
RFH: Re: Bug#570056: iceweasel: SIGSEGV - nsDOMEvent::AddRef
On Wed, Feb 17, 2010 at 07:33:19AM +0100, Sandro Tosi wrote:
> > Other than that, with your core file, could you at least get (and send)
> > the output for disassemble, info registers, and info locals ?
> 
> Attached.

There definitely is something weird going on, because according to the
value in the rip register, the first two instructions of the function
have been executed. And the second should have set rax to 2. But rax is
definitely not 2, while rsp is! And rsp is the stack pointer, so when
pushing on the third instruction, no wonder it segfaults.
But how on earth can "mov $0x2,%eax" lead to rsp being modified?

Would someone have a better explanation than a broken CPU?

> Program terminated with signal 11, Segmentation fault.
> #0  nsDOMEvent::AddRef (this=0x7f6bcea877f0) at nsDOMEvent.cpp:169
> 169	nsDOMEvent.cpp: No such file or directory.
> 	in nsDOMEvent.cpp
> (gdb) disassemble
> Dump of assembler code for function _ZN10nsDOMEvent6AddRefEv:
> 0x00007f6c1894933c <_ZN10nsDOMEvent6AddRefEv+0>:	push   %r12
> 0x00007f6c1894933e <_ZN10nsDOMEvent6AddRefEv+2>:	mov    $0x2,%eax
> 0x00007f6c18949343 <_ZN10nsDOMEvent6AddRefEv+7>:	push   %rbp
> 0x00007f6c18949344 <_ZN10nsDOMEvent6AddRefEv+8>:	mov    %rdi,%rbp
> 0x00007f6c18949347 <_ZN10nsDOMEvent6AddRefEv+11>:	push   %rbx
> 0x00007f6c18949348 <_ZN10nsDOMEvent6AddRefEv+12>:	mov    0x18(%rdi),%rbx
> 0x00007f6c1894934c <_ZN10nsDOMEvent6AddRefEv+16>:	test   %rbx,%rbx
> 0x00007f6c1894934f <_ZN10nsDOMEvent6AddRefEv+19>:	je     0x7f6c18949386 <_ZN10nsDOMEvent6AddRefEv+74>
> 0x00007f6c18949351 <_ZN10nsDOMEvent6AddRefEv+21>:	mov    %ebx,%eax
> 0x00007f6c18949353 <_ZN10nsDOMEvent6AddRefEv+23>:	test   $0x1,%al
> 0x00007f6c18949355 <_ZN10nsDOMEvent6AddRefEv+25>:	jne    0x7f6c18949378 <_ZN10nsDOMEvent6AddRefEv+60>
> 0x00007f6c18949357 <_ZN10nsDOMEvent6AddRefEv+27>:	mov    %rbx,%rdi
> 0x00007f6c1894935a <_ZN10nsDOMEvent6AddRefEv+30>:	mov    0x8(%rbx),%r12d
> 0x00007f6c1894935e <_ZN10nsDOMEvent6AddRefEv+34>:	callq  0x7f6c18624320 <NS_CycleCollectorForget2_P@plt>
> 0x00007f6c18949363 <_ZN10nsDOMEvent6AddRefEv+39>:	test   %eax,%eax
> 0x00007f6c18949365 <_ZN10nsDOMEvent6AddRefEv+41>:	je     0x7f6c1894936e <_ZN10nsDOMEvent6AddRefEv+50>
> 0x00007f6c18949367 <_ZN10nsDOMEvent6AddRefEv+43>:	lea    0x1(%r12),%eax
> 0x00007f6c1894936c <_ZN10nsDOMEvent6AddRefEv+48>:	jmp    0x7f6c1894937c <_ZN10nsDOMEvent6AddRefEv+64>
> 0x00007f6c1894936e <_ZN10nsDOMEvent6AddRefEv+50>:	lea    0x1(%r12),%eax
> 0x00007f6c18949373 <_ZN10nsDOMEvent6AddRefEv+55>:	mov    %eax,0x8(%rbx)
> 0x00007f6c18949376 <_ZN10nsDOMEvent6AddRefEv+58>:	jmp    0x7f6c18949386 <_ZN10nsDOMEvent6AddRefEv+74>
> 0x00007f6c18949378 <_ZN10nsDOMEvent6AddRefEv+60>:	sar    %eax
> 0x00007f6c1894937a <_ZN10nsDOMEvent6AddRefEv+62>:	inc    %eax
> 0x00007f6c1894937c <_ZN10nsDOMEvent6AddRefEv+64>:	lea    (%rax,%rax,1),%edx
> 0x00007f6c1894937f <_ZN10nsDOMEvent6AddRefEv+67>:	or     $0x1,%edx
> 0x00007f6c18949382 <_ZN10nsDOMEvent6AddRefEv+70>:	mov    %rdx,0x18(%rbp)
> 0x00007f6c18949386 <_ZN10nsDOMEvent6AddRefEv+74>:	pop    %rbx
> 0x00007f6c18949387 <_ZN10nsDOMEvent6AddRefEv+75>:	pop    %rbp
> 0x00007f6c18949388 <_ZN10nsDOMEvent6AddRefEv+76>:	pop    %r12
> 0x00007f6c1894938a <_ZN10nsDOMEvent6AddRefEv+78>:	retq   
> End of assembler dump.
> Current language:  auto
> The current source language is "auto; currently c++".
> (gdb) info registers
> rax            0x7f6c194b6e78	140102257569400
> rbx            0x7f6bcea877f0	140101005375472
> rcx            0x0	0
> rdx            0x7fff85125ad8	140735425960664
> rsi            0x7f6c18e7b420	140102251033632
> rdi            0x7f6bcea877f0	140101005375472
> rbp            0x7fff85125ad8	0x7fff85125ad8
> rsp            0x2	0x2
> r8             0x7f6bd9197380	140101180552064
> r9             0x7f6c18ae5112	140102247272722
> r10            0x7fff85125c30	140735425961008
> r11            0x7f6bc7568808	140100882565128
> r12            0x7f6c1894cbee	140102245600238
> r13            0x7f6c1969f078	140102259568760
> r14            0x7f6bd0b00000	140101039423488
> r15            0x7f6bd0c19de0	140101040578016
> rip            0x7f6c18949343	0x7f6c18949343 <nsDOMEvent::AddRef()+7>
> eflags         0x10216	[ PF AF IF RF ]
> cs             0x33	51
> ss             0x2b	43
> ds             0x0	0
> es             0x0	0
> fs             0x0	0
> gs             0x0	0
> fctrl          0x37f	895
> fstat          0x4120	16672
> ftag           0xffff	65535
> fiseg          0x7f6c	32620
> fioff          0x17883f30	394805040
> foseg          0x7fff	32767
> fooff          0x8512c6e8	-2062367000
> fop            0x55c	1372
> mxcsr          0x1fa3	[ IE DE PE IM DM ZM OM UM PM ]
> (gdb) info locals
> No locals.
> (gdb) 
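The reasoning in the mail (rip is 7 bytes into AddRef, so `push %r12` and `mov $0x2,%eax` have run; rax should therefore be 2, and rsp should be a stack address below the caller's rbp) can be turned into a small triage script for core-file register dumps. The following is an added example, not part of the mail or of the iceweasel bug: it parses the quoted `info registers` text, computes the rip offset from the function start shown in the quoted disassembly, and applies a few heuristics (stack-pointer plausibility, the expected rax value, and whether rsp equals the immediate of the preceding `mov`) that are this example's own assumptions, not gdb features.

```python
"""Sanity-check a gdb 'info registers' dump against the crash site.

Added example, not from the original mail.  REGISTER_DUMP is copied
from the quoted gdb session; FUNC_START is the address of the first
instruction in the quoted disassembly.  The consistency checks below
are this example's own heuristics.
"""
import re

# Subset of the quoted 'info registers' output (tabs preserved as in gdb).
REGISTER_DUMP = """\
rax            0x7f6c194b6e78	140102257569400
rbx            0x7f6bcea877f0	140101005375472
rdx            0x7fff85125ad8	140735425960664
rdi            0x7f6bcea877f0	140101005375472
rbp            0x7fff85125ad8	0x7fff85125ad8
rsp            0x2	0x2
rip            0x7f6c18949343	0x7f6c18949343 <nsDOMEvent::AddRef()+7>
"""

# Address of 'push %r12', the first instruction of _ZN10nsDOMEvent6AddRefEv.
FUNC_START = 0x00007F6C1894933C

# 'name   0xhex   ...' lines; the second column is the raw register value.
REG_RE = re.compile(r"^(\w+)\s+(0x[0-9a-fA-F]+)", re.MULTILINE)


def parse_registers(text):
    """Map register name -> integer value for every line gdb printed."""
    return {m.group(1): int(m.group(2), 16) for m in REG_RE.finditer(text)}


def rip_offset(regs, func_start):
    """Bytes executed into the function, i.e. the '+N' gdb shows after rip."""
    return regs["rip"] - func_start


def is_plausible_user_stack(value, frame_pointer):
    """Heuristic (assumption): a live x86-64 Linux user stack pointer is
    non-null, 8-byte aligned, in the canonical user half, and at most a few
    MiB below the caller's frame pointer."""
    if value == 0 or value % 8:
        return False
    if value >= 0x0000_8000_0000_0000:  # non-canonical or kernel half
        return False
    return 0 <= frame_pointer - value < 8 * 1024 * 1024


def check_dump(regs, func_start, expected_rax=0x2, stale_immediates=(0x2,)):
    """Return human-readable findings about an inconsistent register state."""
    findings = [f"rip is {rip_offset(regs, func_start)} bytes into the function"]
    if regs["rax"] != expected_rax:
        # 'mov $0x2,%eax' zero-extends into rax, so anything else is suspect.
        findings.append(f"rax is {regs['rax']:#x}, expected {expected_rax:#x}")
    if not is_plausible_user_stack(regs["rsp"], regs["rbp"]):
        findings.append(f"rsp {regs['rsp']:#x} is not a plausible stack address")
    if regs["rsp"] in stale_immediates:
        findings.append("rsp equals the immediate of the preceding mov")
    return findings


if __name__ == "__main__":
    for line in check_dump(parse_registers(REGISTER_DUMP), FUNC_START):
        print(line)
```

Run stand-alone, the script reports that rip is 7 bytes in, that rax holds a pointer-sized value instead of 2, and that rsp is 2, which explains the fault on the following `push %rbp`. The heuristics only flag the inconsistency; they cannot distinguish a corrupted core file, a debugger mis-reporting registers, or a hardware fault, which is exactly the question the mail leaves open.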