Ubuntu
firefox package

Firefox crashes when a plugin calls freopen()

Bug #810214 reported by penalvch on 2011-07-13

This bug affects 6 people

	Status	Importance	Assigned to	Milestone
Mozilla Firefox	Fix Released	Critical	mozilla-bugs #699734	Mozilla Firefox 11
firefox (Ubuntu)	Fix Released	Undecided	Unassigned
iceweasel (Debian)	Fix Released	Unknown	debbugs #619579

Bug Description

1) lsb_release -rd
Description: Ubuntu 11.04
Release: 11.04

2) apt-cache policy mozilla-plugin-vlc
mozilla-plugin-vlc:
  Installed: 1.1.9-1ubuntu1.2
  Candidate: 1.1.9-1ubuntu1.2
  Version table:
*** 1.1.9-1ubuntu1.2 0
        500 http://us.archive.ubuntu.com/ubuntu/ natty-updates/universe i386 Packages
        100 /var/lib/dpkg/status
     1.1.9-1ubuntu1.1 0
        500 http://security.ubuntu.com/ubuntu/ natty-security/universe i386 Packages
     1.1.9-1ubuntu1 0
        500 http://us.archive.ubuntu.com/ubuntu/ natty/universe i386 Packages

apt-cache policy firefox
firefox:
  Installed: 5.0+build1+nobinonly-0ubuntu0.11.04.2
  Candidate: 5.0+build1+nobinonly-0ubuntu0.11.04.2
  Version table:
*** 5.0+build1+nobinonly-0ubuntu0.11.04.2 0
        500 http://us.archive.ubuntu.com/ubuntu/ natty-updates/main i386 Packages
        500 http://security.ubuntu.com/ubuntu/ natty-security/main i386 Packages
        100 /var/lib/dpkg/status
     4.0+nobinonly-0ubuntu3 0
        500 http://us.archive.ubuntu.com/ubuntu/ natty/main i386 Packages

3) What is expected to happen in Firefox is when one visits the website:

http://media.thrashermagazine.com/FiringLine_PatPasquale.mp4

mozilla-plugin-vlc plays the video with no problem.

4) What happens instead is Firefox crashes, with a prompt to report this to Mozilla instead of an apport to Launchpad. The about:crashes link may be found at:
https://crash-stats.mozilla.com/report/index/c6f47bc4-e936-469d-bcf2-b13352110713

WORKAROUND: Open in VLC via the Terminal:

wget http://media.thrashermagazine.com/FiringLine_PatPasquale.mp4 && vlc FiringLine_PatPasquale.mp4

the video plays correctly.

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: mozilla-plugin-vlc 1.1.9-1ubuntu1.2
ProcVersionSignature: Ubuntu 2.6.38-10.46-generic 2.6.38.7
Uname: Linux 2.6.38-10-generic i686
NonfreeKernelModules: fglrx
Architecture: i386
Date: Wed Jul 13 19:35:14 2011
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release i386 (20101007)
ProcEnviron:
LANGUAGE=en_US:en
PATH=(custom, user)
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: vlc
UpgradeStatus: Upgraded to natty on 2011-05-14 (60 days ago)

Tags:

Revision history for this message

penalvch (penalvch) wrote on 2011-07-13:

gdb-firefox.txt Edit (84.8 KiB, text/plain)
Dependencies.txt Edit (4.3 KiB, text/plain; charset="utf-8")
RelatedPackageVersions.txt Edit (655 bytes, text/plain; charset="utf-8")

Revision history for this message

penalvch (penalvch) wrote on 2011-07-13:

about-plugins.odt Edit (28.6 KiB, application/vnd.oasis.opendocument.text)

Revision history for this message

Rémi Denis-Courmont (rdenis) wrote on 2011-07-14:

It's crashing while trying to close a FILE pointer from within glibc freopen() from within the lua5.1 file loader. This smells quite fishy. Can you post a valgrind trace?

Changed in vlc (Ubuntu):
status:	New → Incomplete

Revision history for this message

penalvch (penalvch) wrote on 2011-07-15:

valgrind.log Edit (3.8 KiB, text/plain)

Changed in vlc (Ubuntu):
status:	Incomplete → New

Revision history for this message

Rémi Denis-Courmont (rdenis) wrote on 2011-07-15:

Uh? Did you actually reproduce the problem under valgrind? I can't even see VLC messages...

Changed in vlc (Ubuntu):
status:	New → Incomplete

Bug Watch Updater (bug-watch-updater) on 2011-07-15

Changed in vlc (Debian):
status:	Unknown → New

Revision history for this message

penalvch (penalvch) wrote on 2011-07-15:

Rémi Denis-Courmont:

> Uh? Did you actually reproduce the problem under valgrind? I can't even see VLC messages...

Yes. I followed the recommendations from https://wiki.ubuntu.com/Valgrind and performed the following to produce the log at the Terminal:

G_SLICE=always-malloc G_DEBUG=gc-friendly valgrind -v --tool=memcheck --leak-check=full --num-callers=40 --log-file=valgrind.log firefox

then pasted the above mentioned link into the address bar, hit enter, crash, click Quit Firefox button in report to Mozilla window, then saved valgrind log to this bug.

apt-cache policy valgrind
valgrind:
  Installed: 1:3.6.1-0ubuntu1
  Candidate: 1:3.6.1-0ubuntu1
  Version table:
*** 1:3.6.1-0ubuntu1 0
        500 http://us.archive.ubuntu.com/ubuntu/ natty/main i386 Packages
        100 /var/lib/dpkg/status

Changed in vlc (Ubuntu):
status:	Incomplete → New

Bug Watch Updater (bug-watch-updater) on 2011-08-10

Changed in vlc (Debian):
status:	New → Incomplete

Revision history for this message

Rémi Denis-Courmont (rdenis) wrote on 2011-08-24:

Detailled valgrind trace is available on the Debian bug report. It did not help much though :-(

Rémi Denis-Courmont (rdenis) on 2011-09-23

Changed in vlc (Ubuntu):
status:	New → Confirmed
summary:	- Firefox crashes using mozilla-plugin-vlc on mp4 video + Firefox crashes using mozilla-plugin-vlc inside liblua

Revision history for this message

Rémi Denis-Courmont (rdenis) wrote on 2011-10-17: Re: Firefox crashes using mozilla-plugin-vlc inside liblua

Download full text (5.4 KiB)

So I reproduced the bug (on Debian/Iceweasel anyway) and stepped through the Lua code. I cannot see anything wrong: Lua calls fopen(filename, "r") which returns a valid FILE pointer, then it calls getc(fp) and then freopen(filename, "rb", fp). freopen() crashes while trying to close the fp. This crashes under Firefox, but not under VLC self.

Interestingly, in VLC, the FILE pointer has more data, and is directed to a different close function inside glibc:

_IO_new_file_close_it (fp=0x814e4b8) at fileops.c:165
165 fileops.c: Aucun fichier ou dossier de ce type.
        in fileops.c
(gdb) p *fp
$2 = {_flags = -72539000, _IO_read_ptr = 0xb7fcc001 "LuaQ",
  _IO_read_end = 0xb7fcc9b2 "", _IO_read_base = 0xb7fcc000 "\033LuaQ",
  _IO_write_base = 0xb7fcc000 "\033LuaQ",
  _IO_write_ptr = 0xb7fcc000 "\033LuaQ",
  _IO_write_end = 0xb7fcc000 "\033LuaQ", _IO_buf_base = 0xb7fcc000 "\033LuaQ",
  _IO_buf_end = 0xb7fcd000 "\177ELF\001\001\001", _IO_save_base = 0x0,
  _IO_backup_base = 0x0, _IO_save_end = 0x0, _markers = 0x0,
  _chain = 0xb7e8e560, _fileno = 10, _flags2 = 0, _old_offset = 0,
  _cur_column = 0, _vtable_offset = 0 '\000', _shortbuf = "",
  _lock = 0x814e550, _offset = -1, _codecvt = 0x0, _wide_data = 0x814e55c,
  _freeres_list = 0x0, _freeres_buf = 0x0, _freeres_size = 0, _mode = -1,
  _unused2 = '\000' <repeats 39 times>}
(gdb) bt
#0 _IO_new_file_close_it (fp=0x814e4b8) at fileops.c:165
#1 0xb7daba1d in freopen (
    filename=0x8150830 "/usr/lib/vlc/lua/playlist/anevia_streams.luac",
    mode=0xb6b599a8 "rb", fp=0x814e4b8) at freopen.c:69
#2 0xb6b4e115 in luaL_loadfile (L=0x81487e8,
    filename=0x8150830 "/usr/lib/vlc/lua/playlist/anevia_streams.luac")
    at lauxlib.c:574
#3 0xb6b6ccbd in probe_luascript ()
   from /usr/lib/vlc/plugins/misc/liblua_plugin.so
#4 0xb6b6f4b7 in vlclua_scripts_batch_execute ()
   from /usr/lib/vlc/plugins/misc/liblua_plugin.so
#5 0xb6b6d314 in Import_LuaPlaylist ()
   from /usr/lib/vlc/plugins/misc/liblua_plugin.so
#6 0xb7f4c260 in module_need () from /usr/lib/libvlccore.so.4
#7 0xb7ef6ce3 in __demux_New () from /usr/lib/libvlccore.so.4
#8 0xb7f05a6e in InputSourceInit () from /usr/lib/libvlccore.so.4
#9 0xb7f06df9 in Init () from /usr/lib/libvlccore.so.4
#10 0xb7f0b20c in Run () from /usr/lib/libvlccore.so.4
#11 0xb7f51a19 in thread_entry () from /usr/lib/libvlccore.so.4
#12 0xb7e9b944 in start_thread (arg=0xb7828b70) at pthread_create.c:304
#13 0xb7e18d9e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
Backtrace stopped: Not enough registers or memory available to unwind further
(gdb) p _IO_stdin_used
$3 = 131073

but Firefox (actually Iceweasel):

Interestingly, in VLC, the FILE pointer has more data, and is directed to a different close function inside glibc:

_IO_new_file_close_it (fp=0x814e4b8) at fileops.c:165
165     fileops.c: Aucun fichier ou dossier de ce type.
        in fileops.c
(gdb) p *fp
$2 = {_flags = -72539000, _IO_read_ptr = 0xb7fcc001 "LuaQ", 
  _IO_read_end = 0xb7fcc9b2 "", _IO_read_base = 0xb7fcc000 "\033LuaQ", 
  _IO_write_base = 0xb7fcc000 "\033LuaQ", 
  _IO_write_ptr = 0xb7fcc000 "\033LuaQ", 
  _IO_write_end = 0xb7fcc000 "\033LuaQ", _IO_buf_base = 0xb7fcc000 "\033LuaQ", 
  _IO_buf_end = 0xb7fcd000 "\177ELF\001\001\001", _IO_save_base = 0x0, 
  _IO_backup_base = 0x0, _IO_save_end = 0x0, _markers = 0x0, 
  _chain = 0xb7e8e560, _fileno = 10, _flags2 = 0, _old_offset = 0, 
  _cur_column = 0, _vtable_offset = 0 '\000', _shortbuf = "", 
  _lock = 0x814e550, _offset = -1, _codecvt = 0x0, _wide_data = 0x814e55c, 
  _freeres_list = 0x0, _freeres_buf = 0x0, _freeres_size = 0, _mode = -1, 
  _unused2 = '\000' <repeats 39 times>}
(gdb) bt
#0  _IO_new_file_close_it (fp=0x814e4b8) at fileops.c:165
#1  0xb7daba1d in freopen (
    filename=0x8150830 "/usr/lib/vlc/lua/playlist/anevia_streams.luac", 
    mode=0xb6b599a8 "rb", fp=0x814e4b8) at freopen.c:69
#2  0xb6b4e115 in luaL_loadfile (L=0x81487e8, 
    filename=0x8150830 "/usr/lib/vlc/lua/playlist/anevia_streams.luac")
    at lauxlib.c:574
#3  0xb6b6ccbd in probe_luascript ()
   from /usr/lib/vlc/plugins/misc/liblua_plugin.so
#4  0xb6b6f4b7 in vlclua_scripts_batch_execute ()
   from /usr/lib/vlc/plugins/misc/liblua_plugin.so
#5  0xb6b6d314 in Import_LuaPlaylist ()
   from /usr/lib/vlc/plugins/misc/liblua_plugin.so
#6  0xb7f4c260 in module_need () from /usr/lib/libvlccore.so.4
#7  0xb7ef6ce3 in __demux_New () from /usr/lib/libvlccore.so.4
#8  0xb7f05a6e in InputSourceInit () from /usr/lib/libvlccore.so.4
#9  0xb7f06df9 in Init () from /usr/lib/libvlccore.so.4
#10 0xb7f0b20c in Run () from /usr/lib/libvlccore.so.4
#11 0xb7f51a19 in thread_entry () from /usr/lib/libvlccore.so.4
#12 0xb7e9b944 in start_thread (arg=0xb7828b70) at pthread_create.c:304
#13 0xb7e18d9e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
Backtrace stopped: Not enough registers or memory available to unwind further
(gdb) p _IO_stdin_used
$3 = 131073

but Firefox (actually Iceweasel):

Program received signal SIGSEGV, Segmentation fault.
0xb76c0a14 in _IO_old_file_close_it (fp=0xa92c7040) at oldfileops.c:158
158     oldfileops.c: Aucun fichier ou dossier de ce type.
        in oldfileops.c
(gdb) p *fp
$1 = {_flags = -72539000, _IO_read_ptr = 0xb2d05001 "LuaQ", 
  _IO_read_end = 0xb2d059b2 "", _IO_read_base = 0xb2d05000 "\033LuaQ", 
  _IO_write_base = 0xb2d05000 "\033LuaQ", 
  _IO_write_ptr = 0xb2d05000 "\033LuaQ", 
  _IO_write_end = 0xb2d05000 "\033LuaQ", _IO_buf_base = 0xb2d05000 "\033LuaQ", 
  _IO_buf_end = 0xb2d06000 "\336\022\004\225", _IO_save_base = 0x0, 
  _IO_backup_base = 0x0, _IO_save_end = 0x0, _markers = 0x0, 
  _chain = 0xb76fa920, _fileno = 56, _flags2 = 0, _old_offset = -1492835812, 
  _cur_column = 0, _vtable_offset = 0 '\000', _shortbuf = "\247", 
  _lock = 0xa92c70d8}
(gdb) bt
#0  0xb76c0a14 in _IO_old_file_close_it (fp=0xa92c7040) at oldfileops.c:158
#1  0xb7617894 in freopen (
    filename=0xa97489a0 "/usr/lib/vlc/lua/playlist/anevia_streams.luac", 
    mode=0xa6e939a8 "rb", fp=0xa92c7040) at freopen.c:62
#2  0xa6e88115 in luaL_loadfile (L=0xac6de060, 
    filename=0xa97489a0 "/usr/lib/vlc/lua/playlist/anevia_streams.luac")
    at lauxlib.c:574
#3  0xa6ebccbd in probe_luascript ()
   from /usr/lib/vlc/plugins/misc/liblua_plugin.so
#4  0xa6ebf4b7 in vlclua_scripts_batch_execute ()
   from /usr/lib/vlc/plugins/misc/liblua_plugin.so
#5  0xa6ebd314 in Import_LuaPlaylist ()
   from /usr/lib/vlc/plugins/misc/liblua_plugin.so
#6  0xa899c260 in module_need () from /usr/lib/libvlccore.so.4
#7  0xa8946ce3 in __demux_New () from /usr/lib/libvlccore.so.4
#8  0xa8955a6e in InputSourceInit () from /usr/lib/libvlccore.so.4
#9  0xa8956df9 in Init () from /usr/lib/libvlccore.so.4
#10 0xa895b20c in Run () from /usr/lib/libvlccore.so.4
#11 0xa89a1a19 in thread_entry () from /usr/lib/libvlccore.so.4
#12 0xb7703944 in start_thread (arg=0xa887fb70) at pthread_create.c:304
#13 0xb7684d9e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
Backtrace stopped: Not enough registers or memory available to unwind further
(gdb) p _IO_stdin_used
Address of symbol "_IO_stdin_used" is unknown.

And voilà! For whatever reasons, the Firefox binary fails to define _IO_stdin_used even though it's  linked against a "recent" (e)glibc ABI, causing freopen() to wrongly enter the antique GLibc 2.1 libio support.

There are several ways to fix this. The correct one consists of fixing the Firefox linking flags or whatever in the Firefox build system causes _IO_stdin_used not to be defined in the binary. Alternatively, you could work around it by dropping support for GLibc 2.0-2.1 ABI compatibility in (e)glibc. Or you could hack all freopen()ing libraries to define the symbol (probably not a good nor practical idea). That's not my call.

Reassigning to firefox and glibc.

affects:

vlc (Ubuntu) → firefox (Ubuntu)

Bug Watch Updater (bug-watch-updater) on 2011-10-18

Changed in vlc (Debian):
status:	Incomplete → New

Revision history for this message

Launchpad Janitor (janitor) wrote on 2011-10-26:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in eglibc (Ubuntu):
status:	New → Confirmed

Rémi Denis-Courmont (rdenis) on 2011-10-29

affects:

vlc (Debian) → iceweasel (Debian)

Rémi Denis-Courmont (rdenis) on 2011-10-29

summary:

- Firefox crashes using mozilla-plugin-vlc inside liblua
+ Firefox crashes when a plugin calls freopen()

Revision history for this message

In Mozilla Bugzilla #699734, Mh+mozilla (mh+mozilla) wrote on 2011-11-04:

#10

I got the craziest crash happening on sparc linux, when running xpcshell with jemalloc enabled, it crashes in "setbuf(stdout, 0);" (which is a libc function).

It turns out this is due to the fact that the _IO_stdin_used symbol is not exported, because of the version script used to hide most symbols from programs. No idea why this only crashes on sparc, though.

Revision history for this message

In Mozilla Bugzilla #699734, Mh+mozilla (mh+mozilla) wrote on 2011-11-04:

#11

Created attachment 571903
Export the _IO_stdin_used symbol

Revision history for this message

In Mozilla Bugzilla #699734, Mh+mozilla (mh+mozilla) wrote on 2011-11-18:

#12

http://hg.mozilla.org/integration/mozilla-inbound/rev/109b2416d243

Revision history for this message

In Mozilla Bugzilla #699734, Bmo-edmorley (bmo-edmorley) wrote on 2011-11-19:

#13

https://hg.mozilla.org/mozilla-central/rev/109b2416d243

Bug Watch Updater (bug-watch-updater) on 2011-11-24

Changed in firefox:
importance:	Unknown → Critical
status:	Unknown → Fix Released

Bug Watch Updater (bug-watch-updater) on 2011-11-24

Changed in iceweasel (Debian):
status:	New → Fix Released

Micah Gersten (micahg) on 2011-11-24

Changed in firefox:
milestone:	none → 11

Revision history for this message

In Mozilla Bugzilla #699734, Reuben Morais (reuben-morais) wrote on 2011-12-14:

#14

This also affected x86 (https://crash-stats.mozilla.com/report/index/bp-696816ab-e67c-4beb-b60e-defec2111214 / https://launchpad.net/bugs/810214), should we ship this earlier than Firefox 11?

Revision history for this message

penalvch (penalvch) wrote on 2012-03-25:

#15

This is fixed in Precise.

lsb_release -rd
Description: Ubuntu precise (development branch)
Release: 12.04

apt-cache policy firefox
firefox:
  Installed: 11.0+build1-0ubuntu1
  Candidate: 11.0+build1-0ubuntu1
  Version table:
*** 11.0+build1-0ubuntu1 0
        500 http://us.archive.ubuntu.com/ubuntu/ precise/main i386 Packages
        100 /var/lib/dpkg/status

apt-cache policy mozilla-plugin-vlc
mozilla-plugin-vlc:
  Installed: 2.0.0-1
  Candidate: 2.0.0-1
  Version table:
*** 2.0.0-1 0
        500 http://us.archive.ubuntu.com/ubuntu/ precise/universe i386 Packages
        100 /var/lib/dpkg/status

Changed in firefox (Ubuntu):
status:	Confirmed → Fix Released
no longer affects:	eglibc (Ubuntu)

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Add attachment

Remote bug watches

debbugs #619579
[done normal] Edit
mozilla-bugs #699734
[RESOLVED FIXED] Edit

Bug watches keep track of this bug in other bug trackers.

Ubuntufirefox package

Firefox crashes when a plugin calls freopen()

Bug Description

Duplicates of this bug

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
firefox package