i could not find the cause that only when using Chromium i get a crash but when using Firefox i never don't.
some hints to the nginx experts that might help:
1. i use my handler module + filter module. (when module is disabled - no crash)
2. i use C++ code in shared lib and sometimes the crash is in the c++ object deconstructor . the object is allocated on the stack (not ptr, just regular declaration like: obj_t obj1) and freed automatically and end of function.
3. i attach here the headers of FF / CHR browsers.
4. when using valgrind - i get some warnings (see below) but never crash, even in CHR
5. the nginx runs on vurtual machine (centos 6.3) under ubuntu 12.10. the browser runs on the ubuntu.
6. the response handler runs when subrequest returns from an upstream server, then the handler continues and goes to the filter module.
7. sometimes when using palloc i got alignment errors so i used pnalloc. is it the source of the bug ? when to use palloc and when to use pnalloc ? (see below the function that uses pnalloc)
8. when restarting nginx and doing CTRL+F5 in CHR browser (right after the previous crash) - its easy to get another crash again with the same stack trace, while when browsing to anbother page - it takes time to reproduce the crash.

===============

Thread [1] (Suspended: Signal 'SIGABRT' received. Description: Aborted.)
15 raise() 0x00007ffff64e18a5
14 abort() 0x00007ffff64e3085
13 __libc_message() 0x00007ffff651efe7
12 malloc_printerr() 0x00007ffff6524916
11 _int_free() 0x00007ffff6527443
10 ngx_destroy_pool() ngx_palloc.c:87 0x0000000000406a22
9 ngx_http_free_request() ngx_http_request.c:3081 0x000000000044dbfb
8 ngx_http_close_request() ngx_http_request.c:3006 0x000000000044d9b3
7 ngx_http_terminate_handler() ngx_http_request.c:2176 0x000000000044bc38
6 ngx_http_run_posted_requests() ngx_http_request.c:1903 0x000000000044b1ad
5 ngx_http_request_handler() ngx_http_request.c:1869 0x000000000044b0b6
4 ngx_epoll_process_events() ngx_epoll_module.c:683 0x00000000004377d6
3 ngx_process_events_and_timers() ngx_event.c:247 0x00000000004281f4
2 ngx_single_process_cycle() ngx_process_cycle.c:316 0x0000000000434442
1 main() nginx.c:409 0x0000000000403cdc

valgrind:
==27496== Address 0x90c0b2d is 29 bytes inside a block of size 3,366 free'd
==27496== at 0x4C2645F: operator delete(void*) (vg_replace_malloc.c:387)
==27496== by 0x59B73AD: SBB::ResponseBean::~ResponseBean() (in /usr/local/lib/libClientAPI-C-Lib.so)
==27496== by 0x57ABB04: ngx_sbb_med_handle_va_response (in /usr/local/lib/libngx_sbb_mediator.so)
==27496== by 0x4A933D: ngx_sbb_va_response_handler (ngx_sbb_module.c:274)
==27496== by 0x4AA372: ngx_sbb_post_subrequest_handler (ngx_sbb_mod_utils.c:89)
==27496== by 0x44B3C0: ngx_http_finalize_request (ngx_http_request.c:1961)
==27496== by 0x465407: ngx_http_upstream_finalize_request (ngx_http_upstream.c:3095)


CHR headers:
GET /index.php?cat=1&pag=1&det=108 HTTP/1.1
Host: ---
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Ubuntu/12.10 Chromium/22.0.1229.94 Chrome/22.0.1229.94 Safari/537.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://yellowmockup.com/index.php?cat=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,he;q=0.6
Accept-Charset: UTF-8,*;q=0.5
Cookie: adOtr=4aYP5; PRLST=Ya; UTGv2=h4a59e6b096ada50ad0a1243f0549366c032; x-autozoom=150f; SPSI=56aa48be644d6ac8ccec5dd82ade576d


FF headers:
GET /index.php?cat=1&pag=1&det=108 HTTP/1.1
Host: ---
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: UTGv2=h430c577bc94965b18d99cd502407af14a80; SPSI=63c40df4be7823f2acbc8e966a8817df; PRLST=zi/Jv/DT; adOtr=04Hd6
Pragma: no-cache
Cache-Control: no-cache

another crash dump:
Thread [1] (Suspended: Signal 'SIGSEGV' received. Description: Segmentation fault.)
16 memcpy() 0x00007ffff65381ab
15 sbb_strncpy() ngx_sbb_utils.c:12 0x00000000004a9e5f
14 ngx_sbb_utils_str2char() ngx_sbb_mod_utils.c:253 0x00000000004aaab7
13 ngx_sbb_med_prepare_va_request() 0x00007ffff725d7b4
12 ngx_sbb_handler() ngx_sbb_module.c:229 0x00000000004a913d
11 ngx_http_core_rewrite_phase() ngx_http_core_module.c:931 0x000000000043d2a1
10 ngx_http_core_run_phases() ngx_http_core_module.c:877 0x000000000043d103
9 ngx_http_handler() ngx_http_core_module.c:860 0x000000000043d07a
8 ngx_http_process_request() ngx_http_request.c:1687 0x000000000044ac51
7 ngx_http_process_request_headers() ngx_http_request.c:1135 0x0000000000449809
6 ngx_http_process_request_line() ngx_http_request.c:933 0x0000000000448fbe
5 ngx_http_init_request() ngx_http_request.c:519 0x000000000044873f
4 ngx_epoll_process_events() ngx_epoll_module.c:683 0x00000000004377d6
3 ngx_process_events_and_timers() ngx_event.c:247 0x00000000004281f4
2 ngx_single_process_cycle() ngx_process_cycle.c:316 0x0000000000434442
1 main() nginx.c:409 0x0000000000403cdc
=============

// copies exactly n bytes from src to dest, then adds null in n+1 (alloc dst to n+1 first !)
u_char * sbb_strncpy(u_char *dst, u_char *src, size_t n)
{
memcpy(dst, src, n);
dst[n] = '\0';

return dst;
}

// allocate, copy and add terminating null. do not return null but null_str to avoid segmentation fault later (dereferencing null ptr)
u_char* ngx_sbb_utils_str2char(ngx_http_request_t *r, ngx_str_t *ngx_str)
{
u_char *res = NULL;

if ( (!ngx_str) || (!r))
return (u_char*)gv_null_str;

res = ngx_pnalloc(r->pool, ngx_str->len+1);
if (!res)
return (u_char*)gv_null_str;

return sbb_strncpy(res, ngx_str->data, ngx_str->len); // adds terminating null
}