Bug 663465 - crash [@ nsWebSocketEstablishedConnection::ConsoleError]
Status: VERIFIED FIXED
Keywords: crash, verified-aurora, verified-beta
Product: Core
Classification: Components
Component: Networking: WebSockets
Version: Trunk
Platform: ARM Android
Importance: -- critical
Target Milestone: mozilla6
Assigned To: Josh Matthews [:jdm]
Mentors:
Depends on:
Blocks:
Reported: 2011-06-10 11:01 PDT by Naoki Hirata :nhirata (please use needinfo instead of cc)
Modified: 2011-07-26 18:44 PDT
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
fixed
6+


Attachments
Avoid dereferencing null connection pointer when closing a websocket. (933 bytes, patch)
2011-06-10 13:00 PDT, Josh Matthews [:jdm]
mcmanus: review+
christian: approval-mozilla-aurora+

Description Naoki Hirata :nhirata (please use needinfo instead of cc) 2011-06-10 11:01:18 PDT
This bug was filed from the Socorro interface and is 
report bp-0a0cd71d-c32e-4880-bc7a-f16a12110610 .
============================================================= 
Frame 	Module 	Signature 	Source
0 	libxul.so 	nsWebSocketEstablishedConnection::ConsoleError 	content/base/src/nsWebSocket.cpp:399
1 	libxul.so 	nsWebSocketEstablishedConnection::FailConnection 	content/base/src/nsWebSocket.cpp:428
2 	libxul.so 	nsWebSocket::Close 	content/base/src/nsWebSocket.cpp:1304
3 	libxul.so 	nsIWebSocket_Close 	obj-firefox/js/src/xpconnect/src/dom_quickstubs.cpp:27806
4 	libxul.so 	js::Interpret 	js/src/jsinterp.cpp:4678
5 	libxul.so 	js::Invoke 	js/src/jsinterp.cpp:613
6 	libxul.so 	js::ExternalInvoke 	js/src/jsinterp.cpp:816
7 	libxul.so 	JS_CallFunctionValue 	js/src/jsapi.cpp:5087
8 	libxul.so 	nsJSContext::CallEventHandler 	dom/base/nsJSEnvironment.cpp:1901
9 	libxul.so 	nsGlobalWindow::RunTimeout 	nsCOMPtr.h:888
10 	libxul.so 	nsGlobalWindow::TimerCallback 	dom/base/nsGlobalWindow.cpp:9585
11 	libxul.so 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:425
12 	libxul.so 	nsTimerEvent::Run 	nsAutoPtr.h:969
13 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:618
14 	libxul.so 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:245
15 	libxul.so 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:134
16 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:230
17 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:219
18 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:511
19 	libxul.so 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:191
20 	libxul.so 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp:671
21 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:222
22 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:219
23 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:511
24 	libxul.so 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp:514
25 	libmozutils.so 	ChildProcessInit 	other-licenses/android/APKOpen.cpp:799
26 	plugin-container 	main 	ipc/app/MozillaRuntimeMainAndroid.cpp:69
27 	libc.so 	libc.so@0xd43a 

STR:
1. go to chat.mibbit.com
2. wait for it to finish loading
3. if you don't get the crash; hit reload

Expected: no crash
Actual: this crash and bug
Comment 1 Naoki Hirata :nhirata (please use needinfo instead of cc) 2011-06-10 11:09:03 PDT
Mozilla/5.0 (Android; Linux armv71; rv7.0a1) Gecko/20110610 Firefox/7.0a1 Fennec/7.0a1
Device: Thunderbolt
OS: Android 2.2

bug 663468 also is related to this via the website.
Comment 2 Josh Matthews [:jdm] 2011-06-10 11:51:32 PDT
This will probably be hidden by bug 537787, but it would be good to figure out why this is crashing as-is.
Comment 3 Josh Matthews [:jdm] 2011-06-10 12:27:28 PDT
Aha. Because we fail in ParseURL, the connection object is never initialized to non-null. Close, however, assumes it's non-null and happily dereferences a null pointer.
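A simplified model of the failure described in comment 3, added here as an illustration; it is not Mozilla's code or the attached patch. `Socket`, `Connection`, `CloseResult`, `close_after_init` and the URL acceptance rule in `ParseURL` are hypothetical stand-ins.

```cpp
#include <memory>
#include <string>

// Hypothetical stand-in for the established-connection object.
struct Connection {
    bool failed = false;
    void FailConnection() { failed = true; }
};

enum class CloseResult { NoConnection, Failed };

// Hypothetical stand-in for the script-facing socket object.
class Socket {
public:
    // Two-phase init: the object already exists (and a caller may keep a
    // reference to it) when URL parsing fails, so mConnection stays null.
    bool Init(const std::string& url) {
        if (!ParseURL(url)) return false;
        mConnection.reset(new Connection());
        return true;
    }

    // Unguarded form, the shape described in comment 3:
    //     mConnection->FailConnection();   // null dereference after a failed Init
    // Guarded form: "never connected" is handled as a state of its own.
    CloseResult Close() {
        if (!mConnection) return CloseResult::NoConnection;
        mConnection->FailConnection();
        return CloseResult::Failed;
    }

private:
    // Constructed rule: accept only ws:// or wss:// followed by something.
    static bool ParseURL(const std::string& url) {
        return (url.compare(0, 5, "ws://") == 0 && url.size() > 5) ||
               (url.compare(0, 6, "wss://") == 0 && url.size() > 6);
    }
    std::unique_ptr<Connection> mConnection;
};

// Mirrors the crashing sequence: Init fails, the caller still calls Close().
CloseResult close_after_init(const std::string& url) {
    Socket s;
    s.Init(url);  // result ignored, as a caller holding the object might do
    return s.Close();
}

int main() {
    return close_after_init("http://example.invalid/") == CloseResult::NoConnection ? 0 : 1;
}
```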
Comment 4 Josh Matthews [:jdm] 2011-06-10 13:00:50 PDT
Created attachment 538585
Avoid dereferencing null connection pointer when closing a websocket.
Comment 5 Patrick McManus [:mcmanus] 2011-06-10 13:45:40 PDT
Comment on attachment 538585
Avoid dereferencing null connection pointer when closing a websocket.

Review of attachment 538585:
-----------------------------------------------------------------

thanks
Comment 6 Dão Gottwald [:dao] 2011-06-11 11:35:34 PDT
http://hg.mozilla.org/mozilla-central/rev/51e2db1a5567
Comment 7 Mark Finkle (:mfinkle) (use needinfo?) 2011-06-16 14:36:23 PDT
I still see crashing coming into 6.0a2, but no more crashes coming into 7.0a1
Comment 8 Mark Finkle (:mfinkle) (use needinfo?) 2011-06-16 14:37:07 PDT
(In reply to comment #7)
> I still see crashing coming into 6.0a2, but no more crashes coming into 7.0a1

Needed on mozilla-aurora. Seems safe, as it's been on trunk for a few days.
Comment 9 christian 2011-06-16 15:09:06 PDT
Comment on attachment 538585
Avoid dereferencing null connection pointer when closing a websocket.

Approved for mozilla-aurora
Comment 10 Patrick McManus [:mcmanus] 2011-06-17 05:31:53 PDT
http://hg.mozilla.org/releases/mozilla-aurora/rev/10884b0d2970
Comment 11 Andreea Pod 2011-07-21 00:15:38 PDT
Verified fixed on Firefox 6 Beta 2: Mozilla /5.0 (Android;Linux armv7l;rv:6.0) Gecko/20110713 Firefox/6.0 Fennec/6.0

Device: LG Optimus 2X (Android 2.2)
Comment 12 Kevin Brosnan [:kbrosnan] 2011-07-21 00:21:12 PDT
This can't be verified in Firefox 6 yet. We don't have the beta 3 build with the change.
Comment 13 Andreea Pod 2011-07-21 00:41:49 PDT
OK Kevin, I was testing this following the steps from the description and I didn't get any crash; probably I should leave this one to someone else to verify after beta 3.
Comment 14 Kevin Brosnan [:kbrosnan] 2011-07-26 18:44:53 PDT
Andreea, in reviewing this I made a mistake. I saw that the patch was checked into Aurora and did not notice that the checkin date was a month prior. 

Visiting chat.mibbit.com did not crash

Mozilla/5.0 (Android; Linux armv7l; rv:8.0a1) Gecko/20110726 Firefox/8.0a1 Fennec/8.0a1 ID:20110726030825

Mozilla/5.0 (Android; Linux armv7l; rv:7.0a2) Gecko/20110726 Firefox/7.0a2 Fennec/7.0a2 ID:20110726042816
