Closed Bug 1267000 Opened 9 years ago Closed 9 years ago

HTTPS proxy results Firefox crash in mozilla::net::SpdyStream31::ChannelPipeFull

Categories

(Core :: Networking, defect)

Product:
Core
Component:
Networking
Version:
47 Branch
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla49
Tracking Flags:
Tracking Status
firefox46 --- unaffected
firefox47 + fixed
firefox48 --- fixed
firefox49 --- fixed

People

(Reporter: Off.Just.Off, Assigned: mcmanus)

References

Details

(Keywords: crash, regression, reproducible, Whiteboard: [necko-active])

Crash Data

Attachments

(1 file)

null deref with spdy proxy
1.82 KB, patch
u408661
: review+
ritu
: approval-mozilla-aurora+
ritu
: approval-mozilla-beta+
Details | Diff | Splinter Review
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 Build ID: 20160204200225 Steps to reproduce: Enable HTTPS proxy via PAC or nsIProtocolProxyService filter API. For example, open Advanced->Network->Settings and enter to Automated proxy configuration URL following: data:text/plain,%20function%20FindProxyForURL(url,%20host)%20{return%20'HTTPS%20de11.zenguard.org:443';} Try to load any page. Actual results: Crash: https://crash-stats.mozilla.com/report/index/1bd6472d-ae4c-4d05-8d54-d96992160423 Expected results: Should not crash. Last good build is 47.0a1 from 20160205030204. Starting 47.0a1 from 20160206030207 and up to current trunc crush is observed.
OS: Unspecified → Windows 7
Hardware: Unspecified → x86
Component: Untriaged → Networking
Product: Firefox → Core
Crash Signature: mozilla::net::SpdyStream31::ChannelPipeFull
The changelog and regression range points to bug 1241906 and https://hg.mozilla.org/mozilla-central/rev/e56a38a1a4ff
Assignee: nobody → mcmanus
Blocks: 1241906
Keywords: crash, reproducible
Whiteboard: [necko-active]
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
[Tracking Requested - why for this release]:
status-firefox46: --- → unaffected
status-firefox47: --- → affected
status-firefox48: --- → affected
tracking-firefox47: --- → ?
Keywords: regression
Crash Signature: mozilla::net::SpdyStream31::ChannelPipeFull → [@ mozilla::net::SpdyStream31::ChannelPipeFull ]
Attachment #8746179 - Flags: review?(hurley)
This turns out to be a simple case of the stack turning the member null.. we already have a local copy of the pointer for this reason and should have used it in the first place. The regressing bug 1241906 was spdy only, so this doesn't impact h2.
Attachment #8746179 - Flags: review?(hurley) → review+
Comment on attachment 8746179 [details] [diff] [review] null deref with spdy proxy Approval Request Comment [Feature/regressing bug #]: 1241906 [User impact if declined]: null crashes when using spdy based https proxies [Describe test coverage new/current, TreeHerder]: mix of manual and treeherder [Risks and why]: extremely low small targeted fix [String/UUID change made/needed]: none this fixes a crash regression in 47
Attachment #8746179 - Flags: approval-mozilla-beta?
Attachment #8746179 - Flags: approval-mozilla-aurora?
Tracked on 47+. This was mentioned as a top crasher on 47.0b1 at the channel meeting.
tracking-firefox47: ?+
Comment on attachment 8746179 [details] [diff] [review] null deref with spdy proxy Crash fix, Aurora48+, Beta47+
Attachment #8746179 - Flags: approval-mozilla-beta?
Attachment #8746179 - Flags: approval-mozilla-beta+
Attachment #8746179 - Flags: approval-mozilla-aurora?
Attachment #8746179 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/mozilla-central/rev/96fcd4518379
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: