firefox crashes like mad with double free or corruption

Bug #291843 reported by Florian Hars on 2008-10-31
16
This bug affects 1 person
Affects Status Importance Assigned to Milestone
firefox-3.0 (Gentoo Linux)
New
Undecided
Unassigned
firefox-3.0 (Ubuntu)
High
Unassigned
pango-graphite (Ubuntu)
Undecided
Unassigned

Bug Description

Binary package hint: firefox

Every few pages firefox just hangs and writes a crash report to .xsession-errors like
*** glibc detected *** /usr/lib/firefox-3.0.3/firefox: double free or corruption (!prev): 0x09eec1b8 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7d853f4]
/lib/tls/i686/cmov/libc.so.6[0xb7d88eed]
/lib/tls/i686/cmov/libc.so.6(realloc+0x106)[0xb7d89d86]
/usr/lib/libglib-2.0.so.0(g_realloc+0x3a)[0xb6ba9c4a]
/usr/lib/libpango-1.0.so.0(pango_glyph_string_set_size+0x99)[0xb6d165d9]
/usr/lib/pango/1.6.0/modules/pango-basic-fc.so[0xb3a2de3e]
/usr/lib/libpango-1.0.so.0[0xb6d1cfea]
/usr/lib/libpango-1.0.so.0(pango_shape+0x5a)[0xb6d3032a]
/usr/lib/xulrunner-1.9.0.3/libxul.so(_ZN17gfxPangoFontGroup24CreateGlyphRunsItemizingEP10gfxTextRunPKcjj+0x1de)[0xb79bb722]
/usr/lib/xulrunner-1.9.0.3/libxul.so(_ZN17gfxPangoFontGroup11InitTextRunEP10gfxTextRunPKcjji+0x33)[0xb79bb975]
/usr/lib/xulrunner-1.9.0.3/libxul.so(_ZN17gfxPangoFontGroup11MakeTextRunEPKtjPKN17gfxTextRunFactory10ParametersEj+0x107)[0xb79bbab9]
/usr/lib/xulrunner-1.9.0.3/libxul.so[0xb79b765b]

I'll try to attach the full data, but firefux usually crashes before I can submit an attachment.
$ lsb_release -rd
Description: Ubuntu 8.10
Release: 8.10
$ apt-cache policy firefox
firefox:
  Installiert: 3.0.3+nobinonly-0ubuntu2
  Kandidat: 3.0.3+nobinonly-0ubuntu2
  Versions-Tabelle:
 *** 3.0.3+nobinonly-0ubuntu2 0
        500 http://de.archive.ubuntu.com intrepid/main Packages
        100 /var/lib/dpkg/status

Florian Hars (hars) wrote :

Nope, Firefox crashes once I click on the button to select the file to attach:
*** glibc detected *** /usr/lib/firefox-3.0.3/firefox: malloc(): memory corrupti
on: 0x09ebae08 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7e9a116]
/lib/tls/i686/cmov/libc.so.6(__libc_malloc+0x95)[0xb7e9b865]
/usr/lib/libstdc++.so.6(_Znwj+0x27)[0xb8075d47]
/usr/lib/libstdc++.so.6(_Znaj+0x1d)[0xb8075e8d]
/usr/lib/pango/1.6.0/modules/graphite/pango-graphite.so(_ZN2gr12PangoTextSrcC1EP
KciiS2_+0x3c)[0xb3aeb92c]
/usr/lib/pango/1.6.0/modules/graphite/pango-graphite.so(graphite_PangoGlyphStrin
g+0x49)[0xb3aecbd9]
/usr/lib/pango/1.6.0/modules/graphite/pango-graphite.so[0xb3aedcb9]
/usr/lib/libpango-1.0.so.0[0xb6e2efea]

Alexander Sack (asac) wrote :

seems like a font issue. maybe also your graphics driver is involved ... what graphics chipset/driver are you using? wha tlanguage are you using. Do you use any special fonts? Have you ever installed windows fonts?

Changed in firefox:
status: New → Incomplete
Florian Hars (hars) wrote :

Yes, I can switch the behaviour on and of by installing or uninstalling
ttf-indic-fonts-core_1%3a0.5.4ubuntu2

So there seems to be a bug in these fonts and/or a bug in the handling of these fonts in either firefox or pango. I don't know any of these languages, so deinstalling it is a useful workaround for me.

LANG=de_DE.UTF-8
Graphics chipset is Intel Corporation Mobile 945GM/GMS/GME, 943/940GML Express Integrated Graphics Controller rev 3, driver is intel

Alexander Sack (asac) wrote :

thanks for the update. subscribed font maintainer and moving to proper package.

Changed in firefox:
importance: Undecided → High
status: Incomplete → Confirmed
Florian Hars (hars) wrote :

The cause of the bug is not in ttf-fonts-indic. After a few more experiments firefox was in a state where it would crash within seconds of every startup no matter which fonts were installed. Then I went for the radical way and removed all ttf fonts that were no hard requirements of other packages (like OOo) and xulrunner-1.9 with all dependenciesup to ubuntu-desktop. Then I reinstalled just firefox, and it did no longer crash, but everything looked like crap because every space was at least four times too wide. Then I reinstalled the rest (like ubuntu-desktop), which pulled all the fonts in again (including ttf-indic-fonts), and firefox still does not crash. But it still looks like crap.

Alexander Sack (asac) wrote :

please use the correct package if you bounce stuff. also why do you think its pango-graphite?

Changed in firefox:
status: Confirmed → Incomplete
Florian Hars (hars) wrote :

The resident behaviour is just bug #193198, which might suggest that the original problem (which I luckily can no longer reproduce) was somewhere in the interaction between firefox and pango, too. I am not sure that it is really the same problem (my first stacktrace does not involve pango-graphite) so I am not marking this as a duplicate. Feel free to do so if you have reasons to assume it is.

I attach a longer excerpt from .xsession-errors for that crash, in case someone would like to look at it.

Florian Hars (hars) wrote :

Sorry, that should be bug #193108, why is there no prewiew function in Launchpad?

Leon (leonbo) wrote :

I'm having this same problem. Phew, I thought I was the only one. Here's the full report: http://pastie.org/312856
And here some (I think) important lines:

*** glibc detected *** /usr/lib/firefox-3.0.3/firefox: double free or corruption (!prev): 0x00007fec8c0ff090 ***
7fec8b555000-7fec8b588000 r--p 00000000 08:07 213855 /usr/share/fonts/truetype/msttcorefonts/Arial_Italic.ttf
7fec8b588000-7fec8b5d2000 r--p 00000000 08:07 213863 /usr/share/fonts/truetype/msttcorefonts/Courier_New.ttf

Leon (leonbo) wrote :

My Display controller: Intel Corporation Mobile GM965/GL960 Integrated Graphics Controller (rev 0c)
Maybe it helps?

psypher (psypher246) wrote :

MEEE TOOO. I am so happy i found this. 3 days now I have been searching. EXACT same symptoms.

I'm running nVidia Corporation Quadro FX 1600M (rev a1)

psypher wrote:
> MEEE TOOO. I am so happy i found this. 3 days now I have been searching.
> EXACT same symptoms.
>
> I'm running nVidia Corporation Quadro FX 1600M (rev a1)
>
>
please try to use the _free_ nv driver for X instead of nvidia (or vv.).

Yossi Gil (yossi-gil) wrote :

I see this bug, even though I am using the free NVIDIA driver, and despite using none of the Indic fonts (Hebrew fonts are installed though).

Please help. Firefox is completely useless with this bug...

Yossi Gil (yossi-gil) wrote :

Seems as duplicate of 309539

I edited my /etc/

replacing the line reading

hosts: files mdns4_minimal [NOTFOUND=return] wins dns mdns4

by

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4

that is, removed the "wins" term from that line. This seems to have worked around the problem. No firefox crash any more.

Yossi Gil (yossi-gil) wrote :

that is, # /etc/nsswitch.conf

To Ubuntu Intrepid users experiencing these bugs:

For Debian, I prepared samba 3.2.5 packages that supposedly fix them:

  * Fix segfault whan accessign some NAS devices running old versions of Samba
    Closes: #500129
  * Fix process crush when using gethostbyname_r in several threads
    Closes: #509101, #510450

It would help a lot if you could test these packages. I suppose they
will work properly on Ubuntu Intrepid but I haven't check this in
reality.

These packages are apt-get'able:

deb http://pkg-samba.alioth.debian.org/packages-prospective/ ./
deb-src http://pkg-samba.alioth.debian.org/packages-prospective/ ./

Please note that using this source will upgrade any existing samba
binary package on your systems. No *other* package should be upgraded
by this operation.

If you use aptitude, I recommend you "simpulate" the upgrade:

aptitude update
aptitude -s upgrade

Please also note that reverting back to official Ubuntu packages would
be recommended after this test, otherwise you might be later left
with packages for which no more security updates will come.

Still, if some of you could test and report if issues are fixed, that
would help greatly to improve samba packages in Debian, which in turn
will participate to the improvement of samba packages in Ubuntu.

Pander (pander) wrote :

firefox 3.0.8+nobinonly-0ubuntu0.8.10.2 crashes on http://castor.org/download.html with a segfault, perhaps this is a case for this bug?

Download full text (9.9 KiB)

Started my firefox with gdb, did plugin update with it's automatically update checking.
The "Segmentation fault" was happened when auto-restarting firefox after plugin update. (It always happens, never mind.)
And then I choose to load my 250 tabs back to me, which are exist last time firefox crashs.
After few minutes, it hangs and not responding anymore.

matthew@Priapus:~/bug-report$ FoxyProxy settingsDir = /home/matthew/.mozilla/firefox/hpelwq2p.default
Segmentation fault
FoxyProxy settingsDir = /home/matthew/.mozilla/firefox/hpelwq2p.default
*** glibc detected *** /usr/lib/firefox-3.0.8/firefox: double free or corruption (out): 0xadb436f8 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7e0b454]
/lib/tls/i686/cmov/libc.so.6(cfree+0x96)[0xb7e0d4b6]
/usr/lib/xulrunner-1.9.0.8/libmozjs.so[0xb7d79fb3]
/usr/lib/xulrunner-1.9.0.8/libmozjs.so[0xb7d3900f]
/usr/lib/xulrunner-1.9.0.8/libmozjs.so(JS_GC+0x45)[0xb7d1563c]
/usr/lib/xulrunner-1.9.0.8/libxul.so[0xb7254140]
/usr/lib/xulrunner-1.9.0.8/libxul.so[0xb7a0a02e]
/usr/lib/xulrunner-1.9.0.8/libxul.so[0xb7a0a16d]
/usr/lib/xulrunner-1.9.0.8/libxul.so[0xb7603e5a]
/usr/lib/xulrunner-1.9.0.8/libxul.so[0xb7604112]
/usr/lib/xulrunner-1.9.0.8/libxul.so[0xb7a01162]
/usr/lib/xulrunner-1.9.0.8/libxul.so[0xb7a011d7]
/usr/lib/xulrunner-1.9.0.8/libxul.so[0xb79fec8c]
/usr/lib/xulrunner-1.9.0.8/libxul.so[0xb79cf5b0]
/usr/lib/xulrunner-1.9.0.8/libxul.so[0xb7952578]
/usr/lib/xulrunner-1.9.0.8/libxul.so[0xb77e7a28]
/usr/lib/xulrunner-1.9.0.8/libxul.so(XRE_main+0x1d5c)[0xb7248cf8]
/usr/lib/firefox-3.0.8/firefox[0x80491ab]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7db2685]
/usr/lib/firefox-3.0.8/firefox[0x8048d11]
======= Memory map: ========
08048000-0804f000 r-xp 00000000 08:01 593142 /usr/lib/firefox-3.0.8/firefox
0804f000-08050000 r--p 00006000 08:01 593142 /usr/lib/firefox-3.0.8/firefox
08050000-08051000 rw-p 00007000 08:01 593142 /usr/lib/firefox-3.0.8/firefox
098f4000-11a7b000 rw-p 098f4000 00:00 0 [heap]
a1800000-a18fe000 rw-p a1800000 00:00 0
a18fe000-a1900000 ---p a18fe000 00:00 0
a2d98000-a2d99000 ---p a2d98000 00:00 0
a2d99000-a3599000 rwxp a2d99000 00:00 0
a3599000-a359a000 ---p a3599000 00:00 0
a359a000-a3d9a000 rwxp a359a000 00:00 0
a3e00000-a3efa000 rw-p a3e00000 00:00 0
a3efa000-a3f00000 ---p a3efa000 00:00 0
a3fff000-a4000000 ---p a3fff000 00:00 0
a4000000-a4800000 rwxp a4000000 00:00 0
a4800000-a4a00000 rw-p a4800000 00:00 0
a4a00000-a4b00000 rw-p a4a00000 00:00 0
a4c00000-a4d00000 rw-p a4c00000 00:00 0
a4e00000-a4ef9000 rw-p a4e00000 00:00 0
a4ef9000-a4f00000 ---p a4ef9000 00:00 0
a4f00000-a4fc5000 rw-p a4f00000 00:00 0
a4fc5000-a5000000 ---p a4fc5000 00:00 0
a5000000-a50c1000 rw-p a5000000 00:00 0
a50c1000-a5100000 ---p a50c1000 00:00 0
a5847000-a5fb1000 r--p 00000000 08:01 40717 /usr/share/fonts/truetype/kochi/kochi-gothic-subst.ttf
a5fb1000-a6a00000 r--p 00000000 08:01 103616 /usr/share/fonts/truetype/wqy/wqy-zenhei.ttf
a6a00000-a6ac6000 rw-p a6a00000 00:00 0
a6ac6000-a6b00000 ---p a6ac6000 00:00 0
a6c00000-a6cfb000 rw-p a6c00000 00:00 0
a6cfb000-a6d00000 ---p a6cfb000 00:00 0
a6d00000-a6dff000 rw-p a6d00000 00:00...

Tim Pederick (pederick) wrote :
Download full text (14.9 KiB)

I'm having a similar but possibly not identical error (I got "realloc()" where others have "double free or corruption" or "malloc()"). Since installing pango-graphite last night, the Bookmarks toolbar and parts of many webpages (e.g. Gmail, thereifixedit.com) have large inter-word spacing, and Firefox crashes within a few clicks.

Firefox 3.0.14+build2+nobinonly-0ubuntu0.9.04.1 on Kubuntu Jaunty.

Why do I suspect that pango-graphite is responsible? Because it's the only rendering-related change I've made since everything was normal. And sure enough, after uninstalling it (and libgraphite3, to be safe), everything looks normal again and Firefox has stayed stable at least long enough to test for crashes, browse around a bit, get to Launchpad, and post this.

Here's the error info; ignore the "wrong ELF class" warnings, they're still around after uninstalling pango-graphite.

** (firefox:4843): WARNING **: Exception in gr::RangeSegment

** (firefox:4843): WARNING **: Exception in gr::RangeSegment

** (firefox:4843): WARNING **: Exception in gr::RangeSegment

[...Repeat ad nauseum...]

** (firefox:4843): WARNING **: Exception in gr::RangeSegment

** (firefox:4843): WARNING **: Exception in gr::RangeSegment

** (firefox:4843): WARNING **: Exception in gr::RangeSegment

** (firefox:4843): WARNING **: Exception in gr::RangeSegment
Gtk-Message: Failed to load module "canberra-gtk-module": /usr/lib/gtk-2.0/modules/libcanberra-gtk-module.so: wrong ELF class: ELFCLASS64

(npviewer.bin:4875): Gtk-WARNING **: /usr/lib/gtk-2.0/2.10.0/engines/libqtcurve.so: wrong ELF class: ELFCLASS64
*** glibc detected *** /usr/lib/firefox-3.0.14/firefox: realloc(): invalid next size: 0x0000000007ccbeb0 ***
======= Backtrace: =========
/lib/libc.so.6[0x7f3ab0087cb8]
/lib/libc.so.6[0x7f3ab008bf21]
/lib/libc.so.6(realloc+0x12e)[0x7f3ab008cdae]
/usr/lib/libglib-2.0.so.0(g_realloc+0x2e)[0x7f3aabe7693e]
/usr/lib/libpango-1.0.so.0(pango_glyph_string_set_size+0x3d)[0x7f3aaca0febd]
/usr/lib/pango/1.6.0/modules/pango-basic-fc.so[0x7f3a9f94f3da]
/usr/lib/libpango-1.0.so.0(pango_shape+0x4a)[0x7f3aaca26eba]
/usr/lib/xulrunner-1.9.0.14/libxul.so(_ZN17gfxPangoFontGroup24CreateGlyphRunsItemizingEP10gfxTextRunPKcjj+0x1fc)[0x7f3aaef937ea]
/usr/lib/xulrunner-1.9.0.14/libxul.so(_ZN17gfxPangoFontGroup11MakeTextRunEPKtjPKN17gfxTextRunFactory10ParametersEj+0x10e)[0x7f3aaef93b76] ...

John Vivirito (gnomefreak) wrote :

Sorry but Firefox-3.0 has reached EOL and will not get any more updates. Please test with latest stable version of Firefox-3.5 from our repos and if you can still reproduce this bug file a new one using apport

Changed in firefox-3.0 (Ubuntu):
status: Incomplete → Invalid
John Vivirito (gnomefreak) wrote :

sorry 3.0.18 will be released in Feb. this is as of yesterdays meeting

Changed in firefox-3.0 (Ubuntu):
status: Invalid → Confirmed
status: Confirmed → Incomplete
John Vivirito (gnomefreak) wrote :

Is this still seen in 3.0.17? and in 3.5

Pander (pander) wrote :

As for me and concerning EOL, this bug report can be closed unless someone else can still reproduce this.

Martin Erik Werner (arand) wrote :

Just to collect some structure, I'm insolently marking this as a dupe of Bug #540035.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers