Closed
Bug 590121
Opened 15 years ago
Closed 14 years ago
Null-pointer deref leading to crash [@ nsTArray_base] when serializing nsHttpResponseHead
Categories
(Core :: Networking: HTTP, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jmaher, Assigned: jduell.mcbugs)
References
Details
Attachments
(1 file)
|
1.41 KB,
patch
|
dwitte
:
review+
|
Details | Diff | Splinter Review |
Name=Fennec
Version=2.0a1pre
BuildID=20100824024116
SourceRepository=http://hg.mozilla.org/mobile-browser
SourceStamp=f662427a3796
Copyright=Copyright (c) 2008 Mozilla.org
ID={a23983c0-fd0e-11dc-95ff-0800200c9a66}
[Gecko]
MinVersion=1.9.2b5pre
MaxVersion=2.0b5pre
I downloaded the latest build of gtk maemo5 mozilla-central fennec and put it on my n900. I do this normally every week and the last 4 weeks I have had no trouble.
Today I tried to run mochitests:
python runtests.py --appname=../fennec/fennec --certificate-path=../certs --utility-path=../bin
When I do this, the browser starts up and immediately crashes. Vivien has experienced this on a desktop build as well.
If I turn off IPC (browser.tabs.remote=false), I don't see the crash, but I don't see any page load, just a blank browser (no about: page, 1 tab).
In trying to narrow this down, I do this (browser.tabs.remote=true):
- launch fennec with mochitest profile 'fennec -no-rmeote -profile /tmp/blah', fennec loads as expected
- launch fennec with mochitest profile + url 'fennec -no-remote -profile /tmp/blah http://www.google.com', loads and immediately crashes
- launch fennec 'fennec', fennec launches and runs as expected
- launch fennec with url 'fennec http://www.google.com', fennec launches and runs as expected
So it appears that the -profile or -no-remote flags are causing a crash. Doing a mock run of mochitests a nd CTRL+C will leave the profile intact so it can be examined.
|
Reporter | |
Comment 1•15 years ago
|
||
in looking more into this (on a desktop build), I see the crash whenever I
enter a URL into the urlbar and I have this in my preferences:
user_pref("network.proxy.type", 2);
user_pref("network.proxy.autoconfig_url", "data:text/plain,function
FindProxyForURL(url, host){return 'DIRECT';}");
NOTE: the autoconfig_url is very simplified in this example compared to what we
test with, but it should help simplify the problem.
|
|
Reporter | |
Comment 2•15 years ago
|
||
lastly, adding a browser.tabs.remote=false in the user.js section of the profile allows me to enter a url http://127.0.0.1:8888/tests/ and run mochitests manually.
|
|
Reporter | |
Comment 3•15 years ago
|
||
hmm, it seems that just the browser-tabs.remote=false on desktop with no other changes allows me to run tests successfully.
Seems like it is narrowed down to remote=true and network.proxy.* setup.
|
|
Reporter | |
Comment 4•15 years ago
|
||
this is really a problem, what is the ETA to fix this?
|
||
Comment 5•15 years ago
|
||
CC'ing some network guys to see if any of them can help with e10s and network.proxy.* causing problems.
Maybe there are already bugs filed on it.
|
|
Reporter | |
Comment 6•15 years ago
|
||
any chance we can get a fix for this? This morning I pulled the latest code for m-c/m-b and this is still a problem.
|
|
Reporter | |
Updated•15 years ago
|
blocking2.0: --- → ?
tracking-fennec: --- → ?
|
||
Comment 7•15 years ago
|
||
What's the crash stack? Can you pull it off the device?
|
|
Reporter | |
Comment 8•15 years ago
|
||
this fails on linux desktop as well. I am not sure where all the crash information is located, I get a exit with code -11 on my linux desktop when running this.
The reproduction steps are dead simple. If there is something I should add to my mozconfig to help out, let me know and I can do that.
|
|
Reporter | |
Comment 9•15 years ago
|
||
ok, I did a debug build (--enable-debug in my mozconfig) and ran this inside of gdb. I found that inside of gdb this doesn't crash the same way as it does outside of the debugger.
what doesn't work:
Here is the cli I run:
./fennec -no-remote -profile /tmp/tmpfA59bG
- type in http://www.google.com upon load
- browser crashes
Now in gdb, I do this:
gdb --args ./fennec -no-remote -profile /tmp/tmpfA59bG
- type in http://www.google.com upon load
- no crash!
Now if I do this:
gdb --args ./fennec -no-remote -profile /tmp/tmpfA59bG
I see this:
(gdb) bt
#0 0x011fce0b in void mozilla::net::PHttpChannelParent::Write<nsHttpResponseHead>(nsHttpResponseHead const&, IPC::Message*) () from /home/joel/mozilla/mobilebase-i686-pc-linux-gnu/dist/bin/libxul.so
#1 0x011fc761 in mozilla::net::PHttpChannelParent::SendRedirect1Begin (this=0xb20204c0, newChannel=0xb20a07c0, newUri=..., redirectFlags=@0xbfffeccc, responseHead=...) at PHttpChannelParent.cpp:229
#2 0x0048cc2b in mozilla::net::HttpChannelParentListener::AsyncOnChannelRedirect (this=0xb2032100, oldChannel=0xb7d95630, newChannel=0xb7d957d0, redirectFlags=4, callback=0x4)
at /home/joel/mozilla/mobilesrc/netwerk/protocol/http/HttpChannelParentListener.cpp:227
#3 0x003cfdc8 in nsAsyncRedirectVerifyHelper::DelegateOnChannelRedirect (this=0xb2032fd0, sink=0xb2032104, oldChannel=0xb7d95630, newChannel=0xb7d957d0, flags=4)
at /home/joel/mozilla/mobilesrc/netwerk/base/src/nsAsyncRedirectVerifyHelper.cpp:180
#4 0x003d01a1 in nsAsyncRedirectVerifyHelper::Run (this=0xb2032fd0) at /home/joel/mozilla/mobilesrc/netwerk/base/src/nsAsyncRedirectVerifyHelper.cpp:274
#5 0x012c27bf in nsThread::ProcessNextEvent (this=0xb7dd4dd0, mayWait=0, result=0xbfffed9c) at /home/joel/mozilla/mobilesrc/xpcom/threads/nsThread.cpp:547
#6 0x01273c70 in NS_ProcessNextEvent_P (thread=0xb22f1220, mayWait=0) at nsThreadUtils.cpp:250
#7 0x0118269b in mozilla::ipc::MessagePump::Run (this=0xb7dd9a30, aDelegate=0xb7d237c0) at /home/joel/mozilla/mobilesrc/ipc/glue/MessagePump.cpp:110
#8 0x01302da5 in MessageLoop::RunInternal (this=0xb7d237c0) at /home/joel/mozilla/mobilesrc/ipc/chromium/src/base/message_loop.cc:219
#9 0x01302e54 in MessageLoop::RunHandler (this=0xb22f1220) at /home/joel/mozilla/mobilesrc/ipc/chromium/src/base/message_loop.cc:202
#10 MessageLoop::Run (this=0xb22f1220) at /home/joel/mozilla/mobilesrc/ipc/chromium/src/base/message_loop.cc:176
#11 0x01086f4a in nsBaseAppShell::Run (this=0xb715dfb0) at /home/joel/mozilla/mobilesrc/widget/src/xpwidgets/nsBaseAppShell.cpp:175
#12 0x00ebf9e4 in nsAppStartup::Run (this=0xb53cd460) at /home/joel/mozilla/mobilesrc/toolkit/components/startup/src/nsAppStartup.cpp:191
#13 0x003bde1a in XRE_main (argc=5, argv=0xbffff414, aAppData=0xb7d10380) at /home/joel/mozilla/mobilesrc/toolkit/xre/nsAppRunner.cpp:3662
#14 0x0804988b in main (argc=5, argv=0xbffff414) at /home/joel/mozilla/mobilesrc/mobile/app/nsBrowserApp.cpp:155
(gdb)
Hope this helps!!
|
|
Reporter | |
Comment 10•15 years ago
|
||
err, the crashing gdb command is: 'gdb --args ./fennec -no-remote -profile /tmp/tmpfA59bG http://www.google.com'
|
Assignee | |
Comment 11•15 years ago
|
||
cc-ing bz/biesi, who are hopefuly more familiar with the proxy code.
|
||
Comment 12•15 years ago
|
||
So at the crash point.. why did we crash? Are we dereferencing a bogus or null pointer? Something else?
Jason, your hope may be .. in vain. :(
|
||
Comment 13•15 years ago
|
||
Yeah, we're dereferencing a null pointer:
#0 0xb5b9db40 in nsTArray_base::Length (this=0x0) at ../../../../dist/include/nsTArray.h:66
#1 0xb706a356 in IPC::ParamTraits<nsTArray<nsHttpHeaderArray::nsEntry> >::Write (aMsg=0xae159b20, aParam=...)
at ../../dist/include/IPC/IPCMessageUtils.h:256
#2 0xb7068cb8 in WriteParam<nsTArray<nsHttpHeaderArray::nsEntry> > (m=0xae159b20, p=...)
at /home/crowder/mobilla/ipc/chromium/src/chrome/common/ipc_message_utils.h:124
#3 0xb706912f in IPC::ParamTraits<nsHttpHeaderArray>::Write (aMsg=0xae159b20, aParam=...) at ../../dist/include/mozilla/net/PHttpChannelParams.h:149
#4 0xb7068cd2 in WriteParam<nsHttpHeaderArray> (m=0xae159b20, p=...) at /home/crowder/mobilla/ipc/chromium/src/chrome/common/ipc_message_utils.h:124
#5 0xb7069149 in IPC::ParamTraits<nsHttpResponseHead>::Write (aMsg=0xae159b20, aParam=...)
at ../../dist/include/mozilla/net/PHttpChannelParams.h:168
#6 0xb7068d62 in WriteParam<nsHttpResponseHead> (m=0xae159b20, p=...)
at /home/crowder/mobilla/ipc/chromium/src/chrome/common/ipc_message_utils.h:124
#7 0xb706a154 in mozilla::net::PHttpChannelParent::Write<nsHttpResponseHead> (this=0xae3f0580, __v=..., __msg=0xae159b20)
at ../../ipc/ipdl/_ipdlheaders/mozilla/net/PHttpChannelParent.h:242
#8 0xb706691e in mozilla::net::PHttpChannelParent::SendRedirect1Begin (this=0xae3f0580, newChannel=0xae157d00, newUri=...,
redirectFlags=@0xbfffeb0c, responseHead=...) at PHttpChannelParent.cpp:229
#9 0xb5d07dbf in mozilla::net::HttpChannelParentListener::AsyncOnChannelRedirect (this=0xae1039a0, oldChannel=0xb44a3490, newChannel=0xb44a3630,
redirectFlags=4, callback=0xae159af4) at /home/crowder/mobilla/netwerk/protocol/http/HttpChannelParentListener.cpp:227
#10 0xb5beb5e4 in nsAsyncRedirectVerifyHelper::DelegateOnChannelRedirect (this=0xae159af0, sink=0xae1039a4, oldChannel=0xb44a3490,
newChannel=0xb44a3630, flags=4) at /home/crowder/mobilla/netwerk/base/src/nsAsyncRedirectVerifyHelper.cpp:180
#11 0xb5bebb04 in nsAsyncRedirectVerifyHelper::Run (this=0xae159af0) at /home/crowder/mobilla/netwerk/base/src/nsAsyncRedirectVerifyHelper.cpp:274
#12 0xb717e44e in nsThread::ProcessNextEvent (this=0xb44e0d30, mayWait=0, result=0xbfffec3c) at /home/crowder/mobilla/xpcom/threads/nsThread.cpp:547
#13 0xb710b7dd in NS_ProcessNextEvent_P (thread=0xb44e0d30, mayWait=0) at nsThreadUtils.cpp:250
#14 0xb6f9ed00 in mozilla::ipc::MessagePump::Run (this=0xb44e3af0, aDelegate=0xb44238a0) at /home/crowder/mobilla/ipc/glue/MessagePump.cpp:110
#15 0xb71e2ad7 in MessageLoop::RunInternal (this=0xb44238a0) at /home/crowder/mobilla/ipc/chromium/src/base/message_loop.cc:219
#16 0xb71e2a57 in MessageLoop::RunHandler (this=0xb44238a0) at /home/crowder/mobilla/ipc/chromium/src/base/message_loop.cc:202
#17 0xb71e29fb in MessageLoop::Run (this=0xb44238a0) at /home/crowder/mobilla/ipc/chromium/src/base/message_loop.cc:176
#18 0xb6e42236 in nsBaseAppShell::Run (this=0xb31cb3d0) at /home/crowder/mobilla/widget/src/xpwidgets/nsBaseAppShell.cpp:175
#19 0xb6bb4839 in nsAppStartup::Run (this=0xb1299640) at /home/crowder/mobilla/toolkit/components/startup/src/nsAppStartup.cpp:191
#20 0xb5bb4d34 in XRE_main (argc=5, argv=0xbffff3d4, aAppData=0xb4410380) at /home/crowder/mobilla/toolkit/xre/nsAppRunner.cpp:3662
#21 0x08049927 in main (argc=5, argv=0xbffff3d4) at /home/crowder/mobilla/mobile/app/nsBrowserApp.cpp:155
(gdb) f 7
#7 0xb706a154 in mozilla::net::PHttpChannelParent::Write<nsHttpResponseHead> (this=0xae3f0580, __v=..., __msg=0xae159b20)
at ../../ipc/ipdl/_ipdlheaders/mozilla/net/PHttpChannelParent.h:242
242 IPC::WriteParam(__msg, __v);
(gdb) f 8
#8 0xb706691e in mozilla::net::PHttpChannelParent::SendRedirect1Begin (this=0xae3f0580, newChannel=0xae157d00, newUri=...,
redirectFlags=@0xbfffeb0c, responseHead=...) at PHttpChannelParent.cpp:229
229 Write(responseHead, __msg);
(gdb) f 9
#9 0xb5d07dbf in mozilla::net::HttpChannelParentListener::AsyncOnChannelRedirect (this=0xae1039a0, oldChannel=0xb44a3490, newChannel=0xb44a3630,
redirectFlags=4, callback=0xae159af4) at /home/crowder/mobilla/netwerk/protocol/http/HttpChannelParentListener.cpp:227
227 *oldHttpChannel->GetResponseHead());
(gdb) p oldHttpChannel.mResponseHead
$15 = {mRawPtr = 0x0}
|
|
||
Comment 14•15 years ago
|
||
Ok, so the thing is... we handle proxies, especially proxy autodetect and PAC as internal-type redirects. The redirects happen without us having made any request anywhere, so there is no response head on the channel being redirected from.
|
||
Updated•15 years ago
|
Assignee: nobody → jduell
|
|
||
Updated•14 years ago
|
tracking-fennec: ? → 2.0b1+
Summary: unable to run mochitest on fennec due to crashing fennec → Null-pointer deref leading to crash [@ nsTArray_base] when serializing nsHttpResponseHead
|
|
Assignee | |
Updated•14 years ago
|
Assignee: jduell → nobody
Component: General → Networking: HTTP
Product: Fennec → Core
QA Contact: general → networking.http
|
|
Assignee | |
Updated•14 years ago
|
Assignee: nobody → jduell.mcbugs
|
|
Assignee | |
Comment 16•14 years ago
|
||
Just does the same logic (create temp respHead object) for redirects as we do in regular OnStart:
http://mxr.mozilla.org/mozilla-central/source/netwerk/protocol/http/HttpChannelParent.cpp#309
I.e. pass empty temp object if respHead is null
Attachment #473310 -
Flags: review?(dwitte)
|
||
Comment 17•14 years ago
|
||
Comment on attachment 473310 [details] [diff] [review]
Fixes null responseHead in redirect code
r=dwitte
Attachment #473310 -
Flags: review?(dwitte) → review+
|
|
Assignee | |
Updated•14 years ago
|
Keywords: checkin-needed
|
||
Updated•14 years ago
|
blocking2.0: ? → final+
|
|
Assignee | |
Comment 18•14 years ago
|
||
Status: NEW → RESOLVED
blocking2.0: final+ → ?
Closed: 14 years ago
Resolution: --- → FIXED
|
||
Updated•14 years ago
|
Keywords: checkin-needed
|
|
||
Updated•14 years ago
|
blocking2.0: ? → -
You need to log in
before you can comment on or make changes to this bug.
Description
•