Bug 604678 - [spice] spice-xpi crash (seg fault) on rhel 6 which causes firefox to crash
Summary: [spice] spice-xpi crash (seg fault) on rhel 6 which causes firefox to crash
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: spice-xpi
Version: 6.1
Hardware: All
OS: Linux
medium
urgent
Target Milestone: rc
: ---
Assignee: Yuval Kashtan
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-06-16 13:28 UTC by Haim
Modified: 2014-01-13 00:46 UTC (History)

Fixed In Version: spice-xpi-2.3-0.4.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-11-10 21:39:13 UTC
Target Upstream Version:
Embargoed:


Description Haim 2010-06-16 13:28:10 UTC
Description of problem:

Trying to launch spice using firefox from the user portal results in firefox crashing with a segfault coming from spice-xpi in nsScriptablePeer::SetInstance (this=0x0, plugin=0x0)

segfault is: 

ived signal SIGSEGV, Segmentation fault.
nsScriptablePeer::SetInstance (this=0x0, plugin=0x0)
    at nsScriptablePeer.cpp:112
112       mPlugin = plugin;


From investigating further, it looks like firefox in its current version, which is 3.6.4, no longer supports scriptable plug-ins, which is a problem for us as spice-xpi is one, meaning we need to perform some code changes. 

repro steps: 

1) browse to user portal 
2) try to launch spice on particular vm 
3) firefox crash 

package list:

spice-client-0.4.2-11.el6.x86_64
spice-xpi-2.3-0.2.el6.x86_64
2.6.32-33.el6.x86_64
firefox-3.6.4-7.el6.x86_64


attached with gdb to firefox so you can see the stack trace below

ived signal SIGSEGV, Segmentation fault.
nsScriptablePeer::SetInstance (this=0x0, plugin=0x0)
    at nsScriptablePeer.cpp:112
112       mPlugin = plugin;
(gdb) bt
#0  nsScriptablePeer::SetInstance (this=0x0, plugin=0x0)
    at nsScriptablePeer.cpp:112
#1  0x00007f98140f30f5 in nsPluginInstance::~nsPluginInstance (this=
    0x7f9814766000, __in_chrg=<value optimized out>) at plugin.cpp:199
#2  0x00007f98140f31a9 in nsPluginInstance::~nsPluginInstance (this=
    0x7f9814766000, __in_chrg=<value optimized out>) at plugin.cpp:201
#3  0x00007f98140f1d16 in NPP_Destroy (instance=<value optimized out>, 
    save=<value optimized out>) at npp_gate.cpp:87
#4  0x00007f9830b34e73 in ?? () from /usr/lib64/xulrunner-1.9.2/libxul.so
#5  0x00007f98305d88a9 in ?? () from /usr/lib64/xulrunner-1.9.2/libxul.so
#6  0x00007f98305d8a39 in ?? () from /usr/lib64/xulrunner-1.9.2/libxul.so
#7  0x00007f9830d42927 in ?? () from /usr/lib64/xulrunner-1.9.2/libxul.so
#8  0x00007f9830d14231 in ?? () from /usr/lib64/xulrunner-1.9.2/libxul.so
#9  0x00007f9830c956f6 in ?? () from /usr/lib64/xulrunner-1.9.2/libxul.so
#10 0x00007f9830ce6e34 in ?? () from /usr/lib64/xulrunner-1.9.2/libxul.so
#11 0x00007f9830c0bbc5 in ?? () from /usr/lib64/xulrunner-1.9.2/libxul.so
#12 0x00007f9830acb2d0 in ?? () from /usr/lib64/xulrunner-1.9.2/libxul.so
#13 0x00007f98303e4b99 in XRE_main () from /usr/lib64/xulrunner-1.9.2/libxul.so
#14 0x00000000004026e8 in ?? ()
#15 0x0000003c0761ec5d in __libc_start_main (main=0x401f86, argc=1, ubp_av=
    0x7fffcad516d8, init=<value optimized out>, fini=<value optimized out>, 
    rtld_fini=<value optimized out>, stack_end=0x7fffcad516c8)
    at libc-start.c:226
---Type <return> to continue, or q <return> to quit---
#16 0x0000000000401e29 in ?? ()
#17 0x00007fffcad516c8 in ?? ()
#18 0x000000000000001c in ?? ()
#19 0x0000000000000001 in ?? ()
#20 0x00007fffcad5342c in ?? ()
#21 0x0000000000000000 in ?? ()
(gdb) l nsScriptablePeer.cpp
the class nsScriptablePeer does not have any method named cpp
Hint: try 'nsScriptablePeer.cpp<TAB> or 'nsScriptablePeer.cpp<ESC-?>
(Note leading single quote.)
(gdb) l nsS
Display all 170 possibilities? (y or n)
(gdb) l nsScriptablePeer::SetInstance(nsPluginInstance*) 
107       return NS_NOINTERFACE; 
108     }
109
110     void nsScriptablePeer::SetInstance(nsPluginInstance* plugin)
111     {
112       mPlugin = plugin;
113     }
114
115     //
116     // the following methods will be callable from JavaScript
(gdb) q
A debugging session is active.

        Inferior 1 [process 5104] will be detached.


Comment 4 Haim 2010-06-17 09:00:05 UTC
nspluginwrapper-1.3.0-12.el6.x86_64

export IGNORE_WRAP="libtotem*:libjavaplugin*:gecko-mediaplayer*:mplayerplug
in*:librhythmbox*:packagekit*:libnsISpicec*"

Comment 5 Martin Stransky 2010-06-17 13:55:01 UTC
It's because of a missing NULL pointer check in nsPluginInstance::~nsPluginInstance(). It should be:

nsPluginInstance::~nsPluginInstance()
{
  // mScriptablePeer may be also held by the browser 
  // so releasing it here does not guarantee that it is over
  // we should take precaution in case it will be called later
  // and zero its mPlugin member
  if(mScriptablePeer) {
      mScriptablePeer->SetInstance(NULL);
      NS_IF_RELEASE(mScriptablePeer);
  }
}
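
The guarded destructor from comment 5, as an added stand-alone C++ example (not spice-xpi source and not part of any comment). `PluginInstance`, `ScriptablePeer` and the lazy `GetScriptablePeer()` are simplified stand-ins assumed for illustration; the two functions exercise both teardown paths: no peer ever created (the `this=0x0` case in the backtrace) and a peer still referenced by the browser.

```cpp
#include <cstddef>
class PluginInstance;  // hypothetical stand-in for nsPluginInstance

// Hypothetical stand-in for nsScriptablePeer: reference-counted, so the
// browser can keep it alive after the plugin instance is gone.
class ScriptablePeer {
public:
    explicit ScriptablePeer(PluginInstance* p) : mPlugin(p), mRefCnt(1) {}
    void AddRef() { ++mRefCnt; }
    int Release() { int n = --mRefCnt; if (n == 0) delete this; return n; }
    void SetInstance(PluginInstance* p) { mPlugin = p; }  // writes through `this`
    PluginInstance* Instance() const { return mPlugin; }
    int RefCount() const { return mRefCnt; }
private:
    ~ScriptablePeer() {}
    PluginInstance* mPlugin;
    int mRefCnt;
};

class PluginInstance {
public:
    PluginInstance() : mScriptablePeer(NULL) {}
    // Assumption: the peer is created lazily, on the first request for it.
    ScriptablePeer* GetScriptablePeer() {
        if (!mScriptablePeer) mScriptablePeer = new ScriptablePeer(this);
        mScriptablePeer->AddRef();  // reference handed to the caller
        return mScriptablePeer;
    }
    ~PluginInstance() {
        if (mScriptablePeer) {                   // guard: peer may not exist
            mScriptablePeer->SetInstance(NULL);  // detach; peer may outlive us
            mScriptablePeer->Release();
        }
    }
private:
    ScriptablePeer* mScriptablePeer;
};

// Plugin destroyed before any peer existed: the path that crashed in the report.
bool destroy_without_peer() { delete new PluginInstance(); return true; }

// Browser still holds the peer at teardown: it must be detached, not freed.
bool destroy_with_browser_ref() {
    PluginInstance* p = new PluginInstance();
    ScriptablePeer* held = p->GetScriptablePeer();  // plugin ref + browser ref
    delete p;
    bool ok = held->Instance() == NULL && held->RefCount() == 1;
    held->Release();
    return ok;
}
int main() { return destroy_without_peer() && destroy_with_browser_ref() ? 0 : 1; }
```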

Comment 6 Martin Stransky 2010-06-17 14:12:49 UTC
Note: The fix is already included in RHEL5 package, spice-xpi-2.2-1.el5.

Comment 9 Lubos Kocman 2010-09-02 07:36:56 UTC
Verified on:

spice-xpi-2.4-1.el6.x86_64
spice-client-0.4.2-18.el6.x86_64
kernel-2.6.32-70.el6.x86_64
firefox-3.6.9-1.el6.x86_64
nspluginwrapper-1.3.0-14.el6.x86_64
nspluginwrapper-1.3.0-14.el6.i686

No issues with launching spicec from user portal.

Comment 10 releng-rhel@redhat.com 2010-11-10 21:39:13 UTC
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.

