Closed Bug 1128219 Opened 5 years ago Closed 5 years ago

uBlock add-on crash in mozilla::net::HttpBaseChannel::DoNotifyListener()

Categories

(Core :: Networking: HTTP, defect, critical)

All
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla38
Tracking Status
firefox37 --- unaffected
firefox38 + fixed

People

(Reporter: cpeterson, Assigned: mayhemer)

Details

(Keywords: crash, regression, reproducible)

Attachments

(1 file, 1 obsolete file)

This bug was filed from the Socorro interface and is report bp-391e4e4d-8c0e-4144-9fe3-c15e02150201.
=============================================================

Frame 	Module 	Signature 	Source
0 	XUL 	mozilla::net::HttpBaseChannel::DoNotifyListener() 	netwerk/protocol/http/HttpBaseChannel.cpp
1 	XUL 	mozilla::net::nsHttpChannel::HandleAsyncAbort() 	netwerk/protocol/http/HttpBaseChannel.h
2 	XUL 	nsRunnableMethodImpl<void (mozilla::net::nsHttpChannel::*)(), void, true>::Run() 	obj-firefox/x86_64/dist/include/nsThreadUtils.h
3 	XUL 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
4 	XUL 	NS_ProcessNextEvent(nsIThread*, bool) 	xpcom/glue/nsThreadUtils.cpp
5 	XUL 	nsXMLHttpRequest::Send(nsIVariant*, mozilla::dom::Nullable<nsXMLHttpRequest::RequestBody> const&) 	dom/base/nsXMLHttpRequest.cpp
6 	XUL 	mozilla::dom::XMLHttpRequestBinding::send 	dom/base/nsXMLHttpRequest.h
7 	XUL 	mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) 	dom/bindings/BindingUtils.cpp
8 	XUL 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/jscntxtinlines.h
9 	XUL 	js_fun_apply(JSContext*, unsigned int, JS::Value*) 	js/src/jsfun.cpp
10 	XUL 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/jscntxtinlines.h
11 	XUL 	js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
12 	XUL 	js::jit::DoCallFallback 	js/src/jit/BaselineIC.cpp
13 		@0x1007e040f 	
14 		@0x113c4578f 	
15 		@0x1007da7f0 	
16 	XUL 	EnterBaseline 	js/src/jit/BaselineJIT.cpp
17 	XUL 	js::jit::EnterBaselineMethod(JSContext*, js::RunState&) 	js/src/jit/BaselineJIT.cpp
18 	XUL 	Interpret 	js/src/vm/Interpreter.cpp
19 	XUL 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
20 	XUL 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
21 	XUL 	js_fun_apply(JSContext*, unsigned int, JS::Value*) 	js/src/jsfun.cpp
22 	XUL 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/jscntxtinlines.h
23 	XUL 	js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
24 	XUL 	js::jit::DoCallFallback 	js/src/jit/BaselineIC.cpp
25 		@0x1007e040f 	
26 		@0x113c4578f 	
27 		@0x1007da7f0 	
28 	XUL 	EnterBaseline 	js/src/jit/BaselineJIT.cpp
29 	XUL 	js::jit::EnterBaselineMethod(JSContext*, js::RunState&) 	js/src/jit/BaselineJIT.cpp
30 	XUL 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
31 	XUL 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
32 	XUL 	js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
33 	XUL 	JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) 	js/src/jsapi.cpp
34 	XUL 	mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) 	obj-firefox/x86_64/dom/bindings/EventHandlerBinding.cpp
35 	XUL 	void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) 	obj-firefox/x86_64/dist/include/mozilla/dom/EventHandlerBinding.h
36 	XUL 	mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) 	dom/events/JSEventHandler.cpp
37 	XUL 	mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) 	dom/events/EventListenerManager.cpp
38 	XUL 	mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) 	dom/events/EventListenerManager.cpp
39 	XUL 	mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) 	dom/events/EventDispatcher.cpp
40 	XUL 	mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsCOMArray<mozilla::dom::EventTarget>*) 	dom/events/EventDispatcher.cpp
41 	XUL 	mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) 	dom/events/EventDispatcher.cpp
42 	XUL 	nsXMLHttpRequest::ChangeState(unsigned int, bool) 	dom/base/nsXMLHttpRequest.h
43 	XUL 	nsXMLHttpRequest::ChangeStateToDone() 	dom/base/nsXMLHttpRequest.cpp
44 	XUL 	nsXMLHttpRequest::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) 	dom/base/nsXMLHttpRequest.cpp
45 	XUL 	nsCORSListenerProxy::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) 	dom/security/nsCORSListenerProxy.cpp
46 	XUL 	nsCORSPreflightListener::OnStartRequest(nsIRequest*, nsISupports*) 	dom/security/nsCORSListenerProxy.cpp
47 	XUL 	nsCORSListenerProxy::OnStartRequest(nsIRequest*, nsISupports*) 	dom/security/nsCORSListenerProxy.cpp
48 	XUL 	mozilla::net::HttpBaseChannel::DoNotifyListener() 	netwerk/protocol/http/HttpBaseChannel.cpp
49 	XUL 	mozilla::net::nsHttpChannel::HandleAsyncAbort() 	netwerk/protocol/http/HttpBaseChannel.h
50 	XUL 	nsRunnableMethodImpl<void (mozilla::net::nsHttpChannel::*)(), void, true>::Run() 	obj-firefox/x86_64/dist/include/nsThreadUtils.h
51 	XUL 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
52 	XUL 	NS_ProcessNextEvent(nsIThread*, bool) 	xpcom/glue/nsThreadUtils.cpp
53 	XUL 	nsXMLHttpRequest::Send(nsIVariant*, mozilla::dom::Nullable<nsXMLHttpRequest::RequestBody> const&) 	dom/base/nsXMLHttpRequest.cpp
54 	XUL 	mozilla::dom::XMLHttpRequestBinding::send 	dom/base/nsXMLHttpRequest.h
55 	XUL 	mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) 	dom/bindings/BindingUtils.cpp
56 	XUL 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/jscntxtinlines.h
57 	XUL 	js_fun_apply(JSContext*, unsigned int, JS::Value*) 	js/src/jsfun.cpp
58 	XUL 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/jscntxtinlines.h
59 	XUL 	js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
60 	XUL 	js::jit::DoCallFallback 	js/src/jit/BaselineIC.cpp
61 		@0x1007e040f 	
62 		@0x113c4578f 	
63 		@0x1007da7f0 	
64 	XUL 	EnterBaseline 	js/src/jit/BaselineJIT.cpp
65 	XUL 	js::jit::EnterBaselineMethod(JSContext*, js::RunState&) 	js/src/jit/BaselineJIT.cpp
66 	XUL 	Interpret 	js/src/vm/Interpreter.cpp
67 	XUL 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
68 	XUL 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
69 	XUL 	js_fun_apply(JSContext*, unsigned int, JS::Value*) 	js/src/jsfun.cpp
70 	XUL 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/jscntxtinlines.h
71 	XUL 	Interpret 	js/src/vm/Interpreter.cpp
72 	XUL 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
73 	XUL 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
74 	XUL 	js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
75 	XUL 	JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) 	js/src/jsapi.cpp
76 	XUL 	mozilla::dom::OnBeforeUnloadEventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, nsString&, mozilla::ErrorResult&) 	obj-firefox/x86_64/dom/bindings/EventHandlerBinding.cpp
77 	XUL 	void mozilla::dom::OnBeforeUnloadEventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, nsString&, mozilla::ErrorResult&, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) 	obj-firefox/x86_64/dist/include/mozilla/dom/EventHandlerBinding.h
78 	XUL 	mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) 	dom/events/JSEventHandler.cpp
79 	XUL 	mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) 	dom/events/EventListenerManager.cpp
80 	XUL 	mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) 	dom/events/EventListenerManager.cpp
81 	XUL 	mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) 	dom/events/EventDispatcher.cpp
82 	XUL 	mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsCOMArray<mozilla::dom::EventTarget>*) 	dom/events/EventDispatcher.cpp
83 	XUL 	mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) 	dom/events/EventDispatcher.cpp
84 	XUL 	nsDocumentViewer::PermitUnloadInternal(bool, bool*, bool*) 	layout/base/nsDocumentViewer.cpp
85 	XUL 	nsDocumentViewer::PermitUnload(bool, bool*) 	layout/base/nsDocumentViewer.cpp
86 	XUL 	NS_InvokeByIndex 	xpcom/reflect/xptcall/md/unix/xptcinvoke_x86_64_unix.cpp
87 	XUL 	XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) 	js/xpconnect/src/XPCWrappedNative.cpp
88 	XUL 	XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp
89 	XUL 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/jscntxtinlines.h
Ø 119 	AppKit 	AppKit@0x18b450 	
120 	XUL 	-[GeckoNSApplication sendEvent:] 	widget/cocoa/nsAppShell.mm
Ø 121 	AppKit 	AppKit@0x17607 	
122 	XUL 	nsAppShell::Run() 	widget/cocoa/nsAppShell.mm
123 	XUL 	nsAppStartup::Run() 	toolkit/components/startup/nsAppStartup.cpp
124 	XUL 	XREMain::XRE_mainRun() 	toolkit/xre/nsAppRunner.cpp
125 	XUL 	XREMain::XRE_main(int, char**, nsXREAppData const*) 	toolkit/xre/nsAppRunner.cpp
126 	XUL 	XRE_main 	toolkit/xre/nsAppRunner.cpp
127 	firefox 	main 	browser/app/nsBrowserApp.cpp
128 	firefox 	start
STR:
1. Install uBlock add-on:
https://github.com/gorhill/uBlock/releases/tag/0.8.6.0
https://github.com/gorhill/uBlock/releases/download/0.8.6.0/uBlock.firefox.xpi
2. Open http://www.sfgate.com
3. Close sfgate.com tab

RESULT:
Crash!
Summary: crash in mozilla::net::HttpBaseChannel::DoNotifyListener() → uBlock add-on crash in mozilla::net::HttpBaseChannel::DoNotifyListener()
I think this might be a regression in Nightly 2015-01-16. I tried to bisect this crash and hit a bunch of problems.

I hit this assertion failure in the Nightly 2015-01-16 debug build:

[479] ###!!! ABORT: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0', file ../../../dist/include/nsCOMPtr.h, line 698
#01: JS::CompileOptions::introductionScript() const[/Users/chris/Downloads/_FIREFOX/2015-01-16.app/Contents/MacOS/XUL +0x383b2a]
#02: JS::CompileOptions::introductionScript() const[/Users/chris/Downloads/_FIREFOX/2015-01-16.app/Contents/MacOS/XUL +0x38761f]
#03: XRE_AddJarManifestLocation[/Users/chris/Downloads/_FIREFOX/2015-01-16.app/Contents/MacOS/XUL +0xce1d6]
#04: nsXPTCStubBase::Stub249()[/Users/chris/Downloads/_FIREFOX/2015-01-16.app/Contents/MacOS/XUL +0xfbff3]
#05: js::BaseProxyHandler::finalizeInBackground(JS::Value) const[/Users/chris/Downloads/_FIREFOX/2015-01-16.app/Contents/MacOS/XUL +0xfddba0]
#06: js::BaseProxyHandler::finalizeInBackground(JS::Value) const[/Users/chris/Downloads/_FIREFOX/2015-01-16.app/Contents/MacOS/XUL +0x186f444]
#07: js::BaseProxyHandler::finalizeInBackground(JS::Value) const[/Users/chris/Downloads/_FIREFOX/2015-01-16.app/Contents/MacOS/XUL +0x17ed5a7]
#08: js::BaseProxyHandler::finalizeInBackground(JS::Value) const[/Users/chris/Downloads/_FIREFOX/2015-01-16.app/Contents/MacOS/XUL +0x18b3418]
#09: js::RegExpToSharedNonInline(JSContext*, JS::Handle<JSObject*>, js::RegExpGuard*)[/Users/chris/Downloads/_FIREFOX/2015-01-16.app/Contents/MacOS/XUL +0x3978d1a]
#10: js::AutoWaivePolicy::~AutoWaivePolicy()[/Users/chris/Downloads/_FIREFOX/2015-01-16.app/Contents/MacOS/XUL +0x393a216]
#11: js::ForwardToNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)[/Users/chris/Downloads/_FIREFOX/2015-01-16.app/Contents/MacOS/XUL +0x377dfe8]
#12: js::RegExpToSharedNonInline(JSContext*, JS::Handle<JSObject*>, js::RegExpGuard*)[/Users/chris/Downloads/_FIREFOX/2015-01-16.app/Contents/MacOS/XUL +0x3978d1a]
#13: js::AutoWaivePolicy::~AutoWaivePolicy()[/Users/chris/Downloads/_FIREFOX/2015-01-16.app/Contents/MacOS/XUL +0x393a216]
#14: js::ProtoKeyToClass(JSProtoKey)[/Users/chris/Downloads/_FIREFOX/2015-01-16.app/Contents/MacOS/XUL +0x395a011]
#15: JS::HeapCellRelocate(js::gc::Cell**)[/Users/chris/Downloads/_FIREFOX/2015-01-16.app/Contents/MacOS/XUL +0x34eb377]


Nightly 2015-01-17 and 2015-01-18 would hang my MacBook Pro, requiring a hard reboot.

I hit this assertion failure in the Nightly 2015-01-17 debug build:

JavaScript error: resource://gre/modules/RemoteAddonsChild.jsm, line 389: NS_ERROR_XPC_BAD_OP_ON_WN_PROTO: Illegal operation on WrappedNative prototype object
JavaScript error: resource://gre/modules/RemoteAddonsChild.jsm, line 389: NS_ERROR_XPC_BAD_OP_ON_WN_PROTO: Illegal operation on WrappedNative prototype object
JavaScript error: , line 0: Error: Permission denied to access property 'toString'
JavaScript error: , line 0: Error: Permission denied to access property 'message'
JavaScript error: , line 0: uncaught exception: unknown (can't convert to string)
Assertion failure: !JS_IsExceptionPending(cx), at /builds/slave/m-cen-osx64-st-an-d-0000000000/build/src/js/xpconnect/wrappers/XrayWrapper.cpp:891
#01: js::BaseProxyHandler::isScripted() const[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x8019eb]
#02: js::BaseProxyHandler::isScripted() const[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x807fa7]
#03: js::BaseProxyHandler::hasOwn(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, bool*) const[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x38ce4f7]
#04: js::BaseProxyHandler::isScripted() const[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x809009]
#05: js::AppendUnique(JSContext*, JS::AutoIdVector&, JS::AutoIdVector&)[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x38d8f48]
#06: js::proxy_LookupGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSObject*>, JS::MutableHandle<js::Shape*>)[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x38dad1c]
#07: JS_CopyPropertiesFrom(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>)[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x3838ee4]
#08: JS::isGCEnabled()[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x375bea6]
#09: js::BaseProxyHandler::isScripted() const[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x83be2f]
#10: js::BaseProxyHandler::has(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, bool*) const[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x38ce20a]
#11: js::BaseProxyHandler::isScripted() const[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x83c269]
#12: js::AppendUnique(JSContext*, JS::AutoIdVector&, JS::AutoIdVector&)[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x38d902f]
#13: js::proxy_LookupGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSObject*>, JS::MutableHandle<js::Shape*>)[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x38dad1c]
#14: JS_CopyPropertiesFrom(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>)[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x3838ee4]
#15: js::MemoryReportingSundriesThreshold()[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x3975483]
#16: js::RegExpToSharedNonInline(JSContext*, JS::Handle<JSObject*>, js::RegExpGuard*)[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x3990dc9]
#17: JS_CopyPropertiesFrom(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>)[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x3838f03]
#18: JS_CopyPropertiesFrom(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>)[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x3838ff5]
#19: js::ProtoKeyToClass(JSProtoKey)[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x395d5b0]
#20: js::ProtoKeyToClass(JSProtoKey)[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x39535bc]
#21: js::AutoWaivePolicy::~AutoWaivePolicy()[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x3945306]
#22: js::ProtoKeyToClass(JSProtoKey)[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x3965141]
#23: js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x38d382e]
#24: js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x38d34e7]
#25: js::BaseProxyHandler::isScripted() const[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x80a52d]
#26: js::BaseProxyHandler::isScripted() const[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x80a4b2]
#27: js::AppendUnique(JSContext*, JS::AutoIdVector&, JS::AutoIdVector&)[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x38d9e5d]
#28: js::proxy_Call(JSContext*, unsigned int, JS::Value*)[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x38dbdc0]
#29: js::RegExpToSharedNonInline(JSContext*, JS::Handle<JSObject*>, js::RegExpGuard*)[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x3983e1a]
#30: js::AutoWaivePolicy::~AutoWaivePolicy()[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x39452f6]
#31: js::ProtoKeyToClass(JSProtoKey)[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x395cc09]
#32: js::ProtoKeyToClass(JSProtoKey)[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x39535bc]
#33: js::AutoWaivePolicy::~AutoWaivePolicy()[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x3945306]
#34: js::ProtoKeyToClass(JSProtoKey)[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x3965141]
#35: js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x38d382e]
#36: js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x38d34e7]
#37: js::AppendUnique(JSContext*, JS::AutoIdVector&, JS::AutoIdVector&)[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x38d9e5d]
#38: js::proxy_Call(JSContext*, unsigned int, JS::Value*)[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x38dbdc0]
#39: js::RegExpToSharedNonInline(JSContext*, JS::Handle<JSObject*>, js::RegExpGuard*)[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x3983e1a]
#40: js::AutoWaivePolicy::~AutoWaivePolicy()[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x39452f6]
#41: js::ProtoKeyToClass(JSProtoKey)[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x3965141]
#42: JS::CompileOptions::CompileOptions(JSContext*, JSVersion)[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x3765944]
#43: js::BaseProxyHandler::finalizeInBackground(JS::Value) const[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0xf3a43d]
#44: mac_plugin_interposing_child_OnShowCursor[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x1fa2357]
#45: mac_plugin_interposing_child_OnShowCursor[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x1fa2450]
#46: JS::CompileOptions::introductionScript() const[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x5140c6]
#47: JS::CompileOptions::introductionScript() const[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x58a5a6]
#48: JS::CompileOptions::introductionScript() const[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x477ec2]
#49: JS::CompileOptions::introductionScript() const[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x476c3e]
#50: JS::CompileOptions::introductionScript() const[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x4717e2]
#51: JS::CompileOptions::introductionScript() const[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x452bf9]
#52: JS::CompileOptions::introductionScript() const[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x452f1a]
#53: JS::CompileOptions::introductionScript() const[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x47b1b5]
#54: XRE_AddJarManifestLocation[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0xcda56]
#55: nsXPTCStubBase::Stub249()[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0xfb873]
#56: XRE_AddJarManifestLocation[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0xcd21e]
#57: JSPrincipals::dump()[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0xc87589]
#58: JSPrincipals::dump()[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0xc8703d]
#59: XRE_AddJarManifestLocation[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0xcda56]
#60: nsXPTCStubBase::Stub249()[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0xfb77d]
#61: mac_plugin_interposing_child_OnShowCursor[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x21fa717]
#62: mac_plugin_interposing_child_OnShowCursor[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x224da5e]
#63: __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__[/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation +0x80681]
#64: __CFRunLoopDoSources0[/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation +0x7280d]
#65: __CFRunLoopRun[/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation +0x71e3f]
#66: CFRunLoopRunSpecific[/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation +0x71858]
#67: RunCurrentEventLoopInMode[/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox +0x2eaef]
#68: ReceiveNextEventCommon[/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox +0x2e86a]
#69: _BlockUntilNextEventMatchingListInModeWithFilter[/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox +0x2e6ab]
#70: _DPSNextEvent[/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit +0x23f81]
#71: -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:][/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit +0x23730]
#72: mac_plugin_interposing_child_OnShowCursor[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x224cf06]
#73: -[NSApplication run][/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit +0x17593]
#74: mac_plugin_interposing_child_OnShowCursor[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x224e1ab]
#75: XRE_RunAppShell[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x2d1ebb7]
#76: JS::CompileOptions::introductionScript() const[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x47b322]
#77: JS::CompileOptions::introductionScript() const[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x4523e0]
#78: JS::CompileOptions::introductionScript() const[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x4522e0]
#79: XRE_InitChildProcess[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/XUL +0x2d1e634]
#80: start[/Users/chris/Downloads/_FIREFOX/2015-01-17.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container +0x1ad8]
Monica: does this HttpBaseChannel crash look like a regression from bug 1100024? I bisected inbound builds to this pushlog:

https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=1db2020eae48&tochange=25d9ba8ceb7a
Blocks: 1100024
Flags: needinfo?(mmc)
Actually, the code should be rewritten as:

if (mListener) mListener->OnStart(..)
mIsPending = false;
if (mListener) mListener->OnStop()

Then we are 100% safe, if it somehow happens the listener is unset from the channel, as apparently is in this case.
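
The guard proposed in the comment above, as an added example in a toy model (not Gecko code and not the attached patch). ToyChannel, ToyListener, ReentrantListener and RunReentrantCase are hypothetical names, and the model assumes the nested notification visible in the crash stack ends up clearing the same channel's listener while the outer OnStart callback is still running.

```cpp
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Toy model, not Gecko code. ToyChannel, ToyListener and ReentrantListener
// are hypothetical names for the channel/listener pair discussed above.
struct ToyChannel;

struct ToyListener {
  virtual ~ToyListener() = default;
  virtual void OnStart(ToyChannel& ch) = 0;
  virtual void OnStop(ToyChannel& ch) = 0;
};

struct NotifyResult {
  int delivered = 0;                // callbacks actually invoked by this call
  bool listenerNullAtStop = false;  // mListener was null at the second check
};

struct ToyChannel {
  std::shared_ptr<ToyListener> mListener;
  bool mIsPending = true;
  std::vector<std::string> log;

  NotifyResult DoNotifyListener() {
    NotifyResult r;
    if (mListener) {
      // Local strong reference: the callback may clear mListener while it is
      // still executing (an addition of this example, not from the thread).
      std::shared_ptr<ToyListener> keep = mListener;
      keep->OnStart(*this);
      ++r.delivered;
    }
    mIsPending = false;
    // Second check: an unconditional mListener->OnStop() at this point is a
    // null dereference when OnStart re-entered and the listener was released.
    if (mListener) {
      std::shared_ptr<ToyListener> keep = mListener;
      keep->OnStop(*this);
      ++r.delivered;
    } else {
      r.listenerNullAtStop = true;
    }
    mListener.reset();  // notification finished: drop the listener
    return r;
  }
};

// Models the re-entrancy: the outer OnStart runs a nested notification
// (in the crash stack, via a nested event loop) before it returns.
struct ReentrantListener : ToyListener {
  bool nested = false;
  void OnStart(ToyChannel& ch) override {
    ch.log.push_back(nested ? "OnStart(nested)" : "OnStart");
    if (!nested) {
      nested = true;
      ch.DoNotifyListener();  // nested run completes and clears mListener
    }
  }
  void OnStop(ToyChannel& ch) override { ch.log.push_back("OnStop"); }
};

// Runs the constructed re-entrant scenario and returns the outer call's result.
NotifyResult RunReentrantCase(std::vector<std::string>* logOut) {
  ToyChannel ch;
  ch.mListener = std::make_shared<ReentrantListener>();
  NotifyResult r = ch.DoNotifyListener();
  if (logOut) *logOut = ch.log;
  return r;
}

int main() {
  std::vector<std::string> log;
  NotifyResult r = RunReentrantCase(&log);
  for (const std::string& line : log) std::cout << line << "\n";
  std::cout << "outer delivered=" << r.delivered
            << " listenerNullAtStop=" << r.listenerNullAtStop << "\n";
  return 0;
}
```
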
mayhemer would know better than me. I didn't touch that code directly but the push you mentioned could affect the callpath.

Are you still seeing this regularly? I pushed a change on 1/28 that should reduce the scope of this problem.
https://hg.mozilla.org/mozilla-central/rev/b6d3a8960d38
Flags: needinfo?(mmc)
[Tracking Requested - why for this release]:

This crash is still 100% reproducible for me in Nightly build 2015-02-02. You might need to disable e10s to reliably reproduce the crash.
Tracking since this is a recent regression and reproducible - Honza are you able to put up a potential fix for this?
Flags: needinfo?(honzab.moz)
Yep, pretty easy to w/a.
Assignee: nobody → honzab.moz
Status: NEW → ASSIGNED
Flags: needinfo?(honzab.moz)
Attached patch v1 (obsolete) — Splinter Review
Attachment #8561366 - Flags: review?(mcmanus)
Comment on attachment 8561366 [details] [diff] [review]
v1

Review of attachment 8561366 [details] [diff] [review]:
-----------------------------------------------------------------

thanks honza
Attachment #8561366 - Flags: review?(mcmanus) → review+
Attachment #8564177 - Flags: review+
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/95666abd1447
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38