Crash in ActorChild::SetFeature

RESOLVED FIXED in Firefox 39

Type: defect
Status: RESOLVED FIXED
Reported: 4 years ago
Last updated: a month ago
Reporter: Ehsan
Assignee: bkelly
Version: unspecified
Target Milestone: mozilla39
Hardware: x86, macOS
Tracking flags: firefox39 fixed
Attachments: 1

Description (Ehsan, reporter; 4 years ago):

Seems like CacheStorageChild::RecvOpenResponse can be called with a null actor.

(lldb) bt
* thread #1: tid = 0x2b5da1, 0x0000000103ecf4bc XUL`nsRefPtr<mozilla::dom::cache::Feature>::get(this=0x0000000000000038) const + 12 at nsRefPtr.h:216, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x38)
    frame #0: 0x0000000103ecf4bc XUL`nsRefPtr<mozilla::dom::cache::Feature>::get(this=0x0000000000000038) const + 12 at nsRefPtr.h:216
    frame #1: 0x0000000103ebe995 XUL`nsRefPtr<mozilla::dom::cache::Feature>::operator mozilla::dom::cache::Feature*(this=0x0000000000000038) const + 21 at nsRefPtr.h:229
    frame #2: 0x0000000103e9c8f7 XUL`mozilla::dom::cache::ActorChild::SetFeature(this=0x0000000000000030, aFeature=0x0000000000000000) + 39 at ActorChild.cpp:21
    frame #3: 0x0000000103ea94b2 XUL`mozilla::dom::cache::CacheStorageChild::RecvOpenResponse(this=0x0000000122ef79d0, aRequestId=0x00007fff5fbfc130, aRv=0x00007fff5fbfc12c, aActor=0x0000000000000000) + 338 at CacheStorageChild.cpp:140
  * frame #4: 0x0000000102216ad4 XUL`mozilla::dom::cache::PCacheStorageChild::OnMessageReceived(this=0x0000000122ef79d0, __msg=0x00007fff5fbfc660) + 2452 at PCacheStorageChild.cpp:382
    frame #5: 0x0000000101df675c XUL`mozilla::ipc::PBackgroundChild::OnMessageReceived(this=0x000000011ec90d80, __msg=0x00007fff5fbfc660) + 172 at PBackgroundChild.cpp:1001
    frame #6: 0x0000000101d9ee2e XUL`mozilla::ipc::MessageChannel::DispatchAsyncMessage(this=0x000000011ec90de0, aMsg=0x00007fff5fbfc660) + 302 at MessageChannel.cpp:1211
    frame #7: 0x0000000101d9e0f9 XUL`mozilla::ipc::MessageChannel::DispatchMessage(this=0x000000011ec90de0, aMsg=0x00007fff5fbfc660) + 201 at MessageChannel.cpp:1138
    frame #8: 0x0000000101d9a6b4 XUL`mozilla::ipc::MessageChannel::OnMaybeDequeueOne(this=0x000000011ec90de0) + 484 at MessageChannel.cpp:1122
    frame #9: 0x0000000101db9433 XUL`void DispatchToMethod<mozilla::ipc::MessageChannel, bool (obj=0x000000011ec90de0, method=0x0000000101d9a4d0, arg=0x00000001202811b0)()>(mozilla::ipc::MessageChannel*, bool (mozilla::ipc::MessageChannel::*)(), Tuple0 const&) + 131 at tuple.h:383
    frame #10: 0x0000000101db9326 XUL`RunnableMethod<mozilla::ipc::MessageChannel, bool (this=0x0000000120281180)(), Tuple0>::Run() + 86 at task.h:310
    frame #11: 0x0000000101dbdaa8 XUL`mozilla::ipc::MessageChannel::RefCountedTask::Run(this=0x000000012019be90) + 40 at MessageChannel.h:437
    frame #12: 0x0000000101dbda74 XUL`mozilla::ipc::MessageChannel::DequeueTask::Run(this=0x0000000121f96580) + 36 at MessageChannel.h:454
    frame #13: 0x0000000101d362d0 XUL`MessageLoop::RunTask(this=0x0000000100433540, task=0x0000000121f96580) + 96 at message_loop.cc:361
    frame #14: 0x0000000101d3683f XUL`MessageLoop::DeferOrRunPendingTask(this=0x0000000100433540, pending_task=0x00007fff5fbfc818) + 79 at message_loop.cc:369
    frame #15: 0x0000000101d36a64 XUL`MessageLoop::DoWork(this=0x0000000100433540) + 292 at message_loop.cc:447
    frame #16: 0x0000000101da1f22 XUL`mozilla::ipc::DoWorkRunnable::Run(this=0x0000000100467770) + 146 at MessagePump.cpp:233
    frame #17: 0x000000010170b99f XUL`nsThread::ProcessNextEvent(this=0x0000000100428800, aMayWait=false, aResult=0x00007fff5fbfca73) + 2095 at nsThread.cpp:855
    frame #18: 0x000000010176543a XUL`NS_ProcessPendingEvents(aThread=0x0000000100428800, aTimeout=20) + 154 at nsThreadUtils.cpp:207
    frame #19: 0x0000000104c6c1e9 XUL`nsBaseAppShell::NativeEventCallback(this=0x00000001173cd6c0) + 201 at nsBaseAppShell.cpp:98
    frame #20: 0x0000000104ce6a5d XUL`nsAppShell::ProcessGeckoEvents(aInfo=0x00000001173cd6c0) + 445 at nsAppShell.mm:377
    frame #21: 0x00007fff8aae3661 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
    frame #22: 0x00007fff8aad57ed CoreFoundation`__CFRunLoopDoSources0 + 269
    frame #23: 0x00007fff8aad4e1f CoreFoundation`__CFRunLoopRun + 927
    frame #24: 0x00007fff8aad4838 CoreFoundation`CFRunLoopRunSpecific + 296
    frame #25: 0x00007fff8549443f HIToolbox`RunCurrentEventLoopInMode + 235
    frame #26: 0x00007fff854941ba HIToolbox`ReceiveNextEventCommon + 431
    frame #27: 0x00007fff85493ffb HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 71
    frame #28: 0x00007fff8c17f6d1 AppKit`_DPSNextEvent + 964
    frame #29: 0x00007fff8c17ee80 AppKit`-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 194
    frame #30: 0x0000000104ce5587 XUL`-[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:](self=0x00000001173cd760, _cmd=0x00007fff8cad2b88, mask=18446744073709551615, expiration=0x422d63c37f00000d, mode=0x00007fff7411ff60, flag='\x01') + 119 at nsAppShell.mm:118
    frame #31: 0x00007fff8c172e23 AppKit`-[NSApplication run] + 594
    frame #32: 0x0000000104ce7417 XUL`nsAppShell::Run(this=0x00000001173cd6c0) + 167 at nsAppShell.mm:651
    frame #33: 0x0000000105be1c7c XUL`nsAppStartup::Run(this=0x000000011951b730) + 156 at nsAppStartup.cpp:281
    frame #34: 0x0000000105c91f88 XUL`XREMain::XRE_mainRun(this=0x00007fff5fbfe9c8) + 6120 at nsAppRunner.cpp:4167
    frame #35: 0x0000000105c927de XUL`XREMain::XRE_main(this=0x00007fff5fbfe9c8, argc=5, argv=0x00007fff5fbff2c8, aAppData=0x00007fff5fbfec48) + 798 at nsAppRunner.cpp:4243
    frame #36: 0x0000000105c92ca2 XUL`XRE_main(argc=5, argv=0x00007fff5fbff2c8, aAppData=0x00007fff5fbfec48, aFlags=0) + 98 at nsAppRunner.cpp:4463
    frame #37: 0x0000000100002bae firefox`do_main(argc=5, argv=0x00007fff5fbff2c8, xreDirectory=0x000000010041d280) + 1870 at nsBrowserApp.cpp:294
    frame #38: 0x0000000100001f65 firefox`main(argc=5, argv=0x00007fff5fbff2c8) + 293 at nsBrowserApp.cpp:667
    frame #39: 0x00000001000019e4 firefox`start + 52

Comment (bkelly):

This is a silly error on my part. We need to check cacheChild before we use it in CacheStorageChild::RecvOpenResponse().
Assignee: nobody → bkelly
Status: NEW → ASSIGNED
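The missing check that the comment above describes, as an added example that is not Mozilla's code: a small mock in the shape of the classes named in the backtrace, with the unchecked handler beside the checked one. CacheChild, ActorChild, PCacheChild, SetFeature and RecvOpenResponse are named after the frames in the trace; their bodies, the fields, the integer aRv convention (0 meaning success) and the OpenResult enum are hypothetical stand-ins. ActorChildOffset() measures, on a real object, why a null aActor in RecvOpenResponse shows up in the trace as a small non-null `this` inside SetFeature.

```cpp
// Added example, not Mozilla's code: a mock of the IPDL child-actor pattern
// from the bug. Class names echo the trace; the fields, the aRv convention
// (0 == success, like NS_OK) and OpenResult are hypothetical.
#include <cstddef>
#include <cstdio>
#include <string>

// Stand-in for mozilla::dom::cache::Feature (no refcounting here).
struct Feature {
  std::string name;
};

// Stand-in for the IPDL-generated protocol base class. It is polymorphic and
// carries a few fields so that ActorChild does not sit at offset 0 below.
struct PCacheChild {
  virtual ~PCacheChild() = default;
  long mId = 0;
  long mState = 0;
};

// Stand-in for ActorChild: the part of the actor that owns the feature.
class ActorChild {
 public:
  virtual ~ActorChild() = default;
  void SetFeature(Feature* aFeature) { mFeature = aFeature; }
  Feature* GetFeature() const { return mFeature; }

 private:
  Feature* mFeature = nullptr;
};

// Protocol base first, ActorChild second: calling an ActorChild method on a
// CacheChild* adjusts `this` by ActorChild's offset, and compilers typically
// skip the null check on that adjustment because a null `this` is already
// undefined behaviour. That is why the trace shows a small non-null `this`
// for a null aActor.
class CacheChild : public PCacheChild, public ActorChild {};

enum class OpenResult { kOk, kError, kMissingActor };

// Unfixed shape of the handler: trusts aActor unconditionally. A null actor
// here dereferences a near-null pointer exactly as in the crash.
OpenResult RecvOpenResponseUnchecked(PCacheChild* aActor, int aRv,
                                     Feature* aFeature) {
  CacheChild* cacheChild = static_cast<CacheChild*>(aActor);
  cacheChild->SetFeature(aFeature);
  return aRv == 0 ? OpenResult::kOk : OpenResult::kError;
}

// Fixed shape: the parent legitimately answers with a null actor when the
// open fails, so the child checks before it touches the actor.
OpenResult RecvOpenResponse(PCacheChild* aActor, int aRv, Feature* aFeature) {
  if (!aActor) {
    // Nothing to attach the feature to; report the failure instead of
    // crashing. A success code with no actor is itself a protocol violation.
    return aRv == 0 ? OpenResult::kMissingActor : OpenResult::kError;
  }
  CacheChild* cacheChild = static_cast<CacheChild*>(aActor);
  cacheChild->SetFeature(aFeature);
  return aRv == 0 ? OpenResult::kOk : OpenResult::kError;
}

// Byte offset of the ActorChild subobject inside CacheChild, measured on a
// real object (no null-pointer arithmetic involved).
std::ptrdiff_t ActorChildOffset() {
  CacheChild child;
  char* base = reinterpret_cast<char*>(&child);
  char* sub = reinterpret_cast<char*>(static_cast<ActorChild*>(&child));
  return sub - base;
}

// Drives the fixed handler through both the success and the failure reply
// and reports whether every expectation held.
bool ExerciseFixedHandler() {
  Feature feature{"cache-storage"};
  CacheChild child;
  bool okPath = RecvOpenResponse(&child, 0, &feature) == OpenResult::kOk &&
                child.GetFeature() == &feature;
  bool failPath =
      RecvOpenResponse(nullptr, -1, &feature) == OpenResult::kError;
  return okPath && failPath;
}

int main() {
  std::printf("ActorChild sits %ld bytes into CacheChild\n",
              static_cast<long>(ActorChildOffset()));
  bool ok = ExerciseFixedHandler();
  std::printf("fixed handler behaves as expected: %s\n", ok ? "yes" : "no");
  return ok ? 0 : 1;
}
```

The point of the check is that a null actor is a normal failure reply from the parent side, not a corrupted message, so it belongs in the handler's control flow rather than behind an assertion that only fires in debug builds.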
Updated (Ehsan, reporter; 4 years ago):
Attachment #8573431 - Flags: review?(ehsan) → review+
https://hg.mozilla.org/mozilla-central/rev/48fb33eac947
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
Component: DOM → DOM: Core & HTML
Product: Core → Core