[Bug 929219] Re: chromium-browser crashed with SIGSEGV in __nscd_get_mapping()

Bug Watch Updater 929219 at bugs.launchpad.net
Mon Mar 12 14:48:24 UTC 2012


Launchpad has imported 7 comments from the remote bug at
http://sourceware.org/bugzilla/show_bug.cgi?id=13594.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2012-01-13T16:38:09+00:00 Aj-suse wrote:

I have seen some reports where glibc crashes if nscd is not running,
especially with chromium but also with ktorrent. This is not always
reproducible, so there's some kind of race or random memory corruption.

valgrind reports:
==16750== Process terminating with default action of signal 11 (SIGSEGV)
==16750==  Access not within mapped region at address 0x17
==16750==    at 0xC63DC1E: __nscd_get_mapping (in /lib64/libc-2.15.so)
==16750==    by 0xC63DDE3: __nscd_get_map_ref (in /lib64/libc-2.15.so)
==16750==    by 0xC63B2E1: nscd_gethst_r (in /lib64/libc-2.15.so)
==16750==    by 0xC63BB96: __nscd_gethostbyname2_r (in /lib64/libc-2.15.so)
==16750==    by 0xC6213F0: gethostbyname2_r@@GLIBC_2.2.5 (in /lib64/libc-2.15.so)
==16750==    by 0xC5F5D8F: gaih_inet (in /lib64/libc-2.15.so)
==16750==    by 0xC5F6ED2: getaddrinfo (in /lib64/libc-2.15.so)
==16750==    by 0x140E7BD: net::SystemHostResolverProc(std::string const&, net::AddressFamily, int, net::AddressList*, int*) (in /usr/lib64/chromium/chromium)
==16750==    by 0x1407C57: net::HostResolverImpl::Job::DoLookup(base::TimeTicks const&, unsigned int) (in /usr/lib64/chromium/chromium)
==16750==    by 0x2B5B2FA: base::(anonymous namespace)::WorkerThread::ThreadMain() (in /usr/lib64/chromium/chromium)
==16750==    by 0x11753C1: base::(anonymous namespace)::ThreadFunc(void*) (in /usr/lib64/chromium/chromium)
==16750==    by 0x919FF65: start_thread (in /lib64/libpthread-2.15.so)

gdb gives a similar backtrace.

After reverting commit 3a2c02424d9824f5cdea4ebd32ff929b2b1f49c6, the
problem does not appear anymore.

I can't reproduce it yet on my system - so no further information.

Reports:
https://bugzilla.novell.com/show_bug.cgi?id=741021
https://bbs.archlinux.org/viewtopic.php?id=133021

Reply at: https://bugs.launchpad.net/eglibc/+bug/929219/comments/0

------------------------------------------------------------------------
On 2012-02-07T16:44:47+00:00 ajaxas wrote:

I confirm this for Chromium on archlinux.

Specs (just in case):
- kernel 3.3-rc2 (vanilla)
- glibc 2.15

I can only add 2 things:
- this happens only once in a session, i.e. when Chromium is launched for the first time after boot; after that Chromium starts normally.
- I couldn't yet reproduce this bug *within* gdb - it always starts without a problem. I will continue trying though.

Reply at: https://bugs.launchpad.net/eglibc/+bug/929219/comments/1

------------------------------------------------------------------------
On 2012-02-11T22:52:36+00:00 Pcpa wrote:

I am just starting to test an update from "2.14.90" to "2.15" for
mandriva, and I get this randomly, varying from 1 to 4 times every
restart of chromium-browser.

$ rpm -qf /usr/bin/chromium-browser
chromium-browser-unstable-17.0.963.26-1-mdv2012.0.x86_64

$ LD_LIBRARY_PATH=/usr/lib64/chromium-browser gdb /usr/lib64/chromium-browser/chrome
...
0x00007ffff18f5e7e in __nscd_get_mapping (type=<optimized out>, key=
    0x7ffff19436b4 "hosts", mappedp=0x7ffff1b82548) at nscd_helper.c:417
417       if (oldval != NULL && atomic_decrement_val (&oldval->counter) == 0)
(gdb) p oldval
$1 = (struct mapped_database *) 0xffffffffffffffff
(gdb) bt
#0  0x00007ffff18f5e7e in __nscd_get_mapping (type=<optimized out>, key=
    0x7ffff19436b4 "hosts", mappedp=0x7ffff1b82548) at nscd_helper.c:417
#1  0x00007ffff18f4098 in __nscd_get_nl_timestamp () at nscd_gethst_r.c:113
#2  0x00007ffff18e2be8 in __check_pf (seen_ipv4=0x7ffff7ed071e, seen_ipv6=
    0x7ffff7ed071f, in6ai=0x7ffff7ed06e0, in6ailen=0x7ffff7ed06f0)
    at ../sysdeps/unix/sysv/linux/check_pf.c:324
#3  0x00007ffff18aa015 in __GI_getaddrinfo (name=
    0x555559ba3a68 "www.statcounter.com", service=<optimized out>, hints=
    0x7ffff7ed0a60, pai=0x7ffff7ed0a98) at ../sysdeps/posix/getaddrinfo.c:2305
#4  0x00005555566a0c9c in ?? ()
#5  0x000055555669b3e8 in ?? ()
#6  0x0000555557d85b95 in ?? ()
#7  0x0000555556437fb2 in ?? ()
#8  0x00007ffff4239bd0 in start_thread (arg=0x7ffff7ed1700)
    at pthread_create.c:309
#9  0x00007ffff18bd93d in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

I believe this should correct it, but it is not the proper solution:

--- glibc-2.15-a316c1f/nscd/nscd_helper.c.orig	2012-02-11 20:25:37.804514879 -0200
+++ glibc-2.15-a316c1f/nscd/nscd_helper.c	2012-02-11 20:26:07.428588082 -0200
@@ -414,7 +414,8 @@ __nscd_get_mapping (request_type type, c
   struct mapped_database *oldval = *mappedp;
   *mappedp = result;
 
-  if (oldval != NULL && atomic_decrement_val (&oldval->counter) == 0)
+  if (oldval != NULL && oldval != NO_MAPPING
+      && atomic_decrement_val (&oldval->counter) == 0)
     __nscd_unmap (oldval);
 
   return result;
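Review bot: the added `oldval != NO_MAPPING` test stops `atomic_decrement_val (&oldval->counter)` from dereferencing the sentinel (the gdb session shows oldval == 0xffffffffffffffff, i.e. (struct mapped_database *) -1), but the store two lines above it, `*mappedp = result;`, still publishes that same sentinel whenever result == NO_MAPPING (as it is in frame 0, where $20 has the identical value), which is exactly how the next caller reads it back as oldval. Either guard the store so the slot only ever holds NULL or a real mapping, or state in the change description that NO_MAPPING is a legitimate cached value and that every reader of *mappedp must test for it before touching ->counter; as written the hunk fixes the one reader here and leaves that invariant implicit.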


hopefully also useful:

(gdb) frame 0
#0  0x00007ffff18f5e7e in __nscd_get_mapping (type=<optimized out>, key=
    0x7ffff19436b4 "hosts", mappedp=0x7ffff1b82548) at nscd_helper.c:417
417       if (oldval != NULL && atomic_decrement_val (&oldval->counter) == 0)
(gdb) p keylen
$12 = 6
(gdb) p mapsize
$13 = 0
(gdb) p iov
$14 = {{iov_base = 0x7ffff7ed0330, iov_len = 6}, {iov_base = 0x7ffff7ed04a0, 
    iov_len = 8}}
(gdb) p cmsg
$15 = <optimized out>
(gdb) p (cmsg)->__cmsg_data
value has been optimized out
(gdb) p ip
$16 = <optimized out>
(gdb) p mapfd
$17 = <optimized out>
(gdb) p st
No symbol "st" in current context.
(gdb) p mapping
$18 = <optimized out>
(gdb) p size
No symbol "size" in current context.
(gdb) p oldval
$19 = (struct mapped_database *) 0xffffffffffffffff
(gdb) p result
$20 = (struct mapped_database *) 0xffffffffffffffff

Reply at: https://bugs.launchpad.net/eglibc/+bug/929219/comments/8
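The sentinel-versus-real-pointer distinction behind that patch, as an added C example that is not glibc code and not part of the original thread: a cached map slot that can hold NULL, a real mapping, or NO_MAPPING ((struct mapped_database *) -1), with a release path that refuses to touch ->counter on the sentinel. The struct fields, the unmap() stand-in, the plain (non-atomic) decrement and the publish_mapping() name are simplified stand-ins for the glibc internals, not their real definitions.

```c
/* Added example, not glibc code: models the three states a cached nscd map
 * pointer can be in (NULL, a real mapping, the NO_MAPPING sentinel) and the
 * guard the release path needs before it may read ->counter. */
#include <stddef.h>

struct mapped_database {
    int counter;   /* reference count, as in the gdb output above */
    int unmapped;  /* constructed field so a caller can observe the release */
};

/* Same sentinel shape as in the thread: all bits set, never a valid address. */
#define NO_MAPPING ((struct mapped_database *) -1l)

/* Only NULL and NO_MAPPING are "not a mapping"; everything else may be read. */
static int is_real_mapping(const struct mapped_database *p)
{
    return p != NULL && p != NO_MAPPING;
}

/* Stand-in for __nscd_unmap: records the release instead of munmap()ing. */
static void unmap(struct mapped_database *db)
{
    db->unmapped = 1;
}

/* Unpatched shape, shown for contrast and deliberately not compiled in:
 *   if (oldval != NULL && --oldval->counter == 0) unmap(oldval);
 * With oldval == NO_MAPPING that reads ->counter at address -1 + 0 and faults,
 * which is the SIGSEGV at nscd_helper.c:417 in the backtraces above. */

/* Patched shape: swap result into the slot, then drop the old reference only
 * if the old value was a real mapping. Returns 1 if it was unmapped, else 0.
 * Note the slot may still receive NO_MAPPING as the new value, so every later
 * reader has to apply the same guard. */
int publish_mapping(struct mapped_database **mappedp,
                    struct mapped_database *result)
{
    struct mapped_database *oldval = *mappedp;
    *mappedp = result;
    if (is_real_mapping(oldval) && --oldval->counter == 0) {
        unmap(oldval);
        return 1;
    }
    return 0;
}
```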

------------------------------------------------------------------------
On 2012-02-11T23:01:24+00:00 Pcpa wrote:

Forgot to add some extra information:

$ ls /usr/lib64/chromium-browser
chrome*            libppGoogleNaClPluginChrome.so*  resources.pak
chrome.pak         locales/                         themes/
chrome-sandbox*    nacl_helper*                     xdg-mime*
chromium-wrapper*  nacl_helper_bootstrap*           xdg-settings*
default_apps/      nacl_irt_x86_64.nexe
libffmpegsumo.so*  resources/

If I removed libppGoogleNaClPluginChrome.so from that directory,
or overrode the wrapper and started chrome without setting
LD_LIBRARY_PATH, I could not get it to crash, nor did I notice
any problems.

Reply at: https://bugs.launchpad.net/eglibc/+bug/929219/comments/9

------------------------------------------------------------------------
On 2012-02-12T04:25:56+00:00 ajaxas wrote:

It's already fixed in archlinux, though it was one helluva big commit:
http://projects.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/glibc&id=8e950112da65c96ad17cbd650ac9db3050343a3f
I'm not even sure where to look...

Reply at: https://bugs.launchpad.net/eglibc/+bug/929219/comments/10

------------------------------------------------------------------------
On 2012-02-12T04:33:38+00:00 Allan McRae wrote:

That is called reverting the commit that caused the issue...  Not fixing
it.

Reply at: https://bugs.launchpad.net/eglibc/+bug/929219/comments/11

------------------------------------------------------------------------
On 2012-02-12T04:39:26+00:00 ajaxas wrote:

(In reply to comment #5)
> That is called reverting the commit that caused the issue...  Not fixing it.

Okay.
It's already reverted in archlinux. Hope this stays reverted for good and finds its way into the upstream (if this wasn't an archlinux-only problem, since it was the *package* version that changed...)

Reply at: https://bugs.launchpad.net/eglibc/+bug/929219/comments/12


** Changed in: glibc
       Status: Unknown => Confirmed

** Changed in: eglibc
       Status: Unknown => Confirmed

** Changed in: glibc
   Importance: Unknown => Medium

** Changed in: eglibc
   Importance: Unknown => Medium

** Bug watch added: Novell/SUSE Bugzilla #741021
   https://bugzilla.novell.com/show_bug.cgi?id=741021

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to eglibc in Ubuntu.
https://bugs.launchpad.net/bugs/929219

Title:
  chromium-browser crashed with SIGSEGV in __nscd_get_mapping()

Status in Embedded GLIBC:
  Confirmed
Status in The GNU C Library:
  Confirmed
Status in “chromium-browser” package in Ubuntu:
  Triaged
Status in “eglibc” package in Ubuntu:
  Triaged

Bug description:
  updated latest - rebooted and tried to open chromium, no such luck

  ProblemType: Crash
  DistroRelease: Ubuntu 12.04
  Package: chromium-browser 16.0.912.77~r118311-0ubuntu1
  ProcVersionSignature: Ubuntu 3.2.0-14.23-generic 3.2.3
  Uname: Linux 3.2.0-14-generic i686
  ApportVersion: 1.91-0ubuntu1
  Architecture: i386
  CheckboxSubmission: 8617bffd198177508bf030f94c880aca
  CheckboxSystem: bb422ca46d02494cdbc459927a98bc2f
  CrashCounter: 1
  CrashDB: ubuntu
  Date: Thu Feb  9 00:48:53 2012
  Desktop-Session:
   DESKTOP_SESSION = ubuntu
   XDG_CONFIG_DIRS = /etc/xdg/xdg-ubuntu:/etc/xdg
   XDG_DATA_DIRS = /usr/share/ubuntu:/usr/share/gnome:/usr/local/share/:/usr/share/
  Env:
   MOZ_PLUGIN_PATH = None
   LD_LIBRARY_PATH = None
  ExecutablePath: /usr/lib/chromium-browser/chromium-browser
  InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release i386 (20111012)
  ProcCmdline: /usr/lib/chromium-browser/chromium-browser
  ProcEnviron:
   
  SegvAnalysis:
   Segfault happened at: 0xb7db005:	lock xadd %ecx,0xc(%eax)
   PC (0x0b7db005) ok
   source "%ecx" ok
   destination "0xc(%eax)" (0x0000000b) not located in a known VMA region (needed writable region)!
   Stack memory exhausted (SP below stack segment)
  SegvReason: writing NULL VMA
  Signal: 11
  SourcePackage: chromium-browser
  StacktraceTop:
   ?? () from /lib/i386-linux-gnu/libc.so.6
   ?? () from /lib/i386-linux-gnu/libc.so.6
   ?? () from /lib/i386-linux-gnu/libc.so.6
   ?? () from /lib/i386-linux-gnu/libc.so.6
   gethostbyname2_r () from /lib/i386-linux-gnu/libc.so.6
  ThirdParty: True
  Title: chromium-browser crashed with SIGSEGV in gethostbyname2_r()
  UpgradeStatus: Upgraded to precise on 2012-02-05 (3 days ago)
  UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
  chromium-default: CHROMIUM_FLAGS=""
