Closed
Bug 495098
Opened 15 years ago
Closed 15 years ago
Crash when using single XMLHttpRequest object for two simultaneous requests; test case included [@ nsXMLHttpRequest::StreamReaderFunc ]
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: maarten.ter.huurne, Assigned: smaug)
References
Details
(5 keywords, Whiteboard: [sg:dos])
Crash Data
Attachments
(6 files)
655 bytes,
text/html
|
Details | |
17.66 KB,
application/xml
|
Details | |
373 bytes,
text/x-python
|
Details | |
280 bytes,
text/html
|
Details | |
1.17 KB,
patch
|
sicking
:
review+
sicking
:
superreview+
samuel.sidler+old
:
approval1.9.1.2+
dveditz
:
approval1.9.0.12+
|
Details | Diff | Splinter Review |
1.33 KB,
patch
|
smaug
:
review+
dveditz
:
approval1.8.1.next+
dveditz
:
approval1.8.0.next?
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729) Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729) The crash occurred when debugging an intranet web application. I reduced the page to a test case of manageable size. The crash occurs every time within seconds of the page loading. The exact same crash happens with Firefox 3.0.10 on Linux x86_64. Reproducible: Always Steps to Reproduce: 1. Load the test case HTML file. 2. Wait. The test case consists of an HTML file and an XML file. The HTML page loads the XML file using XMLHttpRequest. For the XML data file, I will upload both the data file itself and a Python script to generate it. I removed the insertion of the XML data into the DOM tree when minimizing the test case, so the exact content of the XML file probably does not matter anymore, but the crash does not occur when a non-existent file is fetched, so the size might matter to get the timing right. Actual Results: Firefox crashed. Expected Results: I would expect a JavaScript exception if the XMLHttpRequest object is used in an invalid way.
Reporter | ||
Comment 1•15 years ago
|
||
Reporter | ||
Comment 2•15 years ago
|
||
Reporter | ||
Comment 3•15 years ago
|
||
You don't need this unless you want to generate an XML data file of a different size.
Comment 4•15 years ago
|
||
Confirmed with: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090527 Shiretoko/3.5pre Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090527 Minefield/3.6a1pre The XML file just needs to be at least 1 byte.
Comment 6•15 years ago
|
||
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090527 Minefield/3.6a1pre 53d4788e-b206-42a6-8f71-448a52090527 0 xul.dll xul.dll@0x387a55 1 xul.dll nsPipeInputStream::ReadSegments xpcom/io/nsPipe3.cpp:799 2 xul.dll nsXMLHttpRequest::OnDataAvailable content/base/src/nsXMLHttpRequest.cpp:2113 3 xul.dll nsCrossSiteListenerProxy::OnDataAvailable content/base/src/nsCrossSiteListenerProxy.cpp:348 4 xul.dll nsBaseChannel::OnDataAvailable netwerk/base/src/nsBaseChannel.cpp:708 5 xul.dll nsInputStreamPump::OnStateTransfer netwerk/base/src/nsInputStreamPump.cpp:508 6 xul.dll nsInputStreamPump::OnInputStreamReady netwerk/base/src/nsInputStreamPump.cpp:398 7 xul.dll nsInputStreamReadyEvent::Run xpcom/io/nsStreamUtils.cpp:190 8 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:510 9 xul.dll nsBaseAppShell::Run widget/src/xpwidgets/nsBaseAppShell.cpp:170 10 xul.dll nsAppStartup::Run toolkit/components/startup/src/nsAppStartup.cpp:193 11 nspr4.dll PR_GetEnv 12 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:110 13 firefox.exe firefox.exe@0x21a7 14 kernel32.dll kernel32.dll@0x16fe6
Comment 7•15 years ago
|
||
Confirmed using 3.0.10, 3.5pre, and 3.6a1pre on Linux. bp-c7901bea-fce4-4e71-bbfb-c906f2090527 bp-85b68b7c-e4f9-4575-b00a-251542090527 bp-6942995b-2cd3-405a-869d-2aef12090527 0 libxul.so nsXMLHttpRequest::StreamReaderFunc content/base/src/nsXMLHttpRequest.cpp:2083 1 libxul.so nsPipeInputStream::ReadSegments xpcom/io/nsPipe3.cpp:799 2 libxul.so nsXMLHttpRequest::OnDataAvailable content/base/src/nsXMLHttpRequest.cpp:2113 3 libxul.so nsCrossSiteListenerProxy::OnDataAvailable content/base/src/nsCrossSiteListenerProxy.cpp:348 4 libxul.so nsBaseChannel::OnDataAvailable netwerk/base/src/nsBaseChannel.cpp:708 5 libxul.so nsInputStreamPump::OnStateTransfer netwerk/base/src/nsInputStreamPump.cpp:508 6 libxul.so nsInputStreamPump::OnInputStreamReady netwerk/base/src/nsInputStreamPump.cpp:398 7 libxul.so nsInputStreamReadyEvent::Run xpcom/io/nsStreamUtils.cpp:111 8 libxul.so nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:510 9 libxul.so NS_ProcessNextEvent_P nsThreadUtils.cpp:230 10 libxul.so nsBaseAppShell::Run widget/src/xpwidgets/nsBaseAppShell.cpp:170 11 libxul.so nsAppStartup::Run toolkit/components/startup/src/nsAppStartup.cpp:193 12 libxul.so XRE_main toolkit/xre/nsAppRunner.cpp:3339 13 firefox-bin main browser/app/nsBrowserApp.cpp:156 14 libc-2.7.so libc-2.7.so@0x1644f
Status: UNCONFIRMED → NEW
Component: General → DOM
Ever confirmed: true
OS: Windows XP → All
Product: Firefox → Core
QA Contact: general → general
Hardware: x86 → All
Summary: Crash when using single XMLHttpRequest object for two simultaneous requests; test case included → Crash when using single XMLHttpRequest object for two simultaneous requests; test case included [@ nsXMLHttpRequest::StreamReaderFunc ]
Version: unspecified → 1.9.0 Branch
Comment 8•15 years ago
|
||
As far as I can see, this only crashes for XMLHttpRequests on local files.
Assignee | ||
Updated•15 years ago
|
Assignee: nobody → Olli.Pettay
Assignee | ||
Comment 9•15 years ago
|
||
I think we want this. At least for branches.
Attachment #380394 -
Flags: superreview?(jonas)
Attachment #380394 -
Flags: review?(jonas)
Attachment #380394 -
Flags: superreview?(jonas)
Attachment #380394 -
Flags: superreview+
Attachment #380394 -
Flags: review?(jonas)
Attachment #380394 -
Flags: review+
Assignee | ||
Comment 10•15 years ago
|
||
Comment on attachment 380394 [details] [diff] [review] null check This is probably too late for .12, but maybe .13?
Attachment #380394 -
Flags: approval1.9.0.12?
Assignee | ||
Comment 11•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/a012b6f9858b
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated•15 years ago
|
Comment 12•15 years ago
|
||
Comment on attachment 380394 [details] [diff] [review] null check Approved for 1.9.0.12, a=dveditz for release-drivers
Attachment #380394 -
Flags: approval1.9.0.12? → approval1.9.0.12+
Assignee | ||
Comment 13•15 years ago
|
||
Checking in content/base/src/nsXMLHttpRequest.cpp; /cvsroot/mozilla/content/base/src/nsXMLHttpRequest.cpp,v <-- nsXMLHttpRequest.cpp new revision: 1.249; previous revision: 1.248 done
Keywords: fixed1.9.0.12
Comment 14•15 years ago
|
||
Fixed this in 1.9.0.12, so we should fix it in 1.9.1.x, maybe 1.9.1.1?
Flags: wanted1.9.1.x+
Flags: blocking1.9.1.1?
Comment 15•15 years ago
|
||
Not for 1.9.1.1 since this is just an sg:dos, but maybe eventually on the 1.9.1 line.
Flags: blocking1.9.1.1?
Comment 16•15 years ago
|
||
Affects 1.8 too.
Comment 17•15 years ago
|
||
Added patch for 1.8.0 version. Could you please check it? Thanks in advance.
Attachment #387441 -
Flags: review?(Olli.Pettay)
Assignee | ||
Updated•15 years ago
|
Attachment #387441 -
Flags: review?(Olli.Pettay) → review+
Updated•15 years ago
|
Flags: wanted1.8.1.x+
Updated•15 years ago
|
Attachment #387441 -
Flags: approval1.8.1.next+
Attachment #387441 -
Flags: approval1.8.0.next?
Comment 18•15 years ago
|
||
Comment on attachment 387441 [details] [diff] [review] patch for 1.8.0 Approved for 1.8.1.23, a=dveditz
Comment 20•15 years ago
|
||
If that null check patch applies to mozilla-1.9.1, can we get it nominated for approval1.9.1.2?
blocking1.9.1: ? → .2+
Assignee | ||
Updated•15 years ago
|
Attachment #380394 -
Flags: approval1.9.1.2?
Comment 21•15 years ago
|
||
Comment on attachment 380394 [details] [diff] [review] null check Approved for 1.9.1.2. a=ss for release-drivers
Attachment #380394 -
Flags: approval1.9.1.2? → approval1.9.1.2+
Assignee | ||
Comment 22•15 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/77009d4f6c4e
status1.9.1:
--- → .2-fixed
Comment 23•15 years ago
|
||
Verified using test case with files in comment #1 and comment #2. 3.0.10 and 3.5 crashed, while neither 3.0.12 nor 3.5.2 do. Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729) Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.12) Gecko/2009070611 Firefox/3.0.12 (.NET CLR 3.5.30729)
Comment 24•15 years ago
|
||
(In reply to comment #18) > (From update of attachment 387441 [details] [diff] [review]) > Approved for 1.8.1.23, a=dveditz Can someone land this on 1.8 branch for 1.8.1.24 now that .23 has already shipped?
Comment 25•14 years ago
|
||
(In reply to comment #18) > (From update of attachment 387441 [details] [diff] [review]) > Approved for 1.8.1.23, a=dveditz Although this was the approved one, I landed attachment 380394 [details] [diff] [review] on the 1.8.1 branch as quite clearly it was between 1.8 and 1.8.1 that the file moved. In any case the diff was exactly the same. Checking in content/base/src/nsXMLHttpRequest.cpp; /cvsroot/mozilla/content/base/src/nsXMLHttpRequest.cpp,v <-- nsXMLHttpRequest.cpp new revision: 1.156.2.23; previous revision: 1.156.2.22
Keywords: fixed1.8.1.24
Updated•13 years ago
|
Crash Signature: [@ nsXMLHttpRequest::StreamReaderFunc ]
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•