Closed Bug 706049 Opened 13 years ago Closed 13 years ago

Firefox 9.0 Crash Report [@ nsUrlClassifierPrefixSet::Contains(unsigned int, int*) ]

Categories

(Toolkit :: Safe Browsing, defect)

Product:
Toolkit
Component:
Safe Browsing
Version:
9 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Firefox 11
Tracking Flags:
Tracking Status
firefox9 + fixed
firefox10 + fixed

People

(Reporter: cbook, Assigned: gcp)

Details

(Keywords: crash, Whiteboard: [qa-])

Crash Data

Attachments

(1 file)

Patch 1. Check read data sizes. Sanity check during probe.
3.76 KB, patch
dcamp
: review+
akeybl
: approval-mozilla-aurora+
akeybl
: approval-mozilla-beta+
Details | Diff | Splinter Review
Firefox 9.0 Crash Report [@ nsUrlClassifierPrefixSet::Contains(unsigned int, int*) ] see https://crash-stats.mozilla.com/report/index/d24025aa-019a-4937-95b4-2026c2111127 as example report. General overview: https://crash-stats.mozilla.com/report/index/d24025aa-019a-4937-95b4-2026c2111127 Seems there a lot of startup crashers. Stack: Crashing Thread Frame Module Signature [Expand] Source 0 xul.dll nsUrlClassifierPrefixSet::Contains toolkit/components/url-classifier/nsUrlClassifierPrefixSet.cpp:234 1 xul.dll nsUrlClassifierPrefixSet::Probe toolkit/components/url-classifier/nsUrlClassifierPrefixSet.cpp:307 2 xul.dll nsUrlClassifierDBService::CheckClean 3 xul.dll nsUrlClassifierDBService::LookupURI toolkit/components/url-classifier/nsUrlClassifierDBService.cpp:4218 4 xul.dll nsUrlClassifierDBService::Classify toolkit/components/url-classifier/nsUrlClassifierDBService.cpp:4165 5 xul.dll nsChannelClassifier::Start netwerk/base/src/nsChannelClassifier.cpp:123 6 xul.dll nsHttpChannel::AsyncOpen netwerk/protocol/http/nsHttpChannel.cpp:3720 7 xul.dll nsHttpChannel::ContinueProcessRedirection netwerk/protocol/http/nsHttpChannel.cpp:3454 8 xul.dll nsHttpChannel::OnRedirectVerifyCallback netwerk/protocol/http/nsHttpChannel.cpp:4914 9 xul.dll nsAsyncVerifyRedirectCallbackEvent::Run netwerk/base/src/nsAsyncRedirectVerifyHelper.cpp:77 10 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:631 11 nspr4.dll _MD_CURRENT_THREAD nsprpub/pr/src/md/windows/w95thred.c:308 12 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:110 13 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:201 14 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:175 15 xul.dll nsBaseAppShell::Run widget/src/xpwidgets/nsBaseAppShell.cpp:189 16 xul.dll xul.dll@0xbc03bf 17 xul.dll nsAppStartup::Run toolkit/components/startup/nsAppStartup.cpp:228 18 xul.dll XRE_main toolkit/xre/nsAppRunner.cpp:3557 19 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:107 20 firefox.exe firefox.exe@0x4033 21 firefox.exe __tmainCRTStartup crtexe.c:594 22 firefox.exe _SEH_epilog4 23 kernel32.dll BaseProcessStart 24 kernel32.dll FindAtomW 25 kernel32.dll BaseProcessStart 26 firefox.exe pre_c_init crtexe.c:304
Looks similar to bug 702217 but when the urlclassifier.pset file is corrupted instead of the urlclassifier3.sqlite one.
Assignee: nobody → gpascutto
Status: NEW → ASSIGNED
Attachment #578231 - Flags: review?(dcamp)
Corrupted files can cause startup crashes until the user clears his profile.
tracking-firefox10: --- → ?
tracking-firefox9: --- → ?
Attachment #578231 - Flags: review?(dcamp) → review+
https://hg.mozilla.org/mozilla-central/rev/cddc8b0ba0b6 (comment 5 rev id is incorrect, this is the right one)
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 11
Attachment #578231 - Flags: approval-mozilla-beta?
Attachment #578231 - Flags: approval-mozilla-aurora?
- The patch adds more sanity checking before operating on values read from the database, bails out early if the database is detected to be corrupted, and detects if the file appears to be truncated. - Users hitting the bug may be unable to use Firefox until they clear their profile. - This triggers when the database is corrupted in a specific way. I suspect it may be trigger-able by cutting the urlclassifier.pset file short by about 2/3'rds.
Comment on attachment 578231 [details] [diff] [review] Patch 1. Check read data sizes. Sanity check during probe. [Triage Comment] Approving for Aurora, but not a top crasher so minusing for beta at this point in the cycle.
Attachment #578231 - Flags: approval-mozilla-beta?
Attachment #578231 - Flags: approval-mozilla-beta-
Attachment #578231 - Flags: approval-mozilla-aurora?
Attachment #578231 - Flags: approval-mozilla-aurora+
Comment on attachment 578231 [details] [diff] [review] Patch 1. Check read data sizes. Sanity check during probe. [Triage Comment] Upon further review, we'll take on beta due to the number of startup crashes associated with this bug. Please land asap.
Attachment #578231 - Flags: approval-mozilla-beta- → approval-mozilla-beta+
Is this fix testable by QA?
Whiteboard: [qa?]
>Is this fix testable by QA? Truncate the urlclassifier.pset file in the profile somewhere around 1/3 of the size. Visit a webpage with a lot of links or images. The browser shouldn't crash. Not sure how easy it is to reproduce manually (you might need to truncate at a very specific point).
Given comment 12, I don't think it is feasible for QA to verify the fix in a timely manner. If someone is already set up to reproduce this bug, it would be appreciate for said person to verify the fix. Thanks
Whiteboard: [qa?] → [qa-]
Gian-Carlo - I see another similar crash signature in 10b5 - [@ nsUrlClassifierPrefixSet::StoreToFd(mozilla::AutoFDClose&) ] - http://tinyurl.com/6wk3b84 to the reports. Will your fix address this crash as well or should I file a new bug? Thanks.
This bug was marked "status-firefox10: fixed" over a month ago. If Firefox 10 is crashing now, the patches here obviously won't help that.
BTW. if you file the new bug please assign directly to me. I think I see what's wrong.
Product: Firefox → Toolkit
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: