Closed Bug 529041 Opened 15 years ago Closed 15 years ago

Crash in nsXMLHttpRequest::Send [@ xul.dll@0x438302] [@ xul.dll@0x42b6ff]

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.3a1
Tracking Flags:
Tracking Status
status1.9.2 --- beta4-fixed
status1.9.1 --- unaffected

People

(Reporter: sicking, Assigned: sicking)

References

Details

(Keywords: topcrash, Whiteboard: [crashkill][crashkill-thirdparty][crashkill-fix])

Crash Data

Attachments

(1 file, 1 obsolete file)

Patch to fix
10.95 KB, patch
Biesinger
: review+
Details | Diff | Splinter Review 
This is currently the #2 topcrash for Firefox3.6b2

The stack basically starts out in 

nsDocument::DispatchContentLoadedEvents()  Line 3895

Firing the "DOMContentLoaded" event. Eventually we end up firing a JS-implemented event-listener which calls

nsXMLHttpRequest::Send(aBody=0x08ca2f00)  + 0x42c708 bytes

Seems like we're dying with a nullpointer dereference, but can't tell yet what exact code this is happening in.
Flags: blocking1.9.2?
Whiteboard: [crashkill]
Summary: Crash in nsXMLHttpRequest::Send [xul.dll@0x438302] → Crash in nsXMLHttpRequest::Send [@xul.dll@0x438302]
The failing line is:

rv = uploadChannel->ExplicitSetUploadStream(postDataStream, contentType, -1, method, PR_FALSE);

with uploadChannel being null. Likely someone has replaced the http-channel implementation with one of their own, and hasn't implemented nsIUploadChannel2 on it (which isn't surprising since it's a new interface).

We could easily detect this and report to the error console. This would prevent the crash from happening, but would also prevent the code from working correctly.
Marking this blocking since it's a regression and a top-crasher.
Flags: blocking1.9.2? → blocking1.9.2+
Heavily correlated with McAfee SiteAdvisor, so they probably replace our http channel implementation.

http://people.mozilla.com/crash_analysis/20091116/20091116_Firefox_3.6b2-interesting-addons.txt
Keywords: topcrash
Whiteboard: [crashkill] → [crashkill][crashkill-thirdparty]
Attached patch patch (obsolete) — Splinter Review 
well, if you absolutely want this to work xmlhttprequest can be incestuous.

algorithm:
qi for nsIUploadChannel2, on failure rescue all your data from the existing channel and CI by ID the CID for our impl and then give it all the data you rescued and continue on with life.

note that it's illegal for anyone to recycle/shadow a CID, if anyone does we should blocklist them. As long as we play nice and try to use the contract first, I have no qualms about falling back to our working CID. To do this, xmlhttprequest should probably eagerly qi to nsIUploadChannel2.

Attached is a compiling implementation of the above algorithm. No testing has been done.
Comment on attachment 412814 [details] [diff] [review]
patch

I don't think we'll want to do this. It duplicates too much code, and would make it impossible to override http-channels used by XHR. Even in cases where the channel does support nsIUploadChannel2, or when nsIUploadChannel would do just fine.

In any event it doesn't address the redirect code which suffers the same problem.
Attachment #412814 - Flags: review-
Attached patch Patch to fixSplinter Review 
This patch makes us fall back to using nsIUploadChannel if nsIUploadChannel2 isn't available.

This results in a change in behavior, files with an unknown content type sent using XMLHttpRequest get a "Content-Type:application/octet-stream" header rather than no content-type header.

So we really do want people that implement a http protocol handler so that we can do the right thing. We should reach out to McAfee and get them to fix Site Advisor.

I put a console-service warning in the ioservice that detects if a returned http-channel can't be QIed to nsIUploadChannel2. However I was worried about performance impact if we warn every time a http channel is created, so we just warn the first time. We additionally warn every time XMLHttpRequest is used in order to reduce the likelyhood that developers don't see the warning.
Attachment #412814 - Attachment is obsolete: true
Attachment #413010 - Flags: review?(cbiesinger)
Comment on attachment 413010 [details] [diff] [review]
Patch to fix

+++ b/content/base/src/nsXMLHttpRequest.cpp

+        consoleService->LogStringMessage(NS_LITERAL_STRING("Http channel implementation doesn't support nsIUploadChannel2. An extension has supplied a non-functional http protocol handler. This will browser behavior and in future releases not work at all.").get());

Not localizable?

Even if you want to keep the message hardcoded, can you break it into 80-character lines?

Also s/browser/break/?

+++ b/netwerk/base/src/nsIOService.cpp
+                consoleService->LogStringMessage(NS_LITERAL_STRING("Http channel implementation doesn't support nsIUploadChannel2. An extension has supplied a non-functional http protocol handler. This will break browser behavior and in future releases not work at all.").get());

same comments as above (esp. line length)


Can you add a comment about why you're adding this warning, and mention this bug, and mention that it's temporary?

+        nsCOMPtr<nsIUploadChannel> uploadChannel;

Wouldn't it be simpler to just always initialize this?

Can you add a comment how not implementing uploadChannel2 can happen?
Attachment #413010 - Flags: review?(cbiesinger) → review+
You know... another way to fix this would be: keep using nsIUploadChannel; make up a special content type "x-internal/x-empty-content-type" and make the http channel interpret that as "send no content type". Slightly hacky, I admit.
I actually thought about that too. I don't really feel strongly either way. It does seem awfully hacky. And there's a risk that things would behave strangely since if someone overrides the http-channel they might do weird things with such a content-type.
Yeah, good point. I also don't feel strongly either way, so let's go with what we have here, I think.
Fixed on trunk

http://hg.mozilla.org/mozilla-central/rev/9511efaadcea

We're string frozen so I can't make the message localizable at this point
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
+                consoleService->LogStringMessage(NS_LITERAL_STRING(
+                    "Http channel implementation doesn't support "
+                    "nsIUploadChannel2. An extension has supplied a "
+                    "non-functional http protocol handler. This will break "
+                    "behavior and in future releases not work at all.").get());
+            }

This is broken on Windows Mobile because the compiler seems to think the first string is wide and the rest are not (perhaps some fun with the way |L"foo" "bar| is handled?).
Yes, that's what NS_L() is for (dig that short macro name!).

/be
Fixed in 1.9.2

http://hg.mozilla.org/releases/mozilla-1.9.2/rev/bb4e5ea3ba69
status1.9.1: --- → unaffected
status1.9.2: --- → final-fixed
Whiteboard: [crashkill][crashkill-thirdparty] → [crashkill][crashkill-thirdparty][crashkill-fix]
(In reply to comment #13)
> We're string frozen so I can't make the message localizable at this point

Surely we're not string frozen on trunk...
Summary: Crash in nsXMLHttpRequest::Send [@xul.dll@0x438302] → Crash in nsXMLHttpRequest::Send [@xul.dll@0x438302][@ xul.dll@0x42b6ff]
Summary: Crash in nsXMLHttpRequest::Send [@xul.dll@0x438302][@ xul.dll@0x42b6ff] → Crash in nsXMLHttpRequest::Send [@ xul.dll@0x438302] [@ xul.dll@0x42b6ff]
400-600 crashes per day in b2 and b3.  

what kind of testing is needed to verify the patch that landed on the branch in comment 16?
Keywords: testcase-wanted
re: comment 18

a lot of the user comments suggest they are doing a search on google or other search providers.  

Looking at what is going on in the discussion on the fix, and putting that together with the user comments on the crash, it sounds like an abstracted test case would emulate search suggestions where user starts typing and suggestions start appearing though the interaction via XMLHttpRequest.   

do we have such a test case, or a test case that suggests just pound heavily on a site or search box that has the search suggest feature.

does that sound right?

what other web app kinds of capabilities might exercise this code?
There's two approaches to testing this.

To test specifically what this addon does, i.e. register a protocol-handler and attempt to use XMLHttpRequest POST data to it.

Or simply run our existing mochi/unit/litmus tests with various addons installed.

IMHO we should do both.
Severity: normal → critical
Flags: in-testsuite?
Target Milestone: --- → mozilla1.9.3a1
Crash Signature: [@ xul.dll@0x438302] [@ xul.dll@0x42b6ff]
Code comment says:
    // Eventually we should remove this and simply require that http channels
    // implement the new interface.

This was 3 years ago. Time to remove this now?
Crash Signature: [@ xul.dll@0x438302] [@ xul.dll@0x42b6ff] → [@ xul.dll@0x438302] [@ xul.dll@0x42b6ff]
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: