Crash when using single XMLHttpRequest object for two simultaneous requests; test case included [@ nsXMLHttpRequest::StreamReaderFunc ]

RESOLVED FIXED

Status

Core
DOM
--
critical
RESOLVED FIXED
8 years ago
6 years ago

People

(Reporter: Maarten ter Huurne, Assigned: smaug)

Tracking

(5 keywords)

1.9.0 Branch
crash, fixed1.8.1.24, testcase, verified1.9.0.12, verified1.9.1
Points:
---
Bug Flags:
wanted1.9.1.x +
wanted1.8.1.x +

Firefox Tracking Flags

(blocking1.9.1 .2+, status1.9.1 .2-fixed)

Details

(Whiteboard: [sg:dos], crash signature)

Attachments

(6 attachments)

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)

The crash occurred when debugging an intranet web application. I reduced the page to a test case of manageable size. The crash occurs every time within seconds of the page loading.

The exact same crash happens with Firefox 3.0.10 on Linux x86_64.


Reproducible: Always

Steps to Reproduce:
1. Load the test case HTML file.
2. Wait.

The test case consists of an HTML file and an XML file. The HTML page loads the XML file using XMLHttpRequest. For the XML data file, I will upload both the data file itself and a Python script to generate it. I removed the insertion of the XML data into the DOM tree when minimizing the test case, so the exact content of the XML file probably does not matter anymore, but the crash does not occur when a non-existent file is fetched, so the size might matter to get the timing right.

Actual Results:  
Firefox crashed.

Expected Results:  
I would expect a JavaScript exception if the XMLHttpRequest object is used in an invalid way.
(Reporter)

Comment 1

8 years ago
Created attachment 379926 [details]
Test case HTML
(Reporter)

Comment 2

8 years ago
Created attachment 379927 [details]
XML data file loaded through XMLHttpRequest
(Reporter)

Comment 3

8 years ago
Created attachment 379928 [details]
Python script that generates table.xml

You don't need this unless you want to generate an XML data file of a different size.

Comment 4

8 years ago
Confirmed with:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090527 Shiretoko/3.5pre
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090527 Minefield/3.6a1pre

The XML file just needs to be at least 1 byte.

Comment 5

8 years ago
https://developer.mozilla.org/En/How_to_get_a_stacktrace_for_a_bug_report

Comment 6

8 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090527 Minefield/3.6a1pre

53d4788e-b206-42a6-8f71-448a52090527

0  	xul.dll  	xul.dll@0x387a55  	
1 	xul.dll 	nsPipeInputStream::ReadSegments 	xpcom/io/nsPipe3.cpp:799
2 	xul.dll 	nsXMLHttpRequest::OnDataAvailable 	content/base/src/nsXMLHttpRequest.cpp:2113
3 	xul.dll 	nsCrossSiteListenerProxy::OnDataAvailable 	content/base/src/nsCrossSiteListenerProxy.cpp:348
4 	xul.dll 	nsBaseChannel::OnDataAvailable 	netwerk/base/src/nsBaseChannel.cpp:708
5 	xul.dll 	nsInputStreamPump::OnStateTransfer 	netwerk/base/src/nsInputStreamPump.cpp:508
6 	xul.dll 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:398
7 	xul.dll 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:190
8 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
9 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
10 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:193
11 	nspr4.dll 	PR_GetEnv 	
12 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:110
13 	firefox.exe 	firefox.exe@0x21a7 	
14 	kernel32.dll 	kernel32.dll@0x16fe6

Comment 7

8 years ago
Confirmed using 3.0.10, 3.5pre, and 3.6a1pre on Linux.
bp-c7901bea-fce4-4e71-bbfb-c906f2090527
bp-85b68b7c-e4f9-4575-b00a-251542090527
bp-6942995b-2cd3-405a-869d-2aef12090527
0  	libxul.so  	nsXMLHttpRequest::StreamReaderFunc  	 content/base/src/nsXMLHttpRequest.cpp:2083
1 	libxul.so 	nsPipeInputStream::ReadSegments 	xpcom/io/nsPipe3.cpp:799
2 	libxul.so 	nsXMLHttpRequest::OnDataAvailable 	content/base/src/nsXMLHttpRequest.cpp:2113
3 	libxul.so 	nsCrossSiteListenerProxy::OnDataAvailable 	content/base/src/nsCrossSiteListenerProxy.cpp:348
4 	libxul.so 	nsBaseChannel::OnDataAvailable 	netwerk/base/src/nsBaseChannel.cpp:708
5 	libxul.so 	nsInputStreamPump::OnStateTransfer 	netwerk/base/src/nsInputStreamPump.cpp:508
6 	libxul.so 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:398
7 	libxul.so 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:111
8 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
9 	libxul.so 	NS_ProcessNextEvent_P 	nsThreadUtils.cpp:230
10 	libxul.so 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
11 	libxul.so 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:193
12 	libxul.so 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3339
13 	firefox-bin 	main 	browser/app/nsBrowserApp.cpp:156
14 	libc-2.7.so 	libc-2.7.so@0x1644f
Status: UNCONFIRMED → NEW
Component: General → DOM
Ever confirmed: true
OS: Windows XP → All
Product: Firefox → Core
QA Contact: general → general
Hardware: x86 → All
Summary: Crash when using single XMLHttpRequest object for two simultaneous requests; test case included → Crash when using single XMLHttpRequest object for two simultaneous requests; test case included [@ nsXMLHttpRequest::StreamReaderFunc ]
Version: unspecified → 1.9.0 Branch

Comment 8

8 years ago
Created attachment 380374 [details]
Single-file testcase

As far as I can see, this only crashes for XMLHttpRequests on local files.
(Assignee)

Updated

8 years ago
Assignee: nobody → Olli.Pettay
(Assignee)

Comment 9

8 years ago
Created attachment 380394 [details] [diff] [review]
null check

I think we want this. At least for branches.
Attachment #380394 - Flags: superreview?(jonas)
Attachment #380394 - Flags: review?(jonas)
Attachment #380394 - Flags: superreview?(jonas)
Attachment #380394 - Flags: superreview+
Attachment #380394 - Flags: review?(jonas)
Attachment #380394 - Flags: review+
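
An added C++ example, not the patch attached to this bug and not Gecko code, of the defensive pattern named in comment 9: a segment-reader callback that checks its per-request state before using it, for the case where one request object is reused while data from an earlier request is still arriving. All class, function and field names are hypothetical, and the generation check goes beyond the null check mentioned on this page.

```cpp
// Added illustration: simplified model, not Gecko code. All names are hypothetical.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>

enum Result { kOk, kFailure };

struct BodySink {  // per-request consumer of response bytes
  std::string received;
  void Write(const char* data, std::size_t len) { received.append(data, len); }
};

class Request {
 public:
  // Each Open() replaces the per-request state and returns a new generation id.
  int Open() { mSink.reset(new BodySink()); return ++mGeneration; }
  // Abort or error teardown drops the per-request state.
  void Abort() { mSink.reset(); }
  // Transport entry point; `generation` says which Open() the chunk belongs to.
  Result OnDataAvailable(int generation, const char* data, std::size_t len) {
    if (generation != mGeneration) return kFailure;  // chunk from a superseded request
    return StreamReader(this, data, len);
  }
  const std::string* Body() const { return mSink ? &mSink->received : nullptr; }

 private:
  // Segment callback: it only receives an opaque closure, so it must not assume
  // the state behind it still exists. Fail the read instead of dereferencing null.
  static Result StreamReader(void* closure, const char* data, std::size_t len) {
    Request* self = static_cast<Request*>(closure);
    if (!self || !self->mSink) return kFailure;
    self->mSink->Write(data, len);
    return kOk;
  }
  std::unique_ptr<BodySink> mSink;
  int mGeneration = 0;
};

int main() {
  Request r;
  int first = r.Open();
  int second = r.Open();  // same object reused while the first request is in flight
  std::printf("stale chunk: %d\n", r.OnDataAvailable(first, "a", 1));
  std::printf("live chunk: %d\n", r.OnDataAvailable(second, "b", 1));
  r.Abort();
  std::printf("after abort: %d\n", r.OnDataAvailable(second, "c", 1));
}
```

Returning a failure from the callback stops the read and surfaces an error to the caller, which matches the reporter's expectation of an error rather than a crash.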
(Assignee)

Comment 10

8 years ago
Comment on attachment 380394 [details] [diff] [review]
null check

This is probably too late for .12, but maybe .13?
Attachment #380394 - Flags: approval1.9.0.12?
(Assignee)

Comment 11

8 years ago
http://hg.mozilla.org/mozilla-central/rev/a012b6f9858b
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Keywords: crash, testcase
Whiteboard: [sg:dos]
Comment on attachment 380394 [details] [diff] [review]
null check

Approved for 1.9.0.12, a=dveditz for release-drivers
Attachment #380394 - Flags: approval1.9.0.12? → approval1.9.0.12+
(Assignee)

Comment 13

8 years ago
Checking in content/base/src/nsXMLHttpRequest.cpp;
/cvsroot/mozilla/content/base/src/nsXMLHttpRequest.cpp,v  <--  nsXMLHttpRequest.cpp
new revision: 1.249; previous revision: 1.248
done
Keywords: fixed1.9.0.12
Fixed this in 1.9.0.12, so we should fix it in 1.9.1.x, maybe 1.9.1.1?
Flags: wanted1.9.1.x+
Flags: blocking1.9.1.1?
Not for 1.9.1.1 since this is just an sg:dos, but maybe eventually on the 1.9.1 line.
Flags: blocking1.9.1.1?

Comment 16

8 years ago
Affects 1.8 too.

Comment 17

8 years ago
Created attachment 387441 [details] [diff] [review]
patch for 1.8.0

Added patch for 1.8.0 version. Could you please check it? Thanks in advance.
Attachment #387441 - Flags: review?(Olli.Pettay)
(Assignee)

Updated

8 years ago
Attachment #387441 - Flags: review?(Olli.Pettay) → review+
Flags: wanted1.8.1.x+
Attachment #387441 - Flags: approval1.8.1.next+
Attachment #387441 - Flags: approval1.8.0.next?
Comment on attachment 387441 [details] [diff] [review]
patch for 1.8.0

Approved for 1.8.1.23, a=dveditz
Can this go into 1.9.1.x?
blocking1.9.1: --- → ?
If that null check patch applies to mozilla-1.9.1, can we get it nominated for approval1.9.1.2?
blocking1.9.1: ? → .2+
(Assignee)

Updated

8 years ago
Attachment #380394 - Flags: approval1.9.1.2?
Comment on attachment 380394 [details] [diff] [review]
null check

Approved for 1.9.1.2. a=ss for release-drivers
Attachment #380394 - Flags: approval1.9.1.2? → approval1.9.1.2+
(Assignee)

Comment 22

8 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/77009d4f6c4e
status1.9.1: --- → .2-fixed
Verified using test case with files in comment #1 and comment #2. 3.0.10 and 3.5 crashed, while neither 3.0.12 nor 3.5.2 do.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.12) Gecko/2009070611 Firefox/3.0.12 (.NET CLR 3.5.30729)
Keywords: fixed1.9.0.12 → verified1.9.0.12, verified1.9.1

Comment 24

8 years ago
(In reply to comment #18)
> (From update of attachment 387441 [details] [diff] [review])
> Approved for 1.8.1.23, a=dveditz

Can someone land this on 1.8 branch for 1.8.1.24 now that .23 has already shipped?
(In reply to comment #18)
> (From update of attachment 387441 [details] [diff] [review])
> Approved for 1.8.1.23, a=dveditz

Although this was the approved one, I landed attachment 380394 [details] [diff] [review] on the 1.8.1 branch as quite clearly it was between 1.8 and 1.8.1 that the file moved. In any case the diff was exactly the same.

Checking in content/base/src/nsXMLHttpRequest.cpp;
/cvsroot/mozilla/content/base/src/nsXMLHttpRequest.cpp,v  <--  nsXMLHttpRequest.cpp
new revision: 1.156.2.23; previous revision: 1.156.2.22
Keywords: fixed1.8.1.24
Duplicate of this bug: 504634
Crash Signature: [@ nsXMLHttpRequest::StreamReaderFunc ]