Closed Bug 721196 Opened 10 years ago Closed 6 years ago

Firefox Crash [@ nsUrlClassifierPrefixSet::StoreToFd(mozilla::AutoFDClose&) ]

(Toolkit :: Safe Browsing, defect, P5)

10 Branch
x86
Windows 7
defect

RESOLVED WONTFIX

(Reporter: marcia, Unassigned)

(Keywords: crash, Whiteboard: [startupcrash])

Seen while looking at crash stats data. http://tinyurl.com/6wk3b84 links to the crashes. Some in 9.0.1 and in 10.0b3, b4 and b5.

https://crash-stats.mozilla.com/report/index/3e489edd-7e5e-4bc2-8f8d-4f7ce2120124

Frame 	Module 	Signature 	Source
0 		@0xf4359ed0 	
1 	xul.dll 	nsUrlClassifierPrefixSet::StoreToFd 	toolkit/components/url-classifier/nsUrlClassifierPrefixSet.cpp:417
2 	xul.dll 	nsUrlClassifierPrefixSet::StoreToFile 	toolkit/components/url-classifier/nsUrlClassifierPrefixSet.cpp:463
3 	xul.dll 	nsUrlClassifierDBServiceWorker::ConstructPrefixSet 	toolkit/components/url-classifier/nsUrlClassifierDBService.cpp:3653
4 	xul.dll 	nsUrlClassifierDBServiceWorker::LoadPrefixSet 	toolkit/components/url-classifier/nsUrlClassifierDBService.cpp:3689
5 	xul.dll 	nsUrlClassifierDBServiceWorker::OpenDb 	toolkit/components/url-classifier/nsUrlClassifierDBService.cpp:3483
6 	xul.dll 	nsUrlClassifierDBServiceWorker::BeginUpdate 	toolkit/components/url-classifier/nsUrlClassifierDBService.cpp:2884
7 	xul.dll 	UrlClassifierDBServiceWorkerProxy::BeginUpdateRunnable::Run 	toolkit/components/url-classifier/nsUrlClassifierProxies.cpp:105
8 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:631
9 	xul.dll 	nsRunnable::Release 	obj-firefox/xpcom/build/nsThreadUtils.cpp:55
10 	nspr4.dll 	_PR_NativeRunThread 	nsprpub/pr/src/threads/combined/pruthr.c:426
11 	nspr4.dll 	pr_root 	nsprpub/pr/src/md/windows/w95thred.c:122
12 	msvcr80.dll 	_callthreadstartex 	f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c:348
13 	msvcr80.dll 	_threadstartex 	f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c:326
14 	kernel32.dll 	BaseThreadStart
When I first looked at this, I checked the docs for OpenNSPRFileDesc, which note that the fd is NULL on failure, and thought my code was wrong by only checking rv.

However the OpenNSPRFileDesc that's actually exposed seems to set the return value correctly:

https://mxr.mozilla.org/mozilla-central/source/xpcom/io/nsLocalFileWin.cpp#343
https://mxr.mozilla.org/mozilla-central/source/xpcom/io/nsLocalFileWin.cpp#883

Then I looked at AutoCloseFD:

https://mxr.mozilla.org/mozilla-central/source/xpcom/glue/FileUtils.h#68

I'm the only one passing them around by reference, so I was scared for a moment that the marked line + line 61 could cause it to be closed at the function call. But afaik taking a reference will *not* invoke the address-of operator.

So, I have no idea what's wrong here. There seems to be plenty of code using the same open/write idiom, and fileFd seems to be the only thing that could be invalid here:

PRUint32 magic = PREFIXSET_VERSION_MAGIC;
written = PR_Write(fileFd, &magic, sizeof(PRUint32));
A few lines higher, there's this call:

mozilla::fallocate(fileFd, size);

Taras, is it possible for this to fail in such a manner that fileFd gets invalidated?
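Added illustration of the two points raised in the comment above (not Mozilla code, and not taken from nsUrlClassifierPrefixSet.cpp): a small RAII descriptor holder standing in for AutoFDClose, a store routine that validates the descriptor before writing instead of trusting only the open call's status, and a demonstration that passing the holder by reference leaves the descriptor open. ScopedFd, openForWrite, storeToFd, storeToFile, kMagic and the /tmp path are all constructed for this example; POSIX open/write replace the NSPR calls in the bug.

```cpp
// Constructed example (not Mozilla code) for the open/write idiom discussed in
// this bug: check the descriptor itself, not just the status code.
#include <cstdint>
#include <cstdio>
#include <fcntl.h>
#include <unistd.h>

// Hypothetical stand-in for mozilla::AutoFDClose: owns a POSIX fd and closes
// it when the holder goes out of scope. Copying is forbidden so a descriptor
// can never be closed twice by accident.
class ScopedFd {
public:
    explicit ScopedFd(int fd = -1) : mFd(fd) {}
    ~ScopedFd() { reset(); }
    ScopedFd(const ScopedFd&) = delete;
    ScopedFd& operator=(const ScopedFd&) = delete;
    int get() const { return mFd; }
    bool valid() const { return mFd >= 0; }
    void reset(int fd = -1) { if (mFd >= 0) close(mFd); mFd = fd; }
private:
    int mFd;
};

// Constructed header value; the real PREFIXSET_VERSION_MAGIC is not reproduced.
static const uint32_t kMagic = 0x50534554u;

enum Status { OK = 0, ERR_OPEN = 1, ERR_BAD_FD = 2, ERR_WRITE = 3 };

// Mirrors the shape of OpenNSPRFileDesc: a status code plus an out-parameter.
// A caller that checks only the status can still end up with an unusable fd
// if the two ever disagree, which is the concern in comment 2.
Status openForWrite(const char* path, ScopedFd& out) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return ERR_OPEN;
    out.reset(fd);
    return OK;
}

// Taking ScopedFd by reference neither copies nor closes the descriptor; the
// holder is validated before any write so an invalid fd is reported, not used.
Status storeToFd(ScopedFd& fd) {
    if (!fd.valid()) return ERR_BAD_FD;
    uint32_t magic = kMagic;
    ssize_t written = write(fd.get(), &magic, sizeof(magic));
    if (written != static_cast<ssize_t>(sizeof(magic))) return ERR_WRITE;
    return OK;
}

// Corrected form of the idiom: both the status and the holder are checked.
Status storeToFile(const char* path) {
    ScopedFd fd;
    Status rv = openForWrite(path, fd);
    if (rv != OK) return rv;
    if (!fd.valid()) return ERR_BAD_FD;   // the check the original code skipped
    Status st = storeToFd(fd);            // fd is still open after this call
    return st;                            // ScopedFd closes it on return
}

// Simulates an open that "succeeded" by status but left the holder empty.
Status storeToInvalidFd() {
    ScopedFd neverOpened;
    return storeToFd(neverOpened);
}

// Reads the header back so the demonstration can confirm the write landed.
bool magicRoundTrips(const char* path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return false;
    uint32_t got = 0;
    ssize_t n = read(fd, &got, sizeof(got));
    close(fd);
    return n == static_cast<ssize_t>(sizeof(got)) && got == kMagic;
}

int main() {
    const char* path = "/tmp/prefixset_demo.bin";   // constructed path
    std::printf("storeToFile: %d, round trip: %s\n", storeToFile(path),
                magicRoundTrips(path) ? "ok" : "failed");
    std::printf("storeToInvalidFd: %d (expected %d)\n", storeToInvalidFd(), ERR_BAD_FD);
    unlink(path);
    return 0;
}
```

The point of storeToInvalidFd is the crash scenario the comment worries about: with the validity check in place, a holder that never received a descriptor yields a status code instead of a write on a bad fd.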
(In reply to Gian-Carlo Pascutto (:gcp) from comment #2)
> A few lines higher, there's this call:
> 
> mozilla::fallocate(fileFd, size);
> 
> Taras, is it possible for this to fail in such a manner that fileFd gets
> invalidated?

This does not look like an invalid fd error, so no I do not see how fallocate could cause this.
Hmm, looking at the fallocate code also shows nothing that can explain this. 

Most or almost all of these are startup crashes. This looks similar to Bug 597260.
It's #32 top browser crasher in 11.0 and #26 in 12.0b4.
Keywords: topcrash
Whiteboard: [startupcrash]
It's #592 top browser crasher in 13.0.1.
Keywords: topcrash
Duplicate of this bug: 794146
Crash Signature: [@ nsUrlClassifierPrefixSet::StoreToFd(mozilla::AutoFDClose&) ] → [@ nsUrlClassifierPrefixSet::StoreToFd(mozilla::AutoFDClose&)] [@ nsUrlClassifierPrefixSet::StoreToFile(nsIFile*)]
Crash Signature: [@ nsUrlClassifierPrefixSet::StoreToFd(mozilla::AutoFDClose&)] [@ nsUrlClassifierPrefixSet::StoreToFile(nsIFile*)] → [@ nsUrlClassifierPrefixSet::StoreToFd(mozilla::AutoFDClose&)] [@ nsUrlClassifierPrefixSet::StoreToFile(nsIFile*)] [@ nsUrlClassifierPrefixSet::LoadFromFd(mozilla::Scoped<mozilla::ScopedClosePRFDTraits>&)]
Product: Firefox → Toolkit
Crash Signature: [@ nsUrlClassifierPrefixSet::StoreToFd(mozilla::AutoFDClose&)] [@ nsUrlClassifierPrefixSet::StoreToFile(nsIFile*)] [@ nsUrlClassifierPrefixSet::LoadFromFd(mozilla::Scoped<mozilla::ScopedClosePRFDTraits>&)] → [@ nsUrlClassifierPrefixSet::StoreToFd(mozilla::AutoFDClose&)] [@ nsUrlClassifierPrefixSet::StoreToFile(nsIFile*)] [@ nsUrlClassifierPrefixSet::LoadFromFd(mozilla::Scoped<mozilla::ScopedClosePRFDTraits>&)] [@ nsUrlClassifierPrefixSet::StoreToFd] [@ ns…
Assignee: gpascutto → nobody
Priority: -- → P2
Priority: P2 → P5
This is not actionable. Closing.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX