Re: firefox3-bin crashes near arc4random_buf()

From: Tim Kientzle <kientzle_at_freebsd.org>
Date: Tue, 07 Oct 2008 18:50:09 -0700

This is a lot more interesting.  This points to a crash
within libc's db code.  Somehow, it's trying to compute
a hash for some element with length -10618, which is
getting converted to an unsigned 4294956678, which is
causing the crash.

Does Firefox have knobs to use a newer Berkeley DB?  I can't
recall whether newer Berkeley DB versions are thread-safe but
I'm pretty sure the old version in our libc isn't.  If Firefox
is assuming the BDB code is thread-safe that could certainly
cause corruption of the BDB data with all sorts of unpleasant
consequences.  That's just a random guess, though.  Maybe someone
else on this mailing list knows better.

Tim


> Good news! firefox3 crashed again, so the problem is not fixed. But the
> backtrace (attached) looks slightly different this time. Anything particular
> you'd like me to look at?

> #0  0x2a31656b in thr_kill () at thr_kill.S:2
> #1  0x2a2c5736 in pthread_kill () from /lib/libthr.so.3
> #2  0x2a2c32c3 in raise () from /lib/libthr.so.3
> #3  0x28237381 in XRE_InitEmbedding () from /usr/local/lib/firefox3/libxul.so
> #4  <signal handler called>
> #5  hash4 (keyarg=0xad6397a, len=4294956678) at /usr/src/lib/libc/db/hash/hash_func.c:184
> #6  0x2a39ab3d in __call_hash (hashp=0x8386200, k=0xad6397a "", len=-10618) at /usr/src/lib/libc/db/hash/hash.c:896
> #7  0x2a3997fa in __split_page (hashp=0x8386200, obucket=7, nbucket=15) at /usr/src/lib/libc/db/hash/hash_page.c:356
> #8  0x2a39ac09 in __expand_table (hashp=0x8386200) at /usr/src/lib/libc/db/hash/hash.c:865
> #9  0x2a39922f in __addel (hashp=0x8386200, bufp=0xb2e47c0, key=0xbf4f9640, val=0xbf4f9648) at /usr/src/lib/libc/db/hash/hash_page.c:454
> #10 0x2a39c2e0 in hash_access (hashp=0x8386200, action=HASH_PUT, key=0xbf4f9640, val=0xbf4f9648) at /usr/src/lib/libc/db/hash/hash.c:680
> #11 0x2aa0cb9c in ?? () from /usr/local/lib/firefox3/libnssdbm3.so
> #12 0xbf4f9648 in ?? ()
> #13 0xbf4f9640 in ?? ()
> #14 0xbf4f9648 in ?? ()
> #15 0x00000000 in ?? ()
> #16 0x2a2c3599 in pthread_self () from /lib/libthr.so.3
> #17 0x2aa1c3e4 in legacy_SetCryptFunctions () from /usr/local/lib/firefox3/libnssdbm3.so
> #18 0x2aa1cbb8 in legacy_SetCryptFunctions () from /usr/local/lib/firefox3/libnssdbm3.so
> #19 0x2aa1d6ff in legacy_SetCryptFunctions () from /usr/local/lib/firefox3/libnssdbm3.so
> #20 0x2aa218b2 in legacy_SetCryptFunctions () from /usr/local/lib/firefox3/libnssdbm3.so
> #21 0x2aa236c9 in legacy_SetCryptFunctions () from /usr/local/lib/firefox3/libnssdbm3.so
> #22 0x2aa23791 in legacy_SetCryptFunctions () from /usr/local/lib/firefox3/libnssdbm3.so
Received on Tue Oct 07 2008 - 23:50:20 UTC
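
Added example (not part of the original message and not FreeBSD's libc code): the signed-to-unsigned length conversion visible between frames #6 and #5 of the backtrace, and a bounds check that rejects such an entry before hashing. The hash function, the guard, and the model of the key length as a difference of two page offsets are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in byte hash (not libc's hash4): reads exactly `len` bytes of `key`. */
static uint32_t toy_hash(const uint8_t *key, uint32_t len)
{
    uint32_t h = 0;
    while (len--)
        h = h * 31u + *key++;
    return h;
}

/* What the signed-to-unsigned call boundary does to the length. */
static uint32_t as_unsigned_len(int len)
{
    return (uint32_t)len;   /* -10618 becomes 2^32 - 10618 */
}

/*
 * Hypothetical guard. Assumption of this example: the key length is the
 * difference of two offsets read from a page, so corrupted offsets can
 * yield a negative length. Returns 0 and stores the hash on success,
 * -1 when the key does not lie fully inside the page.
 */
static int checked_hash(const uint8_t *page, size_t page_size,
                        int key_start, int key_end, uint32_t *out)
{
    if (key_start < 0 || key_end < key_start)   /* negative length */
        return -1;
    if ((size_t)key_end > page_size)            /* runs off the page */
        return -1;
    *out = toy_hash(page + key_start, (uint32_t)(key_end - key_start));
    return 0;
}

int main(void)
{
    uint8_t page[4096] = { 'k', 'e', 'y' };     /* constructed sample page */
    uint32_t h = 0;

    printf("len=-10618 as unsigned: %u\n", (unsigned)as_unsigned_len(-10618));
    printf("valid entry:   %d\n", checked_hash(page, sizeof page, 0, 3, &h));
    /* constructed corrupt offsets: 82 - 10700 = -10618 */
    printf("corrupt entry: %d\n", checked_hash(page, sizeof page, 10700, 82, &h));
    return 0;
}
```

Without the guard, the stand-in hash would be asked to read 4294956678 bytes starting at the key pointer, which is the out-of-bounds read pattern the backtrace shows.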
