1348882 - Null deref crash [@ nsStringRepr | mozilla::dom::FetchBody<mozilla::dom::Request>::ContinueConsumeBody]

Status: RESOLVED FIXED

(Core :: DOM: Core & HTML, defect, P2)

Description

[Jesse Schwartzentruber (:truber)]

Attachment: testcase.html

The attached testcase crashes on null in mozilla-central rev 1b9293be5163.

==18201==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f3677660b96 bp 0x7ffc2a061e70 sp 0x7ffc2a061b40 T0)
==18201==The signal is caused by a WRITE memory access.
==18201==Hint: address points to the zero page.
    #0 0x7f3677660b95 in nsStringRepr /home/worker/workspace/build/src/obj-firefox/dist/include/nsTSubstring.h:304:7
    #1 0x7f3677660b95 in nsAString /home/worker/workspace/build/src/obj-firefox/dist/include/nsTSubstring.h:1012
    #2 0x7f3677660b95 in nsString /home/worker/workspace/build/src/obj-firefox/dist/include/nsTString.h:33
    #3 0x7f3677660b95 in mozilla::dom::FetchBody<mozilla::dom::Request>::ContinueConsumeBody(nsresult, unsigned int, unsigned char*) /home/worker/workspace/build/src/dom/fetch/Fetch.cpp:1204
    #4 0x7f36776630a2 in mozilla::dom::(anonymous namespace)::ConsumeBodyDoneObserver<mozilla::dom::Request>::OnStreamComplete(nsIStreamLoader*, nsISupports*, nsresult, unsigned int, unsigned char const*) /home/worker/workspace/build/src/dom/fetch/Fetch.cpp:772:19
    #5 0x7f367318db82 in mozilla::net::nsStreamLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/netwerk/base/nsStreamLoader.cpp:105:30
    #6 0x7f36730dc3c3 in nsInputStreamPump::OnStateStop() /home/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:715:20
    #7 0x7f36730da185 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /home/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:433:25
    #8 0x7f3672ecf0cd in nsInputStreamReadyEvent::Run() /home/worker/workspace/build/src/xpcom/io/nsStreamUtils.cpp:96:20
    #9 0x7f3672f2f71c in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
    #10 0x7f3672f2c048 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #11 0x7f3673cd83b1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #12 0x7f3673c38ee0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #13 0x7f3673c38ee0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #14 0x7f3673c38ee0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #15 0x7f3678eec1ff in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
    #16 0x7f367c3606d1 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:30

Comment 1

[Ryan VanderMeulen [:RyanVM]]

Regression range:
INFO: Last good revision: c141993d03eeebd21e4d5a3a07ae9c92695a125f
INFO: First bad revision: 18e1ee2de339a5c1020bb194b2797924117da11b
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=c141993d03eeebd21e4d5a3a07ae9c92695a125f&tochange=18e1ee2de339a5c1020bb194b2797924117da11b

Fix range:
INFO: First good revision: c1c525b8403fe6f44d99c1972ae89b392752de19
INFO: Last bad revision: 66e9c71b3bf27a597c3164605c07e3d553370093
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=66e9c71b3bf27a597c3164605c07e3d553370093&tochange=c1c525b8403fe6f44d99c1972ae89b392752de19

Not sure which of the two bugs fixed this crash, but calling this fixed either way. NI myself to land the testcase as a crashtest.

Comment 2

[Pulsebot]

Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f201d9d60042
Add crashtest. r=me

Comment 3

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/f201d9d60042