Open
Bug 765465
Opened 12 years ago
Updated 2 years ago
nsIStorageStream memory corruption when written into and read from nsIHttpChannel
Categories
(Core :: Networking, defect, P5)
Tracking
()
UNCONFIRMED
People
(Reporter: passfree, Unassigned)
Details
(Whiteboard: [necko-would-take])
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0 Build ID: 20120420145725 Steps to reproduce: I am writing a simple extension which creates a http channel and assigns a storage stream as an upload stream via the methods exposed by nsIUploadChannel interface. The browser will crash after data has been written into the storage stream output stream. Actual results: Here is an information about the crash: 0 libSystem.B.dylib 0x00007fffffe00800 __memcpy + 96 1 XUL 0x0000000100f58f98 NS_CopySegmentToBuffer(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*) + 40 (nsStreamUtils.cpp:760) 2 XUL 0x0000000100f5af88 nsStorageInputStream::ReadSegments(unsigned int (*)(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*), void*, unsigned int, unsigned int*) + 248 (nsStorageStream.cpp:454) 3 XUL 0x0000000100f55dcd nsMultiplexInputStream::Read(char*, unsigned int, unsigned int*) + 157 (nsMultiplexInputStream.cpp:224) 4 XUL 0x0000000100f55dcd nsMultiplexInputStream::Read(char*, unsigned int, unsigned int*) + 157 (nsMultiplexInputStream.cpp:224) 5 XUL 0x000000010004d526 nsBufferedInputStream::Fill() + 102 (nsBufferedStreams.cpp:426) 6 XUL 0x000000010004cf59 nsBufferedInputStream::ReadSegments(unsigned int (*)(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*), void*, unsigned int, unsigned int*) + 217 (nsBufferedStreams.cpp:389) 7 XUL 0x00000001000db97e nsHttpTransaction::ReadSegments(nsAHttpSegmentReader*, unsigned int, unsigned int*) + 142 (nsHttpTransaction.cpp:506) 8 XUL 0x00000001000cd692 nsHttpConnection::OnSocketWritable() + 354 (nsHttpConnection.cpp:1097) 9 XUL 0x00000001000cd770 nsHttpConnection::OnOutputStreamReady(nsIAsyncOutputStream*) + 16 (nsHttpConnection.cpp:1332) 10 XUL 0x00000001000ccc66 nsHttpConnection::Activate(nsAHttpTransaction*, unsigned char, int) + 374 (nsHttpConnection.cpp:380) 11 XUL 0x00000001000d19cd nsHttpConnectionMgr::DispatchTransaction(nsHttpConnectionMgr::nsConnectionE ntry*, nsHttpTransaction*, unsigned char, nsHttpConnection*) + 397 (nsHttpConnectionMgr.cpp:1284) 12 XUL 0x00000001000d3096 nsHttpConnectionMgr::nsHalfOpenSocket::OnOutputStreamReady(nsIAsyncOutputSt ream*) + 1014 (nsHttpConnectionMgr.cpp:2210) 13 XUL 0x000000010006ec6a nsSocketOutputStream::OnSocketReady(unsigned int) + 122 (nsCOMPtr.h:480) 14 XUL 0x00000001000723ce nsSocketTransport::OnSocketReady(PRFileDesc*, short) + 398 (nsSocketTransport2.cpp:1568) 15 XUL 0x0000000100074df7 nsSocketTransportService::DoPollIteration(bool) + 1095 (nsSocketTransportService2.cpp:762) 16 XUL 0x000000010007505b nsSocketTransportService::Run() + 251 (nsSocketTransportService2.cpp:648) 17 XUL 0x0000000100f6e317 nsThread::ProcessNextEvent(bool, bool*) + 407 (nsThread.cpp:657) 18 XUL 0x000000010001de5a NS_ProcessNextEvent_P(nsIThread*, bool) + 26 (nsThreadUtils.cpp:245) 19 XUL 0x0000000100f6e09d nsThread::ThreadFunc(void*) + 141 (nsThread.cpp:288) 20 libnspr4.dylib 0x0000000103694b4e _pt_root + 158 (ptthread.c:190) 21 libSystem.B.dylib 0x00007fff8964dfd6 _pthread_start + 331 22 libSystem.B.dylib 0x00007fff8964de89 thread_start + 13 I use something similar to this: let PR_UINT32_MAX = Math.pow(2, 32) - 1; let storageStream = createInstance('...@mozilla.org/storagestream;1', 'nsIStorageStream'); storageStream.init(DEFAULT_SEGMENT_SIZE, PR_UINT32_MAX, null); this.outputStream = streamTransportService.createOutputTransport(storageStream.getOutputStream( 0), -1, -1, true).openOutputStream(0, DEFAULT_SEGMENT_SIZE, DEFAULT_SEGMENT_COUNT).QueryInterface(CI.nsIAsyncOutputStream); request.upload(storageStream.newInputStream(0), forwarder); The function request.upload does this: let mimeInputStream = createInstance('@mozilla.org/network/mime-input-stream;1', 'nsIMIMEInputStream'); mimeInputStream.addContentLength = false; mimeInputStream.setData(inputStream); this.channel.QueryInterface(CI.nsIUploadChannel); this.channel.setUploadStream(mimeInputStream, '', -1); this.channel.asyncOpen(streamListener, this); Notice that this.outputStream is an asyn output stream which I pump data into every time it is available. The crash does not occur on first instance when write method is called but at later time. If I don't call write no crash will occur. Also, the crash wont occur immediately after or during a call to write. Also, I have tested the rest of the code with a simple pipe implementation just to see if I am doing everything else correctly and it is working perfectly fine. Though, I need a storage stream because I want to allow other extension developers to be able to observe my requests and the data they carry. This is why I need a storage stream.
Comment 1•11 years ago
|
||
Is there any way you can write a complete JS-based test for this? XPCShell testing should be able to show it.
Updated•8 years ago
|
Whiteboard: [necko-would-take]
Comment 2•7 years ago
|
||
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P5
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•