Bug 495098 - Crash when using single XMLHttpRequest object for two simultaneous requests; test case included [@ nsXMLHttpRequest::StreamReaderFunc ]
Status: RESOLVED FIXED
Whiteboard: [sg:dos]
Keywords: crash, fixed1.8.1.24, testcase, verified1.9.0.12, verified1.9.1
Product: Core
Classification: Components
Component: DOM
Version: 1.9.0 Branch
Platform: All All
Importance: -- critical
Assigned To: Olli Pettay [:smaug] (high review load, please consider other reviewers)
Duplicates: 504634
Reported: 2009-05-27 11:22 PDT by Maarten ter Huurne
Modified: 2011-06-13 10:01 PDT
samuel.sidler+old: wanted1.9.1.x+
dveditz: wanted1.8.1.x+


Attachments
Test case HTML (655 bytes, text/html)
2009-05-27 11:23 PDT, Maarten ter Huurne
no flags
XML data file loaded through XMLHttpRequest (17.66 KB, application/xml)
2009-05-27 11:24 PDT, Maarten ter Huurne
no flags
Python script that generates table.xml (373 bytes, text/x-python)
2009-05-27 11:25 PDT, Maarten ter Huurne
no flags
Single-file testcase (280 bytes, text/html)
2009-05-28 23:04 PDT, Michael Ryan
no flags
null check (1.17 KB, patch)
2009-05-29 02:19 PDT, Olli Pettay [:smaug] (high review load, please consider other reviewers)
jonas: review+
jonas: superreview+
samuel.sidler+old: approval1.9.1.2+
dveditz: approval1.9.0.12+
patch for 1.8.0 (1.33 KB, patch)
2009-07-08 06:22 PDT, Jan Horak
bugs: review+
dveditz: approval1.8.1.next+
dveditz: approval1.8.0.next?

Description Maarten ter Huurne 2009-05-27 11:22:21 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)

The crash occurred when debugging an intranet web application. I reduced the page to a test case of manageable size. The crash occurs every time within seconds of the page loading.

The exact same crash happens with Firefox 3.0.10 on Linux x86_64.


Reproducible: Always

Steps to Reproduce:
1. Load the test case HTML file.
2. Wait.

The test case consists of an HTML file and an XML file. The HTML page loads the XML file using XMLHttpRequest. For the XML data file, I will upload both the data file itself and a Python script to generate it. I removed the insertion of the XML data into the DOM tree when minimizing the test case, so the exact content of the XML file probably does not matter anymore, but the crash does not occur when a non-existent file is fetched, so the size might matter to get the timing right.

Actual Results:  
Firefox crashed.

Expected Results:  
I would expect a JavaScript exception if the XMLHttpRequest object is used in an invalid way.
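
A page-side way to avoid the pattern named in the bug title, as an added example that is not part of the report or of Mozilla's patch: requests on one shared XMLHttpRequest object are queued so that open() is never called while an earlier request is still loading. `SerialXhr` and `FakeXhr` are hypothetical names; `FakeXhr` is a constructed stand-in so the code runs outside a browser.

```javascript
// Added example; SerialXhr and FakeXhr are hypothetical names, not Mozilla code.
class SerialXhr {
  // xhr: the single shared XMLHttpRequest-like object; queue: waiting requests;
  // active: true from open() until readyState 4 (DONE).
  constructor(xhr) { this.xhr = xhr; this.queue = []; this.active = false; }
  get(url, onDone) { this.queue.push({ url, onDone }); this.next(); }
  next() {
    if (this.active || this.queue.length === 0) return;
    const { url, onDone } = this.queue.shift();
    const xhr = this.xhr;
    this.active = true;
    xhr.onreadystatechange = () => {
      if (xhr.readyState !== 4) return;  // still loading
      this.active = false;
      onDone(xhr.responseText);
      this.next();                       // only now is the object reused
    };
    xhr.open("GET", url, true);
    xhr.send(null);
  }
}

// Constructed stand-in for XMLHttpRequest so the example runs outside a browser.
// It counts every open() issued while an earlier request is still loading.
class FakeXhr {
  constructor() { this.readyState = 0; this.overlaps = 0; this.opened = []; }
  open(method, url) {
    if (this.readyState >= 1 && this.readyState <= 3) this.overlaps++;
    this.readyState = 1;
    this.opened.push(url);
  }
  send() { this.readyState = 3; }
  finish(body) {                         // test hook: deliver the response
    this.responseText = body;
    this.readyState = 4;
    this.onreadystatechange();
  }
}

function demo() {
  const fake = new FakeXhr();
  const serial = new SerialXhr(fake);
  const got = [];
  serial.get("table.xml", (body) => got.push(body));
  serial.get("table.xml", (body) => got.push(body)); // queued, not sent yet
  const openedBeforeFinish = fake.opened.length;
  fake.finish("<a/>");
  fake.finish("<b/>");
  return { got, overlaps: fake.overlaps, openedBeforeFinish, opened: fake.opened.length };
}
```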
Comment 1 Maarten ter Huurne 2009-05-27 11:23:55 PDT
Created attachment 379926
Test case HTML
Comment 2 Maarten ter Huurne 2009-05-27 11:24:38 PDT
Created attachment 379927
XML data file loaded through XMLHttpRequest
Comment 3 Maarten ter Huurne 2009-05-27 11:25:36 PDT
Created attachment 379928
Python script that generates table.xml

You don't need this unless you want to generate an XML data file of a different size.
Comment 4 Michael Ryan 2009-05-27 15:39:33 PDT
Confirmed with:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090527 Shiretoko/3.5pre
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090527 Minefield/3.6a1pre

The XML file just needs to be at least 1 byte.
Comment 6 Michael Ryan 2009-05-27 21:49:16 PDT
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090527 Minefield/3.6a1pre

53d4788e-b206-42a6-8f71-448a52090527

0  	xul.dll  	xul.dll@0x387a55  	
1 	xul.dll 	nsPipeInputStream::ReadSegments 	xpcom/io/nsPipe3.cpp:799
2 	xul.dll 	nsXMLHttpRequest::OnDataAvailable 	content/base/src/nsXMLHttpRequest.cpp:2113
3 	xul.dll 	nsCrossSiteListenerProxy::OnDataAvailable 	content/base/src/nsCrossSiteListenerProxy.cpp:348
4 	xul.dll 	nsBaseChannel::OnDataAvailable 	netwerk/base/src/nsBaseChannel.cpp:708
5 	xul.dll 	nsInputStreamPump::OnStateTransfer 	netwerk/base/src/nsInputStreamPump.cpp:508
6 	xul.dll 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:398
7 	xul.dll 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:190
8 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
9 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
10 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:193
11 	nspr4.dll 	PR_GetEnv 	
12 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:110
13 	firefox.exe 	firefox.exe@0x21a7 	
14 	kernel32.dll 	kernel32.dll@0x16fe6
Comment 7 Dave Garrett 2009-05-27 22:25:14 PDT
Confirmed using 3.0.10, 3.5pre, and 3.6a1pre on Linux.
bp-c7901bea-fce4-4e71-bbfb-c906f2090527
bp-85b68b7c-e4f9-4575-b00a-251542090527
bp-6942995b-2cd3-405a-869d-2aef12090527
0  	libxul.so  	nsXMLHttpRequest::StreamReaderFunc  	 content/base/src/nsXMLHttpRequest.cpp:2083
1 	libxul.so 	nsPipeInputStream::ReadSegments 	xpcom/io/nsPipe3.cpp:799
2 	libxul.so 	nsXMLHttpRequest::OnDataAvailable 	content/base/src/nsXMLHttpRequest.cpp:2113
3 	libxul.so 	nsCrossSiteListenerProxy::OnDataAvailable 	content/base/src/nsCrossSiteListenerProxy.cpp:348
4 	libxul.so 	nsBaseChannel::OnDataAvailable 	netwerk/base/src/nsBaseChannel.cpp:708
5 	libxul.so 	nsInputStreamPump::OnStateTransfer 	netwerk/base/src/nsInputStreamPump.cpp:508
6 	libxul.so 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:398
7 	libxul.so 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:111
8 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
9 	libxul.so 	NS_ProcessNextEvent_P 	nsThreadUtils.cpp:230
10 	libxul.so 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
11 	libxul.so 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:193
12 	libxul.so 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3339
13 	firefox-bin 	main 	browser/app/nsBrowserApp.cpp:156
14 	libc-2.7.so 	libc-2.7.so@0x1644f
Comment 8 Michael Ryan 2009-05-28 23:04:08 PDT
Created attachment 380374
Single-file testcase

As far as I can see, this only crashes for XMLHttpRequests on local files.
Comment 9 Olli Pettay [:smaug] (high review load, please consider other reviewers) 2009-05-29 02:19:25 PDT
Created attachment 380394
null check

I think we want this. At least for branches.
Comment 10 Olli Pettay [:smaug] (high review load, please consider other reviewers) 2009-06-15 03:12:43 PDT
Comment on attachment 380394
null check

This is probably too late for .12, but maybe .13?
Comment 11 Olli Pettay [:smaug] (high review load, please consider other reviewers) 2009-06-15 03:13:29 PDT
http://hg.mozilla.org/mozilla-central/rev/a012b6f9858b
Comment 12 Daniel Veditz [:dveditz] 2009-06-16 15:37:37 PDT
Comment on attachment 380394
null check

Approved for 1.9.0.12, a=dveditz for release-drivers
Comment 13 Olli Pettay [:smaug] (high review load, please consider other reviewers) 2009-06-17 00:19:17 PDT
Checking in content/base/src/nsXMLHttpRequest.cpp;
/cvsroot/mozilla/content/base/src/nsXMLHttpRequest.cpp,v  <--  nsXMLHttpRequest.cpp
new revision: 1.249; previous revision: 1.248
done
Comment 14 Samuel Sidler (old account; do not CC) 2009-07-06 20:07:28 PDT
Fixed this in 1.9.0.12, so we should fix it in 1.9.1.x, maybe 1.9.1.1?
Comment 15 Samuel Sidler (old account; do not CC) 2009-07-07 13:59:53 PDT
Not for 1.9.1.1 since this is just an sg:dos, but maybe eventually on the 1.9.1 line.
Comment 16 Martin Stránský 2009-07-08 02:45:40 PDT
Affects 1.8 too.
Comment 17 Jan Horak 2009-07-08 06:22:19 PDT
Created attachment 387441
patch for 1.8.0

Added patch for 1.8.0 version. Could you please check it? Thanks in advance.
Comment 18 Daniel Veditz [:dveditz] 2009-07-13 17:01:01 PDT
Comment on attachment 387441
patch for 1.8.0

Approved for 1.8.1.23, a=dveditz
Comment 19 Martijn Wargers [:mwargers] (not working for Mozilla) 2009-07-16 15:42:56 PDT
Can this go into 1.9.1.x?
Comment 20 Mike Beltzner [:beltzner, not reading bugmail] 2009-07-21 20:13:10 PDT
If that null check patch applies to mozilla-1.9.1, can we get it nominated for approval1.9.1.2?
Comment 21 Samuel Sidler (old account; do not CC) 2009-07-22 11:20:19 PDT
Comment on attachment 380394
null check

Approved for 1.9.1.2. a=ss for release-drivers
Comment 22 Olli Pettay [:smaug] (high review load, please consider other reviewers) 2009-07-22 12:47:40 PDT
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/77009d4f6c4e
Comment 23 juan becerra [:juanb] 2009-07-30 11:31:25 PDT
Verified using test case with files in comment #1 and comment #2. 3.0.10 and 3.5 crashed, while neither 3.0.12 nor 3.5.2 do.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.12) Gecko/2009070611 Firefox/3.0.12 (.NET CLR 3.5.30729)
Comment 24 Robert Kaiser (not working on stability any more) 2009-08-24 04:02:55 PDT
(In reply to comment #18)
> (From update of attachment 387441)
> Approved for 1.8.1.23, a=dveditz

Can someone land this on 1.8 branch for 1.8.1.24 now that .23 has already shipped?
Comment 25 Mark Banner (:standard8) 2010-02-05 05:22:15 PST
(In reply to comment #18)
> (From update of attachment 387441)
> Approved for 1.8.1.23, a=dveditz

Although this was the approved one, I landed attachment 380394 on the 1.8.1 branch as quite clearly it was between 1.8 and 1.8.1 that the file moved. In any case the diff was exactly the same.

Checking in content/base/src/nsXMLHttpRequest.cpp;
/cvsroot/mozilla/content/base/src/nsXMLHttpRequest.cpp,v  <--  nsXMLHttpRequest.cpp
new revision: 1.156.2.23; previous revision: 1.156.2.22
Comment 26 Brandon Sterne (:bsterne) 2010-02-09 15:46:18 PST
*** Bug 504634 has been marked as a duplicate of this bug. ***
