Date: Sun, 5 Oct 2008 16:32:56 -0700
From: Jos Backus
To: Tim Kientzle
Cc: Andrey Chernov, freebsd-current@freebsd.org
Subject: Re: firefox3-bin crashes near arc4random_buf()
Message-ID: <20081005233256.GB8507@lizzy.catnook.local>
In-Reply-To: <48E80F02.4070309@freebsd.org>

On Sat, Oct 04, 2008 at 05:49:06PM -0700, Tim Kientzle wrote:
> First, you need to share the first items in the
> backtrace, as they're more likely to be correct.
> I agree with Andrey that it looks like there's
> some stack corruption, so it's hard to trust
> anything except the first couple of entries.

Attached is a tarball containing firefox3.gdb which has the full output of
`bt'. Unfortunately it doesn't tell me very much more.

> You should also look at several independent core
> dumps and see how much the backtraces have in common.

I watched it crash a bunch more times and the backtraces are the same. That's
good, right? :-)

> It might also be worth running it under ktrace,
> forcing the crash, then sharing the last few dozen
> lines from kdump output.

Also attached is firefox3.kdump. The last few lines look like:

  6855 firefox-bin RET clock_gettime 0
  6855 firefox-bin CALL _umtx_op(0x8179760,0x8,0x1,0x8179740,0xbf8fdddc)
  6855 firefox-bin PSIG SIGSEGV caught handler=0x28237290 mask=0x0 code=0x1
  6855 firefox-bin CALL unlink(0x8179600)
  6855 firefox-bin NAMI "/home/jos/.mozilla/firefox/tosfxhak.default/lock"
  6855 firefox-bin RET unlink 0
  6855 firefox-bin CALL sigaction(SIGSEGV,0x2978dfb4,0)
  6855 firefox-bin RET sigaction 0
  6855 firefox-bin CALL sigprocmask(SIG_UNBLOCK,0xbf4f906c,0)
  6855 firefox-bin RET sigprocmask 0
  6855 firefox-bin CALL thr_kill(0x1878c,SIGSEGV)
  6855 firefox-bin RET thr_kill 0
  6855 firefox-bin PSIG SIGSEGV SIG_DFL
  6855 firefox-bin NAMI "firefox-bin.core"
  6855 firefox-bin RET poll -1 errno 4 Interrupted system call
  6855 firefox-bin RET _umtx_op -1 errno 4 Interrupted system call
  6855 firefox-bin RET _umtx_op -1 errno 4 Interrupted system call
  6855 firefox-bin RET _umtx_op -1 errno 60 Operation timed out
  6855 firefox-bin RET _umtx_op -1 errno 4 Interrupted system call
  6850 sh RET wait4 6855/0x1ac7
  6850 sh CALL write(0x1,0x814e400,0x21)
  6850 sh GIO fd 1 wrote 33 bytes
       "Segmentation fault (core dumped)
       "
  6850 sh RET write 33/0x21
  6850 sh CALL exit(0x8b)
  6846 sh RET wait4 6850/0x1ac2
  6846 sh CALL exit(0x8b)

This to me suggests that the segfault happens inside _umtx_op. Am I reading
that correctly?

Thanks for looking into this!

-- 
Jos Backus
jos at catnook.com