Closed Bug 607723 Opened 14 years ago Closed 14 years ago

Segfault (null deref) [@ nsPrefetchNode::OnStopRequest]

Categories

(Core :: Networking: HTTP, defect)

ARM
Android
defect
Not set
critical

RESOLVED DUPLICATE of bug 616861

People

(Reporter: cjones, Unassigned)

Details

(Keywords: crash)

This happened after I loaded engadget.com, zoomed and panned around, and clicked a link by accident.  It happened a few seconds after the clicked link started loading.  Haven't tried to repro.

Program received signal SIGSEGV, Segmentation fault.
0x8172cd12 in nsPrefetchNode::OnStopRequest (this=0x4448cc00, aRequest=<value optimized out>, aContext=<value optimized out>, aStatus=<value optimized out>) at /home/cjones/mozilla/mozilla-central/uriloader/prefetch/nsPrefetchService.cpp:338
(gdb) p mChannel
$1 = {
  <nsCOMPtr_base> = {
    mRawPtr = 0x0
  }, <No data fields>}
(gdb) bt
#0  0x8172cd12 in nsPrefetchNode::OnStopRequest (this=0x4448cc00, aRequest=<value optimized out>, aContext=<value optimized out>, aStatus=<value optimized out>) at /home/cjones/mozilla/mozilla-central/uriloader/prefetch/nsPrefetchService.cpp:338
#1  0x81275ffa in mozilla::net::HttpChannelChild::OnStopRequest (this=0x41be2ae0, statusCode=@0xbed07e2c) at /home/cjones/mozilla/mozilla-central/netwerk/protocol/http/HttpChannelChild.cpp:383
#2  0x812760a6 in mozilla::net::HttpChannelChild::RecvOnStopRequest (this=0x0, statusCode=@0xbed07e2c) at /home/cjones/mozilla/mozilla-central/netwerk/protocol/http/HttpChannelChild.cpp:362
#3  0x818c963c in mozilla::net::PHttpChannelChild::OnMessageReceived (this=0x41be2ae0, __msg=<value optimized out>) at PHttpChannelChild.cpp:553
#4  0x818a2a7c in mozilla::dom::PContentChild::OnMessageReceived (this=0x40d150c8, __msg=...) at PContentChild.cpp:720
#5  0x81853284 in mozilla::ipc::AsyncChannel::OnDispatchMessage (this=0x40d150d0, msg=...) at /home/cjones/mozilla/mozilla-central/ipc/glue/AsyncChannel.cpp:262
#6  0x81855cc2 in mozilla::ipc::RPCChannel::OnMaybeDequeueOne (this=0x40d150d0) at /home/cjones/mozilla/mozilla-central/ipc/glue/RPCChannel.cpp:438
#7  0x81856604 in DispatchToMethod<mozilla::ipc::RPCChannel, bool (mozilla::ipc::RPCChannel::*)()> (this=<value optimized out>) at /home/cjones/mozilla/mozilla-central/ipc/chromium/src/base/tuple.h:383
#8  RunnableMethod<mozilla::ipc::RPCChannel, bool (mozilla::ipc::RPCChannel::*)(), Tuple0>::Run (this=<value optimized out>) at /home/cjones/mozilla/mozilla-central/ipc/chromium/src/base/task.h:307
#9  0x818565b0 in Run (this=<value optimized out>) at ../../dist/include/mozilla/ipc/RPCChannel.h:449
#10 mozilla::ipc::RPCChannel::DequeueTask::Run (this=<value optimized out>) at ../../dist/include/mozilla/ipc/RPCChannel.h:474
#11 0x81928562 in MessageLoop::RunTask (this=0xbed08a34, task=0x42798850) at /home/cjones/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:343
#12 0x81928986 in MessageLoop::DeferOrRunPendingTask (this=0x40d150d0, pending_task=<value optimized out>) at /home/cjones/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:351
#13 0x81928bf0 in MessageLoop::DoWork (this=0xbed08a34) at /home/cjones/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:451
#14 0x81854d68 in mozilla::ipc::DoWorkRunnable::Run (this=<value optimized out>) at /home/cjones/mozilla/mozilla-central/ipc/glue/MessagePump.cpp:70
#15 0x81903624 in nsThread::ProcessNextEvent (this=0x40d0c790, mayWait=<value optimized out>, result=<value optimized out>) at /home/cjones/mozilla/mozilla-central/xpcom/threads/nsThread.cpp:547
#16 0x818de506 in NS_ProcessNextEvent_P (thread=0x40d150d0, mayWait=0) at nsThreadUtils.cpp:250
#17 0x81854be6 in mozilla::ipc::MessagePump::Run (this=0x40d0f0a0, aDelegate=0xbed08a34) at /home/cjones/mozilla/mozilla-central/ipc/glue/MessagePump.cpp:110
#18 0x81854c7c in mozilla::ipc::MessagePumpForChildProcess::Run (this=0x40d0c790, aDelegate=0x1) at /home/cjones/mozilla/mozilla-central/ipc/glue/MessagePump.cpp:229
#19 0x8192864e in MessageLoop::RunInternal (this=0xbed08a34) at /home/cjones/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:219
#20 0x819286ac in RunHandler (this=0x40d0c790) at /home/cjones/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:202
#21 MessageLoop::Run (this=0x40d0c790) at /home/cjones/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:176
#22 0x81816460 in nsBaseAppShell::Run (this=0x423e5500) at /home/cjones/mozilla/mozilla-central/widget/src/xpwidgets/nsBaseAppShell.cpp:181
#23 0x8120d78a in XRE_RunAppShell () at /home/cjones/mozilla/mozilla-central/toolkit/xre/nsEmbedFunctions.cpp:631
#24 0x81854c76 in mozilla::ipc::MessagePumpForChildProcess::Run (this=0x40d0f0a0, aDelegate=0x423e5500) at /home/cjones/mozilla/mozilla-central/ipc/glue/MessagePump.cpp:215
#25 0x8192864e in MessageLoop::RunInternal (this=0xbed08a34) at /home/cjones/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:219
#26 0x819286ac in RunHandler (this=0x40d0f0a0) at /home/cjones/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:202
#27 MessageLoop::Run (this=0x40d0f0a0) at /home/cjones/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:176
#28 0x8120db44 in XRE_InitChildProcess (aArgc=<value optimized out>, aArgv=0x40d150b0, aProcess=GeckoProcessType_Content) at /home/cjones/mozilla/mozilla-central/toolkit/xre/nsEmbedFunctions.cpp:506
#29 0x80004ecc in ChildProcessInit (argc=<value optimized out>, argv=0xbed08b84) at /home/cjones/mozilla/mozilla-central/other-licenses/android/APKOpen.cpp:564
#30 0x000091a4 in main (argc=6, argv=0xbed08b84) at /home/cjones/mozilla/mozilla-central/ipc/app/MozillaRuntimeMainAndroid.cpp:68
I suspect this is a result of nsPrefetchService::OnStateChange calling StopPrefetch, which calls CancelChannel and nulls out mChannel.
This is the #1 top crash for Fennec 4.0b3.
Severity: normal → critical
tracking-fennec: --- → ?
Version: unspecified → Trunk
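The lifecycle hypothesised in the comment above (StopPrefetch cancels the channel and nulls mChannel, then the channel's own OnStopRequest is still delivered from the IPC queue), modelled as an added C++ example; this is not Mozilla code, and Channel, PrefetchNode, StopResult and ReplayLateStop are constructed names:

```cpp
// Added model of the race in this report; not Mozilla code. A prefetch node
// owns a channel, StopPrefetch() cancels it and nulls the member, and an
// OnStopRequest() for that same channel still arrives afterwards.
#include <cassert>
#include <cstdint>
#include <memory>

struct Channel {
    int32_t status = 0;
    void Cancel(int32_t aStatus) { status = aStatus; }
};

enum class StopResult { Processed, IgnoredNoChannel, IgnoredOtherChannel };

struct PrefetchNode {
    std::shared_ptr<Channel> mChannel;  // the pointer gdb showed as mRawPtr = 0x0
    int32_t mLastStatus = 0;
    void Start() { mChannel = std::make_shared<Channel>(); }

    // Mirrors the hypothesis in the comment: cancel the channel, then drop it.
    void StopPrefetch(int32_t aStatus) {
        if (!mChannel) return;
        mChannel->Cancel(aStatus);
        mChannel = nullptr;
    }

    // True exactly when an unconditional `mChannel->...` in the callback would
    // be the null dereference from the backtrace.
    bool ChannelIsNull() const { return mChannel == nullptr; }

    // Hardened callback: check the member and match it against the request the
    // notification belongs to, so a stop arriving after StopPrefetch() is ignored.
    StopResult OnStopRequest(const std::shared_ptr<Channel>& aRequest,
                             int32_t aStatus) {
        if (!mChannel) return StopResult::IgnoredNoChannel;
        if (aRequest != mChannel) return StopResult::IgnoredOtherChannel;
        mLastStatus = aStatus;
        mChannel = nullptr;
        return StopResult::Processed;
    }
};

// Replays the reported sequence: Start, StopPrefetch (cancel + null), then the
// IPC layer, which still holds the channel, delivers OnStopRequest late.
StopResult ReplayLateStop() {
    PrefetchNode node;
    node.Start();
    std::shared_ptr<Channel> inFlight = node.mChannel;
    node.StopPrefetch(-1);
    assert(node.ChannelIsNull() && inFlight->status == -1);
    return node.OnStopRequest(inFlight, 0);
}
```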
This looks like a dup of bug 616861, and we haven't seen any further crashes on nightlies since that landed, so I'm going to dup this forward.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Crash Signature: [@ nsPrefetchNode::OnStopRequest]
tracking-fennec: ? → ---