1120145 - Crash in nsUrlClassifierPrefixSet::Contains()

Status: RESOLVED FIXED

(Toolkit :: Safe Browsing, defect)

Description

[Hubert Figuiere [:hub]]

I got a crash with mozilla-inbound (build by myself, not releng).

Here is a stack trace
Program received signal SIGSEGV, Segmentation fault.
nsUrlClassifierPrefixSet::Contains (this=0x7fffc9006060, aPrefix=aPrefix@entry=2828678878, aFound=aFound@entry=0x7fffffff679f)
    at /home/hub/source/mozilla/src/toolkit/components/url-classifier/nsUrlClassifierPrefixSet.cpp:245
245	    diff -= mIndexDeltas[i][deltaIndex];
(gdb) 
(gdb) 
(gdb) where
#0  0x00007ffff52df7a9 in nsUrlClassifierPrefixSet::Contains(unsigned int, bool*) (this=0x7fffc9006060, aPrefix=aPrefix@entry=2828678878, aFound=aFound@entry=0x7fffffff679f)
    at /home/hub/source/mozilla/src/toolkit/components/url-classifier/nsUrlClassifierPrefixSet.cpp:245
#1  0x00007ffff52e90b0 in mozilla::safebrowsing::LookupCache::Has(mozilla::safebrowsing::SafebrowsingHash<32u, mozilla::safebrowsing::CompletionComparator> const&, bool*, bool*) (this=this@entry=0x7fffc9637980, aCompletion=..., aHas=aHas@entry=0x7fffffff6846, aComplete=aComplete@entry=0x7fffffff6847)
    at /home/hub/source/mozilla/src/toolkit/components/url-classifier/LookupCache.cpp:199
#2  0x00007ffff52ea277 in mozilla::safebrowsing::Classifier::Check(nsACString_internal const&, nsACString_internal const&, unsigned int, nsICryptoHash*, nsTArray<mozilla::safebrowsing::LookupResult>&) (this=0x7fffc9789e00, aSpec=..., aTables=..., aFreshnessGuarantee=2700, aCryptoHash=aCryptoHash@entry=0x7fffc93d90a0, aResults=...)
    at /home/hub/source/mozilla/src/toolkit/components/url-classifier/Classifier.cpp:278
#3  0x00007ffff52ea4d3 in nsUrlClassifierDBServiceWorker::DoLocalLookup(nsACString_internal const&, nsACString_internal const&, nsICryptoHash*, nsTArray<mozilla::safebrowsing::LookupResult>*) (this=0x7fffc9789d80, spec=..., tables=..., cryptoHash=0x7fffc93d90a0, results=0x7fff9c377fb8) at /home/hub/source/mozilla/src/toolkit/components/url-classifier/nsUrlClassifierDBService.cpp:268
#4  0x00007ffff52ea66c in nsUrlClassifierDBService::ClassifyLocal(nsIPrincipal*, bool, tag_nsresult*) (this=0x7fffc92fe480, aPrincipal=<optimized out>, aTrackingProtectionEnabled=<optimized out>, aResponse=0x7fffffff6b58) at /home/hub/source/mozilla/src/toolkit/components/url-classifier/nsUrlClassifierDBService.cpp:1362
#5  0x00007ffff3ebf5e5 in mozilla::net::nsHttpChannel::BeginConnect() (this=this@entry=0x7fffa9d8a000) at /home/hub/source/mozilla/src/netwerk/protocol/http/nsHttpChannel.cpp:4887
#6  0x00007ffff3ebfbd6 in mozilla::net::nsHttpChannel::OnProxyAvailable(nsICancelable*, nsIURI*, nsIProxyInfo*, tag_nsresult) (this=0x7fffa9d8a000, request=<optimized out>, uri=<optimized out>, pi=0x0, status=tag_nsresult::NS_OK) at /home/hub/source/mozilla/src/netwerk/protocol/http/nsHttpChannel.cpp:5080
#7  0x00007ffff3dee12c in nsAsyncResolveRequest::DoCallback() (this=this@entry=0x7fff01ca6600) at /home/hub/source/mozilla/src/netwerk/base/src/nsProtocolProxyService.cpp:250
#8  0x00007ffff3dee298 in nsAsyncResolveRequest::Run() (this=this@entry=0x7fff01ca6600) at /home/hub/source/mozilla/src/netwerk/base/src/nsProtocolProxyService.cpp:142
#9  0x00007ffff3dec425 in nsProtocolProxyService::AsyncResolveInternal(nsIURI*, unsigned int, nsIProtocolProxyCallback*, nsICancelable**, bool) (this=0x7fffccaf0c60, uri=0x7fffb10c5e40, flags=0, callback=<optimized out>, result=0x7fffa9d8a478, isSyncOK=<optimized out>) at /home/hub/source/mozilla/src/netwerk/base/src/nsProtocolProxyService.cpp:1208
#10 0x00007ffff3ea6962 in mozilla::net::nsHttpChannel::ResolveProxy() (this=this@entry=0x7fffa9d8a000) at /home/hub/source/mozilla/src/netwerk/protocol/http/nsHttpChannel.cpp:2025
#11 0x00007ffff3ebfafc in mozilla::net::nsHttpChannel::AsyncOpen(nsIStreamListener*, nsISupports*) (this=0x7fffa9d8a000, listener=0x7fff00ac5cc0, context=0x0)
    at /home/hub/source/mozilla/src/netwerk/protocol/http/nsHttpChannel.cpp:4772
#12 0x00007ffff43e09bb in imgLoader::LoadImage(nsIURI*, nsIURI*, nsIURI*, mozilla::net::ReferrerPolicy, nsIPrincipal*, nsILoadGroup*, imgINotificationObserver*, nsISupports*, unsigned int, nsISupports*, unsigned int, nsAString_internal const&, imgRequestProxy**) (this=this@entry=0x7fffe3f31bc0, aURI=aURI@entry=0x7fffb10c5e40, aInitialDocumentURI=aInitialDocumentURI@entry=0x7fff9bdd04e0, aReferrerURI=aReferrerURI@entry=0x7fff9bdd04e0, aReferrerPolicy=aReferrerPolicy@entry=mozilla::net::RP_No_Referrer_When_Downgrade, aLoadingPrincipal=aLoadingPrincipal@entry=0x7fff04678820, aLoadGroup=0x7fff036e98e0, aObserver=0x7fffcf7dc388, aCX=0x7fff419b6800, aLoadFlags=0, aContentPolicyType=3, initiatorType=..., _retval=0x7fffcf7dc398, aCacheKey=<optimized out>)
    at /home/hub/source/mozilla/src/image/src/imgLoader.cpp:2092
#13 0x00007ffff43e0c8b in imgLoader::LoadImage(nsIURI*, nsIURI*, nsIURI*, mozilla::net::ReferrerPolicy, nsIPrincipal*, nsILoadGroup*, imgINotificationObserver*, nsISupports*, unsigned int, nsISupports*, unsigned int, nsAString_internal const&, imgRequestProxy**) (this=this@entry=0x7fffe3f31bc0, aURI=aURI@entry=0x7fffb10c5e40, aInitialDocumentURI=aInitialDocumentURI@entry=0x7fff9bdd04e0, aReferrerURI=aReferrerURI@entry=0x7fff9bdd04e0, aReferrerPolicy=aReferrerPolicy@entry=mozilla::net::RP_No_Referrer_When_Downgrade, aLoadingPrincipal=aLoadingPrincipal@entry=0x7fff04678820, aLoadGroup=0x7fff036e98e0, aObserver=0x7fffcf7dc388, aCX=0x7fff419b6800, aLoadFlags=0, aCacheKey=<optimized out>, aContentPolicyType=<optimized out>, initiatorType=..., _retval=0x7fffcf7dc398)
    at /home/hub/source/mozilla/src/image/src/imgLoader.cpp:2161
#14 0x00007ffff4411198 in nsContentUtils::LoadImage(nsIURI*, nsIDocument*, nsIPrincipal*, nsIURI*, mozilla::net::ReferrerPolicy, imgINotificationObserver*, int, nsAString_internal const&, imgRequestProxy**, unsigned int) (aURI=aURI@entry=0x7fffb10c5e40, aLoadingDocument=aLoadingDocument@entry=
    0x7fff419b6800, aLoadingPrincipal=0x7fff04678820, aReferrer=0x7fff9bdd04e0, aReferrerPolicy=mozilla::net::RP_No_Referrer_When_Downgrade, aObserver=aObserver@entry=0x7fffcf7dc388, aLoadFlags=0, initiatorType=..., aRequest=0x7fffcf7dc398, aContentPolicyType=3) at /home/hub/source/mozilla/src/dom/base/nsContentUtils.cpp:3036
#15 0x00007ffff443c240 in nsImageLoadingContent::LoadImage(nsIURI*, bool, bool, nsImageLoadingContent::ImageLoadType, nsIDocument*, unsigned int) (this=this@entry=0x7fffcf7dc388, aNewURI=0x7fffb10c5e40, aForce=aForce@entry=true, aNotify=aNotify@entry=true, aImageLoadType=aImageLoadType@entry=nsImageLoadingContent::eImageLoadType_Normal, aDocument=aDocument@entry=0x7fff419b6800, aLoadFlags=0) at /home/hub/source/mozilla/src/dom/base/nsImageLoadingContent.cpp:934
#16 0x00007ffff443c43b in nsImageLoadingContent::LoadImage(nsAString_internal const&, bool, bool, nsImageLoadingContent::ImageLoadType) (this=this@entry=0x7fffcf7dc388, aNewURI=..., aForce=aForce@entry=true, aNotify=aNotify@entry=true, aImageLoadType=aImageLoadType@entry=nsImageLoadingContent::eImageLoadType_Normal)
    at /home/hub/source/mozilla/src/dom/base/nsImageLoadingContent.cpp:839
#17 0x00007ffff4a63822 in mozilla::dom::HTMLImageElement::SetAttr(int, nsIAtom*, nsIAtom*, nsAString_internal const&, bool) (this=
    0x7fffcf7dc300, aNameSpaceID=0, aName=0x7fffea0ba2c0, aPrefix=0x0, aValue=..., aNotify=<optimized out>) at /home/hub/source/mozilla/src/dom/html/HTMLImageElement.cpp:551
---Type <return> to continue, or q <return> to quit---
#18 0x00007ffff46c0258 in mozilla::dom::Element::SetAttr(nsIAtom*, nsAString_internal const&, mozilla::ErrorResult&) (aNotify=true, aValue=..., aName=<optimized out>, aNameSpaceID=0, this=this@entry=0x7fffcf7dc300) at ../../dist/include/mozilla/dom/Element.h:455
#19 0x00007ffff46c0258 in mozilla::dom::Element::SetAttr(nsIAtom*, nsAString_internal const&, mozilla::ErrorResult&) (this=this@entry=0x7fffcf7dc300, aAttr=<optimized out>, aValue=..., aError=...) at ../../dist/include/mozilla/dom/Element.h:1043
#20 0x00007ffff46d7a31 in mozilla::dom::HTMLImageElementBinding::set_src(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLImageElement*, JSJitSetterCallArgs) (aError=..., aValue=..., aName=<optimized out>, this=0x7fffcf7dc300) at /home/hub/source/mozilla/src/dom/html/nsGenericHTMLElement.h:1016
#21 0x00007ffff46d7a31 in mozilla::dom::HTMLImageElementBinding::set_src(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLImageElement*, JSJitSetterCallArgs) (aError=..., aSrc=..., this=0x7fffcf7dc300) at ../../dist/include/mozilla/dom/HTMLImageElement.h:147
#22 0x00007ffff46d7a31 in mozilla::dom::HTMLImageElementBinding::set_src(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLImageElement*, JSJitSetterCallArgs) (cx=0x7fff180b1620, obj=..., self=0x7fffcf7dc300, args=...) at /home/hub/source/mozilla/src/obj-x86_64-unknown-linux-gnu/dom/bindings/HTMLImageElementBinding.cpp:165
#23 0x00007ffff499ec61 in mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*) (cx=cx@entry=0x7fff180b1620, argc=<optimized out>, vp=<optimized out>)
    at /home/hub/source/mozilla/src/dom/bindings/BindingUtils.cpp:2451
#24 0x00007ffff5ad74c8 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (args=..., native=0x7ffff499eb2e <mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*)>, cx=0x7fff180b1620) at /home/hub/source/mozilla/src/js/src/jscntxtinlines.h:227
#25 0x00007ffff5ad74c8 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (cx=cx@entry=0x7fff180b1620, args=..., construct=construct@entry=js::NO_CONSTRUCT)
    at /home/hub/source/mozilla/src/js/src/vm/Interpreter.cpp:498
#26 0x00007ffff5ad7f2a in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (cx=cx@entry=0x7fff180b1620, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffff8500, rval=..., rval@entry=...) at /home/hub/source/mozilla/src/js/src/vm/Interpreter.cpp:554
#27 0x00007ffff5ad80be in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) (cx=cx@entry=0x7fff180b1620, obj=<optimized out>, fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffff8500, rval=rval@entry=...) at /home/hub/source/mozilla/src/js/src/vm/Interpreter.cpp:627
#28 0x00007ffff5aeead2 in js::Shape::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, bool, JS::MutableHandle<JS::Value>) (this=<optimized out>, cx=cx@entry=0x7fff180b1620, obj=..., obj@entry=..., receiver=..., receiver@entry=..., strict=strict@entry=false, vp=vp@entry=...) at /home/hub/source/mozilla/src/js/src/vm/Shape-inl.h:66
#29 0x00007ffff5ada892 in js::baseops::SetPropertyHelper(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, js::baseops::QualifiedBool, JS::MutableHandle<JS::Value>, bool) (strict=false, vp=..., shape=..., pobj=..., id=..., receiver=..., obj=..., cx=0x7fff180b1620) at /home/hub/source/mozilla/src/js/src/vm/NativeObject.cpp:2088
#30 0x00007ffff5ada892 in js::baseops::SetPropertyHelper(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, js::baseops::QualifiedBool, JS::MutableHandle<JS::Value>, bool) (cx=0x7fff180b1620, obj=..., obj@entry=..., receiver=..., receiver@entry=..., id=..., qualified=qualified@entry=js::baseops::Qualified, vp=..., strict=false)
    at /home/hub/source/mozilla/src/js/src/vm/NativeObject.cpp:2128
#31 0x00007ffff5adb028 in SetObjectProperty(JSContext*, JSOp, JS::HandleValue, JS::HandleId, JS::MutableHandleValue) (cx=<optimized out>, op=<optimized out>, lval=..., id=..., rref=...)
    at /home/hub/source/mozilla/src/js/src/vm/Interpreter.cpp:316
#32 0x00007ffff5acd42e in Interpret(JSContext*, js::RunState&) (rval=..., id=..., lval=..., op=<optimized out>, cx=<optimized out>)
    at /home/hub/source/mozilla/src/js/src/vm/Interpreter.cpp:352
#33 0x00007ffff5acd42e in Interpret(JSContext*, js::RunState&) (cx=0x7fff180b1620, state=...) at /home/hub/source/mozilla/src/js/src/vm/Interpreter.cpp:2423
#34 0x00007ffff5ad7120 in js::RunScript(JSContext*, js::RunState&) (cx=cx@entry=0x7fff180b1620, state=...) at /home/hub/source/mozilla/src/js/src/vm/Interpreter.cpp:448
#35 0x00007ffff5ad73a1 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (cx=cx@entry=0x7fff180b1620, args=..., construct=construct@entry=js::NO_CONSTRUCT)
    at /home/hub/source/mozilla/src/js/src/vm/Interpreter.cpp:517
#36 0x00007ffff59c77c1 in js_fun_apply(JSContext*, unsigned int, JS::Value*) (cx=cx@entry=0x7fff180b1620, argc=<optimized out>, vp=0x7fffe822a560)
    at /home/hub/source/mozilla/src/js/src/jsfun.cpp:1335
#37 0x00007ffff5ad74c8 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (args=..., native=0x7ffff59c7420 <js_fun_apply(JSContext*, unsigned int, JS::Value*)>, cx=0x7fff180b1620)
    at /home/hub/source/mozilla/src/js/src/jscntxtinlines.h:227
#38 0x00007ffff5ad74c8 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (cx=0x7fff180b1620, args=..., construct=<optimized out>)
    at /home/hub/source/mozilla/src/js/src/vm/Interpreter.cpp:498
#39 0x00007ffff5ace730 in Interpret(JSContext*, js::RunState&) (cx=0x7fff180b1620, state=...) at /home/hub/source/mozilla/src/js/src/vm/Interpreter.cpp:2556
#40 0x00007ffff5ad7120 in js::RunScript(JSContext*, js::RunState&) (cx=cx@entry=0x7fff180b1620, state=...) at /home/hub/source/mozilla/src/js/src/vm/Interpreter.cpp:448
#41 0x00007ffff5ad73a1 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (cx=cx@entry=0x7fff180b1620, args=..., construct=construct@entry=js::NO_CONSTRUCT)
---Type <return> to continue, or q <return> to quit---
    at /home/hub/source/mozilla/src/js/src/vm/Interpreter.cpp:517
#42 0x00007ffff5ad7f2a in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (cx=cx@entry=0x7fff180b1620, thisv=..., fval=..., argc=<optimized out>, argv=<optimized out>, rval=...) at /home/hub/source/mozilla/src/js/src/vm/Interpreter.cpp:554
#43 0x00007ffff59c5afb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) (cx=cx@entry=0x7fff180b1620, thisv=..., 
    thisv@entry=..., fval=..., fval@entry=..., args=..., rval=..., rval@entry=...) at /home/hub/source/mozilla/src/js/src/jsapi.cpp:4559
#44 0x00007ffff468aa73 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) (this=this@entry=0x7fff9cf7d3d0, cx=0x7fff180b1620, aThisVal=..., aThisVal@entry=..., event=..., aRv=...) at /home/hub/source/mozilla/src/obj-x86_64-unknown-linux-gnu/dom/bindings/EventListenerBinding.cpp:47
#45 0x00007ffff4a24c3d in mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, mozilla::dom::CallbackObject::ExceptionHandling) (this=0x7fff9cf7d3d0, thisObjPtr=@0x7fffffffa798: 0x7fff9b130500, event=..., aRv=..., aExceptionHandling=aExceptionHandling@entry=mozilla::dom::CallbackObject::eReportExceptions) at ../../dist/include/mozilla/dom/EventListenerBinding.h:54
#46 0x00007ffff4a20e3b in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) (this=this@entry=0x7fff9b1310d0, aListener=<optimized out>, aListener@entry=0x7fff9b1310f8, aDOMEvent=0x7fffb5abafb0, aCurrentTarget=aCurrentTarget@entry=0x7fff9b130500)
    at /home/hub/source/mozilla/src/dom/events/EventListenerManager.cpp:973
#47 0x00007ffff4a211fc in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) (this=0x7fff9b1310d0, aPresContext=<optimized out>, aEvent=0x7fff16cf1b70, aDOMEvent=0x7fffffffaa70, aCurrentTarget=0x7fff9b130500, aEventStatus=<optimized out>)
    at /home/hub/source/mozilla/src/dom/events/EventListenerManager.cpp:1124
#48 0x00007ffff4a21530 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) (aChain=..., aVisitor=..., aCallback=aCallback@entry=0x0, aCd=...) at /home/hub/source/mozilla/src/dom/events/EventDispatcher.cpp:299
#49 0x00007ffff4a21caf in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsCOMArray<mozilla::dom::EventTarget>*) (aTarget=aTarget@entry=0x7fff9b130500, aPresContext=aPresContext@entry=0x7fff42f03000, aEvent=0x7fff16cf1b70, aDOMEvent=<optimized out>, aEventStatus=<optimized out>, aCallback=<optimized out>, aTargets=0x0) at /home/hub/source/mozilla/src/dom/events/EventDispatcher.cpp:634
#50 0x00007ffff4a21f6e in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) (aTarget=aTarget@entry=0x7fff9b130500, aEvent=aEvent@entry=0x0, aDOMEvent=aDOMEvent@entry=0x7fffb5abafb0, aPresContext=0x7fff42f03000, aEventStatus=aEventStatus@entry=0x7fffffffab9c)
    at /home/hub/source/mozilla/src/dom/events/EventDispatcher.cpp:701
#51 0x00007ffff44e8c9b in nsINode::DispatchEvent(nsIDOMEvent*, bool*) (this=0x7fff9b130500, aEvent=0x7fffb5abafb0, aRetVal=0x7fffffffabff)
    at /home/hub/source/mozilla/src/dom/base/nsINode.cpp:1272
#52 0x00007ffff44da3c0 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&, mozilla::ErrorResult&) (this=this@entry=0x7fff9b130500, aEvent=..., aRv=...)
    at /home/hub/source/mozilla/src/dom/base/nsINode.cpp:2722
#53 0x00007ffff465e395 in mozilla::dom::EventTargetBinding::dispatchEvent(JSContext*, JS::Handle<JSObject*>, mozilla::dom::EventTarget*, JSJitMethodCallArgs const&) (cx=0x7fff180b1620, obj=..., self=0x7fff9b130500, args=...) at /home/hub/source/mozilla/src/obj-x86_64-unknown-linux-gnu/dom/bindings/EventTargetBinding.cpp:164
#54 0x00007ffff4684207 in mozilla::dom::EventTargetBinding::genericMethod(JSContext*, unsigned int, JS::Value*) (cx=cx@entry=0x7fff180b1620, argc=<optimized out>, vp=<optimized out>)
    at /home/hub/source/mozilla/src/obj-x86_64-unknown-linux-gnu/dom/bindings/EventTargetBinding.cpp:342
#55 0x00007ffff5ad74c8 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (args=..., native=0x7ffff4684006 <mozilla::dom::EventTargetBinding::genericMethod(JSContext*, unsigned int, JS::Value*)>, cx=0x7fff180b1620) at /home/hub/source/mozilla/src/js/src/jscntxtinlines.h:227
#56 0x00007ffff5ad74c8 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (cx=0x7fff180b1620, args=..., construct=<optimized out>)
    at /home/hub/source/mozilla/src/js/src/vm/Interpreter.cpp:498
#57 0x00007ffff5ace730 in Interpret(JSContext*, js::RunState&) (cx=0x7fff180b1620, state=...) at /home/hub/source/mozilla/src/js/src/vm/Interpreter.cpp:2556
#58 0x00007ffff5ad7120 in js::RunScript(JSContext*, js::RunState&) (cx=cx@entry=0x7fff180b1620, state=...) at /home/hub/source/mozilla/src/js/src/vm/Interpreter.cpp:448
#59 0x00007ffff5ae104f in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) (cx=cx@entry=0x7fff180b1620, script=script@entry=..., scopeChainArg=..., thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=..., evalInFrame@entry=..., result=0x0)
    at /home/hub/source/mozilla/src/js/src/vm/Interpreter.cpp:657
#60 0x00007ffff5ae1498 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (cx=cx@entry=0x7fff180b1620, script=script@entry=..., scopeChainArg=..., rval=0x0)
    at /home/hub/source/mozilla/src/js/src/vm/Interpreter.cpp:694
#61 0x00007ffff59c54cc in Evaluate(JSContext*, JS::HandleObject, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandleValue) (cx=cx@entry=0x7fff180b1620, obj=obj@entry=..., optionsArg=..., srcBuf=..., rval=rval@entry=...) at /home/hub/source/mozilla/src/js/src/jsapi.cpp:4404
#62 0x00007ffff59d28d9 in JS::Evaluate(JSContext*, JS::AutoObjectVector&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) (rval=..., srcBuf=..., optionsArg=..., scopeChain=..., cx=cx@entry=0x7fff180b1620) at /home/hub/source/mozilla/src/js/src/jsapi.cpp:4430
#63 0x00007ffff59d28d9 in JS::Evaluate(JSContext*, JS::AutoObjectVector&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) (cx=cx@entry=0x7fff180b1620, scopeChain=..., optionsArg=..., srcBuf=..., rval=rval@entry=...) at /home/hub/source/mozilla/src/js/src/jsapi.cpp:4485
#64 0x00007ffff44eab99 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) (aCx=aCx@entry=0x7fff180b1620, aSrcBuf=..., aEvaluationGlobal=..., 
    aEvaluationGlobal@entry=..., aCompileOptions=..., aEvaluateOptions=..., aRetValue=aRetValue@entry=..., aOffThreadToken=0x0) at /home/hub/source/mozilla/src/dom/base/nsJSUtils.cpp:265
#65 0x00007ffff44eaf83 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) (aCx=0x7fff180b1620, aSrcBuf=..., aEvaluationGlobal=..., aEvaluationGlobal@entry=..., aCompileOptions=..., aOffThreadToken=aOffThreadToken@entry=0x0) at /home/hub/source/mozilla/src/dom/base/nsJSUtils.cpp:338
#66 0x00007ffff450a051 in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, JS::SourceBufferHolder&, void**) (this=0x7fff0a6f9a50, aRequest=0x7fffb0fea710, aSrcBuf=..., aOffThreadToken=0x0)
    at /home/hub/source/mozilla/src/dom/base/nsScriptLoader.cpp:1145
#67 0x00007ffff450ac5a in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*, void**) (this=this@entry=0x7fff0a6f9a50, aRequest=0x7fffb0fea710, aOffThreadToken=aOffThreadToken@entry=0x0)
    at /home/hub/source/mozilla/src/dom/base/nsScriptLoader.cpp:974
#68 0x00007ffff45153e3 in nsScriptLoader::ProcessPendingRequests() (this=this@entry=0x7fff0a6f9a50) at /home/hub/source/mozilla/src/dom/base/nsScriptLoader.cpp:1189
#69 0x00007ffff451560c in nsScriptLoader::OnStreamComplete(nsIStreamLoader*, nsISupports*, tag_nsresult, unsigned int, unsigned char const*) (this=0x7fff0a6f9a50, aLoader=<optimized out>, aContext=<optimized out>, aStatus=<optimized out>, aStringLen=<optimized out>, aString=<optimized out>) at /home/hub/source/mozilla/src/dom/base/nsScriptLoader.cpp:1449
#70 0x00007ffff3df968e in nsStreamLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) (this=0x7fffae895d80, request=<optimized out>, ctxt=<optimized out>, aStatus=tag_nsresult::NS_OK) at /home/hub/source/mozilla/src/netwerk/base/src/nsStreamLoader.cpp:99
#71 0x00007ffff3defe6c in nsStreamListenerTee::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) (this=0x7fff3e49a8c0, request=0x7fffa6fd9050, context=0x7fffb0fea710, status=tag_nsresult::NS_OK) at /home/hub/source/mozilla/src/netwerk/base/src/nsStreamListenerTee.cpp:53
#72 0x00007ffff3eb8aa2 in mozilla::net::nsHttpChannel::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) (this=0x7fffa6fd9000, request=<optimized out>, ctxt=<optimized out>, status=tag_nsresult::NS_OK) at /home/hub/source/mozilla/src/netwerk/protocol/http/nsHttpChannel.cpp:5566
#73 0x00007ffff3dd7490 in nsInputStreamPump::OnStateStop() (this=0x7fff9b130e90) at /home/hub/source/mozilla/src/netwerk/base/src/nsInputStreamPump.cpp:721
#74 0x00007ffff3dd75b0 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) (this=0x7fff9b130e90, stream=<optimized out>)
    at /home/hub/source/mozilla/src/netwerk/base/src/nsInputStreamPump.cpp:440
#75 0x00007ffff3d74fa3 in nsInputStreamReadyEvent::Run() (this=0x7fff9cf7d400) at /home/hub/source/mozilla/src/xpcom/io/nsStreamUtils.cpp:88
#76 0x00007ffff3d80627 in nsThread::ProcessNextEvent(bool, bool*) (this=0x7fffebf0aa00, aMayWait=<optimized out>, aResult=0x7fffffffc66f)
    at /home/hub/source/mozilla/src/xpcom/threads/nsThread.cpp:855
#77 0x00007ffff3d95bb9 in NS_ProcessNextEvent(nsIThread*, bool) (aThread=<optimized out>, aMayWait=<optimized out>) at /home/hub/source/mozilla/src/xpcom/glue/nsThreadUtils.cpp:265
#78 0x00007ffff3f79f39 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (this=0x7fffebfe5f80, aDelegate=0x7ffff7d563a0)
    at /home/hub/source/mozilla/src/ipc/glue/MessagePump.cpp:99
#79 0x00007ffff3f6524c in MessageLoop::Run() (this=0x7ffff7d563a0) at /home/hub/source/mozilla/src/ipc/chromium/src/base/message_loop.cc:226
#80 0x00007ffff3f6524c in MessageLoop::Run() (this=0x7ffff7d563a0) at /home/hub/source/mozilla/src/ipc/chromium/src/base/message_loop.cc:200
#81 0x00007ffff4d6f34a in nsBaseAppShell::Run() (this=0x7fffebf74c10) at /home/hub/source/mozilla/src/widget/nsBaseAppShell.cpp:164
#82 0x00007ffff52c6a64 in nsAppStartup::Run() (this=0x7fffe7013100) at /home/hub/source/mozilla/src/toolkit/components/startup/nsAppStartup.cpp:281
#83 0x00007ffff52fa1ad in XREMain::XRE_mainRun() (this=this@entry=0x7fffffffc910) at /home/hub/source/mozilla/src/toolkit/xre/nsAppRunner.cpp:4141
#84 0x00007ffff52fa451 in XREMain::XRE_main(int, char**, nsXREAppData const*) (this=this@entry=0x7fffffffc910, argc=argc@entry=1, argv=argv@entry=0x7fffffffde18, aAppData=aAppData@entry=0x7fffffffcb10) at /home/hub/source/mozilla/src/toolkit/xre/nsAppRunner.cpp:4217
#85 0x00007ffff52fa6b2 in XRE_main(int, char**, nsXREAppData const*, uint32_t) (argc=1, argv=0x7fffffffde18, aAppData=0x7fffffffcb10, aFlags=<optimized out>)
    at /home/hub/source/mozilla/src/toolkit/xre/nsAppRunner.cpp:4437
#86 0x0000000000404425 in do_main(int, char**, nsIFile*) (argc=argc@entry=1, argv=argv@entry=0x7fffffffde18, xreDirectory=0x7ffff7d4d900)
    at /home/hub/source/mozilla/src/browser/app/nsBrowserApp.cpp:292
#87 0x0000000000403d09 in main(int, char**) (argc=1, argv=0x7fffffffde18) at /home/hub/source/mozilla/src/browser/app/nsBrowserApp.cpp:661
(gdb) 


tip is revision 0af503927b54

Linux, X86_64, Fedora 21.

Comment 1

[Hubert Figuiere [:hub]]

Can't really give STR. I was just browsing (this is my main browser). Firefox didn't crash on reload of the session with said page reloading.

Comment 2

[Gian-Carlo Pascutto [:gcp]]

I think this is a regression from https://hg.mozilla.org/integration/mozilla-inbound/rev/671ad56e6e12

My theory would be that before, updates could never race with lookups because they're on the same worker thread. But that patch added lookups from the main thread. A lookup from the main thread happening at the same time as an update is possible and would produce this crash.

Compare to bug 1050108.

Is there some way to get bug 1100024 without having to add locks to every lookup?

Comment 3

[Dirkjan Ochtman (:djc)]

I just saw this with a releng-built Nightly, while restarting for an update.

Comment 4

[[:mmc] Monica Chew (no longer reading bugmail)]

(In reply to Gian-Carlo Pascutto [:gcp] from comment #2)
> I think this is a regression from
> https://hg.mozilla.org/integration/mozilla-inbound/rev/671ad56e6e12
> 
> My theory would be that before, updates could never race with lookups
> because they're on the same worker thread. But that patch added lookups from
> the main thread. A lookup from the main thread happening at the same time as
> an update is possible and would produce this crash.
> 
> Compare to bug 1050108.
> 
> Is there some way to get bug 1100024 without having to add locks to every
> lookup?

Yes -- move everything to the worker thread :( :( :(

Comment 5

[[:mmc] Monica Chew (no longer reading bugmail)]

Fixed by backout in https://hg.mozilla.org/integration/mozilla-inbound/rev/fbe8067063a0

Comment 6

[alex_mayorga]

FWIW from Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0 ID:20150112030201 CSet: 643589c3ef94

Report ID 	Date Submitted
bp-46103720-c4e4-4ebb-b996-d39472150112	1/12/2015	1:08 PM

Comment 7

[Jim Mathies [:jimm]]

Just got this today logging into a mopad - 

https://crash-stats.mozilla.com/report/index/4f45f367-1be7-4b06-92d0-4b4a32150112

Happened when I clicked the sign-in button in the https://login.persona.org/sign_in popup. I wasn't able to reproduce again.

Comment 8

[Kevin Brosnan [Ex-Mozilla]]

[Tracking Requested - why for this release]: common crash, will need uplift to aurora 37.

Comment 9

[[:mmc] Monica Chew (no longer reading bugmail)]

Because of the late merge, this is fixed in Aurora 37 in https://hg.mozilla.org/releases/mozilla-aurora/rev/fbe8067063a0

Comment 10

[Lawrence Mandel [:lmandel] (use needinfo)]

Clearing tracking requests.