Closed
Bug 910518
Opened 11 years ago
Closed 11 years ago
crash in mozilla::net::nsHttpChannel::CallOnStartRequest()
Categories
(Core :: General, defect)
Tracking
()
RESOLVED
FIXED
mozilla26
People
(Reporter: alice0775, Assigned: mcmanus)
References
Details
(Keywords: crash)
Crash Data
Attachments
(1 file)
|
2.20 KB,
patch
|
jduell.mcbugs
:
review+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is report bp-8857a083-ee82-49d6-afab-1e72e2130829 : Aurora25.0a2 bp-d7a0723b-a472-45f6-bc1e-2a7182130829 : Firefox24b6 bp-dce1f83f-c23c-4c9b-9a82-fa8c92130829 : Firefox23.0.1 ============================================================= I am not sure the crash seems to do not happen in Nightly26.0a1. Reproducible: intermittently Steps To Reproduce: 1. Open https://paperc.com/store/overview 2. Click "Allow" button if door hanger was popuped 3. Click "Restrote Privous Session" 4. Exit browser 5. Start Browser again 6. Repeat from step 3, or step 1 if "Restrote Privous Session" disabled
|
Reporter | |
Comment 1•11 years ago
|
||
Sorry, STR in commnet #0 is wrong Steps Ro Reproduce: 1. Open https://paperc.com/store/overview 2. Click "Allow" button if door hanger was popuped 3. Exit browser 4. Start Browser again 5. Click "Restore Previous Session" --- Crashing happens while loading page. if not, continue step 6. 6. Repeat from step 3, or step 1 if "Restore Previous Session" disabled
|
|
Reporter | |
Comment 2•11 years ago
|
||
Aha, Crashing in Nightly26.0a1 too. bp-c8e20425-3f40-4ade-af22-c5ec82130829
tracking-firefox26:
--- → ?
|
|
Reporter | |
Comment 3•11 years ago
|
||
Regression window(m-c) Good: http://hg.mozilla.org/mozilla-central/rev/c7b8d71aa25d Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20120927095854 Bad: http://hg.mozilla.org/mozilla-central/rev/2d96ee8d9dd4 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20120927200536 Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c7b8d71aa25d&tochange=2d96ee8d9dd4 Regression window(m-i) Good: http://hg.mozilla.org/integration/mozilla-inbound/rev/f16404a61304 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20120927112256 Bad: http://hg.mozilla.org/integration/mozilla-inbound/rev/c6cb52ebb2c8 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20120927123555 Pushlog: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f16404a61304&tochange=c6cb52ebb2c8 In local build: Last Good: f16404a61304 First Bad: 8e8915a37f5a Regressed by: 8e8915a37f5a Mark Banner — Bug 793580 - Part 1: Use unsigned types in ExceptionArgParser::parseResult; r=ehsan
Blocks: 793580
|
|
Reporter | |
Comment 5•11 years ago
|
||
Regression window(m-c) Good: http://hg.mozilla.org/mozilla-central/rev/c7b8d71aa25d Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20120927095854 Bad: http://hg.mozilla.org/mozilla-central/rev/2d96ee8d9dd4 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20120927200536 Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c7b8d71aa25d&tochange=2d96ee8d9dd4 Regression window(m-i) Good: http://hg.mozilla.org/integration/mozilla-inbound/rev/c5a7b7544f12 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20120927094355 Bad: http://hg.mozilla.org/integration/mozilla-inbound/rev/0129800fa8a1 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20120927103456 Pushlog: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=c5a7b7544f12&tochange=0129800fa8a1 In local build: Last Good: 198e780680c1 First Bad: dcae72a1333c Regressed by: dcae72a1333c Patrick McManus — bug 769764 move proxy resolution to separate thread and remove sync api r=biesi sr=josh
Blocks: 769764
|
|
Reporter | |
Updated•11 years ago
|
Crash Signature: [@ mozilla::net::nsHttpChannel::CallOnStartRequest()] → [@ mozilla::net::nsHttpChannel::CallOnStartRequest() ]
|
||
Comment 6•11 years ago
|
||
Patrick, we see no reason to track this (it's non-critical). Anything here look critical to you?
Flags: needinfo?(mcmanus)
|
Assignee | |
Comment 7•11 years ago
|
||
(In reply to Alex Keybl [:akeybl] from comment #6) > Patrick, we see no reason to track this (it's non-critical). Anything here > look critical to you? its a null deref - so there isn't a security problem. and it appears to have been around for a while at low volume so I don't see the need to track. however on the positive side I think I know what's going on and it really is just a matter of checking a couple pointers before de-reffing. I can't reproduce using the STR, so I'll upload a patch to try and let Alice confirm.
Flags: needinfo?(mcmanus)
|
|
Assignee | |
Comment 8•11 years ago
|
||
Alice, can you try this build and see if it helps? https://tbpl.mozilla.org/?tree=Try&rev=a537abf7c286
|
|
Reporter | |
Comment 9•11 years ago
|
||
I cannot reproduce the crash with the try-build. http://hg.mozilla.org/try/rev/a537abf7c286 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 ID:20130903155244
|
|
Assignee | |
Comment 10•11 years ago
|
||
Attachment #799448 -
Flags: review?(jduell.mcbugs)
|
|
Assignee | |
Updated•11 years ago
|
Assignee: nobody → mcmanus
Status: NEW → ASSIGNED
|
|
||
Updated•11 years ago
|
|
||
Comment 11•11 years ago
|
||
Comment on attachment 799448 [details] [diff] [review] check httpchannel for listener release on redirect callback Review of attachment 799448 [details] [diff] [review]: ----------------------------------------------------------------- Patrick: So do we know how the culprit in the regression range in comment 5 (ie. bug 769764) changed things in a way that made us have mListener sometimes be null here? My only concern is that we need to make sure that OnStart/Stop get called. If OnStart is now called in some error/etc path and by the time we're here it's null, than this patch is fine. But if OnStop is never called we've got an IDL contract violation.
|
|
Assignee | |
Comment 12•11 years ago
|
||
the regression range is the code that makes a lot of code that used to be synchronous to asyncOpen now be truly async because the proxy lookup is truly async. I don't know the exact trail of tears that leads to this crash, but I can imagine that the new behavior provides opportunities for exactly the double error path.. especially when mixed with a redirect cocktail. there are only a handful of places ReleaseListeners() is used to set mListener to null. its worth noting that the other uses of mListener are all null checked (in onstop and oda), indicating that this problem is pervasive and probly just couldn't be triggered in onstart previously.
|
|
||
Comment 13•11 years ago
|
||
Comment on attachment 799448 [details] [diff] [review] check httpchannel for listener release on redirect callback Can we at least log or NS_WARN or so?
|
|
||
Comment 14•11 years ago
|
||
Comment on attachment 799448 [details] [diff] [review] check httpchannel for listener release on redirect callback Review of attachment 799448 [details] [diff] [review]: ----------------------------------------------------------------- warning would be nice.
Attachment #799448 -
Flags: review?(jduell.mcbugs) → review+
|
|
Assignee | |
Comment 15•11 years ago
|
||
added ns_warning()s https://hg.mozilla.org/integration/mozilla-inbound/rev/610bbc0fcf01
|
||
Comment 16•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/610bbc0fcf01
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
You need to log in
before you can comment on or make changes to this bug.
Description
•