glibc detected firefox-bin: double free or corruption (out)

RESOLVED DUPLICATE of bug 403363

Status

Core Graveyard
Image: Painting
--
critical
11 years ago
3 years ago

People

(Reporter: bc, Unassigned)

Tracking

({crash, testcase})

Trunk
x86
Linux
crash, testcase

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(2 attachments)

(Reporter)

Description

11 years ago
Blaming necko based on the first part of the backtrace.

======= Backtrace: =========
/lib/libc.so.6[0xe5bdf1]
/lib/libc.so.6(cfree+0x90)[0xe5f430]
/work/mozilla/builds/1.9.0/mozilla/firefox-debug/dist/bin/components/libnecko.so[0x788bdc0]

see also bug 403145, bug 403578
Flags: blocking1.9?
(Reporter)

Comment 1

11 years ago
Just before the crash I got 3:

ASSERTION: imgContainer::DrawFrameTo: Invalid aDstRect: '(aDstRect.x >= 0) && (aDstRect.y >= 0) && (aDstRect.x + aDstRect.width <= dstRect.width) && (aDstRect.y + aDstRect.height <= dstRect.height)', file mozilla/modules/libpr0n/src/imgContainer.cpp, line 1122
(Reporter)

Comment 2

11 years ago
Igor, I found this looking at crash-reports for js related stacks. Maybe this is something you could look at?
(Reporter)

Comment 3

11 years ago
Created attachment 288449 [details]
quiz-cam_banner_1.gif
(Reporter)

Comment 4

11 years ago
Loading the image horks. I thought at first this was in libpr0n but I'm not sure what is going on with this.

#0  0x00e5c5d8 in _int_malloc () from /lib/libc.so.6
#1  0x00e5debe in malloc () from /lib/libc.so.6
#2  0x0019956b in JS_malloc (cx=0x83acc00, nbytes=8192) at /work/mozilla/builds/1.9.0/mozilla/js/src/jsapi.c:1720
#3  0x0025c43c in JS_XDRNewMem (cx=0x83acc00, mode=JSXDR_ENCODE) at /work/mozilla/builds/1.9.0/mozilla/js/src/jsxdrapi.c:247
#4  0x029bca2a in WriteScriptToStream (cx=0x83acc00, script=0x89dd3e0, stream=0x8a0a7c8) at /work/mozilla/builds/1.9.0/mozilla/js/src/xpconnect/loader/mozJSComponentLoader.cpp:416
#5  0x029bcf2f in mozJSComponentLoader::WriteScript (this=0x834bff8, flSvc=0x83b1cd8, script=0x89dd3e0, component=0x88e72b8, nativePath=0x8bd2d30 "file:///work/mozilla/builds/1.9.0/mozilla/firefox-debug/dist/bin/components/nsUrlClassifierLib.js", uri=0x8bdb3e0, cx=0x83acc00) at /work/mozilla/builds/1.9.0/mozilla/js/src/xpconnect/loader/mozJSComponentLoader.cpp:1012
#6  0x029bf012 in mozJSComponentLoader::GlobalForLocation (this=0x834bff8, aComponent=0x88e72b8, aGlobal=0x8b694ec, aLocation=0x8b694f0) at /work/mozilla/builds/1.9.0/mozilla/js/src/xpconnect/loader/mozJSComponentLoader.cpp:1242
#7  0x029c0947 in mozJSComponentLoader::LoadModule (this=0x834bff8, aComponentFile=0x88e72b8, aResult=0xbff6c984) at /work/mozilla/builds/1.9.0/mozilla/js/src/xpconnect/loader/mozJSComponentLoader.cpp:598
#8  0x0033115e in nsFactoryEntry::GetFactory (this=0x8310e20, aFactory=0xbff6c9ec) at /work/mozilla/builds/1.9.0/mozilla/xpcom/components/nsComponentManager.cpp:3578
#9  0x00331573 in nsComponentManagerImpl::CreateInstance (this=0x82e0120, aClass=@0x891fbd4, aDelegate=0x0, aIID=@0xbff6cad8, aResult=0xbff6ca34) at /work/mozilla/builds/1.9.0/mozilla/xpcom/components/nsComponentManager.cpp:1710
#10 0x00333509 in nsComponentManagerImpl::GetService (this=0x82e0120, aClass=@0x891fbd4, aIID=@0xbff6cad8, result=0xbff6cad0) at /work/mozilla/builds/1.9.0/mozilla/xpcom/components/nsComponentManager.cpp:1926
#11 0x0297e6aa in nsJSCID::GetService (this=0x891fbb8, _retval=0xbff6ccbc) at /work/mozilla/builds/1.9.0/mozilla/js/src/xpconnect/src/xpcjsid.cpp:899
#12 0x00358995 in NS_InvokeByIndex_P () at /work/mozilla/builds/1.9.0/mozilla/xpcom/reflect/xptinfo/src/xptiInterfaceInfo.cpp:73
#13 0x0299d7c6 in XPCWrappedNative::CallMethod (ccx=@0xbff6cef4, mode=XPCWrappedNative::CALL_METHOD) at /work/mozilla/builds/1.9.0/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2346
#14 0x029ac47c in XPC_WN_CallMethod (cx=0x8651618, obj=0xb4024e80, argc=0, argv=0x8692374, vp=0xbff6d00c) at /work/mozilla/builds/1.9.0/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1467
#15 0x001e2838 in js_Invoke (cx=0x8651618, argc=0, vp=0x869236c, flags=0) at /work/mozilla/builds/1.9.0/mozilla/js/src/jsinterp.c:1386
#16 0x001f3d6e in js_Interpret (cx=0x8651618, pc=0x8bf4a79 ":", result=0xbff6d664) at /work/mozilla/builds/1.9.0/mozilla/js/src/jsinterp.c:4146
#17 0x001e28c2 in js_Invoke (cx=0x8651618, argc=2, vp=0x86922d0, flags=2) at /work/mozilla/builds/1.9.0/mozilla/js/src/jsinterp.c:1406
#18 0x029967e8 in nsXPCWrappedJSClass::CallMethod (this=0x83c2ac0, wrapper=0x8b5aee0, methodIndex=3, info=0x83dec18, nativeParams=0xbff6da5c) at /work/mozilla/builds/1.9.0/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1441
#19 0x0298dda5 in nsXPCWrappedJS::CallMethod (this=0x8b5aee0, methodIndex=3, info=0x83dec18, params=0xbff6da5c) at /work/mozilla/builds/1.9.0/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp:567
#20 0x00359826 in PrepareAndDispatch (methodIndex=3, self=0x8a334e0, args=0xbff6db20) at /work/mozilla/builds/1.9.0/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcstubs_gcc_x86_unix.cpp:95
#21 0x003315ad in nsComponentManagerImpl::CreateInstance (this=0x82e0120, aClass=@0x8c0d28c, aDelegate=0x0, aIID=@0xbff6dc2c, aResult=0xbff6db88) at /work/mozilla/builds/1.9.0/mozilla/xpcom/components/nsComponentManager.cpp:1714
#22 0x00333509 in nsComponentManagerImpl::GetService (this=0x82e0120, aClass=@0x8c0d28c, aIID=@0xbff6dc2c, result=0xbff6dc24) at /work/mozilla/builds/1.9.0/mozilla/xpcom/components/nsComponentManager.cpp:1926
#23 0x0297e6aa in nsJSCID::GetService (this=0x8c0d270, _retval=0xbff6de10) at /work/mozilla/builds/1.9.0/mozilla/js/src/xpconnect/src/xpcjsid.cpp:899
#24 0x00358995 in NS_InvokeByIndex_P () at /work/mozilla/builds/1.9.0/mozilla/xpcom/reflect/xptinfo/src/xptiInterfaceInfo.cpp:73
#25 0x0299d7c6 in XPCWrappedNative::CallMethod (ccx=@0xbff6e048, mode=XPCWrappedNative::CALL_METHOD) at /work/mozilla/builds/1.9.0/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2346
#26 0x029ac47c in XPC_WN_CallMethod (cx=0x8651618, obj=0xb73993e0, argc=0, argv=0x86922b8, vp=0xbff6e160) at /work/mozilla/builds/1.9.0/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1467
#27 0x001e2838 in js_Invoke (cx=0x8651618, argc=0, vp=0x86922b0, flags=0) at /work/mozilla/builds/1.9.0/mozilla/js/src/jsinterp.c:1386
#28 0x001f3d6e in js_Interpret (cx=0x8651618, pc=0x84c199d ":", result=0xbff6e7b8) at /work/mozilla/builds/1.9.0/mozilla/js/src/jsinterp.c:4146
#29 0x001e28c2 in js_Invoke (cx=0x8651618, argc=1, vp=0x8692270, flags=2) at /work/mozilla/builds/1.9.0/mozilla/js/src/jsinterp.c:1406
#30 0x001e2b91 in js_InternalInvoke (cx=0x8651618, obj=0xb4098280, fval=-1274546432, flags=0, argc=1, argv=0x8b54bc8, rval=0xbff6e974) at /work/mozilla/builds/1.9.0/mozilla/js/src/jsinterp.c:1462
#31 0x001a2d5e in JS_CallFunctionValue (cx=0x8651618, obj=0xb4098280, fval=-1274546432, argc=1, argv=0x8b54bc8, rval=0xbff6e974) at /work/mozilla/builds/1.9.0/mozilla/js/src/jsapi.c:4884
#32 0x031512ee in nsJSContext::CallEventHandler (this=0x86455c0, aTarget=0x8655040, aScope=0xb4098280, aHandler=0xb407f700, aargv=0x8a314ec, arv=0xbff6ea9c) at /work/mozilla/builds/1.9.0/mozilla/dom/src/base/nsJSEnvironment.cpp:1935
#33 0x0317d5c2 in nsGlobalWindow::RunTimeout (this=0x8655040, aTimeout=0x8b6d428) at /work/mozilla/builds/1.9.0/mozilla/dom/src/base/nsGlobalWindow.cpp:7371
#34 0x0317dae6 in nsGlobalWindow::TimerCallback (aTimer=0x8b6d468, aClosure=0x8b6d428) at /work/mozilla/builds/1.9.0/mozilla/dom/src/base/nsGlobalWindow.cpp:7702
#35 0x00344ddc in nsTimerImpl::Fire (this=0x8b6d468) at /work/mozilla/builds/1.9.0/mozilla/xpcom/threads/nsTimerImpl.cpp:400
#36 0x00344ff5 in nsTimerEvent::Run (this=0xb3f49a40) at /work/mozilla/builds/1.9.0/mozilla/xpcom/threads/nsTimerImpl.cpp:487
#37 0x0033efdb in nsThread::ProcessNextEvent (this=0x82e0360, mayWait=1, result=0xbff6ec80) at /work/mozilla/builds/1.9.0/mozilla/xpcom/threads/nsThread.cpp:490
#38 0x002ca50b in NS_ProcessNextEvent_P (thread=0x82e0360, mayWait=1) at nsThreadUtils.cpp:227
#39 0x04fb39a8 in nsBaseAppShell::Run (this=0x837c178) at /work/mozilla/builds/1.9.0/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:154
#40 0x017ec3a1 in nsAppStartup::Run (this=0x83ac268) at /work/mozilla/builds/1.9.0/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:170
#41 0x0015bfbc in XRE_main (argc=4, argv=0xbff6f2c4, aAppData=0x82949a8) at /work/mozilla/builds/1.9.0/mozilla/toolkit/xre/nsAppRunner.cpp:3142
#42 0x08048e11 in main (argc=4, argv=0xbff6f2c4) at /work/mozilla/builds/1.9.0/mozilla/browser/app/nsBrowserApp.cpp:153
(gdb) 
Keywords: testcase
(Reporter)

Comment 5

11 years ago
Created attachment 288456 [details]
valgrind log
(Reporter)

Comment 6

11 years ago
over to imagegfx
Component: Networking → Image: GFX
QA Contact: networking → image.gfx
(Reporter)

Comment 7

11 years ago
bug 143046 looks like the culprit.

Comment 8

11 years ago
Bug 403363 covers this imgContainer::DrawFrameTo bug
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 403363
Group: security

Updated

9 years ago
Component: Image: Painting → Image: Painting
Product: Core → Core Graveyard
(Reporter)

Updated

3 years ago
Flags: blocking1.9?