Bug 535990 - SwitchProxy triggers a Firefox crash in [@ PL_DHashTableOperate] PREF_PrefIsLocked
Status: VERIFIED FIXED
Keywords: crash, verified1.9.2
Product: Core
Classification: Components
Component: Preferences: Backend
Version: 1.9.1 Branch
Platform: x86_64 Linux
Importance: -- critical
Target Milestone: mozilla1.9.3a2
Assigned To: Mike Hommey [:glandium]
Reported: 2009-12-19 13:00 PST by Mike Hommey [:glandium]
Modified: 2011-06-09 14:58 PDT
.2-fixed
.9-fixed


Attachments
patch (502 bytes, patch)
2009-12-19 13:00 PST, Mike Hommey [:glandium]
benjamin: review+
mbeltzner: approval1.9.2.2+
mbeltzner: approval1.9.1.9+

Description Mike Hommey [:glandium] 2009-12-19 13:00:30 PST
Created attachment 418513
patch

This bug was reported on Debian, but was also reported independently on OpenSolaris (http://defect.opensolaris.org/bz/show_bug.cgi?id=12968).

When SwitchProxy is installed, a crash occurs with the following stack trace:
#6  0x00007f073b2e5dd1 in PL_DHashTableOperate (table=0x7f073baf6510, key=0x7f073b3901aa, op=PL_DHASH_LOOKUP) at pldhash.c:599
#7  0x00007f073ac3d851 in pref_HashTableLookup (key=0x7f073b3901aa) at prefapi.cpp:681
#8  0x00007f073ac3d871 in PREF_PrefIsLocked (pref_name=0x7f073baf6510 "") at prefapi.cpp:799
#9  0x00007f073ac3b24e in nsPrefBranch::GetComplexValue (this=0x7f072b658100, aPrefName=0x7f073b3901aa "intl.charset.default", aType=..., _retval=0x7fffe680a850) at nsPrefBranch.cpp:249
#10 0x00007f073addbb2f in nsContentUtils::GetLocalizedStringPref (aPref=0x7f073b3901aa "intl.charset.default") at nsContentUtils.cpp:2568
#11 0x00007f073acb3b4a in DocumentViewerImpl::GetDefaultCharacterSet (this=0x7f072304d220, aDefaultCharacterSet=...) at nsDocumentViewer.cpp:2890
#12 0x00007f073b0d87df in nsDocShell::SetupNewViewer (this=0x7f07206a3800, aNewViewer=0x7f071607b040) at nsDocShell.cpp:6608
#13 0x00007f073b0df308 in nsDocShell::Embed (this=0x7f07206a3800, aContentViewer=0x7f071607b040, aCommand=<value optimized out>, aExtraInfo=<value optimized out>) at nsDocShell.cpp:5123
#14 0x00007f073b0e545b in nsDocShell::CreateContentViewer (this=0x7f07206a3800, aContentType=<value optimized out>, request=0x7f0717021448, aContentHandler=<value optimized out>) at nsDocShell.cpp:6456
#15 0x00007f073b0eb7f9 in nsDSURIContentListener::DoContent (this=0x7f07206df040, aContentType=0x7f071fc9bc08 "text/html", aIsContentPreferred=0, request=0x7f0717021448, aContentHandler=0x7f0716484d48, 
    aAbortProcess=<value optimized out>) at nsDSURIContentListener.cpp:138
#16 0x00007f073b0ef21b in nsDocumentOpenInfo::TryContentListener (this=0x7f0716484d30, aListener=0x7f07206df040, aChannel=0x7f0717021448) at nsURILoader.cpp:736
#17 0x00007f073b0ef79c in nsDocumentOpenInfo::DispatchContent (this=0x7f0716484d30, request=0x7f0717021448, aCtxt=<value optimized out>) at nsURILoader.cpp:434
#18 0x00007f073b0efed4 in nsDocumentOpenInfo::OnStartRequest (this=0x7f0716484d30, request=0x7f0717021448, aCtxt=0x0) at nsURILoader.cpp:280
#19 0x00007f073b31f956 in NS_InvokeByIndex_P (that=0x7f073baf6510, methodIndex=993591722, paramCount=0, params=0x7f0722f2f2a0) at xptcinvoke_x86_64_linux.cpp:208
#20 0x00007f073ab65ff4 in XPCWrappedNative::CallMethod (ccx=..., mode=<value optimized out>) at xpcwrappednative.cpp:2456

In frame #6, table->ops is NULL, and the line that crashes says:
    keyHash = table->ops->hashKey(table, key);

So, this is a NULL dereference.

The attached patch should be enough to fix the problem. (It seems PREF_PrefIsLocked is the only function that doesn't check for ops)
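
The failure mode described above, modelled as a small self-contained C program. This is an added example, not the attached patch and not Mozilla's code; `table_t`, `table_lookup`, `pref_is_locked` and the other names are hypothetical. The lookup dereferences `ops` unconditionally, so the caller has to check it before looking anything up:

```c
#include <string.h>

typedef struct table table_t;
typedef struct { unsigned (*hash_key)(const table_t *, const char *); } table_ops_t;
typedef struct { const char *name; int locked; } entry_t;
struct table {
    const table_ops_t *ops;  /* NULL: never initialised, or already finished */
    entry_t slots[8];
};

static unsigned hash_str(const table_t *t, const char *key) {
    unsigned h = 0;
    (void)t;
    while (*key) h = h * 31u + (unsigned char)*key++;
    return h;
}
static const table_ops_t default_ops = { hash_str };

void table_init(table_t *t) { memset(t, 0, sizeof *t); t->ops = &default_ops; }
void table_finish(table_t *t) { t->ops = NULL; }

/* Same shape as the crashing line: t->ops is dereferenced unconditionally. */
static entry_t *table_lookup(table_t *t, const char *key) {
    unsigned start = t->ops->hash_key(t, key) % 8, i;
    for (i = 0; i < 8; i++) {
        entry_t *e = &t->slots[(start + i) % 8];
        if (e->name == NULL || strcmp(e->name, key) == 0) return e;
    }
    return NULL;  /* table full and key absent */
}

int table_set_locked(table_t *t, const char *key, int locked) {
    entry_t *e;
    if (!t->ops || !(e = table_lookup(t, key))) return -1;
    e->name = key; e->locked = locked;
    return 0;
}

/* Guarded caller: no table means no locked prefs, and no lookup is attempted. */
int pref_is_locked(table_t *t, const char *name) {
    entry_t *e;
    if (!t->ops) return 0;
    e = table_lookup(t, name);
    return e && e->name && e->locked;
}

int main(void) {
    table_t t = {0};  /* ops == NULL, the state seen in frame #6 */
    return pref_is_locked(&t, "intl.charset.default");  /* 0, no crash */
}
```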
Comment 1 Kyle Huey [:khuey] (khuey@mozilla.com) 2010-02-20 06:05:46 PST
http://hg.mozilla.org/mozilla-central/rev/96d301b39c91
Comment 2 Kyle Huey [:khuey] (khuey@mozilla.com) 2010-02-20 06:06:04 PST
Comment on attachment 418513
patch

Worth taking on the stable branches?
Comment 3 Mike Beltzner [:beltzner, not reading bugmail] 2010-02-22 10:48:05 PST
Comment on attachment 418513
patch

a=beltzner for 1.9.2 and 1.9.1
Comment 4 Kyle Huey [:khuey] (khuey@mozilla.com) 2010-02-22 11:11:30 PST
I'll check this in myself later this week, but anyone wants to get to it first :-)
Comment 6 Al Billings [:abillings] 2010-03-22 10:27:47 PDT
Using Ubuntu and SwitchProxy 1.4.1 with Firefox 3.5.8 or 3.6, I cannot reproduce a crash here before the fix so this is a bit hard to verify without some actual repro steps.
Comment 7 Mike Hommey [:glandium] 2010-03-22 10:31:21 PDT
(In reply to comment #6)
> Using Ubuntu and SwitchProxy 1.4.1 with Firefox 3.5.8 or 3.6, I cannot
> reproduce a crash here before the fix so this is a bit hard to verify without
> some actual repro steps.

I think it only happens on 64-bit builds.
Comment 8 Al Billings [:abillings] 2010-03-22 12:21:24 PDT
64-bit builds of what? We don't have a 64-bit Firefox.
Comment 9 Mike Hommey [:glandium] 2010-03-22 12:30:59 PDT
(In reply to comment #8)
> 64-bit builds of what? We don't have a 64-bit Firefox.

... yet. http://armenzg.blogspot.com/2010/03/linux-64-packaged-tests-now-available.html

Also, all Linux distributions have had 64-bit Firefox builds for years.
Comment 10 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2010-03-22 17:53:54 PDT
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.2) Gecko/20100319 Firefox/3.6.2
SwitchProxy Tool 1.4.1
Ubuntu 9.10 64-bit (Kernel 2.6.31-20-generic)

Using the above, I've been unable to recreate the crash.  However, when the add-on installs, there is no indication of usage in chrome or the tools menu.  I can't configure any proxies.  When I go to the Add-ons Manager, there is a SwitchProxy Tool entry but clicking on the Preferences button does nothing.

I'd like to request more defined steps to reproduce this...or is it simply installing the add-on and Firefox crashes on startup?  At any rate, a clearer indication of what user actions cause the crash is needed.
Comment 11 Mike Hommey [:glandium] 2010-03-23 00:25:43 PDT
Re-reading the original bug report I got, it appears SwitchProxy triggers crashes at random times. In other words, instability. The produced crashes were always with the NULL dereference that is fixed here. They were apparently also reproducible on x86.
Comment 12 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2010-03-23 10:37:07 PDT
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.2) Gecko/20100319
Firefox/3.6.2
SwitchProxy Tool 1.4.1
Ubuntu 9.10 64-bit (Kernel 2.6.31-20-generic)

So I've just been using Firefox as I normally do to reproduce this crash.  According to comment 11, this is all that is required to crash with SwitchProxy installed (no clear indication of SwitchProxy usage is given).  Assuming I am correct that one only needs to have SwitchProxy installed/enabled, experiencing no crashes at all in the last 24 hours should be indicative of this bug being fixed.

Were reports of this crash ever submitted to crashstats.mozilla.org?  If so, a decrease or elimination of new instances of this crash would be added indication that this was fixed.

At any rate, if I do not experience this crash today, I'll mark it VERIFIED based on nothing more than I have already stated.
Comment 13 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2010-03-24 13:43:48 PDT
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.2) Gecko/20100319
Firefox/3.6.2
SwitchProxy Tool 1.4.1
Ubuntu 9.10 64-bit (Kernel 2.6.31-20-generic)


I've still not been able to reproduce this crash, marking VERIFIED.
