Closed Bug 536911 Opened 10 years ago Closed 10 years ago

crash [@ memcpy | nsJARInputStream::Read(char*, unsigned int, unsigned int*) ]

Component: Core :: Networking: JAR
Type: defect
Severity: critical
Priority: Not set
Version: 1.9.2 Branch
Platform: x86, Windows 7
Status: RESOLVED FIXED
Tracking status: status1.9.2 --- .4-fixed
Reporter: david.maza.AU
Assignee: taras.mozilla
Keywords: crash, verified1.9.2
Whiteboard: [crashkill]
Attachments: 1 file, 3 obsolete files

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2b6pre) Gecko/20091226 Firefox/3.1b3pre GTB5 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2b6pre) Gecko/20091226 Firefox/3.1b3pre GTB5 (.NET CLR 3.5.30729)

Firefox crashes on startup as of build 20091226 with the error signature:

memcpy | nsJARInputStream::Read(char*, unsigned int, unsigned int*)

Reproducible: Always
Keywords: crash
Priority: -- → P1
Version: unspecified → 1.9.2 Branch
Signature	memcpy | nsJARInputStream::Read(char*, unsigned int, unsigned int*)
UUID	52f66f82-395a-4ed0-8f01-019fe2091227
Time 	2009-12-27 16:54:39.160117
Uptime	0
Last Crash	6 seconds before submission
Product	Firefox
Version	3.7a1pre
Build ID	20091226043635
Branch	1.9.3
OS	Windows NT
OS Version	6.1.7600
CPU	x86
CPU Info	GenuineIntel family 6 model 15 stepping 13
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x0
User Comments	
Processor Notes 	
Crashing Thread
Frame 	Module 	Signature 	Source
0 	mozcrt19.dll 	memcpy 	memcpy.asm:188
1 	xul.dll 	nsJARInputStream::Read(char*,unsigned int,unsigned int*) 	modules/libjar/nsJARInputStream.cpp:239
2 	xul.dll 	nsJARInputThunk::Read(char*,unsigned int,unsigned int*) 	modules/libjar/nsJARChannel.cpp:207
3 	xul.dll 	nsInputStreamTransport::Read(char*,unsigned int,unsigned int*) 	netwerk/base/src/nsStreamTransportService.cpp:233
4 	xul.dll 	nsStreamCopierOB::FillOutputBuffer(nsIOutputStream*,void*,char*,unsigned int,unsigned int,unsigned int*) 	xpcom/io/nsStreamUtils.cpp:566
5 	xul.dll 	nsPipeOutputStream::WriteSegments(unsigned int (*)(nsIOutputStream*,void*,char*,unsigned int,unsigned int,unsigned int*),void*,unsigned int,unsigned int*) 	xpcom/io/nsPipe3.cpp:1137
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: P1 → --
Summary: TOPCRASH: memcpy | nsJARInputStream::Read(char*, unsigned int, unsigned int*) → crash [@ memcpy | nsJARInputStream::Read(char*, unsigned int, unsigned int*) ]
Judging from the unusual startup stack I'm guessing that this is a race condition caused by one of the extensions.
Attached patch Missing null check (obsolete)
Reread the code a few times and found that this is likely caused by a missing null check
Assignee: nobody → tglek
Attachment #419476 - Flags: review?(alfredkayser)
Flags: wanted1.9.2+
Attached patch now with a testcase (obsolete)
Attachment #419476 - Attachment is obsolete: true
Attachment #419490 - Flags: review?(alfredkayser)
Attachment #419476 - Flags: review?(alfredkayser)
This also occurs in Safe Mode before I can get to the Safe Mode Options screen.
(In reply to comment #5)
> This also occurs in Safe Mode before I can get to the Safe Mode Options screen.

As a workaround you could try moving your extension jars out of the way to find the corrupt one.
Well I doubt it's an extension since I still receive crashes on a clean profile with no extensions installed. Also I compared the reports from 3 different users and none of them have the same extensions installed.

http://crash-stats.mozilla.com/report/index/1ca6fd5e-ddc4-4ac6-804d-ae74d2091230
http://crash-stats.mozilla.com/report/index/d037f8c6-ba0c-427e-a250-d7cd72091229
http://crash-stats.mozilla.com/report/index/b4581c09-0759-4821-8a56-487c12091226
Comment on attachment 419490 [details] [diff] [review]
now with a testcase

Confirmed. GetData is documented to return null on a corrupted file and should therefore be checked.
Attachment #419490 - Flags: review?(alfredkayser) → review+
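As an added illustration of the fix this comment describes (not the bug's patch and not libjar's code), a minimal C++ read path where a hypothetical GetData stand-in returns nullptr for a corrupt entry and the read reports corruption instead of handing that pointer to memcpy:

```cpp
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <string>

// Constructed stand-in for a JAR entry; not libjar's own types.
struct ZipEntry {
    std::string data;   // decompressed entry bytes
    bool corrupt;       // simulates a damaged archive entry
};

// Hypothetical stand-in for the GetData() call discussed in the bug:
// returns nullptr when the entry is corrupt, so callers must check it.
static const char* GetData(const ZipEntry& e) {
    return e.corrupt ? nullptr : e.data.data();
}

enum ReadStatus { READ_OK = 0, READ_EOF = 1, READ_CORRUPT = 2 };

// Read-style call with the check the fix adds: a null data pointer is
// reported as corruption rather than passed to memcpy. 'pos' is the
// stream offset carried across calls.
static ReadStatus ReadChecked(const ZipEntry& e, size_t& pos,
                              char* buf, size_t count, size_t* bytesRead) {
    *bytesRead = 0;
    const char* src = GetData(e);
    if (src == nullptr) {
        return READ_CORRUPT;            // the missing null check
    }
    if (pos >= e.data.size()) {
        return READ_EOF;
    }
    size_t n = std::min(count, e.data.size() - pos);
    memcpy(buf, src + pos, n);
    pos += n;
    *bytesRead = n;
    return READ_OK;
}

// Drains an entry in small chunks, as a stream copier would, and returns
// the final status; 'out' receives everything that was read.
static ReadStatus Drain(const ZipEntry& e, std::string& out) {
    size_t pos = 0;
    char buf[4];
    for (;;) {
        size_t got = 0;
        ReadStatus s = ReadChecked(e, pos, buf, sizeof buf, &got);
        if (s != READ_OK) return s;
        out.append(buf, got);
    }
}
```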
(In reply to comment #7)
> Well I doubt it's an extension since I still receive crashes on a clean profile
> with no extensions installed. Also I compared the reports from 3 different
> users and neither of them have the same extensions between them installed.
Keywords: checkin-needed
Whiteboard: checkin
Oops, my reply got submitted prematurely. Sounds like one of the system jars got corrupted. David, please try the following build to see if it fixes your crash (it has the above patch in it).

Also please back up your Firefox profile + data; among other things, it's very valuable that you can reproduce this crash reliably.

https://build.mozilla.org/tryserver-builds/tglek@mozilla.com-try-adf298d323b0/try-adf298d323b0-win32.zip
Keywords: checkin-needed
Whiteboard: checkin
Carrying over review. Previous patch corrupted an existing testcase.
Attachment #419490 - Attachment is obsolete: true
Attachment #419625 - Flags: review+
Keywords: checkin-needed
Comment on attachment 419625 [details] [diff] [review]
419490: now with a testcase(fixed testcase)

>+ * The Initial Developer of the Original Code is
>+ * Taras Glek <tglek@mozilla.com>

You are not the initial developer, as you are employed by MoCo, which means the initial developer is "Mozilla Foundation" (yes, MoFo instead of MoCo). If you've done this for other files, they will need to be corrected as well.
Indeed, I see two other files with you listed as the initial developer. Both these two and the patch in this bug should be changed to have "Mozilla Foundation" as the initial developer and to list you instead as a contributor.

modules/libjar/test/unit/test_dirjar_bug525755.js
modules/libjar/test/unit/test_jarinput_stream_zipreader_reference.js
Status: NEW → ASSIGNED
Keywords: checkin-needed
Well I'm not receiving any error messages or crashes using the supplied Try Server build yet the 12/26/2009 Nightly Build is still crashing.
http://hg.mozilla.org/mozilla-central/rev/89cf6d3f66f1
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Blocks: 537398
This is a trivial startup crashkill with a testcase; I'd like to land this on 192 asap.
Attachment #419625 - Flags: approval1.9.2.2?
Keywords: checkin-needed
Keywords: checkin-needed
Whiteboard: [crashkill][needs 1.9.2 landing]
No longer blocks: 537398
Depends on: 537398
Comment on attachment 419625 [details] [diff] [review]
419490: now with a testcase(fixed testcase)

Can we get this patch rolled together with the license header changes from bug 537398
Attachment #419625 - Flags: approval1.9.2.2? → approval1.9.2.2-
Please approve this asap
Attachment #419625 - Attachment is obsolete: true
Attachment #433156 - Flags: review+
Attachment #433156 - Flags: approval1.9.2.2?
Comment on attachment 433156 [details] [diff] [review]
now with copyright stuff

Approved for 1.9.2.3, a=dveditz for release-drivers
Attachment #433156 - Flags: approval1.9.2.2? → approval1.9.2.3+
Hm, looks like this has already landed on 1.9.2 but the status has not been updated.
Please revert if I'm wrong.
Whiteboard: [crashkill][needs 1.9.2 landing] → [crashkill]
Marking as verified for 1.9.2 based on passing crashtests on tinderbox.
Keywords: verified1.9.2
Crash Signature: [@ memcpy | nsJARInputStream::Read(char*, unsigned int, unsigned int*) ]