bug in samba's libnss [@ abort - talloc_free - alloc_sub_basic]

VERIFIED INVALID

Status

NSPR
NSPR
--
critical
VERIFIED INVALID
10 years ago
7 years ago

People

(Reporter: Parasyte, Assigned: Jelmer Vernooij)


(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3) Gecko/2008101315 Ubuntu/8.10 (intrepid) Firefox/3.0.3
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3) Gecko/2008101315 Ubuntu/8.10 (intrepid) Firefox/3.0.3

Visiting Planet Mozilla, recently, causes Firefox 3.0.3 to crash. This currently happens every time, including while in safe-mode. It's hard to say if it will continue to happen as Planet Mozilla updates... But for now, I can reproduce this 100% of the time.

This does not seem to be related to Bug 406058

Here's a big GDB log of the crash and simple backtrace.

Reproducible: Always




osterj@CN212409:~$ firefox -g -safe-mode
/usr/bin/gdb /usr/lib/firefox-3.0.3/firefox -x /tmp/mozargs.G10675
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(no debugging symbols found)
(gdb) set pagination off
(gdb) run
Starting program: /usr/lib/firefox-3.0.3/firefox -safe-mode
[Thread debugging using libthread_db enabled]
[New Thread 0xb7ca06c0 (LWP 10679)]
[New Thread 0xb5b48b90 (LWP 10682)]
[New Thread 0xb5347b90 (LWP 10683)]
[New Thread 0xb49fcb90 (LWP 10684)]
[Thread 0xb49fcb90 (LWP 10684) exited]
[New Thread 0xb41fbb90 (LWP 10685)]
[Thread 0xb41fbb90 (LWP 10685) exited]
[New Thread 0xb41fbb90 (LWP 10686)]
[New Thread 0xb49fcb90 (LWP 10687)]
[New Thread 0xb39fab90 (LWP 10688)]
[New Thread 0xb1f48b90 (LWP 10692)]
[New Thread 0xb1747b90 (LWP 10693)]
[New Thread 0xb02ffb90 (LWP 10696)]
[New Thread 0xafafeb90 (LWP 10697)]
[New Thread 0xaf2fdb90 (LWP 10698)]
[New Thread 0xaeafcb90 (LWP 10699)]
[New Thread 0xae2fbb90 (LWP 10700)]
[New Thread 0xadafab90 (LWP 10701)]
[New Thread 0xad2f9b90 (LWP 10702)]
*** glibc detected *** /usr/lib/firefox-3.0.3/firefox: double free or corruption (fasttop): 0xb0322a28 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7d113f4]
/lib/tls/i686/cmov/libc.so.6(cfree+0x96)[0xb7d13456]
/usr/lib/libtalloc.so.1(talloc_free+0x153)[0xb3019503]
/lib/libnss_wins.so.2(alloc_sub_basic+0xa87)[0xb0e7a758]
/lib/libnss_wins.so.2(talloc_sub_basic+0x33)[0xb0e7ad3f]
/lib/libnss_wins.so.2[0xb0dba281]
/lib/libnss_wins.so.2(lp_lockdir+0x27)[0xb0dbb3f2]
/lib/libnss_wins.so.2(lock_path+0x17)[0xb0e74a75]
/lib/libnss_wins.so.2(receive_unexpected+0x21)[0xb0e13767]
/lib/libnss_wins.so.2(receive_nmb_packet+0x65)[0xb0e16375]
/lib/libnss_wins.so.2(name_query+0x32e)[0xb0e18e4d]
/lib/libnss_wins.so.2(_nss_wins_gethostbyname_r+0x38a)[0xb0db6555]
/lib/tls/i686/cmov/libc.so.6(gethostbyname_r+0x1a3)[0xb7d9db13]
/usr/lib/libnspr4.so.0d(PR_GetHostByName+0xb4)[0xb7bd91e4]
/usr/lib/libnspr4.so.0d(PR_GetAddrInfoByName+0xb0)[0xb7bd9640]
/usr/lib/xulrunner-1.9.0.3/libxul.so[0xb71bb454]
/usr/lib/libnspr4.so.0d[0xb7be71e1]
/lib/tls/i686/cmov/libpthread.so.0[0xb7f2f50f]
/lib/tls/i686/cmov/libc.so.6(clone+0x5e)[0xb7d837ee]
Program received signal SIGABRT, Aborted.
[Switching to Thread 0xae2fbb90 (LWP 10700)]
0xb7f76430 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7f76430 in __kernel_vsyscall ()
#1  0xb7ccd880 in raise () from /lib/tls/i686/cmov/libc.so.6
#2  0xb7ccf248 in abort () from /lib/tls/i686/cmov/libc.so.6
#3  0xb7d0b10d in ?? () from /lib/tls/i686/cmov/libc.so.6
#4  0xb7d113f4 in ?? () from /lib/tls/i686/cmov/libc.so.6
#5  0xb7d13456 in free () from /lib/tls/i686/cmov/libc.so.6
#6  0xb3019503 in talloc_free () from /usr/lib/libtalloc.so.1
#7  0xb0e7a758 in alloc_sub_basic () from /lib/libnss_wins.so.2
#8  0xb0e7ad3f in talloc_sub_basic () from /lib/libnss_wins.so.2
#9  0xb0dba281 in ?? () from /lib/libnss_wins.so.2
#10 0xb0dbb3f2 in lp_lockdir () from /lib/libnss_wins.so.2
#11 0xb0e74a75 in lock_path () from /lib/libnss_wins.so.2
#12 0xb0e13767 in receive_unexpected () from /lib/libnss_wins.so.2
#13 0xb0e16375 in receive_nmb_packet () from /lib/libnss_wins.so.2
#14 0xb0e18e4d in name_query () from /lib/libnss_wins.so.2
#15 0xb0db6555 in _nss_wins_gethostbyname_r () from /lib/libnss_wins.so.2
#16 0xb7d9db13 in gethostbyname_r () from /lib/tls/i686/cmov/libc.so.6
#17 0xb7bd91e4 in PR_GetHostByName () from /usr/lib/libnspr4.so.0d
#18 0xb7bd9640 in PR_GetAddrInfoByName () from /usr/lib/libnspr4.so.0d
#19 0xb71bb454 in ?? () from /usr/lib/xulrunner-1.9.0.3/libxul.so
#20 0xb7be71e1 in ?? () from /usr/lib/libnspr4.so.0d
#21 0xb7f2f50f in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#22 0xb7d837ee in clone () from /lib/tls/i686/cmov/libc.so.6
(gdb)

Comment 1

10 years ago
this looks like a bug in nss_wins, complain to them.

if you want to file a bug against firefox, you need to install symbols for firefox.

https://wiki.ubuntu.com/MozillaTeam/Bugs#Obtain%20a%20backtrace%20from%20an%20apport%20crash%20report%20(using%20gdb)
(Reporter)

Comment 2

10 years ago
As you suggested, I've installed the debug symbols and created a new backtrace, which now no longer reports a "double free" -> See attachment here: https://bugs.launchpad.net/ubuntu/+source/firefox-3.0/+bug/294344

Just let me know if more information is required.
(Reporter)

Comment 3

10 years ago
I've discovered two basic workarounds for the crash.

1) Disable "load images automatically"
or
2) Set the following prefs to absurdly low numbers:

network.http.max-connections = 1
network.http.max-connections-per-server = 1
network.http.pipelining.maxrequests = 1

Neither of these are acceptable solutions (for obvious reasons).

Comment 4

10 years ago
I believe this may be the same crash that I have filed here:

https://bugzilla.mozilla.org/show_bug.cgi?id=464813

Updated

10 years ago
Duplicate of this bug: 464813

Comment 6

10 years ago
Program received signal SIGABRT, Aborted.
[Switching to Thread 0xa6ffcb90 (LWP 3755)]
0xb800e430 in __kernel_vsyscall ()
(gdb) bt full
#0  0xb800e430 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb7d6b880 in raise () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#2  0xb7d6d248 in abort () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#3  0xb3a935dd in talloc_free () from /usr/lib/libtalloc.so.1
No symbol table info available.
#4  0xb0b05289 in ?? () from /lib/libnss_wins.so.2
No symbol table info available.
#5  0xb3a93621 in talloc_free () from /usr/lib/libtalloc.so.1
No symbol table info available.
#6  0xb0b30758 in alloc_sub_basic () from /lib/libnss_wins.so.2
No symbol table info available.
#7  0xb0b30d3f in talloc_sub_basic () from /lib/libnss_wins.so.2
No symbol table info available.
#8  0xb0a70281 in ?? () from /lib/libnss_wins.so.2
No symbol table info available.
#9  0xb0a713f2 in lp_lockdir () from /lib/libnss_wins.so.2
No symbol table info available.
#10 0xb0b2aa75 in lock_path () from /lib/libnss_wins.so.2
No symbol table info available.
#11 0xb0ac9767 in receive_unexpected () from /lib/libnss_wins.so.2
No symbol table info available.
#12 0xb0acc375 in receive_nmb_packet () from /lib/libnss_wins.so.2
No symbol table info available.
#13 0xb0acee4d in name_query () from /lib/libnss_wins.so.2
No symbol table info available.
#14 0xb0a6c555 in _nss_wins_gethostbyname_r () from /lib/libnss_wins.so.2
No symbol table info available.
#15 0xb0a6c853 in _nss_wins_gethostbyname2_r () from /lib/libnss_wins.so.2
No symbol table info available.
#16 0xb7e05666 in gaih_inet () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#17 0xb7e07039 in getaddrinfo () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#18 0xb7c7d6b9 in PR_GetAddrInfoByName (
    hostname=0x86b3664 "stats.wordpress.com", af=0, flags=32800)
    at prnetdb.c:2042
	res = <value optimized out>
	hints = {ai_flags = 0, ai_family = 0, ai_socktype = 1, 
  ai_protocol = 0, ai_addrlen = 0, ai_addr = 0x0, ai_canonname = 0x0, 
  ai_next = 0x0}
	rv = <value optimized out>
#19 0xb725f454 in nsHostResolver::ThreadFunc (arg=0x836a600)
    at nsHostResolver.cpp:697
	flags = 32800
	status = <value optimized out>
	rec = (nsHostRecord *) 0x86b3630
	ai = (PRAddrInfo *) 0x1
Assignee: nobody → wtc
Component: General → NSPR
Keywords: crash
Product: Firefox → NSPR
QA Contact: general → nspr
Summary: *** glibc detected *** double free or corruption (fasttop) → bug in libnss [@ abort - talloc_free - alloc_sub_basic]
Version: unspecified → other
Reporter wrote:
> (started occurring after I upgraded from Ubuntu 8.04.1 to 8.10)

So, firefox and NSPR are victims here.  -> evangelism?

Comment 8

10 years ago
Created attachment 348223 [details]
Full backtraces for SIGABRT crash

Full crash backtraces from duped bug https://bugzilla.mozilla.org/show_bug.cgi?id=464813

Comment 9

10 years ago
Since https://bugzilla.mozilla.org/show_bug.cgi?id=464813 has been duped here, please note:

- The initially reported "double free or corruption" warning may have been spurious.

- FWIW, this feels like a concurrency issue. It's not deterministically reproable for me, but in my experience so far, if Firefox crashes with many tabs open, it often crashes repeatedly when trying to reopen them all simultaneously on restart. Note also the original reporter has been able to work around the issue by basically disabling concurrent network loading.
(Reporter)

Comment 10

10 years ago
I am going to agree with those observations. Although this is 100% reproducible for me visiting the Planet link, the crash will occur seemingly at random, but only while actively loading a web page. Unfortunately, the crash also happens very often, up to several times per day.

Usually after it crashes, I can restore the session fine because Firefox will not remember the page that crashed during load.

Comment 11

10 years ago
nelson: i'm fairly certain it's a bug in libnss_wins which has nothing to do with us, yes, we're victims. But I've tried and failed to explain to the reporters that they need to complain to that library's vendor. I believe the vendor is samba.org
Assignee: wtc → jelmer

Comment 12

10 years ago
To keep this thread updated, it looks like this is definitely a libnss_wins bug, as Timeless says. Disabling wins resolution for host names (by removing 'wins' from the 'hosts' line in /etc/nsswitch.conf file) works around the issue. It looks like this probably affects anyone with samba 3.2.3; that was the new version taken in Ubuntu Intrepid. There is a patch out for testing at https://bugzilla.samba.org/show_bug.cgi?id=5904

Trying to get assistance with this bug was an interesting quick tour of the bug-triage process for three different teams (Ubuntu, Samba and Firefox). Kudos to the Samba guys for jumping all over this once I finally filed against them. Ubuntu was largely a black hole. For what it's worth, triage here was prompt but very abrasive. Better than the reverse, I guess.
When a bug report is found to be the fault of some non-Mozilla software, then for purposes of tracking flaws in Mozilla software, that bug report is invalid. It does not identify an actual flaw in Mozilla software. This bug report is one of those. So, by definition, this bug is invalid.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → INVALID
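
The workaround from Comment 12 (removing 'wins' from the 'hosts' line so that gethostbyname_r/getaddrinfo no longer call into libnss_wins), as an added example that is not part of the original bug thread. The function names and the sample nsswitch.conf contents are constructed for illustration; the script only prints a proposed file and never edits /etc/nsswitch.conf.

```shell
#!/bin/sh
# Added example: audit the "hosts" line of an nsswitch.conf for the "wins"
# source and print a copy of the file with that source removed.
# Assumes the usual "hosts: src1 src2 ..." layout (whitespace after the colon).

# Constructed sample input, not taken from the reporter's machine.
sample_nsswitch() {
    cat <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd:         compat
hosts:          files mdns4_minimal [NOTFOUND=return] wins dns mdns4  # name resolution
networks:       files
EOF
}

# Print the lookup sources on the active (uncommented) hosts line, one per line.
hosts_sources() {
    awk '
        { sub(/#.*/, "") }                    # drop comments before matching
        $1 == "hosts:" { for (i = 2; i <= NF; i++) print $i }
    ' "$1"
}

# Exit 0 if host lookups are routed through libnss_wins.
uses_wins() {
    hosts_sources "$1" | grep -qx 'wins'
}

# Print the file with "wins" removed from the hosts line only. An action such
# as "[NOTFOUND=return]" directly after wins belongs to wins and is dropped too.
without_wins() {
    awk '
        $1 == "hosts:" {
            comment = ""; drop = 0; inact = 0
            p = index($0, "#")
            if (p) { comment = " " substr($0, p); $0 = substr($0, 1, p - 1) }
            out = "hosts:"
            for (i = 2; i <= NF; i++) {
                if ($i == "wins") { drop = 1; continue }
                if (drop && ($i ~ /^\[/ || inact)) {
                    inact = ($i !~ /\]$/)     # action may span several tokens
                    continue
                }
                drop = 0
                out = out " " $i
            }
            print out comment
            next
        }
        { print }
    ' "$1"
}

# Demonstration on the constructed sample.
tmp=$(mktemp) && sample_nsswitch > "$tmp"
if uses_wins "$tmp"; then
    echo "hosts line uses wins; proposed replacement:"
    without_wins "$tmp" | grep '^hosts:'
fi
rm -f "$tmp"
```
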

Updated

10 years ago
Status: RESOLVED → VERIFIED
Summary: bug in libnss [@ abort - talloc_free - alloc_sub_basic] → bug in samba's libnss [@ abort - talloc_free - alloc_sub_basic]

Updated

10 years ago
Duplicate of this bug: 471338

Updated

9 years ago
Duplicate of this bug: 488541
Crash Signature: [@ abort - talloc_free - alloc_sub_basic]