94510 - Memory corruption after printing

Status: VERIFIED WORKSFORME

(Core :: Printing: Output, defect)

Description

[Roland Mainz]

(2001-08-08-08-trunk on Solaris/SPARC. I am seeing this issue since a couple of
weeks but I always thought it will go away without my intervention ... looks
that this assumption was wrong...)

Mozilla suffers from heap corruption after printing, Xlib/GTK+ gfx build using
PostScript/Xprint module - sooner or later it crashes with a memory corruption
after user printed something:

Example crash:
-- snip --
t@1 (l@1) signal SEGV (access to address exceeded protections) in realfree at
0xfedc5e60
0xfedc5e60: realfree+0x0104:    st      %i4, [%i4 + %o0]
Current function is nsCRT::strdup (optimized)
  167       return PL_strdup(str);
(/opt/SUNWspro/bin/../WS6U2/bin/sparcv9/dbx) where
current thread: t@1
  [1] realfree(0xfc20b020, 0xfd21b118, 0xfee3c450, 0xfee35ad4, 0xfc20b018,
0x1010101), at 0xfedc5e60
  [2] cleanfree(0x0, 0xfee35ad4, 0xfee3c3c4, 0xfee3c444, 0xfee3c434, 0x658), at
0xfedc66ac
  [3] _malloc_unlocked(0x927ac8, 0x8, 0x0, 0x927ac0, 0x0, 0xfee35ad4), at
0xfedc5834
  [4] malloc(0x2, 0xffbee918, 0x20, 0x0, 0x4c, 0x924e88), at 0xfedc572c
  [5] PL_strdup(0xffbeeab8, 0x0, 0xffbeeaa0, 0x2f, 0xfdfb0c1c, 0x25), at
0xfefe1284
=>[6] nsCRT::strdup(str = ???) (optimized), at 0xff12f0cc (line ~167) in
"nsCRT.h"
  [7] nsCString::ToNewCString(this = ???) (optimized), at 0xff12ce4c (line ~559)
in "nsString.cpp"
  [8] nsStdURL::GetPath(this = ???, o_Path = ???) (optimized), at 0xfde7e18c
(line ~970) in "nsStdURL.cpp"
  [9] PresShell::DumpReflows(this = ???) (optimized), at 0xfc594398 (line ~6890)
in "nsPresShell.cpp"
  [10] PresShell::Destroy(this = ???) (optimized), at 0xfc58616c (line ~1727) in
"nsPresShell.cpp"
  [11] PrintObject::~PrintObject(this = ???) (optimized), at 0xfd4847e0 (line
~773) in "nsDocumentViewer.cpp"
  [12] PrintData::~PrintData(this = ???) (optimized), at 0xfd48445c (line ~718)
in "nsDocumentViewer.cpp"
  [13] DocumentViewerImpl::DonePrintingPages(this = ???, aPO = ???) (optimized),
at 0xfd488970 (line ~2155) in "nsDocumentViewer.cpp"
  [14] nsPagePrintTimer::Notify(this = ???, timer = ???) (optimized), at
0xfd49dc84 (line ~617) in "nsDocumentViewer.cpp"
  [15] nsTimerXlib::Fire(this = ???) (optimized), at 0xfc27210c (line ~215) in
"nsTimerXlib.cpp"
  [16] nsTimerXlib::ProcessTimeouts(array = ???) (optimized), at 0xfc2722f4
(line ~297) in "nsTimerXlib.cpp"
  [17] NS_ProcessTimeouts(aDisplay = ???) (optimized), at 0xfc2727a8 (line ~454)
in "nsTimerXlib.cpp"
  [18] CallProcessTimeoutsProc(aDisplay = ???) (optimized), at 0xfdc0e978 (line
~236) in "nsAppShell.cpp"
  [19] CallProcessTimeoutsXtProc(dummy1 = ???, dummy2 = ???) (optimized), at
0xfdc0f134 (line ~401) in "nsAppShell.cpp"
  [20] DoOtherSources(0x14c4f8, 0xfdbe2000, 0x1, 0xf4240, 0x0, 0x1), at
0xfdbaad9c
  [21] XtAppNextEvent(0x14c4f8, 0x0, 0x1, 0x0, 0xffbef09c, 0xc), at 0xfdbaaa14
  [22] nsAppShell::Run(this = ???) (optimized), at 0xfdc0f2a0 (line ~453) in
"nsAppShell.cpp"
  [23] nsAppShellService::Run(this = ???) (optimized), at 0xfe127994 (line ~424)
in "nsAppShellService.cpp"
  [24] main1(argc = ???, argv = ???, nativeApp = ???) (optimized), at 0x188ac
(line ~1300) in "nsAppRunner.cpp"
  [25] main(argc = ???, argv = ???) (optimized), at 0x19298 (line ~1611) in
"nsAppRunner.cpp"
-- snip --

GTK+ build may crash at the same location, at browser exit or after a while of
repeated loading of http://www.mozilla.org/ ...

Can anyone confirm this, please ?

Comment 1

[Roland Mainz]

This is really really a bad one.

timeless, any ideas ? Is is realated to bug 68488 or bug 79920 ?

Comment 2

[Doron Rosenberg (IBM)]

-> printing

Comment 3

[Roland Mainz]

jst, wanna confirm that this crash, please ?

Comment 4

[Roland Mainz]

Same crash in GTK+ toolkit:
-- snip --
t@1 (l@1) signal SEGV (no mapping at the fault address) in realfree at
0xfe745dd4
0xfe745dd4: realfree+0x0078:    ld      [%i1 + 0x8], %o2
Current function is nsCRT::strdup (optimized)
  167       return PL_strdup(str);
(/opt/SUNWspro/bin/../WS6U2/bin/sparcv9/dbx) where
current thread: t@1
  [1] realfree(0xfbd49020, 0xc39c57dc, 0xfe7bc450, 0xfe7b5ad4, 0xfbd49018,
0xc7c7c7c7), at 0xfe745dd4
  [2] cleanfree(0x0, 0xfe7b5ad4, 0xfe7bc3c4, 0xfe7bc444, 0xfe7bc3fc, 0x640), at
0xfe7466ac
  [3] _malloc_unlocked(0xab7668, 0x8, 0x0, 0xab7660, 0x0, 0xfe7b5ad4), at
0xfe745834
  [4] malloc(0x2, 0xffbee890, 0x20, 0x0, 0x4c, 0x8147a8), at 0xfe74572c
  [5] PL_strdup(0xffbeea30, 0x0, 0xffbeea18, 0x2f, 0xfd934e2c, 0x25), at
0xff021284
=>[6] nsCRT::strdup(str = ???) (optimized), at 0xff1af084 (line ~167) in
"nsCRT.h"
  [7] nsCString::ToNewCString(this = ???) (optimized), at 0xff1ace04 (line ~559)
in "nsString.cpp"
  [8] nsStdURL::GetPath(this = ???, o_Path = ???) (optimized), at 0xfd7fe38c
(line ~970) in "nsStdURL.cpp"
  [9] PresShell::DumpReflows(this = ???) (optimized), at 0xfb995fbc (line ~6889)
in "nsPresShell.cpp"
  [10] PresShell::Destroy(this = ???) (optimized), at 0xfb987d9c (line ~1727) in
"nsPresShell.cpp"
  [11] PrintObject::~PrintObject(this = ???) (optimized), at 0xfd084874 (line
~765) in "nsDocumentViewer.cpp"
  [12] PrintData::~PrintData(this = ???) (optimized), at 0xfd0844f0 (line ~710)
in "nsDocumentViewer.cpp"
  [13] DocumentViewerImpl::DonePrintingPages(this = ???, aPO = ???) (optimized),
at 0xfd088980 (line ~2132) in "nsDocumentViewer.cpp"
  [14] nsPagePrintTimer::Notify(this = ???, timer = ???) (optimized), at
0xfd09d300 (line ~609) in "nsDocumentViewer.cpp"
  [15] nsTimerGtk::FireTimeout(this = ???) (optimized), at 0xfbe62278 (line
~186) in "nsTimerGtk.cpp"
  [16] process_timers(array = ???) (optimized), at 0xfbe6253c (line ~256) in
"nsTimerGtk.cpp"
  [17] TimerCallbackFunc(data = ???) (optimized), at 0xfbe6263c (line ~278) in
"nsTimerGtk.cpp"
dbx: warning: can't find file
"/home/gisburn/package-builds/glib/glib-1.2.8/objdir/gmain.lo"
dbx: warning: see `help finding-files'
  [18] g_timeout_dispatch(0x4464d0, 0xffbeefa0, 0x0, 0x0, 0x0, 0xffbeef08), at
0xfea391c0
  [19] g_main_dispatch(0xffbeefa0, 0x171450, 0x1, 0x0, 0x0, 0x0), at 0xfea36dc8
  [20] g_main_iterate(0x1, 0x1, 0xfd95057c, 0xfd5a7618, 0xff3df650, 0x18), at
0xfea37bcc
  [21] g_main_run(0x3b2450, 0x3b2450, 0x5, 0xfd624f84, 0xff15b184, 0x0), at
0xfea37f64
dbx: warning: can't find file
"/home/gisburn/package-builds/gtk+/gtk+-1.2.8/objdir/gtk/gtkmain.lo"
  [22] gtk_main(0x123768, 0xffec0, 0x0, 0xff1516d4, 0xfd620c1c, 0x80000000), at
0xfed560a0
  [23] nsAppShell::Run(this = ???) (optimized), at 0xfd5a7618 (line ~353) in
"nsAppShell.cpp"
  [24] nsAppShellService::Run(this = ???) (optimized), at 0xfdaa79a8 (line ~424)
in "nsAppShellService.cpp"
  [25] main1(argc = ???, argv = ???, nativeApp = ???) (optimized), at 0x18f1c
(line ~1306) in "nsAppRunner.cpp"
  [26] main(argc = ???, argv = ???) (optimized), at 0x19960 (line ~1622) in
"nsAppRunner.cpp"
-- snip --

Comment 5

[Scott Collins]

I do not crash after printing to a file and then playing with the browser
extensively.  Sorry, this probably doesn't help you.  More specific steps to
reproduce?  Does this happen when you print to a file?

Comment 6

[Roland Mainz]

scc:
This crash does usually not occur after printing one URL... it only happens if
you print multiple times (2-3 times, sometimes far more) with different URLs...

Comment 7

[Keyser Sose]

Marking nEW>

Comment 8

[dcone (gone)]

this says Solaris/SPARC on the comments, but Linux on the version,, this makes a 
huge difference. Is this Linux, Solaris, or both.

Comment 9

[dcone (gone)]

Can you take a look at this.. I can not repro.. maybee this is just a Solaris 
issue.

Comment 10

[Roland Mainz]

I cannot reproduce it with newer builds - even with Rational Purify... making
WORKSFORME for now...

----

dcone:
OW: I need a r= for bug 24847 ("cannot print in landscape mode"), please...

Comment 11

[sujay]

v