Bug 731122: segfault in xulrunner when running pyxpcom+hulahop
Status: NEW (Open)
Opened 13 years ago, updated 3 years ago
Categories: Core :: Security: CAPS, defect
Reporter: lkcl
Assignee: Unassigned
Attachments: 1 file (7.25 KB, text/plain)
User Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-GB) AppleWebKit/534.3 (KHTML, like Gecko) Arora/0.10.1 Safari/534.3
Steps to reproduce:
compile xulrunner 13.0a1.
git log showing which revision shown here:
commit 0fe594352d85ec02545c848329881908452e1e3d
Author: Chris Jones <jones.chris.g@gmail.com>
Date: Fri Feb 17 22:33:52 2012 -0800
Bug 727950: Don't close the camera dso, some of them don't like that. r=fabr
commit e4fc9ab51f354a5e18f37c0089a6144ba7000430
Merge: 816599f 705190c
Author: Tim Taubert <tim.taubert@gmx.de>
Date: Sat Feb 18 02:03:47 2012 +0100
merge m-c to fx-team
commit 816599f1b52a7c2f15284bf173881afdea0f15bd
Merge: d5a97d9 9ce3a6c
Author: Ed Morley <bmo@edmorley.co.uk>
Date: Sat Feb 18 00:16:22 2012 +0000
Merge last PGO-green changeset of mozilla-inbound to mozilla-central
commit d5a97d99967d5a0b8a4f2bac6018160032cecd0e
Author: Kyle Machulis <kyle@nonpolynomial.com>
Date: Fri Feb 17 15:54:27 2012 -0800
Back out bug 711601 (changeset 4c8aa2b0ca1c) due to qemu breakage
commit 6c261ec0ea5c1df2556ad8f17035d07d0a1a557f
Author: Kyle Huey <khuey@kylehuey.com>
Date: Fri Feb 17 15:17:05 2012 -0800
Bug 669845: Make nsTypeFindAhead clear out all of its references to content
commit c38b1473adeac1a43c35b6c29750c789492f06b7
Author: Brian Smith <bsmith@mozilla.com>
Date: Fri Feb 17 14:51:47 2012 -0800
Bug 713936, Part 4: Remove security/patches/bug-717906-lowhash, r=kaie, a=ak
commit 240680eb1b945ac7719a88137811d7eb6fbbe527
Author: Brian Smith <bsmith@mozilla.com>
Date: Fri Feb 17 15:03:46 2012 -0800
Bug 713936, Part 3: Update to NSPR 4.9 RTM (NSPR_4_9_RTM), r=kaie, a=akeybl
commit 9ce3a6c7567f74ae344d56ecd56367e80dd9cab9
Author: Vivien Nicolas <21@vingtetun.org>
Date: Fri Feb 17 22:37:53 2012 +0100
Bug 728373 - Ensure the xul window handle keypress when the screen goes full
Actual results:
#0 0x0000000000000021 in ?? ()
#1 0x00007fffed7eeebd in NS_TableDrivenQI (aThis=<value optimized out>,
entries=0x7fffee853160, aIID=..., aInstancePtr=0x7fffffff5dd8)
at /home/lkcl/oe/src/gecko/obj-x86_64-unknown-linux-gnu/xpcom/build/nsISupportsImpl.cpp:49
#2 0x00007fffed7ed5da in nsCOMPtr_base::assign_from_qi (this=0x7fffffff5df0,
qi=..., iid=<value optimized out>)
at /home/lkcl/oe/src/gecko/obj-x86_64-unknown-linux-gnu/xpcom/build/nsCOMPtr.cpp:96
#3 0x00007fffecee9d2b in PrefCallback (this=0x7fffffff5e20,
aDomain=<value optimized out>, aObserver=0xecb710, aBranch=0xe52640)
at /home/lkcl/oe/src/gecko/modules/libpref/src/nsPrefBranch.h:92
#4 0x00007fffecee9950 in nsPrefBranch::RemoveObserver (this=0xe52640, aDomain=
0x7fffeddb9600 "security.fileuri.strict_origin_policy",
aObserver=<value optimized out>)
at /home/lkcl/oe/src/gecko/modules/libpref/src/nsPrefBranch.cpp:629
#5 0x00007fffeceec05e in mozilla::Preferences::RemoveObservers (aObserver=
0xecb710, aPrefs=0x7fffee9a8080)
at /home/lkcl/oe/src/gecko/modules/libpref/src/Preferences.cpp:1392
#6 0x00007fffed3619c6 in ~nsScriptSecurityManager (this=0xecb700,
__in_chrg=<value optimized out>)
at /home/lkcl/oe/src/gecko/caps/src/nsScriptSecurityManager.cpp:3408
#7 0x00007fffed361a23 in ~nsScriptSecurityManager (this=0xecb700,
__in_chrg=<value optimized out>)
at /home/lkcl/oe/src/gecko/caps/src/nsScriptSecurityManager.cpp:3415
#8 0x00007fffed36481c in nsScriptSecurityManager::GetScriptSecurityManager ()
at /home/lkcl/oe/src/gecko/caps/src/nsScriptSecurityManager.cpp:3460
#9 0x00007fffed0cdf7f in nsContentUtils::Init ()
at /home/lkcl/oe/src/gecko/content/base/src/nsContentUtils.cpp:376
#10 0x00007fffecf4242a in nsLayoutStatics::Initialize ()
at /home/lkcl/oe/src/gecko/layout/build/nsLayoutStatics.cpp:168
#11 0x00007fffecf40f6b in Initialize ()
at /home/lkcl/oe/src/gecko/layout/build/nsLayoutModule.cpp:368
#12 0x00007fffed817e97 in nsComponentManagerImpl::KnownModule::Load (this=
0xe173d0)
at /home/lkcl/oe/src/gecko/xpcom/components/nsComponentManager.cpp:732
#13 0x00007fffed817edc in nsFactoryEntry::GetFactory (this=0xe186a0)
at /home/lkcl/oe/src/gecko/xpcom/components/nsComponentManager.cpp:1738
#14 0x00007fffed817fe6 in nsComponentManagerImpl::CreateInstanceByContractID (
this=<value optimized out>, aContractID=<value optimized out>, aDelegate=
0x0, aIID=..., aResult=0x7fffffff6020)
at /home/lkcl/oe/src/gecko/xpcom/components/nsComponentManager.cpp:1060
#15 0x00007fffed8187b4 in nsComponentManagerImpl::GetServiceByContractID (this=
0xde1d50, aContractID=<value optimized out>, aIID=..., result=
0x7fffffff60a8)
at /home/lkcl/oe/src/gecko/xpcom/components/nsComponentManager.cpp:1466
#16 0x00007fffed7ee0c0 in nsGetServiceByContractIDWithError::operator() (this=
0x7fffffff6190, aIID=<value optimized out>, aInstancePtr=0x7fffffff60a8)
at /home/lkcl/oe/src/gecko/obj-x86_64-unknown-linux-gnu/xpcom/build/nsComponentManagerUtils.cpp:288
#17 0x00007fffed7ed6fa in nsCOMPtr_base::assign_from_gs_contractid_with_error (
this=0x7fffffff6200, gs=<value optimized out>, iid=<value optimized out>)
at /home/lkcl/oe/src/gecko/obj-x86_64-unknown-linux-gnu/xpcom/build/nsCOMPtr.cpp:141
#18 0x00007fffed56b5ab in nsCOMPtr<nsISupports>::operator= (
this=<value optimized out>, aSubject=<value optimized out>, aTopic=
0x7fffedcaa5ef "app-startup", someData=<value optimized out>)
(full stacktrace attached)
Expected results:
no segfault.
this shouldn't be hard to do. the code below is basically "it". there's nothing more sophisticated, and this all worked perfectly for xulrunner 1.9 and even for xulrunner 9.0.
what's going on??
/* Append hulahop's plugin directory to MOZ_PLUGIN_PATH, keeping any
 * value the user already set. */
static void
setup_plugin_path()
{
    const char *user_path;
    char *new_path;

    user_path = g_getenv ("MOZ_PLUGIN_PATH");
    new_path = g_strconcat(user_path ? user_path : "",
                           user_path ? ":" : "",
                           PLUGIN_PATH,
                           (char *) NULL);
    g_setenv ("MOZ_PLUGIN_PATH", new_path, TRUE);
    g_free (new_path);
}

/* Initialise the embedded XULRunner runtime. Returns FALSE on any failure. */
gboolean
hulahop_startup()
{
    nsresult rv;

    setup_plugin_path();

    hulahop_add_components_path(LIB_DIR"/components");

    /* GRE directory and application binary directory both point at LIBXUL_DIR. */
    nsCOMPtr<nsILocalFile> greDir;
    rv = NS_NewNativeLocalFile(nsCString(LIBXUL_DIR), PR_TRUE,
                               getter_AddRefs(greDir));
    NS_ENSURE_SUCCESS(rv, FALSE);

    nsCOMPtr<nsILocalFile> binDir;
    rv = NS_NewNativeLocalFile(nsCString(LIBXUL_DIR), PR_TRUE,
                               getter_AddRefs(binDir));
    NS_ENSURE_SUCCESS(rv, FALSE);

    rv = XRE_InitEmbedding2(greDir, binDir,
                            const_cast<HulahopDirectoryProvider *>
                                (&kDirectoryProvider));
    NS_ENSURE_SUCCESS(rv, FALSE);

    XRE_NotifyProfile();

    return TRUE;
}
btw for various reasons i've had to do this:
mk_add_options MOZ_MAKE_FLAGS="-j6"
ac_add_options --disable-jemalloc
ac_add_options --enable-application=xulrunner
ac_add_options --with-system-nss
and have been forced to install the debian/experimental 3.13.1.with.ckbi.1.88-1 libnss3 package (see bugs related to mozilla keeping an internal copy of nss APIs but then actually changing that API for a public release).
Comment 3•13 years ago
sXPConnect->SetDefaultSecurityManager is failing (why? you may want to look into that).
So the security manager is deleted, but at that point it has a zero refcount. The RemoveObservers call in ~nsScriptSecurityManager seems to rely on refcount stabilization, and that's not happening in this case, so you get a double-delete and then a crash.
Status: UNCONFIRMED → NEW
Component: General → Security: CAPS
Ever confirmed: true
QA Contact: general → caps
Comment 4•13 years ago
This is a regression from bug 660770. That RemoveObservers call is just not safe, as far as I can tell.
Blocks: 660770
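A model of the failure described in comments 3 and 4 above, as an added example that is not Mozilla's code: an object destroyed at refcount zero hands itself to a callee that takes and drops a temporary strong reference, which re-enters destruction unless the refcount is stabilized first. The names Manager, TemporaryStrongRef and destructor_runs_after_failed_init are hypothetical, and destructor runs are counted rather than performed so the second delete can be observed safely.

```cpp
#include <cstdio>

struct Manager;
// Models PrefCallback's constructor: QueryInterface on the observer takes a
// strong reference that is dropped again when the temporary goes away.
void TemporaryStrongRef(Manager& m);

// Hypothetical stand-in for a refcounted XPCOM object. Destruction is counted,
// not performed, so a second delete shows up as a number instead of a crash.
struct Manager {
    int refcnt = 0;
    int destructor_runs = 0;
    const bool stabilize;

    explicit Manager(bool s) : stabilize(s) {}

    void AddRef() { ++refcnt; }
    void Release() {
        if (--refcnt == 0) Destroy();       // "delete this" in real code
    }
    // Models the destructor, which unregisters its pref observers.
    void Destroy() {
        if (++destructor_runs > 1) return;  // real code is already in UB here
        if (stabilize) refcnt = 1;          // refcount stabilization
        TemporaryStrongRef(*this);          // RemoveObservers -> QI on this
    }
};

void TemporaryStrongRef(Manager& m) {
    m.AddRef();
    m.Release();
}

// Initialization failed, so the object is destroyed without ever having
// been AddRef'ed (refcnt == 0 on entry to the destructor).
int destructor_runs_after_failed_init(bool stabilize) {
    Manager m(stabilize);
    m.Destroy();
    return m.destructor_runs;
}

int main() {
    std::printf("unstabilized: %d destructor run(s)\n",
                destructor_runs_after_failed_init(false));
    std::printf("stabilized:   %d destructor run(s)\n",
                destructor_runs_after_failed_init(true));
    return 0;
}
```
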
Comment 5•13 years ago
Hmm, nsScriptSecurityManager::InitPrefs() uses AddStrongObservers(), so the destructor may not need to release them. But I have a question: why is nsScriptSecurityManager destroyed, even though it's grabbed by Preferences, except when XPCOM is shutting down?
Comment 6•13 years ago
Presumably either XPConnect was unavailable or GetSafeJSContext failed. The latter actually has this comment:
>3344 if (!cx) return NS_ERROR_FAILURE; // this can happen of xpt loading fails
(In reply to Boris Zbarsky (:bz) from comment #3)
> sXPConnect->SetDefaultSecurityManager is failing (why? you may want to look
> into that).
this may be related to the use of the (newer, experimental) libnss 3.13.3.
i could not use the "stable" libnss3.12, i got errors at runtime which, when i looked them up, explained that there had been changes to the libnss3 API which actually *didn't* make it into the released (newer) version of libnss3.
Updated•3 years ago
Severity: normal → S3