ARM/AARCH64: Firefox crashes on NULL nsIChannel** result pointer in nsIOService::NewChannelFromURIWithProxyFlagsInternal()

Status: RESOLVED INACTIVE (Needinfo from 2 people)
Product: Core
Component: XPCOM
Priority: P5
Severity: normal
Reported: 2 years ago
Modified: 9 hours ago
Reporter: Charles Robertson (Unassigned, NeedInfo)
Version: 45 Branch
Hardware: ARM
OS: Linux
Description

2 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 2016042600

Steps to reproduce:

Run Firefox on an ARM64 machine and a crash (seg-fault/core dump) will occur soon after start up. This only happens on ARM/AARCH64 hardware. We have reproduced this on a RaspberryPI3 and a HPE ProLiant m400 server running SLES12 and openSUSE Tumbleweed respectively.


Actual results:

A seg-fault/core dump occurs several seconds after FF is up and running, regardless of what the user is doing. The stack back trace shows a NULL nsIChannel** result pointer in nsIOService::NewChannelFromURIWithProxyFlagsInternal(); when the method completes successfully, nsCOMPtr<nsIChannel>::forget() is called with the NULL result pointer, which then causes the core dump.

The core dump file is attached: aarch64-firefox.core



Expected results:

It appears the nsIChannel** result pointer which is passed to the nsIOService methods from libxul.so should not be NULL.

Where/when is this pointer allocated? Is there a possible missed case that it could be NULL before being passed to the nsIOService module?

Here's the full stack trace. Sorry it's rather lengthy:

#0  0x0000ffffb7974cd8 in raise () from /lib64/libpthread.so.0
#1  0x0000ffffb4f9c1ac in nsProfileLock::FatalSignalHandler (signo=11, info=<optimized out>, context=<optimized out>) at /usr/src/debug/mozilla/toolkit/profile/nsProfileLock.cpp:185
#2  <signal handler called>
#3  nsCOMPtr<nsIChannel>::forget<nsIChannel> (aRhs=0x0, this=0xffffee1fde00) at ../../dist/include/nsCOMPtr.h:714
#4  nsIOService::NewChannelFromURIWithProxyFlagsInternal (this=this@entry=0xffffb7399260, aURI=aURI@entry=0xffff980eee40, aProxyURI=aProxyURI@entry=0x0, aProxyFlags=aProxyFlags@entry=0, 
    aLoadInfo=<optimized out>, result=result@entry=0x0) at /usr/src/debug/mozilla/netwerk/base/nsIOService.cpp:827
#5  0x0000ffffb395a13c in nsIOService::NewChannelFromURIWithProxyFlags2 (this=this@entry=0xffffb7399260, aURI=0xffff980eee40, aProxyURI=aProxyURI@entry=0x0, aProxyFlags=aProxyFlags@entry=0, 
    aLoadingNode=aLoadingNode@entry=0x0, aLoadingPrincipal=aLoadingPrincipal@entry=0xffffb0ff3100, aTriggeringPrincipal=<optimized out>, aSecurityFlags=<optimized out>, 
    aContentPolicyType=aContentPolicyType@entry=2496590536, result=result@entry=0x0) at /usr/src/debug/mozilla/netwerk/base/nsIOService.cpp:867
#6  0x0000ffffb395a1a0 in nsIOService::NewChannelFromURI2 (this=this@entry=0xffffb7399260, aURI=<optimized out>, aLoadingNode=aLoadingNode@entry=0x0, aLoadingPrincipal=aLoadingPrincipal@entry=0xffffb0ff3100, 
    aTriggeringPrincipal=<optimized out>, aSecurityFlags=<optimized out>, aContentPolicyType=aContentPolicyType@entry=2496590536, result=result@entry=0x0)
    at /usr/src/debug/mozilla/netwerk/base/nsIOService.cpp:665
#7  0x0000ffffb395a254 in nsIOService::NewChannel2 (this=0xffffb7399260, aSpec=..., aCharset=<optimized out>, aBaseURI=<optimized out>, aLoadingNode=0x0, aLoadingPrincipal=0xffffb0ff3100, 
    aTriggeringPrincipal=<optimized out>, aSecurityFlags=<optimized out>, aContentPolicyType=2496590536, result=0x0) at /usr/src/debug/mozilla/netwerk/base/nsIOService.cpp:920
#8  0x0000ffffb38f679c in _NS_InvokeByIndex () from /usr/lib64/firefox/libxul.so
#9  0x0000ffffb3cf887c in CallMethodHelper::Invoke (this=0xa) at /usr/src/debug/mozilla/js/xpconnect/src/XPCWrappedNative.cpp:2097
#10 CallMethodHelper::Call (this=0xa) at /usr/src/debug/mozilla/js/xpconnect/src/XPCWrappedNative.cpp:1414
#11 XPCWrappedNative::CallMethod (ccx=..., mode=mode@entry=XPCWrappedNative::CALL_METHOD) at /usr/src/debug/mozilla/js/xpconnect/src/XPCWrappedNative.cpp:1381
#12 0x0000ffffb3cfe0e0 in XPC_WN_CallMethod (cx=cx@entry=0xffff9fd61000, argc=8, vp=0xffffabc55778) at /usr/src/debug/mozilla/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1115
#13 0x0000ffffb54583c8 in js::CallJSNative (args=..., native=0xffffb3cfdf34 <XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*)>, cx=0xffff9fd61000) at /usr/src/debug/mozilla/js/src/jscntxtinlines.h:240
#14 js::Invoke (cx=0xffff9fd61000, args=..., construct=<optimized out>) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:444
#15 0x0000ffffb544e08c in Interpret (cx=0xffff9fd61000, state=...) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:2766
#16 0x0000ffffb54580f8 in js::RunScript (cx=cx@entry=0xffff9fd61000, state=...) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:391
#17 0x0000ffffb5458314 in js::Invoke (cx=cx@entry=0xffff9fd61000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:462
#18 0x0000ffffb5375eec in js::fun_call (cx=cx@entry=0xffff9fd61000, argc=<optimized out>, vp=vp@entry=0xffffee1ff468) at /usr/src/debug/mozilla/js/src/jsfun.cpp:1192
#19 0x0000ffffb5388014 in js::fun_apply (cx=cx@entry=0xffff9fd61000, argc=<optimized out>, vp=0xffffee1ff468) at /usr/src/debug/mozilla/js/src/jsfun.cpp:1210
#20 0x0000ffffb54583c8 in js::CallJSNative (args=..., native=0xffffb5387e8c <js::fun_apply(JSContext*, unsigned int, JS::Value*)>, cx=0xffff9fd61000) at /usr/src/debug/mozilla/js/src/jscntxtinlines.h:240
#21 js::Invoke (cx=cx@entry=0xffff9fd61000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:444
#22 0x0000ffffb5458b5c in js::Invoke (cx=cx@entry=0xffff9fd61000, thisv=..., fval=..., argc=1, argv=<optimized out>, rval=...) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:496
#23 0x0000ffffb53e3924 in js::DirectProxyHandler::call (this=this@entry=0xffffb7189858 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0xffff9fd61000, proxy=..., proxy@entry=..., args=...)
    at /usr/src/debug/mozilla/js/src/proxy/DirectProxyHandler.cpp:77
#24 0x0000ffffb53e540c in js::CrossCompartmentWrapper::call (this=0xffffb7189858 <js::CrossCompartmentWrapper::singleton>, cx=0xffff9fd61000, wrapper=..., args=...)
    at /usr/src/debug/mozilla/js/src/proxy/CrossCompartmentWrapper.cpp:289
#25 0x0000ffffb53e746c in js::Proxy::call (cx=cx@entry=0xffff9fd61000, proxy=proxy@entry=..., args=...) at /usr/src/debug/mozilla/js/src/proxy/Proxy.cpp:391
#26 0x0000ffffb53e8110 in js::proxy_Call (cx=cx@entry=0xffff9fd61000, argc=<optimized out>, vp=<optimized out>) at /usr/src/debug/mozilla/js/src/proxy/Proxy.cpp:683
#27 0x0000ffffb54584e0 in js::CallJSNative (args=..., native=0xffffb53e80b0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, cx=0xffff9fd61000) at /usr/src/debug/mozilla/js/src/jscntxtinlines.h:240
#28 js::Invoke (cx=0xffff9fd61000, args=..., construct=<optimized out>) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:432
#29 0x0000ffffb544e08c in Interpret (cx=0xffff9fd61000, state=...) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:2766
#30 0x0000ffffb54580f8 in js::RunScript (cx=cx@entry=0xffff9fd61000, state=...) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:391
#31 0x0000ffffb5458314 in js::Invoke (cx=cx@entry=0xffff9fd61000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:462
#32 0x0000ffffb5458b5c in js::Invoke (cx=cx@entry=0xffff9fd61000, thisv=..., fval=..., argc=0, argv=<optimized out>, rval=...) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:496
#33 0x0000ffffb53e3924 in js::DirectProxyHandler::call (this=this@entry=0xffffb7189858 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0xffff9fd61000, proxy=..., proxy@entry=..., args=...)
    at /usr/src/debug/mozilla/js/src/proxy/DirectProxyHandler.cpp:77
#34 0x0000ffffb53e540c in js::CrossCompartmentWrapper::call (this=0xffffb7189858 <js::CrossCompartmentWrapper::singleton>, cx=0xffff9fd61000, wrapper=..., args=...)
    at /usr/src/debug/mozilla/js/src/proxy/CrossCompartmentWrapper.cpp:289
#35 0x0000ffffb53e746c in js::Proxy::call (cx=cx@entry=0xffff9fd61000, proxy=proxy@entry=..., args=...) at /usr/src/debug/mozilla/js/src/proxy/Proxy.cpp:391
#36 0x0000ffffb53e8110 in js::proxy_Call (cx=cx@entry=0xffff9fd61000, argc=<optimized out>, vp=<optimized out>) at /usr/src/debug/mozilla/js/src/proxy/Proxy.cpp:683
#37 0x0000ffffb54584e0 in js::CallJSNative (args=..., native=0xffffb53e80b0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, cx=0xffff9fd61000) at /usr/src/debug/mozilla/js/src/jscntxtinlines.h:240
#38 js::Invoke (cx=cx@entry=0xffff9fd61000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:432
#39 0x0000ffffb5458b5c in js::Invoke (cx=cx@entry=0xffff9fd61000, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=..., rval@entry=...) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:496
#40 0x0000ffffb5458cc0 in js::InvokeGetter (cx=cx@entry=0xffff9fd61000, thisv=..., fval=..., rval=...) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:605
#41 0x0000ffffb5458d1c in CallGetter (cx=cx@entry=0xffff9fd61000, obj=..., obj@entry=..., receiver=..., receiver@entry=..., shape=..., shape@entry=..., vp=..., vp@entry=...)
    at /usr/src/debug/mozilla/js/src/vm/NativeObject.cpp:1667
#42 0x0000ffffb5458f5c in GetExistingProperty<(js::AllowGC)1> (vp=..., shape=..., obj=..., receiver=..., cx=0xffff9fd61000) at /usr/src/debug/mozilla/js/src/vm/NativeObject.cpp:1719
#43 NativeGetPropertyInline<(js::AllowGC)1> (vp=..., nameLookup=NotNameLookup, id=..., receiver=..., obj=..., cx=0xffff9fd61000) at /usr/src/debug/mozilla/js/src/vm/NativeObject.cpp:1934
#44 js::NativeGetProperty (cx=0xffff9fd61000, obj=..., receiver=..., id=..., vp=...) at /usr/src/debug/mozilla/js/src/vm/NativeObject.cpp:1968
#45 0x0000ffffb539b2c8 in js::GetProperty (cx=<optimized out>, obj=..., receiver=..., id=..., vp=...) at /usr/src/debug/mozilla/js/src/vm/NativeObject.h:1471
#46 0x0000ffffb5459420 in js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0xffff9fd61000) at /usr/src/debug/mozilla/js/src/jsobj.h:823
#47 js::GetProperty (cx=0xffff9fd61000, v=..., name=..., vp=...) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:4015
#48 0x0000ffffb544e518 in GetPropertyOperation (vp=..., lval=..., pc=<optimized out>, script=..., fp=<optimized out>, cx=<optimized out>) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:203
#49 Interpret (cx=0xffff9fd61000, state=...) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:2487
#50 0x0000ffffb54580f8 in js::RunScript (cx=cx@entry=0xffff9fd61000, state=...) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:391
#51 0x0000ffffb5458314 in js::Invoke (cx=cx@entry=0xffff9fd61000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:462
#52 0x0000ffffb5458b5c in js::Invoke (cx=cx@entry=0xffff9fd61000, thisv=..., fval=..., argc=1, argv=<optimized out>, rval=...) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:496
#53 0x0000ffffb53e3924 in js::DirectProxyHandler::call (this=this@entry=0xffffb7189858 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0xffff9fd61000, proxy=..., proxy@entry=..., args=...)
    at /usr/src/debug/mozilla/js/src/proxy/DirectProxyHandler.cpp:77
#54 0x0000ffffb53e540c in js::CrossCompartmentWrapper::call (this=0xffffb7189858 <js::CrossCompartmentWrapper::singleton>, cx=0xffff9fd61000, wrapper=..., args=...)
    at /usr/src/debug/mozilla/js/src/proxy/CrossCompartmentWrapper.cpp:289
#55 0x0000ffffb53e746c in js::Proxy::call (cx=cx@entry=0xffff9fd61000, proxy=proxy@entry=..., args=...) at /usr/src/debug/mozilla/js/src/proxy/Proxy.cpp:391
#56 0x0000ffffb53e8110 in js::proxy_Call (cx=cx@entry=0xffff9fd61000, argc=<optimized out>, vp=<optimized out>) at /usr/src/debug/mozilla/js/src/proxy/Proxy.cpp:683
#57 0x0000ffffb54584e0 in js::CallJSNative (args=..., native=0xffffb53e80b0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, cx=0xffff9fd61000) at /usr/src/debug/mozilla/js/src/jscntxtinlines.h:240
#58 js::Invoke (cx=0xffff9fd61000, args=..., construct=<optimized out>) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:432
#59 0x0000ffffb544e08c in Interpret (cx=0xffff9fd61000, state=...) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:2766
#60 0x0000ffffb54580f8 in js::RunScript (cx=cx@entry=0xffff9fd61000, state=...) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:391
#61 0x0000ffffb5458314 in js::Invoke (cx=cx@entry=0xffff9fd61000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:462
#62 0x0000ffffb5458b5c in js::Invoke (cx=cx@entry=0xffff9fd61000, thisv=..., fval=..., argc=1, argv=<optimized out>, rval=...) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:496
#63 0x0000ffffb53e3924 in js::DirectProxyHandler::call (this=this@entry=0xffffb7189858 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0xffff9fd61000, proxy=..., proxy@entry=..., args=...)
    at /usr/src/debug/mozilla/js/src/proxy/DirectProxyHandler.cpp:77
#64 0x0000ffffb53e540c in js::CrossCompartmentWrapper::call (this=0xffffb7189858 <js::CrossCompartmentWrapper::singleton>, cx=0xffff9fd61000, wrapper=..., args=...)
    at /usr/src/debug/mozilla/js/src/proxy/CrossCompartmentWrapper.cpp:289
#65 0x0000ffffb53e746c in js::Proxy::call (cx=cx@entry=0xffff9fd61000, proxy=proxy@entry=..., args=...) at /usr/src/debug/mozilla/js/src/proxy/Proxy.cpp:391
#66 0x0000ffffb53e8110 in js::proxy_Call (cx=cx@entry=0xffff9fd61000, argc=<optimized out>, vp=<optimized out>) at /usr/src/debug/mozilla/js/src/proxy/Proxy.cpp:683
#67 0x0000ffffb54584e0 in js::CallJSNative (args=..., native=0xffffb53e80b0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, cx=0xffff9fd61000) at /usr/src/debug/mozilla/js/src/jscntxtinlines.h:240
#68 js::Invoke (cx=0xffff9fd61000, args=..., construct=<optimized out>) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:432
#69 0x0000ffffb544e08c in Interpret (cx=0xffff9fd61000, state=...) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:2766
#70 0x0000ffffb54580f8 in js::RunScript (cx=cx@entry=0xffff9fd61000, state=...) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:391
#71 0x0000ffffb5458314 in js::Invoke (cx=cx@entry=0xffff9fd61000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:462
#72 0x0000ffffb5458b5c in js::Invoke (cx=cx@entry=0xffff9fd61000, thisv=..., fval=..., argc=0, argv=<optimized out>, rval=...) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:496
#73 0x0000ffffb53e3924 in js::DirectProxyHandler::call (this=this@entry=0xffffb7189858 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0xffff9fd61000, proxy=..., proxy@entry=..., args=...)
    at /usr/src/debug/mozilla/js/src/proxy/DirectProxyHandler.cpp:77
#74 0x0000ffffb53e540c in js::CrossCompartmentWrapper::call (this=0xffffb7189858 <js::CrossCompartmentWrapper::singleton>, cx=0xffff9fd61000, wrapper=..., args=...)
    at /usr/src/debug/mozilla/js/src/proxy/CrossCompartmentWrapper.cpp:289
#75 0x0000ffffb53e746c in js::Proxy::call (cx=cx@entry=0xffff9fd61000, proxy=proxy@entry=..., args=...) at /usr/src/debug/mozilla/js/src/proxy/Proxy.cpp:391
#76 0x0000ffffb53e8110 in js::proxy_Call (cx=cx@entry=0xffff9fd61000, argc=<optimized out>, vp=<optimized out>) at /usr/src/debug/mozilla/js/src/proxy/Proxy.cpp:683
#77 0x0000ffffb54584e0 in js::CallJSNative (args=..., native=0xffffb53e80b0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, cx=0xffff9fd61000) at /usr/src/debug/mozilla/js/src/jscntxtinlines.h:240
#78 js::Invoke (cx=0xffff9fd61000, args=..., construct=<optimized out>) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:432
#79 0x0000ffffb544e08c in Interpret (cx=0xffff9fd61000, state=...) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:2766
#80 0x0000ffffb54580f8 in js::RunScript (cx=cx@entry=0xffff9fd61000, state=...) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:391
#81 0x0000ffffb5458314 in js::Invoke (cx=cx@entry=0xffff9fd61000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:462
#82 0x0000ffffb5458b5c in js::Invoke (cx=cx@entry=0xffff9fd61000, thisv=..., fval=..., argc=0, argv=<optimized out>, rval=...) at /usr/src/debug/mozilla/js/src/vm/Interpreter.cpp:496
#83 0x0000ffffb5339ca4 in JS::Call (cx=0xffff9fd61000, thisv=..., thisv@entry=..., fval=..., fval@entry=..., args=..., rval=..., rval@entry=...) at /usr/src/debug/mozilla/js/src/jsapi.cpp:2837
#84 0x0000ffffb40e8c70 in mozilla::dom::Function::Call (this=this@entry=0xffff99407970, cx=0xffff9fd61000, aThisVal=..., arguments=..., aRetVal=..., aRv=...)
    at /usr/src/debug/obj/dom/bindings/FunctionBinding.cpp:37
#85 0x0000ffffb3f5d580 in mozilla::dom::Function::Call<nsCOMPtr<nsISupports> > (aCompartment=0x0, aExceptionHandling=mozilla::dom::CallbackObject::eReportExceptions, aExecutionReason=<optimized out>, aRv=..., 
    aRetVal=..., arguments=..., thisVal=..., this=0xffff99407970) at ../../dist/include/mozilla/dom/FunctionBinding.h:58
#86 nsGlobalWindow::RunTimeoutHandler (this=this@entry=0xffff9fd61800, aTimeout=aTimeout@entry=0xffff995a8dd0, aScx=<optimized out>) at /usr/src/debug/mozilla/dom/base/nsGlobalWindow.cpp:11814
#87 0x0000ffffb3f5d9c8 in nsGlobalWindow::RunTimeout (this=0xffff9fd61800, aTimeout=0xffff995a8dd0) at /usr/src/debug/mozilla/dom/base/nsGlobalWindow.cpp:12049
#88 0x0000ffffb3f5dc60 in nsGlobalWindow::TimerCallback (aTimer=<optimized out>, aClosure=<optimized out>) at /usr/src/debug/mozilla/dom/base/nsGlobalWindow.cpp:12295
#89 0x0000ffffb38f322c in nsTimerImpl::Fire (this=0xffff995a8e40) at /usr/src/debug/mozilla/xpcom/threads/nsTimerImpl.cpp:526
#90 0x0000ffffb38ebefc in nsTimerEvent::Run (this=0xffffa754d3e0) at /usr/src/debug/mozilla/xpcom/threads/TimerThread.cpp:282
#91 0x0000ffffb38ecf20 in nsThread::ProcessNextEvent (this=0xffffb7389a10, aMayWait=false, aResult=0xffffee203fff) at /usr/src/debug/mozilla/xpcom/threads/nsThread.cpp:972
#92 0x0000ffffb390a090 in NS_ProcessNextEvent (aThread=<optimized out>, aMayWait=aMayWait@entry=false) at /usr/src/debug/mozilla/xpcom/glue/nsThreadUtils.cpp:297
#93 0x0000ffffb3ab58dc in mozilla::ipc::MessagePump::Run (this=0xffffb0f5ebc0, aDelegate=0xffffb0f230a0) at /usr/src/debug/mozilla/ipc/glue/MessagePump.cpp:95
#94 0x0000ffffb3a9e85c in MessageLoop::RunInternal (this=this@entry=0xffffb0f230a0) at /usr/src/debug/mozilla/ipc/chromium/src/base/message_loop.cc:234
#95 0x0000ffffb3a9e9ac in MessageLoop::RunHandler (this=0xffffb0f230a0) at /usr/src/debug/mozilla/ipc/chromium/src/base/message_loop.cc:227
#96 MessageLoop::Run (this=0xffffb0f230a0) at /usr/src/debug/mozilla/ipc/chromium/src/base/message_loop.cc:201
#97 0x0000ffffb4a7e980 in nsBaseAppShell::Run (this=0xffffaab6c820) at /usr/src/debug/mozilla/widget/nsBaseAppShell.cpp:156
#98 0x0000ffffb4f6dc3c in nsAppStartup::Run (this=0xffffaab10150) at /usr/src/debug/mozilla/toolkit/components/startup/nsAppStartup.cpp:281
#99 0x0000ffffb4fa30f8 in XREMain::XRE_mainRun (this=this@entry=0xffffee2042b8) at /usr/src/debug/mozilla/toolkit/xre/nsAppRunner.cpp:4285
#100 0x0000ffffb4fa3354 in XREMain::XRE_main (this=this@entry=0xffffee2042b8, argc=argc@entry=1, argv=argv@entry=0xffffee205808, aAppData=<optimized out>)
    at /usr/src/debug/mozilla/toolkit/xre/nsAppRunner.cpp:4382
#101 0x0000ffffb4fa354c in XRE_main (argc=1, argv=0xffffee205808, aAppData=<optimized out>, aFlags=<optimized out>) at /usr/src/debug/mozilla/toolkit/xre/nsAppRunner.cpp:4484
#102 0x00000000004055f4 in do_main (argc=argc@entry=1, argv=argv@entry=0xffffee205808, xreDirectory=0xffffb7357c90) at /usr/src/debug/mozilla/browser/app/nsBrowserApp.cpp:212
#103 0x0000000000404c9c in main (argc=1, argv=0xffffee205808) at /usr/src/debug/mozilla/browser/app/nsBrowserApp.cpp:352
(Reporter)

Updated

2 years ago
OS: Unspecified → Linux
Hardware: Unspecified → ARM

Comment 1 (Tooru Fujisawa [:arai])

Are you using a 48-bit virtual address?
If so, this might be related to bug 1143022.
In that case, can you try Firefox 49, which contains the fix for bug 1143022?
Flags: needinfo?(cgrobertson)
(Reporter)

Comment 2

2 years ago
(In reply to Tooru Fujisawa [:arai] from comment #1)
> Are you using a 48-bit virtual address?
> If so, this might be related to bug 1143022.
> In that case, can you try Firefox 49, which contains the fix for bug 1143022?

We ported the fix for bug 1143022 to our FF45esr build. But this does not fix our problem, which is a NULL nsIChannel** result pointer passed to the nsIOService methods, as you can see in the stack trace.

At the end of nsIOService::NewChannelFromURIWithProxyFlagsInternal(), if everything is successful, there is a call to channel.forget(result), which checks that the result pointer is not NULL, else it seg-faults.

I could not attach the core dump since it was too big.
(Reporter)

Comment 3

2 years ago
I should have mentioned in my last comment that we put a check around the call to channel.forget() at the end of nsIOService::NewChannelFromURIWithProxyFlagsInternal():

if (result) {
  channel.forget(result);
}

We tested FF with this on our ARM machines including the RPi3. It solved the crash and we could not see any other side effects even after extensive testing. This is only a temporary fix though, until we solve the issue with the NULL result pointer.
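As an added example (not Mozilla's code), here is a stand-alone model of the crash in frame #3 and of the two ways of handling a NULL out-pointer discussed in this thread: the unconditional forget() of the original method, the `if (result)` workaround from comment 3, and an up-front argument check in the style of XPCOM's NS_ENSURE_ARG_POINTER. The FakeChannel and OwningPtr types and the NewChannel* functions are constructed for the example and only mimic nsIChannel and nsCOMPtr.

```cpp
// Added example, not Mozilla code: a minimal stand-in for nsCOMPtr::forget()
// and for an XPCOM-style method with an nsIChannel** out-parameter.
#include <cstdint>

typedef uint32_t nsresult;
const nsresult NS_OK = 0;
// Same numeric value XPCOM's nsError.h assigns to NS_ERROR_INVALID_POINTER.
const nsresult NS_ERROR_INVALID_POINTER = 0x80004003;

// Toy refcounted object standing in for nsIChannel (constructed for the example).
struct FakeChannel {
  int refcnt = 0;
  void AddRef() { ++refcnt; }
  void Release() { if (--refcnt == 0) delete this; }
};

// Minimal nsCOMPtr look-alike: owns exactly one strong reference.
template <class T>
class OwningPtr {
  T* mRaw;
public:
  explicit OwningPtr(T* p = nullptr) : mRaw(p) { if (mRaw) mRaw->AddRef(); }
  ~OwningPtr() { if (mRaw) mRaw->Release(); }
  // Like nsCOMPtr::forget(T** aRhs): hands the reference to the caller's
  // out-pointer. Writing through aRhs when aRhs == nullptr is the NULL
  // dereference seen in frame #3 of the backtrace.
  void forget(T** aRhs) { *aRhs = mRaw; mRaw = nullptr; }
  T* get() const { return mRaw; }
};

// Shape of the original method: unconditional forget(result).
// Calling this with result == nullptr crashes (deliberately not exercised).
nsresult NewChannelUnchecked(FakeChannel** result) {
  OwningPtr<FakeChannel> channel(new FakeChannel);
  channel.forget(result);
  return NS_OK;
}

// Comment 3's workaround: skip the forget. The channel is released when
// `channel` goes out of scope and the caller gets NS_OK with no channel,
// so the bad argument is silently swallowed rather than reported.
nsresult NewChannelWorkaround(FakeChannel** result) {
  OwningPtr<FakeChannel> channel(new FakeChannel);
  if (result) {
    channel.forget(result);
  }
  return NS_OK;
}

// Defensive form following XPCOM convention (NS_ENSURE_ARG_POINTER): reject
// the NULL out-pointer before doing any work and return an error the caller
// (and the xptcall layer) can observe instead of crashing or hiding it.
nsresult NewChannelChecked(FakeChannel** result) {
  if (!result) {
    return NS_ERROR_INVALID_POINTER;
  }
  OwningPtr<FakeChannel> channel(new FakeChannel);
  channel.forget(result);
  return NS_OK;
}
```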
(Reporter)

Comment 4

2 years ago
...oh, and yes. We are running with 48-bit virtual address.
I cannot reproduce this on PINE64/Ubuntu 16.04.

Updated

2 years ago
See Also: → bug 1303953

Updated

2 years ago
Duplicate of this bug: 1255364

Updated

2 years ago
Flags: needinfo?(cgrobertson)

Comment 7

a year ago
Assuming bug 1255364 is in fact the exact same issue, I see two possibilities here:

* The GMP update service is passing incorrect arguments (a null pointer) on arm64, in which case we'd move this to the media plugin component and look for fixes probably in that JS. There is some OS-specific code in the GMP updater to select the correct media plugin binary, but not a lot.

* The GMP update code is correct but we're not round-tripping arguments through the JS/XPCOM boundary correctly. Then this would go into the XPCOM component and you'd have to debug the xptcall JS->XPCOM calling layer. This has processor-specific code at http://searchfox.org/mozilla-central/source/xpcom/reflect/xptcall/md/unix/xptcinvoke_aarch64.cpp so this would be my first suspect. I'm going to presumptively move this bug to XPCOM based on this hunch.

In any case, it's unlikely that the core Mozilla project can dedicate debugging time to this, so I'm going to mark this a P5. Charles or Jan, I'd be happy to assist you with debugging if you want to dive into this.
Flags: needinfo?(jhorak)
Flags: needinfo?(cgrobertson)

Updated

a year ago
Component: Untriaged → XPCOM
Priority: -- → P5
Product: Firefox → Core

Comment 8

Gonna guess that this is the same issue as bug 1304962, since the patch explicitly mentions nsIOService::NewChannel2, which is in the backtrace, and ESR 38 wouldn't have that patch.

Comment 9

9 hours ago
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 hours ago
Resolution: --- → INACTIVE