Crash in [@ns_if_addref<nsOfflineCacheDevice*>(nsOfflineCacheDevice*) ] (initialization of the offline cache)

VERIFIED DUPLICATE of bug 502403

Status: VERIFIED DUPLICATE of bug 502403
Product: Core
Component: Networking: Cache
Priority: --
Severity: critical
Reported: 9 years ago
Last updated: 7 years ago

People: Reporter: Ehsan; Assignee: Unassigned

Tracking: Keywords: crash; Version: Trunk; Platform: x86, Windows XP


Description (Reporter, 9 years ago)
We have a number of these crashes mostly from 3.5.1 and 3.5.2 (but one from 3.5 as well), which seems to have something to do with the initialization of the offline cache service:

<http://crash-stats.mozilla.com/report/list?query_search=signature&query_type=exact&query=ns_if_addref%3CnsOfflineCacheDevice*%3E(nsOfflineCacheDevice*)&date=&range_value=1&range_unit=weeks&do_query=1&signature=ns_if_addref%3CnsOfflineCacheDevice*%3E(nsOfflineCacheDevice*)>

The crash happens on this line:

<http://hg.mozilla.org/releases/mozilla-1.9.1/annotate/001b77ffc015/netwerk/cache/src/nsDiskCacheDeviceSQL.cpp#l954>

It seems like the |cacheService| pointer is somehow corrupted.

On a side note, is the code on line 950 correct? What if an extension, for example, tries to override nsICacheService? I'd expect this to crash in that case.

The user reports indicate that some of them have seen this when clicking the Advanced button in the Options window. But I don't see any reason why this can't happen when a web page tries to use the offline cache (and thus triggers the initialization of the offline cache). If that can happen, then we'd have a crash which can get triggered from a web page. Thus, I'm filing this as a security bug.
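The side note above asks what happens if an unchecked downcast of the service pointer meets a different implementation of the same interface. The following is an added illustration written for this page, not Mozilla's code and not the code at the cited line: the interface `ICacheService`, the classes `RealCacheService`, `ReplacementCacheService` and `OfflineCacheDevice`, and every function name are hypothetical stand-ins. It contrasts a `static_cast` that silently produces a bad pointer when another implementation is registered with a checked downcast that lets the caller fail initialisation cleanly instead of dereferencing garbage.

```cpp
// Added illustration (not Mozilla code): an unchecked downcast of a service
// interface pointer versus a checked one. All names here are hypothetical.

// Stand-in for an abstract XPCOM-style service interface.
struct ICacheService {
    virtual ~ICacheService() = default;
    virtual int Version() const = 0;
};

// Stand-in for the device object whose AddRef crashed in the report.
struct OfflineCacheDevice {
    int refcnt = 0;
};

// Stand-in for the in-tree implementation that owns the device.
struct RealCacheService : ICacheService {
    OfflineCacheDevice device;
    int Version() const override { return 1; }
    OfflineCacheDevice* GetOfflineDevice() { return &device; }
};

// Stand-in for a replacement (e.g. from an extension) registered under the
// same contract. It has no device at all.
struct ReplacementCacheService : ICacheService {
    int Version() const override { return 2; }
};

// Unchecked downcast: only valid while svc really is a RealCacheService.
// Given any other implementation this is undefined behaviour; the returned
// pointer is garbage and a later AddRef dereferences it.
OfflineCacheDevice* DeviceUnchecked(ICacheService* svc) {
    return static_cast<RealCacheService*>(svc)->GetOfflineDevice();
}

// Checked downcast: dynamic_cast yields nullptr for any other implementation,
// so the caller sees the mismatch instead of a corrupted pointer.
OfflineCacheDevice* DeviceChecked(ICacheService* svc) {
    auto* real = dynamic_cast<RealCacheService*>(svc);
    return real ? real->GetOfflineDevice() : nullptr;
}

// Caller pattern: refuse to initialise rather than AddRef an unknown pointer.
bool InitOfflineCache(ICacheService* svc) {
    OfflineCacheDevice* dev = DeviceChecked(svc);
    if (!dev) return false;
    ++dev->refcnt;
    return true;
}

// Self-checks that return their result so a harness can assert on them.
bool CheckedFindsRealDevice() {
    RealCacheService real;
    return DeviceChecked(&real) == &real.device
        && DeviceUnchecked(&real) == &real.device  // same type: both agree
        && InitOfflineCache(&real)
        && real.device.refcnt == 1;
}

bool CheckedRejectsReplacement() {
    ReplacementCacheService other;
    // DeviceUnchecked(&other) is deliberately never called: it is the bug.
    return DeviceChecked(&other) == nullptr && !InitOfflineCache(&other);
}

int main() {
    return (CheckedFindsRealDevice() && CheckedRejectsReplacement()) ? 0 : 1;
}
```

`dynamic_cast` stands in for whatever identity check the real code base provides (an XPCOM component would normally go through QueryInterface); the point is that the caller must be able to observe "this is not my implementation" before it touches memory that only its own class lays out.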
Comment 1 (Reporter, 9 years ago)
Thanks for the duplicate hint, Henrik!
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 502403
Status: RESOLVED → VERIFIED
Group: core-security
Updated (Assignee, 7 years ago)
Crash Signature: [@ns_if_addref<nsOfflineCacheDevice*>(nsOfflineCacheDevice*) ]