Closed
Bug 1348882
Opened 8 years ago
Closed 7 years ago
Null deref crash [@ nsStringRepr | mozilla::dom::FetchBody<mozilla::dom::Request>::ContinueConsumeBody]
Categories
(Core :: DOM: Core & HTML, defect, P2)
RESOLVED
FIXED
mozilla56
People
(Reporter: truber, Assigned: baku)
References
Details
(Keywords: crash, csectype-nullptr, testcase)
Attachments
(1 file)
284 bytes, text/html
The attached testcase crashes on null in mozilla-central rev 1b9293be5163.
==18201==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f3677660b96 bp 0x7ffc2a061e70 sp 0x7ffc2a061b40 T0)
==18201==The signal is caused by a WRITE memory access.
==18201==Hint: address points to the zero page.
#0 0x7f3677660b95 in nsStringRepr /home/worker/workspace/build/src/obj-firefox/dist/include/nsTSubstring.h:304:7
#1 0x7f3677660b95 in nsAString /home/worker/workspace/build/src/obj-firefox/dist/include/nsTSubstring.h:1012
#2 0x7f3677660b95 in nsString /home/worker/workspace/build/src/obj-firefox/dist/include/nsTString.h:33
#3 0x7f3677660b95 in mozilla::dom::FetchBody<mozilla::dom::Request>::ContinueConsumeBody(nsresult, unsigned int, unsigned char*) /home/worker/workspace/build/src/dom/fetch/Fetch.cpp:1204
#4 0x7f36776630a2 in mozilla::dom::(anonymous namespace)::ConsumeBodyDoneObserver<mozilla::dom::Request>::OnStreamComplete(nsIStreamLoader*, nsISupports*, nsresult, unsigned int, unsigned char const*) /home/worker/workspace/build/src/dom/fetch/Fetch.cpp:772:19
#5 0x7f367318db82 in mozilla::net::nsStreamLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/netwerk/base/nsStreamLoader.cpp:105:30
#6 0x7f36730dc3c3 in nsInputStreamPump::OnStateStop() /home/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:715:20
#7 0x7f36730da185 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /home/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:433:25
#8 0x7f3672ecf0cd in nsInputStreamReadyEvent::Run() /home/worker/workspace/build/src/xpcom/io/nsStreamUtils.cpp:96:20
#9 0x7f3672f2f71c in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
#10 0x7f3672f2c048 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
#11 0x7f3673cd83b1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
#12 0x7f3673c38ee0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
#13 0x7f3673c38ee0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
#14 0x7f3673c38ee0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
#15 0x7f3678eec1ff in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
#16 0x7f367c3606d1 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:30
Flags: in-testsuite?
Updated•8 years ago
Blocks: ServiceWorkers-stability
Updated•8 years ago
Priority: -- → P2
Comment 1•7 years ago
Regression range:
INFO: Last good revision: c141993d03eeebd21e4d5a3a07ae9c92695a125f
INFO: First bad revision: 18e1ee2de339a5c1020bb194b2797924117da11b
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=c141993d03eeebd21e4d5a3a07ae9c92695a125f&tochange=18e1ee2de339a5c1020bb194b2797924117da11b
Fix range:
INFO: First good revision: c1c525b8403fe6f44d99c1972ae89b392752de19
INFO: Last bad revision: 66e9c71b3bf27a597c3164605c07e3d553370093
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=66e9c71b3bf27a597c3164605c07e3d553370093&tochange=c1c525b8403fe6f44d99c1972ae89b392752de19
Not sure which of the two bugs fixed this crash, but calling this fixed either way. NI myself to land the testcase as a crashtest.
Assignee: nobody → amarchesini
Blocks: 1312410
Status: NEW → RESOLVED
Has Regression Range: --- → yes
Closed: 7 years ago
status-firefox56: --- → fixed
status-firefox-esr52: --- → wontfix
Flags: needinfo?(ryanvm)
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Version: Trunk → 52 Branch
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f201d9d60042
Add crashtest. r=me
Updated•7 years ago
Flags: needinfo?(ryanvm)
Flags: in-testsuite?
Flags: in-testsuite+
Comment 3•7 years ago
bugherder