ff crashes on xslt transformation when using oracle java plugin

Bug #1000885 reported by Ritesh Khadgaray
Affects: Mozilla Firefox | Status: New | Importance: Critical
Affects: firefox (Ubuntu) | Status: Invalid | Importance: Medium | Assigned to: Unassigned

Bug Description

Firefox crashes when performing an XSLT transformation when also loading any <applet> stanza when the Oracle java plugin is used.

= Environment =

* oracle jre 6u31 (*any* oracle/sun java plugin)
* Firefox (any version)
* Ubuntu 10.04 LTS, 11.04, 11.10 or 12.04 LTS 32-bit
* Web page containing xslt reproducer (attached)

= Reproducible =
100% (see attachment reproducer) but only with the Oracle Java plugin, not the iced tea plugins in the archive.

= Workaround =
Use the OpenJDK/IcedTea plugin - this is not a viable option due to the customer's application certification.

= Further Information =
Reproducing on Ubuntu 12.04 LTS 32-bit with Firefox (11.0+build1-0ubuntu4)

1. Download the two JRE's from:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

2. Extract both Oracle JRE's:
$ bash ./jre-6u31-linux-i586.bin
$ tar -xvf jre-7u3-linux-i586.tar.gz
$ sudo mv jre1.* /usr/lib/jvm

3. Install the plugins into the alternatives system to switch easily:
$ sudo update-alternatives --install /usr/lib/mozilla/plugins/libjavaplugin.so mozilla-javaplugin.so /usr/lib/jvm/jre1.6.0_31/lib/i386/libnpjp2.so 1059
$ sudo update-alternatives --install /usr/lib/mozilla/plugins/libjavaplugin.so mozilla-javaplugin.so /usr/lib/jvm/jre1.7.0_03/lib/i386/libnpjp2.so 1058

4. Unpack the xslt-crash-reproducer.zip
$ unzip xslt-crash-reproducer.zip

5. Open Firefox and check "about:plugins", then open file:///path/to/test1.html. Repeat with alternating Java plugins, using alternatives to reconfigure which plugin is active:
sudo update-alternatives --config mozilla-javaplugin.so

= backtrace =

[Thread 0xa38a7b40 (LWP 2384) exited]
nsPluginNativeWindowGtk2: call SetWindow with xid=0x3e00291
--DOMWINDOW == 14 (0x811f4368) [serial = 14] [outer = 0x811e7e58] [url = about:blank]

Program received signal SIGSEGV, Segmentation fault.
0xb5fd9fbb in AssertActivityIsLegal ()
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/xpcom/base/nsTraceRefcntImpl.cpp:167
167 /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/xpcom/base/nsTraceRefcntImpl.cpp: No such file or directory.
(gdb) bt
#0 0xb5fd9fbb in AssertActivityIsLegal ()
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/xpcom/base/nsTraceRefcntImpl.cpp:167
#1 0xb5fdc8d2 in NS_LogDtor_P (aPtr=0x81405fe0,
    aType=0xb6a941ab "txInstruction", aInstanceSize=8)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/xpcom/base/nsTraceRefcntImpl.cpp:1148
#2 0xb5232e0e in txInstruction::~txInstruction (this=0x81405fe0,
    __in_chrg=<optimized out>)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/content/xslt/src/xslt/txInstructions.h:64
#3 0xb5237966 in txStartLREElement::~txStartLREElement (this=0x81405fe0,
    __in_chrg=<optimized out>)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/content/xslt/src/xslt/txInstructions.h:388
#4 0xb52379a7 in txStartLREElement::~txStartLREElement (this=0x81405fe0,
    __in_chrg=<optimized out>)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/content/xslt/src/xslt/txInstructions.h:388
#5 0xb5237187 in nsAutoPtr<txInstruction>::~nsAutoPtr (this=0x81405fc4,
    __in_chrg=<optimized out>) at ../../../../dist/include/nsAutoPtr.h:105
#6 0xb5232e1c in txInstruction::~txInstruction (this=0x81405fc0,
    __in_chrg=<optimized out>)
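As an added triage aid (not part of this report or of Firefox): a small parser for gdb `bt` output in the shape quoted above. It reports the innermost frame and the most repeated functions, so a long chain of txInstruction/nsAutoPtr destructor frames stands out from a genuine fault in the allocator. The sample backtrace is constructed for the example; its addresses and frame numbers are illustrative.

```python
import re
from collections import Counter

# Constructed sample in the shape of the gdb output quoted in this report.
SAMPLE_BT = """\
(gdb) bt
#0  arena_dalloc (ptr=0xa81722b0, offset=<optimized out>)
    at /build/buildd/firefox-12.0+build1/build-tree/mozilla/memory/jemalloc/jemalloc.c:4604
#1  0xb7fcbb36 in moz_free (ptr=0xa81722b0)
    at /build/buildd/firefox-12.0+build1/build-tree/mozilla/memory/mozalloc/mozalloc.cpp:97
#2  0xb63a59ce in ~nsAString_internal (this=0xa81745a8,
    __in_chrg=<optimized out>) at ../../../../dist/include/nsTSubstring.h:113
#3  txText::~txText (this=0xa81745a0, __in_chrg=<optimized out>)
    at /build/buildd/firefox-12.0+build1/build-tree/mozilla/content/xslt/src/xslt/txInstructions.h:402
---Type <return> to continue, or q <return> to quit---
#4  0xb63a527b in ~nsAutoPtr (this=0xa8174584, __in_chrg=<optimized out>)
    at ../../../../dist/include/nsAutoPtr.h:105
#5  txInstruction::~txInstruction (this=0xa8174580, __in_chrg=<optimized out>)
    at /build/buildd/firefox-12.0+build1/build-tree/mozilla/content/xslt/src/xslt/txInstructions.h:63
#6  0xb63a527b in ~nsAutoPtr (this=0xa8174564, __in_chrg=<optimized out>)
    at ../../../../dist/include/nsAutoPtr.h:105
#7  txInstruction::~txInstruction (this=0xa8174560, __in_chrg=<optimized out>)
    at /build/buildd/firefox-12.0+build1/build-tree/mozilla/content/xslt/src/xslt/txInstructions.h:63
"""

# A frame line: "#N", optionally "0xADDR in", then the function name up to the
# opening parenthesis of its argument list.
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+\s+in\s+)?(.+?)\s*\(")
PAGER_RE = re.compile(r"^---Type <return>")


def parse_frames(text):
    """Return [(frame_no, function)] from gdb 'bt' output, skipping the
    indented 'at file:line' continuation lines and gdb's pager prompts."""
    frames = []
    for line in text.splitlines():
        if PAGER_RE.match(line):
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append((int(m.group(1)), m.group(2)))
    return frames


def summarize(frames, top=3):
    """Innermost frame, total depth and the most repeated functions; a
    recursive destructor chain shows up as a few functions with high counts."""
    counts = Counter(fn for _, fn in frames)
    return {"innermost": frames[0][1], "depth": len(frames),
            "top": counts.most_common(top)}
```

Run it as `summarize(parse_frames(open("bt.txt").read()))` on a saved backtrace; a depth in the thousands dominated by ~nsAutoPtr and txInstruction destructors points at the instruction list teardown rather than at the frame where the signal landed.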

Ritesh Khadgaray (khadgaray) wrote :
In , Ritesh Khadgaray (khadgaray) wrote :

Created attachment 624795
test.zip

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0
Build ID: 20120509213847

Steps to reproduce:

Firefox crashes when performing an XSLT transformation when also loading any <applet> stanza when the Oracle java plugin is used.

= Environment =

* oracle jre 6u31 (*any* oracle/sun java plugin)
* Firefox (any version)
* Ubuntu 10.04 LTS, 11.04, 11.10 or 12.04 LTS 32-bit
* Web page containing xslt reproducer (attached)

= Reproducible =
100% (see attachment reproducer) but only with the Oracle Java plugin, not the iced tea plugins in the archive.

= Workaround =
Use the OpenJDK/IcedTea plugin - this is not a viable option.

= Further Information =
Reproducing on Ubuntu 12.04 LTS 32-bit with Firefox 12

1. Download the two JRE's from:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

2. Extract both Oracle JRE's:
$ cd /usr
$ tar -xvf jre-7u3-linux-i586.tar.gz

3. Install the plugins into the alternatives system to switch easily:
$ ln -s /usr/jre1.6.0_31/lib/i386/libnpjp2.so /usr/lib/mozilla/plugins

4. Unpack test.zip
$ unzip test.zip

5. Open Firefox and check "about:plugins", then open file:///path/to/test1.html.

= backtrace =

[Thread 0xa38a7b40 (LWP 2384) exited]
nsPluginNativeWindowGtk2: call SetWindow with xid=0x3e00291
--DOMWINDOW == 14 (0x811f4368) [serial = 14] [outer = 0x811e7e58] [url = about:blank]

Program received signal SIGSEGV, Segmentation fault.
0xb5fd9fbb in AssertActivityIsLegal ()
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/xpcom/base/nsTraceRefcntImpl.cpp:167
167 /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/xpcom/base/nsTraceRefcntImpl.cpp: No such file or directory.
(gdb) bt
#0 0xb5fd9fbb in AssertActivityIsLegal ()
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/xpcom/base/nsTraceRefcntImpl.cpp:167
#1 0xb5fdc8d2 in NS_LogDtor_P (aPtr=0x81405fe0,
    aType=0xb6a941ab "txInstruction", aInstanceSize=8)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/xpcom/base/nsTraceRefcntImpl.cpp:1148
#2 0xb5232e0e in txInstruction::~txInstruction (this=0x81405fe0,
    __in_chrg=<optimized out>)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/content/xslt/src/xslt/txInstructions.h:64
#3 0xb5237966 in txStartLREElement::~txStartLREElement (this=0x81405fe0,
    __in_chrg=<optimized out>)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/content/xslt/src/xslt/txInstructions.h:388
#4 0xb52379a7 in txStartLREElement::~txStartLREElement (this=0x81405fe0,
    __in_chrg=<optimized out>)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/content/xslt/src/xslt/txInstructions.h:388
#5 0xb5237187 in nsAutoPtr<txInstruction>::~nsAutoPtr (this=0x81405fc4,
    __in_chrg=<optimized out>) at ../../../../dist/include/nsAutoPtr.h:105
#6 0xb5232e1c in txInstruction::~txInstruction (this=0x81405fc0,
    __in_chrg=<optimized out>)
...

#6479 0xb522b2f5 in txStylesheet::Release (this=0x81394ac8)
    at /tmp/buildd/firefox-12.0+build1/build-tree/mozilla/content/xslt/src/xslt/txStylesheet.h:71

#6480 0xb522db66 in nsRefPtr<txStylesheet>::~nsRefPtr (this=0x81392bec, __in_chrg=<optimized out>)
    at ../../....


Changed in firefox:
importance: Unknown → Medium
status: Unknown → New
Changed in firefox:
importance: Medium → Critical
Chris Coulson (chrisccoulson) wrote :

Where does this build of Firefox come from? (it's not ours).

This crash relies on building with --enable-debug, which is not the default on any build. In addition to that, it requires an environment variable to turn a (harmless) warning in to the runtime abort seen here ("MOZ_FATAL_STATIC_XPCOM_CTORS_DTORS")

Tom Ellis (tellis) wrote :

Hi Chris,

It's reproducible on any version of Firefox that I've tried, including the ones distributed with Ubuntu (10.04 through to 12.04) and from 3.5 up to FF12.

I can try and obtain another backtrace from your suggestion, but using the steps to reproduce and the test case it's easy to reproduce.

Regards,
Tom

Chris Coulson (chrisccoulson) wrote :

It doesn't crash when I try it here

Ritesh Khadgaray (khadgaray) wrote :

Hi @Chris

  Do check if Oracle's Java is being used (about:plugins), and that we are on an x86 platform.

Stack trace with vanilla Firefox on Precise:

Program received signal SIGSEGV, Segmentation fault.
arena_dalloc (ptr=0xa81722b0, offset=<optimized out>)
    at /build/buildd/firefox-12.0+build1/build-tree/mozilla/memory/jemalloc/jemalloc.c:4604
4604 /build/buildd/firefox-12.0+build1/build-tree/mozilla/memory/jemalloc/jemalloc.c: No such file or directory.
(gdb) bt
#0 arena_dalloc (ptr=0xa81722b0, offset=<optimized out>)
    at /build/buildd/firefox-12.0+build1/build-tree/mozilla/memory/jemalloc/jemalloc.c:4604
#1 0xb7fcbb36 in moz_free (ptr=0xa81722b0)
    at /build/buildd/firefox-12.0+build1/build-tree/mozilla/memory/mozalloc/mozalloc.cpp:97
#2 0xb6a462b9 in nsStringBuffer::Release (this=<optimized out>)
    at /build/buildd/firefox-12.0+build1/build-tree/mozilla/xpcom/string/src/nsSubstring.cpp:193
#3 0xb6a463fa in nsAString_internal::Finalize (this=<optimized out>)
    at /build/buildd/firefox-12.0+build1/build-tree/mozilla/xpcom/string/src/nsTSubstring.cpp:188
#4 0xb63a59ce in ~nsAString_internal (this=0xa81745a8,
    __in_chrg=<optimized out>) at ../../../../dist/include/nsTSubstring.h:113
#5 ~nsString (this=0xa81745a8, __in_chrg=<optimized out>)
    at ../../../../dist/include/nsTString.h:54
#6 txText::~txText (this=0xa81745a0, __in_chrg=<optimized out>)
    at /build/buildd/firefox-12.0+build1/build-tree/mozilla/content/xslt/src/xslt/txInstructions.h:402
#7 0xb63a59f6 in txText::~txText (this=0xa81745a0, __in_chrg=<optimized out>)
    at /build/buildd/firefox-12.0+build1/build-tree/mozilla/content/xslt/src/xslt/txInstructions.h:402
#8 0xb63a527b in ~nsAutoPtr (this=0xa8174584, __in_chrg=<optimized out>)
---Type <return> to continue, or q <return> to quit---
    at ../../../../dist/include/nsAutoPtr.h:105
#9 txInstruction::~txInstruction (this=0xa8174580, __in_chrg=<optimized out>)
    at /build/buildd/firefox-12.0+build1/build-tree/mozilla/content/xslt/src/xslt/txInstructions.h:63
#10 0xb63a599e in txStartLREElement::~txStartLREElement (this=0xa8174580,
    __in_chrg=<optimized out>)
    at /build/buildd/firefox-12.0+build1/build-tree/mozilla/content/xslt/src/xslt/txInstructions.h:388
#11 0xb63a527b in ~nsAutoPtr (this=0xa8174564, __in_chrg=<optimized out>)
    at ../../../../dist/include/nsAutoPtr.h:105
#12 txInstruction::~txInstruction (this=0xa8174560, __in_chrg=<optimized out>)
    at /build/buildd/firefox-12.0+build1/build-tree/mozilla/content/xslt/src/xslt/txInstructions.h:63
#13 0xb63a59f6 in txText::~txText (this=0xa8174560, __in_chrg=<optimized out>)
    at /build/buildd/firefox-12.0+build1/build-tree/mozilla/content/xslt/src/xslt/txInstructions.h:402
#14 0xb63a527b in ~nsAutoPtr (this=0xa8174544, __in_chrg=<optimized out>)
    at ../../../../dist/include/nsAutoPtr.h:105
#15 txInstruction::~txInstruction (this=0xa8174540, __in_chrg=<optimized out>)
    at /build/buildd/firefox-12.0+build1/build-tree/mozilla/content/xslt/src/xslt/txInstructions.h:63
#16 0xb63a599e in txStartLREElement::~txStartLREElement (this=0xa8174540,
    __in_chrg=<optimized out>)
---Type <return> to continue, or q <return> to quit---
    at...

Chris Coulson (chrisccoulson) wrote :

Unfortunately, I don't have an x86 system.

Chris Coulson (chrisccoulson) wrote :

The location of the crash suggests that there might be memory corruption, which is going to be fun to debug. The best way to start doing that is to build Firefox with --enable-valgrind --disable-jemalloc, so that you can run it with memcheck. The fact that this issue only occurs when using the Oracle plugin in an area of code completely unrelated to plugins (which works fine when the plugin isn't loaded) would suggest that it is quite likely to be a bug introduced by the Java plugin.

Changed in firefox (Ubuntu):
importance: Undecided → Medium
Jose Plans (jplans) wrote :

After further analysis we found out this was a java plugin/application issue. Thanks Chris for your comments and help.

Changed in firefox (Ubuntu):
status: New → Invalid
Changed in firefox:
status: New → Unknown
Changed in firefox:
status: Unknown → New