occasional firefox@testing crashes in brotli module
firefox 46.0-r1 @testing crashes with following backtrace at times:

```
Thread 31 "firefox" received signal SIGSEGV, Segmentation fault.
[Switching to LWP 31952]
memcpy () at src/string/x86_64/memcpy.s:18
18 src/string/x86_64/memcpy.s: No such file or directory.
(gdb) where
#0 memcpy () at src/string/x86_64/memcpy.s:18
#1 0x00006c115e145e31 in memcpy (__n=48615, __os=, __od=) at /usr/include/fortify/string.h:51
#2 WriteRingBuffer (available_out=available_out@entry=0x6c115050e248, next_out=next_out@entry=0x6c115050e240, total_out=total_out@entry=0x1801851ace0, s=s@entry=0x180185198e0) at /home/tteras/aports/testing/firefox/src/firefox-46.0/modules/brotli/dec/decode.c:1161
#3 0x00006c115e149c2b in BrotliDecompressStream (available_in=available_in@entry=0x6c115050e250, next_in=next_in@entry=0x6c115050e238, available_out=available_out@entry=0x6c115050e248, next_out=next_out@entry=0x6c115050e240, total_out=0x1801851ace0, s=0x180185198e0) at /home/tteras/aports/testing/firefox/src/firefox-46.0/modules/brotli/dec/decode.c:2244
#4 0x00006c115c7bebf3 in mozilla::net::nsHTTPCompressConv::BrotliHandler (stream=, closure=0x1800f040fc0, dataIn=0x1800e9f0924 "", aAvail=13252, countRead=0x6c115052e2ec) at /home/tteras/aports/testing/firefox/src/firefox-46.0/netwerk/streamconv/converters/nsHTTPCompressConv.cpp:188
#5 0x00006c115c6fb9e0 in nsInputStreamTee::WriteSegmentFun (aIn=, aClosure=0x1800f041160, aFromSegment=0x1800e9ed560 "\a\363^\021\225\275\037.\242\242\325\303\"\022\363\001\320HY8\177\177\021\030\067\361\261\316\363=\365\373U\365\277?*\025\031\321\333\335\321X\360\366QS}\241\202\212\242\250\340\263\254eRH \025H\314L\024\254\253?\337f\365\365\253\322V\315^\n\350\364\301\234\344\352c\222\236L\207d\217\220r=\354\a(\226%\267$C\230.\374\377l\276:I\347\t\227\033j\312*\264\331\252\060T\236\062\320\356\333\267\006A\261?\270?h \232\035IfX\243\024\330\360\030Y\024\306Jq\231T9\275~\316\265\214\334t)\313_\352\344\377\337\253z\270\324\065\t\\\343\360M\313\326Bk\322{\337}\340\177Y@\262\r\276\244\016\331Y\313\v"..., aOffset=, aCount=, aWriteCount=0x6c115052e2ec) at /home/tteras/aports/testing/firefox/src/firefox-46.0/xpcom/io/nsInputStreamTee.cpp:200
#6 0x00006c115c704577 in nsPipeInputStream::ReadSegments (this=0x1800bcbf9e0, aWriter=0x6c115c6fb9cc , aClosure=0x1800f041160, aCount=13252, aReadCount=0x6c115052e374) at /home/tteras/aports/testing/firefox/src/firefox-46.0/xpcom/io/nsPipe3.cpp:1283
#7 0x00006c115c7bf538 in mozilla::net::nsHTTPCompressConv::OnDataAvailable (this=0x1800f040fc0, request=0x1800bc85c48, aContext=0x0, iStr=0x1800f041160, aSourceOffset=0, aCount=13252) at /home/tteras/aports/testing/firefox/src/firefox-46.0/netwerk/streamconv/converters/nsHTTPCompressConv.cpp:444
#8 0x00006c115c78664e in nsStreamListenerTee::OnDataAvailable (this=0x1800f0410c0, request=0x1800bc85c48, context=0x0, input=, offset=0, count=13252) at /home/tteras/aports/testing/firefox/src/firefox-46.0/netwerk/base/nsStreamListenerTee.cpp:93
#9 0x00006c115c8702f0 in mozilla::net::nsHttpChannel::OnDataAvailable (this=0x1800bc85c00, request=, ctxt=, input=0x1800bcbf9e0, offset=, count=13252) at /home/tteras/aports/testing/firefox/src/firefox-46.0/netwerk/protocol/http/nsHttpChannel.cpp:6092
#10 0x00006c115c779c84 in nsInputStreamPump::OnStateTransfer (this=this@entry=0x1800e1e5400) at /home/tteras/aports/testing/firefox/src/firefox-46.0/netwerk/base/nsInputStreamPump.cpp:603
#11 0x00006c115c779df3 in nsInputStreamPump::OnInputStreamReady (this=0x1800e1e5400, stream=) at /home/tteras/aports/testing/firefox/src/firefox-46.0/netwerk/base/nsInputStreamPump.cpp:430
#12 0x00006c115c6fe8ce in nsInputStreamReadyEvent::Run (this=0x1800f041120) at /home/tteras/aports/testing/firefox/src/firefox-46.0/xpcom/io/nsStreamUtils.cpp:94
#13 0x00006c115c7122c3 in nsThread::ProcessNextEvent (this=0x1800a351160, aMayWait=, aResult=0x6c115052e707)
---Type to continue, or q to quit---
 at /home/tteras/aports/testing/firefox/src/firefox-46.0/xpcom/threads/nsThread.cpp:995
#14 0x00006c115c72dc87 in NS_ProcessNextEvent (aThread=, aMayWait=aMayWait@entry=true) at /home/tteras/aports/testing/firefox/src/firefox-46.0/xpcom/glue/nsThreadUtils.cpp:297
#15 0x00006c115c92731e in mozilla::ipc::MessagePumpForNonMainThreads::Run (this=0x1800a356240, aDelegate=0x1800a352240) at /home/tteras/aports/testing/firefox/src/firefox-46.0/ipc/glue/MessagePump.cpp:355
#16 0x00006c115c917212 in MessageLoop::RunHandler (this=) at /home/tteras/aports/testing/firefox/src/firefox-46.0/ipc/chromium/src/base/message_loop.cc:227
#17 MessageLoop::Run (this=this@entry=0x1800a352240) at /home/tteras/aports/testing/firefox/src/firefox-46.0/ipc/chromium/src/base/message_loop.cc:201
#18 0x00006c115c715876 in nsThread::ThreadFunc (aArg=0x1800a351160) at /home/tteras/aports/testing/firefox/src/firefox-46.0/xpcom/threads/nsThread.cpp:401
#19 0x00006c115af4229e in ?? () from /usr/lib/libnspr4.so
#20 0x00006c11670b5487 in start (p=0x6c115052eab0) at src/thread/pthread_create.c:145
#21 0x00006c11670b7138 in __clone () at src/thread/x86_64/clone.s:21
Backtrace stopped: frame did not save the PC
(gdb) disassemble
Dump of assembler code for function memcpy:
   0x00006c11670b3b3d <+0>: mov %rdi,%rax
   0x00006c11670b3b40 <+3>: cmp $0x8,%rdx
   0x00006c11670b3b44 <+7>: jb 0x6c11670b3b5a <memcpy+29>
   0x00006c11670b3b46 <+9>: test $0x7,%edi
   0x00006c11670b3b4c <+15>: je 0x6c11670b3b5a <memcpy+29>
   0x00006c11670b3b4e <+17>: movsb %ds:(%rsi),%es:(%rdi)
   0x00006c11670b3b4f <+18>: dec %rdx
   0x00006c11670b3b52 <+21>: test $0x7,%edi
   0x00006c11670b3b58 <+27>: jne 0x6c11670b3b4e <memcpy+17>
   0x00006c11670b3b5a <+29>: mov %rdx,%rcx
   0x00006c11670b3b5d <+32>: shr $0x3,%rcx
=> 0x00006c11670b3b61 <+36>: rep movsq %ds:(%rsi),%es:(%rdi)
   0x00006c11670b3b64 <+39>: and $0x7,%edx
   0x00006c11670b3b67 <+42>: je 0x6c11670b3b6e <memcpy+49>
   0x00006c11670b3b69 <+44>: movsb %ds:(%rsi),%es:(%rdi)
   0x00006c11670b3b6a <+45>: dec %edx
   0x00006c11670b3b6c <+47>: jne 0x6c11670b3b69 <memcpy+44>
   0x00006c11670b3b6e <+49>: retq
End of assembler dump.
(gdb) info registers
rax            0x6c115050e258      118821617721944
rbx            0xbde7              48615
rcx            0x207               519
rdx            0xbde7              48615
rsi            0x6c1144a09dc8      118821421620680
rdi            0x6c1150519000      118821617766400
rbp            0xbde7              0xbde7
rsp            0x6c115050e148      0x6c115050e148
r8             0x6c11449ff020      118821421576224
r9             0x3a                58
r10            0x300000000000000   216172782113783808
r11            0x1800e9f0917       1649512745239
r12            0x6c115050e248      118821617721928
r13            0x6c115050e240      118821617721920
r14            0x1801851ace0       1649675447520
r15            0x180185198e0       1649675442400
rip            0x6c11670b3b61      0x6c11670b3b61 <memcpy+36>
eflags         0x10203             [ CF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
```

Seems to be brotli bug.
(from redmine: issue id 5559, created on 2016-05-13, closed on 2017-04-07)
- Changesets:
- Revision d4346ba2 by Natanael Copa on 2016-05-25T21:22:54Z:
testing/firefox: fix stack overflow in brotli decompressor
fixes #5559
https://bugzilla.mozilla.org/show_bug.cgi?id=1274732