Closed Bug 1313740 Opened 8 years ago Closed 8 years ago

[e10s] Crash in mozilla::net::HttpChannelChild::OverrideWithSynthesizedResponse with add-on Decentraleyes


(Core :: Networking: HTTP, defect)

41 Branch
Not set



Tracking Status
firefox49 --- wontfix
firefox50 --- fixed
firefox51 --- fixed
firefox52 --- fixed


(Reporter: 6lobe, Assigned: valentin)



(Keywords: crash, regression, Whiteboard: nightly-community, [necko-active])

Crash Data


(1 file)

This bug was filed from the Socorro interface and is 
report bp-42d5dd1a-da14-4a6c-9b8c-b20422161028.


1. Install the addon Decentraleyes from here:

2. Navigate to:

3. Refresh the page (you may have to do this a few times).

4. Crash.

Here is the regression range:

22:53.79 INFO: Narrowed nightly regression window from [2015-06-05, 2015-06-08] (3 days) to [2015-06-07, 2015-06-08] (1 days) (~0 steps left)
22:53.79 INFO: Got as far as we can go bisecting nightlies...
22:53.79 INFO: Last good revision: 7d4ab4a9febd (2015-06-07)
22:53.79 INFO: First bad revision: 4700d1cdf489 (2015-06-08)
22:53.79 INFO: Pushlog:

I couldnt bisect further because I got some errors.
Crash Signature: [@ RefPtr<T>::assign_with_AddRef | mozilla::net::HttpChannelChild::OverrideWithSynthesizedResponse] → [@ RefPtr<T>::assign_with_AddRef | mozilla::net::HttpChannelChild::OverrideWithSynthesizedResponse] [@ RefPtr<T>::assign_assuming_AddRef | mozilla::net::HttpChannelChild::OverrideWithSynthesizedResponse ]
Has Regression Range: --- → yes
Has STR: --- → yes
Whiteboard: nightly-community
I can't reproduce the crash with FF49 or 52 on Win 7. I installed the add-on, refreshed the page 20x, no crash.

Is the bug only reproducible on Linux?
Keywords: crash
Sorry I forgot to mention this only happens with e10s enabled.

I can only test on Linux. The crash never happens on first page load. Most of the time it happens on second page load.

I guess this could be the source of the issue?
Well, just forget my previous comment, I can reproduce it now, but only with e10s enabled like you.
CR FF52:

And I confirm the regression range too.
Crash Signature: [@ RefPtr<T>::assign_with_AddRef | mozilla::net::HttpChannelChild::OverrideWithSynthesizedResponse] [@ RefPtr<T>::assign_assuming_AddRef | mozilla::net::HttpChannelChild::OverrideWithSynthesizedResponse ] → [@ RefPtr<T>::assign_with_AddRef | mozilla::net::HttpChannelChild::OverrideWithSynthesizedResponse] [@ RefPtr<T>::assign_assuming_AddRef | mozilla::net::HttpChannelChild::OverrideWithSynthesizedResponse ] [@ mozilla::net::HttpChannelChild::OverrideWit…
Ever confirmed: true
Summary: Crash in RefPtr<T>::assign_with_AddRef | mozilla::net::HttpChannelChild::OverrideWithSynthesizedResponse → [e10s] Crash in mozilla::net::HttpChannelChild::OverrideWithSynthesizedResponse
Component: Untriaged → Networking: HTTP
Flags: needinfo?(ehsan)
Keywords: regression
OS: Linux → All
Product: Firefox → Core
Summary: [e10s] Crash in mozilla::net::HttpChannelChild::OverrideWithSynthesizedResponse → [e10s] Crash in mozilla::net::HttpChannelChild::OverrideWithSynthesizedResponse with add-on Decentraleyes
Blocks: 1164397
The problem seems to be that in HttpChannelChild::OnRedirectVerifyCallback we QI mRedirectChannelChild to nsIHttpChannelChild - but in this case mRedirectChannelChild is a DataChannelChild instead.
Not sure exactly what we should do in this case, but it should be easy to avoid the crash.
Josh, any idea what we should do with a DataChannelChild? I assume we should make sure we call CompleteRedirectSetup on it, right?
Flags: needinfo?(josh)
Yeah, looks like should be QIing to nsIChildChannel to ensure we deal properly with data channels.
Flags: needinfo?(josh)
MozReview-Commit-ID: 702H0eJKdx1
Attachment #8806186 - Flags: review?(honzab.moz)
Assignee: nobody → valentin.gosu
Whiteboard: nightly-community → nightly-community, [necko-active]
Comment on attachment 8806186 [details] [diff] [review]
Handle null mNewChannel in OverrideWithSynthesizedResponse

Review of attachment 8806186 [details] [diff] [review]:

I really can't review this, sorry :/
Attachment #8806186 - Flags: review?(honzab.moz) → review?(josh)
Attachment #8806186 - Flags: review?(josh) → review+
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Comment on attachment 8806186 [details] [diff] [review]
Handle null mNewChannel in OverrideWithSynthesizedResponse

Approval Request Comment
[Feature/regressing bug #]: bug 1164397
[User impact if declined]: Crash with the decentraleyes extension installed under e10s when a redirect to a data:// URI occurs
[Describe test coverage new/current, TreeHerder]: currently working on a test.
[Risks and why]: Very low. Just a avoiding a null pointer deref.
[String/UUID change made/needed]: None.
Attachment #8806186 - Flags: approval-mozilla-beta?
Attachment #8806186 - Flags: approval-mozilla-aurora?
Comment on attachment 8806186 [details] [diff] [review]
Handle null mNewChannel in OverrideWithSynthesizedResponse

Fix a crash. Take it in 51 aurora.
Attachment #8806186 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Flags: needinfo?(ehsan)
Comment on attachment 8806186 [details] [diff] [review]
Handle null mNewChannel in OverrideWithSynthesizedResponse

This is in 51, updating 50 uplift request from beta to release
Attachment #8806186 - Flags: approval-mozilla-beta? → approval-mozilla-release?
Comment on attachment 8806186 [details] [diff] [review]
Handle null mNewChannel in OverrideWithSynthesizedResponse

Low risk crash fix, let's include it in 50.1.0
Attachment #8806186 - Flags: approval-mozilla-release? → approval-mozilla-release+
You need to log in before you can comment on or make changes to this bug.