Closed Bug 287558 Opened 20 years ago Closed 20 years ago

intermittent crashes if a web page containing a flash animation is closed

Categories

(SeaMonkey :: General, defect)

1.7 Branch
Sun
SunOS
defect
Not set
critical

Tracking

(Not tracked)

VERIFIED INVALID

People

(Reporter: jk, Unassigned)

Details

(Keywords: crash, helpwanted)

Attachments

(4 files)

User-Agent: Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.7.4) Gecko/20040917
Build Identifier: Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.7.4) Gecko/20040917

Browser crashes with a core dump after leaving a web page containing a flash animation.

Reproducible: Always

Steps to Reproduce:
1. Start mozilla, using the Solaris libumem.so.1 debugging memory allocator:

    env LD_PRELOAD=libumem.so.1 UMEM_DEBUG=default UMEM_LOGGING=transaction mozilla http://www.macromedia.com/software/flash/about/

   An HTML page with an embedded flash animation should open.
2. Leave the page with the embedded flash plugin, for example by opening the URL about:blank

Actual Results:
Browser crashes with a core dump. The crash happens when the flash plugin has called the X11 library function XCloseIM().

Expected Results:
Browser should not crash.

I'm using a Mozilla 1.7.4 compiled from sources.

    % uname -rps
    SunOS 5.10 i386
    % locale
    LANG=de_DE.ISO8859-1
    LC_CTYPE=de_DE.ISO8859-1
    LC_NUMERIC=de_DE.ISO8859-1
    LC_TIME=de_DE.ISO8859-1
    LC_COLLATE=de_DE.ISO8859-1
    LC_MONETARY=de_DE.ISO8859-1
    LC_MESSAGES=de
    LC_ALL=

"Shockwave Flash 7.0 r53" plugin is installed.
It's possible that this is actually a problem in Solaris' libX11.so.4`XCloseIM() or the xiiimp.so.2 shared library - and not a problem in mozilla or the flash plugin. But I have no access to Sun's libX11.so / xiiimp.so source code to verify it. Using the standard libc memory allocator, the core dump problem is very intermittent.
The problem can be reproduced on Solaris 10 SPARC, too.
Hardware: Other → Sun
Version: unspecified → 1.7 Branch
Keywords: crash
Keywords: helpwanted
I think it's an issue of XIM on Solaris 10, or flash should not do XOpenIM(), XCloseIM() so frequently. It cannot be fixed from the Mozilla side.
I just found out that running the browser (both mozilla and firefox) in the "C" locale appears to work around the problem. That is, starting mozilla (or firefox) like this does not crash it when leaving the page with the embedded flash animation:

    env LC_ALL=C LD_PRELOAD=libumem.so.1 UMEM_DEBUG=default mozilla http://www.macromedia.com/software/flash/about/

Locales where the crash does happen:

    en_US.ISO8859-1
    en_US.ISO8859-15
    en_US.UTF-8
    de_DE.ISO8859-1
    de_DE.ISO8859-15
    de_DE.UTF-8
    nl_NL.ISO8859-1
    es_MX.ISO8859-1
    ... (any locale != "C" ?)
Possibly related flash plugin triggered crash, using firefox. From a thread on the solarisx86 mailing list at groups.yahoo.com: http://groups.yahoo.com/group/solarisx86/message/29661 Apparently the flash plugin gets dlclose()'d / unmapped from the browser's address space while there's an active timer callback stack frame into the flash plugin.
From the same solarisx86 mailing list thread on groups.yahoo.com; another way the browser is crashing when the flash plugin is in use: http://groups.yahoo.com/group/solarisx86/message/29709 http://groups.yahoo.com/group/solarisx86/message/29717 This time, Solaris' libumem has detected a memory write into a freed memory block. It seems as if something is seriously broken when the flash plugin is unused and is unloaded from memory.
Apparently this is a bug in Solaris 10 and snv_22 libX11.so XOpenIM() / XCloseIM() implementation. It passes pointers from free()ed memory blocks to XFree().
resolving INVALID -- not a Mozilla bug
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
For the record... From Alan C. @ Sun:

> This was filed with our i18n team as bug 6378646 and they have fixed it
> in snv_34.

http://www.opensolaris.org/jive/thread.jspa?threadID=2731&tstart=0
Thank you. Does this only happen on open solaris (we now have such a field in the os list), or does it happen on solaris5..9?
Status: RESOLVED → VERIFIED
It happens on both OpenSolaris and Sun Solaris releases. A quick test with the XOpenIM() / XCloseIM() test case ...

https://bugzilla.mozilla.org/attachment.cgi?id=198809

... on Solaris 8 x86, using the "Electric Fence 2.0.5" malloc debug library catches the same access to freed memory. Solaris 10 SPARC is affected, too.
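Added example, not part of the bug report or of any code attached to it: a simplified model of why the thread's debugging allocators turn an intermittent crash into a reliable one. Freed blocks are poisoned and quarantined, so a pointer read from a freed block, a write into it, or a second free becomes detectable. The `dbg_*` functions, `struct im` and the `POISON` byte are assumptions made for illustration; this is not libumem's or Electric Fence's implementation.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define POISON 0xDF          /* constructed fill byte, not libumem's pattern */
#define LIVE   0xA110CA7Eu
#define DEAD   0xDEADB10Cu
typedef struct { uint32_t state; size_t size; } hdr_t;
enum dbg_result { DBG_OK, DBG_DOUBLE_FREE, DBG_WRITE_AFTER_FREE };

void *dbg_malloc(size_t n) {
    hdr_t *h = malloc(sizeof *h + n);
    if (!h) return NULL;
    h->state = LIVE; h->size = n;
    return h + 1;
}

/* Poison and quarantine: the block is never handed back to libc, so misuse stays visible. */
enum dbg_result dbg_free(void *p) {
    hdr_t *h = (hdr_t *)p - 1;
    if (h->state == DEAD) return DBG_DOUBLE_FREE;
    h->state = DEAD;
    memset(p, POISON, h->size);
    return DBG_OK;
}

/* Any non-poison byte in a dead block means something wrote to it after free. */
enum dbg_result dbg_audit(const void *p) {
    const hdr_t *h = (const hdr_t *)p - 1;
    const unsigned char *b = p;
    if (h->state != DEAD) return DBG_OK;
    for (size_t i = 0; i < h->size; i++)
        if (b[i] != POISON) return DBG_WRITE_AFTER_FREE;
    return DBG_OK;
}

struct im { char *name; };   /* hypothetical input-method object */
/* Bug pattern from the thread: free the object, then take a pointer out of it.
 * Returns 1 if the stale read yields poison instead of the old pointer. */
int stale_member_is_poison(void) {
    struct im *im = dbg_malloc(sizeof *im);
    char *name = dbg_malloc(8);
    uintptr_t stale, poison;
    if (!im || !name) return -1;
    im->name = name;
    dbg_free(im);
    memcpy(&stale, im, sizeof stale);        /* read from the freed block */
    memset(&poison, POISON, sizeof poison);
    return stale == poison && stale != (uintptr_t)name;
}
```

With a plain allocator the freed block usually still holds the old pointer, so the stale read often appears to work; with poisoning, the value later passed to a free routine is garbage every time.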