crash in nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::ShrinkCapacity(unsigned long, unsigned long) | nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, tag_nsresult)

RESOLVED INCOMPLETE

Status

()

Core
Document Navigation
--
critical
RESOLVED INCOMPLETE
3 years ago
3 years ago

People

(Reporter: cosmin, Unassigned)

Tracking

({crash})

unspecified
All
Linux
crash
Points:
---

Firefox Tracking Flags

(firefox33 affected)

Details

(crash signature, URL)

(Reporter)

Description

3 years ago
This bug was filed from the Socorro interface and is 
report bp-3992274e-7069-49ba-af25-70bac2141008.
=============================================================
(Reporter)

Comment 1

3 years ago
It failed during a mozmill testrun, in test  remote/testSecurity/testSafeBrowsingNotificationBar.js
On Ubuntu 13.10 x64 (mm-ub-1310-64-3)

Stack trace:
0	libxul.so	nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::ShrinkCapacity(unsigned long, unsigned long)	xpcom/glue/nsTArray-inl.h
1	libxul.so	nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, tag_nsresult)	obj-firefox/dist/include/nsTArray.h
2	libxul.so	nsDocLoader::doStopDocumentLoad(nsIRequest*, tag_nsresult)	uriloader/base/nsDocLoader.cpp
3	libxul.so	nsDocLoader::DocLoaderIsEmpty(bool)	uriloader/base/nsDocLoader.cpp
4	libxul.so	nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult)	uriloader/base/nsDocLoader.cpp
5	libxul.so	nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, tag_nsresult)	netwerk/base/src/nsLoadGroup.cpp
6	libxul.so	nsDocument::DoUnblockOnload()	content/base/src/nsDocument.cpp
7	libxul.so	nsDocument::UnblockOnload(bool)	content/base/src/nsDocument.cpp
8	libxul.so	mozilla::LoadBlockingAsyncEventDispatcher::~LoadBlockingAsyncEventDispatcher()	dom/events/AsyncEventDispatcher.cpp
9	libxul.so	mozilla::LoadBlockingAsyncEventDispatcher::~LoadBlockingAsyncEventDispatcher()	dom/events/AsyncEventDispatcher.cpp
10	libxul.so	nsRunnable::Release()	xpcom/glue/nsThreadUtils.cpp
11	libxul.so	nsThread::ProcessNextEvent(bool, bool*)	obj-firefox/dist/include/nsCOMPtr.h
12	libxul.so	NS_InvokeByIndex	xpcom/reflect/xptcall/md/unix/xptcinvoke_x86_64_unix.cpp
13	libxul.so	XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode)	js/xpconnect/src/XPCWrappedNative.cpp
14	libxul.so	XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*)	js/xpconnect/src/XPCWrappedNativeJSOps.cpp
15		@0x7f16c2b43204
This crash happened only once so far. But it is at a random memory location:

rash Reason 	SIGSEGV
Crash Address 	0xb32d3870

Marking as security sensitive for now.
Group: core-security
status-firefox33: --- → affected
Olli, is there anything we can do with this?
Component: File Handling → Document Navigation

Comment 4

3 years ago
Didn't see anything obvious. doStopDocumentLoad keeps child nsDocLoaders alive using 
WebProgressList and DoFireOnStateChange uses NOTIFY_LISTENERS which should be safe.
Unfortunately it doesn't seem like this bug is headed anywhere useful. If there is a lurking bug hopefully it'll show up in other tests.
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.