Closed Bug 561622 Opened 15 years ago Closed 15 years ago

SPARC: nsAutoTArray: unaligned memory leading to a SIGBUS

Categories

(Core :: XPCOM, defect)

1.9.2 Branch
Sun
Solaris
defect
Not set
critical

RESOLVED DUPLICATE of bug 448658

People

(Reporter: nicolai.stange, Unassigned)

Details

(Keywords: crash)

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.1.9) Gecko/20100402 Ubuntu/9.10 (karmic) Firefox/3.5.9
Build Identifier: http://releases.mozilla.org/pub/mozilla.org/firefox/releases/latest-3.6/source/firefox-3.6.3.source.tar.bz2

Solaris10/SPARC gcc-4.4.3 --disable-optimize --enable-debug CFLAGS=CXXFLAGS="-m32 -fno-inline -g3"

I got several SIGBUS crashes somehow associated with nsTArray. I caught one in gdb (don't care for the SIGSEGV, outside of gdb it's really a SIGBUS, maybe gdb "converts" it somehow):

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1 (LWP 1)]
0xfcb384c0 in PropertyProvider::GetSpacingInternal (this=0xffbfcf40, aStart=0, aLength=20, aSpacing=0xffbfbfbc, aIgnoreTabs=1) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/layout/generic/nsTextFrameThebes.cpp:2386
2386        aSpacing[index].mBefore = 0.0;
(gdb) disas
Dump of assembler code for function _ZN16PropertyProvider18GetSpacingInternalEjjPN7gfxFont7SpacingEi:
[...]
=> 0xfcb384c0 <+220>:   std  %f8, [ %g2 ]
[...]
(gdb) p/x $g2
$2 = 0xffbfbfbc
(gdb) p aSpacing
$3 = (gfxFont::Spacing *) 0xffbfbfbc
(gdb) up 3
#3  0xfeb33cbc in gfxTextRun::GetAdjustedSpacingArray (this=0xf1c9c7a0, aStart=0, aEnd=20, aProvider=0xffbfcf40, aSpacingStart=0, aSpacingEnd=20, aSpacing=0xffbfbfb0) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/gfx/thebes/src/gfxFont.cpp:2029
2029                aSpacing->Elements() + aSpacingStart - aStart);
(gdb) p *aSpacing
$5 = {<nsTArray_base> = {static sEmptyHdr = {mLength = 0, mCapacity = 0, mIsAutoArray = 0}, mHdr = 0xffbfbfb4}, <No data fields>}
(gdb) p sizeof(nsTArray_base::Header)
$6 = 8

As you can see, the nsTArray's mHdr is not aligned to an address divisible by 8. It should be, because this causes the address of the first double of gfxFont::Spacing to be misaligned, thus causing a SIGBUS on SPARC. mHdr gets its value through NS_Alloc.

I tried to find out which one, but unfortunately the libc_db of our system doesn't fit the libc, making thread debugging unreliable, and it's a production system. So I wasn't really able to set breakpoints, but trying to do so gives this (among many error messages):

b NS_Alloc      mozilla-1.9.2/xpcom/stub/nsXPComStub.cpp, line 246
b NS_Alloc_P    mozilla-1.9.2/xpcom/base/nsMemoryImpl.cpp, line 282
b PR_Malloc     /mozilla-1.9.2/nsprpub/pr/src/malloc/prmem.c, line 465

Also:

user@host:~/ff_build/mozilla-1.9.2/obj-sparc-sun-solaris2.10/browser/dist$ nm -D lib/libxul.so | grep PR_Malloc
[58720] | 0| 140|FUNC |GLOB |0 |UNDEF |PR_Malloc
user@host:~/ff_build/mozilla-1.9.2/obj-sparc-sun-solaris2.10/browser/dist$ nm -D lib/libnspr4.so | grep PR_Malloc
[114] | 129592| 140|FUNC |GLOB |0 |10 |PR_Malloc

The issue really seems to arise from the PR_Malloc within mozilla-1.9.2/nsprpub/pr/src/malloc/prmem.c. In the meantime I'll try to #undef _PR_ZONE_ALLOCATOR within mozilla-1.9.2/nsprpub/pr/include/private/primpl.h. If you need any other details, just ask; I'll keep this crashing debug build for a while here.

Reproducible: Always

Steps to Reproduce:
1. start firefox
2. wait (1min to ~1/2 hour)

Actual Results:
Crashing with SIGBUS

Expected Results:
If the memory size to be allocated >= 8 the resulting address should be divisible by 8 (at least on SPARC).
(gdb) bt
#0  0xfcb384c0 in PropertyProvider::GetSpacingInternal (this=0xffbfcf40, aStart=0, aLength=20, aSpacing=0xffbfbfbc, aIgnoreTabs=1) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/layout/generic/nsTextFrameThebes.cpp:2386
#1  0xfcb38320 in PropertyProvider::GetSpacing (this=0xffbfcf40, aStart=0, aLength=20, aSpacing=0xffbfbfbc) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/layout/generic/nsTextFrameThebes.cpp:2366
#2  0xfeb339c4 in GetAdjustedSpacing (aTextRun=0xf1c9c7a0, aStart=0, aEnd=20, aProvider=0xffbfcf40, aSpacing=0xffbfbfbc) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/gfx/thebes/src/gfxFont.cpp:1998
#3  0xfeb33cbc in gfxTextRun::GetAdjustedSpacingArray (this=0xf1c9c7a0, aStart=0, aEnd=20, aProvider=0xffbfcf40, aSpacingStart=0, aSpacingEnd=20, aSpacing=0xffbfbfb0) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/gfx/thebes/src/gfxFont.cpp:2029
#4  0xfeb33ee0 in gfxTextRun::DrawGlyphs (this=0xf1c9c7a0, aFont=0xf12bc3e0, aContext=0xf12c7ad0, aDrawToPath=0, aPt=0xffbfcd40, aStart=0, aEnd=20, aProvider=0xffbfcf40, aSpacingStart=0, aSpacingEnd=20) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/gfx/thebes/src/gfxFont.cpp:2061
#5  0xfeb34d38 in gfxTextRun::Draw (this=0xf1c9c7a0, aContext=0xf12c7ad0, aPt=..., aStart=0, aLength=20, aDirtyRect=0xffbfcff0, aProvider=0xffbfcf40, aAdvanceWidth=0xffbfd010) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/gfx/thebes/src/gfxFont.cpp:2274
#6  0xfcb42d98 in nsTextFrame::DrawText (this=0xf1cacde0, aCtx=0xf12c7ad0, aTextBaselinePt=..., aOffset=0, aLength=20, aDirtyRect=0xffbfcff0, aProvider=0xffbfcf40, aAdvanceWidth=@0xffbfd010, aDrawSoftHyphen=0) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/layout/generic/nsTextFrameThebes.cpp:4766
#7  0xfcb42cb4 in nsTextFrame::PaintText (this=0xf1cacde0, aRenderingContext=0xf1666b40, aPt=..., aDirtyRect=...) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/layout/generic/nsTextFrameThebes.cpp:4753
#8  0xfcb3ea60 in nsDisplayText::Paint (this=0xf0eae030, aBuilder=0xffbfd1fc, aCtx=0xf1666b40) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/layout/generic/nsTextFrameThebes.cpp:3854
#9  0xfc8fad18 in nsDisplayList::Paint (this=0xffbfd4c4, aBuilder=0xffbfd1fc, aCtx=0xf1666b40) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/layout/base/nsDisplayList.cpp:405
#10 0xfc98ef00 in PresShell::RenderDocument (this=0xf20fef80, aRect=..., aFlags=2, aBackgroundColor=4294967295, aThebesContext=0xf12c7ad0) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/layout/base/nsPresShell.cpp:5370
#11 0xfd0bd28c in nsCanvasRenderingContext2D::DrawWindow (this=0xf1265920, aWindow=0xf2954940, aX=0, aY=0, aW=768, aH=432, aBGColor=..., flags=0) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/content/canvas/src/nsCanvasRenderingContext2D.cpp:3381
#12 0xfeab300c in NS_InvokeByIndex_P () from /sw/solaris10/ff_build/mozilla-1.9.2/obj-sparc-sun-solaris2.10/browser/dist/lib/libxul.so
#13 0xfc34976c in XPCWrappedNative::CallMethod (ccx=..., mode=XPCWrappedNative::CALL_METHOD) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/js/src/xpconnect/src/xpcwrappednative.cpp:2722
#14 0xfc363f34 in XPC_WN_CallMethod (cx=0xf4eddc00, obj=0xf1cd70a0, argc=6, argv=0xf1c060d4, vp=0xffbfdc84) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1740
#15 0xfb5b64c8 in js_Invoke (cx=0xf4eddc00, argc=6, vp=0xf1c060cc, flags=2) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/js/src/jsinterp.cpp:1360
#16 0xfb59b130 in js_Interpret (cx=0xf4eddc00) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/js/src/jsops.cpp:2240
#17 0xfb5b6538 in js_Invoke (cx=0xf4eddc00, argc=3, vp=0xf1c06020, flags=0) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/js/src/jsinterp.cpp:1368
#18 0xfb5b6868 in js_InternalInvoke (cx=0xf4eddc00, obj=0xf4eea5e0, fval=-248566048, flags=0, argc=3, argv=0xf165f3a0, rval=0xffbfe430) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/js/src/jsinterp.cpp:1423
#19 0xfb4fa7b8 in JS_CallFunctionValue (cx=0xf4eddc00, obj=0xf4eea5e0, fval=-248566048, argc=3, argv=0xf165f3a0, rval=0xffbfe430) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/js/src/jsapi.cpp:5112
#20 0xfd5e2740 in nsJSContext::CallEventHandler (this=0xf4ef6100, aTarget=0xf5bd53e0, aScope=0xf4eea5e0, aHandler=0xf12f2ee0, aargv=0xf1663724, arv=0xffbfe52c) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/dom/base/nsJSEnvironment.cpp:2134
#21 0xfd650124 in nsGlobalWindow::RunTimeout (this=0xf5bd53e0, aTimeout=0xf1ccbb80) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/dom/base/nsGlobalWindow.cpp:8115
#22 0xfd651344 in nsGlobalWindow::TimerCallback (aTimer=0xf1ccbbc0, aClosure=0xf1ccbb80) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/dom/base/nsGlobalWindow.cpp:8449
#23 0xfea86188 in nsTimerImpl::Fire (this=0xf1ccbbc0) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/xpcom/threads/nsTimerImpl.cpp:427
#24 0xfea86554 in nsTimerEvent::Run (this=0xf1662d00) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/xpcom/threads/nsTimerImpl.cpp:519
#25 0xfea76f6c in nsThread::ProcessNextEvent (this=0xf658e610, mayWait=1, result=0xffbfe7ec) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/xpcom/threads/nsThread.cpp:527
#26 0xfe99b9a0 in NS_ProcessNextEvent_P (thread=0xf658e610, mayWait=1) at nsThreadUtils.cpp:250
#27 0xfe6be93c in nsBaseAppShell::Run (this=0xf658ecf0) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/widget/src/xpwidgets/nsBaseAppShell.cpp:170
#28 0xfe153fbc in nsAppStartup::Run (this=0xf57108c0) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/toolkit/components/startup/src/nsAppStartup.cpp:183
#29 0xfc27c928 in XRE_main (argc=1, argv=0xffbfee1c, aAppData=0xf650a0c0) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/toolkit/xre/nsAppRunner.cpp:3506
#30 0x0001217c in main (argc=1, argv=0xffbfee1c) at /opt/zmaw/sw/solaris10/ff_build/mozilla-1.9.2/browser/app/nsBrowserApp.cpp:158
Assignee: nobody → wtc
Component: General → NSPR
Keywords: crash
OS: Other → Solaris
Product: Core → NSPR
QA Contact: general → nspr
Hardware: Other → Sun
Version: unspecified → other
Sorry, forget everything about NS_Alloc I said above. Looking at the backtrace, aSpacing is in fact an nsAutoTArray with its memory allocated on the stack. The misalignment happens through the use of an array of chars. This is how I try to fix it:

nsTArray.h:899
char mAutoBuf[sizeof(Header) + N * sizeof(elem_type)] __attribute__ ((aligned(__alignof__(E))));

I'll tell you whether this works.
Summary: Solaris10/SPARC: NS_Alloc handles out unaligned memory leading to a SIGBUS → SPARC: nsAutoTArray: unaligned memory leading to a SIGBUS
Assignee: wtc → nobody
Component: NSPR → XPCOM
Product: NSPR → Core
QA Contact: nspr → xpcom
Version: other → 1.9.2 Branch
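The comment above describes the mechanism in one line; the following is an added, stand-alone illustration of it, not code from this bug or from Mozilla's tree. It models the inline buffer before and after the proposed fix (alignas(E) is the standard spelling of the GCC __attribute__((aligned(__alignof__(E)))) attribute quoted above) and shows the alignment check a debug build could assert on instead of waiting for the SIGBUS. Header and Spacing are constructed stand-ins (only the 8-byte header size from the gdb output and the "doubles inside gfxFont::Spacing" property are taken from the report); mFlag is a constructed one-byte member that forces the buggy layout onto an odd offset, the same thing any preceding byte-sized field or stack object can do; N = 20 mirrors aLength=20 in the backtrace.

```cpp
#include <cstddef>
#include <cstdint>

// Constructed stand-in for nsTArray_base::Header (not Mozilla's definition);
// it only has to match the 8-byte size gdb printed in the report.
struct Header {
    uint32_t mLength;
    uint32_t mCapacity : 31;
    uint32_t mIsAutoArray : 1;
};
static_assert(sizeof(Header) == 8, "report shows sizeof(nsTArray_base::Header) == 8");

// Constructed stand-in for gfxFont::Spacing: two doubles, so its storage needs
// alignof(double); a misaligned store to mBefore is what faulted on SPARC.
struct Spacing {
    double mBefore;
    double mAfter;
};

// Layout before the fix: a plain char array only guarantees 1-byte alignment,
// so a single-byte member placed before it (mFlag is a constructed stand-in
// for whatever happens to precede the buffer) pushes it to an odd offset, and
// the elements that follow the Header inherit that misalignment.
template <class E, size_t N>
struct UnalignedAutoArray {
    char mFlag;
    char mAutoBuf[sizeof(Header) + N * sizeof(E)];
};

// Layout after the fix: alignas(E) is the standard C++11 spelling of the
// __attribute__((aligned(__alignof__(E)))) used in the comment above.
template <class E, size_t N>
struct AlignedAutoArray {
    char mFlag;
    alignas(E) char mAutoBuf[sizeof(Header) + N * sizeof(E)];
};

// nsAutoTArray puts the Header at the start of mAutoBuf and the elements
// directly after it, so the first element sits at bufOffset + sizeof(Header).
template <class E>
bool elementsAligned(size_t bufOffset) {
    return (bufOffset + sizeof(Header)) % alignof(E) == 0;
}

// Runtime form of the check on a live pointer, e.g. for an assertion where
// mHdr is assigned. On SPARC a misaligned double store raises SIGBUS; on x86
// it silently succeeds, so the check must look at the address, not at a crash.
bool pointerAligned(const void* p, size_t align) {
    return reinterpret_cast<uintptr_t>(p) % align == 0;
}

// N = 20 mirrors aLength=20 in the backtrace.
using BuggyArray = UnalignedAutoArray<Spacing, 20>;
using FixedArray = AlignedAutoArray<Spacing, 20>;

// mAutoBuf lands at offset 1, the first Spacing at offset 9: never a multiple
// of alignof(double), so this returns false.
bool buggyLayoutIsSafe() {
    return elementsAligned<Spacing>(offsetof(BuggyArray, mAutoBuf));
}

// mAutoBuf is padded up to alignof(Spacing); the 8-byte Header keeps the
// first element aligned as well, so this returns true.
bool fixedLayoutIsSafe() {
    return elementsAligned<Spacing>(offsetof(FixedArray, mAutoBuf));
}

// Same check against a real stack object, the situation in the report.
bool liveFixedArrayIsSafe() {
    FixedArray arr;
    const void* hdr = arr.mAutoBuf;                    // where mHdr would point
    const void* elems = arr.mAutoBuf + sizeof(Header); // what Elements() returns
    return pointerAligned(hdr, alignof(Header)) &&
           pointerAligned(elems, alignof(Spacing));
}
```

The fix in the comment only covers element types whose alignment is at most the header's 8 bytes; an element type with a larger alignment requirement would still need the header itself padded out, which is outside what this bug discusses.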
I met this problem before, but I forgot how I solved it. I'll check.
I suppose it is a dupe of Bug 448658.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE