Bug 447442 - www-client/chromium-25.0.1359.3 - segmentation fault in base::DictionaryValue::Get (this=0x555559a4a080, path="intl", out_value=out_value@entry=0x7fffff7ff158) at base/values.cc:478
Summary: www-client/chromium-25.0.1359.3 - segmentation fault in base::DictionaryValue...
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Chromium Project
URL:
Whiteboard: ht-wanted
Keywords:
Depends on:
Blocks:
 
Reported: 2012-12-16 12:19 UTC by octoploid
Modified: 2013-01-09 04:25 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments

Description octoploid 2012-12-16 12:19:30 UTC
www-client/chromium-25.0.1359.3 crashes at two different places for me:

1)
Program received signal SIGSEGV, Segmentation fault.
0x00005555562c63ad in base::DictionaryValue::GetWithoutPathExpansion(std::string const&, base::Value const**) const ()
(gdb) bt
#0  0x00005555562c63ad in base::DictionaryValue::GetWithoutPathExpansion(std::string const&, base::Value const**) const ()
#1  0x00005555562c6590 in base::DictionaryValue::Get(std::string const&, base::Value const**) const ()
#2  0x00005555562c6992 in base::DictionaryValue::GetDictionary(std::string const&, base::DictionaryValue const**) const ()
#3  0x00005555562c653f in base::DictionaryValue::Get(std::string const&, base::Value const**) const ()
#4  0x00005555565355df in JsonPrefStore::GetValue(std::string const&, base::Value const**) const ()
#5  0x0000555555c4f143 in PrefValueStore::GetValueFromStore(char const*, PrefValueStore::PrefStoreType, base::Value const**) const ()
#6  0x0000555555c4f3a6 in PrefValueStore::GetValueFromStoreWithType(char const*, base::Value::Type, PrefValueStore::PrefStoreType, base::Value const**) const ()
#7  0x0000555555c4f50a in PrefValueStore::GetValue(std::string const&, base::Value::Type, base::Value const**) const ()
#8  0x0000555555c4bcf3 in PrefService::GetPreferenceValue(std::string const&) const ()
#9  0x0000555555c4d03b in PrefService::GetString(char const*) const ()
#10 0x0000555555ed0e86 in AutocompleteProvider::StringForURLDisplay(GURL const&, bool, bool) const ()
#11 0x00005555581620f3 in SearchProvider::NavigationToMatch(SearchProvider::NavigationResult const&, bool) ()
#12 0x0000555558162dc8 in SearchProvider::AddNavigationResultsToMatches(std::vector<SearchProvider::NavigationResult, std::allocator<SearchProvider::NavigationResult> > const&, bool) ()
#13 0x0000555558167773 in SearchProvider::ConvertResultsToAutocompleteMatches() ()

After this crash I temporarily moved .config/chromium to another place
and this leads to another crash (harfbuzz related):

2)
*** Error in `/usr/lib64/chromium-browser/chrome --single-process': double free or corruption (fasttop): 0x00007fffa5342100 ***
...
(gdb) bt
#0  0x00007ffff3e0df69 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff3e0f418 in __GI_abort () at abort.c:90
#2  0x00007ffff3e4c737 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff3f094b8 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:196
#3  0x00007ffff3e52326 in malloc_printerr (action=3, str=0x7ffff3f096a0 "double free or corruption (fasttop)", ptr=<optimized out>) at malloc.c:4902
#4  0x00007ffff3e53007 in _int_free (av=<optimized out>, p=0x7fffa53420f0, have_lock=0) at malloc.c:3758
#5  0x00007ffff4d47833 in hb_buffer_destroy () from /usr/lib/libharfbuzz.so.0
#6  0x0000555556ab6bf6 in WebCore::HarfBuzzShaper::shapeHarfBuzzRuns(bool) ()
#7  0x0000555556ab802f in WebCore::HarfBuzzShaper::shape(WebCore::GlyphBuffer*) ()
#8  0x0000555556ab4465 in WebCore::Font::floatWidthForComplexText(WebCore::TextRun const&, WTF::HashSet<WebCore::SimpleFontData const*, WTF::PtrHash<WebCore::SimpleFontData const*>, WTF::HashTraits<WebCore::SimpleFontData const*> >*, WebCore::GlyphOverflow*) const ()
#9  0x0000555556a7da09 in WebCore::Font::width(WebCore::TextRun const&, WTF::HashSet<WebCore::SimpleFontData const*, WTF::PtrHash<WebCore::SimpleFontData const*>, WTF::HashTraits<WebCore::SimpleFontData const*> >*, WebCore::GlyphOverflow*) const ()
#10 0x0000555557039198 in WebCore::RenderBlock::LineBreaker::nextSegmentBreak(WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::LineInfo&, WebCore::RenderBlock::RenderTextInfo&, WebCore::RenderBlock::FloatingObject*, unsigned int, WTF::Vector<WebCore::WordMeasurement, 64ul>&) ()
#11 0x00005555570393bb in WebCore::RenderBlock::LineBreaker::nextLineBreak(WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::LineInfo&, WebCore::RenderBlock::RenderTextInfo&, WebCore::RenderBlock::FloatingObject*, unsigned int, WTF::Vector<WebCore::WordMeasurement, 64ul>&) ()
#12 0x000055555703ea23 in WebCore::RenderBlock::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) ()
#13 0x000055555703fd99 in WebCore::RenderBlock::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) ()
#14 0x00005555570403f3 in WebCore::RenderBlock::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) ()
#15 0x0000555557027dbc in WebCore::RenderBlock::layoutBlock(bool, WebCore::LayoutUnit) ()
#16 0x0000555557006873 in WebCore::RenderBlock::layout() ()
Reproducible: Always
Comment 1 octoploid 2012-12-16 13:31:52 UTC
With debug info:

Program received signal SIGSEGV, Segmentation fault.
base::DictionaryValue::Get (this=0x555559a4a080, path="intl", out_value=out_value@entry=0x7fffff7ff158) at base/values.cc:478
478     base/values.cc: No such file or directory.
(gdb) bt
#0  base::DictionaryValue::Get (this=0x555559a4a080, path="intl", out_value=out_value@entry=0x7fffff7ff158) at base/values.cc:478
#1  0x00005555562c64f2 in base::DictionaryValue::GetDictionary (this=<optimized out>, path=..., out_value=0x7fffff7ff1c0) at base/values.cc:586
#2  0x00005555562c609f in base::DictionaryValue::Get (this=<optimized out>, path=..., out_value=0x7fffff7ff388) at base/values.cc:487
#3  0x000055555653513f in JsonPrefStore::GetValue (this=this@entry=0x5555599afa30, key="intl.accept_languages", result=result@entry=0x7fffff7ff608)
    at base/prefs/json_pref_store.cc:168
#4  0x0000555555c4eca3 in PrefValueStore::GetValueFromStore (this=this@entry=0x5555599b0210, name=name@entry=0x55555a192f58 "intl.accept_languages", 
    store_type=store_type@entry=PrefValueStore::USER_STORE, out_value=out_value@entry=0x7fffff7ff608) at chrome/browser/prefs/pref_value_store.cc:217
#5  0x0000555555c4ef06 in PrefValueStore::GetValueFromStoreWithType (this=this@entry=0x5555599b0210, name=0x55555a192f58 "intl.accept_languages", 
    type=type@entry=base::Value::TYPE_STRING, store=store@entry=PrefValueStore::USER_STORE, out_value=out_value@entry=0x7fffff7ff608)
    at chrome/browser/prefs/pref_value_store.cc:230
#6  0x0000555555c4f06a in PrefValueStore::GetValue (this=0x5555599b0210, name="intl.accept_languages", type=base::Value::TYPE_STRING, out_value=0x7fffff7ff608)
    at chrome/browser/prefs/pref_value_store.cc:106
#7  0x0000555555c4b853 in PrefService::GetPreferenceValue (this=this@entry=0x5555599b03d0, path="intl.accept_languages") at chrome/browser/prefs/pref_service.cc:1062
#8  0x0000555555c4cb9b in PrefService::GetString (this=0x5555599b03d0, path=0x5555589b2210 <prefs::kAcceptLanguages> "intl.accept_languages")
    at chrome/browser/prefs/pref_service.cc:619
#9  0x0000555555ed09e6 in AutocompleteProvider::StringForURLDisplay (this=<optimized out>, url=..., check_accept_lang=<optimized out>, trim_http=<optimized out>)
    at chrome/browser/autocomplete/autocomplete_provider.cc:116
#10 0x0000555558161c53 in SearchProvider::NavigationToMatch (this=0x555559dbdf40, navigation=..., is_keyword=<optimized out>)
    at chrome/browser/autocomplete/search_provider.cc:1174
#11 0x0000555558162928 in SearchProvider::AddNavigationResultsToMatches (this=0x555559dbdf40, 
    navigation_results=std::vector of length 390935121283, capacity -781875593123 = {...}, is_keyword=88, is_keyword@entry=false)
    at chrome/browser/autocomplete/search_provider.cc:860
...
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2012-12-17 11:57:20 UTC
Please post your `emerge --info' output in a comment.
Comment 3 octoploid 2012-12-17 12:54:29 UTC
x4 ~ # emerge --info
Portage 2.1.11.38 (default/linux/amd64/10.0/no-multilib, gcc-4.8.0, unavailable, 3.7.0-08805-ga4f1de1-dirty x86_64)
=================================================================
System uname: Linux-3.7.0-08805-ga4f1de1-dirty-x86_64-AMD_Phenom-tm-_II_X4_955_Processor-with-gentoo-2.0.3
Timestamp of tree: Mon, 17 Dec 2012 10:45:01 +0000
ld GNU gold (GNU Binutils 2.23.51.20121207) 1.11
app-shells/bash:          4.2_p39-r1
dev-lang/python:          2.7.3-r3, 3.2.3-r2
dev-util/cmake:           2.8.10.2
dev-util/pkgconfig:       0.27.1
sys-apps/baselayout:      2.0.3
sys-apps/openrc:          9999
sys-apps/sandbox:         2.6
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6, 1.12.6
sys-devel/binutils:       9999
sys-devel/gcc:            4.8.0
sys-devel/gcc-config:     1.8
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.7.0
sys-libs/glibc:           2.17
Repositories: gentoo proaudio
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-w -march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-w -march=native -O2 -pipe"
DISTDIR="/var/tmp/portage"
EMERGE_DEFAULT_OPTS="--quiet-build=n"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news nostrip parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://ftp-stud.hs-esslingen.de/pub/Mirrors/gentoo/"
INSTALL_MASK="/lib/systemd/system /usr/lib/tmpfiles.d"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1,--hash-style=gnu,--as-needed,--gc-sections,--icf=all,--icf-iterations=3"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude=metadata/cache/*"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/portage"
PORTDIR_OVERLAY="/usr/local/layman/pro-audio"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="3dnow X alsa amd64 apng audiofile bash-completion berkdb bzip2 cairo cli cracklib crypt cscope cups cxx dbus djvu dri exif extras fbcon fontconfig fortran gdbm gif gpm gtk iconv jpeg kde kpathsea maildir mmx mudflap ncurses nls nptl ogg opengl pam pcre png pppd qt3support qt4 readline session sse sse2 sse3 ssl svg tcpd threads tiff truetype unicode vim-syntax xft zlib zsh-completion" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" QEMU_USER_TARGETS="x86_64" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="radeon r600" 
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, USE_PYTHON
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-12-17 16:54:05 UTC
(In reply to comment #0)
> After this crash I temporarily moved .config/chromium to another place
> and this leads to another crash (harfbuzz related):

Alright, please keep your backed up .config/chromium to make sure you can always repro. Could you please _attach_ the output of "bt full" in gdb? So far we have just "bt".

Also, could you try running it under valgrind, to possibly catch memory problems earlier? I mean try valgrind with your old config. Make sure you have a _copy_ somewhere else so that chromium doesn't modify our repro case.

> 2)*** Error in `/usr/lib64/chromium-browser/chrome --single-process': double
> free or corruption (fasttop): 0x00007fffa5342100 ***
> ...
> (gdb) bt
> #0  0x00007ffff3e0df69 in __GI_raise (sig=sig@entry=6) at
> ../nptl/sysdeps/unix/sysv/linux/raise.c:56
> #1  0x00007ffff3e0f418 in __GI_abort () at abort.c:90
> #2  0x00007ffff3e4c737 in __libc_message (do_abort=do_abort@entry=2,
> fmt=fmt@entry=0x7ffff3f094b8 "*** Error in `%s': %s: 0x%s ***\n")
>     at ../sysdeps/unix/sysv/linux/libc_fatal.c:196
> #3  0x00007ffff3e52326 in malloc_printerr (action=3, str=0x7ffff3f096a0
> "double free or corruption (fasttop)", ptr=<optimized out>) at malloc.c:4902
> #4  0x00007ffff3e53007 in _int_free (av=<optimized out>, p=0x7fffa53420f0,
> have_lock=0) at malloc.c:3758
> #5  0x00007ffff4d47833 in hb_buffer_destroy () from /usr/lib/libharfbuzz.so.0
> #6  0x0000555556ab6bf6 in WebCore::HarfBuzzShaper::shapeHarfBuzzRuns(bool) ()

Please report this as a separate bug. That version started using system harfbuzz, so this is likely the culprit. Do you have any steps to repro that one? Again, please move everything related to that harfbuzz crash to a separate bug.

Ah, one more thing about this harfbuzz crash: please try with USE=tcmalloc (you may need to unmask it) and report what happens.
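The procedure requested in comment 4, as an added example that is not part of the bug report and not code from the Chromium or Gentoo projects: keep a pristine copy of the profile that reproduces the crash, run the browser on a disposable working copy, and capture `bt full` under gdb plus a valgrind memcheck log for attachment. The `CHROME` default is the binary path seen in the report; the `/tmp/chromium-repro` scratch location and the `repro.sh` file name are assumptions. `--user-data-dir` is Chromium's flag for selecting the profile directory; `--single-process` is the flag the reporter was already using.

```shell
#!/bin/sh
# Added example, not from the bug report or the Chromium/Gentoo projects:
# preserve the reproducing profile, then capture "bt full" and a valgrind log.
# CHROME defaults to the binary path seen in the report; the scratch paths
# below are assumptions for illustration.
set -eu

CHROME="${CHROME:-/usr/lib64/chromium-browser/chrome}"

# Copy the live profile to a backup and strip write permission from the backup
# so neither a stray browser run nor a typo can alter the repro case.
backup_profile() {
    src="$1"; backup="$2"
    [ -d "$src" ] || { echo "no profile directory at $src" >&2; return 1; }
    # an earlier read-only backup must be made writable before it can be removed
    if [ -d "$backup" ]; then chmod -R u+w "$backup"; fi
    rm -rf "$backup"
    cp -pR "$src" "$backup"
    chmod -R a-w "$backup"
    echo "$backup"
}

# Chromium writes to its profile while running, so every attempt starts from a
# fresh, writable copy of the read-only backup; the backup itself stays intact.
fresh_workdir() {
    backup="$1"; work="$2"
    if [ -d "$work" ]; then chmod -R u+w "$work"; fi
    rm -rf "$work"
    cp -pR "$backup" "$work"
    chmod -R u+w "$work"
    echo "$work"
}

# Command line that runs the browser under gdb in batch mode and prints the
# full backtrace (locals included) when the first signal stops it.
# --single-process keeps the crash in the debugged process, as in the report;
# --user-data-dir points the browser at the working copy, not ~/.config/chromium.
gdb_cmdline() {
    work="$1"
    printf 'gdb -batch -ex run -ex "bt full" --args %s --single-process --user-data-dir=%s\n' \
        "$CHROME" "$work"
}

# Same run under valgrind memcheck: invalid frees and uninitialised reads are
# reported where they happen rather than when glibc aborts later.
valgrind_cmdline() {
    work="$1"; log="$2"
    printf 'valgrind --tool=memcheck --track-origins=yes --log-file=%s %s --single-process --user-data-dir=%s\n' \
        "$log" "$CHROME" "$work"
}

# Usage (only when invoked with --run, so sourcing the file has no side effects):
#   sh repro.sh --run ~/.config/chromium /tmp/chromium-repro
if [ "${1:-}" = "--run" ]; then
    profile="${2:-$HOME/.config/chromium}"
    scratch="${3:-/tmp/chromium-repro}"
    mkdir -p "$scratch"
    backup_profile "$profile" "$scratch/backup" >/dev/null
    work=$(fresh_workdir "$scratch/backup" "$scratch/work")
    sh -c "$(gdb_cmdline "$work")" > "$scratch/bt-full.txt" 2>&1 || true
    work=$(fresh_workdir "$scratch/backup" "$scratch/work")
    sh -c "$(valgrind_cmdline "$work" "$scratch/valgrind.log")" || true
    echo "attach $scratch/bt-full.txt and $scratch/valgrind.log to the bug"
fi
```

Each run consumes a fresh working copy, so the backup remains a faithful record of the state that crashed even after several gdb and valgrind attempts; `bt-full.txt` is what the comment asks to attach instead of a plain `bt`.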
Comment 5 octoploid 2012-12-17 18:11:06 UTC
(In reply to comment #4)
> (In reply to comment #0)
> > After this crash I temporarily moved .config/chromium to another place
> > and this leads to another crash (harfbuzz related):
> 
> Alright, please keep your backed up .config/chromium to make sure you can
> always repro. Could you please _attach_ the output of "bt full" in gdb? So
> far we have just "bt".
> 
> Also, could you try running it under valgrind, to possibly catch memory
> problems earlier? I mean try valgrind with your old config. Make sure you
> have a _copy_ somewhere else so that chromium doesn't modify our repro case.

I can also reproduce it with a clean profile. Basically chromium crashes
as soon as I type in the address bar. When I only click on links it runs
fine (when I built chromium with in-tree harfbuzz).

Unfortunately I don't have time to debug the issue further right now.
(I also had bad experience with upstream, because they are totally 
unresponsive and opening a bug on http://code.google.com/p/chromium is
equivalent to posting it to /dev/null IMO)

> 
> > 2)*** Error in `/usr/lib64/chromium-browser/chrome --single-process': double
> > free or corruption (fasttop): 0x00007fffa5342100 ***
> > ...
> > (gdb) bt
> > #0  0x00007ffff3e0df69 in __GI_raise (sig=sig@entry=6) at
> > ../nptl/sysdeps/unix/sysv/linux/raise.c:56
> > #1  0x00007ffff3e0f418 in __GI_abort () at abort.c:90
> > #2  0x00007ffff3e4c737 in __libc_message (do_abort=do_abort@entry=2,
> > fmt=fmt@entry=0x7ffff3f094b8 "*** Error in `%s': %s: 0x%s ***\n")
> >     at ../sysdeps/unix/sysv/linux/libc_fatal.c:196
> > #3  0x00007ffff3e52326 in malloc_printerr (action=3, str=0x7ffff3f096a0
> > "double free or corruption (fasttop)", ptr=<optimized out>) at malloc.c:4902
> > #4  0x00007ffff3e53007 in _int_free (av=<optimized out>, p=0x7fffa53420f0,
> > have_lock=0) at malloc.c:3758
> > #5  0x00007ffff4d47833 in hb_buffer_destroy () from /usr/lib/libharfbuzz.so.0
> > #6  0x0000555556ab6bf6 in WebCore::HarfBuzzShaper::shapeHarfBuzzRuns(bool) ()
> 
> Please report this as a separate bug. That version started using system
> harfbuzz, so this is likely the culprit. Do you have any steps to repro that
> one? Again, please move everything related to that harfbuzz crash to a
> separate bug.

Please note that this happened with the older harfbuzz-0.9.5.
Will try with the newer version as soon as I find time.

Thanks.
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-12-28 01:16:32 UTC
Can anyone else reproduce this bug?
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2013-01-09 04:25:28 UTC
(In reply to comment #6)
> Can anyone else reproduce this bug?

No repro -> WORKSFORME.