Bug 16747

Summary: crash in glib : g_ascii_strcasecmp
Product: swfdec
Reporter: MALET Jean-Luc <jeanluc.malet>
Component: plugin
Assignee: swfdec ml <swfdec>
Status: NEW
QA Contact: swfdec ml <swfdec>
Severity: blocker
Priority: medium
CC: bugs.freedesktop
Version: 0.6.6
Hardware: x86-64 (AMD64)
OS: Linux (All)

Description MALET Jean-Luc 2008-07-16 14:07:49 UTC
here is the backtrace 
I was trying to reproduce another issue about an unknown property in movie that also causes a crash....
firefox is 3.0

(gdb) bt
#0  0x00007fe19029a64a in g_ascii_strcasecmp () from /usr/lib/libglib-2.0.so.0
#1  0x00007fe17f5f9064 in ?? ()
   from /usr/lib/firefox-3.0/plugins/libswfdecmozilla.so
#2  0x00007fe19349fb1c in ?? () from /usr/lib/firefox-3.0/libxul.so
#3  0x00007fe19349fbc0 in ?? () from /usr/lib/firefox-3.0/libxul.so
#4  0x00007fe1934ae867 in ?? () from /usr/lib/firefox-3.0/libxul.so
#5  0x00007fe1934a3cf7 in ?? () from /usr/lib/firefox-3.0/libxul.so
#6  0x00007fe1934adf0e in ?? () from /usr/lib/firefox-3.0/libxul.so
#7  0x00007fe192f93b47 in ?? () from /usr/lib/firefox-3.0/libxul.so
#8  0x00007fe192f97e5a in ?? () from /usr/lib/firefox-3.0/libxul.so
#9  0x00007fe1930c88eb in ?? () from /usr/lib/firefox-3.0/libxul.so
#10 0x00007fe1930c8df9 in ?? () from /usr/lib/firefox-3.0/libxul.so
#11 0x00007fe19366a26a in ?? () from /usr/lib/firefox-3.0/libxul.so
#12 0x00007fe193635e1b in ?? () from /usr/lib/firefox-3.0/libxul.so
#13 0x00007fe19358cc6d in ?? () from /usr/lib/firefox-3.0/libxul.so
#14 0x00007fe193432c52 in ?? () from /usr/lib/firefox-3.0/libxul.so
#15 0x00007fe192da75fa in XRE_main () from /usr/lib/firefox-3.0/libxul.so
#16 0x0000000000400fa1 in ?? ()
#17 0x00007fe18f2b6146 in __libc_start_main () from /lib64/libc.so.6
#18 0x0000000000400c59 in ?? ()
#19 0x00007fffe4f89388 in ?? ()
#20 0x000000000000001c in ?? ()
#21 0x0000000000000001 in ?? ()
Comment 1 Riccardo Magliocchetti 2008-07-17 00:53:14 UTC
Jean-Luc, please provide a test case where the crash is reproducible.
Comment 2 MALET Jean-Luc 2008-07-22 05:39:57 UTC
hi, sorry for the late reply
the issue seems to be reproducible on each video I try to open.
I can rebuild the swfdec components with debug symbols if you want
best Regards
JLM
Comment 3 Riccardo Magliocchetti 2008-07-22 06:01:06 UTC
(In reply to comment #2)
> hi, sorry for the late reply

Hi, don't worry :)

> the issue seems to be reproducible on each video I try to open.

from which site?

> I can rebuild the swfdec components with debug symbols if you want

That would be helpful.
Comment 4 MALET Jean-Luc 2008-07-22 14:37:55 UTC
hi,
here are today's tests

the webpage that causes the crash is http://www.youtube.com/watch?v=IEt7lY-tlW4

after recompiling I got this error :

Unsupported movie property ͒����������͒�������������������������������������������������������������������������������������������������������������������8���������������������������������������������������������������������������������������������������������������������������D��� �������D��� with value "http://s.ytimg.com/yt/swf/watch-vfl47060.swf"
Unsupported movie property . with value "movie_player"
�N with value "movie_player"
Unsupported movie propertyO with value "#FFFFFF"
Unsupported movie property I��L�L$0L�D$(H�|$ H�t$H�T$H�LH�$H��HA��f�H��PH�$H�TL�D$L�L$H�L$ H�t$(H�|$0H�l$8H�D$`H�D$@H�LH�T$`H�t$XI��L�L�H��H�|$PL�D$H�p���I��H�TL�D$L�L$H�$L�T$HM��yH�L$ H�t$(H�|$0H��`A��H�\$HH�t$hH��L��I�I���L)�H��H���H�H�K H�s(H�{0A��H��H��HH��H�H�AI �y0�y@H�T$PH��$� with value "high"

Program received signal SIGSEGV, Segmentation fault.
0x00007f4f023fe64a in g_ascii_strcasecmp () from /usr/lib/libglib-2.0.so.0
(gdb) bt
#0  0x00007f4f023fe64a in g_ascii_strcasecmp () from /usr/lib/libglib-2.0.so.0
#1  0x00007f4ef1cf9064 in ?? () from /usr/lib/firefox-3.0.1/plugins/libswfdecmozilla.so
#2  0x00007f4f05604b8c in ?? () from /usr/lib/firefox-3.0.1/libxul.so
#3  0x00007f4f05604c30 in ?? () from /usr/lib/firefox-3.0.1/libxul.so
#4  0x00007f4f056138d7 in ?? () from /usr/lib/firefox-3.0.1/libxul.so
#5  0x00007f4f05608d67 in ?? () from /usr/lib/firefox-3.0.1/libxul.so
#6  0x00007f4f05612f7e in ?? () from /usr/lib/firefox-3.0.1/libxul.so
#7  0x00007f4f050f8ad7 in ?? () from /usr/lib/firefox-3.0.1/libxul.so
#8  0x00007f4f050fcdea in ?? () from /usr/lib/firefox-3.0.1/libxul.so
#9  0x00007f4f0522d95b in ?? () from /usr/lib/firefox-3.0.1/libxul.so
#10 0x00007f4f0522de69 in ?? () from /usr/lib/firefox-3.0.1/libxul.so
#11 0x00007f4f057cf2fa in ?? () from /usr/lib/firefox-3.0.1/libxul.so
#12 0x00007f4f0579aeab in ?? () from /usr/lib/firefox-3.0.1/libxul.so
#13 0x00007f4f056f1cdd in ?? () from /usr/lib/firefox-3.0.1/libxul.so
#14 0x00007f4f05597cb2 in ?? () from /usr/lib/firefox-3.0.1/libxul.so
#15 0x00007f4f04f0c20a in XRE_main () from /usr/lib/firefox-3.0.1/libxul.so
#16 0x0000000000400fa1 in ?? ()
#17 0x00007f4f0141a146 in __libc_start_main () from /lib64/libc.so.6
#18 0x0000000000400c59 in ?? ()
#19 0x00007fff0e575948 in ?? ()
#20 0x000000000000001c in ?? ()
#21 0x0000000000000001 in ?? ()
#22 0x00007fff0e577672 in ?? ()
#23 0x0000000000000000 in ?? ()

which is the original error I was looking at....

I then redid the test with the debugging symbols (forgot to remove stripping before)
I don't have the same error, but I have

(gdb) bt
#0  0x00007fff439c990a in ?? ()
#1  0x00007f2f3b7c50c2 in ?? () from /lib64/ld-linux-x86-64.so.2
#2  0x00007f2f26f4f6fb in swfdec_init () at swfdec_player.c:2374
Backtrace stopped: previous frame inner to this frame (corrupt stack?)


http://www.youtube.com/watch?v=IEt7lY-tlW4

hope it helps....
JL
Comment 5 MALET Jean-Luc 2008-09-03 12:48:04 UTC
after investigation it seems that the crash above comes from the line 2374 of swfdec_player.c :

  s = g_getenv ("SWFDEC_DEBUG");

running it with SWFDEC_DEBUG=1 environment fixes the issue.... but brings new one

question : why using a g_getenv instead of a getenv?

firefox then crashes right after loading the swf plugin, however the stack has no symbols so it's not in a swfdec function

I'm trying to compile firefox with debug symbols but only get stripped binaries... how can I prevent debug symbols from being stripped?

Best Regards
JLM
Comment 6 Riccardo Magliocchetti 2008-09-08 05:11:10 UTC
Jean-Luc, can you retry with swfdec 0.8 and firefox 3.0.1?
Comment 7 MALET Jean-Luc 2008-09-08 14:35:25 UTC
still crashing. however the backtrace isn't the same as before....
HOW CAN I COMPILE FIREFOX AND KEEP DEBUG SYMBOLS? I can help a lot if I could have the debug symbols of firefox... maybe the issue isn't in swfdec but in firefox

here is the end of  SWFDEC_DEBUG=2 firefox -Profilemanager -g

WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLayoutPhase_FrameC] == 0', file ../../dist/include/layout/nsPresContext.h, line 964
###!!! ASSERTION: non-root frame's desired size changed during an incremental reflow: '(target == rootFrame && size.height == NS_UNCONSTRAINEDSIZE) || (desiredSize.width == size.width && desiredSize.height == size.height)', file nsPresShell.cpp, line 6290
###!!! ASSERTION: reflow state computed incorrect width: 'reflowState.ComputedWidth() == size.width - reflowState.mComputedBorderPadding.LeftRight()', file nsPresShell.cpp, line 6276
###!!! ASSERTION: reflow roots must not have visible overflow: 'desiredSize.mOverflowArea == nsRect(nsPoint(0, 0), nsSize(desiredSize.width, desiredSize.height))', file nsPresShell.cpp, line 6294
###!!! ASSERTION: reflow state computed incorrect width: 'reflowState.ComputedWidth() == size.width - reflowState.mComputedBorderPadding.LeftRight()', file nsPresShell.cpp, line 6276
###!!! ASSERTION: reflow roots must not have visible overflow: 'desiredSize.mOverflowArea == nsRect(nsPoint(0, 0), nsSize(desiredSize.width, desiredSize.height))', file nsPresShell.cpp, line 6294
WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLayoutPhase_FrameC] == 0', file ../../dist/include/layout/nsPresContext.h, line 964
WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLayoutPhase_FrameC] == 0', file ../../dist/include/layout/nsPresContext.h, line 964
WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLayoutPhase_FrameC] == 0', file ../../dist/include/layout/nsPresContext.h, line 964
WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLayoutPhase_FrameC] == 0', file ../../dist/include/layout/nsPresContext.h, line 964
###!!! ASSERTION: reflow state computed incorrect width: 'reflowState.ComputedWidth() == size.width - reflowState.mComputedBorderPadding.LeftRight()', file nsPresShell.cpp, line 6276
###!!! ASSERTION: reflow roots must not have visible overflow: 'desiredSize.mOverflowArea == nsRect(nsPoint(0, 0), nsSize(desiredSize.width, desiredSize.height))', file nsPresShell.cpp, line 6294
###!!! ASSERTION: non-root frame's desired size changed during an incremental reflow: '(target == rootFrame && size.height == NS_UNCONSTRAINEDSIZE) || (desiredSize.width == size.width && desiredSize.height == size.height)', file nsPresShell.cpp, line 6290
For application/x-shockwave-flash found plugin /usr/lib/firefox-3.0.1/plugins/libswfdecmozilla.so
LoadPlugin() /usr/lib/firefox-3.0.1/plugins/libswfdecmozilla.so returned 7fcaf2f8df80

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000002 in ?? ()
(gdb) bt
#0  0x0000000000000002 in ?? ()
#1  0x00007fcafc41d990 in ?? ()
#2  0x0000000000000000 in ?? ()
(gdb)
Comment 8 Benjamin Otte 2008-09-09 00:41:20 UTC
This looks indeed a lot like something being broken with your Firefox, as there's loads of assertions being hit before even loading the Swfdec plugin.
Comment 9 MALET Jean-Luc 2008-09-23 02:01:53 UTC
I tested the issue on a ia32 box (same os, same firefox build) 
the issue isn't reproducible on ia32
it only occurs on x86_64

-> the issue can be caused by a misuse of long, or assignment of pointers to int or vice-versa.
-> the issue doesn't occur if swfdec-mozilla isn't installed, thus there is clearly a side effect between swfdec plugin presence and the crash....

I still can't install mozilla with symbols (ie not stripped...) so still can't investigate further.

Best Regards
JLM
Comment 10 Karl Tomlinson 2008-09-23 03:03:37 UTC
(In reply to comment #7)
> still crashing. however the backtrace isn't the same as before....
> HOW CAN I COMPILE FIREFOX AND KEEP DEBUG SYMBOLS? I can help a lot if I could
> have the debug symbols of firefox... maybe the issue isn't in swfdec but in
> firefox
> 
> here is the end of  SWFDEC_DEBUG=2 firefox -Profilemanager -g

> ###!!! ASSERTION: reflow roots must not have visible overflow:
> 'desiredSize.mOverflowArea == nsRect(nsPoint(0, 0), nsSize(desiredSize.width,
> desiredSize.height))', file nsPresShell.cpp, line 6294
> ###!!! ASSERTION: non-root frame's desired size changed during an incremental
> reflow: '(target == rootFrame && size.height == NS_UNCONSTRAINEDSIZE) ||
> (desiredSize.width == size.width && desiredSize.height == size.height)', file
> nsPresShell.cpp, line 6290
> For application/x-shockwave-flash found plugin
> /usr/lib/firefox-3.0.1/plugins/libswfdecmozilla.so
> LoadPlugin() /usr/lib/firefox-3.0.1/plugins/libswfdecmozilla.so returned
> 7fcaf2f8df80

It looks like this is a debug build, and so should have symbols.

Try putting "NSPR_LOG_MODULES=nsObjectFrame:4,Plugin:5,PluginNPP:5,PluginNPN:5"
and it may give some info on where Mozilla is up to.

The assertions are layout related and not necessarily related to the crash.

> Program received signal SIGSEGV, Segmentation fault.
> 0x0000000000000002 in ?? ()
> (gdb) bt
> #0  0x0000000000000002 in ?? ()
> #1  0x00007fcafc41d990 in ?? ()
> #2  0x0000000000000000 in ?? ()
> (gdb)

I'm not sure symbols are going to help here.  The stack looks corrupted.
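Added example, not part of the thread and not swfdec or Mozilla code: a small triage helper that parses gdb `bt` output and flags the signs of a smashed stack seen in comment 7 (a faulting PC of 0x2, frames with no symbol). The threshold `MIN_PLAUSIBLE_ADDR` and all function names are assumptions made for this sketch; the sample trace is copied from comment 7.

```python
import re

# Addresses below this are treated as impossible code addresses (assumed
# threshold, matching the common Linux vm.mmap_min_addr default of 65536).
MIN_PLAUSIBLE_ADDR = 0x10000

FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:(?P<addr>0x[0-9a-fA-F]+)\s+in\s+)?"
    r"(?P<sym>\S+)\s*\([^)]*\)(?:\s+from\s+(?P<lib>\S+))?"
)

def parse_frames(bt_text):
    """Parse gdb `bt` output into frame dicts, joining wrapped lines."""
    joined = []
    for line in bt_text.splitlines():
        if line.startswith("#"):
            joined.append(line.rstrip())
        elif joined and line[:1].isspace() and line.strip():
            joined[-1] += " " + line.strip()  # e.g. "   from /usr/lib/..."
    frames = []
    for line in joined:
        m = FRAME_RE.match(line)
        if m:
            addr = int(m.group("addr"), 16) if m.group("addr") else None
            frames.append({"num": int(m.group("num")), "addr": addr,
                           "sym": m.group("sym"), "lib": m.group("lib")})
    return frames

def triage(bt_text):
    """Summarise how trustworthy a backtrace is."""
    frames = parse_frames(bt_text)
    bogus = [f["num"] for f in frames
             if f["addr"] is not None and f["addr"] < MIN_PLAUSIBLE_ADDR]
    return {
        "frames": len(frames),
        "unresolved": [f["num"] for f in frames if f["sym"] == "??"],
        "implausible": bogus,
        # Frame 0 is the faulting PC. A tiny value there means control went
        # through a bad pointer, so the rest of the unwind cannot be trusted.
        "pc_invalid": bool(frames) and frames[0]["num"] == 0 and 0 in bogus,
    }

# Backtrace from comment 7 of this bug.
COMMENT7_BT = """(gdb) bt
#0  0x0000000000000002 in ?? ()
#1  0x00007fcafc41d990 in ?? ()
#2  0x0000000000000000 in ?? ()
(gdb)
"""

if __name__ == "__main__":
    print(triage(COMMENT7_BT))
```

When `pc_invalid` is true, a core dump or a memory-checking run of the plugin is more useful than a symbolised build, because the frames above the fault were unwound from overwritten data.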
Comment 11 MALET Jean-Luc 2008-09-23 03:30:25 UTC
(In reply to comment #10)
> It looks like this is a debug build, and so should have symbols.

this IS a debug build.... but file tells me that all installed stuff is... stripped! I tried all the things I found with google... and well still strip my binaries... (either through strip or using ld stripping)

> 
> Try putting 
> "NSPR_LOG_MODULES=nsObjectFrame:4,Plugin:5,PluginNPP:5,PluginNPN:5"
> and it may give some info on where Mozilla is up to.
Where should I put that? in environment variables?

> 
> The assertions are layout related and not necessarily related to the crash.
yes it is what I suspected...
 
> I'm not sure symbols are going to help here.  The stack looks corrupted.
> 
I suspected that also...

Comment 12 Karl Tomlinson 2008-09-23 12:43:49 UTC
(In reply to comment #11)
> (In reply to comment #10)
> > It looks like this is a debug build, and so should have symbols.
> 
> this IS a debug build.... but file tells me that all installed stuff is...
> stripped! I tried all the things I found with google... and well still strip my
> binaries... (either through strip or using ld stripping)

You can try an explicit "ac_add_options --disable-strip" in the .mozconfig.

I'm not sure what install process you are using.  Maybe it's the install process that's stripping.

Are the files in the build directory $MOZ_OBJDIR/dist/bin stripped?
You should be able to run $MOZ_OBJDIR/dist/bin/firefox in the build directory.

> > Try putting 
> > "NSPR_LOG_MODULES=nsObjectFrame:4,Plugin:5,PluginNPP:5,PluginNPN:5"
> > and it may give some info on where Mozilla is up to.
> Where should I put that? in environment variables?

Yes, in the environment at run time.  (Sorry, I should have said that.)
Comment 13 MALET Jean-Luc 2008-09-23 14:20:50 UTC
-2020837568[7f8287717150]: nsObjectFrame::Instantiate(application/x-shockwave-flash) called on frame 7f827d64f240
-2020837568[7f8287717150]: nsPluginInstanceOwner 7f827d4542c0 created
-2020837568[7f8287717150]: Created new instance owner 7f827d4542c0 for frame 7f827d64f240
-2020837568[7f8287717150]: nsPluginInstanceOwner::Init() called on 7f827d4542c0 for frame 7f827d64f240
-2020837568[7f8287717150]: nsPluginHostImpl::InstantiateEmbeddedPlugin Begin mime=application/x-shockwave-flash, owner=7f827d4542c0, url=http://s.ytimg.com/yt/swf/watch-vfl55589.swf
-2020837568[7f8287717150]: nsPluginHostImpl::TrySetupPluginInstance Begin mime=application/x-shockwave-flash, owner=7f827d4542c0, url=http://s.ytimg.com/yt/swf/watch-vfl55589.swf
-2020837568[7f8287717150]: nsPluginHostImpl::GetPluginFactory Begin mime=application/x-shockwave-flash, plugin=/usr/lib/firefox-3.0.1/plugins/libswfdecmozilla.so
For application/x-shockwave-flash found plugin /usr/lib/firefox-3.0.1/plugins/libswfdecmozilla.so
LoadPlugin() /usr/lib/firefox-3.0.1/plugins/libswfdecmozilla.so returned 7f827d286920
-2020837568[7f8287717150]: NPN callbacks initialized
-2020837568[7f8287717150]: ns4xPluginInstance ctor: this=7f827caf24a0
-2020837568[7f8287717150]: ns4xPluginInstance::Initialize this=7f827caf24a0
-2020837568[7f8287717150]: NPN_GetValue: npp=7f827caf24d8, var=268435469


here is what I get with those environment variables
I was told by someone that ac_add_options --disable-strip isn't enough (already tried) because some other configure script in some subdir activates ld flags that strip at linking time....

if this helps you...
thanks a lot
JLM
