Closed Bug 706049 Opened 13 years ago Closed 13 years ago

Firefox 9.0 Crash Report [@ nsUrlClassifierPrefixSet::Contains(unsigned int, int*) ]

Categories

(Toolkit :: Safe Browsing, defect)

9 Branch
x86
Windows XP
defect
Not set
critical

RESOLVED FIXED
Firefox 11
Tracking Status
firefox9 + fixed
firefox10 + fixed

People

(Reporter: cbook, Assigned: gcp)

Details

(Keywords: crash, Whiteboard: [qa-])

Attachments

(1 file)

Firefox 9.0 Crash Report [@ nsUrlClassifierPrefixSet::Contains(unsigned int, int*) ]
 see https://crash-stats.mozilla.com/report/index/d24025aa-019a-4937-95b4-2026c2111127 as example report.

General overview: https://crash-stats.mozilla.com/report/index/d24025aa-019a-4937-95b4-2026c2111127

Seems there are a lot of startup crashers.

Stack:
Crashing Thread
Frame 	Module 	Signature 	Source
0 	xul.dll 	nsUrlClassifierPrefixSet::Contains 	toolkit/components/url-classifier/nsUrlClassifierPrefixSet.cpp:234
1 	xul.dll 	nsUrlClassifierPrefixSet::Probe 	toolkit/components/url-classifier/nsUrlClassifierPrefixSet.cpp:307
2 	xul.dll 	nsUrlClassifierDBService::CheckClean 	
3 	xul.dll 	nsUrlClassifierDBService::LookupURI 	toolkit/components/url-classifier/nsUrlClassifierDBService.cpp:4218
4 	xul.dll 	nsUrlClassifierDBService::Classify 	toolkit/components/url-classifier/nsUrlClassifierDBService.cpp:4165
5 	xul.dll 	nsChannelClassifier::Start 	netwerk/base/src/nsChannelClassifier.cpp:123
6 	xul.dll 	nsHttpChannel::AsyncOpen 	netwerk/protocol/http/nsHttpChannel.cpp:3720
7 	xul.dll 	nsHttpChannel::ContinueProcessRedirection 	netwerk/protocol/http/nsHttpChannel.cpp:3454
8 	xul.dll 	nsHttpChannel::OnRedirectVerifyCallback 	netwerk/protocol/http/nsHttpChannel.cpp:4914
9 	xul.dll 	nsAsyncVerifyRedirectCallbackEvent::Run 	netwerk/base/src/nsAsyncRedirectVerifyHelper.cpp:77
10 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:631
11 	nspr4.dll 	_MD_CURRENT_THREAD 	nsprpub/pr/src/md/windows/w95thred.c:308
12 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
13 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:201
14 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:175
15 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:189
16 	xul.dll 	xul.dll@0xbc03bf 	
17 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:228
18 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3557
19 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:107
20 	firefox.exe 	firefox.exe@0x4033 	
21 	firefox.exe 	__tmainCRTStartup 	crtexe.c:594
22 	firefox.exe 	_SEH_epilog4 	
23 	kernel32.dll 	BaseProcessStart 	
24 	kernel32.dll 	FindAtomW 	
25 	kernel32.dll 	BaseProcessStart 	
26 	firefox.exe 	pre_c_init 	crtexe.c:304
Looks similar to bug 702217 but when the urlclassifier.pset file is corrupted instead of the urlclassifier3.sqlite one.
Assignee: nobody → gpascutto
Status: NEW → ASSIGNED
Attachment #578231 - Flags: review?(dcamp)
Corrupted files can cause startup crashes until the user clears his profile.
Attachment #578231 - Flags: review?(dcamp) → review+
https://hg.mozilla.org/mozilla-central/rev/cddc8b0ba0b6

(comment 5 rev id is incorrect, this is the right one)
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 11
Attachment #578231 - Flags: approval-mozilla-beta?
Attachment #578231 - Flags: approval-mozilla-aurora?
- The patch adds more sanity checking before operating on values read from the database, bails out early if the database is detected to be corrupted, and detects if the file appears to be truncated.
- Users hitting the bug may be unable to use Firefox until they clear their profile.

- This triggers when the database is corrupted in a specific way. I suspect it may be trigger-able by cutting the urlclassifier.pset file short by about 2/3rds.
Comment on attachment 578231 [details] [diff] [review]
Patch 1. Check read data sizes. Sanity check during probe.

[Triage Comment]
Approving for Aurora, but not a top crasher so minusing for beta at this point in the cycle.
Attachment #578231 - Flags: approval-mozilla-beta?
Attachment #578231 - Flags: approval-mozilla-beta-
Attachment #578231 - Flags: approval-mozilla-aurora?
Attachment #578231 - Flags: approval-mozilla-aurora+
Comment on attachment 578231 [details] [diff] [review]
Patch 1. Check read data sizes. Sanity check during probe.

[Triage Comment]
Upon further review, we'll take on beta due to the number of startup crashes associated with this bug. Please land asap.
Attachment #578231 - Flags: approval-mozilla-beta- → approval-mozilla-beta+
Is this fix testable by QA?
Whiteboard: [qa?]
>Is this fix testable by QA?

Truncate the urlclassifier.pset file in the profile somewhere around 1/3 of the size. Visit a webpage with a lot of links or images. The browser shouldn't crash. Not sure how easy it is to reproduce manually (you might need to truncate at a very specific point).
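The checks named in the patch description (verify read sizes, bail out on a truncated or corrupt file, sanity-check during the probe) and the truncation test described in the reply above, as an added example that is not part of this bug thread or of Mozilla's patch. The on-disk layout and the names `PrefixSet`, `ReadArray`, `Load`, `Contains` and `Lookup` are assumptions made for illustration.

```cpp
// Added example: hypothetical simplified layout, not Mozilla's actual .pset code.
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <vector>
typedef std::vector<uint8_t> Bytes;
struct PrefixSet { std::vector<uint32_t> prefixes, starts; std::vector<uint16_t> deltas; };
// Copy n elements from buf at off; refuse a short read instead of trusting the header.
template <typename T>
static bool ReadArray(const Bytes& buf, size_t& off, uint32_t n, std::vector<T>& out) {
  uint64_t bytes = uint64_t(n) * sizeof(T);
  if (bytes > buf.size() - off) return false;  // file is truncated
  out.resize(n);
  if (n) std::memcpy(out.data(), buf.data() + off, size_t(bytes));
  off += size_t(bytes);
  return true;
}
// Assumed layout: u32 indexSize, u32 deltaSize, prefixes[], starts[], deltas[].
bool Load(const Bytes& buf, PrefixSet& ps) {
  size_t off = 0; std::vector<uint32_t> hdr;
  if (!ReadArray(buf, off, 2, hdr) || !ReadArray(buf, off, hdr[0], ps.prefixes) ||
      !ReadArray(buf, off, hdr[0], ps.starts) || !ReadArray(buf, off, hdr[1], ps.deltas))
    return false;
  for (size_t i = 0; i < ps.starts.size(); i++)  // each start must index into deltas
    if (ps.starts[i] > ps.deltas.size() || (i && ps.starts[i] < ps.starts[i - 1]))
      return false;
  return std::is_sorted(ps.prefixes.begin(), ps.prefixes.end());
}

// Probe: 1 = present, 0 = absent, -1 = inconsistent data (caller should rebuild).
int Contains(const PrefixSet& ps, uint32_t target) {
  if (ps.prefixes.empty() || target < ps.prefixes[0]) return 0;
  size_t i = std::upper_bound(ps.prefixes.begin(), ps.prefixes.end(), target) - ps.prefixes.begin() - 1;
  size_t end = (i + 1 < ps.starts.size()) ? ps.starts[i + 1] : ps.deltas.size();
  if (i >= ps.starts.size() || ps.starts[i] > end || end > ps.deltas.size()) return -1;
  uint32_t v = ps.prefixes[i];
  for (size_t d = ps.starts[i]; d < end && v < target; d++) v += ps.deltas[d];
  return v == target;
}

// Constructed sample for {100, 105, 115, 1000, 1007}, cut to keepBytes, then probed.
int Lookup(size_t keepBytes, uint32_t target) {
  const uint32_t words[] = {2, 3, 100, 1000, 0, 2};  // sizes, prefixes, starts
  const uint16_t deltas[] = {5, 10, 7};
  Bytes file(sizeof words + sizeof deltas);
  std::memcpy(file.data(), words, sizeof words);
  std::memcpy(file.data() + sizeof words, deltas, sizeof deltas);
  file.resize(std::min(keepBytes, file.size()));
  PrefixSet ps;
  return Load(file, ps) ? Contains(ps, target) : -1;
}
```

The sample file is 30 bytes; any `keepBytes` below that makes `Load` fail, so the probe never runs against partially filled arrays.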
Given comment 12, I don't think it is feasible for QA to verify the fix in a timely manner. If someone is already set up to reproduce this bug, it would be appreciated for said person to verify the fix.

Thanks
Whiteboard: [qa?] → [qa-]
Gian-Carlo - I see another similar crash signature in 10b5 - [@ nsUrlClassifierPrefixSet::StoreToFd(mozilla::AutoFDClose&) ] - http://tinyurl.com/6wk3b84 to the reports. Will your fix address this crash as well or should I file a new bug?  Thanks.
This bug was marked "status-firefox10: fixed" over a month ago. If Firefox 10 is crashing now, the patches here obviously won't help that.
BTW, if you file the new bug please assign directly to me. I think I see what's wrong.
Product: Firefox → Toolkit