Bug 604678 - [spice] spice-xpi crash (seg fault) on rhel 6 which causes firefox to crash
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: spice-xpi
6.1
All Linux
medium Severity urgent
: rc
: ---
Assigned To: Yuval Kashtan
Desktop QE
: Regression, TestBlocker
Reported: 2010-06-16 09:28 EDT by Haim
Modified: 2014-01-12 19:46 EST (History)
Fixed In Version: spice-xpi-2.3-0.4.el6
Doc Type: Bug Fix
Last Closed: 2010-11-10 16:39:13 EST
Description Haim 2010-06-16 09:28:10 EDT
Description of problem:

Trying to launch spice using firefox from the user portal results in firefox crashing with a segfault coming from spice-xpi in nsScriptablePeer::SetInstance (this=0x0, plugin=0x0)

segfault is: 

ived signal SIGSEGV, Segmentation fault.
nsScriptablePeer::SetInstance (this=0x0, plugin=0x0)
    at nsScriptablePeer.cpp:112
112       mPlugin = plugin;


From investigating further, it looks like firefox in its current version, which is 3.6.4, no longer supports scriptable plug-ins, which is a problem for us as spice-xpi is one, meaning we need to perform some code changes. 

repro steps: 

1) browse to user portal 
2) try to launch spice on particular vm 
3) firefox crash 

package list:

spice-client-0.4.2-11.el6.x86_64
spice-xpi-2.3-0.2.el6.x86_64
2.6.32-33.el6.x86_64
firefox-3.6.4-7.el6.x86_64


attached with gdb to firefox so you can see the stack trace below

ived signal SIGSEGV, Segmentation fault.
nsScriptablePeer::SetInstance (this=0x0, plugin=0x0)
    at nsScriptablePeer.cpp:112
112       mPlugin = plugin;
(gdb) bt
#0  nsScriptablePeer::SetInstance (this=0x0, plugin=0x0)
    at nsScriptablePeer.cpp:112
#1  0x00007f98140f30f5 in nsPluginInstance::~nsPluginInstance (this=
    0x7f9814766000, __in_chrg=<value optimized out>) at plugin.cpp:199
#2  0x00007f98140f31a9 in nsPluginInstance::~nsPluginInstance (this=
    0x7f9814766000, __in_chrg=<value optimized out>) at plugin.cpp:201
#3  0x00007f98140f1d16 in NPP_Destroy (instance=<value optimized out>, 
    save=<value optimized out>) at npp_gate.cpp:87
#4  0x00007f9830b34e73 in ?? () from /usr/lib64/xulrunner-1.9.2/libxul.so
#5  0x00007f98305d88a9 in ?? () from /usr/lib64/xulrunner-1.9.2/libxul.so
#6  0x00007f98305d8a39 in ?? () from /usr/lib64/xulrunner-1.9.2/libxul.so
#7  0x00007f9830d42927 in ?? () from /usr/lib64/xulrunner-1.9.2/libxul.so
#8  0x00007f9830d14231 in ?? () from /usr/lib64/xulrunner-1.9.2/libxul.so
#9  0x00007f9830c956f6 in ?? () from /usr/lib64/xulrunner-1.9.2/libxul.so
#10 0x00007f9830ce6e34 in ?? () from /usr/lib64/xulrunner-1.9.2/libxul.so
#11 0x00007f9830c0bbc5 in ?? () from /usr/lib64/xulrunner-1.9.2/libxul.so
#12 0x00007f9830acb2d0 in ?? () from /usr/lib64/xulrunner-1.9.2/libxul.so
#13 0x00007f98303e4b99 in XRE_main () from /usr/lib64/xulrunner-1.9.2/libxul.so
#14 0x00000000004026e8 in ?? ()
#15 0x0000003c0761ec5d in __libc_start_main (main=0x401f86, argc=1, ubp_av=
    0x7fffcad516d8, init=<value optimized out>, fini=<value optimized out>, 
    rtld_fini=<value optimized out>, stack_end=0x7fffcad516c8)
    at libc-start.c:226
---Type <return> to continue, or q <return> to quit---
#16 0x0000000000401e29 in ?? ()
#17 0x00007fffcad516c8 in ?? ()
#18 0x000000000000001c in ?? ()
#19 0x0000000000000001 in ?? ()
#20 0x00007fffcad5342c in ?? ()
#21 0x0000000000000000 in ?? ()
(gdb) l nsScriptablePeer.cpp
the class nsScriptablePeer does not have any method named cpp
Hint: try 'nsScriptablePeer.cpp<TAB> or 'nsScriptablePeer.cpp<ESC-?>
(Note leading single quote.)
(gdb) l nsS
Display all 170 possibilities? (y or n)
(gdb) l nsScriptablePeer::SetInstance(nsPluginInstance*) 
107       return NS_NOINTERFACE; 
108     }
109
110     void nsScriptablePeer::SetInstance(nsPluginInstance* plugin)
111     {
112       mPlugin = plugin;
113     }
114
115     //
116     // the following methods will be callable from JavaScript
(gdb) q
A debugging session is active.

        Inferior 1 [process 5104] will be detached.

Comment 4 Haim 2010-06-17 05:00:05 EDT
nspluginwrapper-1.3.0-12.el6.x86_64

export IGNORE_WRAP="libtotem*:libjavaplugin*:gecko-mediaplayer*:mplayerplugin*:librhythmbox*:packagekit*:libnsISpicec*"
Comment 5 Martin Stransky 2010-06-17 09:55:01 EDT
It's because of a missing NULL pointer check in nsPluginInstance::~nsPluginInstance(). It should be:

nsPluginInstance::~nsPluginInstance()
{
  // mScriptablePeer may be also held by the browser 
  // so releasing it here does not guarantee that it is over
  // we should take precaution in case it will be called later
  // and zero its mPlugin member
  if(mScriptablePeer) {
      mScriptablePeer->SetInstance(NULL);
      NS_IF_RELEASE(mScriptablePeer);
  }
}
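
A minimal model of the lifetime problem discussed in the comment above, added here as an illustration and not taken from the spice-xpi sources or written by the commenter. `Peer` and `PluginInstance` are hypothetical stand-ins for nsScriptablePeer and nsPluginInstance, and lazy creation of the peer is an assumption; the example goes beyond the NULL check to show why the back-pointer is cleared before the release.

```cpp
// Hypothetical stand-ins for nsScriptablePeer / nsPluginInstance (not spice-xpi code).
#include <cstddef>
struct PluginInstance;

// Reference-counted scriptable object; the browser may hold its own reference.
struct Peer {
    int refs = 1;
    PluginInstance* mPlugin;
    explicit Peer(PluginInstance* p) : mPlugin(p) {}
    void AddRef() { ++refs; }
    int Release() { int left = --refs; if (left == 0) delete this; return left; }
    void SetInstance(PluginInstance* p) { mPlugin = p; }
    bool Connect();  // script-callable; must tolerate a destroyed plugin
};

struct PluginInstance {
    Peer* mScriptablePeer = nullptr;  // assumption: created only when a script asks
    int connects = 0;
    Peer* GetScriptablePeer() {
        if (!mScriptablePeer) mScriptablePeer = new Peer(this);
        mScriptablePeer->AddRef();    // reference handed to the caller
        return mScriptablePeer;
    }
    ~PluginInstance() {
        if (mScriptablePeer) {                   // the check the crash was missing
            mScriptablePeer->SetInstance(NULL);  // detach the back-pointer first
            mScriptablePeer->Release();
        }
    }
};

bool Peer::Connect() {
    if (!mPlugin) return false;  // instance already destroyed
    ++mPlugin->connects;
    return true;
}

// Case 1: instance destroyed before any peer exists (this=0x0 in the backtrace).
bool destroy_without_peer() { delete new PluginInstance; return true; }

// Case 2: the browser still holds the peer after the instance is destroyed.
bool call_after_destroy() {
    PluginInstance* p = new PluginInstance;
    Peer* held = p->GetScriptablePeer();
    bool before = held->Connect();
    delete p;
    bool after = held->Connect();  // refused instead of touching freed memory
    return before && !after && held->Release() == 0;
}

int main() { return destroy_without_peer() && call_after_destroy() ? 0 : 1; }
```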
Comment 6 Martin Stransky 2010-06-17 10:12:49 EDT
Note: The fix is already included in RHEL5 package, spice-xpi-2.2-1.el5.
Comment 9 Lubos Kocman 2010-09-02 03:36:56 EDT
Verified on:

spice-xpi-2.4-1.el6.x86_64
spice-client-0.4.2-18.el6.x86_64
kernel-2.6.32-70.el6.x86_64
firefox-3.6.9-1.el6.x86_64
nspluginwrapper-1.3.0-14.el6.x86_64
nspluginwrapper-1.3.0-14.el6.i686

No issues with launching spicec from user portal.
Comment 10 releng-rhel@redhat.com 2010-11-10 16:39:13 EST
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.
