crash in unsigned char* nsTArray_Impl<unsigned char, nsTArrayInfallibleAllocator>::AppendElements<unsigned char>(unsigned char const*, unsigned int)

Status: NEW
Product: Firefox OS
Component: NFC
Priority: --
Severity: critical
Reported: 3 years ago
Updated: 2 years ago
Reporter: nhirata
Assignee: Unassigned
Keywords: crash
Firefox Tracking Flags: Not tracked

This bug was filed from the Socorro interface and is 
report bp-8d38eef3-a3fb-4c30-b98f-405c92150110.
=============================================================
 0   libc.so     libc.so@0x2223e
 1   libxul.so   unsigned char* nsTArray_Impl<unsigned char, nsTArrayInfallibleAllocator>::AppendElements<unsigned char>(unsigned char const*, unsigned int)   /builds/slave/b2g_m-cen_flm-kk_ntly-00000000/build/objdir-gecko/dist/include/nsTArray.h:525
 2   libxul.so   mozilla::NfcMessageHandler::TechDiscoveredNotification(android::Parcel const&, mozilla::EventOptions&)   dom/nfc/gonk/NfcMessageHandler.cpp
 3   libxul.so   mozilla::NfcEventRunnable::Run()   dom/nfc/gonk/NfcService.cpp
 4   libxul.so   nsThread::ProcessNextEvent(bool, bool*)   xpcom/threads/nsThread.cpp
 5   libxul.so   NS_ProcessNextEvent(nsIThread*, bool)   xpcom/glue/nsThreadUtils.cpp
 6   libxul.so   mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*)   ipc/glue/MessagePump.cpp
 7   libxul.so   MessageLoop::RunInternal()   ipc/chromium/src/base/message_loop.cc
 8   libxul.so   MessageLoop::Run()   ipc/chromium/src/base/message_loop.cc
 9   libxul.so   nsThread::ThreadFunc(void*)   xpcom/threads/nsThread.cpp
10   libnss3.so  _pt_root   nsprpub/pr/src/pthreads/ptthread.c
11   libc.so     libc.so@0xd22a   (not part of signature)
12   libc.so     libc.so@0xd3c2   (not part of signature)


More crashes:
https://crash-stats.mozilla.com/signature/?product=B2G&android_device=flame&date=%3E%3D2015-01-01+00%3A00%3A00&signature=unsigned+char*+nsTArray_Impl%3Cunsigned+char%2C+nsTArrayInfallibleAllocator%3E%3A%3AAppendElements%3Cunsigned+char%3E%28unsigned+char+const*%2C+unsigned+int%29&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&page=1

Looks like NFC crashes.
STR:
1. enable NFC on a flame-kk
2. enable NFC on a nexus-5 running android
3. touch the backs of the phones together
Here's TechDiscoveredNotification:

bool
NfcMessageHandler::TechDiscoveredNotification(const Parcel& aParcel, EventOptions& aOptions)
{
  aOptions.mSessionId = aParcel.readInt32();
  aOptions.mIsP2P = aParcel.readInt32();

  int32_t techCount = aParcel.readInt32();
  aOptions.mTechList.AppendElements(
    static_cast<const uint8_t*>(aParcel.readInplace(techCount)), techCount);

  int32_t idCount = aParcel.readInt32();
  aOptions.mTagId.AppendElements(
    static_cast<const uint8_t*>(aParcel.readInplace(idCount)), idCount);

...

Parcel::readInplace can return a null pointer. We need to check for this before calling AppendElements.

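The following is an added example, not Gecko's code and not part of the bug report. It shows the null check the report asks for, written against a constructed FakeParcel stand-in rather than the real android::Parcel. The stand-in keeps the real readInplace contract (a pointer into the buffer on success, nullptr when the padded request does not fit, which also covers a negative int32 count that becomes a huge size_t). EventOptions, ReadByteArray, TechDiscoveredNotificationChecked and the message builders are hypothetical names; the message layout assumed is only the four reads visible in the excerpt above (sessionId, isP2P, techList, tagId).

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <utility>
#include <vector>

// Constructed stand-in for android::Parcel (not the real class): a flat byte
// buffer with a read cursor. readInplace() keeps the real contract: a pointer
// into the buffer on success, nullptr when the 4-byte-padded request does not fit.
class FakeParcel {
public:
  explicit FakeParcel(std::vector<uint8_t> data) : mData(std::move(data)) {}

  int32_t readInt32() {
    if (mPos + 4 > mData.size()) { mPos = mData.size(); return 0; }  // short read -> 0
    int32_t v;
    memcpy(&v, mData.data() + mPos, sizeof v);
    mPos += 4;
    return v;
  }

  const void* readInplace(size_t len) {
    size_t padded = (len + 3) & ~static_cast<size_t>(3);  // pad to 4 bytes
    if (padded < len) return nullptr;                      // padding overflowed
    if (mPos + padded < mPos) return nullptr;              // cursor overflowed
    if (mPos + padded > mData.size()) return nullptr;      // past end of data
    const void* p = mData.data() + mPos;
    mPos += padded;
    return p;
  }

private:
  std::vector<uint8_t> mData;
  size_t mPos = 0;
};

// Hypothetical stand-in for mozilla::EventOptions, holding only the fields
// the excerpt above touches.
struct EventOptions {
  int32_t mSessionId = 0;
  int32_t mIsP2P = 0;
  std::vector<uint8_t> mTechList;
  std::vector<uint8_t> mTagId;
};

// Reads one length-prefixed byte array safely: reject a negative count and
// treat a null readInplace() result as a malformed message instead of
// handing nullptr to the array copy (the crash in the report).
static bool ReadByteArray(FakeParcel& aParcel, std::vector<uint8_t>& aOut) {
  int32_t count = aParcel.readInt32();
  if (count < 0) return false;
  const uint8_t* p = static_cast<const uint8_t*>(aParcel.readInplace(count));
  if (!p) return false;
  aOut.assign(p, p + count);
  return true;
}

// Hardened version of the handler prologue; returns false on malformed input.
bool TechDiscoveredNotificationChecked(FakeParcel& aParcel, EventOptions& aOptions) {
  aOptions.mSessionId = aParcel.readInt32();
  aOptions.mIsP2P = aParcel.readInt32();
  if (!ReadByteArray(aParcel, aOptions.mTechList)) return false;
  if (!ReadByteArray(aParcel, aOptions.mTagId)) return false;
  return true;
}

// Builders for constructed test parcels (host byte order, like the reader).
static void PutInt32(std::vector<uint8_t>& buf, int32_t v) {
  uint8_t b[4];
  memcpy(b, &v, sizeof b);
  buf.insert(buf.end(), b, b + 4);
}
static void PutBytes(std::vector<uint8_t>& buf, const std::vector<uint8_t>& bytes) {
  PutInt32(buf, static_cast<int32_t>(bytes.size()));
  buf.insert(buf.end(), bytes.begin(), bytes.end());
  while (buf.size() % 4) buf.push_back(0);  // pad like Parcel::writeInplace
}

// Well-formed: sessionId=7, isP2P=0, techList={1,2,3}, tagId={AA,BB,CC,DD}.
std::vector<uint8_t> GoodParcel() {
  std::vector<uint8_t> buf;
  PutInt32(buf, 7);
  PutInt32(buf, 0);
  PutBytes(buf, {1, 2, 3});
  PutBytes(buf, {0xAA, 0xBB, 0xCC, 0xDD});
  return buf;
}

// Malformed: techCount claims 1000 bytes but only 4 bytes follow.
std::vector<uint8_t> TruncatedParcel() {
  std::vector<uint8_t> buf;
  PutInt32(buf, 7);
  PutInt32(buf, 0);
  PutInt32(buf, 1000);
  PutInt32(buf, 0);
  return buf;
}

// Malformed: negative techCount, which the unchecked code would pass to
// readInplace() as a size_t of ~2^64 and then to AppendElements().
std::vector<uint8_t> NegativeCountParcel() {
  std::vector<uint8_t> buf;
  PutInt32(buf, 7);
  PutInt32(buf, 0);
  PutInt32(buf, -1);
  return buf;
}
```

The two malformed parcels are the cases a peer device or a buggy NFC daemon can produce over the socket; both are rejected before any copy happens, whereas the excerpt above would copy from a null pointer.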
Updated 2 years ago
Crash Signature: [@ unsigned char* nsTArray_Impl<unsigned char, nsTArrayInfallibleAllocator>::AppendElements<unsigned char>(unsigned char const*, unsigned int)] → [@ unsigned char* nsTArray_Impl<unsigned char, nsTArrayInfallibleAllocator>::AppendElements<unsigned char>(unsigned char const*, unsigned int)] [@ unsigned char* nsTArray_Impl<T>::AppendElements<T>]