Closed Bug 792342 Opened 12 years ago Closed 4 years ago

Nightly crashed when trying to display site using custom kernel

Categories

(Firefox for Android Graveyard :: General, defect)

18 Branch
ARM
Android
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: michalpurzynski1, Unassigned)

Details

(Keywords: crash, csectype-nullptr, Whiteboard: [native-crash])

https://blog.mozilla.org/tanvi/2012/09/18/user-specified-content-security-policy/

Every time I try to enter this page on nightly (recent, just updated) on Android it crashes. Tried on SGS3.

Steps to reproduce:
1. Click on a link (didn't type it directly)
2. Get a crash

I can reproduce it anytime here. Flagged as security, might be a memory problem.
What kind of crash? Sounds like a dup of 792101.
Can you look into about:crashes and give us a crash id?
BTW for me it looks like it's 790139. Didn't enable reader mode, but all the rest seems to be the same. I'm using CM 10, which has a custom kernel.
BTW2 - just checked on some random Wikipedia page and enabling reader mode crashes Nightly every time.
I don't think this needs to be security sensitive, but cc'ing some devs.
Made it so because we don't (yet) know that. BTW3 - I have the same crash on Firefox Beta on the same device and system. Triggered by visiting wiki.mozilla.org, crashes every time.
I have no repro on stock 4.1.1 (Galaxy Nexus) with today's Nightly (just installed)
Summary: Nightly crashed when trying to display site → Nightly crashed when trying to display site using custom kernel
The stacks look like a null deref (but they're pretty useless), and the crash doesn't happen on generally used stock Android so i don't think we need to keep this one hidden.
Group: core-security
Keywords: crash, csec-nullptr
(In reply to Michal Purzynski [:michal`] from comment #5)
> BTW2 - just checked on some random Wikipedia page and enabling reader mode
> crashes Nightly every time.

Just so we're on the same page - when you say "enabling reader mode", do you mean clicking the reader icon in the URL bar? I'm confused because you say in comment 7 that you can reproduce the same crash just by visiting wiki.mozilla.org. Or do you mean you disabled the reader mode parsing itself (which I believe would require creating a custom build since we don't have any way to toggle this in the UI)?
If this is only from enabling Reader Mode, then it sounds like a dupe of bug 790139.
There are two independent use cases here:
1. Visit a page like wiki.mozilla.org -> crash after a few seconds. That's just it and nothing more.
2. Enabling reader mode on any other site -> instant crash.

Downloading and setting up a full Android and Fennec development environment now, will take a while but I should have a nice stack trace for you tomorrow. I'm in the CEST zone and it's 8:46pm now. That's why tomorrow. It will also be easier if you need something more.
I am able to consistently crash the latest (9-21-2012) by going to "about:crashes" and waiting 2 seconds. Same happens by going to "about:config" and typing anything in the box. I'm on CM10 on Galaxy Nexus VZW.
Here is a stack and dump from a Nexus S running CM10 attempting to load about:crashes

```
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 12411]
0x580dcbae in ?? ()
(gdb) bt
#0  0x580dcbae in ?? ()
#1  0x58033e24 in ?? ()
#2  0x58033e24 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) x/20i $pc-40
   0x580dcb86:  mov     r8, r6
   0x580dcb88:  add     r10, pc
   0x580dcb8a:  b.n     0x580dcbac
   0x580dcb8c:  bic.w   r2, r2, #4064   ; 0xfe0
   0x580dcb90:  mov     r0, r4
   0x580dcb92:  bic.w   r2, r2, #31
   0x580dcb96:  ldrb    r2, [r2, #12]
   0x580dcb98:  ldr.w   r2, [r10, r2, lsl #2]
   0x580dcb9c:  blx     r3
   0x580dcb9e:  str.w   r8, [r4, #8]
   0x580dcba2:  str.w   r8, [r4, #12]
   0x580dcba6:  adds    r6, #1
   0x580dcba8:  cmp     r6, r5
   0x580dcbaa:  beq.n   0x580dcc48
   0x580dcbac:  mov     r1, r7
=> 0x580dcbae:  ldr.w   r3, [r7], #4
   0x580dcbb2:  cmp     r3, #0
   0x580dcbb4:  beq.n   0x580dcba6
   0x580dcbb6:  ldr     r3, [r4, #4]
   0x580dcbb8:  str.w   r8, [r4, #8]
```
CC'ing Marty in case this might be Ion/JS related. The nightly and my build both have the "push sp" fix.
```
Program received signal SIGSEGV, Segmentation fault.
Loading libraries and symbols...
warning: Could not load shared library symbols for org.mozilla.fennec_michal.
Do you need "set solib-search-path" or "set sysroot"?
[Switching to Thread 26382]
0x6458a574 in ft_module_get_service () from /home/michal/mozilla-central/objdir-droid/dist/bin/libxul.so
(gdb) bt
#0  0x6458a574 in ft_module_get_service () from /home/michal/mozilla-central/objdir-droid/dist/bin/libxul.so
Ignoring packet error, continuing...
Ignoring packet error, continuing...
Ignoring packet error, continuing...
Ignoring packet error, continuing...
Ignoring packet error, continuing...
#1  0x645c1b64 in sfnt_init_face () from /home/michal/mozilla-central/objdir-droid/dist/bin/libxul.so
#2  0x6459361c in tt_face_init () from /home/michal/mozilla-central/objdir-droid/dist/bin/libxul.so
#3  0x64587090 in open_face () from /home/michal/mozilla-central/objdir-droid/dist/bin/libxul.so
#4  0x64588126 in FT_Open_Face () from /home/michal/mozilla-central/objdir-droid/dist/bin/libxul.so
#5  0x6458719e in FT_New_Memory_Face () from /home/michal/mozilla-central/objdir-droid/dist/bin/libxul.so
#6  0x640e4cd6 in FT2FontEntry::CreateFontEntry (aProxyEntry=..., aFontData=0x6a4e8000 "", aLength=82372) at /home/michal/mozilla-central/gfx/thebes/gfxFT2FontList.cpp:170
#7  0x640e4d38 in gfxFT2FontList::MakePlatformFont (this=<optimized out>, aProxyEntry=<optimized out>, aFontData=<optimized out>, aLength=82372) at /home/michal/mozilla-central/gfx/thebes/gfxFT2FontList.cpp:1138
#8  0x640e2db4 in gfxAndroidPlatform::MakePlatformFont (this=<optimized out>, aProxyEntry=0x6a4e8000, aFontData=0x141c4 <Address 0x141c4 out of bounds>, aLength=82372) at /home/michal/mozilla-central/gfx/thebes/gfxAndroidPlatform.cpp:164
#9  0x640ddf5e in gfxUserFontSet::LoadFont (this=0x64b67ca0, aProxy=0x66d9df00, aFontData=0x64f29000 "wOFF", aLength=<optimized out>) at /home/michal/mozilla-central/gfx/thebes/gfxUserFontSet.cpp:690
#10 0x640de506 in gfxUserFontSet::OnLoadComplete (this=0x64b67ca0, aProxy=0x66d9df00, aFontData=0x64f29000 "wOFF", aLength=44739, aDownloadStatus=NS_OK) at /home/michal/mozilla-central/gfx/thebes/gfxUserFontSet.cpp:472
#11 0x63aa3b5e in nsFontFaceLoader::OnStreamComplete (this=0x69225a90, aLoader=0x6531c860, aContext=<optimized out>, aStatus=NS_OK, aStringLen=44739, aString=0x64f29000 "wOFF") at /home/michal/mozilla-central/layout/style/nsFontFaceLoader.cpp:211
#12 0x639309ba in nsStreamLoader::OnStopRequest (this=0x6531c860, request=<optimized out>, ctxt=<optimized out>, aStatus=NS_OK) at /home/michal/mozilla-central/netwerk/base/src/nsStreamLoader.cpp:95
#13 0x63b11c10 in nsCORSListenerProxy::OnStopRequest (this=0x69203400, aRequest=0x64f29000, aContext=0x0, aStatusCode=1589067776) at /home/michal/mozilla-central/content/base/src/nsCrossSiteListenerProxy.cpp:572
#14 0x63934ae2 in nsStreamListenerWrapper::OnStopRequest (this=<optimized out>, aRequest=0x64f29000, aContext=0x0, aStatusCode=1589067776) at ../../../dist/include/nsStreamListenerWrapper.h:25
#15 0x6393084e in nsStreamListenerTee::OnStopRequest (this=0x62143800, request=0x69422c30, context=0x0, status=NS_OK) at /home/michal/mozilla-central/netwerk/base/src/nsStreamListenerTee.cpp:49
#16 0x6397a904 in mozilla::net::nsHttpChannel::OnStopRequest (this=0x69422c00, request=0x0, ctxt=<optimized out>, status=NS_OK) at /home/michal/mozilla-central/netwerk/protocol/http/nsHttpChannel.cpp:4970
#17 0x63920e7c in nsInputStreamPump::OnStateStop (this=0x692460b0) at /home/michal/mozilla-central/netwerk/base/src/nsInputStreamPump.cpp:552
#18 0x63921094 in nsInputStreamPump::OnInputStreamReady (this=0x692460b0, stream=<optimized out>) at /home/michal/mozilla-central/netwerk/base/src/nsInputStreamPump.cpp:374
#19 0x6407ddfe in nsInputStreamReadyEvent::Run (this=0x5fd4c2c0) at /home/michal/mozilla-central/xpcom/io/nsStreamUtils.cpp:161
#20 0x64087df6 in nsThread::ProcessNextEvent (this=0x5eb564c0, mayWait=<optimized out>, result=0x5ff8b927) at /home/michal/mozilla-central/xpcom/threads/nsThread.cpp:612
#21 0x640689ee in NS_ProcessNextEvent_P (thread=0x692460b0, mayWait=true) at /home/michal/mozilla-central/objdir-droid/xpcom/build/nsThreadUtils.cpp:220
#22 0x63fb63f6 in mozilla::ipc::MessagePump::Run (this=0x5eb53280, aDelegate=0x5eb7f0e0) at /home/michal/mozilla-central/ipc/glue/MessagePump.cpp:117
#23 0x640a8530 in MessageLoop::RunInternal (this=0x645f1c8d) at /home/michal/mozilla-central/ipc/chromium/src/base/message_loop.cc:208
#24 0x640a85e6 in RunHandler (this=<optimized out>) at /home/michal/mozilla-central/ipc/chromium/src/base/message_loop.cc:201
---Type <return> to continue, or q <return> to quit---
#25 MessageLoop::Run (this=0x5eb7f0e0) at /home/michal/mozilla-central/ipc/chromium/src/base/message_loop.cc:175
#26 0x63f43a7c in nsBaseAppShell::Run (this=0x5eb54590) at /home/michal/mozilla-central/widget/xpwidgets/nsBaseAppShell.cpp:163
#27 0x63e8de70 in nsAppStartup::Run (this=0x5fd4b790) at /home/michal/mozilla-central/toolkit/components/startup/nsAppStartup.cpp:290
#28 0x63909cea in XREMain::XRE_mainRun (this=0x5ff8baec) at /home/michal/mozilla-central/toolkit/xre/nsAppRunner.cpp:3782
#29 0x6390c354 in XREMain::XRE_main (this=0x5ff8baec, argc=<optimized out>, argv=0x5eb73048, aAppData=<optimized out>) at /home/michal/mozilla-central/toolkit/xre/nsAppRunner.cpp:3848
#30 0x6390c4a4 in XRE_main (argc=7, argv=0x5eb73048, aAppData=0x5bd80768, aFlags=<optimized out>) at /home/michal/mozilla-central/toolkit/xre/nsAppRunner.cpp:3923
#31 0x6390f71c in GeckoStart (data=0x5d3f1d58, appData=0x5bd80768) at /home/michal/mozilla-central/toolkit/xre/nsAndroidStartup.cpp:73
#32 0x5bd6fd62 in Java_org_mozilla_gecko_GeckoAppShell_nativeRun (jenv=0x5c010b28, jc=<optimized out>, jargs=0x20200005) at /home/michal/mozilla-central/mozglue/android/APKOpen.cpp:983
#33 0x407b1ff4 in ?? ()
#34 0x407b1ff4 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb)
```

I have a dev env set up (or so I hope) and can provide any information you may need. BTW - corrupt stack. :dveditz?
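A small triage helper for gdb backtraces like the two pasted in this bug, added here as an example and not part of the bug or of Gecko: it parses the `#N 0xADDR in FUNC (args) at FILE:LINE` / `from LIB` frame lines, names the crashing symbol and module, finds the first frame with source information (the point where the font data enters the FreeType call), counts unsymbolized `??` frames, and reports gdb's "corrupt stack?" hint. The sample trace is a constructed subset of the libxul.so backtrace above.

```python
"""Triage helper for gdb backtraces like the ones pasted in this bug.

Parses "#N 0xADDR in FUNC (args) at FILE:LINE" / "... from LIB" frames
and summarizes the fault and whether gdb flagged a corrupt stack.
"""
import re

FRAME_RE = re.compile(
    r"^#(?P<n>\d+)\s+(?:0x(?P<addr>[0-9a-fA-F]+)\s+in\s+)?"
    r"(?P<func>[^\s(]+)\s*\((?P<args>.*?)\)\s*"
    r"(?:at\s+(?P<file>\S+?):(?P<line>\d+)|from\s+(?P<lib>\S+))?\s*$"
)

# Constructed sample: a subset of the libxul.so trace pasted in this bug.
SAMPLE_TRACE = """\
#0  0x6458a574 in ft_module_get_service () from /home/michal/mozilla-central/objdir-droid/dist/bin/libxul.so
Ignoring packet error, continuing...
#1  0x645c1b64 in sfnt_init_face () from /home/michal/mozilla-central/objdir-droid/dist/bin/libxul.so
#5  0x6458719e in FT_New_Memory_Face () from /home/michal/mozilla-central/objdir-droid/dist/bin/libxul.so
#6  0x640e4cd6 in FT2FontEntry::CreateFontEntry (aProxyEntry=..., aFontData=0x6a4e8000 "", aLength=82372) at /home/michal/mozilla-central/gfx/thebes/gfxFT2FontList.cpp:170
#33 0x407b1ff4 in ?? ()
#34 0x407b1ff4 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
"""

def parse_frames(text):
    """One dict per frame line; gdb chatter such as 'Ignoring packet error' is skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append(m.groupdict())
    return frames

def triage(text):
    """Crashing symbol/module, first frame with source info, unsymbolized count, corrupt-stack hint."""
    frames = parse_frames(text)
    crash = next((f for f in frames if f["func"] != "??"), None)
    src = next((f for f in frames if f["file"]), None)
    # Two adjacent frames at the same address is what gdb reports as "corrupt stack?".
    repeated = any(a["addr"] and a["addr"] == b["addr"] for a, b in zip(frames, frames[1:]))
    return {
        "crash_symbol": crash["func"] if crash else None,
        "crash_module": crash["lib"] if crash else None,
        "first_source_frame": f'{src["func"]} at {src["file"]}:{src["line"]}' if src else None,
        "unsymbolized_frames": sum(1 for f in frames if f["func"] == "??"),
        "corrupt_stack": "corrupt stack?" in text or repeated,
    }
```

Run `triage(open("trace.txt").read())` on a trace saved from about:crashes or gdb; frames without an address (such as `#25 MessageLoop::Run ...` above) are still parsed.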
I get the same crash as michal on CM10/SGS3 no matter what page I open: when it finishes loading, just before the loading wheel thing stops spinning, it crashes. No reader mode, even after data wipe. Similar trace, too. I can probably attach it if that helps, but I believe it's the same crash. On CM10/SGT10.1 with nightly there is no such crash, for example. This started about 3 weeks ago or so, although both CM10 and nightly got several updates.
I've made some more tests. Nightly - crash, fresh build from mozilla-central - crash, Beta - crash. I don't have any crashes on Galaxy Tab either (CM9).
That sounds like bug 790139. This bug even sounds like a dupe of bug 790139.
Whiteboard: [native-crash]
We have completed our launch of our new Firefox on Android. The development of the new versions use GitHub for issue tracking. If the bug report still reproduces in a current version of [Firefox on Android nightly](https://play.google.com/store/apps/details?id=org.mozilla.fenix) an issue can be reported at the [Fenix GitHub project](https://github.com/mozilla-mobile/fenix/). If you want to discuss your report please use [Mozilla's chat](https://wiki.mozilla.org/Matrix#Connect_to_Matrix) server https://chat.mozilla.org and join the [#fenix](https://chat.mozilla.org/#/room/#fenix:mozilla.org) channel.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INCOMPLETE
Product: Firefox for Android → Firefox for Android Graveyard