null pointer writes in mozilla::net::Predictor::LearnNative
Categories
(Core :: Networking, defect, P3)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox67 | --- | affected |
People
(Reporter: hanno, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [necko-triaged])
Attachments
(5 files)
I see relatively regular crashes in mozilla::net::Predictor::LearnNative. Unfortunately I can't reliably reproduce them.
They differ slightly in their stack traces, I got 4 variations that I'll all attach.
The most common variant:
==6241==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f73ed107ffa bp 0x7ffe82c88270 sp 0x7ffe82c87aa0 T0)
==6241==The signal is caused by a WRITE memory access.
==6241==Hint: address points to the zero page.
#0 0x7f73ed107ff9 in mozilla::net::Predictor::LearnNative(nsIURI*, nsIURI*, unsigned int, mozilla::OriginAttributes const&) /builds/worker/workspace/build/src/netwerk/base/Predictor.cpp:1419:5
#1 0x7f73ed10e796 in mozilla::net::PredictorLearn(nsIURI*, nsIURI*, unsigned int, nsILoadGroup*) /builds/worker/workspace/build/src/netwerk/base/Predictor.cpp:2172:21
#2 0x7f73f5521b12 in mozilla::dom::FontFaceSet::StartLoad(gfxUserFontEntry*, gfxFontFaceSrc const*) /builds/worker/workspace/build/src/layout/style/FontFaceSet.cpp:655:3
#3 0x7f73efcf4d80 in gfxUserFontEntry::DoLoadNextSrc(bool) /builds/worker/workspace/build/src/gfx/thebes/gfxUserFontSet.cpp:579:35
#4 0x7f73efcfe7f8 in LoadNextSrc /builds/worker/workspace/build/src/gfx/thebes/gfxUserFontSet.cpp:430:3
#5 0x7f73efcfe7f8 in gfxUserFontEntry::FontDataDownloadComplete(unsigned char const*, unsigned int, nsresult) /builds/worker/workspace/build/src/gfx/thebes/gfxUserFontSet.cpp:832
#6 0x7f73f55f01ff in nsFontFaceLoader::OnStreamComplete(nsIStreamLoader*, nsISupports*, nsresult, unsigned int, unsigned char const*) /builds/worker/workspace/build/src/layout/style/nsFontFaceLoader.cpp:267:23
#7 0x7f73ed25afd9 in mozilla::net::nsStreamLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsStreamLoader.cpp:94:20
#8 0x7f73edae160c in nsCORSListenerProxy::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/protocol/http/nsCORSListenerProxy.cpp:615:27
#9 0x7f73eda3c153 in mozilla::net::HttpBaseChannel::DoNotifyListener() /builds/worker/workspace/build/src/netwerk/protocol/http/HttpBaseChannel.cpp:3317:15
#10 0x7f73eda6f5b6 in mozilla::net::HttpAsyncAborter<mozilla::net::HttpChannelChild>::HandleAsyncAbort() /builds/worker/workspace/build/src/netwerk/protocol/http/HttpBaseChannel.h:855:10
#11 0x7f73eda6f324 in mozilla::net::HttpChannelChild::HandleAsyncAbort() /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:1346:39
#12 0x7f73edafab54 in applyImpl<mozilla::net::HttpChannelChild, void (mozilla::net::HttpChannelChild::)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1119:12
#13 0x7f73edafab54 in apply<mozilla::net::HttpChannelChild, void (mozilla::net::HttpChannelChild::)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1125
#14 0x7f73edafab54 in mozilla::detail::RunnableMethodImpl<mozilla::net::HttpChannelChild*, void (mozilla::net::HttpChannelChild::)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1171
#15 0x7f73ecf99576 in nsThread::ProcessNextEvent(bool, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1162:14
#16 0x7f73ecf9f868 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:474:10
#17 0x7f73edf20d4a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#18 0x7f73ede6851f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#19 0x7f73ede6851f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#20 0x7f73ede6851f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#21 0x7f73f5103019 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#22 0x7f73f93fa5ef in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:908:20
#23 0x7f73ede6851f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#24 0x7f73ede6851f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#25 0x7f73ede6851f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#26 0x7f73f93f9f94 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:746:34
#27 0x55bdb5d923d4 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
#28 0x55bdb5d923d4 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:265
#29 0x7f740c58db96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#30 0x55bdb5cb7aa8 in _start (/root/firefox/firefox+0x2aaa8)
|
Reporter | |
Comment 1•5 years ago
|
||
|
|
Reporter | |
Comment 2•5 years ago
|
||
|
|
Reporter | |
Comment 3•5 years ago
|
||
|
||
Updated•5 years ago
|
|
|
||
Comment 4•5 years ago
|
||
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
Pushed by ncsoregi@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/21dcc5f55dca
null pointer writes in mozilla::net::Predictor::LearnNative, r=valentin
|
||
Comment 6•5 years ago
|
||
| bugherder | ||
|
|
Reporter | |
Comment 7•5 years ago
|
||
With a new ASAN build just downloaded I'm still seeing these crashes. (Just got one that's similar to attachment "asan trace 1").
Shall I open new bugs for those? (Given that they looked all very similar I assumed a common source despite differences in the stack trace.)
|
|
||
Comment 8•5 years ago
|
||
Does it crash on the diagnostic assert https://searchfox.org/mozilla-central/rev/dc0adc07db3df9431a0876156f50c65d580010cb/netwerk/base/Predictor.cpp#1417 ?
|
|
Reporter | |
Comment 9•5 years ago
|
||
Looks like two lines later:
==27346==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fc4f1a0d34a bp 0x7fffb228ad10 sp 0x7fffb228a540 T0)
==27346==The signal is caused by a WRITE memory access.
==27346==Hint: address points to the zero page.
#0 0x7fc4f1a0d349 in mozilla::net::Predictor::LearnNative(nsIURI*, nsIURI*, unsigned int, mozilla::OriginAttributes const&) /builds/worker/workspace/build/src/netwerk/base/Predictor.cpp:1419:5
#1 0x7fc4f1a14295 in mozilla::net::PredictorLearn(nsIURI*, nsIURI*, unsigned int, mozilla::dom::Document*) /builds/worker/workspace/build/src/netwerk/base/Predictor.cpp:2197:21
#2 0x7fc4f9f07c12 in mozilla::css::Loader::LoadSheet(mozilla::css::SheetLoadData*, mozilla::css::StyleSheetState, bool) /builds/worker/workspace/build/src/layout/style/Loader.cpp:1551:5
#3 0x7fc4f9f16c62 in mozilla::css::Loader::LoadStyleLink(nsIStyleSheetLinkingElement::SheetInfo const&, nsICSSLoaderObserver*) /builds/worker/workspace/build/src/layout/style/Loader.cpp:1993:8
#4 0x7fc4f5030e90 in nsStyleLinkElement::DoUpdateStyleSheet(mozilla::dom::Document*, mozilla::dom::ShadowRoot*, nsICSSLoaderObserver*, nsIStyleSheetLinkingElement::ForceUpdate) /builds/worker/workspace/build/src/dom/base/nsStyleLinkElement.cpp:353:42
#5 0x7fc4f7e9d804 in applyImpl<mozilla::dom::HTMLLinkElement, void (mozilla::dom::HTMLLinkElement::)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1119:12
#6 0x7fc4f7e9d804 in apply<mozilla::dom::HTMLLinkElement, void (mozilla::dom::HTMLLinkElement::)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1125
#7 0x7fc4f7e9d804 in mozilla::detail::RunnableMethodImpl<mozilla::dom::HTMLLinkElement*, void (mozilla::dom::HTMLLinkElement::)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1171
#8 0x7fc4f4a2a59c in nsContentUtils::RemoveScriptBlocker() /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5264:15
#9 0x7fc4f4cb6171 in mozilla::dom::Document::EndUpdate() /builds/worker/workspace/build/src/dom/base/Document.cpp:4623:3
#10 0x7fc4f7fef80a in nsHTMLDocument::EndUpdate() /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:2028:13
#11 0x7fc4f4f95426 in ~mozAutoDocUpdate /builds/worker/workspace/build/src/dom/base/mozAutoDocUpdate.h:34:18
#12 0x7fc4f4f95426 in nsINode::ReplaceOrInsertBefore(bool, nsINode, nsINode*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:2396
#13 0x7fc4f58c7e52 in InsertBefore /builds/worker/workspace/build/src/obj-firefox/dist/include/nsINode.h:1684:12
#14 0x7fc4f58c7e52 in AppendChild /builds/worker/workspace/build/src/obj-firefox/dist/include/nsINode.h:1687
#15 0x7fc4f58c7e52 in mozilla::dom::Node_Binding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/NodeBinding.cpp:1021
#16 0x7fc4f74a2bbe in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3144:13
#17 0x7fc4fe02e787 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:440:13
#18 0x7fc4fe02e787 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:532
#19 0x7fc4fe0165cf in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:591:10
#20 0x7fc4fe0165cf in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3051
#21 0x7fc4fdff9328 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:420:10
#22 0x7fc4fe02f0f6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:560:13
#23 0x7fc4fe030d42 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:603:8
#24 0x7fc4fe51ba20 in js::fun_apply(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/JSFunction.cpp:1219:10
#25 0x7fc4fe02e787 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:440:13
#26 0x7fc4fe02e787 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:532
#27 0x7fc4fe0165cf in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:591:10
#28 0x7fc4fe0165cf in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3051
#29 0x7fc4fdff9328 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:420:10
#30 0x7fc4fe02f0f6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:560:13
#31 0x7fc4fe030d42 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:603:8
#32 0x7fc4fec05886 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2623:10
#33 0x7fc4f6c68054 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
#34 0x7fc4f7be14db in HandleEvent<mozilla::dom::EventTarget > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#35 0x7fc4f7be14db in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1038
#36 0x7fc4f7be33f2 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1237:17
#37 0x7fc4f7bc9e7c in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:350:5
#38 0x7fc4f7bc9e7c in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:351
#39 0x7fc4f7bc8665 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:553:16
#40 0x7fc4f7bcdf7c in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1044:11
#41 0x7fc4f7bd4cba in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
#42 0x7fc4f4f8b89a in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1020:17
#43 0x7fc4f4a1daa9 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4063:28
#44 0x7fc4f4a1d873 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4033:10
#45 0x7fc4f4cb84e2 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:4700:3
#46 0x7fc4f4d86d84 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1119:12
#47 0x7fc4f4d86d84 in apply<mozilla::dom::Document, void (mozilla::dom::Document::)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1125
#48 0x7fc4f4d86d84 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1171
#49 0x7fc4f186ebc1 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:292:32
#50 0x7fc4f189ea26 in nsThread::ProcessNextEvent(bool, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1162:14
#51 0x7fc4f18a4d18 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:474:10
#52 0x7fc4f282efea in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#53 0x7fc4f277488f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#54 0x7fc4f277488f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#55 0x7fc4f277488f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#56 0x7fc4f9aad779 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#57 0x7fc4fdda9ddf in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:908:20
#58 0x7fc4f277488f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#59 0x7fc4f277488f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#60 0x7fc4f277488f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#61 0x7fc4fdda9784 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:746:34
#62 0x5581cc28a3d4 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
#63 0x5581cc28a3d4 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:265
#64 0x7fc510efbb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#65 0x5581cc1afaa8 in _start (/root/firefox/firefox+0x2aaa8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/netwerk/base/Predictor.cpp:1419:5 in mozilla::net::Predictor::LearnNative(nsIURI*, nsIURI*, unsigned int, mozilla::OriginAttributes const&)
==27346==ABORTING
|
||
Updated•5 years ago
|
|
|
||
Comment 10•5 years ago
|
||
(In reply to Hanno Boeck from comment #9)
Looks like two lines later:
It's a standard MOZ_LOG call and I have no idea why it should crash here.
|
||
Updated•2 years ago
|
|
||
Updated•6 months ago
|
Description
•