Closed Bug 495098 Opened 15 years ago Closed 15 years ago

Crash when using single XMLHttpRequest object for two simultaneous requests; test case included [@ nsXMLHttpRequest::StreamReaderFunc ]

Categories

(Core :: DOM: Core & HTML, defect)

1.9.0 Branch
defect
Not set
critical

RESOLVED FIXED
Tracking Status
blocking1.9.1 --- .2+
status1.9.1 --- .2-fixed

People

(Reporter: maarten.ter.huurne, Assigned: smaug)

Details

(5 keywords, Whiteboard: [sg:dos])

Attachments

(6 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)

The crash occurred when debugging an intranet web application. I reduced the page to a test case of manageable size. The crash occurs every time within seconds of the page loading.

The exact same crash happens with Firefox 3.0.10 on Linux x86_64.


Reproducible: Always

Steps to Reproduce:
1. Load the test case HTML file.
2. Wait.

The test case consists of an HTML file and an XML file. The HTML page loads the XML file using XMLHttpRequest. For the XML data file, I will upload both the data file itself and a Python script to generate it. I removed the insertion of the XML data into the DOM tree when minimizing the test case, so the exact content of the XML file probably does not matter anymore, but the crash does not occur when a non-existent file is fetched, so the size might matter to get the timing right.

Actual Results:  
Firefox crashed.

Expected Results:  
I would expect a JavaScript exception if the XMLHttpRequest object is used in an invalid way.
Attached file Test case HTML
You don't need this unless you want to generate an XML data file of a different size.
Confirmed with:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090527 Shiretoko/3.5pre
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090527 Minefield/3.6a1pre

The XML file just needs to be at least 1 byte.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090527 Minefield/3.6a1pre

53d4788e-b206-42a6-8f71-448a52090527

0  	xul.dll  	xul.dll@0x387a55  	
1 	xul.dll 	nsPipeInputStream::ReadSegments 	xpcom/io/nsPipe3.cpp:799
2 	xul.dll 	nsXMLHttpRequest::OnDataAvailable 	content/base/src/nsXMLHttpRequest.cpp:2113
3 	xul.dll 	nsCrossSiteListenerProxy::OnDataAvailable 	content/base/src/nsCrossSiteListenerProxy.cpp:348
4 	xul.dll 	nsBaseChannel::OnDataAvailable 	netwerk/base/src/nsBaseChannel.cpp:708
5 	xul.dll 	nsInputStreamPump::OnStateTransfer 	netwerk/base/src/nsInputStreamPump.cpp:508
6 	xul.dll 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:398
7 	xul.dll 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:190
8 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
9 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
10 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:193
11 	nspr4.dll 	PR_GetEnv 	
12 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:110
13 	firefox.exe 	firefox.exe@0x21a7 	
14 	kernel32.dll 	kernel32.dll@0x16fe6
Confirmed using 3.0.10, 3.5pre, and 3.6a1pre on Linux.
bp-c7901bea-fce4-4e71-bbfb-c906f2090527
bp-85b68b7c-e4f9-4575-b00a-251542090527
bp-6942995b-2cd3-405a-869d-2aef12090527
0  	libxul.so  	nsXMLHttpRequest::StreamReaderFunc  	 content/base/src/nsXMLHttpRequest.cpp:2083
1 	libxul.so 	nsPipeInputStream::ReadSegments 	xpcom/io/nsPipe3.cpp:799
2 	libxul.so 	nsXMLHttpRequest::OnDataAvailable 	content/base/src/nsXMLHttpRequest.cpp:2113
3 	libxul.so 	nsCrossSiteListenerProxy::OnDataAvailable 	content/base/src/nsCrossSiteListenerProxy.cpp:348
4 	libxul.so 	nsBaseChannel::OnDataAvailable 	netwerk/base/src/nsBaseChannel.cpp:708
5 	libxul.so 	nsInputStreamPump::OnStateTransfer 	netwerk/base/src/nsInputStreamPump.cpp:508
6 	libxul.so 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:398
7 	libxul.so 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:111
8 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
9 	libxul.so 	NS_ProcessNextEvent_P 	nsThreadUtils.cpp:230
10 	libxul.so 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
11 	libxul.so 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:193
12 	libxul.so 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3339
13 	firefox-bin 	main 	browser/app/nsBrowserApp.cpp:156
14 	libc-2.7.so 	libc-2.7.so@0x1644f
Status: UNCONFIRMED → NEW
Component: General → DOM
Ever confirmed: true
OS: Windows XP → All
Product: Firefox → Core
QA Contact: general → general
Hardware: x86 → All
Summary: Crash when using single XMLHttpRequest object for two simultaneous requests; test case included → Crash when using single XMLHttpRequest object for two simultaneous requests; test case included [@ nsXMLHttpRequest::StreamReaderFunc ]
Version: unspecified → 1.9.0 Branch
Attached file Single-file testcase
As far as I can see, this only crashes for XMLHttpRequests on local files.
Assignee: nobody → Olli.Pettay
Attached patch null check
I think we want this. At least for branches.
Attachment #380394 - Flags: superreview?(jonas)
Attachment #380394 - Flags: review?(jonas)
Attachment #380394 - Flags: superreview?(jonas)
Attachment #380394 - Flags: superreview+
Attachment #380394 - Flags: review?(jonas)
Attachment #380394 - Flags: review+
Comment on attachment 380394
null check

This is probably too late for .12, but maybe .13?
Attachment #380394 - Flags: approval1.9.0.12?
http://hg.mozilla.org/mozilla-central/rev/a012b6f9858b
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Keywords: crash, testcase
Whiteboard: [sg:dos]
Comment on attachment 380394
null check

Approved for 1.9.0.12, a=dveditz for release-drivers
Attachment #380394 - Flags: approval1.9.0.12? → approval1.9.0.12+
Checking in content/base/src/nsXMLHttpRequest.cpp;
/cvsroot/mozilla/content/base/src/nsXMLHttpRequest.cpp,v  <--  nsXMLHttpRequest.cpp
new revision: 1.249; previous revision: 1.248
done
Keywords: fixed1.9.0.12
Fixed this in 1.9.0.12, so we should fix it in 1.9.1.x, maybe 1.9.1.1?
Flags: wanted1.9.1.x+
Flags: blocking1.9.1.1?
Not for 1.9.1.1 since this is just an sg:dos, but maybe eventually on the 1.9.1 line.
Flags: blocking1.9.1.1?
Affects 1.8 too.
Attached patch patch for 1.8.0
Added patch for 1.8.0 version. Could you please check it? Thanks in advance.
Attachment #387441 - Flags: review?(Olli.Pettay)
Attachment #387441 - Flags: review?(Olli.Pettay) → review+
Flags: wanted1.8.1.x+
Attachment #387441 - Flags: approval1.8.1.next+
Attachment #387441 - Flags: approval1.8.0.next?
Comment on attachment 387441
patch for 1.8.0

Approved for 1.8.1.23, a=dveditz
Can this go into 1.9.1.x?
blocking1.9.1: --- → ?
If that null check patch applies to mozilla-1.9.1, can we get it nominated for approval1.9.1.2?
blocking1.9.1: ? → .2+
Attachment #380394 - Flags: approval1.9.1.2?
Comment on attachment 380394
null check

Approved for 1.9.1.2. a=ss for release-drivers
Attachment #380394 - Flags: approval1.9.1.2? → approval1.9.1.2+
Verified using test case with files in comment #1 and comment #2. 3.0.10 and 3.5 crashed, while neither 3.0.12 nor 3.5.2 do.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.12) Gecko/2009070611 Firefox/3.0.12 (.NET CLR 3.5.30729)
(In reply to comment #18)
> (From update of attachment 387441)
> Approved for 1.8.1.23, a=dveditz

Can someone land this on 1.8 branch for 1.8.1.24 now that .23 has already shipped?
(In reply to comment #18)
> (From update of attachment 387441)
> Approved for 1.8.1.23, a=dveditz

Although this was the approved one, I landed attachment 380394 on the 1.8.1 branch as quite clearly it was between 1.8 and 1.8.1 that the file moved. In any case the diff was exactly the same.

Checking in content/base/src/nsXMLHttpRequest.cpp;
/cvsroot/mozilla/content/base/src/nsXMLHttpRequest.cpp,v  <--  nsXMLHttpRequest.cpp
new revision: 1.156.2.23; previous revision: 1.156.2.22
Keywords: fixed1.8.1.24
Crash Signature: [@ nsXMLHttpRequest::StreamReaderFunc ]
Component: DOM → DOM: Core & HTML