Closed Bug 94734 Opened 24 years ago Closed 23 years ago

crash on a bugzilla search

Categories

(Core :: Networking: HTTP, defect, P1)

Product:
Core
Component:
Networking: HTTP
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.0.1

People

(Reporter: bobbell, Assigned: darin.moz)

References

(
URL
)

Details

(Keywords: 64bit, crash, Whiteboard: [adt2 RTM] [ETA 07/31])

Attachments

(6 files)

Script used to build mozilla
425 bytes, text/plain
Details
Output when running mozilla
8.24 KB, text/plain
Details
nsHttp:5 log from build 2002013113
81.55 KB, text/plain
Details
Fix
413 bytes, patch
Details | Diff | Splinter Review
testcase
214 bytes, text/plain
Details
alternate fix
772 bytes, patch
blizzard
: review+
darin.moz
: superreview+
brendan
: approval+
Details | Diff | Splinter Review
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; OSF1 alpha; en-US; rv:0.9.3) Gecko/20010804 BuildID: 2001080416 When I do a bugzilla search, I get the message instructing be to wait. When the screen should refresh with the results, mozilla crashes. Reproducible: Always Steps to Reproduce: 1. Go to bugzilla.mozilla.org 2. Search for a bug (e.g., "corrupt font") 3. Wait for results Actual Results: mozilla crashed instead of displaying results. The "Just a moment" (or whatever the exact text is) screen did display, but not the results. Expected Results: display the results, as my copy of Navigator 4.76 does.
Stack trace (note mozilla was built without symbols):$ dbx /usr/local/mozilla/mozilla-bin core dbx version 5.1 Type 'help' for help. Core file created by program "mozilla-bin" warning: /usr/local/mozilla/mozilla-bin has no symbol table -- very little is supported without it thread 0x8 signal Segmentation fault at >*[__nxm_thread_kill, 0x3ff805cb1d8] ret zero, (ra), 1 (dbx) t > 0 __nxm_thread_kill(0xb, 0x0, 0x3ff805b7914, 0x3ffc01b2000, 0x3ffc01b2000) [0x3ff805cb1d8] 1 pthread_kill(0x0, 0x11fffaab8, 0x0, 0x11fffc010, 0x1) [0x3ff805b7934] 2 (unknown)() [0x3ff805cf854] 3 (unknown)() [0x3ff807f369c] 4 exc_raise_signal_exception(0xb0ffe0003, 0x86, 0x0, 0x3ffbfcb9504, 0x1) [0x3ff807f3a08] 5 (unknown)() [0x3ff805b9470] DBX Fault: Segmentation fault (dbx)
Reporter, can you try a recent nightly build available at: http://ftp.mozilla.org/pub/mozilla/nightly/latest/mozilla-alpha-dec-osf4.0f.tar.gz
This problem still exists with the latest nightly build.
Marking NEW. BTW, this seems to be the first OSF/1 bug report.
Status: UNCONFIRMED → NEW
Ever confirmed: true
This bug is still being produced with Mozilla Build 2001101719. I've verified that other co-workers can also reproduce this bug.
we must have a stack trace to assign it to the correct component. Browser general will never fix a bug... On I386-Linux, win and mac we have talkback... Reporter: It is possible that you can build a debug build or a optimized build with symbols ?
Yes, I believe I can do a debug build. Please specify exactly what parameters you would like me to build Mozilla with, as I don't normally compile it myself and therefore don't know how such a build should be done. All specify whether you would like me to build Mozilla from a nightly release or from the last milestone.
Please read http://www.mozilla.org/build (should contain the build instructions) Please build a nightly build if possible.. Thanks !
I built mozilla from nightly source, using '-O -g3' flags passed to the Compaq Tru64 'cc' and 'cxx' compilers. I didn't do anything else special. I've attached the script 'buildit' that I used to build mozilla. NOTE: I first ran mozilla on the machine where I built it. This started it with a fairly clean profile. The bug was reproduced. However, because that machine was running very low on disk space, I subsequently ran it from a second machine, NFS mounting mozilla from the build machine. This picked up by own profile, and also make it easier to debug the crash. The bug was reproduced in the same fashion. Running mozilla from the second machine via NFS from the first is how I gathered the information in this bug report. When mozilla ran it generated a lot of output to the terminal window from which I ran it. I've attached the file 'mozilla.err', which is a copy-and-paste of this text output. Mozilla stills crashes as expected when retrieving results of a search from bugzilla.mozilla.org. Below you will find a debugging session on that dump. I can give you the dump if you want, or you can tell me what I should investigate. /usr/bin/dbx /usr/local/rpm/tmp/mozilla/dist/bin/mozilla-bin core dbx version 5.1 Type 'help' for help. Core file created by program "mozilla-bin" thread 0xf signal Segmentation fault at >*[__nxm_thread_kill, 0x3ff805cb1d8] ret zero, (ra), 1 (/usr/bin/dbx) t > 0 __nxm_thread_kill(0xb, 0x0, 0x3ff805b7914, 0x3ffc01b2000, 0x3ffc01b2000) [0x3ff805cb1d8] 1 pthread_kill(0x0, 0x11fffaef8, 0x0, 0x11fffc010, 0x1) [0x3ff805b7934] 2 (unknown)() [0x3ff805cf854] 3 (unknown)() [0x3ff807f369c] 4 exc_raise_signal_exception(0xb0ffe0003, 0x86, 0x0, 0x3ffbf938b40, 0x1) [0x3ff807f3a08] 5 (unknown)() [0x3ff805b9470] 6 OnDataAvailable__16nsMultiMixedConvXP10nsIRequestP11nsISupportsP14nsIInputStreamUiUi() ["nsMultiMixedConv.cpp":545, 0x3ffbf938b40] 7 OnDataAvailable__18nsDocumentOpenInfoXP10nsIRequestP11nsISupportsP14nsIInputStreamUiUi() ["nsURILoader.cpp":259, 0x3ffbf78de08] 8 OnDataAvailable__19nsStreamListenerTeeXP10nsIRequestP11nsISupportsP14nsIInputStreamUiUi() ["nsStreamListenerTee.cpp":56, 0x3ffbf91abc8] 9 OnDataAvailable__13nsHttpChannelXP10nsIRequestP11nsISupportsP14nsIInputStreamUiUi() ["nsHttpChannel.cpp":2359, 0x3ffbf9a3104] 10 HandleEvent__22nsOnDataAvailableEventXv() ["nsStreamListenerProxy.cpp":192, 0x3ffbf917ea0] 11 HandlePLEvent__23nsARequestObserverEventXP7PLEvent() ["nsRequestObserverProxy.cpp":79, 0x3ffbf8f04f4] 12 PL_HandleEvent(self = (unallocated - symbol optimized away)) ["plevent.c":590, 0x3ffbfee1668] 13 PL_ProcessPendingEvents(self = (unallocated - symbol optimized away)) ["plevent.c":520, 0x3ffbfee1440] 14 ProcessPendingEvents__16nsEventQueueImplXv() ["nsEventQueue.cpp":388, 0x3ffbfee573c] 15 event_processor_callback__XPvi17GdkInputCondition() ["nsAppShell.cpp":184, 0x3ffbf1568b4] 16 our_gdk_io_invoke__XP11_GIOChannel12GIOConditionPv() ["nsAppShell.cpp":76, 0x3ffbf15622c] 17 (unknown)() [0x300030155c4] 18 (unknown)() [0x3000301786c] 19 (unknown)() [0x3000301808c] 20 g_main_run(0x1, 0x1, 0x300018d5cf0, 0x0, 0x300018d5dac) [0x3000301827c] 21 gtk_main(0x3ffbf147ed0, 0x0, 0x11fffbe00, 0x3ffbfee8dd0, 0x140105a80) [0x300018d5da8] 22 Run__10nsAppShellXv() ["nsAppShell.cpp":364, 0x3ffbf157240] 23 Run__17nsAppShellServiceXv() ["nsAppShellService.cpp":302, 0x3ffbe0a3a9c] 24 main1__XiPPcP11nsISupports() ["nsAppRunner.cpp":1303, 0x12001466c] 25 main() ["nsAppRunner.cpp":1629, 0x1200154f4] (/usr/bin/dbx) Please tell me if you need more information. I may also attempt recompiling with '-g' instead of '-g3' to gather even more debugging information.
Thanks for your stack trace !!! -> Networking
Assignee: asa → darin
Component: Browser-General → Networking: HTTP
QA Contact: doronr → tever
reporter: can you reproduce this problem in a more recent nightly build?
I just reproduced this with 2002013113. I used an optimized build, from an custom RPM. I'll look into generating a debug build again, but this may take a little time.
bobbell: before you bother building debug, you might try capturing a HTTP log while reproducing the crash. here's how: setenv NSPR_LOG_MODULES nsHttp:5 setenv NSPR_LOG_FILE http.log then just attach http.log to this bug report. thx!
Since it seems that debug build will take a little longer to generate, I've attached the log as per the instructions given. I went straight to http://bugzilla.mozilla.org/ and searched for "foo bar" (no quotes). I was given the "please wait" screen, and the mozilla crashed (as usual) instead of displaying the results of the search.
Target Milestone: --- → Future
*** Bug 124557 has been marked as a duplicate of this bug. ***
I am seeing this with Mozilla 0.9.9 on Linux alpha (from redhat rawhide RPM), although it seems to only happen when the query returns a long list of bugs (>70). It also crashes on RedHat's bugzilla, but occurs there even with short lists. It crashes in nsMultiMixedConv::OnDataAvailable (as in OSF). I did the NSPR_LOG_MODULES a couple times with similar results to attachment 67747 [details], although one time it gave me: 1026[120246da0]: nsHttpHandler::ReclaimConnection [conn=20b17e70(bugzilla.redhat.com:80) keep-alive=1] 1026[120246da0]: adding connection to idle list [conn=20b17e70] 1026[120246da0]: active connection count is now 0 1026[120246da0]: nsHttpHandler::ProcessTransactionQ_Locked 1026[120246da0]: >> unable to process transaction queue at this time I can attach the full log if you want to see it. I also did sniffit and it appears to crash in different places (one time in the bug list, one time in the footer). OS --> All, please
It does seem to happen sometimes with shorter lists, but more consistently with longer lists.
1026[120246da0]: >> unable to process transaction queue at this time is neither an error nor a warning. it just indicates that there are no pending transactions to process.
I was unable to reproduce this crash with an unoptimzed build from CVS a few days ago. Currently attempting to recompile with optimization...
Depends on: 134221
no crash with optimization on. I also built from SRPM 20020327 (since original crasher for me was 0.9.9 RPM). Also no crash. RedHat's bugzilla also works, which was a more consistent crasher than Mozilla's bugzilla. worksforme bobbell: if you still can't get it to compile (bug 134221), you might try the latest nightly (20020312), assuming you have OSF v4.x
I am running running Tru64 UNIX V5.1, though I do find it intriguing that an V4.0F build is occuring nightly. It should still run on V5.1, so I may give it a shot. Also note that bug 134221 does not prevent compiling; it prevents the use of the compiled program.
Mozilla 1.0RC1 Alpha-Linux RPM is still crashing here.
Mozilla 1.0rc1 from SRPM works fine...
Keywords: crash
OS=>All (although could be build config on Linux)
OS: OSF/1 → All
*** Bug 143696 has been marked as a duplicate of this bug. ***
Attached patch Fix Splinter Review
I just came across this problem today on a Tru64 UNIX 5.0. After debugging this for a little while I could find the bug. The code that was causing grief was if (!mPartChannel || !(cursor[bufLen-1] == nsCRT::LF) ) bufLen is declared as PRUint32. changing the exporession to if (!mPartChannel || !(cursor[int(bufLen-1)] == nsCRT::LF) ) solved the problem.
(and there was much rejoicing) is that not a compiler bug, then? nominating for mozilla1.0.1 since we finally know what's going on and have a fix.
Keywords: mozilla1.0.1
Can I have review for this fix.
Keywords: review
Shanmugavelu: can you explain how your patch solves this crash? is bufLen sometimes zero? is that the problem?
Yes. The problem is that the buflen in the expression if (!mPartChannel || !(cursor[bufLen-1] == nsCRT::LF) ) is "0". bufLen has been defined as a PRUint32. (ladebug) p bufLen 0 (ladebug) whatis bufLen PRUint32 bufLen
then the question becomes: "is cursor[-1] valid?" if not, then we need to protect against evaluating this expression when bufLen == 0.
Attached file testcase
proper testcase output: 11ffff814 11ffff814 11ffff814 11ffff814 actual testcase output: 11ffff814 51ffff814 11ffff814 11ffff814 (that's with cc, I don't have c++ on OSF) this bug also bites on Alpha-Linux with C, but not C++ (at least for me, gcc-2.96-87). Blizzard might be using an older compiler to make RPMS. dunno. also, if bufLen is positive, the bug doesn't bite.
actually, I can get the bad behavior in c++ with gcc-2.96-101 (so Blizzard is actually using a newer compiler). It seems like this might have been caused (on Linux) by fixing Redhat bug 58746: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=58746 For all I know, this is proper behavior in 64-bit land (since it happens on OSF and Linux), although it then ought to show up on Solaris/Sun. adding 64bit keyword.
Keywords: 64bit
dereferencing memory you don't own is never valid. simply casting bufLen - 1 to a signed integer is not a solution. we need to understand how it is that bufLen can be 0 since the original author clearly didn't think that was possible. if we decide that it is rightly possible, then the code needs to avoid bufLen - 1 when bufLen == 0, else we need to fix the code that is leading to bufLen == 0.
Status: NEW → ASSIGNED
Priority: -- → P3
Target Milestone: Future → mozilla1.0.1
I also see bufLen==0 on i686, but it just doesn't crash. Here's what happens during the bad pass through OnDataAvailable buffer="Set-Cookie: LASTORDER=bugs.bug_id ; path=/; expires=Sun, 30-Jun-2029 00:00:00 GMT\nSet-Cookie: BUGLIST=\n\n" mFirstOnData is false mProcessingHeaders is true on return from ParseHeaders, bufLen is 0 and done is true, so mProcessingHeaders is set to false. because mProcessingHeaders is false, it does: if (!mPartChannel || !(cursor[bufLen-1] == nsCRT::LF) ) bufAmt = PR_MIN(mTokenLen - 1, bufLen); which causes the crash. note that cursor[-1] is actually part of buffer it had allocated earler (it is not dereferencing memory it doesn't own).
Attached patch alternate fixSplinter Review
this isn't going to make 1.0.1 ... -> 1.2alpha
Target Milestone: mozilla1.0.1 → mozilla1.2alpha
cc'ing valeski, who seems to have written most of the relevant code here (according to CVS blame) valeski: could you explain the desired/expected behavior in the particular case here where it crashes? thanks.
*** Bug 159619 has been marked as a duplicate of this bug. ***
from bug 159619: also crashes IA64
Hardware: DEC → All
Comment on attachment 86721 [details] [diff] [review] alternate fix sr=darin this patch looks very good. bufAmt shouldn't change from zero if bufLen is zero, so adding this check definitely doesn't change the intended logic of the block.
Attachment #86721 - Flags: superreview+
-> going to shoot for getting this into both 1.1 and 1.0.1
Priority: P3 → P1
Target Milestone: mozilla1.2alpha → mozilla1.1beta
Comment on attachment 86721 [details] [diff] [review] alternate fix r=blizzard
Attachment #86721 - Flags: review+
Comment on attachment 86721 [details] [diff] [review] alternate fix a=brendan@mozilla.org for trunk and branch. /be
Attachment #86721 - Flags: approval+
fixed-on-trunk
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Keywords: mozilla1.0.1adt1.0.1, mozilla1.0.1+
Resolution: --- → FIXED
Whiteboard: [adt1 RTM]
-> mozilla1.0.1 waiting for ADT approval.
Target Milestone: mozilla1.1beta → mozilla1.0.1
Lowering to adt2 since it appears to only affect 64bit machines.
Whiteboard: [adt1 RTM] → [adt2 RTM]
can someone with a 64-bit system confirm that this patch makes bugzilla usable again? i don't think tever has access to such a machine, and we really need to get this verified ASAP. thx!
Tested this on a Tru64 UNIX system. Works fine.
marking VERIFIED per previous comment.
Status: RESOLVED → VERIFIED
adt1.0.1+ (on ADT's behalf) approval for checkin to the 1.0 branch. pls check this in asap, then replace the "mozilla1.0.1+" with "fixed1.0.1". thanks!
Blocks: 143047
Keywords: adt1.0.1adt1.0.1+
Whiteboard: [adt2 RTM] → [adt2 RTM] [ETA 07/31]
fixed1.0.1
Keywords: mozilla1.0.1+fixed1.0.1
*** Bug 162446 has been marked as a duplicate of this bug. ***
Keywords: fixed1.0.1verified1.0.1
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: