Bug 1539208 Comment 20 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

Analyzing the case on an emulator, FetchDriver::OnStartRequest() exits at

https://searchfox.org/mozilla-central/source/dom/fetch/FetchDriver.cpp#814

In this case, FetchDriver::mChannel is nullptr, and mResponse is not created in OnStartRequest. Then, when we receive OnDataAvailable, it accesses a nullptr when mResponse->Type() is called, which crashes Firefox.

Now there are two possible problems.

1. mChannel should not be nullptr at that moment.
2. In theory, if FetchDriver::OnStartRequest() returns failure, FetchDriver::OnDataAvailable should not be called. But it is called in this case.

Analyzing the case on an emulator, FetchDriver::OnStartRequest() exits at

https://searchfox.org/mozilla-central/source/dom/fetch/FetchDriver.cpp#814

In this case, FetchDriver::mChannel is nullptr, and mResponse is not created in OnStartRequest. Then, when we receive OnDataAvailable, it accesses a nullptr when mResponse->Type() is called, which crashes Firefox.

https://searchfox.org/mozilla-central/source/dom/fetch/FetchDriver.cpp#1184

Now there are two possible problems.

1. mChannel should not be nullptr at that moment.
2. In theory, if FetchDriver::OnStartRequest() returns failure, FetchDriver::OnDataAvailable should not be called. But it is called in this case.

Analyzing the case on an emulator, FetchDriver::OnStartRequest() exits at

https://searchfox.org/mozilla-central/source/dom/fetch/FetchDriver.cpp#814

In this case, FetchDriver::mChannel is nullptr, and mResponse is not created in OnStartRequest. Then, when we receive OnDataAvailable, it accesses a nullptr (mResponse->Type()).

https://searchfox.org/mozilla-central/source/dom/fetch/FetchDriver.cpp#1184

Now there are two possible problems.

1. mChannel should not be nullptr at that moment.
2. In theory, if FetchDriver::OnStartRequest() returns failure, FetchDriver::OnDataAvailable should not be called. But it is called in this case.
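The two problems above, modelled as an added example. This is not Firefox code and not part of the bug comment: it is a small stand-alone sketch of the listener contract the comment relies on (OnStartRequest, then zero or more OnDataAvailable calls, then OnStopRequest), with a caller that honours the contract beside one that reproduces the observed ordering, and a listener whose OnDataAvailable checks for a missing response object instead of dereferencing it. Every name in it (MockChannel, MockResponse, FetchLikeListener, the Deliver* functions, the nsresult constants) is invented for the illustration and is not a mozilla-central identifier.

```cpp
// Added illustration, not Firefox code. All identifiers below are invented
// for this example; only the callback order and the "null mResponse after a
// failed OnStartRequest" condition come from the bug comment.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

using nsresult = uint32_t;
constexpr nsresult NS_OK = 0;
constexpr nsresult NS_ERROR_FAILURE = 0x80004005;  // assumed value for the sketch
inline bool NS_SUCCEEDED(nsresult r) { return (r & 0x80000000u) == 0; }

enum class ResponseType { Basic, Error };

struct MockResponse {
  ResponseType mType = ResponseType::Basic;
  std::string mBody;
  ResponseType Type() const { return mType; }
};

struct MockChannel {};

class FetchLikeListener {
 public:
  explicit FetchLikeListener(MockChannel* aChannel) : mChannel(aChannel) {}

  // Models the early exit the comment describes: with no channel the method
  // fails before a response object is ever created.
  nsresult OnStartRequest() {
    if (!mChannel) {
      return NS_ERROR_FAILURE;
    }
    mResponse = std::make_unique<MockResponse>();
    return NS_OK;
  }

  // Defensive form: a data callback that arrives with no response object
  // (i.e. after a failed OnStartRequest) is rejected, not dereferenced.
  // Without the first check this is exactly the mResponse->Type() null deref.
  nsresult OnDataAvailable(const std::string& aChunk) {
    if (!mResponse) {
      mRejectedChunks++;
      return NS_ERROR_FAILURE;
    }
    if (mResponse->Type() == ResponseType::Error) {
      return NS_ERROR_FAILURE;
    }
    mResponse->mBody += aChunk;
    return NS_OK;
  }

  nsresult OnStopRequest(nsresult aStatus) {
    mStopStatus = aStatus;
    return NS_OK;
  }

  const MockResponse* Response() const { return mResponse.get(); }
  int RejectedChunks() const { return mRejectedChunks; }
  nsresult StopStatus() const { return mStopStatus; }

 private:
  MockChannel* mChannel;
  std::unique_ptr<MockResponse> mResponse;
  int mRejectedChunks = 0;
  nsresult mStopStatus = NS_OK;
};

// Caller side of the contract (problem 2): once OnStartRequest fails, no data
// is delivered and the request goes straight to OnStopRequest with the status.
nsresult DeliverHonoringContract(FetchLikeListener& aListener,
                                 const std::vector<std::string>& aChunks) {
  nsresult rv = aListener.OnStartRequest();
  if (NS_SUCCEEDED(rv)) {
    for (const auto& chunk : aChunks) {
      rv = aListener.OnDataAvailable(chunk);
      if (!NS_SUCCEEDED(rv)) break;
    }
  }
  aListener.OnStopRequest(rv);
  return rv;
}

// The ordering the comment observed: data is pushed even though OnStartRequest
// failed. The guarded listener survives it; an unguarded one crashes.
nsresult DeliverIgnoringStartFailure(FetchLikeListener& aListener,
                                     const std::vector<std::string>& aChunks) {
  nsresult rv = aListener.OnStartRequest();
  for (const auto& chunk : aChunks) {
    aListener.OnDataAvailable(chunk);
  }
  aListener.OnStopRequest(rv);
  return rv;
}

int main() {
  FetchLikeListener listener(nullptr);  // mChannel is nullptr, as in the report
  DeliverIgnoringStartFailure(listener, {"chunk-1", "chunk-2"});
  std::printf("rejected %d chunks after failed OnStartRequest, response=%p\n",
              listener.RejectedChunks(), static_cast<const void*>(listener.Response()));
  return 0;
}
```

The two Deliver* functions correspond to the two fixes implied by the comment: enforcing the callback order at the caller, or making the listener tolerate a violated order. Both are worth having; the listener-side check is the cheaper one to land and turns a crash into a failed request.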
