I'm experiencing consistent crashes with Seamonkey 1.1.1[56] when loading certain URLs. I've been able to reproduce this with the following procedure: 1. In a shell: printf "HTTP/1.0 200 OK\nContent-Type: text/plain\n\nLocation: http://www.mozilla.com/\n" | nc -lp5555 2. In Seamonkey, enter "http://127.0.0.1:5555" in the address bar and press Enter. 3. After the request is printed in the shell, press ^C to terminate netcat and close the connection. When the connection closes, Seamonkey promptly terminates with a segmentation fault. I haven't investigated the relevant source in depth, but the actual bug looks like it may be a GCC optimization bug; see analysis below. (The crash goes away if I replace -O2 with -O0 in my CFLAGS.) emerge --info: Portage 2.2_rc28 (default-linux/x86, gcc-4.3.3, glibc-2.9_p20081201-r2, 2.6.28-gentoo-r4 i686) ================================================================= System uname: Linux-2.6.28-gentoo-r4-i686-AMD_Athlon-tm-_64_X2_Dual_Core_Processor_4400+-with-gentoo-2.0.0 Timestamp of tree: Fri, 10 Apr 2009 05:45:01 +0000 app-shells/bash: 3.2_p48-r1 dev-lang/python: 2.5.4-r2, 2.6.1-r1 dev-python/pycrypto: 2.0.1-r8 dev-util/cmake: 2.6.2 sys-apps/baselayout: 2.0.0 sys-apps/openrc: 0.4.3-r1 sys-apps/sandbox: 1.6-r2 sys-devel/autoconf: 2.13, 2.63-r1 sys-devel/automake: 1.9.6-r2, 1.10.2 sys-devel/binutils: 2.19.1-r1 sys-devel/gcc-config: 1.4.1 sys-devel/libtool: 2.2.6a ACCEPT_KEYWORDS="x86 ~x86" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -march=x86-64 -mtune=k8 -mmmx -msse -msse2 -pipe -g" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /var/bind" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo" CXXFLAGS="-O2 -march=x86-64 -mtune=k8 -mmmx -msse -msse2 -pipe -g" DISTDIR="/usr/portage/distfiles" FEATURES="collision-protect distlocks fixpackages preserve-libs protect-owned sandbox sfperms strict unmerge-orphans userfetch" GENTOO_MIRRORS="http://gentoo.gg3.net" LDFLAGS="" MAKEOPTS="" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync21.us.gentoo.org/gentoo-portage" USE="aac alsa berkdb cjk cli crypt dri dv dvd fortran gif iconv ipv6 isdnlog joystick jpeg jpeg2k lame live mad midi mmx mp3 mudflap ncurses nptl nptlonly ogg openmp oss perl png pppd pv3 python quicktime readline reflection scanner sdl session spl sse sse2 ssl theora tiff truetype unicode vorbis win32codecs x264 x86 xanim xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="nvidia vesa" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS gcc --version: gcc (Gentoo 4.3.3-r2 p1.1, pie-10.1.5) 4.3.3 Copyright (C) 2008 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Created attachment 187881 [details] Crash backtrace and disassembly The code leading up to the crash point is: PRUint32 len = 0; nsCOMPtr<nsIInputStream> in; nsCOMPtr<nsIOutputStream> out; // Create a pipe and fill it with the data from the sniffer buffer. rv = NS_NewPipe(getter_AddRefs(in), getter_AddRefs(out), MAX_BUFFER_SIZE, MAX_BUFFER_SIZE); if (NS_SUCCEEDED(rv)) { rv = out->Write(mBuffer, mBufferLen, &len); <== CRASH HERE And the equivalent assembly is: 0xb6dab838: lea -0x24(%ebp),%eax <== Obtain pointer to &out 0xb6dab83b: movl $0x0,-0x1c(%ebp) 0xb6dab842: movl $0x0,-0x20(%ebp) 0xb6dab849: movl $0x0,-0x24(%ebp) <== Set out to NULL 0xb6dab850: mov %eax,-0x4c(%ebp) <== Store pointer to &out 0xb6dab853: call 0xb6d6fc70 <_ZN13nsCOMPtr_base16begin_assignmentEv@plt> 0xb6dab858: lea -0x20(%ebp),%edx 0xb6dab85b: mov %eax,-0x40(%ebp) <== Store return value (also &out?) 0xb6dab85e: mov %edx,%eax 0xb6dab860: mov %edx,-0x44(%ebp) 0xb6dab863: call 0xb6d6fc70 <_ZN13nsCOMPtr_base16begin_assignmentEv@plt> 0xb6dab868: mov %eax,%esi 0xb6dab86a: lea -0x2c(%ebp),%eax <== Receives out pipe pointer 0xb6dab86d: movl $0x0,0x18(%esp) 0xb6dab875: movl $0x1,0x14(%esp) 0xb6dab87d: movl $0x400,0x10(%esp) 0xb6dab885: mov %eax,0x4(%esp) 0xb6dab889: lea -0x28(%ebp),%eax <== Receives in pipe pointer 0xb6dab88c: movl $0x0,0xc(%esp) 0xb6dab894: movl $0x0,0x8(%esp) 0xb6dab89c: mov %eax,(%esp) v== NS_NewPipe(...) 0xb6dab89f: call 0xb6d6e980 <_Z11NS_NewPipe2PP19nsIAsyncInputStreamPP20nsIAsyncOutputStreamiijjP9nsIMemory@plt> 0xb6dab8a4: test %eax,%eax 0xb6dab8a6: js 0xb6dab99c 0xb6dab8ac: mov -0x28(%ebp),%eax 0xb6dab8af: mov -0x40(%ebp),%ecx <== Retrieve pointer to &out(?) 0xb6dab8b2: mov -0x24(%ebp),%edx <== Load value of out 0xb6dab8b5: movl $0x0,-0x10(%ebp) 0xb6dab8bc: mov %eax,(%esi) 0xb6dab8be: mov -0x2c(%ebp),%eax <== Load out pipe pointer 0xb6dab8c1: mov %eax,(%ecx) <== Update out(?) 0xb6dab8c3: lea -0x1c(%ebp),%eax 0xb6dab8c6: mov (%edx),%ecx <== CRASH HERE 0xb6dab8c8: mov %eax,0xc(%esp) 0xb6dab8cc: mov 0x14(%edi),%eax 0xb6dab8cf: mov %eax,0x8(%esp) 0xb6dab8d3: mov 0x10(%edi),%eax 0xb6dab8d6: mov %edx,(%esp) 0xb6dab8d9: mov %eax,0x4(%esp) 0xb6dab8dd: call *0x14(%ecx) <== out->Write(...) So if I understand properly what's going on (which is a big if--I can't figure out why GCC making use of all those extra stack variables), the code is attempting to load the "out" pointer for the Write() call _before_ the variable is updated with the pipe pointer returned from NS_NewPipe().
Created attachment 187882 [details, diff] Workaround patch for seamonkey-1.1.16 Just for reference, this seems to fix the crash (though I haven't checked whether the resultant behavior is correct).
I think I'm seeing the crashes as well. /usr/libexec/mozilla-launcher: line 119: 26666 Segmentation fault $(type -P aoss) "$mozbin" $xulparams "$@" seamonkey-bin exited with non-zero status (139) I didn't encounter those prior to rebuilding my world tree with the new gcc compiler (the 4.3.2 one). Greets, Tobias
I should add that I can produce the crash either by going onto specific webpages or by simply using the reproduction steps by Andrew. The netcat approach always works, but the webpage behaviour is kinda random - however it usually doesn't take too long till a crash occurs.
Additional information: It's probably the same bug and it's happening on Fedora as well. gcc compiler version there is also 4.3.2, and the code only fails with -O2. https://bugzilla.redhat.com/show_bug.cgi?id=468415 They filed a bugreport upstream, which is here: https://bugzilla.mozilla.org/show_bug.cgi?id=472570 @Andrew: I don't know the details, but you should probably check if those are really related to the crashes we see here.
Another spam from me. Workaround without patching the source: I have added -fno-strict-aliasing to the CFLAGS for the seamonkey package which fixes the problem for me. No more random crashes.
Thanks for checking. I'm currently building to test the patch from: https://bugzilla.mozilla.org/show_bug.cgi?id=351231 FWIW, though, it looks like -fno-strict-aliasing was officially added to the Mozilla configure.in in response to https://bugzilla.mozilla.org/show_bug.cgi?id=413253 so that might be the easiest solution for seamonkey-1.1.x in Gentoo (presumably seamonkey-2.0 will include the updated configure.in).
Created attachment 188894 [details, diff] Add -fno-strict-aliasing to CXXFLAGS
Forgot to mention that the patch from bugzilla.mozilla.org #351231 did not fix this particular crash, so -fno-strict-aliasing seems to be the way to go. Sorry for the spam!
(In reply to comment #9) > Forgot to mention that the patch from bugzilla.mozilla.org #351231 did not fix > this particular crash, so -fno-strict-aliasing seems to be the way to go. > Sorry for the spam! > I would rather not append on the ebuild side of it but rather patch configure as upstream has already done. Nirbheek if you would go ahead and commit the patch that will be attached here in next few minutes, it is as upstream has fixed it via configure.
Created attachment 197176 [details, diff] seamonkey-1.0.17 aliasing patch Patch for configure.in
Fixed in-tree with -r1 Using commit message: ------------------------------------------------------------------------------ Fix crash without -fno-strict-aliasing, bug 265642 (Portage version: 2.2_rc33/cvs/Linux i686) ------------------------------------------------------------------------------
I've confirmed that the new ebuild fixes the bug. Thanks!
*** Bug 276953 has been marked as a duplicate of this bug. ***
This has resurfaced in seamonkey-1.1.18; it looks like the -fno-strict-aliasing patch is still required.
(In reply to comment #15) > This has resurfaced in seamonkey-1.1.18; it looks like the -fno-strict-aliasing > patch is still required. > This was suppose to have been fixed in 1.1.18 but I can readded the patch that is not a problem. It will be late tonight before I can get around to this.
(In reply to comment #15) > This has resurfaced in seamonkey-1.1.18; it looks like the -fno-strict-aliasing > patch is still required. > I have re-added patch to .18 release. Thanks for reporting.
