Firefox 9.0 Crash Report [@ nsUrlClassifierPrefixSet::Contains(unsigned int, int*) ]




Safe Browsing
6 years ago
3 years ago


(Reporter: Tomcat, Assigned: gcp)



9 Branch
Firefox 11
Windows XP

Firefox Tracking Flags

(firefox9+ fixed, firefox10+ fixed)


(Whiteboard: [qa-], crash signature)


(1 attachment)



6 years ago
Firefox 9.0 Crash Report [@ nsUrlClassifierPrefixSet::Contains(unsigned int, int*) ]
 see as example report.

General overview:

Seems there a lot of startup crashers.

Crashing Thread
Frame 	Module 	Signature [Expand] 	Source
0 	xul.dll 	nsUrlClassifierPrefixSet::Contains 	toolkit/components/url-classifier/nsUrlClassifierPrefixSet.cpp:234
1 	xul.dll 	nsUrlClassifierPrefixSet::Probe 	toolkit/components/url-classifier/nsUrlClassifierPrefixSet.cpp:307
2 	xul.dll 	nsUrlClassifierDBService::CheckClean 	
3 	xul.dll 	nsUrlClassifierDBService::LookupURI 	toolkit/components/url-classifier/nsUrlClassifierDBService.cpp:4218
4 	xul.dll 	nsUrlClassifierDBService::Classify 	toolkit/components/url-classifier/nsUrlClassifierDBService.cpp:4165
5 	xul.dll 	nsChannelClassifier::Start 	netwerk/base/src/nsChannelClassifier.cpp:123
6 	xul.dll 	nsHttpChannel::AsyncOpen 	netwerk/protocol/http/nsHttpChannel.cpp:3720
7 	xul.dll 	nsHttpChannel::ContinueProcessRedirection 	netwerk/protocol/http/nsHttpChannel.cpp:3454
8 	xul.dll 	nsHttpChannel::OnRedirectVerifyCallback 	netwerk/protocol/http/nsHttpChannel.cpp:4914
9 	xul.dll 	nsAsyncVerifyRedirectCallbackEvent::Run 	netwerk/base/src/nsAsyncRedirectVerifyHelper.cpp:77
10 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:631
11 	nspr4.dll 	_MD_CURRENT_THREAD 	nsprpub/pr/src/md/windows/w95thred.c:308
12 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
13 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/
14 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/
15 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:189
16 	xul.dll 	xul.dll@0xbc03bf 	
17 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:228
18 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3557
19 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:107
20 	firefox.exe 	firefox.exe@0x4033 	
21 	firefox.exe 	__tmainCRTStartup 	crtexe.c:594
22 	firefox.exe 	_SEH_epilog4 	
23 	kernel32.dll 	BaseProcessStart 	
24 	kernel32.dll 	FindAtomW 	
25 	kernel32.dll 	BaseProcessStart 	
26 	firefox.exe 	pre_c_init 	crtexe.c:304

Comment 1

6 years ago
Looks similar to bug 702217 but when the urlclassifier.pset file is corrupted instead of the urlclassifier3.sqlite one.

Comment 2

6 years ago
Created attachment 578231 [details] [diff] [review]
Patch 1. Check read data sizes. Sanity check during probe.
Assignee: nobody → gpascutto
Attachment #578231 - Flags: review?(dcamp)

Comment 3

6 years ago
Corrupted files can cause startup crashes until the user clears his profile.
tracking-firefox10: --- → ?
tracking-firefox9: --- → ?

Comment 4

6 years ago


6 years ago
Attachment #578231 - Flags: review?(dcamp) → review+

Comment 5

6 years ago

(comment 5 rev id is incorrect, this is the right one)
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 11


6 years ago
Attachment #578231 - Flags: approval-mozilla-beta?
Attachment #578231 - Flags: approval-mozilla-aurora?

Comment 7

6 years ago
- The patch adds more sanity checking before operating on values read from the database, bails out early if the database is detected to be corrupted, and detects if the file appears to be truncated.
- Users hitting the bug may be unable to use Firefox until they clear their profile.

- This triggers when the database is corrupted in a specific way. I suspect it may be trigger-able by cutting the urlclassifier.pset file short by about 2/3'rds.

Comment 8

6 years ago
Comment on attachment 578231 [details] [diff] [review]
Patch 1. Check read data sizes. Sanity check during probe.

[Triage Comment]
Approving for Aurora, but not a top crasher so minusing for beta at this point in the cycle.
Attachment #578231 - Flags: approval-mozilla-beta?
Attachment #578231 - Flags: approval-mozilla-beta-
Attachment #578231 - Flags: approval-mozilla-aurora?
Attachment #578231 - Flags: approval-mozilla-aurora+

Comment 9

6 years ago
Comment on attachment 578231 [details] [diff] [review]
Patch 1. Check read data sizes. Sanity check during probe.

[Triage Comment]
Upon further review, we'll take on beta due to the number of startup crashes associated with this bug. Please land asap.
Attachment #578231 - Flags: approval-mozilla-beta- → approval-mozilla-beta+

Comment 10

6 years ago
status-firefox10: --- → fixed
status-firefox9: --- → fixed
Is this fix testable by QA?
Whiteboard: [qa?]


6 years ago
tracking-firefox9: ? → +


6 years ago
tracking-firefox10: ? → +

Comment 12

6 years ago
>Is this fix testable by QA?

Truncate the urlclassifier.pset file in the profile somewhere around 1/3 of the size. Visit a webpage with a lot of links or images. The browser shouldn't crash. Not sure how easy it is to reproduce manually (you might need to truncate at a very specific point).
Given comment 12, I don't think it is feasible for QA to verify the fix in a timely manner. If someone is already set up to reproduce this bug, it would be appreciate for said person to verify the fix.

Whiteboard: [qa?] → [qa-]
Gian-Carlo - I see another similar crash signature in 10b5 - [@ nsUrlClassifierPrefixSet::StoreToFd(mozilla::AutoFDClose&) ] - to the reports. Will your fix address this crash as well or should I file a new bug?  Thanks.

Comment 15

6 years ago
This bug was marked "status-firefox10: fixed" over a month ago. If Firefox 10 is crashing now, the patches here obviously won't help that.

Comment 16

6 years ago
BTW. if you file the new bug please assign directly to me. I think I see what's wrong.
Component: Phishing Protection → Phishing Protection
Product: Firefox → Toolkit
You need to log in before you can comment on or make changes to this bug.