From: Tim Kientzle
Date: Tue, 07 Oct 2008 18:50:09 -0700
To: jos@catnook.com
Cc: Andrey Chernov, freebsd-current@freebsd.org
Subject: Re: firefox3-bin crashes near arc4random_buf()
Message-ID: <48EC11D1.3090304@freebsd.org>

This is a lot more interesting.
This points to a crash within libc's db code. Somehow, it's trying to
compute a hash for some element with length -10618, which is getting
converted to an unsigned 4294956678, which is causing the crash.

Does Firefox have knobs to use a newer Berkeley DB? I can't recall
whether newer Berkeley DB versions are thread-safe but I'm pretty sure
the old version in our libc isn't. If Firefox is assuming the BDB code
is thread-safe that could certainly cause corruption of the BDB data
with all sorts of unpleasant consequences.

That's just a random guess, though. Maybe someone else on this mailing
list knows better.

Tim

> Good news! firefox3 crashed again, so the problem is not fixed. But the
> backtrace (attached) looks slightly different this time. Anything particular
> you'd like me to look at?

> #0 0x2a31656b in thr_kill () at thr_kill.S:2
> #1 0x2a2c5736 in pthread_kill () from /lib/libthr.so.3
> #2 0x2a2c32c3 in raise () from /lib/libthr.so.3
> #3 0x28237381 in XRE_InitEmbedding () from /usr/local/lib/firefox3/libxul.so
> #4
> #5 hash4 (keyarg=0xad6397a, len=4294956678) at /usr/src/lib/libc/db/hash/hash_func.c:184
> #6 0x2a39ab3d in __call_hash (hashp=0x8386200, k=0xad6397a "", len=-10618) at /usr/src/lib/libc/db/hash/hash.c:896
> #7 0x2a3997fa in __split_page (hashp=0x8386200, obucket=7, nbucket=15) at /usr/src/lib/libc/db/hash/hash_page.c:356
> #8 0x2a39ac09 in __expand_table (hashp=0x8386200) at /usr/src/lib/libc/db/hash/hash.c:865
> #9 0x2a39922f in __addel (hashp=0x8386200, bufp=0xb2e47c0, key=0xbf4f9640, val=0xbf4f9648) at /usr/src/lib/libc/db/hash/hash_page.c:454
> #10 0x2a39c2e0 in hash_access (hashp=0x8386200, action=HASH_PUT, key=0xbf4f9640, val=0xbf4f9648) at /usr/src/lib/libc/db/hash/hash.c:680
> #11 0x2aa0cb9c in ?? () from /usr/local/lib/firefox3/libnssdbm3.so
> #12 0xbf4f9648 in ?? ()
> #13 0xbf4f9640 in ?? ()
> #14 0xbf4f9648 in ?? ()
> #15 0x00000000 in ?? ()
> #16 0x2a2c3599 in pthread_self () from /lib/libthr.so.3
> #17 0x2aa1c3e4 in legacy_SetCryptFunctions () from /usr/local/lib/firefox3/libnssdbm3.so
> #18 0x2aa1cbb8 in legacy_SetCryptFunctions () from /usr/local/lib/firefox3/libnssdbm3.so
> #19 0x2aa1d6ff in legacy_SetCryptFunctions () from /usr/local/lib/firefox3/libnssdbm3.so
> #20 0x2aa218b2 in legacy_SetCryptFunctions () from /usr/local/lib/firefox3/libnssdbm3.so
> #21 0x2aa236c9 in legacy_SetCryptFunctions () from /usr/local/lib/firefox3/libnssdbm3.so
> #22 0x2aa23791 in legacy_SetCryptFunctions () from /usr/local/lib/firefox3/libnssdbm3.so
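
Added example, not part of the original message and not libc's code: a C sketch of the conversion visible in frames #5 and #6 (len=-10618 arriving as 4294956678 on i386), with a length check placed before the hash call. The page layout, PG_SIZE, entry_len, toy_hash and checked_hash are hypothetical names chosen for illustration, and the sample offsets are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define PG_SIZE 4096  /* assumed page size for this sketch */

/* Constructed, zero-filled stand-in for a database page. */
static unsigned char sample_page[PG_SIZE];

/* What a 32-bit unsigned length parameter receives when handed a
 * signed int (size_t is 32 bits on i386, as in the backtrace). */
uint32_t as_unsigned_len(int len) { return (uint32_t)len; }

/* Hypothetical: key length derived from two offsets stored in a page.
 * With corrupted offsets, end_off < start_off and the result is negative. */
int entry_len(uint16_t start_off, uint16_t end_off) {
    return (int)end_off - (int)start_off;
}

/* FNV-1a, standing in for the real hash; it reads exactly len bytes,
 * so a wrapped length would walk far past the buffer. */
static uint32_t toy_hash(const unsigned char *k, uint32_t len) {
    uint32_t h = 2166136261u;
    while (len--)
        h = (h ^ *k++) * 16777619u;
    return h;
}

/* Validate the derived length before hashing.
 * Returns 0 and stores the hash on success, -1 if the entry is rejected. */
int checked_hash(const unsigned char *page, uint16_t start_off,
                 uint16_t end_off, uint32_t *out) {
    int len = entry_len(start_off, end_off);
    if (len < 0 || start_off > PG_SIZE || len > PG_SIZE - start_off)
        return -1;  /* negative, or extends beyond the page */
    *out = toy_hash(page + start_off, (uint32_t)len);
    return 0;
}

int main(void) {
    uint32_t h = 0;
    printf("%d -> %u\n", -10618, (unsigned)as_unsigned_len(-10618));
    printf("corrupt entry: %d\n", checked_hash(sample_page, 12000, 1382, &h));
    printf("valid entry:   %d\n", checked_hash(sample_page, 100, 110, &h));
    return 0;
}
```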