Closed Bug 294372 Opened 20 years ago Closed 18 years ago

Double free or memory corruption causes crash

Categories

(Core Graveyard :: GFX: Gtk, defect)

1.7 Branch
x86
Linux
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: greenrd, Assigned: blizzard)

Details

(Keywords: crash)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050512 Fedora/1.0.4-2 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050512 Fedora/1.0.4-2 Firefox/1.0.4

The URL mentioned causes firefox to crash when you try to go right to the end of
the page. The terminal window I launched firefox from says:

*** glibc detected *** /usr/lib/firefox-1.0.4/firefox-bin: double free or
corruption (!prev): 0x095f2f08 ***

Reproducible: Always

Steps to Reproduce:
1. Go to URL mentioned
2. Press the END key

Actual Results:  
*** glibc detected *** /usr/lib/firefox-1.0.4/firefox-bin: double free or
corruption (!prev): 0x095f2f08 ***
======= Backtrace: =========
/lib/libc.so.6[0xc1f1e4]
/lib/libc.so.6(__libc_free+0x77)[0xc1f71f]
/usr/lib/libstdc++.so.6(_ZdlPv+0x21)[0x8f1669]
/usr/lib/libstdc++.so.6(_ZdaPv+0x1d)[0x8f16b5]
/usr/lib/firefox-1.0.4/components/libgfx_gtk.so[0xf20836]
/usr/lib/firefox-1.0.4/components/libgfx_gtk.so[0xf21b46]
/usr/lib/firefox-1.0.4/components/libgfx_gtk.so[0xefe6e5]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x13097e2]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x1309c1e]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x130abdd]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x12c2701]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x12b3c67]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x12b4fa8]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x12b6e2d]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x12d192e]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x12b530f]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x12c2701]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x12b3c67]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x12b4fa8]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x12b6d91]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x12d192e]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x12b530f]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x12c2701]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x12b3c67]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x12b4fa8]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x12b6e2d]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x12d192e]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x12b530f]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x12c2701]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x12c1c9a]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x13578fe]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x12c2701]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x12c1c9a]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x136a2ad]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x136e59e]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x136c843]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x12c2701]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x12c1c9a]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x135a4b8]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x136610f]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x12c2701]
/usr/lib/firefox-1.0.4/components/libgklayout.so[0x1367e88]
<snip>

Firefox hangs

Expected Results:  
No crash
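
A triage sketch for the glibc abort output quoted in the report above, added here as an example (it is not part of the original report or of Mozilla's code): it parses the `*** glibc detected ***` line and the backtrace frames, names the C++ deallocator that reached `free`, and picks the first frame outside libc/libstdc++ as the module to investigate. The name `triage` and the sample text (the first frames of the report, re-embedded inline) are assumptions of this example.

```python
import re

# Constructed sample: the diagnostic line and first frames quoted in the report.
SAMPLE = """\
*** glibc detected *** /usr/lib/firefox-1.0.4/firefox-bin: double free or
corruption (!prev): 0x095f2f08 ***
======= Backtrace: =========
/lib/libc.so.6[0xc1f1e4]
/lib/libc.so.6(__libc_free+0x77)[0xc1f71f]
/usr/lib/libstdc++.so.6(_ZdlPv+0x21)[0x8f1669]
/usr/lib/libstdc++.so.6(_ZdaPv+0x1d)[0x8f16b5]
/usr/lib/firefox-1.0.4/components/libgfx_gtk.so[0xf20836]
/usr/lib/firefox-1.0.4/components/libgfx_gtk.so[0xf21b46]
"""

# The program path is optional and the message may be wrapped across lines.
HEADER = re.compile(
    r"\*\*\* glibc detected \*\*\*\s+(?:(/\S+):\s+)?(.+?):\s+(0x[0-9a-fA-F]+)\s+\*\*\*",
    re.S)
# Frame format: module(symbol+offset)[address]; the symbol part is optional.
FRAME = re.compile(r"^(\S+?)(?:\((\w+)\+0x[0-9a-f]+\))?\[(0x[0-9a-f]+)\]$", re.M)
RUNTIME = ("libc.so", "libstdc++.so")  # allocator / C++ runtime, not the culprit
KNOWN = {  # Itanium C++ ABI mangled names that appear in the report
    "_ZdlPv": "operator delete(void*)",
    "_ZdaPv": "operator delete[](void*)",
}

def triage(text):
    """Return the abort reason, freed pointer, deallocator and first caller frame."""
    m = HEADER.search(text)
    if m is None:
        return None
    dealloc = caller = None
    for module, symbol, addr in FRAME.findall(text):
        base = module.rsplit("/", 1)[-1]
        if base.startswith(RUNTIME):
            if symbol:  # keep the runtime frame closest to the caller
                dealloc = KNOWN.get(symbol, symbol)
        else:
            caller = (base, addr)  # first frame outside libc/libstdc++
            break
    return {
        "program": m.group(1),
        "reason": " ".join(m.group(2).split()),  # undo line wrapping
        "pointer": m.group(3),
        "deallocator": dealloc,
        "caller": caller,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample this reports `operator delete[](void*)` called from `libgfx_gtk.so` at `0xf20836`; that address still needs the distribution's debug symbols to resolve to a function.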
WFM Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.8) Gecko/20050511
Firefox/1.0.4
WFM Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050515
Firefox/1.0+ ID:2005051518
worksforme with linux suite trunk 2005051501 and firefox 1.0.4.
Keywords: crash
Version: Trunk → 1.7 Branch
I just encountered this with Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051025 Firefox/1.5.

Unfortunately, I wasn't given a chance to get a stack trace.  Here is the error I get, however:

 *** glibc detected *** double free or corruption (!prev): 0x09f76050 ***

Here is my system info:

tom@linux:~$ uname -a
Linux linux 2.6.14 #1 PREEMPT Thu Oct 27 21:50:17 PDT 2005 i686 unknown
tom@linux:~$ gcc --version
gcc (GCC) 4.0.2
Copyright (C) 2005 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

tom@linux:~$ ldd --version
ldd (GNU libc) 2.3.4
Copyright (C) 2004 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
tom@linux:~$ 

The site mentioned in this bug report loads fine for me BUT I was able to generate this talkback id:  TB11427502X.

I got the glibc error and killed Firefox.  When I restarted it, it crashed and generated the above talkback id.  I hope that helps.

Incident ID: 11427502
Stack Signature	firefox-bin + 0x410 (0xffffe410) 8ab8e95b
Product ID	Firefox15
Build ID	2005102519
Trigger Time	2005-11-03 18:23:32.0
Platform	LinuxIntel
Operating System	Linux 2.6.14
Module	firefox-bin + (00000410)
URL visited	
User Comments	
Since Last Crash	2 sec
Total Uptime	2 sec
Trigger Reason	SIGIOT: Abort or IOT Instruction: (signal 6)
Source File, Line No.	N/A
Stack Trace 	
firefox-bin + 0x410 (0xffffe410)
libc.so.6 + 0x2a059 (0xb7490059)
libc.so.6 + 0x5c0ba (0xb74c20ba)
libc.so.6 + 0x61f86 (0xb74c7f86)
libc.so.6 + 0x62a4b (0xb74c8a4b)
js_FinalizeStringRT()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/jsstr.c, line 2713]
js_FinalizeString()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/jsstr.c, line 2696]
js_GC()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/jsgc.c, line 1842]
js_ForceGC()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/jsgc.c, line 1511]
JS_GC()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/jsapi.c, line 1830]
nsJSContext::Notify()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 2154]
nsTimerImpl::Fire()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/xpcom/threads/nsTimerImpl.cpp, line 398]
handleTimerEvent()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/xpcom/threads/nsTimerImpl.cpp, line 462]
PL_HandleEvent()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/xpcom/threads/plevent.c, line 689]
PL_ProcessPendingEvents()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/xpcom/threads/plevent.c, line 623]
nsEventQueueImpl::ProcessPendingEvents()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/xpcom/threads/nsEventQueue.cpp, line 421]
event_processor_callback()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/widget/src/gtk2/nsAppShell.cpp, line 67]
libglib-2.0.so.0 + 0x4f6bf (0xb796f6bf)
libglib-2.0.so.0 + 0x25ecc (0xb7945ecc)
libglib-2.0.so.0 + 0x292bb (0xb79492bb)
libglib-2.0.so.0 + 0x295d7 (0xb79495d7)
libgtk-x11-2.0.so.0 + 0x121c11 (0xb7bf8c11)
nsAppShell::Run()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/widget/src/gtk2/nsAppShell.cpp, line 141]
nsAppStartup::Run()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151]
XRE_main()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/toolkit/xre/nsAppRunner.cpp, line 2315]
main()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 62]
libc.so.6 + 0x1524f (0xb747b24f)
WFM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051025 Firefox/1.5

A simplified testcase would be nice. (timeless?)
can't reproduce any more
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME
This problem isn't reproducible for me using Firefox 2.0.0.1.
Product: Core → Core Graveyard