Firefox 9.0 Crash Report [@ nsUrlClassifierPrefixSet::Contains(unsigned int, int*) ]

RESOLVED FIXED in Firefox 9

Status


Toolkit
Safe Browsing
--
critical
RESOLVED FIXED
6 years ago
3 years ago

People

(Reporter: Tomcat, Assigned: gcp)

Tracking

({crash})

9 Branch
Firefox 11
x86
Windows XP
crash
Points:
---

Firefox Tracking Flags

(firefox9+ fixed, firefox10+ fixed)

Details

(Whiteboard: [qa-], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
Firefox 9.0 Crash Report [@ nsUrlClassifierPrefixSet::Contains(unsigned int, int*) ]
See https://crash-stats.mozilla.com/report/index/d24025aa-019a-4937-95b4-2026c2111127 as example report.

General overview: https://crash-stats.mozilla.com/report/index/d24025aa-019a-4937-95b4-2026c2111127

Seems there are a lot of startup crashers.

Stack:
Crashing Thread
Frame 	Module 	Signature 	Source
0 	xul.dll 	nsUrlClassifierPrefixSet::Contains 	toolkit/components/url-classifier/nsUrlClassifierPrefixSet.cpp:234
1 	xul.dll 	nsUrlClassifierPrefixSet::Probe 	toolkit/components/url-classifier/nsUrlClassifierPrefixSet.cpp:307
2 	xul.dll 	nsUrlClassifierDBService::CheckClean 	
3 	xul.dll 	nsUrlClassifierDBService::LookupURI 	toolkit/components/url-classifier/nsUrlClassifierDBService.cpp:4218
4 	xul.dll 	nsUrlClassifierDBService::Classify 	toolkit/components/url-classifier/nsUrlClassifierDBService.cpp:4165
5 	xul.dll 	nsChannelClassifier::Start 	netwerk/base/src/nsChannelClassifier.cpp:123
6 	xul.dll 	nsHttpChannel::AsyncOpen 	netwerk/protocol/http/nsHttpChannel.cpp:3720
7 	xul.dll 	nsHttpChannel::ContinueProcessRedirection 	netwerk/protocol/http/nsHttpChannel.cpp:3454
8 	xul.dll 	nsHttpChannel::OnRedirectVerifyCallback 	netwerk/protocol/http/nsHttpChannel.cpp:4914
9 	xul.dll 	nsAsyncVerifyRedirectCallbackEvent::Run 	netwerk/base/src/nsAsyncRedirectVerifyHelper.cpp:77
10 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:631
11 	nspr4.dll 	_MD_CURRENT_THREAD 	nsprpub/pr/src/md/windows/w95thred.c:308
12 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
13 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:201
14 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:175
15 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:189
16 	xul.dll 	xul.dll@0xbc03bf 	
17 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:228
18 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3557
19 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:107
20 	firefox.exe 	firefox.exe@0x4033 	
21 	firefox.exe 	__tmainCRTStartup 	crtexe.c:594
22 	firefox.exe 	_SEH_epilog4 	
23 	kernel32.dll 	BaseProcessStart 	
24 	kernel32.dll 	FindAtomW 	
25 	kernel32.dll 	BaseProcessStart 	
26 	firefox.exe 	pre_c_init 	crtexe.c:304
(Assignee)

Comment 1

6 years ago
Looks similar to bug 702217 but when the urlclassifier.pset file is corrupted instead of the urlclassifier3.sqlite one.
(Assignee)

Comment 2

6 years ago
Created attachment 578231 [details] [diff] [review]
Patch 1. Check read data sizes. Sanity check during probe.
Assignee: nobody → gpascutto
Status: NEW → ASSIGNED
Attachment #578231 - Flags: review?(dcamp)
(Assignee)

Comment 3

6 years ago
Corrupted files can cause startup crashes until the user clears his profile.
tracking-firefox10: --- → ?
tracking-firefox9: --- → ?
(Assignee)

Comment 4

6 years ago
https://tbpl.mozilla.org/?tree=Try&rev=35acdddc2d38

Updated

6 years ago
Attachment #578231 - Flags: review?(dcamp) → review+
(Assignee)

Comment 5

6 years ago
https://tbpl.mozilla.org/?tree=Mozilla-Inbound&rev=4be41994deb7

Comment 6

6 years ago
https://hg.mozilla.org/mozilla-central/rev/cddc8b0ba0b6

(comment 5 rev id is incorrect, this is the right one)
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 11
(Assignee)

Updated

6 years ago
Attachment #578231 - Flags: approval-mozilla-beta?
Attachment #578231 - Flags: approval-mozilla-aurora?
(Assignee)

Comment 7

6 years ago
- The patch adds more sanity checking before operating on values read from the database, bails out early if the database is detected to be corrupted, and detects if the file appears to be truncated.
- Users hitting the bug may be unable to use Firefox until they clear their profile.

- This triggers when the database is corrupted in a specific way. I suspect it may be trigger-able by cutting the urlclassifier.pset file short by about 2/3rds.
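
The kind of checking comment 7 describes (check read sizes, detect a truncated file, sanity-check before probing), as an added C++ example; it is not the attached patch or Mozilla code. The file layout, `kMagic`, the function names, the return codes of `Contains` and the `Sample` data are all assumptions made for illustration.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <vector>
// Assumed layout, for illustration only (NOT the real urlclassifier.pset format), host byte order:
// u32 magic, u32 indexCount, u32 deltaCount, u32 prefixes[indexCount], u32 starts[indexCount], u16 deltas[deltaCount]
static const uint32_t kMagic = 0x50534554;  // constructed value
struct PrefixSet { std::vector<uint32_t> prefixes, starts; std::vector<uint16_t> deltas; bool valid = false; };
// Copy n elements out of buf; fail before allocating if the file is too short for them.
template <typename T>
static bool ReadArray(const std::vector<uint8_t>& buf, size_t& off, size_t n, std::vector<T>& out) {
  if (n > (buf.size() - off) / sizeof(T)) return false;  // truncated file or bogus count
  out.resize(n);
  if (n) std::memcpy(out.data(), buf.data() + off, n * sizeof(T));
  off += n * sizeof(T);
  return true;
}

PrefixSet Load(const std::vector<uint8_t>& buf) {
  PrefixSet ps;
  std::vector<uint32_t> hdr;  // magic, indexCount, deltaCount
  size_t off = 0;
  if (!ReadArray(buf, off, 3, hdr) || hdr[0] != kMagic || !ReadArray(buf, off, hdr[1], ps.prefixes) ||
      !ReadArray(buf, off, hdr[1], ps.starts) || !ReadArray(buf, off, hdr[2], ps.deltas))
    return PrefixSet();
  for (size_t i = 0; i < ps.starts.size(); i++)  // starts must stay inside deltas, non-decreasing
    if (ps.starts[i] > ps.deltas.size() || (i && ps.starts[i] < ps.starts[i - 1])) return PrefixSet();
  ps.valid = true;
  return ps;
}

int Contains(const PrefixSet& ps, uint32_t target) {  // 1 present, 0 absent, -1 unusable set
  if (!ps.valid) return -1;  // bail out early; the caller should discard and rebuild
  auto it = std::upper_bound(ps.prefixes.begin(), ps.prefixes.end(), target);
  if (it == ps.prefixes.begin()) return 0;
  size_t i = size_t(it - ps.prefixes.begin()) - 1;
  size_t end = (i + 1 < ps.starts.size()) ? ps.starts[i + 1] : ps.deltas.size();
  uint64_t value = ps.prefixes[i];
  for (size_t d = ps.starts[i]; d < end && value < target; d++) value += ps.deltas[d];
  return value == target ? 1 : 0;
}
std::vector<uint8_t> Sample() {  // constructed: prefixes {100,1000}, starts {0,2}, deltas {5,10,20}
  const uint32_t w[] = {kMagic, 2, 3, 100, 1000, 0, 2};
  const uint16_t d[] = {5, 10, 20};
  std::vector<uint8_t> b(sizeof(w) + sizeof(d));
  std::memcpy(b.data(), w, sizeof(w));
  std::memcpy(b.data() + sizeof(w), d, sizeof(d));
  return b;
}
```

Because `Load` rejects any file whose arrays do not fit or whose start offsets point outside `deltas`, the loop in `Contains` never indexes past the end of the data, whatever the file on disk contains.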

Comment 8

6 years ago
Comment on attachment 578231 [details] [diff] [review]
Patch 1. Check read data sizes. Sanity check during probe.

[Triage Comment]
Approving for Aurora, but not a top crasher so minusing for beta at this point in the cycle.
Attachment #578231 - Flags: approval-mozilla-beta?
Attachment #578231 - Flags: approval-mozilla-beta-
Attachment #578231 - Flags: approval-mozilla-aurora?
Attachment #578231 - Flags: approval-mozilla-aurora+

Comment 9

6 years ago
Comment on attachment 578231 [details] [diff] [review]
Patch 1. Check read data sizes. Sanity check during probe.

[Triage Comment]
Upon further review, we'll take on beta due to the number of startup crashes associated with this bug. Please land asap.
Attachment #578231 - Flags: approval-mozilla-beta- → approval-mozilla-beta+
(Assignee)

Comment 10

6 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/43b28f79b85b
https://hg.mozilla.org/releases/mozilla-beta/rev/b898413a30e2
status-firefox10: --- → fixed
status-firefox9: --- → fixed

Is this fix testable by QA?
Whiteboard: [qa?]

Updated

6 years ago
tracking-firefox9: ? → +

Updated

5 years ago
tracking-firefox10: ? → +
(Assignee)

Comment 12

5 years ago
>Is this fix testable by QA?

Truncate the urlclassifier.pset file in the profile somewhere around 1/3 of the size. Visit a webpage with a lot of links or images. The browser shouldn't crash. Not sure how easy it is to reproduce manually (you might need to truncate at a very specific point).

Given comment 12, I don't think it is feasible for QA to verify the fix in a timely manner. If someone is already set up to reproduce this bug, it would be appreciated for said person to verify the fix.

Thanks
Whiteboard: [qa?] → [qa-]

Gian-Carlo - I see another similar crash signature in 10b5 - [@ nsUrlClassifierPrefixSet::StoreToFd(mozilla::AutoFDClose&) ] - http://tinyurl.com/6wk3b84 to the reports. Will your fix address this crash as well or should I file a new bug? Thanks.
(Assignee)

Comment 15

5 years ago
This bug was marked "status-firefox10: fixed" over a month ago. If Firefox 10 is crashing now, the patches here obviously won't help that.
(Assignee)

Comment 16

5 years ago
BTW, if you file the new bug please assign directly to me. I think I see what's wrong.
Component: Phishing Protection → Phishing Protection
Product: Firefox → Toolkit