attempts to reproduce after installing have not been successful.

Was this just a debug package or does it include a potential fix?
Comment 33 Martin Stransky 2009-04-02 06:43:51 EDT
It's only a debug package w/o any fix.
Comment 34 Sam Folk-Williams 2009-04-02 12:11:17 EDT
Is this helpful? Just had a crash but looks like a core did not get generated:

Program /usr/lib/firefox-3.0.5/firefox (pid = 10681) received signal 11.
Stack:
UNKNOWN 0x32e420
UNKNOWN [/usr/lib/xulrunner-1.9/libxul.so +0x009691AF]
UNKNOWN [/usr/lib/xulrunner-1.9/libxul.so +0x01013D31]
UNKNOWN [/usr/lib/xulrunner-1.9/libxul.so +0x0100B98E]
UNKNOWN [/usr/lib/xulrunner-1.9/libxul.so +0x0100BE94]
UNKNOWN [/usr/lib/libgtk-x11-2.0.so.0 +0x00130060]
g_closure_invoke+0x0000012B [/lib/libgobject-2.0.so.0 +0x00008F0B]
UNKNOWN [/lib/libgobject-2.0.so.0 +0x00019E83]
g_signal_emit_valist+0x00000667 [/lib/libgobject-2.0.so.0 +0x0001B147]
g_signal_emit+0x00000029 [/lib/libgobject-2.0.so.0 +0x0001B539]
UNKNOWN [/usr/lib/libgtk-x11-2.0.so.0 +0x002445D8]
gtk_main_do_event+0x000003F5 [/usr/lib/libgtk-x11-2.0.so.0 +0x0012A7E5]
UNKNOWN [/usr/lib/libgdk-x11-2.0.so.0 +0x0002B7FF]
gdk_window_process_all_updates+0x00000097 [/usr/lib/libgdk-x11-2.0.so.0 +0x0002BA47]
UNKNOWN [/usr/lib/libgdk-x11-2.0.so.0 +0x0002BAC5]
UNKNOWN [/lib/libglib-2.0.so.0 +0x000295E1]
g_main_context_dispatch+0x00000182 [/lib/libglib-2.0.so.0 +0x0002B342]
UNKNOWN [/lib/libglib-2.0.so.0 +0x0002E31F]
g_main_context_iteration+0x00000065 [/lib/libglib-2.0.so.0 +0x0002E885]
UNKNOWN [/usr/lib/xulrunner-1.9/libxul.so +0x01010BAD]
UNKNOWN [/usr/lib/xulrunner-1.9/libxul.so +0x01032C81]
UNKNOWN [/usr/lib/xulrunner-1.9/libxul.so +0x01033100]
UNKNOWN [/usr/lib/xulrunner-1.9/libxul.so +0x011BBB93]
UNKNOWN [/usr/lib/xulrunner-1.9/libxul.so +0x011579CD]
UNKNOWN [/usr/lib/xulrunner-1.9/libxul.so +0x010333D6]
UNKNOWN [/usr/lib/xulrunner-1.9/libxul.so +0x00D64E45]
XRE_main+0x00002A4C [/usr/lib/xulrunner-1.9/libxul.so +0x001AAB28]
UNKNOWN [/usr/lib/firefox-3.0.5/firefox +0x000010A2]
__libc_start_main+0x000000DC [/lib/libc.so.6 +0x00015E8C]
Sleeping for 300 seconds.
Type 'gdb /usr/lib/firefox-3.0.5/firefox 10681' to attach your debugger to this thread.
db /usr/lib/firefox-3.0.5/firefox 10681^[OH^[[D
(npviewer.bin:10703): Gtk-CRITICAL **: gtk_style_detach: assertion `style->attach_count > 0' failed

(npviewer.bin:10703): Gtk-CRITICAL **: gtk_style_detach: assertion `style->attach_count > 0' failed

(npviewer.bin:10703): Gtk-CRITICAL **: gtk_style_detach: assertion `style->attach_count > 0' failed





/usr/lib/firefox-3.0.5/run-mozilla.sh: line 131: 10681 Killed                  "$prog" ${1+"$@"}
Comment 35 Sam Folk-Williams 2009-04-02 12:14:33 EDT
Created attachment 337842 [details]
from firefox bug reporting tool

This might also be useless - attaching just in case. I do have the xulrunner-debuginfo installed from comment 23
Comment 36 Martin Stransky 2009-04-02 16:09:26 EDT
The backtrace looks partially useful:

#5  0x00000000 in ?? ()
No symbol table info available.
#6  0x01958de3 in nsViewManager::DispatchEvent (this=0xe6af9d0, 
    aEvent=0xbfb43c58, aStatus=0xbfb43b70) at nsViewManager.cpp:1079
	vm = (nsViewManager *) 0xe6af9d0
	didResize = 0
	event = (nsPaintEvent *) 0xbfb43c58
	view = (class nsView *) 0x10455db8
	region = {mRawPtr = 0xdc9e680}

It's from nsViewManager.cpp:1079:

  vm->UpdateView(vm->mRootView, NS_VMREFRESH_NO_SYNC);

But the vm is non null so we're missing some debug informations here (I guess the bactrace comes from the optimized build, right?)

My best guess is that vm->mRootView == NULL, so it crashes in:

NS_IMETHODIMP nsViewManager::UpdateView(nsIView *aView, PRUint32 aUpdateFlags)
{                     
  // Mark the entire view as damaged
  nsView* view = static_cast<nsView*>(aView);
                
  nsRect bounds = view->GetBounds();
  view->ConvertFromParentCoords(&bounds.x, &bounds.y);
  return UpdateView(view, bounds, aUpdateFlags);
}

When you manage to crash the browser again, can you please attach content of vm?
(by p* vm)
Comment 37 Sam Folk-Williams 2009-04-02 20:46:09 EDT
(In reply to comment #36)

> When you manage to crash the browser again, can you please attach content of
> vm?
> (by p* vm)  

Sorry - can you spell that out a bit more? what are the exact steps i need to take?
Comment 42 Martin Stransky 2009-04-06 03:05:17 EDT
When firefox crashes in gdb, select a stack frame in function "nsViewManager::DispatchEvent()" by gdb command 'frame' or 'up'. Then print content of vm variable (by gdb command 'p* vm') and attach it here.
Comment 45 Martin Stransky 2009-04-07 03:22:45 EDT
It looks like nsViewManager is already deleted and no longer valid. Okay I'll try to find a patch for it.
Comment 46 Martin Stransky 2009-04-07 04:25:29 EDT
Hm, I believe the bug is unfixed in the current 3.1 beta 3.

Please try to run firefox inside valgrind. Run 'valgrind --trace-children=yes /usr/bin/firefox' and try to reproduce the crash. 

Then please do the same with firefox binary from comment #17 and attach the logs here.
Comment 47 Ondřej Žižka 2009-04-07 12:31:18 EDT
I've been getting crashes almost every time I tried to edit, with certain pages causing the crash every time.

Now I'm trying with 3.1 beta 3 and no crash occured so far.

Alhough, I'm not using Fedora nor RHEL, just noting FYI.
Comment 48 Richard Ryder 2009-04-07 13:03:21 EDT
Firefox fails to start the browser window when run in valgrind.  It exits after ~4min.  There is quite a bit of output, but since it was not possible to even attempt to duplicate the problem I'm not sure how useful it will be.  Attaching.
Comment 49 Richard Ryder 2009-04-07 13:05:01 EDT
Created attachment 338535 [details]
valgrind output, browser fails to start
Comment 57 Matěj Cepl 2009-04-15 14:58:31 EDT
OK, I cannot reproduce this with standard RHEL 5.3 with firefox-3.0.7-1.el5 and xulrunner-1.9.0.7-3.el5, which is what I have in BRQ satellite.

So we need a little bit more information on this:

1) The best thing which can happen to this bug would be if somebody *FROM GSS* in Brno would be able to reproduce this and then hand the computer to Martin or Jan. Could you try, please?
2) If not that could you try to reproduce it with firefox being started in safe mode, i.e., run

firefox -safe-mode

on in gnome-terminal. Could you do that?
3) Backtrace is still not complete, it could be useful, but still we could get better. Could you please (before doing any further testing) run (as root)

sed -i -e '/^enabled=/s/0/1/' /etc/yum.repos.d/rhel-debuginfo.repo
yum install yum-utils
debuginfo-install firefox

That should make much better backtraces.

Thank you very much in advance for any information.
Comment 66 Mike Amburn 2009-04-17 16:45:37 EDT
I've forwarded this to several individuals working on the problem, but it occurred to me that I should attach to the ticket for posterity.

For what it's worth:

I can consistently (100%) crash Firefox in Clearspace using the following set of specific steps. I only spent an hour or so on the issue, so I can't provide much analysis. However, when it naturally happens to me, I noticed that it was always happened when I was editing a previously created document with complex content in a second+ tab. I used this information to find the following sequence that will consistently crash (for me, at least).

There are two main parts that follow what I experience naturally: (1) creating the document and (2) editing the document. I have been able to get into a loop where the second sequence crashes again and again. I hope this provides some assistance; please let me know how else I can assist you in your efforts.

(prep sequence:)
. Start firefox
. Open new tab
. Go to a space (e.g. https://docspace.corp.redhat.com/clearspace/community/project/knowledge?view=overview)
. Open "Create a new document" in a new tab
. Click Continue (Write a New Document)
. Enter any name for the document like "test123" for the document
. Switch to HTML
. Paste attached HTML as the content
. Click Publish
. Quit Firefox & click "Save and Quit"
(edit sequence:)
. Start firefox (which should open two tabs from previous session)
. Click OK to any authentication windows that pop up.
. Click to focus on the second tab
. Click on "Edit document" link
*CRASH*
Comment 67 Mike Amburn 2009-04-17 16:46:30 EDT
Created attachment 340086 [details]
HTML for the a sample document that crashes when editing
Comment 69 Martin Stransky 2009-04-18 16:48:28 EDT
I've found a way how reproduce it pretty reliably so you can take a break with the reproducers for now...
Comment 70 Sudhir Mallamprabhakara 2009-04-20 09:22:12 EDT
Thanks Martin.. I was able to re-create it multiple times with the settings said above.
Comment 71 Sam Folk-Williams 2009-04-20 14:28:55 EDT
I removed "nspluginwrapper" from my CSB system, but I am still seeing the crash.
Comment 72 Martin Stransky 2009-04-22 07:59:49 EDT
Please try to reproduce with the lately released packages RHEL-5:

firefox-3.0.9-1.el5
xulrunner-1.9.0.9-1.el5

don't forget to install flash plugin (although it doesn't look significant here). nspluginwrapper doesn't matter.
Comment 73 Sam Folk-Williams 2009-04-22 08:27:02 EDT
(In reply to comment #72)
> Please try to reproduce with the lately released packages RHEL-5:
> 
> firefox-3.0.9-1.el5
> xulrunner-1.9.0.9-1.el5
> 
> don't forget to install flash plugin (although it doesn't look significant
> here). nspluginwrapper doesn't matter.  

Just to clarify - do we think there is a patch in here that will address the isue, or is this just a test to see if the new version fixes it? Have you been able to reproduce on the new version?

Thanks,
Sam
Comment 74 Martin Stransky 2009-04-22 08:54:57 EDT
firefox-3.0.9/xulrunner-1.9.0.9 should crash too, I don't see any special fix here but Tomas can't reproduce the crash with it.
Comment 75 Mike Amburn 2009-04-22 11:48:56 EDT
(In reply to comment #72)
> Please try to reproduce with the lately released packages RHEL-5:
> 
> firefox-3.0.9-1.el5
> xulrunner-1.9.0.9-1.el5
> 
> don't forget to install flash plugin (although it doesn't look significant
> here). nspluginwrapper doesn't matter.  

Is it possible to get these another way? I'm on a Mac platform.
Comment 76 Martin Stransky 2009-04-23 03:43:36 EDT
There is the errata there - http://rhn.redhat.com/errata/RHSA-2009-0436.html
Comment 77 Martin Stransky 2009-04-23 05:32:43 EDT
Please try to reproduce the bug with the latest firefox package. It's because I'm going to escalate the issue upstream (at mozilla.org).
Comment 78 Martin Stransky 2009-04-28 05:13:21 EDT
Filled upstream as https://bugzilla.mozilla.org/show_bug.cgi?id=490425
Comment 79 Sam Folk-Williams 2009-04-29 08:21:18 EDT
Martin - are your efforts continuing on this or are we depending on Mozilla 100% here? I just want to make sure I understand where we are. 

Can you not reproduce this anymore on your system?

Thanks,
Sam
Comment 80 Martin Stransky 2009-04-29 08:51:44 EDT
Yes, I can't reproduce this anymore on my system (with 3.0.9) so I'm asking you for reproduction.
Comment 81 Mike Amburn 2009-04-29 09:22:56 EDT
FYI, I reproduced the issue immediately after updating to latest 3.0.10.

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.10) Gecko/2009042315 Firefox/3.0.10
Comment 82 Martin Stransky 2009-04-30 09:21:16 EDT
new packages with fix are at http://porkchop.devel.redhat.com/~stransky/xulrunner/
(xulrunner-1.9.0.10-1.test)
Comment 83 RHEL Product and Program Management 2009-04-30 12:49:03 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 85 Sam Folk-Williams 2009-04-30 16:01:32 EDT
(In reply to comment #82)
> new packages with fix are at
> http://porkchop.devel.redhat.com/~stransky/xulrunner/
> (xulrunner-1.9.0.10-1.test)  

Martin - any details on what changed?  were you able to reproduce?
Comment 86 Martin Stransky 2009-05-01 03:42:12 EDT
xulrunner-1.9.0.10-1.test contains a patch which should fix this issue (or at least help to move forward) and I can't reproduce the crash with the latest official&fixed packages.
Comment 89 Christopher Aillon 2009-05-11 17:30:16 EDT
Out of curiosity, is it possible to (temporarily?) provide Mozilla a public instance of Clearspace?  It would be helpful if they can reproduce the problem, too.
Comment 91 Sarah Wang 2009-05-13 12:41:47 EDT
(In reply to comment #89)
Try wiki.jboss.org. It uses Clearspace 2.5. Anyone can create an account there then write a document in the wiki space.
Comment 105 errata-xmlrpc 2009-06-11 18:46:33 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-1095.html

Note You need to log in before you can comment on or make changes to this bug.