[crash] js_PCToLineNumber segmentation fault on 64bit linux

Status: RESOLVED DUPLICATE of bug 510040
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 8 years ago
Modified: 8 years ago
Reporter: Paweł Smoliński
Assignee: Unassigned
Version: unspecified
Platform: x86_64 Linux
Keywords: 64bit, crash
Points: ---
Bug Flags: blocking1.9.2 -
Firefox Tracking Flags: (Not tracked)
Attachments: 1 (746.17 KB, application/x-xpinstall)

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; pl-PL; rv:1.9.1.2) Gecko/20090803 Ubuntu/9.04 (jaunty) Shiretoko/3.5.2
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; pl-PL; rv:1.9.1.2) Gecko/20090803 Ubuntu/9.04 (jaunty) Shiretoko/3.5.2

I'm using Firebug 1.5.x (development releases) in my Firefox 3.5.2 on Ubuntu, and after the last update Firefox crashes with a segmentation fault every time I try to launch it. Running firefox with the -g option gives the following error from GDB:
[New Thread 0x7f1be83ff950 (LWP 16991)]                                      
[New Thread 0x7f1be75ff950 (LWP 16992)]                                      
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f1bfbfed700 (LWP 16955)]      
0x00007f1bf8f4a476 in ?? () from /usr/lib/xulrunner-1.9.1.2/libmozjs.so                                
(gdb) bt
#0  0x00007f1bf8f4a476 in ?? () from /usr/lib/xulrunner-1.9.1.2/libmozjs.so
#1  0x00007f1bf857dbcc in ?? () from /usr/lib/xulrunner-1.9.1.2/libxul.so  
#2  0x00007f1bf8584292 in ?? () from /usr/lib/xulrunner-1.9.1.2/libxul.so  
#3  0x00007f1bf8584564 in ?? () from /usr/lib/xulrunner-1.9.1.2/libxul.so  
#4  0x00007f1bf857cd29 in ?? () from /usr/lib/xulrunner-1.9.1.2/libxul.so  
#5  0x00007f1bf8f082fe in ?? () from /usr/lib/xulrunner-1.9.1.2/libmozjs.so
#6  0x00007f1bf8f14339 in js_Invoke () from /usr/lib/xulrunner-1.9.1.2/libmozjs.so
#7  0x00007f1bf7f1848d in ?? () from /usr/lib/xulrunner-1.9.1.2/libxul.so         
#8  0x00007f1bf86d84a5 in ?? () from /usr/lib/xulrunner-1.9.1.2/libxul.so         
#9  0x00007f1bf86d7953 in ?? () from /usr/lib/xulrunner-1.9.1.2/libxul.so         
#10 0x00007f1be970a320 in ?? ()                                                   
#11 0x00007f1be2b8e848 in ?? ()                                                   
#12 0x00007f1bf8761255 in ?? () from /usr/lib/xulrunner-1.9.1.2/libxul.so         
#13 0x0000000000000000 in ?? ()   

In my opinion there is some memory leak inside libmozjs.so (buffer/stack overflow?) which could probably be used to inject binary code into the browser process from the JavaScript level.

Reproducible: Always

Steps to Reproduce:
1. Install the newest Firebug 1.5.x extension (attached to this bug; version 1.5X.0a22 at the time of writing)
2. Restart Firefox
Actual Results:  
I manually removed the extension's files (from the Firefox profile directory) and Firefox started working properly.
(Reporter)

Comment 1

8 years ago
Created attachment 397521 [details]
Buggy extension

Comment 2

8 years ago
It seems unlikely that there is any binary code injection going on... this is just a bug somewhere. Until we get a stacktrace with symbols, however, we don't know enough about the crash to classify it.

If you're using Firefox from Ubuntu, please install the matching debug symbol package and post a stack trace with symbol information. If you're using a build from mozilla.org, please submit a crash report and paste the crash report ID from about:crashes.
(Reporter)

Comment 3

8 years ago
I've installed the firefox-3.5-dbg and xulrunner-1.9.1-dbg packages and I'm attaching the logs below.
In my opinion, even if there is some bug in the extension, which uses only JavaScript (even if it's something specific like Firebug), an error in JS code shouldn't cause a segmentation fault inside the browser (it should be caught and presented to the user as a regular JS error). To my knowledge such an error can happen in two cases: lost null pointers or a buffer/stack overflow.

pawel@galileo:~$ firefox -g                                                                                                                                                         
/usr/bin/gdb /usr/lib/firefox-3.5.2/firefox-3.5 -x /tmp/mozargs.RbrndP                                                                                                              
GNU gdb 6.8-debian                                                                                                                                                                  
Copyright (C) 2008 Free Software Foundation, Inc.                                                                                                                                   
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>                                                                                                       
This is free software: you are free to change and redistribute it.                                                                                                                  
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"                                                                                                          
and "show warranty" for details.                                                                                                                                                    
This GDB was configured as "x86_64-linux-gnu"...                                                                                                                                    
(no debugging symbols found)                                                                                                                                                        
(gdb) rn                                                                                                                                                                            
Undefined command: "rn".  Try "help".                                                                                                                                               
(gdb) ruun                                                                                                                                                                          
Undefined command: "ruun".  Try "help".                                                                                                                                             
(gdb) run                                                                                                                                                                           
Starting program: /usr/lib/firefox-3.5.2/firefox-3.5                                                                                                                                
(no debugging symbols found)                                                                                                                                                        
(no debugging symbols found)                                                                                                                                                        
(no debugging symbols found)                                                                                                                                                        
[Thread debugging using libthread_db enabled]                                                                                                                                       
(no debugging symbols found)                                                                                                                                                        
(no debugging symbols found)                                                                                                                                                        
(no debugging symbols found)                                                                                                                                                        
(no debugging symbols found)                                                                                                                                                        
(no debugging symbols found)                                                                                                                                                        
(no debugging symbols found)                                                                                                                                                        
(no debugging symbols found)                                                                                                                                                        
[New Thread 0x7fc3d372f700 (LWP 6269)]                                                                                                                                              
[New Thread 0x7fc3c28f1950 (LWP 6277)]                                                                                                                                              
[New Thread 0x7fc3c1ee6950 (LWP 6278)]                                                                                                                                              
[New Thread 0x7fc3c0eff950 (LWP 6279)]                                                                                                                                              
[New Thread 0x7fc3bfbff950 (LWP 6280)]                                                                                                                                              
[New Thread 0x7fc3bedff950 (LWP 6281)]                                                                                                                                              
[Thread 0x7fc3bedff950 (LWP 6281) exited]                                                                                                                                           
[New Thread 0x7fc3bedff950 (LWP 6282)]                                                                                                                                              
[New Thread 0x7fc3bdbff950 (LWP 6283)]                                                                                                                                              
[New Thread 0x7fc3bcdff950 (LWP 6284)]                                                                                                                                              
[Thread 0x7fc3bcdff950 (LWP 6284) exited]                                                                                                                                           
[Thread 0x7fc3bfbff950 (LWP 6280) exited]                                                                                                                                           
[New Thread 0x7fc3bfbff950 (LWP 6296)]                                                                                                                                              
[New Thread 0x7fc3bcdff950 (LWP 6297)]                                                                                                                                              

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fc3d372f700 (LWP 6269)]     
js_PCToLineNumber (cx=0x7fc3b9f10800, script=0x7fc3c13ce800, pc=0xc13ce9bf <Address 0xc13ce9bf out of bounds>) at jsscript.h:325
325     jsscript.h: No such file or directory.                                                                                  
        in jsscript.h                                                                                                           
Current language:  auto; currently c++                                                                                          
(gdb) bt                                                                                                                        
#0  js_PCToLineNumber (cx=0x7fc3b9f10800, script=0x7fc3c13ce800, pc=0xc13ce9bf <Address 0xc13ce9bf out of bounds>) at jsscript.h:325
#1  0x00007fc3cfd7dbcc in jsd_GetClosestLine (jsdc=0x7fc3b9f2cb00, jsdscript=0x7fc3b9fcc040, pc=3241994687) at jsd_scpt.c:526       
#2  0x00007fc3cfd84292 in jsds_FilterHook (jsdc=0x7fc3b9f2cb00, state=<value optimized out>) at jsd_xpc.cpp:400                     
#3  0x00007fc3cfd84564 in jsds_ExecutionHookProc (jsdc=0x7fc3b9f2cb00, jsdthreadstate=0x7fc3b9fcd080, type=4, callerdata=<value optimized out>, rval=0x7fffdb75a678)
    at jsd_xpc.cpp:680                                                                                                                                              
#4  0x00007fc3cfd7cd29 in jsd_CallExecutionHook (jsdc=0x7fc3b9f2cb00, cx=<value optimized out>, type=4, hook=0x7fc3cfd84494 <jsds_ExecutionHookProc>, hookData=0x0, 
    rval=0x7fffdb75a678) at jsd_hook.c:177                                                                                                                          
#5  0x00007fc3d07082fe in js_Interpret (cx=0x7fc3c2b43c00) at jsinterp.cpp:7227                                                                                     
#6  0x00007fc3d0714339 in js_Invoke (cx=0x7fc3c2b43c00, argc=3, vp=0x7fc3d1fc8998, flags=0) at jsinterp.cpp:1394                                                    
#7  0x00007fc3cf71848d in nsXPCWrappedJSClass::CallMethod (this=0x7fc3c13eb500, wrapper=<value optimized out>, methodIndex=3, info=0x7fc3c0f29ed0, nativeParams=0x7fffdb75ac80)
    at xpcwrappedjsclass.cpp:1697                                                                                                                                              
#8  0x00007fc3cfed84a5 in PrepareAndDispatch (self=0x7fc3c13e8340, methodIndex=<value optimized out>, args=0x7fffdb75ad80, gpregs=0x7fffdb75ad80, fpregs=0x7fffdb75adb0)       
    at xptcstubs_x86_64_linux.cpp:151                                                                                                                                          
#9  0x00007fc3cfed7953 in SharedStub () from /usr/lib/xulrunner-1.9.1.2/libxul.so                                                                                              
#10 0x00007fc3cfeab5ba in nsObserverList::NotifyObservers (this=0x7fc3bf21a6c0, aSubject=0x7fc3b9f12448, aTopic=0x7fc3cff61255 "http-on-modify-request", someData=0x0)         
    at nsObserverList.cpp:128                                                                                                                                                  
#11 0x00007fc3cfeab896 in nsObserverService::NotifyObservers (this=<value optimized out>, aSubject=0x7fc3b9f12448, aTopic=0x7fc3cff61255 "http-on-modify-request", someData=0x0)
    at nsObserverService.cpp:181                                                                                                                                                
#12 0x00007fc3cf7c1601 in nsHttpChannel::AsyncOpen (this=0x7fc3b9f12400, listener=0x7fc3b9f84840, context=0x0) at nsHttpHandler.h:181                                           
#13 0x00007fc3cfd2249b in nsHTTPDownloadEvent::Run (this=0x7fc3b9f74c40) at nsNSSCallbacks.cpp:166                                                                              
#14 0x00007fc3cfecca0e in nsThread::ProcessNextEvent (this=0x7fc3d1e75aa0, mayWait=1, result=0x7fffdb75b0bc) at nsThread.cpp:510                                                
#15 0x00007fc3cfea1d36 in NS_ProcessNextEvent_P (thread=0x7fc3b9f10800, mayWait=1) at nsThreadUtils.cpp:227                                                                     
#16 0x00007fc3cfe25e0d in nsBaseAppShell::Run (this=0x7fc3c69f33a0) at nsBaseAppShell.cpp:170                                                                                   
#17 0x00007fc3cfd0a23d in nsAppStartup::Run (this=0x7fc3c2b6fa40) at nsAppStartup.cpp:193                                                                                       
#18 0x00007fc3cf6f1c9f in XRE_main (argc=<value optimized out>, argv=<value optimized out>, aAppData=<value optimized out>) at nsAppRunner.cpp:3347                             
#19 0x0000000000402549 in ?? ()                                                                                                                                                 
#20 0x00007fc3d23425a6 in __libc_start_main () from /lib/libc.so.6                                                                                                              
#21 0x0000000000401f09 in ?? ()                                                                                                                                                 
#22 0x00007fffdb75fa98 in ?? ()                                                                                                                                                 
#23 0x000000000000001c in ?? ()                                                                                                                                                 
#24 0x0000000000000001 in ?? ()                                                                                                                                                 
#25 0x00007fffdb7605f3 in ?? ()                                                                                                                                                 
#26 0x0000000000000000 in ?? ()                                                                                                                                                 
(gdb) Quit                                                                                                                                                                      
(gdb) quit                                                                                                                                                                      
The program is running.  Exit anyway? (y or n) y                                                                                                                                
pawel@galileo:~$ clear                                                                                                                                                          
pawel@galileo:~$ firefox -g
/usr/bin/gdb /usr/lib/firefox-3.5.2/firefox-3.5 -x /tmp/mozargs.UfRSIO
GNU gdb 6.8-debian                                                    
Copyright (C) 2008 Free Software Foundation, Inc.                     
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.           
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"   
and "show warranty" for details.                                             
This GDB was configured as "x86_64-linux-gnu"...                             
(no debugging symbols found)                                                 
(gdb) run                                                                    
Starting program: /usr/lib/firefox-3.5.2/firefox-3.5                         
(no debugging symbols found)                                                 
(no debugging symbols found)                                                 
(no debugging symbols found)                                                 
[Thread debugging using libthread_db enabled]                                
(no debugging symbols found)                                                 
(no debugging symbols found)                                                 
(no debugging symbols found)                                                 
(no debugging symbols found)                                                 
(no debugging symbols found)                                                 
(no debugging symbols found)                                                 
(no debugging symbols found)                                                 
[New Thread 0x7f7779ce1700 (LWP 6545)]                                       
[New Thread 0x7f7768df1950 (LWP 6553)]                                       
[New Thread 0x7f77683e6950 (LWP 6554)]                                       
[New Thread 0x7f77673ff950 (LWP 6555)]                                       
[New Thread 0x7f77660ff950 (LWP 6556)]                                       
[New Thread 0x7f77652ff950 (LWP 6557)]                                       
[Thread 0x7f77652ff950 (LWP 6557) exited]                                    
[New Thread 0x7f77652ff950 (LWP 6558)]                                       
[New Thread 0x7f7763aff950 (LWP 6559)]                                       
[Thread 0x7f7763aff950 (LWP 6559) exited]                                    
[New Thread 0x7f7763aff950 (LWP 6573)]                                       
[New Thread 0x7f77612fe950 (LWP 6574)]                                       

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f7779ce1700 (LWP 6545)]
js_PCToLineNumber (cx=0x7f7760415c00, script=0x7f77678ce800, pc=0x678ce9bf <Address 0x678ce9bf out of bounds>) at jsscript.h:325
325     jsscript.h: No such file or directory.
        in jsscript.h
Current language:  auto; currently c++
(gdb) bt
#0  js_PCToLineNumber (cx=0x7f7760415c00, script=0x7f77678ce800, pc=0x678ce9bf <Address 0x678ce9bf out of bounds>) at jsscript.h:325
#1  0x00007f777627dbcc in jsd_GetClosestLine (jsdc=0x7f7760430100, jsdscript=0x7f77604d99a0, pc=1737288127) at jsd_scpt.c:526
#2  0x00007f7776284292 in jsds_FilterHook (jsdc=0x7f7760430100, state=<value optimized out>) at jsd_xpc.cpp:400
#3  0x00007f7776284564 in jsds_ExecutionHookProc (jsdc=0x7f7760430100, jsdthreadstate=0x7f77604c4880, type=4, callerdata=<value optimized out>, rval=0x7fff81d0cc28)
    at jsd_xpc.cpp:680
#4  0x00007f777627cd29 in jsd_CallExecutionHook (jsdc=0x7f7760430100, cx=<value optimized out>, type=4, hook=0x7f7776284494 <jsds_ExecutionHookProc>, hookData=0x0,
    rval=0x7fff81d0cc28) at jsd_hook.c:177
#5  0x00007f7776c082fe in js_Interpret (cx=0x7f7769043c00) at jsinterp.cpp:7227
#6  0x00007f7776c14339 in js_Invoke (cx=0x7f7769043c00, argc=3, vp=0x7f77784c8998, flags=0) at jsinterp.cpp:1394
#7  0x00007f7775c1848d in nsXPCWrappedJSClass::CallMethod (this=0x7f77678eb500, wrapper=<value optimized out>, methodIndex=3, info=0x7f7767429ed0, nativeParams=0x7fff81d0d230)
    at xpcwrappedjsclass.cpp:1697
#8  0x00007f77763d84a5 in PrepareAndDispatch (self=0x7f77678e8340, methodIndex=<value optimized out>, args=0x7fff81d0d330, gpregs=0x7fff81d0d330, fpregs=0x7fff81d0d360)
    at xptcstubs_x86_64_linux.cpp:151
#9  0x00007f77763d7953 in SharedStub () from /usr/lib/xulrunner-1.9.1.2/libxul.so
#10 0x00007f77763ab5ba in nsObserverList::NotifyObservers (this=0x7f77657186c0, aSubject=0x7f7760417848, aTopic=0x7f7776461255 "http-on-modify-request", someData=0x0)
    at nsObserverList.cpp:128
#11 0x00007f77763ab896 in nsObserverService::NotifyObservers (this=<value optimized out>, aSubject=0x7f7760417848, aTopic=0x7f7776461255 "http-on-modify-request", someData=0x0)
    at nsObserverService.cpp:181
#12 0x00007f7775cc1601 in nsHttpChannel::AsyncOpen (this=0x7f7760417800, listener=0x7f77604c4040, context=0x0) at nsHttpHandler.h:181
#13 0x00007f777622249b in nsHTTPDownloadEvent::Run (this=0x7f7760475d30) at nsNSSCallbacks.cpp:166
#14 0x00007f77763cca0e in nsThread::ProcessNextEvent (this=0x7f7778375aa0, mayWait=1, result=0x7fff81d0d66c) at nsThread.cpp:510
#15 0x00007f77763a1d36 in NS_ProcessNextEvent_P (thread=0x7f7760415c00, mayWait=1) at nsThreadUtils.cpp:227
#16 0x00007f7776325e0d in nsBaseAppShell::Run (this=0x7f776cef33a0) at nsBaseAppShell.cpp:170
#17 0x00007f777620a23d in nsAppStartup::Run (this=0x7f776906fa40) at nsAppStartup.cpp:193
#18 0x00007f7775bf1c9f in XRE_main (argc=<value optimized out>, argv=<value optimized out>, aAppData=<value optimized out>) at nsAppRunner.cpp:3347
#19 0x0000000000402549 in ?? ()
#20 0x00007f77788f45a6 in __libc_start_main () from /lib/libc.so.6
#21 0x0000000000401f09 in ?? ()
#22 0x00007fff81d12048 in ?? ()
#23 0x000000000000001c in ?? ()
#24 0x0000000000000001 in ?? ()
#25 0x00007fff81d125f3 in ?? ()
#26 0x0000000000000000 in ?? ()

Updated

8 years ago
Assignee: nobody → general
Component: Extension Compatibility → JavaScript Engine
Product: Firefox → Core
QA Contact: extension.compatibility → general

Updated

8 years ago
Duplicate of this bug: 513670

Comment 5

8 years ago
Both of the crashes here are x86-64. It appears that jsdIDebuggerService uses a different type for `pc` than JSAPI does: it's a 32-bit (unsigned long) value which is an offset from a pcbase.

Theories:
* jsd is forgetting to add pcbase to a pc and passing in a totally bogus jsbytecode* as a pc.
* the jsdIDebuggerService pc offset is so large that it doesn't actually fit in a 32-bit int
Do we need to do an audit on jsd to make sure it's 64-bit clean?
Keywords: 64bit
Whiteboard: [firebug-p1]
(In reply to comment #5)
> Theories:
> * jsd is forgetting to add pcbase to a pc and passing in a totally bogus
> jsbytecode* as a pc.
> * the jsdIDebuggerService pc offset is so large that it doesn't actually fit in
> a 32-bit int

JS cx->fp->regs->pc - cx->fp->script->code can't overflow a uint32 -- IIRC lower limits will fail compilation around 24 bits.

But hey, could this be due to imacros? Check cx->fp->imacpc -- if non-null, then cx->fp->regs->pc does *not* point into

[script->code, script->code + script->length)

rather into a static buffer generated by imacro_asm.js.in.

/be
But we don't use imacros except when trace-recording, and we don't debug and record at the same time. So maybe my theory is out on that score.

Anyone able to reproduce?

/be

Comment 9

8 years ago
Regarding the title, does this occur only in 1.5a22, not 1.5a21? Is there a version where it works? We may be able to pick a direction based on the answer.

Comment 10

8 years ago
As I mentioned in bug 513670, it's just a22, at least on my machine - a21 works perfectly.

Comment 11

8 years ago
a21 was R3997 so the changes to the code that calls jsd from Firebug are:
http://code.google.com/p/fbug/source/detail?r=4050 -- jsdIFilters
http://code.google.com/p/fbug/source/detail?r=4051 -- support for Sandbox scopes.

I see on the call stack:
#2  0x00007f7776284292 in jsds_FilterHook (jsdc=0x7f7760430100, state=<value
optimized out>) at jsd_xpc.cpp:400

While that sounds very promising, the call pcToLine() is used extensively in Firebug so 1.5a21 should have crashed.

But see also bug 430205, a crash in 32bit if you call pcToLine with a pc that is out of range.
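The two symbolized backtraces in comment 3 let comment 5's theories and comment 11's pointer to bug 430205 be checked against the numbers. In each trace the crashing pc is exactly the low 32 bits of an address 0x1bf bytes past the script pointer: 0x7fc3c13ce800 + 0x1bf = 0x7fc3c13ce9bf, whose low half is the reported pc=0xc13ce9bf (3241994687 in jsd_GetClosestLine), and 0x7f77678ce800 + 0x1bf = 0x7f77678ce9bf, whose low half is 0x678ce9bf (1737288127). That pattern is consistent with a full 64-bit jsbytecode* having passed through a 32-bit field, which is why the value only goes wrong on x86-64 and why a lookup that dereferences pc without a range check faults. The C below is an added editorial example, not SpiderMonkey, jsd or Firebug code: the `script` struct, the constructed line table (offset / 4 + 1) and the `demo_` names are stand-ins, and the assumption that the interface's pc travels as a 32-bit unsigned long is taken from comment 5. It shows the 32-bit round trip on the trace's own addresses and a PC-to-line lookup that rejects a pc outside [code, code + length) instead of reading through it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef unsigned char jsbytecode;

/* Constructed stand-in for the script object: the bytecode buffer and its
 * length only. This is not the real JSScript layout. */
struct script {
    const jsbytecode *code;
    uint32_t length;
};

/* A 64-bit bytecode address pushed through a 32-bit field (the interface's
 * unsigned long pc, per comment 5): only the low 32 bits come back out. */
uint64_t truncate_pc_to_32(uint64_t pc)
{
    uint32_t narrowed = (uint32_t)pc;
    return (uint64_t)narrowed;
}

/* Range check done on integers, so a bogus pc is never dereferenced. */
int pc_in_script(const struct script *s, uintptr_t pc)
{
    uintptr_t lo = (uintptr_t)s->code;
    uintptr_t hi = lo + s->length;
    return pc >= lo && pc < hi;
}

/* PC-to-line lookup that refuses an out-of-range pc instead of crashing.
 * Returns -1 for a pc outside [code, code + length). The line table is
 * constructed (line = offset / 4 + 1), enough to show a value coming back. */
long safe_pc_to_line(const struct script *s, uintptr_t pc)
{
    if (!pc_in_script(s, pc))
        return -1;
    uintptr_t offset = pc - (uintptr_t)s->code;
    return (long)(offset / 4) + 1;
}

/* Demo script living in this process: 64 bytes of zeroed bytecode. */
static jsbytecode demo_code[64];
static const struct script demo_script = { demo_code, sizeof demo_code };

/* Look up code + offset in the demo script; offset may be out of range. */
long demo_lookup(long offset)
{
    return safe_pc_to_line(&demo_script, (uintptr_t)demo_code + (uintptr_t)offset);
}

/* Does demo_code + offset still point into the script after the 32-bit
 * round trip? In a 64-bit process whose data lives above 4 GiB it does not. */
int demo_truncated_pc_in_range(long offset)
{
    uintptr_t real = (uintptr_t)demo_code + (uintptr_t)offset;
    uintptr_t seen = (uintptr_t)truncate_pc_to_32((uint64_t)real);
    return pc_in_script(&demo_script, seen);
}

int main(void)
{
    /* Addresses copied from the second gdb backtrace on this bug. */
    uint64_t script_addr = 0x7f77678ce800ULL;
    uint64_t real_pc = script_addr + 0x1bf;
    printf("real pc 0x%llx, after 32-bit round trip 0x%llx (gdb showed pc=0x678ce9bf)\n",
           (unsigned long long)real_pc,
           (unsigned long long)truncate_pc_to_32(real_pc));
    printf("demo: line for code+8 = %ld, for code+64 = %ld\n",
           demo_lookup(8), demo_lookup(64));
    printf("demo: truncated pc for code+8 still in range? %s\n",
           demo_truncated_pc_in_range(8) ? "yes" : "no (an unchecked lookup would fault)");
    return 0;
}
```

The check is deliberately done on integer values rather than by comparing pointers, because the whole point is that the incoming pc may not be a valid pointer at all; comparing it against the script's own bounds is the only safe thing to do with it before anything else happens.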

Comment 12

8 years ago
I can't reproduce this with a22 and a mozilla-central x86-64 build. Are there other steps which might be needed to reproduce? I turned on the script-debugging panel and set it to break on exceptions. Do I need to add a watch expression, a breakpoint, or do some other special setting?
(Reporter)

Comment 13

8 years ago
@Benjamin, can you give me a link to the build you are using? I'll install it on my machine and check whether it's reproducible in that build.

Comment 14

8 years ago
It was a self-build, but it's roughly equivalent to http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-central/firefox-3.7a1pre.en-US.linux-x86_64.tar.bz2

Comment 15

8 years ago
(In reply to comment #12)
> I can't reproduce this with a22 and a mozilla-central x86-64 build. Are there
> other steps which might be needed to reproduce? 

The stack trace says we are in the handler for http-on-modify-request, so this is not user page code, it has to be Firebug code (or another extension?).

The jsd_hook.c 177 http://mxr.mozilla.org/mozilla-central/source/js/jsd/jsd_hook.c#177 
says its not an exception or single step. 

The caller:
http://mxr.mozilla.org/mozilla-central/source/js/src/jsinterp.cpp#1383
does not make sense to me, this should be "callHook", but executionHook is called?
(Reporter)

Comment 16

8 years ago
(In reply to comment #14)
> It was a self-build, but it's roughly equivalent to
> http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-central/firefox-3.7a1pre.en-US.linux-x86_64.tar.bz2

I checked this version and no error is thrown (but most of my extensions have been disabled in MineField due to the version mismatch). If you think this could be caused by some extension, I'm attaching the list of extensions I'm using now:
- Adblock Plus 1.1.1
- Context Search 0.4.4
- DownThemAll! 1.1.4
- Duck Duck Go Toolbar 1.2.0
- Firefogg 0.9.9.6
- FireGestures 1.5.4
- FirePHP 0.3.1 (disabled)
- Fission 1.0.9
- Novell Moonlight 199.2
- PageSpeed 1.2
- PajacykXPI 0.6.2
- Pencil 1.0.6
- Personas For Firefox 1.2.2
- Polish language dictionary 1.0.20090810
- Screengrab 0.96.2
- Tamper Data 10.1.0
- Test Pilot 0.1.2
- Ubuntu Firefox Modifications 0.7 (disabled by Firefox due to Fx version mismatch)
- User Agent Switcher 0.7.2
- VeriSign's OpenID SeatBelt 1.0.0.4012
- Weave 0.6
- Web Developer 1.1.8

Comment 17

8 years ago
I downloaded a mozilla-central build from the link in comment 14, created a new profile, and can confirm that enabling the Script panel does not cause a crash there.

I also updated my 3.6a2pre nightly to the latest version (via Check For Updates...) and got this build:

    Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2a2pre) Gecko/20090902 Namoroka/3.6a2pre

I created a new profile with this build, installed Firebug 1.5Xa22 and the segfault is still present.
Is this still crashing with Firefox 3.6b1+ or Firebug 1.5b1?

Comment 19

8 years ago
I gave up on Firefox 3.6 shortly after my previous comment and switched to 3.7 nightlies since they were much more useable, for this and other reasons.

I've just downloaded a build calling itself "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2b2pre) Gecko/20091030 Namoroka/3.6b2pre" and tried it with my current profile which includes Firebug 1.5b1. Sure enough, 3.6 segfaults immediately on startup, and disabling Firebug (by starting in safe-mode then disabling it from the Add-ons Manager) is enough to make Firefox start up again.

Comment 20

8 years ago
Just to point out the obvious, it looks like the address for 'pc' is being clobbered on FF 3.6, but something on FF 3.7 fixed it. 

Firebug has tracing that might help triage the bug:
http://getfirebug.com/wiki/index.php/FAQ#Using_the_Tracing_Version_of_Firebug

The stack trace shows we are in ExecutionHookProc but we don't know which one. The hook is checking the filter but I don't understand why it is looking for the line number: none of the Firebug filters use line numbers. This suggests a possible different bug in the filters which could be a big performance overhead. So I am copying Boris in case he can decode the jsdIFilter source.
> The stack trace shows we are in ExecutionHookProc but we don't know which one.

Uh...  We do know which one.  This is the jsd-internal execution hook; the one that calls the various jsdIExecutionHooks, depending on what kind of hook is asked to be called.

> The hook is checking the filter but I don't understand why it is looking for
> the line number: none of the Firebug filters use line numbers.

jsds_FilterHook always gets the current line, just in case one of the filters wants to filter on line.  This JSD_GetClosestLine call happens before we even check whether we have any filters.  If you think this is wrong (e.g. if getting the current line is expensive), please file a separate bug on that?
(In reply to comment #19)
> I've just downloaded a build calling itself "Mozilla/5.0 (X11; U; Linux x86_64;
> en-US; rv:1.9.2b2pre) Gecko/20091030 Namoroka/3.6b2pre" and tried it with my
> current profile which includes Firebug 1.5b1. Sure enough, 3.6 segfaults
> immediately on startup, and disabling Firebug (by starting in safe-mode then
> disabling it from the Add-ons Manager) is enough to make Firefox start up
> again.

Did you happen to get a stack trace in about:crashes with this build? I could try installing a 64bit VM on my system but downloading and installing is going to take a while.
Keywords: crash
Summary: Newest version of Firebug 1.5.x causes segmentation fault. → Newest version of Firebug 1.5.x causes segmentation fault on 64bit linux

Comment 23

8 years ago
Entering "about:crashes" into the Location bar gives me an alert dialog: "The URL is not valid and cannot be loaded."
Hum, Ted, do we not have Breakpad on 64-bit Linux?  *sadface* if so.
No, we don't have Breakpad on any 64-bit platform currently. It's my understanding that upstream has code that *almost* works on 64-bit Linux and OS X.

Comment 26

8 years ago
Is there any workaround here? Is there a 32bit version that can run on the 64 bit machines?
Our 32-bit builds should run fine on 64-bit systems, if they have the 32-bit libraries installed.  (We don't actually ship a 64-bit Linux version, but some Linux distributors do.)

Comment 28

8 years ago
By now we have multiple reports of a linux 64bit crash with Firebug 1.5b and one reports the stack trace and it matches the one here.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Newest version of Firebug 1.5.x causes segmentation fault on 64bit linux → [crash] js_PCToLineNumber segmentation fault on 64bit linux

Comment 29

8 years ago
Firebug users can't read this report and they keep asking about the problem. In effect this bug means that Firebug is incompatible with 64 bit linux. I just want to be able to tell them "Sorry the 64bit version is not supported" or "This problem is known and being worked on". (I don't know why they don't want to use the 32 bit version).

Comment 30

8 years ago
As far as I can tell this crash is FF 3.6 only, so by running versions of nightly builds from 3.7 end users could run down the patch that fixed this on FF 3.7. I believe there are 64 bit users willing to do this.
Flags: blocking1.9.2?
Is this 64 bit only? That's not a supported platform, which implies that this shouldn't block the release ...

Comment 32

8 years ago
Yes, 64 bit only. Since the platform is not supported this bug should not be a security issue. By unlocking it, motivated users can help fix the bug.

Comment 33

8 years ago
per comment 12
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 510040
Flags: blocking1.9.2? → blocking1.9.2-
Is this actually a dupe of bug 510040? We're still seeing lots of crashes on Linux 64 with Firebug installed. 510040 is marked fixed in 1.9.2.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
What's the stack for these crashes, and what are the build IDs for the crashing browsers?

Comment 36

8 years ago
and this is reported against 1.9.1.2 which is << 1.9.2 and << 1.9.1.8
Status: REOPENED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 510040
I believe we're seeing crashes against 3.5.* and 3.6. I need to run an actual build on a 64 bit linux to get an actual stacktrace and I don't have that setup.

Comment 38

8 years ago
Because of mozilla's goofy numbering system it's hard to tell, but it appears that bug 510040 was fixed for Firefox 3.6 and (not yet released) 3.5.8. 

From all the information I have, summarized by steve roussey on 
http://groups.google.com/group/firebug/browse_thread/thread/520f765d0cdc59c8,
the linux 64 bit crashes are all on Firefox 3.5.7. No crashes related to Firebug 1.5 install have been reported against 3.6 to my knowledge.

We have at least three reports of success with Firefox 3.6 on linux 64 from users who crashed with 3.5.7.
not true. Firebug is causing crashes in Firefox 3.6 64 bit. It is possible the users that are working in linux 64 are running 32 bit builds of Firefox, which appears to work fine on that platform.

I discovered this thread while trundling the web:

https://bugs.launchpad.net/ubuntu/+source/firefox-3.5/+bug/449744/
(In reply to comment #39)
> not true. Firebug is causing crashes in Firefox 3.6 64 bit. It is possible the
> users that are working in linux 64 are running 32 bit builds of Firefox, which
> appears to work fine on that platform.

What exactly is leading you to believe that Firefox 3.6 is affected? Nothing in the launchpad thread mentions 3.6 having this issue...
I'm sorry, I said in Comment #39 that 3.6 was mentioned as crashing in that launchpad ticket. I think 3.6 was marked as "affected" in the status and I inferred incorrectly from that. Sorry for the confusion.

Updated

8 years ago
Whiteboard: [firebug-p1]