Closed Bug 612072 Opened 15 years ago Closed 15 years ago

Crash [@ nsCookieService::EnsureReadDomain(nsCString const&) ]

Categories

(Core :: Networking: Cookies, defect)

Product:
Core
Component:
Networking: Cookies
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+
fennec 2.0+ ---

People

(Reporter: Mitch, Assigned: dwitte)

References

Details

(Keywords: crash, topcrash)

Crash Data

Attachments

(1 file)

patch
10.32 KB, patch
sdwilsh
: review+
Details | Diff | Splinter Review
Signature nsCookieService::EnsureReadDomain(nsCString const&) UUID 1a55a928-b026-4a18-b18e-59d802101113 Time 2010-11-13 20:26:06.186717 Uptime 18 Last Crash 24 seconds before submission Install Age 7821 seconds (2.2 hours) since version was first installed. Product Firefox Version 4.0b8pre Build ID 20101113042433 Branch 2.0 OS Windows NT OS Version 6.1.7600 CPU x86 CPU Info GenuineIntel family 6 model 23 stepping 6 Crash Reason EXCEPTION_ACCESS_VIOLATION_READ Crash Address 0x34 User Comments App Notes AdapterVendorID: 1002, AdapterDeviceID: 9591 Processor Notes EMCheckCompatibility False Related Bugs Crashing Thread Frame Module Signature [Expand] Source 0 xul.dll nsCookieService::EnsureReadDomain netwerk/cookie/nsCookieService.cpp:1943 1 xul.dll nsCookieService::GetCookieStringInternal netwerk/cookie/nsCookieService.cpp:2354 2 xul.dll nsCookieService::GetCookieStringCommon netwerk/cookie/nsCookieService.cpp:1449 3 xul.dll nsCookieService::GetCookieStringFromHttp netwerk/cookie/nsCookieService.cpp:1431 4 xul.dll mozilla::net::HttpBaseChannel::AddCookiesToRequest netwerk/protocol/http/HttpBaseChannel.cpp:1260 5 xul.dll nsHttpChannel::AsyncOpen netwerk/protocol/http/nsHttpChannel.cpp:3555 1937 nsCookieService::EnsureReadDomain(const nsCString &aBaseDomain) 1938 { 1939 NS_ASSERTION(!mDBState->dbConn || mDBState == mDefaultDBState, 1940 "not in default db state"); 1941 1942 // Fast path 1: nothing to read, or we've already finished reading. 1943 if (NS_LIKELY(!mDBState->dbConn || !mDefaultDBState->pendingRead)) 1944 return; One of the pointers on line 1943 is null 4.87 nsCookieService::nsCookieService() 4.88 - : mDBState(&mDefaultDBState) 4.89 + : mDBState(NULL) My money is on mDBState :) I don't have a current build here so I can't easily calculate which field is 0x34 (it mostly depends on sizeof nsTHashtable<>)
Blocks: 547031
Keywords: crash
Hmm. It could be either, since mDBState is likely a pointer to mDefaultDBState. (The latter is also constructed as null by virtue of being an nsRefPtr.) I'll pull the offset and figure out which it is. I doubt I can reproduce this (I haven't seen it in all my testing) so I'll probably have to inspect.
0x34 is dbConn, so mDBState is NULL. Given that this happened well after startup, it's likely that mDBState was nonnull at some point, and somehow got reset.
(In reply to comment #3) > 0x34 is dbConn, so mDBState is NULL. Given that this happened well after > startup, it's likely that mDBState was nonnull at some point, and somehow got > reset. private browsing?
There are 108 crashes since these patches landed a few days ago; all Windows, all 0x34. I don't think PB is involved since Mitch said he didn't use it during that session. Which leaves three possibilities: 1) CloseDBStates() is being called via profile-before-change. This is impossible, since the crash didn't occur during shutdown. (Unless we're calling it at some other point!) 2) 'this' is NULL. (The offset of mDefaultDBState happens to be 0x34 also.) This is impossible, since we'd crash dereferencing mDBState first, which is not at 0x34. 3) The crash is actually occurring on a different line, but the optimizer's messing with us. This is impossible, since we've already nullchecked mDefaultDBState->pendingRead, so we couldn't try to deref it later and discover it's NULL.
Assignee: nobody → dwitte
blocking2.0: --- → betaN+
bsmedberg suggested I take a look at the minidump directly. I'll do that tomorrow.
tracking-fennec: --- → ?
tracking-fennec: ? → 2.0+
I've looked at the minidump, and confirmed that mDBState is NULL with certainty.
tracking-fennec: 2.0+ → ?
tracking-fennec: ? → 2.0+
Attached patch patchSplinter Review
There's nothing really preventing stuff from happening after profile-before-change, so the simple thing is just to guard against it at all the API entrypoints. This didn't used to be a problem because we always had a DBState around, empty or not, whereas now we actually delete it. Now, I have to go through the in-tree consumers to make sure they can deal with this throwing...
Attachment #491339 - Flags: review?(sdwilsh)
Comment on attachment 491339 [details] [diff] [review] patch r=sdwilsh
Attachment #491339 - Flags: review?(sdwilsh) → review+
I hit this crash during shutdown, which explains why mDBState is NULL. JS stack: > 0 anonymous() ["resource://gre/modules/LightweightThemeManager.jsm":238] self = [object Object] req = [object XMLHttpRequest] theme = [object Object] this = [object Object] > 1 AMI_backgroundUpdateCheck() ["resource://gre/modules/AddonManager.jsm":312] scope = [object Object] notifyComplete = [function] pendingUpdates = 1 this = [object Object] > 2 AMP_backgroundUpdateCheck() ["resource://gre/modules/AddonManager.jsm":855] this = [object Object] > 3 AMC_notify(aTimer = [xpconnect wrapped nsITimer]) ["resource://gre/components/addonManager.js":156] this = [object Object] > 4 TM_notify(timer = [xpconnect wrapped nsITimer]) ["resource://gre/components/nsUpdateTimerManager.js":158] timerData = undefined timerID = undefined entries = [xpconnect wrapped nsISimpleEnumerator] catMan = [xpconnect wrapped nsICategoryManager] now = 1290425305 lastUpdateTime = 1290338584 prefLastUpdate = "app.update.lastUpdateTime.addon-background-update-timer" this = [object Object] Native stack: nsCookieService::EnsureReadDomain nsCookieService::GetCookieStringInternal nsCookieService::GetCookieStringCommon nsCookieService::GetCookieStringFromHttp mozilla::net::HttpBaseChannel::AddCookiesToRequest nsHttpChannel::AsyncOpen nsXMLHttpRequest::Send nsIXMLHttpRequest_Send js::CallJSNative js::Interpret js::RunScript js::Invoke js::ExternalInvoke js::ExternalInvoke JS_CallFunctionValue nsXPCWrappedJSClass::CallMethod nsXPCWrappedJS::CallMethod PrepareAndDispatch SharedStub NS_InvokeByIndex_P CallMethodHelper::Invoke CallMethodHelper::Call XPCWrappedNative::CallMethod XPC_WN_CallMethod js::CallJSNative js::Interpret js::RunScript js::Invoke js::ExternalInvoke js::ExternalInvoke JS_CallFunctionValue nsXPCWrappedJSClass::CallMethod nsXPCWrappedJS::CallMethod PrepareAndDispatch SharedStub nsTimerImpl::Fire nsTimerEvent::Run nsThread::ProcessNextEvent NS_ProcessNextEvent_P nsThread::Shutdown NS_InvokeByIndex_P nsProxyObjectCallInfo::Run nsThread::ProcessNextEvent NS_ProcessNextEvent_P nsThread::Shutdown nsCacheService::Shutdown nsCacheProfilePrefObserver::Observe nsObserverList::NotifyObservers nsObserverService::NotifyObservers mozilla::ShutdownXPCOM NS_ShutdownXPCOM_P ScopedXPCOMStartup::~ScopedXPCOMStartup XRE_main NS_internal_main wmain wmainCRTStartup BaseProcessStart
I know it's targeted for betaN but is this going to get checked in for beta8?
Definitely. I'll push it today, pending results from try.
http://hg.mozilla.org/mozilla-central/rev/74b4a2f97e23
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Keywords: topcrash
Hmm. Nothing after 20101124, and it's been a while. So I think this is fixed.
Crash Signature: [@ nsCookieService::EnsureReadDomain(nsCString const&) ]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: