Bug 18784

Summary: frequent crash in firefox since update from firefox-38 to firefox-45
Product: Mageia
Reporter: Nicolas Pomarède <npomarede>
Component: RPM Packages
Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED FIXED
QA Contact:
Severity: critical
Priority: Normal
CC: ghibomgx, luigiwalser, marja11, thierry.vignaud, tmb
Version: 5
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: glibc, nss, nspr, firefox-45.2.0-1.mga5
CVE:
Status comment:
Attachments: example crash 1
example crash 2
example crash 3
backtrace after seg fault
another crash, with different backtraces
sigsegv crash from gdb
bt full for all threads

Description Nicolas Pomarède 2016-06-24 17:51:03 CEST
Under mga5, I have frequent crashes with firefox since updating to the latest version provided by urpmi in June 2016.
Under the same conditions / number of tabs, firefox-38 was stable and never crashed this way.

When crashing under gdb, back traces seem to be related to the nspr library or the nss library.

version used :
firefox-45.2.0-1.mga5
libnspr4-4.12-1.mga5
libnss3-3.24.0-1.mga5

Here're some traces after using debuginfo packages :

---------- crash 1 in nspr --------------------

Core was generated by `/usr/bin/firefox'.
Program terminated with signal SIGPIPE, Broken pipe.
#0  0xb7fddc29 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7fddc29 in __kernel_vsyscall ()
#1  0xb7fab375 in pthread_cond_timedwait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/i386/i486/pthread_cond_timedwait.S:245
#2  0xaf5a489b in pt_TimedWait (cv=cv@entry=0xb3bf2504, ml=0xb3be33a0, timeout=60000)
    at ../../../nspr/pr/src/pthreads/ptsynch.c:264
#3  0xaf5a4d8a in PR_WaitCondVar (cvar=0xb3bf2500, timeout=60000) at ../../../nspr/pr/src/pthreads/ptsynch.c:398
#4  0xafe098c2 in Wait (this=<optimized out>, aInterval=<optimized out>) at ../../dist/include/mozilla/CondVar.h:79
#5  nsHostResolver::GetHostToLookup (this=0xaa813180, result=0x5f8ff2d8)
    at /usr/src/debug/firefox-45.2.0esr/netwerk/dns/nsHostResolver.cpp:1163
#6  0xafe0a41c in nsHostResolver::ThreadFunc (arg=0xaa813180)
    at /usr/src/debug/firefox-45.2.0esr/netwerk/dns/nsHostResolver.cpp:1391
#7  0xaf5aaad3 in _pt_root (arg=0x71092f00) at ../../../nspr/pr/src/pthreads/ptthread.c:216
#8  0xb7fa6386 in start_thread (arg=0x5f8ffb40) at pthread_create.c:310
#9  0xb7d6a6ae in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:122


---------- crash 2 in nss --------------

Program terminated with signal SIGPIPE, Broken pipe.
#0  0xb7fddc29 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7fddc29 in __kernel_vsyscall ()
#1  0xb7d5d5cb in poll () at ../sysdeps/unix/syscall-template.S:81
#2  0xb6337224 in send_dg (ansp2_malloced=0x707fdb2c, resplen2=0x707fdb28, anssizp2=0x707fdb24, ansp2=0x707fdb20, 
    anscp=0x707fdb1c, gotsomewhere=<synthetic pointer>, v_circuit=<synthetic pointer>, ns=0, terrno=0x707fc690, 
    anssizp=0x707fc748, ansp=0x707fc68c, buflen2=37, buf2=0x707fc788 "qÃ\001", buflen=37, buf=0x707fc760 "ÃZ\001", 
    statp=0x707fedc4) at res_send.c:1199
#3  __libc_res_nsend (statp=0x707fedc4, buf=0x707fc760 "ÃZ\001", buflen=37, buf2=0x707fc788 "qÃ\001", buflen2=37, 
    ans=0x707fd2f0 "Hü\201\200", anssiz=2048, ansp=0x707fdb1c, ansp2=0x707fdb20, nansp2=0x707fdb24, resplen2=0x707fdb28, 
    ansp2_malloced=0x707fdb2c) at res_send.c:576
#4  0xb6335210 in __GI___libc_res_nquery (statp=0x707fedc4, name=0x7d97865c "www.ubuntukylin.com", class=1, type=62321, 
    answer=0x707fd2f0 "Hü\201\200", anslen=2048, answerp=0x707fdb1c, answerp2=0x707fdb20, nanswerp2=0x707fdb24, 
    resplen2=0x707fdb28, answerp2_malloced=0x707fdb2c) at res_query.c:227
#5  0xb6335e07 in __libc_res_nquerydomain (answerp2_malloced=0x707fdb2c, resplen2=0x707fdb28, nanswerp2=0x707fdb24, 
    answerp2=0x707fdb20, answerp=0x707fdb1c, anslen=2048, answer=0x707fd2f0 "Hü\201\200", type=62321, class=1, domain=0x0, 
    name=0x7d97865c "www.ubuntukylin.com", statp=0x707fedc4) at res_query.c:595
#6  __GI___libc_res_nsearch (statp=0x707fedc4, name=0x7d97865c "www.ubuntukylin.com", class=1, type=62321, 
    answer=0x707fd2f0 "Hü\201\200", anslen=2048, answerp=0x707fdb1c, answerp2=0x707fdb20, nanswerp2=0x707fdb24, 
    resplen2=0x707fdb28, answerp2_malloced=0x707fdb2c) at res_query.c:381
#7  0xa5c03640 in _nss_dns_gethostbyname4_r (name=0x7d97865c "www.ubuntukylin.com", pat=0x707fe058, 
    buffer=0x707fdb80 "¬\022G6tustudio.org\200Ã\177p", buflen=1056, errnop=0x707fe05c, herrnop=0x707fe06c, ttlp=0x0)
    at nss_dns/dns-host.c:315
#8  0xb7d4c9c8 in gaih_inet (name=0x7d97865c "www.ubuntukylin.com", service=<optimized out>, req=0x707fe200, pai=0x707fe110, 
    naddrs=0x707fe11c) at ../sysdeps/posix/getaddrinfo.c:870
#9  0xb7d4f818 in __GI_getaddrinfo (name=<optimized out>, service=<optimized out>, hints=0x707fe200, pai=0x707fe1fc)
    at ../sysdeps/posix/getaddrinfo.c:2425
#10 0xaf59df5c in PR_GetAddrInfoByName (hostname=<optimized out>, af=0, flags=32800) at ../../../nspr/pr/src/misc/prnetdb.c:2046
#11 0xafe0ee5c in _GetAddrInfo_Portable (aAddrInfo=<optimized out>, aNetworkInterface=<optimized out>, aFlags=<optimized out>, 
    aAddressFamily=<optimized out>, aCanonHost=<optimized out>)
    at /usr/src/debug/firefox-45.2.0esr/netwerk/dns/GetAddrInfo.cpp:352
#12 mozilla::net::GetAddrInfo (aHost=0x7d97865c "www.ubuntukylin.com", aAddressFamily=65020, aFlags=24, 
    aNetworkInterface=0x7d978670 "", aAddrInfo=0x707fe2dc, aGetTtl=false)
    at /usr/src/debug/firefox-45.2.0esr/netwerk/dns/GetAddrInfo.cpp:419
#13 0xafe0a4a4 in nsHostResolver::ThreadFunc (arg=0xaa813180)
    at /usr/src/debug/firefox-45.2.0esr/netwerk/dns/nsHostResolver.cpp:1403
#14 0xaf5aaad3 in _pt_root (arg=0x8e149a40) at ../../../nspr/pr/src/pthreads/ptthread.c:216
---Type <return> to continue, or q <return> to quit---
#15 0xb7fa6386 in start_thread (arg=0x707feb40) at pthread_create.c:310
#16 0xb7d6a6ae in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:122


-------------- crash 3 in nspr --------------------

(gdb) bt
#0  0xb7fddc29 in __kernel_vsyscall ()
#1  0xb7fab375 in pthread_cond_timedwait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/i386/i486/pthread_cond_timedwait.S:245
#2  0xaf5a489b in pt_TimedWait (cv=cv@entry=0xb3bf2504, ml=0xb3be33a0, timeout=60000)
    at ../../../nspr/pr/src/pthreads/ptsynch.c:264
#3  0xaf5a4d8a in PR_WaitCondVar (cvar=0xb3bf2500, timeout=60000) at ../../../nspr/pr/src/pthreads/ptsynch.c:398
#4  0xafe098c2 in Wait (this=<optimized out>, aInterval=<optimized out>) at ../../dist/include/mozilla/CondVar.h:79
#5  nsHostResolver::GetHostToLookup (this=0xaa813180, result=0x6edfe2d8)
    at /usr/src/debug/firefox-45.2.0esr/netwerk/dns/nsHostResolver.cpp:1163
#6  0xafe0a41c in nsHostResolver::ThreadFunc (arg=0xaa813180)
    at /usr/src/debug/firefox-45.2.0esr/netwerk/dns/nsHostResolver.cpp:1391
#7  0xaf5aaad3 in _pt_root (arg=0x79eebcc0) at ../../../nspr/pr/src/pthreads/ptthread.c:216
#8  0xb7fa6386 in start_thread (arg=0x6edfeb40) at pthread_create.c:310
#9  0xb7d6a6ae in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:122


This mga5 pc is up to date, all latest urpmi updates are applied.
Thierry Vignaud 2016-06-24 17:56:02 CEST

CC: (none) => luigiwalser, thierry.vignaud, tmb
Source RPM: firefox-45.2.0-1.mga5 => glibc, nss, nspr, firefox-45.2.0-1.mga5

Comment 1 David Walser 2016-06-24 17:59:50 CEST
I'm not experiencing it.  You might want to try with a new Firefox profile and see if you can reproduce it.  If not, merge back in the bits you need in your profile.

Granted, ideally it shouldn't be crashing like this, but you'd need to report this upstream if it's going to be fixed.  I wouldn't know how to debug a SIGPIPE, and #3 doesn't look like a crash.
Comment 2 Nicolas Pomarède 2016-06-24 18:04:55 CEST
Created attachment 8064 [details]
example crash 1
Comment 3 Nicolas Pomarède 2016-06-24 18:05:26 CEST
Created attachment 8065 [details]
example crash 2
Comment 4 Nicolas Pomarède 2016-06-24 18:05:46 CEST
Created attachment 8066 [details]
example crash 3
Comment 5 Thierry Vignaud 2016-06-24 18:06:36 CEST
Indeed, sigpipe isn't a crash, it's just a regular signal.
You must continue until you actually hit SIGSEGV (using the "c" command -- for "continue")

Alternatively, before running the "r" (run) command in gdb, you can use:

handle SIGPIPE nostop noprint pass
Comment 6 Thierry Vignaud 2016-06-24 18:07:26 CEST
Also please attach the traces with the prior GDB message, else they're useless.
One cannot know if it's a backtrace on a breakpoint, a crash, ...
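
A small triage helper for the points made in comments 5 and 6, added here as an example; it is not part of the original thread or of any Mageia or gdb tooling. It checks whether a gdb excerpt carries the stop message and whether the reported signal is a real crash. The `triage` name, the `CRASH` set and the sample logs are assumptions of this example.

```python
import re

# Signals gdb stops on by default that do not by themselves mean a crash
# (SIGPIPE, per comment 5). The CRASH set is an assumption of this example.
BENIGN = {"SIGPIPE"}
CRASH = {"SIGSEGV", "SIGABRT", "SIGBUS", "SIGILL", "SIGFPE"}

# The "prior GDB message" comment 6 asks for: the line saying why gdb stopped.
STOP_RE = re.compile(
    r"^(?:Program|Thread \d+ .*?) (?:received|terminated with) signal (SIG[A-Z0-9]+)",
    re.M)
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\S+) \(", re.M)

# Constructed samples: the first two are shortened from traces in this report,
# the third is made up (example_function and example.c are placeholders).
SIGPIPE_LOG = """Program terminated with signal SIGPIPE, Broken pipe.
#0  0xb7fddc29 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7fddc29 in __kernel_vsyscall ()
#1  0xb7d5d5cb in poll () at ../sysdeps/unix/syscall-template.S:81
"""
NO_MESSAGE_LOG = """(gdb) bt
#0  0xb7fddc29 in __kernel_vsyscall ()
#1  0xaf5a4d8a in PR_WaitCondVar (cvar=0xb3bf2500, timeout=60000) at ptsynch.c:398
"""
SEGV_LOG = """Program received signal SIGSEGV, Segmentation fault.
#0  0x00000000 in example_function (arg=0x0) at example.c:1
"""

def triage(log):
    """Classify one gdb session excerpt by its stop reason and backtrace."""
    frames = FRAME_RE.findall(log)
    stop = STOP_RE.search(log)
    if not frames:
        verdict = "no-backtrace"
    elif stop is None:
        verdict = "incomplete"    # backtrace without the stop reason
    elif stop.group(1) in BENIGN:
        verdict = "not-a-crash"   # continue, or pass the signal through
    elif stop.group(1) in CRASH:
        verdict = "crash"
    else:
        verdict = "unknown-signal"
    return {"verdict": verdict, "signal": stop.group(1) if stop else None,
            "top_frame": frames[0][1] if frames else None,
            "depth": len({int(n) for n, _ in frames})}

if __name__ == "__main__":
    print([triage(s)["verdict"] for s in (SIGPIPE_LOG, NO_MESSAGE_LOG, SEGV_LOG)])
```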
Comment 7 Thierry Vignaud 2016-06-24 18:07:49 CEST
Comment on attachment 8064 [details]
example crash 1

incomplete

Attachment 8064 is obsolete: 0 => 1

Comment 8 Thierry Vignaud 2016-06-24 18:07:53 CEST
Comment on attachment 8065 [details]
example crash 2

incomplete

Attachment 8065 is obsolete: 0 => 1

Comment 9 Thierry Vignaud 2016-06-24 18:07:58 CEST
Comment on attachment 8066 [details]
example crash 3

incomplete

Attachment 8066 is obsolete: 0 => 1

Comment 10 Nicolas Pomarède 2016-06-24 18:12:03 CEST
OK, I will leave firefox open during the next days after disabling SIGPIPE and report new crashes then.
Comment 11 Nicolas Pomarède 2016-06-27 10:22:55 CEST
Got a real segmentation fault this time, see the attached trace from gdb
Comment 12 Nicolas Pomarède 2016-06-27 10:23:33 CEST
Created attachment 8074 [details]
backtrace after seg fault
Comment 13 Nicolas Pomarède 2016-06-27 13:47:06 CEST
Created attachment 8075 [details]
another crash, with different backtraces
Comment 14 Marja Van Waes 2016-07-04 08:12:56 CEST
Thanks for having tried again :-)

I see:

"Missing separate debuginfos, use: debuginfo-install gvfs-1.22.3-2.1.mga5.i586 libGConf2_4-3.2.6-8.mga5.i586 ............"

Could you please try to install all those missing debuginfos with

  # debuginfo-install gvfs-1.22.3-2.1.mga5.i586 libGConf2.... etc.etc

and then update your system (including the debug packages) before getting another backtrace?

There'll most likely be several threads; if you see any mention of threads, then don't forget to use "thread apply all bt full"

https://wiki.mageia.org/en/Debugging_software_crashes#gdb

CC: (none) => marja11

Comment 15 Nicolas Pomarède 2016-07-28 16:21:27 CEST
I was able to get new traces.

Note that "debuginfo-install gvfs-1.22.3-2.1.mga5.i586 libGConf2_4-3.2.6-8.mga5.i586 ............" doesn't work, many of the suggested packages don't exist, so debuginfo-install will fail with :

no such package GConf2-debuginfo
no such package libalsa2-debuginfo
and so on.

So, I manually installed some debuginfo packages one by one, let me know if some symbols are missing from the traces and I will do another "bt" with the missing debuginfo.

I attach 2 files :

- crash_core.23325.txt : this is the result when firefox ran from gdb and crashed with sigsegv. crash happened at /usr/src/debug/firefox-45.2.0esr/netwerk/protocol/http/nsHttp.cpp:300

- bt_core.23325.txt : result of running gdb with the core file and doing "bt full" then "thread apply all bt full" (53 threads to dump)
Comment 16 Nicolas Pomarède 2016-07-28 16:22:09 CEST
Created attachment 8280 [details]
sigsegv crash from gdb
Comment 17 Nicolas Pomarède 2016-07-28 16:22:56 CEST
Created attachment 8281 [details]
bt full for all threads
Comment 18 Giuseppe Ghibò 2016-10-11 17:12:25 CEST
can you verify whether this still happens with firefox 45.4.0 (either on mga5 or 6)?

CC: (none) => ghibomgx

Comment 19 Nicolas Pomarède 2016-10-11 17:22:09 CEST
Hi
can't try under mga5 anymore due to changing this machine, but at least under mga6 it seems stable.
Comment 20 Marja Van Waes 2017-01-10 12:49:25 CET
(In reply to Giuseppe Ghibò from comment #18)
> can you verify whether this still happens with firefox 45.4.0 (either on
> mga5 or 6)?

(In reply to Nicolas Pomarède from comment #19)
> Hi
> can't try under mga5 anymore due to changing this machine, but at least
> under mga6 it seems stable.

Assuming the same version fixed it in Mageia 5, too, so closing.

Thanks for all the effort you've put into getting a complete backtrace, Nicolas!

@ anyone still (or again) hitting this issue

Please open a new report against our latest Firefox version, and get a new backtrace like Nicolas provided (see above for how to do that).

Status: NEW => RESOLVED
Resolution: (none) => FIXED