Closed Bug 1147746 Opened 5 years ago Closed 5 years ago

Null pointer crash in HttpChannelChild::ResetInterception

Categories

(Core :: Networking, defect)

x86
macOS

Tracking

RESOLVED FIXED
mozilla39
Tracking Status
firefox39 --- fixed

People

(Reporter: ehsan, Assigned: ehsan)

Attachments

(1 file)

Got this under the debugger:

(lldb) bt
* thread #1: tid = 0x3f1cae, 0x0000000100b63567 XUL`nsRefPtr<mozilla::net::HttpChannelChild>::assign_assuming_AddRef(this=0x0000000000000010, aNewPtr=0x0000000000000000) + 23 at nsRefPtr.h:44, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x10)
    frame #0: 0x0000000100b63567 XUL`nsRefPtr<mozilla::net::HttpChannelChild>::assign_assuming_AddRef(this=0x0000000000000010, aNewPtr=0x0000000000000000) + 23 at nsRefPtr.h:44
    frame #1: 0x0000000100b6353f XUL`nsRefPtr<mozilla::net::HttpChannelChild>::assign_with_AddRef(this=0x0000000000000010, aRawPtr=0x0000000000000000) + 63 at nsRefPtr.h:31
    frame #2: 0x0000000100b57a4f XUL`nsRefPtr<mozilla::net::HttpChannelChild>::operator=(this=0x0000000000000010, aRhs=0x0000000000000000) + 47 at nsRefPtr.h:134
    frame #3: 0x0000000100b2777f XUL`mozilla::net::InterceptStreamListener::Cleanup(this=0x0000000000000000) + 47 at HttpChannelChild.cpp:160
  * frame #4: 0x0000000100b3102d XUL`mozilla::net::HttpChannelChild::ResetInterception(this=0x0000000126480000) + 45 at HttpChannelChild.cpp:2077
    frame #5: 0x0000000100b3b676 XUL`mozilla::net::InterceptedChannelContent::ResetInterception(this=0x0000000124abbac0) + 150 at InterceptedChannel.cpp:279
    frame #6: 0x0000000103b0a89a XUL`mozilla::dom::workers::FetchEventRunnable::ResumeRequest::Run(this=0x0000000122dd5c40) + 58 at ServiceWorkerManager.cpp:2264
    frame #7: 0x0000000100767c6f XUL`nsThread::ProcessNextEvent(this=0x0000000113981040, aMayWait=false, aResult=0x00007fff5fbfc313) + 2095 at nsThread.cpp:855
    frame #8: 0x00000001007c483a XUL`NS_ProcessPendingEvents(aThread=0x0000000113981040, aTimeout=20) + 154 at nsThreadUtils.cpp:207
    frame #9: 0x0000000103da4e79 XUL`nsBaseAppShell::NativeEventCallback(this=0x00000001139616a0) + 201 at nsBaseAppShell.cpp:98
    frame #10: 0x0000000103e1fb6d XUL`nsAppShell::ProcessGeckoEvents(aInfo=0x00000001139616a0) + 445 at nsAppShell.mm:377
    frame #11: 0x00007fff8716c681 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
    frame #12: 0x00007fff8715e80d CoreFoundation`__CFRunLoopDoSources0 + 269
    frame #13: 0x00007fff8715de3f CoreFoundation`__CFRunLoopRun + 927
    frame #14: 0x00007fff8715d858 CoreFoundation`CFRunLoopRunSpecific + 296
    frame #15: 0x00007fff8bf17aef HIToolbox`RunCurrentEventLoopInMode + 235
    frame #16: 0x00007fff8bf1786a HIToolbox`ReceiveNextEventCommon + 431
    frame #17: 0x00007fff8bf176ab HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 71
    frame #18: 0x00007fff89a4df81 AppKit`_DPSNextEvent + 964
    frame #19: 0x00007fff89a4d730 AppKit`-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 194
    frame #20: 0x0000000103e1e697 XUL`-[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:](self=0x00000001180905e0, _cmd=0x00007fff8a3a89c8, mask=18446744073709551615, expiration=0x422d63c37f00000d, mode=0x00007fff7515ff60, flag='\x01') + 119 at nsAppShell.mm:118
    frame #21: 0x00007fff89a41593 AppKit`-[NSApplication run] + 594
    frame #22: 0x0000000103e20527 XUL`nsAppShell::Run(this=0x00000001139616a0) + 167 at nsAppShell.mm:651
    frame #23: 0x0000000104ded0bb XUL`XRE_RunAppShell + 347 at nsEmbedFunctions.cpp:743
    frame #24: 0x0000000100e056b6 XUL`mozilla::ipc::MessagePumpForChildProcess::Run(this=0x0000000113921240, aDelegate=0x00007fff5fbff0e0) + 198 at MessagePump.cpp:272
    frame #25: 0x0000000100d78125 XUL`MessageLoop::RunInternal(this=0x00007fff5fbff0e0) + 117 at message_loop.cc:233
    frame #26: 0x0000000100d78035 XUL`MessageLoop::RunHandler(this=0x00007fff5fbff0e0) + 21 at message_loop.cc:226
    frame #27: 0x0000000100d77fdd XUL`MessageLoop::Run(this=0x00007fff5fbff0e0) + 45 at message_loop.cc:200
    frame #28: 0x0000000104dec887 XUL`XRE_InitChildProcess(aArgc=3, aArgv=0x00007fff5fbff3e8, aGMPLoader=0x0000000000000000) + 3095 at nsEmbedFunctions.cpp:580
    frame #29: 0x000000010000213b plugin-container`content_process_main(argc=6, argv=0x00007fff5fbff3e8) + 299 at plugin-container.cpp:211
    frame #30: 0x0000000100002232 plugin-container`main(argc=7, argv=0x00007fff5fbff3e8) + 34 at MozillaRuntimeMain.cpp:11
    frame #31: 0x00000001000017c4 plugin-container`start + 52
Comment on attachment 8583599
Null check mInterceptListener in HttpChannelChild::ResetInterception

Review of attachment 8583599:
-----------------------------------------------------------------

This looks like it comes from cancelling an intercepted channel, so performing this check rather than returning is correct.
Attachment #8583599 - Flags: review?(josh) → review+
https://hg.mozilla.org/mozilla-central/rev/11bc172a8665
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
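
The pattern visible in the backtrace (Cleanup() entered with this=0x0, then a write faulting at address 0x10) and the null check named in the attachment title, as an added example that is not Mozilla's code. Listener, Channel, their field layout, the continued flag and the assumption that cancelling drops the listener are hypothetical stand-ins.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
// Hypothetical, simplified stand-ins for the classes named in the backtrace.
// The two leading fields are constructed so that mOwner sits at offset 0x10.
struct Channel;
struct Listener {
  std::uint64_t vtableSlot = 0;  // stands in for the vtable pointer
  std::uint64_t refCnt = 0;
  Channel* mOwner = nullptr;     // the member Cleanup() writes to
  void Cleanup() { mOwner = nullptr; }  // non-virtual: faults only on this write
};

struct Channel {
  std::shared_ptr<Listener> mInterceptListener;
  bool continued = false;  // hypothetical marker: the rest of the reset ran
  void Cancel() { mInterceptListener.reset(); }  // assumed: cancel drops listener
  void ResetInterception() {
    if (mInterceptListener) {  // the null check
      mInterceptListener->Cleanup();
    }
    mInterceptListener.reset();
    continued = true;  // no early return: the reset still completes
  }
};

// With this == nullptr, the write in Cleanup() targets 0 + offsetof(mOwner).
std::size_t FaultAddressForNullThis() { return offsetof(Listener, mOwner); }

bool ResetAfterCancelCompletes() {
  Channel ch;
  ch.mInterceptListener = std::make_shared<Listener>();
  ch.Cancel();
  ch.ResetInterception();  // would dereference null without the check
  return ch.continued && !ch.mInterceptListener;
}

bool ResetDetachesLiveListener() {
  Channel ch;
  auto listener = std::make_shared<Listener>();
  listener->mOwner = &ch;
  ch.mInterceptListener = listener;
  ch.ResetInterception();
  return listener->mOwner == nullptr && ch.continued;
}

int main() {
  return (ResetAfterCancelCompletes() && ResetDetachesLiveListener()) ? 0 : 1;
}
```

A small non-zero fault address next to a `this=0x0` frame is the usual signature of a member access through a null object pointer: the address is the member's offset, and the frame to fix is the caller that made the call without checking.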