firefox startup SEGV on amd64 when I installed chromebug

Bug #462557 reported by hkoba
This bug affects 1 person
Affects: firefox-3.5 (Ubuntu); Status: New; Importance: Undecided; Assigned to: Unassigned

Bug Description

Binary package hint: firefox

Today I observed a SEGV of firefox-3.5 on amd64.

1) Ubuntu 9.10
2) firefox:
  Installed: 3.5.3+build1+nobinonly-0ubuntu6
  Candidate: 3.5.3+build1+nobinonly-0ubuntu6
  Version table:
 *** 3.5.3+build1+nobinonly-0ubuntu6 0
        500 http://jp.archive.ubuntu.com karmic/main Packages
        100 /var/lib/dpkg/status

Here is the gdb session, with a backtrace.
I suspect pointer truncation (64 -> 32)
('script' should be 0x7fffe4867ab8, but it is 0xe4867ab8)
===============================================================

-arashi(pts/0)% firefox-3.5 -g -no-remote -p develuser
/usr/bin/gdb /usr/lib/firefox-3.5.3/firefox -x /tmp/mozargs.FMhm5G
GNU gdb (GDB) 7.0-ubuntu
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/lib/firefox-3.5.3/firefox...(no debugging symbols found)...done.
(gdb) set height 0
(gdb) run
Starting program: /usr/lib/firefox-3.5.3/firefox -no-remote -p develuser
[Thread debugging using libthread_db enabled]
[New Thread 0x7fffe6cf0910 (LWP 15893)]
[New Thread 0x7fffe62e5910 (LWP 15894)]
[New Thread 0x7fffe51ff910 (LWP 15895)]

Program received signal SIGSEGV, Segmentation fault.
js_PCToLineNumber (cx=0x7fffe6fe2000, script=0x7fffe4867000, pc=0xe4867ab8 <Address 0xe4867ab8 out of bounds>) at jsscript.cpp:1808
1808 jsscript.cpp: No such file or directory.
        in jsscript.cpp
Current language: auto
The current source language is "auto; currently c++".
(gdb) bt
#0 js_PCToLineNumber (cx=0x7fffe6fe2000, script=0x7fffe4867000, pc=0xe4867ab8 <Address 0xe4867ab8 out of bounds>) at jsscript.cpp:1808
#1 0x00007ffff53a3594 in jsd_GetClosestLine (jsdc=0x7ffff670c280, jsdscript=0x7fffe4866220, pc=3834018488) at jsd_scpt.c:523
#2 0x00007ffff53a96cd in jsds_FilterHook (jsdc=0x7ffff670c280, state=<value optimized out>) at jsd_xpc.cpp:400
#3 0x00007ffff53aa2f3 in jsds_ExecutionHookProc (jsdc=0x7ffff670c280, jsdthreadstate=0x7fffe48656c0, type=1, callerdata=<value optimized out>,
    rval=0x7fffffff9108) at jsd_xpc.cpp:680
#4 0x00007ffff53a26ef in jsd_CallExecutionHook (jsdc=0x7ffff670c280, cx=<value optimized out>, type=3834018488, hook=0x7ffff53aa1c4 <jsds_ExecutionHookProc>,
    hookData=0x1, rval=<value optimized out>) at jsd_hook.c:177
#5 0x00007ffff636936f in JS_HandleTrap (cx=0x7fffe6f09800, script=0x7fffe4867000, pc=0x7fffe4867ab8 "S", rval=0x7fffffff9108) at jsdbgapi.cpp:318
#6 0x00007ffff6381c4f in js_Interpret (cx=0x7fffe6f09800) at jsinterp.cpp:5647
#7 0x00007ffff638ebfd in js_Execute (cx=0x7fffe6f09800, chain=0x7fffe6ff7c80, script=0xe4867ab8, down=0x0, flags=<value optimized out>, result=0x7fffffff93e0)
    at jsinterp.cpp:1622
#8 0x00007ffff6357a48 in JS_ExecuteScript (cx=0x7fffe6fe2000, obj=0x7fffe4867000, script=0xe4867ab8, rval=0x3e11) at jsapi.cpp:5036
#9 0x00007ffff4d7502c in mozJSComponentLoader::GlobalForLocation (this=0x7ffff6760250, aComponent=0x7fffe5203540, aGlobal=0x7fffe5227128,
    aLocation=<value optimized out>, exception=<value optimized out>) at mozJSComponentLoader.cpp:1386
#10 0x00007ffff4d7602f in mozJSComponentLoader::LoadModule (this=0x7ffff6760250, aComponentFile=0x7fffe5203540, aResult=0x7fffffff9780)
    at mozJSComponentLoader.cpp:691
#11 0x00007ffff54ed8f3 in nsFactoryEntry::GetFactory (this=0x7ffff66e0c10, aFactory=0x7fffffff97c8) at nsComponentManager.cpp:3601
#12 0x00007ffff54eda15 in nsComponentManagerImpl::CreateInstanceByContractID (this=<value optimized out>, aContractID=<value optimized out>, aDelegate=0x0,
    aIID=..., aResult=0x7fffffff9840) at nsComponentManager.cpp:1682
#13 0x00007ffff54eea6a in nsComponentManagerImpl::GetServiceByContractID (this=0x7ffff6692160, aContractID=<value optimized out>, aIID=<value optimized out>,
    result=0x7fffffff98c8) at nsComponentManager.cpp:2253
#14 0x00007ffff54c4bd4 in nsGetServiceByContractIDWithError::operator() (this=0x7fffffff9940, aIID=..., aInstancePtr=0xe4867ab8) at nsComponentManagerUtils.cpp:288
#15 0x00007ffff54c434a in nsCOMPtr_base::assign_from_gs_contractid_with_error (this=0x7fffffff99b0, gs=..., iid=...) at nsCOMPtr.cpp:141
#16 0x00007ffff52ed5ca in nsCOMPtr<nsISupports>::operator= (this=<value optimized out>, aSubject=<value optimized out>, aTopic=0x7ffff5565984 "app-startup",
    someData=<value optimized out>) at ../../../../dist/include/xpcom/nsCOMPtr.h:1031
#17 nsAppStartupNotifier::Observe (this=<value optimized out>, aSubject=<value optimized out>, aTopic=0x7ffff5565984 "app-startup", someData=<value optimized out>)
    at nsAppStartupNotifier.cpp:94
#18 0x00007ffff4d185e2 in XRE_main (argc=<value optimized out>, argv=<value optimized out>, aAppData=<value optimized out>) at nsAppRunner.cpp:3161
#19 0x000000000040271f in ?? ()
#20 0x00007ffff6be3abd in __libc_start_main () from /lib/libc.so.6
#21 0x0000000000401f99 in ?? ()
#22 0x00007fffffffe468 in ?? ()
#23 0x000000000000001c in ?? ()
#24 0x0000000000000004 in ?? ()
#25 0x00007fffffffe7de in ?? ()
#26 0x0000000000000000 in ?? ()
(gdb) up 9
#9 0x00007ffff4d7502c in mozJSComponentLoader::GlobalForLocation (this=0x7ffff6760250, aComponent=0x7fffe5203540, aGlobal=0x7fffe5227128,
    aLocation=<value optimized out>, exception=<value optimized out>) at mozJSComponentLoader.cpp:1386
1386 mozJSComponentLoader.cpp: No such file or directory.
        in mozJSComponentLoader.cpp
(gdb) p nativePath
$1 = {<nsFixedCString> = {<nsCString> = {<nsACString_internal> = {mData = 0x7fffffff94f0 "file:///usr/lib/firefox-3.5.3/components/fuelApplication.js",
        mLength = 59, mFlags = 65553}, <No data fields>}, mFixedCapacity = 63,
    mFixedBuf = 0x7fffffff94f0 "file:///usr/lib/firefox-3.5.3/components/fuelApplication.js"},
  mStorage = "file:///usr/lib/firefox-3.5.3/components/fuelApplication.js\000\377\177\000"}
(gdb) p *script
$2 = {code = 0x7fffe4867ab8 "S", length = 1850, version = 4276, nfixed = 101, objectsOffset = 80 'P', upvarsOffset = 0 '\000', regexpsOffset = 0 '\000',
  trynotesOffset = 0 '\000', flags = 0 '\000', main = 0x7fffe4867afd ";", atomMap = {vector = 0x7fffe4867060, length = 160},
  filename = 0x7fffe52295fd "file:///usr/lib/firefox-3.5.3/components/fuelApplication.js", lineno = 1, nslots = 108, staticLevel = 0, principals = 0x7fffe6f5e548,
  u = {object = 0x0, nextToGC = 0x0}}
(gdb) down
#8 0x00007ffff6357a48 in JS_ExecuteScript (cx=0x7fffe6fe2000, obj=0x7fffe4867000, script=0xe4867ab8, rval=0x3e11) at jsapi.cpp:5036
5036 jsapi.cpp: No such file or directory.
        in jsapi.cpp
(gdb) up
#9 0x00007ffff4d7502c in mozJSComponentLoader::GlobalForLocation (this=0x7ffff6760250, aComponent=0x7fffe5203540, aGlobal=0x7fffe5227128,
    aLocation=<value optimized out>, exception=<value optimized out>) at mozJSComponentLoader.cpp:1386
1386 mozJSComponentLoader.cpp: No such file or directory.
        in mozJSComponentLoader.cpp
(gdb) info registers
rax 0x0 0
rbx 0x7fffe5203540 140737037481280
rcx 0x1 1
rdx 0xe4867ab8 3834018488
rsi 0x7fffe4867000 140737027403776
rdi 0x7fffe6fe2000 140737068802048
rbp 0x1 0x1
rsp 0x7fffffff92d0 0x7fffffff92d0
r8 0x1 1
r9 0x3e11 15889
r10 0x7fffffff8b40 140737488325440
r11 0x7fffe6fe6980 140737068820864
r12 0x7ffff6760250 140737328317008
r13 0x7fffe4867000 140737027403776
r14 0x7fffe5227128 140737037627688
r15 0x7fffe6f09800 140737067915264
rip 0x7ffff4d7502c 0x7ffff4d7502c <mozJSComponentLoader::GlobalForLocation(nsILocalFile*, JSObject**, char**, long*)+2594>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
mxcsr 0x1fa3 [ IE DE PE IM DM ZM OM UM PM ]
(gdb) x/8i $pc-32
0x7ffff4d7500c <_ZN20mozJSComponentLoader17GlobalForLocationEP12nsILocalFilePP8JSObjectPPcPl+2562>: mov 0x128(%rsp),%rdx
0x7ffff4d75014 <_ZN20mozJSComponentLoader17GlobalForLocationEP12nsILocalFilePP8JSObjectPPcPl+2570>: lea 0x110(%rsp),%rcx
0x7ffff4d7501c <_ZN20mozJSComponentLoader17GlobalForLocationEP12nsILocalFilePP8JSObjectPPcPl+2578>: mov 0x80(%rsp),%rdi
0x7ffff4d75024 <_ZN20mozJSComponentLoader17GlobalForLocationEP12nsILocalFilePP8JSObjectPPcPl+2586>: mov %rsi,(%r14)
0x7ffff4d75027 <_ZN20mozJSComponentLoader17GlobalForLocationEP12nsILocalFilePP8JSObjectPPcPl+2589>: callq 0x7ffff4d09440 <JS_ExecuteScript@plt>
0x7ffff4d7502c <_ZN20mozJSComponentLoader17GlobalForLocationEP12nsILocalFilePP8JSObjectPPcPl+2594>: test %eax,%eax
0x7ffff4d7502e <_ZN20mozJSComponentLoader17GlobalForLocationEP12nsILocalFilePP8JSObjectPPcPl+2596>: jne 0x7ffff4d7503e <_ZN20mozJSComponentLoader17GlobalForLocationEP12nsILocalFilePP8JSObjectPPcPl+2612>
0x7ffff4d75030 <_ZN20mozJSComponentLoader17GlobalForLocationEP12nsILocalFilePP8JSObjectPPcPl+2598>: movq $0x0,(%r14)
(gdb)
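The truncation the reporter suspects, worked through on the addresses printed in the session above (an added example, not code from the bug report or from Mozilla): the `pc` that reaches `jsd_GetClosestLine` is exactly the low 32 bits of the `pc` that `JS_HandleTrap` had, and a bounds check against `script->code`/`script->length` would have rejected it instead of faulting.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values taken from the gdb session above: script->code and script->length
 * from `p *script`, pc as seen in JS_HandleTrap (#5) and jsd_GetClosestLine (#1). */
#define SCRIPT_CODE   ((uintptr_t)0x7fffe4867ab8)
#define SCRIPT_LENGTH ((size_t)1850)
#define PC_GOOD       ((uintptr_t)0x7fffe4867ab8)
#define PC_BAD        ((uintptr_t)0xe4867ab8)

/* Model of a 64-bit address passed through a 32-bit unsigned slot: the upper
 * 32 bits are dropped and the remainder is zero-extended on the way back. */
uintptr_t truncate_to_u32(uintptr_t addr)
{
    uint32_t low = (uint32_t)addr;
    return (uintptr_t)low;
}

/* 1 if `observed` is `expected` with exactly its upper 32 bits lost. */
int looks_truncated(uintptr_t expected, uintptr_t observed)
{
    return observed != expected && observed == truncate_to_u32(expected);
}

/* Defensive pc -> bytecode offset lookup: returns -1 instead of reading
 * through a pc that lies outside [code, code + length). */
long pc_to_offset(uintptr_t code, size_t length, uintptr_t pc)
{
    if (pc < code || pc >= code + length)
        return -1;
    return (long)(pc - code);
}

int main(void)
{
    printf("low 32 bits of 0x%" PRIxPTR ": 0x%" PRIxPTR "\n",
           PC_GOOD, truncate_to_u32(PC_GOOD));
    printf("truncation hypothesis holds: %d\n", looks_truncated(PC_GOOD, PC_BAD));
    printf("offset of good pc: %ld, of bad pc: %ld\n",
           pc_to_offset(SCRIPT_CODE, SCRIPT_LENGTH, PC_GOOD),
           pc_to_offset(SCRIPT_CODE, SCRIPT_LENGTH, PC_BAD));
    return 0;
}
```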

Revision history for this message
Micah Gersten (micahg) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. This particular bug has already been reported and is a duplicate of bug 449744, so it is being marked as such. Please look at the other bug report to see if there is any missing information that you can provide, or to see if there is a workaround for the bug. Additionally, any further discussion regarding the bug should occur in the other report. Please continue to report any other bugs you may find.

affects: firefox (Ubuntu) → firefox-3.5 (Ubuntu)