From: Jos Backus <jos@catnook.com>
To: Tim Kientzle
Cc: Andrey Chernov, freebsd-current@freebsd.org
Date: Thu, 9 Oct 2008 09:38:55 -0700
Subject: Re: firefox3-bin crashes near arc4random_buf()

On Tue, Oct 07, 2008 at 06:50:09PM -0700, Tim Kientzle wrote:
> This is a lot more interesting. This points to a crash
> within libc's db code. Somehow, it's trying to compute
> a hash for some element with length -10618, which is
> getting converted to an unsigned 4294956678, which is
> causing the crash.
>
> Does Firefox have knobs to use a newer Berkeley DB?

Not that I am aware of. Maybe I should ask ports@...

> I can't
> recall whether newer Berkeley DB versions are thread-safe but
> I'm pretty sure the old version in our libc isn't. If Firefox
> is assuming the BDB code is thread-safe that could certainly
> cause corruption of the BDB data with all sorts of unpleasant
> consequences. That's just a random guess, though. Maybe someone
> else on this mailing list knows better.

I think you're on to something.

Also, I have found a reliable way to cause the crash. It happens when I go to
https://wellpointnextrx.com/ and try to accept the cert for the session.

-- 
Jos Backus
jos at catnook.com
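
The length conversion described in the quoted text, as an added example (not code from this thread or from FreeBSD's libc): a signed length of -10618 becomes 4294956678 when passed as an unsigned 32-bit length, and a check before hashing rejects it. The hash function, `struct entry`, and `hash_entry_checked` are hypothetical stand-ins; the sample key is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in byte hash (FNV-1a); NOT the hash used by libc's db code. */
static uint32_t hash_bytes(const void *key, size_t len)
{
    const unsigned char *p = key;
    uint32_t h = 2166136261u;
    while (len--) {
        h ^= *p++;
        h *= 16777619u;
    }
    return h;
}

/* Hypothetical record: the length is stored signed, so a corrupted
 * entry can carry a negative value. */
struct entry {
    int32_t len;
    const unsigned char *data;
};

/* The value an unchecked caller would hand to an unsigned length parameter. */
static uint32_t as_unsigned_len(int32_t len)
{
    return (uint32_t)len;
}

/* Hash only if the length is non-negative and fits inside the buffer
 * that holds the entry. Returns 0 on success, -1 if the entry is corrupt. */
static int hash_entry_checked(const struct entry *e, size_t buf_size, uint32_t *out)
{
    if (e->len < 0 || (size_t)e->len > buf_size)
        return -1;
    *out = hash_bytes(e->data, (size_t)e->len);
    return 0;
}

int main(void)
{
    static const unsigned char buf[64] = "constructed sample key";
    struct entry bad = { -10618, buf }, good = { 22, buf };
    uint32_t h = 0;
    printf("-10618 as unsigned: %u\n", (unsigned)as_unsigned_len(bad.len));
    printf("corrupt entry -> %d\n", hash_entry_checked(&bad, sizeof buf, &h));
    printf("valid entry   -> %d\n", hash_entry_checked(&good, sizeof buf, &h));
    return 0;
}
```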