Closed
Bug 1313740
Opened 7 years ago
Closed 7 years ago
[e10s] Crash in mozilla::net::HttpChannelChild::OverrideWithSynthesizedResponse with add-on Decentraleyes
Categories
(Core :: Networking: HTTP, defect)
Tracking
()
RESOLVED
FIXED
mozilla52
People
(Reporter: 6lobe, Assigned: valentin)
References
Details
(Keywords: crash, regression, Whiteboard: nightly-community, [necko-active])
Crash Data
Attachments
(1 file)
|
2.15 KB,
patch
|
jdm
:
review+
gchang
:
approval-mozilla-aurora+
ritu
:
approval-mozilla-release+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is report bp-42d5dd1a-da14-4a6c-9b8c-b20422161028. ============================================================= STR: 1. Install the addon Decentraleyes from here: https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/ 2. Navigate to: https://www.bytemark.co.uk/ 3. Refresh the page (you may have to do this a few times). 4. Crash. Here is the regression range: 22:53.79 INFO: Narrowed nightly regression window from [2015-06-05, 2015-06-08] (3 days) to [2015-06-07, 2015-06-08] (1 days) (~0 steps left) 22:53.79 INFO: Got as far as we can go bisecting nightlies... 22:53.79 INFO: Last good revision: 7d4ab4a9febd (2015-06-07) 22:53.79 INFO: First bad revision: 4700d1cdf489 (2015-06-08) 22:53.79 INFO: Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=7d4ab4a9febd&tochange=4700d1cdf489 I couldnt bisect further because I got some errors.
Crash Signature: [@ RefPtr<T>::assign_with_AddRef | mozilla::net::HttpChannelChild::OverrideWithSynthesizedResponse] → [@ RefPtr<T>::assign_with_AddRef | mozilla::net::HttpChannelChild::OverrideWithSynthesizedResponse]
[@ RefPtr<T>::assign_assuming_AddRef | mozilla::net::HttpChannelChild::OverrideWithSynthesizedResponse ]
Has Regression Range: --- → yes
Has STR: --- → yes
Whiteboard: nightly-community
I can't reproduce the crash with FF49 or 52 on Win 7. I installed the add-on, refreshed the page 20x, no crash. Is the bug only reproducible on Linux?
Sorry I forgot to mention this only happens with e10s enabled. I can only test on Linux. The crash never happens on first page load. Most of the time it happens on second page load. I guess this could be the source of the issue? https://bugzilla.mozilla.org/show_bug.cgi?id=1164397
Well, just forget my previous comment, I can reproduce it now, but only with e10s enabled like you. CR FF52: https://crash-stats.mozilla.com/report/index/55c2304f-1897-407d-9e33-d25042161029 And I confirm the regression range too.
Status: UNCONFIRMED → NEW
Crash Signature: [@ RefPtr<T>::assign_with_AddRef | mozilla::net::HttpChannelChild::OverrideWithSynthesizedResponse]
[@ RefPtr<T>::assign_assuming_AddRef | mozilla::net::HttpChannelChild::OverrideWithSynthesizedResponse ] → [@ RefPtr<T>::assign_with_AddRef | mozilla::net::HttpChannelChild::OverrideWithSynthesizedResponse]
[@ RefPtr<T>::assign_assuming_AddRef | mozilla::net::HttpChannelChild::OverrideWithSynthesizedResponse ]
[@ mozilla::net::HttpChannelChild::OverrideWit…
Ever confirmed: true
Summary: Crash in RefPtr<T>::assign_with_AddRef | mozilla::net::HttpChannelChild::OverrideWithSynthesizedResponse → [e10s] Crash in mozilla::net::HttpChannelChild::OverrideWithSynthesizedResponse
Component: Untriaged → Networking: HTTP
Flags: needinfo?(ehsan)
Keywords: regression
OS: Linux → All
Product: Firefox → Core
Summary: [e10s] Crash in mozilla::net::HttpChannelChild::OverrideWithSynthesizedResponse → [e10s] Crash in mozilla::net::HttpChannelChild::OverrideWithSynthesizedResponse with add-on Decentraleyes
status-firefox49:
--- → affected
status-firefox50:
--- → affected
status-firefox51:
--- → affected
status-firefox52:
--- → affected
|
Assignee | |
Comment 4•7 years ago
|
||
The problem seems to be that in HttpChannelChild::OnRedirectVerifyCallback we QI mRedirectChannelChild to nsIHttpChannelChild - but in this case mRedirectChannelChild is a DataChannelChild instead. Not sure exactly what we should do in this case, but it should be easy to avoid the crash.
|
|
Assignee | |
Comment 5•7 years ago
|
||
Josh, any idea what we should do with a DataChannelChild? I assume we should make sure we call CompleteRedirectSetup on it, right?
Flags: needinfo?(josh)
|
||
Comment 6•7 years ago
|
||
Yeah, looks like https://dxr.mozilla.org/mozilla-central/rev/e3279760cd977aac30bd9e8032d3ee71f55d2a67/netwerk/protocol/http/HttpChannelChild.cpp#1532 should be QIing to nsIChildChannel to ensure we deal properly with data channels.
Flags: needinfo?(josh)
|
|
Assignee | |
Comment 7•7 years ago
|
||
MozReview-Commit-ID: 702H0eJKdx1
Attachment #8806186 -
Flags: review?(honzab.moz)
|
|
Assignee | |
Updated•7 years ago
|
Assignee: nobody → valentin.gosu
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•7 years ago
|
Whiteboard: nightly-community → nightly-community, [necko-active]
|
||
Comment 8•7 years ago
|
||
Comment on attachment 8806186 [details] [diff] [review] Handle null mNewChannel in OverrideWithSynthesizedResponse Review of attachment 8806186 [details] [diff] [review]: ----------------------------------------------------------------- I really can't review this, sorry :/
Attachment #8806186 -
Flags: review?(honzab.moz) → review?(josh)
|
|
||
Updated•7 years ago
|
Attachment #8806186 -
Flags: review?(josh) → review+
|
|
Assignee | |
Comment 9•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/af46e53372abd9a03188e580dbe76ac54f209ed6 Bug 1313740 - Handle null mNewChannel in OverrideWithSynthesizedResponse r=jdm
|
||
Comment 10•7 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/af46e53372ab
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
|
|
Assignee | |
Comment 11•7 years ago
|
||
Comment on attachment 8806186 [details] [diff] [review] Handle null mNewChannel in OverrideWithSynthesizedResponse Approval Request Comment [Feature/regressing bug #]: bug 1164397 [User impact if declined]: Crash with the decentraleyes extension installed under e10s when a redirect to a data:// URI occurs [Describe test coverage new/current, TreeHerder]: currently working on a test. [Risks and why]: Very low. Just a avoiding a null pointer deref. [String/UUID change made/needed]: None.
Attachment #8806186 -
Flags: approval-mozilla-beta?
Attachment #8806186 -
Flags: approval-mozilla-aurora?
|
||
Comment 12•7 years ago
|
||
Comment on attachment 8806186 [details] [diff] [review] Handle null mNewChannel in OverrideWithSynthesizedResponse Fix a crash. Take it in 51 aurora.
Attachment #8806186 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
||
Comment 13•7 years ago
|
||
| bugherder uplift | ||
https://hg.mozilla.org/releases/mozilla-aurora/rev/8cc3ea80f82c
|
||
Updated•7 years ago
|
Flags: needinfo?(ehsan)
|
||
Comment 14•7 years ago
|
||
Comment on attachment 8806186 [details] [diff] [review] Handle null mNewChannel in OverrideWithSynthesizedResponse This is in 51, updating 50 uplift request from beta to release
Attachment #8806186 -
Flags: approval-mozilla-beta? → approval-mozilla-release?
|
||
Updated•7 years ago
|
Comment on attachment 8806186 [details] [diff] [review] Handle null mNewChannel in OverrideWithSynthesizedResponse Low risk crash fix, let's include it in 50.1.0
Attachment #8806186 -
Flags: approval-mozilla-release? → approval-mozilla-release+
|
|
||
Comment 16•7 years ago
|
||
| bugherder uplift | ||
https://hg.mozilla.org/releases/mozilla-release/rev/b977ed05722e
You need to log in
before you can comment on or make changes to this bug.
Description
•