[Gnash-commit] [bug #37077] segfault in libgnashplugin.so[a85b5000+47000]


From: Paul Menzel
Subject: [Gnash-commit] [bug #37077] segfault in libgnashplugin.so[a85b5000+47000]
Date: Wed, 12 Dec 2012 11:30:32 +0000
User-agent: Mozilla/5.0 (X11; Linux) AppleWebKit/535.22 (KHTML, like Gecko) Chrome/18.0.1025.133 Safari/535.22 Midori/0.4

Follow-up Comment #12, bug #37077 (project gnash):

Besides WebKitGTK+ making Valgrind pretty chatty,

        $ G_SLICE=always-malloc G_DEBUG=gc-friendly valgrind --tool=memcheck --leak-check=full --leak-resolution=high --num-callers=20 --smc-check=all --error-limit=no --log-file=/tmp/20121212--midori-valgrind.log midori -c /tmp/midori
        WARNING: gnome-keyring:: couldn't connect to: /home/paul/.cache/keyring-rl9Th8/pkcs11: Datei oder Verzeichnis nicht gefunden
        ERROR: Invalid fd passed
        Getötet

I found the pasted messages regarding Gnash. Most of the file descriptors do
not seem to get negative when corrupted, so the above message is not seen a
lot in Gnash’s log output. But Valgrind catches them.

        $ grep "invalid file" 20121212--midori-valgrind.log
        ==2064== Warning: invalid file descriptor 610044180 in syscall write()
        ==2064== Warning: invalid file descriptor 6094891 in syscall write()
        ==2064== Warning: invalid file descriptor 678457172 in syscall write()
        ==2064== Warning: invalid file descriptor 3670073 in syscall write()
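The comment above notes that a corrupted descriptor is rarely negative, so a plain "fd >= 0" test lets garbage values like 610044180 reach write(). The following is an added example (not Gnash code) of a defensive check that asks the kernel whether a descriptor is actually open before using it; the fd values are taken from the grep output above and are used only as constructed test inputs.

```c
/* Added example, not from Gnash: validate a file descriptor before use.
 * A "fd >= 0" check misses corrupted but positive values such as the
 * 610044180 reported by Valgrind above; fcntl(F_GETFD) fails with EBADF
 * for any descriptor that is not open in this process. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Returns 1 if fd refers to an open descriptor in this process, else 0. */
int fd_is_open(int fd)
{
    if (fd < 0)
        return 0;                      /* the cheap check that only catches negatives */
    return fcntl(fd, F_GETFD) != -1;   /* EBADF for stale or garbage values */
}

/* Write wrapper: refuses descriptors that are not open instead of letting
 * write() fail with EBADF or, worse, land on an unrelated open file.
 * Returns bytes written, or -1 with errno set to EBADF. */
ssize_t checked_write(int fd, const char *buf, size_t len)
{
    if (!fd_is_open(fd)) {
        errno = EBADF;
        return -1;
    }
    return write(fd, buf, len);
}

int main(void)
{
    /* Constructed inputs: garbage fd values from the Valgrind warnings above
     * plus a negative one; none of them should be considered usable. */
    int garbage[] = { 610044180, 6094891, 678457172, 3670073, -1 };
    for (size_t i = 0; i < sizeof garbage / sizeof garbage[0]; i++)
        printf("fd %d open: %d\n", garbage[i], fd_is_open(garbage[i]));
    return checked_write(STDOUT_FILENO, "ok\n", 3) == 3 ? 0 : 1;
}
```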

Valgrind messages concerning Gnash.

[…]

==2064== Conditional jump or move depends on uninitialised value(s)
==2064==    at 0x18C9C038: gnash::GnashPluginScriptObject::writePlayer(int,
std::string const&) (pluginScriptObject.cpp:688)
==2064==    by 0x18C9C07D:
gnash::GnashPluginScriptObject::writePlayer(std::string const&)
(pluginScriptObject.cpp:678)
==2064==    by 0x18CA0345:
gnash::GnashPluginScriptObject::GetVariable(std::string const&)
(pluginScriptObject.cpp:612)
==2064==    by 0x18CA7244: gnash::GetVariableCallback(NPObject*, void*,
_NPVariant const*, unsigned int, _NPVariant*) (callbacks.cpp:144)
==2064==    by 0x18C9FC81: gnash::GnashPluginScriptObject::Invoke(NPObject*,
void*, _NPVariant const*, unsigned int, _NPVariant*)
(pluginScriptObject.cpp:527)
==2064==    by 0x18C9FD22:
gnash::GnashPluginScriptObject::marshalInvoke(NPObject*, void*, _NPVariant
const*, unsigned int, _NPVariant*) (pluginScriptObject.cpp:346)
==2064==    by 0x5638945:
JSC::Bindings::CInstance::invokeMethod(JSC::ExecState*, JSC::RuntimeMethod*)
(in /usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x56414C3: JSC::callRuntimeMethod(JSC::ExecState*) (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x6B5AAAA: cti_op_call_NotJSFunction (in
/usr/lib/libjavascriptcoregtk-1.0.so.0.13.2)
==2064==    by 0xC3E81D6: ???
==2064==    by 0x6B15589: JSC::Interpreter::executeCall(JSC::ExecState*,
JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue,
JSC::ArgList const&) (in /usr/lib/libjavascriptcoregtk-1.0.so.0.13.2)
==2064==    by 0x6BE4331: JSC::call(JSC::ExecState*, JSC::JSValue,
JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (in
/usr/lib/libjavascriptcoregtk-1.0.so.0.13.2)
==2064==    by 0x55C0679:
WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*,
WebCore::Event*) (in /usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x57663D5:
WebCore::EventTarget::fireEventListeners(WebCore::Event*,
WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1u>&)
(in /usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x57665CF:
WebCore::EventTarget::fireEventListeners(WebCore::Event*) (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x5A98A19:
WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>,
WTF::PassRefPtr<WebCore::EventTarget>) (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x5A9959A: WebCore::DOMWindow::dispatchLoadEvent() (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x572E55D: WebCore::Document::dispatchWindowLoadEvent() (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x5732697: WebCore::Document::implicitClose() (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x5A19353: WebCore::FrameLoader::checkCallImplicitClose() (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)

[…]

==2064== 288 bytes in 24 blocks are definitely lost in loss record 17,134 of
19,142
==2064==    at 0x48288D8: malloc (vg_replace_malloc.c:270)
==2064==    by 0x70A6E1F: strdup (strdup.c:43)
==2064==    by 0x5640328: _NPN_UTF8FromIdentifier (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x18C9AF0E: NPN_UTF8FromIdentifier (npn_gate.cpp:266)
==2064==    by 0x18C9FC1C: gnash::GnashPluginScriptObject::Invoke(NPObject*,
void*, _NPVariant const*, unsigned int, _NPVariant*)
(pluginScriptObject.cpp:514)
==2064==    by 0x18C9FD22:
gnash::GnashPluginScriptObject::marshalInvoke(NPObject*, void*, _NPVariant
const*, unsigned int, _NPVariant*) (pluginScriptObject.cpp:346)
==2064==    by 0x5638945:
JSC::Bindings::CInstance::invokeMethod(JSC::ExecState*, JSC::RuntimeMethod*)
(in /usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x56414C3: JSC::callRuntimeMethod(JSC::ExecState*) (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x6B5AAAA: cti_op_call_NotJSFunction (in
/usr/lib/libjavascriptcoregtk-1.0.so.0.13.2)
==2064==    by 0xC3E81D6: ???
==2064==    by 0x6B15589: JSC::Interpreter::executeCall(JSC::ExecState*,
JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue,
JSC::ArgList const&) (in /usr/lib/libjavascriptcoregtk-1.0.so.0.13.2)
==2064==    by 0x6BE4331: JSC::call(JSC::ExecState*, JSC::JSValue,
JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (in
/usr/lib/libjavascriptcoregtk-1.0.so.0.13.2)
==2064==    by 0x55C0679:
WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*,
WebCore::Event*) (in /usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x57663D5:
WebCore::EventTarget::fireEventListeners(WebCore::Event*,
WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1u>&)
(in /usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x57665CF:
WebCore::EventTarget::fireEventListeners(WebCore::Event*) (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x5A98A19:
WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>,
WTF::PassRefPtr<WebCore::EventTarget>) (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x5A9959A: WebCore::DOMWindow::dispatchLoadEvent() (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x572E55D: WebCore::Document::dispatchWindowLoadEvent() (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x5732697: WebCore::Document::implicitClose() (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x5A19353: WebCore::FrameLoader::checkCallImplicitClose() (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)

[…]

==2064== Syscall param write(fd) contains uninitialised byte(s)
==2064==    at 0x70212BB: ??? (syscall-template.S:82)
==2064==    by 0x18C9C052: gnash::GnashPluginScriptObject::writePlayer(int,
std::string const&) (pluginScriptObject.cpp:689)
==2064==    by 0x18C9C07D:
gnash::GnashPluginScriptObject::writePlayer(std::string const&)
(pluginScriptObject.cpp:678)
==2064==    by 0x18CA0345:
gnash::GnashPluginScriptObject::GetVariable(std::string const&)
(pluginScriptObject.cpp:612)
==2064==    by 0x18CA7244: gnash::GetVariableCallback(NPObject*, void*,
_NPVariant const*, unsigned int, _NPVariant*) (callbacks.cpp:144)
==2064==    by 0x18C9FC81: gnash::GnashPluginScriptObject::Invoke(NPObject*,
void*, _NPVariant const*, unsigned int, _NPVariant*)
(pluginScriptObject.cpp:527)
==2064==    by 0x18C9FD22:
gnash::GnashPluginScriptObject::marshalInvoke(NPObject*, void*, _NPVariant
const*, unsigned int, _NPVariant*) (pluginScriptObject.cpp:346)
==2064==    by 0x5638945:
JSC::Bindings::CInstance::invokeMethod(JSC::ExecState*, JSC::RuntimeMethod*)
(in /usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x56414C3: JSC::callRuntimeMethod(JSC::ExecState*) (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x6B5AAAA: cti_op_call_NotJSFunction (in
/usr/lib/libjavascriptcoregtk-1.0.so.0.13.2)
==2064==    by 0xC3E81D6: ???
==2064==    by 0x6B15589: JSC::Interpreter::executeCall(JSC::ExecState*,
JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue,
JSC::ArgList const&) (in /usr/lib/libjavascriptcoregtk-1.0.so.0.13.2)
==2064==    by 0x6BE4331: JSC::call(JSC::ExecState*, JSC::JSValue,
JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (in
/usr/lib/libjavascriptcoregtk-1.0.so.0.13.2)
==2064==    by 0x55C0679:
WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*,
WebCore::Event*) (in /usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x57663D5:
WebCore::EventTarget::fireEventListeners(WebCore::Event*,
WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1u>&)
(in /usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x57665CF:
WebCore::EventTarget::fireEventListeners(WebCore::Event*) (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x5A98A19:
WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>,
WTF::PassRefPtr<WebCore::EventTarget>) (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x5A9959A: WebCore::DOMWindow::dispatchLoadEvent() (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x572E55D: WebCore::Document::dispatchWindowLoadEvent() (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x5732697: WebCore::Document::implicitClose() (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)

[…]

==2064== Invalid read of size 4
==2064==    at 0x18C9F8D3: gnash::GnashPluginScriptObject::readPlayer(int)
(pluginScriptObject.cpp:717)
==2064==    by 0x196FFBBF: ???
==2064==  Address 0xbf21e770 is not stack'd, malloc'd or (recently) free'd

[…]

==2064== Process terminating with default action of signal 11 (SIGSEGV):
dumping core
==2064==  Access not within mapped region at address 0xBF21E770
==2064==    at 0x18C9F8D3: gnash::GnashPluginScriptObject::readPlayer(int)
(pluginScriptObject.cpp:717)
==2064==    by 0x196FFBBF: ???
==2064==  If you believe this happened as a result of a stack
==2064==  overflow in your program's main thread (unlikely but
==2064==  possible), you can try to increase the size of the
==2064==  main thread stack using the --main-stacksize= flag.
==2064==  The main thread stack size used in this run was 8388608.
==2064== 
==2064== HEAP SUMMARY:
==2064==     in use at exit: 10,052,457 bytes in 83,872 blocks
==2064==   total heap usage: 4,785,904 allocs, 4,702,032 frees, 309,790,306
bytes allocated

[…]

==2064== 12 bytes in 1 blocks are definitely lost in loss record 4,525 of
19,142
==2064==    at 0x48288D8: malloc (vg_replace_malloc.c:270)
==2064==    by 0x70A6E1F: strdup (strdup.c:43)
==2064==    by 0x5640328: _NPN_UTF8FromIdentifier (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x18C9AF0E: NPN_UTF8FromIdentifier (npn_gate.cpp:266)
==2064==    by 0x18C9FC1C: gnash::GnashPluginScriptObject::Invoke(NPObject*,
void*, _NPVariant const*, unsigned int, _NPVariant*)
(pluginScriptObject.cpp:514)
==2064==    by 0x18C9FD22:
gnash::GnashPluginScriptObject::marshalInvoke(NPObject*, void*, _NPVariant
const*, unsigned int, _NPVariant*) (pluginScriptObject.cpp:346)
==2064==    by 0x5638945:
JSC::Bindings::CInstance::invokeMethod(JSC::ExecState*, JSC::RuntimeMethod*)
(in /usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x56414C3: JSC::callRuntimeMethod(JSC::ExecState*) (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x6B5AAAA: cti_op_call_NotJSFunction (in
/usr/lib/libjavascriptcoregtk-1.0.so.0.13.2)
==2064==    by 0xC3E81D6: ???
==2064==    by 0x6B15589: JSC::Interpreter::executeCall(JSC::ExecState*,
JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue,
JSC::ArgList const&) (in /usr/lib/libjavascriptcoregtk-1.0.so.0.13.2)
==2064==    by 0x6BE4331: JSC::call(JSC::ExecState*, JSC::JSValue,
JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (in
/usr/lib/libjavascriptcoregtk-1.0.so.0.13.2)
==2064==    by 0x55C0679:
WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*,
WebCore::Event*) (in /usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x57663D5:
WebCore::EventTarget::fireEventListeners(WebCore::Event*,
WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1u>&)
(in /usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x57665CF:
WebCore::EventTarget::fireEventListeners(WebCore::Event*) (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x577084D: WebCore::Node::handleLocalEvents(WebCore::Event*)
(in /usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x9E2DFFF: ???
==2064== 
==2064== 12 bytes in 1 blocks are definitely lost in loss record 4,526 of
19,142
==2064==    at 0x48288D8: malloc (vg_replace_malloc.c:270)
==2064==    by 0x70A6E1F: strdup (strdup.c:43)
==2064==    by 0x5640328: _NPN_UTF8FromIdentifier (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x18C9AF0E: NPN_UTF8FromIdentifier (npn_gate.cpp:266)
==2064==    by 0x18C9FC1C: gnash::GnashPluginScriptObject::Invoke(NPObject*,
void*, _NPVariant const*, unsigned int, _NPVariant*)
(pluginScriptObject.cpp:514)
==2064==    by 0x18C9FD22:
gnash::GnashPluginScriptObject::marshalInvoke(NPObject*, void*, _NPVariant
const*, unsigned int, _NPVariant*) (pluginScriptObject.cpp:346)
==2064==    by 0x5638945:
JSC::Bindings::CInstance::invokeMethod(JSC::ExecState*, JSC::RuntimeMethod*)
(in /usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x56414C3: JSC::callRuntimeMethod(JSC::ExecState*) (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x6B5AAAA: cti_op_call_NotJSFunction (in
/usr/lib/libjavascriptcoregtk-1.0.so.0.13.2)
==2064==    by 0xC3E81D6: ???
==2064==    by 0x6B15589: JSC::Interpreter::executeCall(JSC::ExecState*,
JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue,
JSC::ArgList const&) (in /usr/lib/libjavascriptcoregtk-1.0.so.0.13.2)
==2064==    by 0x6BE4331: JSC::call(JSC::ExecState*, JSC::JSValue,
JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (in
/usr/lib/libjavascriptcoregtk-1.0.so.0.13.2)
==2064==    by 0x55C0679:
WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*,
WebCore::Event*) (in /usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x57663D5:
WebCore::EventTarget::fireEventListeners(WebCore::Event*,
WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1u>&)
(in /usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x57665CF:
WebCore::EventTarget::fireEventListeners(WebCore::Event*) (in
/usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x577084D: WebCore::Node::handleLocalEvents(WebCore::Event*)
(in /usr/lib/libwebkitgtk-1.0.so.0.13.2)
==2064==    by 0x1713A19F: ???

[…]

==2064== LEAK SUMMARY:
==2064==    definitely lost: 69,200 bytes in 1,951 blocks
==2064==    indirectly lost: 74,805 bytes in 3,552 blocks
==2064==      possibly lost: 618,408 bytes in 6,933 blocks
==2064==    still reachable: 9,290,044 bytes in 71,436 blocks
==2064==         suppressed: 0 bytes in 0 blocks
==2064== Reachable blocks (those to which a pointer was found) are not shown.
==2064== To see them, rerun with: --leak-check=full --show-reachable=yes
==2064== 
==2064== For counts of detected and suppressed errors, rerun with: -v
==2064== Use --track-origins=yes to see where uninitialised values come from
==2064== ERROR SUMMARY: 48146 errors from 11270 contexts (suppressed: 411 from
14)

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?37077>

_______________________________________________
  Message sent by/through Savannah
  http://savannah.gnu.org/
