Closed Bug 327127 Opened 19 years ago Closed 18 years ago

flash plugin freezes firefox, corrupted double-linked list detected by glibc

Categories

(Firefox :: General, defect)

x86
Linux
defect
Not set
critical

RESOLVED INVALID

People

(Reporter: dicks, Unassigned)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060207 Debian/1.5.dfsg+1.5.0.1-1 Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060207 Debian/1.5.dfsg+1.5.0.1-1 Firefox/1.5.0.1

When visiting www.webwereld.nl or other sites with flash content, Firefox sometimes freezes completely, where not even the window is repainted when you move another window over it. In some of these cases, glibc also prints messages about corrupted pointers on the console:
*** glibc detected *** corrupted double-linked list: 0x0930d9a0 ***
or:
*** glibc detected *** free(): invalid pointer: 0x0929e4d8 ***

It is clearly related to the Flash plugin only (version 7.0r61 and 7.0r25). I can reproduce the problem with only the Flash plugin installed, and with a fresh ~/.mozilla directory without any installed extensions.

Reproducible: Sometimes

Steps to Reproduce:
1. Start Firefox with the Flash plugin installed from the command line.
2. Go to a website with lots of Flash, such as www.webwereld.nl.
3. Click on a few article headers.
4. Restart Firefox if it does not freeze after a few pages.
Actual Results:  
Sometimes Firefox freezes and/or messages about corrupted pointers will appear on the console.

Expected Results:  
No freeze and no messages about corrupted pointers.

This is on a Debian system with libc6-2.3.5-13. The windowing environment seems to have an influence. On a KDE desktop, the problem seems to occur more frequently than with a desktop with the icewm window manager.

Does this happen in safe mode? Have you tried reinstalling Flash (making sure if you do so via apt that you flush all cached downloaded files first)?
(In reply to comment #1)
> Does this happen in safe mode? Have you tried reinstalling Flash (making sure
> if you do so via apt that you flush all cached downloaded files first)?

I've manually installed the Flash plugin by copying the files flashplayer.xpt and libflashplayer.so from the Macromedia .tar.gz to /usr/lib/firefox/plugins/.

It also happens in safe mode. As I wrote in my initial bug report, it even happens when I remove all other plugins from the plugins directory, and remove the ~/.mozilla/ and ~/.firefox/ directories.

Some additional info:

1) I found an old Flash plugin, 6.0r81, and that one freezes as well.

2) I ran Firefox under valgrind, and found some errors. There were a couple of warnings about overlapping arguments of memcpy, but this is probably harmless:

==8859== Source and destination overlap in memcpy(0x1E5E7DB0, 0x1E5E7DBB, 13)
==8859==    at 0x1B905C17: memcpy (mac_replace_strmem.c:113)
==8859==    by 0x1E29976E: FlashSecurity::ExtractSubdomainFromPath(char*, int) (in /usr/lib/mozilla/plugins/libflashplayer.so)
[...]

Probably more serious are the warnings about reading and writing to free'd memory, although I don't know if this is the cause of the current problem:

==8859== Invalid read of size 1
==8859==    at 0x1E315FD0: gtkTimerCallback(void*) (in /usr/lib/mozilla/plugins/libflashplayer.so)
==8859==    by 0x1C0D08D5: (within /usr/lib/libglib-2.0.so.0.800.6)
==8859==    by 0x1C0CEB8B: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.800.6)
==8859==    by 0x1C0D1F6A: (within /usr/lib/libglib-2.0.so.0.800.6)
==8859==    by 0x1C0D2446: g_main_context_iteration (in /usr/lib/libglib-2.0.so.0.800.6)
==8859==    by 0x1BC2FAC4: gtk_main_iteration (in /usr/lib/libgtk-x11-2.0.so.0.800.10)
==8859==    by 0x1E315FF1: gtkTimerCallback(void*) (in /usr/lib/mozilla/plugins/libflashplayer.so)
==8859==    by 0x1C0D08D5: (within /usr/lib/libglib-2.0.so.0.800.6)
==8859==    by 0x1C0CEB8B: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.800.6)
==8859==    by 0x1C0D1F6A: (within /usr/lib/libglib-2.0.so.0.800.6)
==8859==    by 0x1C0D22C6: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.800.6)
==8859==    by 0x1BC303A0: gtk_main (in /usr/lib/libgtk-x11-2.0.so.0.800.10)
==8859==  Address 0x1E071BD4 is 4756 bytes inside a block of size 4764 free'd
==8859==    at 0x1B904CA8: operator delete(void*) (vg_replace_malloc.c:155)
==8859==    by 0x1E3147E3: PlatformPlayer::~PlatformPlayer() (in /usr/lib/mozilla/plugins/libflashplayer.so)
==8859==    by 0x1E316233: PlatformPlayer::NsDestroyPlayer(_NPP*) (in /usr/lib/mozilla/plugins/libflashplayer.so)
==8859==    by 0x1E31A870: NPP_Destroy (in /usr/lib/mozilla/plugins/libflashplayer.so)
==8859==    by 0x1E318ACF: Private_Destroy (in /usr/lib/mozilla/plugins/libflashplayer.so)
==8859==    by 0x824EBFD: (within /usr/lib/firefox/firefox-bin)
==8859==    by 0x82F2AD6: (within /usr/lib/firefox/firefox-bin)
==8859==    by 0x82CD8DE: (within /usr/lib/firefox/firefox-bin)
==8859==    by 0x82C29F2: (within /usr/lib/firefox/firefox-bin)
==8859==    by 0x82E724E: (within /usr/lib/firefox/firefox-bin)
==8859==    by 0x82B69C0: (within /usr/lib/firefox/firefox-bin)
==8859==    by 0x82E724E: (within /usr/lib/firefox/firefox-bin)
==8859==
==8859== Invalid write of size 1
==8859==    at 0x1E315FF4: gtkTimerCallback(void*) (in /usr/lib/mozilla/plugins/libflashplayer.so)
==8859==    by 0x1C0D08D5: (within /usr/lib/libglib-2.0.so.0.800.6)
==8859==    by 0x1C0CEB8B: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.800.6)
==8859==    by 0x1C0D1F6A: (within /usr/lib/libglib-2.0.so.0.800.6)
==8859==    by 0x1C0D2446: g_main_context_iteration (in /usr/lib/libglib-2.0.so.0.800.6)
==8859==    by 0x1BC2FAC4: gtk_main_iteration (in /usr/lib/libgtk-x11-2.0.so.0.800.10)
==8859==    by 0x1E315FF1: gtkTimerCallback(void*) (in /usr/lib/mozilla/plugins/libflashplayer.so)
==8859==    by 0x1C0D08D5: (within /usr/lib/libglib-2.0.so.0.800.6)
==8859==    by 0x1C0CEB8B: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.800.6)
==8859==    by 0x1C0D1F6A: (within /usr/lib/libglib-2.0.so.0.800.6)
==8859==    by 0x1C0D22C6: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.800.6)
==8859==    by 0x1BC303A0: gtk_main (in /usr/lib/libgtk-x11-2.0.so.0.800.10)
==8859==  Address 0x1E071BD4 is 4756 bytes inside a block of size 4764 free'd
==8859==    at 0x1B904CA8: operator delete(void*) (vg_replace_malloc.c:155)
==8859==    by 0x1E3147E3: PlatformPlayer::~PlatformPlayer() (in /usr/lib/mozilla/plugins/libflashplayer.so)
==8859==    by 0x1E316233: PlatformPlayer::NsDestroyPlayer(_NPP*) (in /usr/lib/mozilla/plugins/libflashplayer.so)
==8859==    by 0x1E31A870: NPP_Destroy (in /usr/lib/mozilla/plugins/libflashplayer.so)
==8859==    by 0x1E318ACF: Private_Destroy (in /usr/lib/mozilla/plugins/libflashplayer.so)
==8859==    by 0x824EBFD: (within /usr/lib/firefox/firefox-bin)
==8859==    by 0x82F2AD6: (within /usr/lib/firefox/firefox-bin)
==8859==    by 0x82CD8DE: (within /usr/lib/firefox/firefox-bin)
==8859==    by 0x82C29F2: (within /usr/lib/firefox/firefox-bin)
==8859==    by 0x82E724E: (within /usr/lib/firefox/firefox-bin)
==8859==    by 0x82B69C0: (within /usr/lib/firefox/firefox-bin)
==8859==    by 0x82E724E: (within /usr/lib/firefox/firefox-bin)
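The trace above shows a timer callback (gtkTimerCallback) running after the PlatformPlayer instance it captured was deleted in NPP_Destroy. As an added illustration that is not part of this bug report or of the Flash plugin's code, the C program below models that pattern with a constructed stand-in for glib's timer sources; the names timer_add, timers_dispatch, player_create, player_destroy_buggy and player_destroy_fixed, and the 4764-byte player struct, are assumptions chosen to mirror the trace, and the fixed teardown unregisters the callback before freeing the instance.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Stand-in for the glib source list: a fixed table of timer callbacks (constructed example). */
#define MAX_TIMERS 8
typedef void (*timer_cb)(void *user_data);
static struct timer { timer_cb cb; void *user_data; int active; } timers[MAX_TIMERS];

static int timer_add(timer_cb cb, void *user_data) {
    for (int i = 0; i < MAX_TIMERS; i++)
        if (!timers[i].active) { timers[i] = (struct timer){cb, user_data, 1}; return i; }
    return -1;
}
static void timer_remove(int id) { if (id >= 0 && id < MAX_TIMERS) timers[id].active = 0; }
/* Run every active timer once, as g_main_context_dispatch would; returns how many ran. */
static int timers_dispatch(void) {
    int n = 0;
    for (int i = 0; i < MAX_TIMERS; i++)
        if (timers[i].active) { timers[i].cb(timers[i].user_data); n++; }
    return n;
}
/* Plugin instance in the PlatformPlayer role: a 4764-byte block that owns a periodic timer. */
struct player { int timer_id; unsigned char pad[4760]; };
static void gtk_timer_callback(void *user_data) {
    struct player *p = user_data;
    p->pad[4752]++;   /* byte 4756 of the block: the access valgrind flags once p is freed */
}
static struct player *player_create(void) {
    struct player *p = calloc(1, sizeof *p); if (!p) abort();
    p->timer_id = timer_add(gtk_timer_callback, p);
    return p;
}
/* Buggy NPP_Destroy: frees the instance but leaves its timer registered. */
static void player_destroy_buggy(struct player *p) { free(p); }
/* Fixed NPP_Destroy: unregister every callback that captured p, then free. */
static void player_destroy_fixed(struct player *p) { timer_remove(p->timer_id); free(p); }
/* One create/tick/destroy cycle; returns how many timers still reference the freed instance
 * (only pointer values are compared, so the freed block itself is never touched). */
static int dangling_after_destroy(int use_fixed) {
    struct player *p = player_create(); uintptr_t addr = (uintptr_t)p;
    timers_dispatch();                      /* one normal tick while the instance is alive */
    if (use_fixed) player_destroy_fixed(p); else player_destroy_buggy(p);
    int n = 0;
    for (int i = 0; i < MAX_TIMERS; i++)    /* count and unregister, so each run starts clean */
        if (timers[i].active && (uintptr_t)timers[i].user_data == addr) { n++; timers[i].active = 0; }
    return n;                               /* 1 for the buggy teardown, 0 for the fixed one */
}
int main(void) {
    printf("buggy teardown: %d dangling timer(s), fixed teardown: %d\n",
           dangling_after_destroy(0), dangling_after_destroy(1));
    return 0;
}
```

Had the buggy path dispatched one more tick after the free, valgrind would report the same "Invalid read/write ... inside a block ... free'd" pair as in the trace, with the free attributed to the destroy routine.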

Those look to me as if it's all a problem with Flash itself. Could you file a bug report with Adobe/Macromedia? (http://www.macromedia.com/support/flashplayer/)

However, I'm not much of a C programmer, so I might be wrong.

The problem seems to disappear when I disable the "artsdsp" sound wrapper, by setting FIREFOX_DSP=none in firefoxrc. Does this ring a bell somewhere?

I'm going to mark this as invalid, as I feel that it's a Flash issue. Correct me if I'm wrong.
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → INVALID