Closed Bug 463836 Opened 17 years ago Closed 17 years ago

IcedTea Java crashes xulrunner in LiveConnect

Categories

(Core Graveyard :: Java: Live Connect, defect)

1.9.0 Branch
x86
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: jan, Unassigned)

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.2) Gecko/2008102718 Fedora/3.0.2-1.fc10 Firefox/3.0.2
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.2) Gecko/2008102718 Fedora/3.0.2-1.fc10 Firefox/3.0.2

If you open the URL it crashes reliably (5 times) for me in Fedora 10 / Rawhide. The problem is not reproducible if started with `firefox -g -d gdb'.

firefox-3.0.2-1.fc10.x86_64 xulrunner-1.9.0.2-5.fc10.x86_64 GConf2-2.24.0-1.fc10.x86_64 ORBit2-2.14.16-1.fc10.x86_64 atk-1.24.0-1.fc10.x86_64 avahi-0.6.22-11.fc10.x86_64 avahi-glib-0.6.22-11.fc10.x86_64 bug-buddy-2.24.1-1.fc10.x86_64 cairo-1.8.0-1.fc10.x86_64 dbus-glib-0.76-2.fc10.x86_64 dbus-libs-1.2.4-1.fc10.x86_64 e2fsprogs-libs-1.41.3-2.fc10.x86_64 elfutils-libelf-0.137-3.fc10.x86_64 expat-2.0.1-5.x86_64 fontconfig-2.6.0-3.fc10.x86_64 freetype-2.3.7-1.fc10.x86_64 glib2-2.18.2-3.fc10.x86_64 glibc-2.8.90-16.x86_64 gnome-keyring-2.24.1-1.fc10.x86_64 gnome-vfs2-2.24.0-3.fc10.x86_64 gtk-nodoka-engine-0.7.2-1.fc10.x86_64 gtk2-2.14.4-3.fc10.x86_64 gvfs-1.0.2-3.fc10.x86_64 java-1.6.0-openjdk-plugin-1.6.0.0-2b12.fc10.x86_64 keyutils-libs-1.2-3.fc9.x86_64 krb5-libs-1.6.3-16.fc10.x86_64 lcms-libs-1.17-6.fc10.x86_64 libICE-1.0.4-4.fc10.x86_64 libSM-1.1.0-2.fc10.x86_64 libX11-1.1.4-5.fc10.x86_64 libXScrnSaver-1.1.3-1.fc10.x86_64 libXau-1.0.4-1.fc10.x86_64 libXcomposite-0.4.0-5.fc10.x86_64 libXcursor-1.1.9-3.fc10.x86_64 libXdamage-1.1.1-4.fc9.x86_64 libXdmcp-1.0.2-6.fc10.x86_64 libXext-1.0.4-1.fc9.x86_64 libXfixes-4.0.3-4.fc10.x86_64 libXft-2.1.13-1.fc10.x86_64 libXi-1.1.3-4.fc9.x86_64 libXinerama-1.0.3-2.fc10.x86_64 libXrandr-1.2.3-1.fc10.x86_64 libXrender-0.9.4-3.fc9.x86_64 libXt-1.0.5-1.fc10.x86_64 libart_lgpl-2.3.20-1.fc9.x86_64 libbonobo-2.24.0-2.fc10.x86_64 libbonoboui-2.24.0-1.fc10.x86_64 libcanberra-0.10-2.fc10.x86_64 libcanberra-gtk2-0.10-2.fc10.x86_64 libcap-2.10-2.fc10.x86_64 libgcc-4.3.2-7.x86_64 libgnome-2.24.1-7.fc10.x86_64 libgnomecanvas-2.20.1.1-2.fc9.x86_64 libgnomeui-2.24.0-2.fc10.x86_64 libjpeg-6b-43.fc10.x86_64 libogg-1.1.3-9.fc9.x86_64 libpng-1.2.31-2.fc10.x86_64 libselinux-2.0.73-1.fc10.x86_64 libstdc++-4.3.2-7.x86_64 libtdb-1.1.1-22.fc10.x86_64 libtool-ltdl-1.5.26-4.fc10.x86_64 libvorbis-1.2.0-5.fc10.x86_64 libxcb-1.1.91-5.fc10.x86_64 libxml2-2.7.2-1.fc10.x86_64 nspr-4.7.2-2.fc10.x86_64 nss-3.12.2.0-3.fc10.x86_64 openssl-0.9.8g-11.fc10.x86_64 pango-1.22.1-1.fc10.x86_64 pixman-0.12.0-1.fc10.x86_64 popt-1.13-4.fc10.x86_64 sqlite-3.5.9-2.fc10.x86_64 startup-notification-0.9-4.fc9.x86_64 zlib-1.2.3-18.fc9.x86_64

Reproducible: Always

Steps to Reproduce:
1. Open: http://myvoipspeed.visualware.com/servers/bru.html
2. Wait till it displays the results.

Actual Results: Crash before any results are displayed.

Expected Results: Results (some ms delay etc.) are displayed.
(gdb) info threads
  9 process 18803 0x000000371e4dca56 in __poll (fds=<value optimized out>, nfds=<value optimized out>, timeout=<value optimized out>) at ../sysdeps/unix/sysv/linux/poll.c:87
  8 process 18804 0x000000371f00b54d in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread-2.8.90.so
  7 process 18806 0x000000371f00b2c9 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread-2.8.90.so
  6 process 18807 0x000000371f00b2c9 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread-2.8.90.so
  5 process 18808 0x000000371f00b54d in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread-2.8.90.so
  4 process 18811 0x000000371f00b2c9 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread-2.8.90.so
  3 process 18812 0x000000371f00b54d in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread-2.8.90.so
  2 process 18813 0x000000371e4dca56 in __poll (fds=<value optimized out>, nfds=<value optimized out>, timeout=<value optimized out>) at ../sysdeps/unix/sysv/linux/poll.c:87
* 1 process 18802 0x000000371f00ef6b in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
(gdb) bt
#0 0x000000371f00ef6b in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#1 0x000000373062f7b5 in nsProfileLock::FatalSignalHandler (signo=<value optimized out>) at nsProfileLock.cpp:212
#2 <signal handler called>
#3 nsCLiveconnect::Eval (this=<value optimized out>, jEnv=<value optimized out>, obj=<value optimized out>, script=<value optimized out>, length=<value optimized out>, principalsArray=<value optimized out>, numPrincipals=Could not find the frame base for "nsCLiveconnect::Eval(JNIEnv_*, long long, unsigned short const*, int, void**, int, nsISupports*, _jobject**)".
) at nsCLiveconnect.cpp:593
#4 0x00007f4b851e0cf6 in IcedTeaPluginFactory::Eval (this=0x7f4b861e2340) at IcedTeaPlugin.cc:4070
#5 0x00007f4b851ebe0a in IcedTeaRunnableMethod<IcedTeaPluginFactory>::Run (this=0x7fff9a0d7688) at IcedTeaPlugin.cc:1398
#6 0x0000003730e3acb6 in nsThread::ProcessNextEvent (this=<value optimized out>, mayWait=<value optimized out>, result=<value optimized out>) at nsThread.cpp:510
#7 0x0000003730e0cada in NS_ProcessNextEvent_P (thread=<value optimized out>, mayWait=<value optimized out>) at nsThreadUtils.cpp:227
#8 0x0000003730d71505 in nsBaseAppShell::Run (this=<value optimized out>) at nsBaseAppShell.cpp:170
#9 0x0000003730c300d5 in nsAppStartup::Run (this=<value optimized out>) at nsAppStartup.cpp:181
#10 0x00000037306287e0 in XRE_main (argc=<value optimized out>, argv=<value optimized out>, aAppData=<value optimized out>) at nsAppRunner.cpp:3174
#11 0x0000000000401665 in _Unwind_Resume () at ../../../gcc/unwind.inc:225
#12 0x000000371e41e546 in __libc_start_main (main=<value optimized out>, argc=<value optimized out>, ubp_av=<value optimized out>, init=<value optimized out>, fini=<value optimized out>, rtld_fini=<value optimized out>, stack_end=Could not find the frame base for "__libc_start_main".
) at libc-start.c:220
#13 0x0000000000401159 in _Unwind_Resume () at ../../../gcc/unwind.inc:225
...
(gdb) up
#2 <signal handler called>
Current language: auto; currently c
(gdb) up
#3 nsCLiveconnect::Eval (this=<value optimized out>, jEnv=<value optimized out>, obj=<value optimized out>, script=<value optimized out>, length=<value optimized out>, principalsArray=<value optimized out>, numPrincipals=Could not find the frame base for "nsCLiveconnect::Eval(JNIEnv_*, long long, unsigned short const*, int, void**, int, nsISupports*, _jobject**)".
) at nsCLiveconnect.cpp:593
593 JSObject *js_obj = handle->js_obj;
Current language: auto; currently c++
(gdb) x/i $rip
0x3730e85de3 <_ZN14nsCLiveconnect4EvalEP7JNIEnv_xPKtiPPviP11nsISupportsPP8_jobject+57>: mov (%rdx),%r15
(gdb) p/x $rdx
$4 = 0xffffffff84731760

Core file available.
Version: unspecified → 3.0 Branch
how about: (gdb) p handle $5 = ...?
Component: General → Java: Live Connect
Product: Firefox → Core
QA Contact: general → live-connect
Version: 3.0 Branch → 1.9.0 Branch
It is the rpm build - optimized binary - broken debuginfo:

(gdb) p handle
No symbol "handle" in current context.
(gdb) info line 593
Line 593 of "nsCLiveconnect.cpp" starts at address 0x3730e85de3 <_ZN14nsCLiveconnect4EvalEP7JNIEnv_xPKtiPPviP11nsISupportsPP8_jobject+57> and ends at 0x3730e85de6 <_ZN14nsCLiveconnect4EvalEP7JNIEnv_xPKtiPPviP11nsISupportsPP8_jobject+60>.
(gdb) x/2i 0x3730e85de3
0x3730e85de3 <_ZN14nsCLiveconnect4EvalEP7JNIEnv_xPKtiPPviP11nsISupportsPP8_jobject+57>: mov (%rdx),%r15
0x3730e85de6 <_ZN14nsCLiveconnect4EvalEP7JNIEnv_xPKtiPPviP11nsISupportsPP8_jobject+60>: mov 0x180(%rsp),%eax

Therefore my conclusion is `handle' is in $rdx at that moment. Address 0xffffffff84731760 is not mapped (according to the core file where some readonly segments may be missing, though):

Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flags Align
...
LOAD 0x0000000007351000 0x00007fff9a1fd000 0x0000000000000000 0x0000000000002000 0x0000000000002000 R E 1000
LOAD 0x0000000007353000 0xffffffffff600000 0x0000000000000000 0x0000000000000000 0x0000000000001000 R E 1000

0x7fff9a1fd000 + 0x2000 < 0xffffffff84731760 < 0xffffffffff600000

I hope the problem would be reproducible; otherwise I may try to debug it more.
(gdb) p obj
$1 = -1807348992
(gdb) p (JSObjectHandle*)obj
$2 = (JSObjectHandle *) 0xffffffff94460b00
(gdb) p *(JSObjectHandle*)obj
Cannot access memory at address 0xffffffff94460b00

Although this may be a plugin bug not a liveconnect one; see https://bugzilla.redhat.com/show_bug.cgi?id=471987 for a slightly different stack trace but similar symptoms. This doesn't happen all the time for me (and never under gdb directly); possibly something not correctly rooted for the JS GC?
Status: UNCONFIRMED → NEW
Ever confirmed: true
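The mapping check from the two comments above, as an added example that is not part of the original bug report: it tests an address against the PT_LOAD rows quoted from the core file and also flags values whose upper 33 bits are all ones, which both printed addresses (0xffffffff84731760 and 0xffffffff94460b00) are. Function names are hypothetical, the embedded rows are only the two the reporter quoted, and reading that bit pattern as a negative 32-bit value widened to 64 bits is an assumption the thread does not confirm.

```python
import re

# Constructed sample: the two LOAD rows quoted in the comment above. The
# rows the reporter elided with "..." are not available, so "unmapped"
# here only means "not covered by the rows shown".
PROGRAM_HEADERS = """\
LOAD 0x0000000007351000 0x00007fff9a1fd000 0x0000000000000000 0x0000000000002000 0x0000000000002000 R E 1000
LOAD 0x0000000007353000 0xffffffffff600000 0x0000000000000000 0x0000000000000000 0x0000000000001000 R E 1000
"""

# Offset, VirtAddr, PhysAddr, FileSiz, MemSiz. \s+ also spans the line
# break that readelf -l puts inside each 64-bit row.
LOAD_ROW = re.compile(r"^\s*LOAD" + r"\s+(0x[0-9a-fA-F]+)" * 5, re.M)
U64 = (1 << 64) - 1

def load_segments(text):
    """Return (start, end, file_end) per PT_LOAD row; ends are exclusive."""
    segs = []
    for m in LOAD_ROW.finditer(text):
        _off, vaddr, _paddr, filesz, memsz = (int(g, 16) for g in m.groups())
        segs.append((vaddr, vaddr + memsz, vaddr + filesz))
    return segs

def classify(addr, segs):
    """'dumped', 'mapped-not-dumped' (beyond FileSiz) or 'unmapped'."""
    for start, end, file_end in segs:
        if start <= addr < end:
            return "dumped" if addr < file_end else "mapped-not-dumped"
    return "unmapped"

def to_u64(value):
    """Convert gdb's signed decimal print of a 64-bit value to unsigned."""
    return value & U64

def sign_extended_negative_int32(addr):
    """True when bits 31..63 are all ones, i.e. the value fits a negative int32."""
    return (addr >> 31) == (1 << 33) - 1

def triage(value, segs):
    """Return (hex address, mapping class, sign-extension flag) for one value."""
    addr = to_u64(value)
    return hex(addr), classify(addr, segs), sign_extended_negative_int32(addr)

if __name__ == "__main__":
    segs = load_segments(PROGRAM_HEADERS)
    for v in (0xffffffff84731760, -1807348992, 0xffffffffff600000):
        print(triage(v, segs))
```

The second LOAD row has FileSiz 0, so an address inside it is mapped in the process but has no bytes in the core file, which is the case the reporter's caveat about missing segments covers.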
Would be good if the crash could be tested with 32-bit icedtea plugin and also with sun java to see where the problem is.
The problem is no longer reproducible for me on: firefox-3.0.5-1.fc10.x86_64 xulrunner-1.9.0.5-1.fc10.x86_64 java-1.6.0-openjdk-plugin-1.6.0.0-7.b12.fc10.x86_64
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WORKSFORME
Product: Core → Core Graveyard