Bug 792342 - Nightly crashed when trying to display site using custom kernel
Status: RESOLVED INCOMPLETE (Closed)
Opened 12 years ago; Closed 4 years ago
Categories: Firefox for Android Graveyard :: General, defect
Tracking: Not tracked
People: Reporter: michalpurzynski1, Unassigned
Details: Keywords: crash, csectype-nullptr; Whiteboard: [native-crash]
https://blog.mozilla.org/tanvi/2012/09/18/user-specified-content-security-policy/
Every time I try to enter this page on nightly (recent, just updated) on Android it crashes. Tried on SGS3.
Steps to reproduce:
1. Click on a link (didn't type it directly)
2. Get a crash
I can reproduce it anytime here.
Flagged as security, might be a memory problem.
Comment 1•12 years ago
What kind of crash? Sounds like a dup of 792101.
Comment 2•12 years ago
Can you look into about:crashes and give us a crash ID?
Comment 3 (Reporter)•12 years ago
Comment 4 (Reporter)•12 years ago
BTW for me it looks like it's 790139. Didn't enable reader mode, but all the rest seems to be the same. I'm using CM 10, which has a custom kernel.
Comment 5 (Reporter)•12 years ago
BTW2 - just checked on some random Wikipedia page and enabling reader mode crashes Nightly every time.
Comment 6•12 years ago
I don't think this needs to be security sensitive, but cc'ing some devs.
Comment 7 (Reporter)•12 years ago
Made it so because we don't (yet) know that.
BTW3 - I have the same crash on Firefox Beta on the same device and system. Triggered by visiting wiki.mozilla.org, crashes every time.
I have no repro on stock 4.1.1 (Galaxy Nexus) with today's Nightly (just installed)
Updated•12 years ago
Summary: Nightly crashed when trying to display site → Nightly crashed when trying to display site using custom kernel
Comment 9•12 years ago
The stacks look like a null deref (but they're pretty useless), and the crash doesn't happen on generally used stock Android so I don't think we need to keep this one hidden.
Group: core-security
Keywords: crash, csec-nullptr
Comment 10•12 years ago
(In reply to Michal Purzynski [:michal`] from comment #5)
> BTW2 - just checked on some random Wikipedia page and enabling reader mode
> crashes Nightly every time.
Just so we're on the same page - when you say "enabling reader mode", do you mean clicking the reader icon in the URL bar? I'm confused because you say in comment 7 that you can reproduce the same crash just by visiting wiki.mozilla.org. Or do you mean you disabled the reader mode parsing itself (which I believe would require creating a custom build since we don't have any way to toggle this in the UI)?
Comment 11•12 years ago
If this is only from enabling Reader Mode, then it sounds like a dupe of bug 790139.
Comment 12 (Reporter)•12 years ago
There are two independent use cases here:
1. Visit a page like wiki.mozilla.org -> crash after a few seconds. That's just it and nothing more.
2. Enabling reader mode on any other site -> instant crash.
Downloading and setting up a full Android and Fennec development environment now, will take a while but I should have a nice stack trace for you tomorrow. I'm in the CEST zone and it's 8:46pm now. That's why tomorrow.
It will also be easier if you need something more.
Comment 13•12 years ago
I am able to consistently crash the latest (9-21-2012) by going to "about:crashes" and waiting 2 seconds. Same happens by going to "about:config" and typing anything in the box.
I'm on CM10 on Galaxy Nexus VZW.
Comment 14•12 years ago
Here is a stack and dump from a Nexus S running CM10 attempting to load about:crashes
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 12411]
0x580dcbae in ?? ()
(gdb) bt
#0 0x580dcbae in ?? ()
#1 0x58033e24 in ?? ()
#2 0x58033e24 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) x/20i $pc-40
0x580dcb86: mov r8, r6
0x580dcb88: add r10, pc
0x580dcb8a: b.n 0x580dcbac
0x580dcb8c: bic.w r2, r2, #4064 ; 0xfe0
0x580dcb90: mov r0, r4
0x580dcb92: bic.w r2, r2, #31
0x580dcb96: ldrb r2, [r2, #12]
0x580dcb98: ldr.w r2, [r10, r2, lsl #2]
0x580dcb9c: blx r3
0x580dcb9e: str.w r8, [r4, #8]
0x580dcba2: str.w r8, [r4, #12]
0x580dcba6: adds r6, #1
0x580dcba8: cmp r6, r5
0x580dcbaa: beq.n 0x580dcc48
0x580dcbac: mov r1, r7
=> 0x580dcbae: ldr.w r3, [r7], #4
0x580dcbb2: cmp r3, #0
0x580dcbb4: beq.n 0x580dcba6
0x580dcbb6: ldr r3, [r4, #4]
0x580dcbb8: str.w r8, [r4, #8]
Comment 15•12 years ago
CC'ing Marty in case this might be Ion/JS related
The nightly and my build both have the "push sp" fix
Comment 16 (Reporter)•12 years ago
Program received signal SIGSEGV, Segmentation fault.
Loading libraries and symbols...
warning: Could not load shared library symbols for org.mozilla.fennec_michal.
Do you need "set solib-search-path" or "set sysroot"?
[Switching to Thread 26382]
0x6458a574 in ft_module_get_service () from /home/michal/mozilla-central/objdir-droid/dist/bin/libxul.so
(gdb) bt
#0 0x6458a574 in ft_module_get_service () from /home/michal/mozilla-central/objdir-droid/dist/bin/libxul.so
Ignoring packet error, continuing...
Ignoring packet error, continuing...
Ignoring packet error, continuing...
Ignoring packet error, continuing...
Ignoring packet error, continuing...
#1 0x645c1b64 in sfnt_init_face () from /home/michal/mozilla-central/objdir-droid/dist/bin/libxul.so
#2 0x6459361c in tt_face_init () from /home/michal/mozilla-central/objdir-droid/dist/bin/libxul.so
#3 0x64587090 in open_face () from /home/michal/mozilla-central/objdir-droid/dist/bin/libxul.so
#4 0x64588126 in FT_Open_Face () from /home/michal/mozilla-central/objdir-droid/dist/bin/libxul.so
#5 0x6458719e in FT_New_Memory_Face () from /home/michal/mozilla-central/objdir-droid/dist/bin/libxul.so
#6 0x640e4cd6 in FT2FontEntry::CreateFontEntry (aProxyEntry=..., aFontData=0x6a4e8000 "", aLength=82372)
at /home/michal/mozilla-central/gfx/thebes/gfxFT2FontList.cpp:170
#7 0x640e4d38 in gfxFT2FontList::MakePlatformFont (this=<optimized out>, aProxyEntry=<optimized out>, aFontData=<optimized out>,
aLength=82372) at /home/michal/mozilla-central/gfx/thebes/gfxFT2FontList.cpp:1138
#8 0x640e2db4 in gfxAndroidPlatform::MakePlatformFont (this=<optimized out>, aProxyEntry=0x6a4e8000,
aFontData=0x141c4 <Address 0x141c4 out of bounds>, aLength=82372) at /home/michal/mozilla-central/gfx/thebes/gfxAndroidPlatform.cpp:164
#9 0x640ddf5e in gfxUserFontSet::LoadFont (this=0x64b67ca0, aProxy=0x66d9df00, aFontData=0x64f29000 "wOFF", aLength=<optimized out>)
at /home/michal/mozilla-central/gfx/thebes/gfxUserFontSet.cpp:690
#10 0x640de506 in gfxUserFontSet::OnLoadComplete (this=0x64b67ca0, aProxy=0x66d9df00, aFontData=0x64f29000 "wOFF", aLength=44739,
aDownloadStatus=NS_OK) at /home/michal/mozilla-central/gfx/thebes/gfxUserFontSet.cpp:472
#11 0x63aa3b5e in nsFontFaceLoader::OnStreamComplete (this=0x69225a90, aLoader=0x6531c860, aContext=<optimized out>, aStatus=NS_OK,
aStringLen=44739, aString=0x64f29000 "wOFF") at /home/michal/mozilla-central/layout/style/nsFontFaceLoader.cpp:211
#12 0x639309ba in nsStreamLoader::OnStopRequest (this=0x6531c860, request=<optimized out>, ctxt=<optimized out>, aStatus=NS_OK)
at /home/michal/mozilla-central/netwerk/base/src/nsStreamLoader.cpp:95
#13 0x63b11c10 in nsCORSListenerProxy::OnStopRequest (this=0x69203400, aRequest=0x64f29000, aContext=0x0, aStatusCode=1589067776)
at /home/michal/mozilla-central/content/base/src/nsCrossSiteListenerProxy.cpp:572
#14 0x63934ae2 in nsStreamListenerWrapper::OnStopRequest (this=<optimized out>, aRequest=0x64f29000, aContext=0x0, aStatusCode=1589067776)
at ../../../dist/include/nsStreamListenerWrapper.h:25
#15 0x6393084e in nsStreamListenerTee::OnStopRequest (this=0x62143800, request=0x69422c30, context=0x0, status=NS_OK)
at /home/michal/mozilla-central/netwerk/base/src/nsStreamListenerTee.cpp:49
#16 0x6397a904 in mozilla::net::nsHttpChannel::OnStopRequest (this=0x69422c00, request=0x0, ctxt=<optimized out>, status=NS_OK)
at /home/michal/mozilla-central/netwerk/protocol/http/nsHttpChannel.cpp:4970
#17 0x63920e7c in nsInputStreamPump::OnStateStop (this=0x692460b0) at /home/michal/mozilla-central/netwerk/base/src/nsInputStreamPump.cpp:552
#18 0x63921094 in nsInputStreamPump::OnInputStreamReady (this=0x692460b0, stream=<optimized out>)
at /home/michal/mozilla-central/netwerk/base/src/nsInputStreamPump.cpp:374
#19 0x6407ddfe in nsInputStreamReadyEvent::Run (this=0x5fd4c2c0) at /home/michal/mozilla-central/xpcom/io/nsStreamUtils.cpp:161
#20 0x64087df6 in nsThread::ProcessNextEvent (this=0x5eb564c0, mayWait=<optimized out>, result=0x5ff8b927)
at /home/michal/mozilla-central/xpcom/threads/nsThread.cpp:612
#21 0x640689ee in NS_ProcessNextEvent_P (thread=0x692460b0, mayWait=true)
at /home/michal/mozilla-central/objdir-droid/xpcom/build/nsThreadUtils.cpp:220
#22 0x63fb63f6 in mozilla::ipc::MessagePump::Run (this=0x5eb53280, aDelegate=0x5eb7f0e0)
at /home/michal/mozilla-central/ipc/glue/MessagePump.cpp:117
#23 0x640a8530 in MessageLoop::RunInternal (this=0x645f1c8d) at /home/michal/mozilla-central/ipc/chromium/src/base/message_loop.cc:208
#24 0x640a85e6 in RunHandler (this=<optimized out>) at /home/michal/mozilla-central/ipc/chromium/src/base/message_loop.cc:201
---Type <return> to continue, or q <return> to quit---
#25 MessageLoop::Run (this=0x5eb7f0e0) at /home/michal/mozilla-central/ipc/chromium/src/base/message_loop.cc:175
#26 0x63f43a7c in nsBaseAppShell::Run (this=0x5eb54590) at /home/michal/mozilla-central/widget/xpwidgets/nsBaseAppShell.cpp:163
#27 0x63e8de70 in nsAppStartup::Run (this=0x5fd4b790) at /home/michal/mozilla-central/toolkit/components/startup/nsAppStartup.cpp:290
#28 0x63909cea in XREMain::XRE_mainRun (this=0x5ff8baec) at /home/michal/mozilla-central/toolkit/xre/nsAppRunner.cpp:3782
#29 0x6390c354 in XREMain::XRE_main (this=0x5ff8baec, argc=<optimized out>, argv=0x5eb73048, aAppData=<optimized out>)
at /home/michal/mozilla-central/toolkit/xre/nsAppRunner.cpp:3848
#30 0x6390c4a4 in XRE_main (argc=7, argv=0x5eb73048, aAppData=0x5bd80768, aFlags=<optimized out>)
at /home/michal/mozilla-central/toolkit/xre/nsAppRunner.cpp:3923
#31 0x6390f71c in GeckoStart (data=0x5d3f1d58, appData=0x5bd80768) at /home/michal/mozilla-central/toolkit/xre/nsAndroidStartup.cpp:73
#32 0x5bd6fd62 in Java_org_mozilla_gecko_GeckoAppShell_nativeRun (jenv=0x5c010b28, jc=<optimized out>, jargs=0x20200005)
at /home/michal/mozilla-central/mozglue/android/APKOpen.cpp:983
#33 0x407b1ff4 in ?? ()
#34 0x407b1ff4 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb)
I have a dev env set up (or so I hope) and can provide any information you may need.
BTW - corrupt stack.:dveditz?
I get the same crash as michal on CM10/SGS3 no matter what page I open: when it finishes loading, just before the loading wheel thing stops spinning, it crashes. No reader mode, even after data wipe. Similar trace, too. I can probably attach it if that helps, but I believe it's the same crash.
On CM10/SGT10.1 with Nightly there is no such crash, for example. This started about 3 weeks ago or so, although both CM10 and Nightly got several updates.
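The backtrace in comment 16 is long and carries gdb chatter, wrapped frame lines, and one argument gdb could not read (`aFontData=0x141c4 <Address 0x141c4 out of bounds>` in frame 8, next to a perfectly readable `aFontData` in frame 9), which is the kind of inconsistency that makes a triager trust the stack less. The script below is an added example, not code from this bug or from Mozilla: it parses a `bt` dump into frames, reports the faulting function, the first frame with in-tree source (the place to start reading), any out-of-bounds argument values, and whether gdb itself warned of a corrupt stack. The function and class names (`parse_backtrace`, `triage`, `Frame`) are my own; `SAMPLE_BT` is a constructed, abridged copy of the comment 16 trace.

```python
"""Triage helper for gdb backtraces (added example, not from the bug or Mozilla)."""
import re
from dataclasses import dataclass
from typing import Optional

# gdb output lines that are not frames and carry no triage information.
NOISE = ("Ignoring packet error", "---Type <return>", "(gdb)", "Loading libraries",
         "warning:", "Do you need", "[Switching to Thread", "Program received signal")

# "#N  0xADDR in func (args) at file:line" or "... from libfoo.so"; address optional.
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:(?P<addr>0x[0-9a-fA-F]+) in )?(?P<func>.+?) "
    r"\((?P<args>.*)\)"
    r"(?: at (?P<file>\S+):(?P<line>\d+)| from (?P<lib>\S+))?$",
    re.S,
)
# Argument values gdb printed but could not dereference.
OOB_RE = re.compile(r"(\w+)=0x[0-9a-fA-F]+ <Address 0x[0-9a-fA-F]+ out of bounds>")


@dataclass
class Frame:
    num: int
    func: str
    args: str
    addr: Optional[str] = None
    file: Optional[str] = None
    line: Optional[int] = None
    lib: Optional[str] = None


def join_frames(text):
    """Glue wrapped frame lines back onto their '#N' line and drop gdb chatter."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(NOISE) or line.startswith("Backtrace stopped"):
            continue
        if line.startswith("#"):
            records.append(line)
        elif records:  # continuation of the previous frame ("at file:line", more args)
            records[-1] += " " + line
    return records


def parse_backtrace(text):
    frames = []
    for rec in join_frames(text):
        m = FRAME_RE.match(rec)
        if not m:
            continue
        frames.append(Frame(num=int(m["num"]), func=m["func"].strip(), args=m["args"],
                            addr=m["addr"], file=m["file"],
                            line=int(m["line"]) if m["line"] else None, lib=m["lib"]))
    return frames


def first_source_frame(frames):
    """First frame gdb could map to a source file: where to start reading code."""
    return next((f for f in frames if f.file), None)


def out_of_bounds_args(frames):
    """(frame number, argument name) for every argument gdb flagged as unreadable."""
    return [(f.num, name) for f in frames for name in OOB_RE.findall(f.args)]


def triage(text):
    frames = parse_backtrace(text)
    top = frames[0] if frames else None
    src = first_source_frame(frames)
    return {
        "top_function": top.func if top else None,
        "top_symbolized": bool(top and top.func != "??"),
        "first_source": (src.func, src.file, src.line) if src else None,
        "corrupt_stack_warning": "corrupt stack?" in text,
        "out_of_bounds_args": out_of_bounds_args(frames),
        "frame_count": len(frames),
    }


# Constructed sample: an abridged copy of the comment 16 backtrace, keeping the
# wrapped "at file:line" lines and gdb's packet-error chatter.
SAMPLE_BT = """\
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 26382]
(gdb) bt
#0  0x6458a574 in ft_module_get_service () from /home/michal/mozilla-central/objdir-droid/dist/bin/libxul.so
Ignoring packet error, continuing...
#1  0x645c1b64 in sfnt_init_face () from /home/michal/mozilla-central/objdir-droid/dist/bin/libxul.so
#6  0x640e4cd6 in FT2FontEntry::CreateFontEntry (aProxyEntry=..., aFontData=0x6a4e8000 "", aLength=82372)
    at /home/michal/mozilla-central/gfx/thebes/gfxFT2FontList.cpp:170
#8  0x640e2db4 in gfxAndroidPlatform::MakePlatformFont (this=<optimized out>, aProxyEntry=0x6a4e8000,
    aFontData=0x141c4 <Address 0x141c4 out of bounds>, aLength=82372) at /home/michal/mozilla-central/gfx/thebes/gfxAndroidPlatform.cpp:164
#9  0x640ddf5e in gfxUserFontSet::LoadFont (this=0x64b67ca0, aProxy=0x66d9df00, aFontData=0x64f29000 "wOFF", aLength=<optimized out>)
    at /home/michal/mozilla-central/gfx/thebes/gfxUserFontSet.cpp:690
#33 0x407b1ff4 in ?? ()
#34 0x407b1ff4 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BT).items():
        print(f"{key}: {value}")
```

On the sample this reports `ft_module_get_service` as the faulting function, `FT2FontEntry::CreateFontEntry` at gfxFT2FontList.cpp:170 as the first in-tree frame, the unreadable `aFontData` in frame 8, and the corrupt-stack warning, which is roughly the checklist a triager runs through before deciding whether the trace is usable at all.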
Comment 18 (Reporter)•12 years ago
I've made some more tests. Nightly - crash, fresh build from mozilla-central - crash, Beta - crash.
I don't have any crashes on Galaxy Tab either (CM9).
Comment 19•12 years ago
That sounds like bug 790139. This bug even sounds like a dupe of bug 790139.
Updated•12 years ago
Whiteboard: [native-crash]
Comment 20•4 years ago
We have completed our launch of our new Firefox on Android. The development of the new versions use GitHub for issue tracking. If the bug report still reproduces in a current version of [Firefox on Android nightly](https://play.google.com/store/apps/details?id=org.mozilla.fenix) an issue can be reported at the [Fenix GitHub project](https://github.com/mozilla-mobile/fenix/). If you want to discuss your report please use [Mozilla's chat](https://wiki.mozilla.org/Matrix#Connect_to_Matrix) server https://chat.mozilla.org and join the [#fenix](https://chat.mozilla.org/#/room/#fenix:mozilla.org) channel.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INCOMPLETE
Updated•4 years ago
Product: Firefox for Android → Firefox for Android Graveyard