Nightly crashed when trying to display site using custom kernel




6 years ago
2 years ago


(Reporter: michal, Unassigned)


({crash, csectype-nullptr})

18 Branch
crash, csectype-nullptr

Firefox Tracking Flags

(Not tracked)


(Whiteboard: [native-crash])

Every time I try to enter this page on nightly (recent, just updated) on Android it crashes. Tried on SGS3.

Steps to reproduce:
1. Click on a link (didn't type it directly)
2. Get a crash

I can reproduce it anytime here.

Flagged as security, might be a memory problem.

Comment 1

6 years ago
What kind of crash? Sounds like a dup of 792101.
can you look into about:crashes and give us a crash id ?
BTW for me it looks like it's 790139. Didn't enable reader mode, but all the rest seems to be the same. I'm using CM 10, which has a custom kernel.
BTW2 - just checked on some random Wikipedia page and enabling reader mode crashes Nightly every time.
I don't think this needs to be security sensitive, but cc'ing some devs.
Made it so because we don't (yet) know that.

BTW3 - I have the same crash on Firefox Beta on the same device and system. Triggered by visiting, crashes every time.
I have no repro on stock 4.1.1 (Galaxy Nexus) with today's Nightly (just installed)
Summary: Nightly crashed when trying to display site → Nightly crashed when trying to display site using custom kernel
The stacks look like a null deref (but they're pretty useless), and the crash doesn't happen on generally used stock Android so i don't think we need to keep this one hidden.
Group: core-security
Keywords: crash, csec-nullptr
(In reply to Michal Purzynski [:michal`] from comment #5)
> BTW2 - just checked on some random Wikipedia page and enabling reader mode
> crashes Nightly every time.

Just so we're on the same page - when you say "enabling reader mode", do you mean clicking the reader icon in the URL bar? I'm confused because you say in comment 7 that you can reproduce the same crash just by visiting Or do you mean you disabled the reader mode parsing itself (which I believe would require creating a custom build since we don't have any way to toggle this in the UI)?
If this is only from enabling Reader Mode, then it sounds like a dupe of bug 790139.
There are two independent use cases here:

1. Visit a page like -> crash after a few seconds. That's just it and nothing more.

2. Enabling reader mode on other any site -> instant crash.

Downloading and setting up a full Android and Fennec development environment now, will take a while but I should have a nice stack trace for you tomorrow. I'm in the CEST zone and it's 8:46pm now. That's why tomorrow.

It will also be easier if you need something more.

Comment 13

6 years ago
I am able to consistently crash the latest (9-21-2012) by going to "about:crashes" and waiting 2 seconds.  Same happens by going to "about:config" and typing anything in the box.

I'm on CM10 on Galaxy Nexus VZW.
Here is a stack and dump from a Nexus S running CM10 attempting to load about:crashes

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 12411]
0x580dcbae in ?? ()
(gdb) bt
#0  0x580dcbae in ?? ()
#1  0x58033e24 in ?? ()
#2  0x58033e24 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) x/20i $pc-40
   0x580dcb86:	mov	r8, r6
   0x580dcb88:	add	r10, pc
   0x580dcb8a:	b.n	0x580dcbac
   0x580dcb8c:	bic.w	r2, r2, #4064	; 0xfe0
   0x580dcb90:	mov	r0, r4
   0x580dcb92:	bic.w	r2, r2, #31
   0x580dcb96:	ldrb	r2, [r2, #12]
   0x580dcb98:	ldr.w	r2, [r10, r2, lsl #2]
   0x580dcb9c:	blx	r3
   0x580dcb9e:	str.w	r8, [r4, #8]
   0x580dcba2:	str.w	r8, [r4, #12]
   0x580dcba6:	adds	r6, #1
   0x580dcba8:	cmp	r6, r5
   0x580dcbaa:	beq.n	0x580dcc48
   0x580dcbac:	mov	r1, r7
=> 0x580dcbae:	ldr.w	r3, [r7], #4
   0x580dcbb2:	cmp	r3, #0
   0x580dcbb4:	beq.n	0x580dcba6
   0x580dcbb6:	ldr	r3, [r4, #4]
   0x580dcbb8:	str.w	r8, [r4, #8]
CC'ing Marty in case this might be Ion/JS related

The nightly and my build both have the "push sp" fix
Program received signal SIGSEGV, Segmentation fault.
Loading libraries and symbols...
warning: Could not load shared library symbols for org.mozilla.fennec_michal.
Do you need "set solib-search-path" or "set sysroot"?
[Switching to Thread 26382]
0x6458a574 in ft_module_get_service () from /home/michal/mozilla-central/objdir-droid/dist/bin/
(gdb) bt
#0  0x6458a574 in ft_module_get_service () from /home/michal/mozilla-central/objdir-droid/dist/bin/
Ignoring packet error, continuing...
Ignoring packet error, continuing...
Ignoring packet error, continuing...
Ignoring packet error, continuing...
Ignoring packet error, continuing...
#1  0x645c1b64 in sfnt_init_face () from /home/michal/mozilla-central/objdir-droid/dist/bin/
#2  0x6459361c in tt_face_init () from /home/michal/mozilla-central/objdir-droid/dist/bin/
#3  0x64587090 in open_face () from /home/michal/mozilla-central/objdir-droid/dist/bin/
#4  0x64588126 in FT_Open_Face () from /home/michal/mozilla-central/objdir-droid/dist/bin/
#5  0x6458719e in FT_New_Memory_Face () from /home/michal/mozilla-central/objdir-droid/dist/bin/
#6  0x640e4cd6 in FT2FontEntry::CreateFontEntry (aProxyEntry=..., aFontData=0x6a4e8000 "", aLength=82372)
    at /home/michal/mozilla-central/gfx/thebes/gfxFT2FontList.cpp:170
#7  0x640e4d38 in gfxFT2FontList::MakePlatformFont (this=<optimized out>, aProxyEntry=<optimized out>, aFontData=<optimized out>, 
    aLength=82372) at /home/michal/mozilla-central/gfx/thebes/gfxFT2FontList.cpp:1138
#8  0x640e2db4 in gfxAndroidPlatform::MakePlatformFont (this=<optimized out>, aProxyEntry=0x6a4e8000, 
    aFontData=0x141c4 <Address 0x141c4 out of bounds>, aLength=82372) at /home/michal/mozilla-central/gfx/thebes/gfxAndroidPlatform.cpp:164
#9  0x640ddf5e in gfxUserFontSet::LoadFont (this=0x64b67ca0, aProxy=0x66d9df00, aFontData=0x64f29000 "wOFF", aLength=<optimized out>)
    at /home/michal/mozilla-central/gfx/thebes/gfxUserFontSet.cpp:690
#10 0x640de506 in gfxUserFontSet::OnLoadComplete (this=0x64b67ca0, aProxy=0x66d9df00, aFontData=0x64f29000 "wOFF", aLength=44739, 
    aDownloadStatus=NS_OK) at /home/michal/mozilla-central/gfx/thebes/gfxUserFontSet.cpp:472
#11 0x63aa3b5e in nsFontFaceLoader::OnStreamComplete (this=0x69225a90, aLoader=0x6531c860, aContext=<optimized out>, aStatus=NS_OK, 
    aStringLen=44739, aString=0x64f29000 "wOFF") at /home/michal/mozilla-central/layout/style/nsFontFaceLoader.cpp:211
#12 0x639309ba in nsStreamLoader::OnStopRequest (this=0x6531c860, request=<optimized out>, ctxt=<optimized out>, aStatus=NS_OK)
    at /home/michal/mozilla-central/netwerk/base/src/nsStreamLoader.cpp:95
#13 0x63b11c10 in nsCORSListenerProxy::OnStopRequest (this=0x69203400, aRequest=0x64f29000, aContext=0x0, aStatusCode=1589067776)
    at /home/michal/mozilla-central/content/base/src/nsCrossSiteListenerProxy.cpp:572
#14 0x63934ae2 in nsStreamListenerWrapper::OnStopRequest (this=<optimized out>, aRequest=0x64f29000, aContext=0x0, aStatusCode=1589067776)
    at ../../../dist/include/nsStreamListenerWrapper.h:25
#15 0x6393084e in nsStreamListenerTee::OnStopRequest (this=0x62143800, request=0x69422c30, context=0x0, status=NS_OK)
    at /home/michal/mozilla-central/netwerk/base/src/nsStreamListenerTee.cpp:49
#16 0x6397a904 in mozilla::net::nsHttpChannel::OnStopRequest (this=0x69422c00, request=0x0, ctxt=<optimized out>, status=NS_OK)
    at /home/michal/mozilla-central/netwerk/protocol/http/nsHttpChannel.cpp:4970
#17 0x63920e7c in nsInputStreamPump::OnStateStop (this=0x692460b0) at /home/michal/mozilla-central/netwerk/base/src/nsInputStreamPump.cpp:552
#18 0x63921094 in nsInputStreamPump::OnInputStreamReady (this=0x692460b0, stream=<optimized out>)
    at /home/michal/mozilla-central/netwerk/base/src/nsInputStreamPump.cpp:374
#19 0x6407ddfe in nsInputStreamReadyEvent::Run (this=0x5fd4c2c0) at /home/michal/mozilla-central/xpcom/io/nsStreamUtils.cpp:161
#20 0x64087df6 in nsThread::ProcessNextEvent (this=0x5eb564c0, mayWait=<optimized out>, result=0x5ff8b927)
    at /home/michal/mozilla-central/xpcom/threads/nsThread.cpp:612
#21 0x640689ee in NS_ProcessNextEvent_P (thread=0x692460b0, mayWait=true)
    at /home/michal/mozilla-central/objdir-droid/xpcom/build/nsThreadUtils.cpp:220
#22 0x63fb63f6 in mozilla::ipc::MessagePump::Run (this=0x5eb53280, aDelegate=0x5eb7f0e0)
    at /home/michal/mozilla-central/ipc/glue/MessagePump.cpp:117
#23 0x640a8530 in MessageLoop::RunInternal (this=0x645f1c8d) at /home/michal/mozilla-central/ipc/chromium/src/base/
#24 0x640a85e6 in RunHandler (this=<optimized out>) at /home/michal/mozilla-central/ipc/chromium/src/base/
---Type <return> to continue, or q <return> to quit--- 
#25 MessageLoop::Run (this=0x5eb7f0e0) at /home/michal/mozilla-central/ipc/chromium/src/base/
#26 0x63f43a7c in nsBaseAppShell::Run (this=0x5eb54590) at /home/michal/mozilla-central/widget/xpwidgets/nsBaseAppShell.cpp:163
#27 0x63e8de70 in nsAppStartup::Run (this=0x5fd4b790) at /home/michal/mozilla-central/toolkit/components/startup/nsAppStartup.cpp:290
#28 0x63909cea in XREMain::XRE_mainRun (this=0x5ff8baec) at /home/michal/mozilla-central/toolkit/xre/nsAppRunner.cpp:3782
#29 0x6390c354 in XREMain::XRE_main (this=0x5ff8baec, argc=<optimized out>, argv=0x5eb73048, aAppData=<optimized out>)
    at /home/michal/mozilla-central/toolkit/xre/nsAppRunner.cpp:3848
#30 0x6390c4a4 in XRE_main (argc=7, argv=0x5eb73048, aAppData=0x5bd80768, aFlags=<optimized out>)
    at /home/michal/mozilla-central/toolkit/xre/nsAppRunner.cpp:3923
#31 0x6390f71c in GeckoStart (data=0x5d3f1d58, appData=0x5bd80768) at /home/michal/mozilla-central/toolkit/xre/nsAndroidStartup.cpp:73
#32 0x5bd6fd62 in Java_org_mozilla_gecko_GeckoAppShell_nativeRun (jenv=0x5c010b28, jc=<optimized out>, jargs=0x20200005)
    at /home/michal/mozilla-central/mozglue/android/APKOpen.cpp:983
#33 0x407b1ff4 in ?? ()
#34 0x407b1ff4 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

I have a dev env set up (or so I hope) and can provide any information you may need.

BTW - corrupt stack.:dveditz?
I get the same crash as michal on CM10/SGS3 no matter what page i open, when it finishes loading, just before the loading wheel thing stops spinning it crashes. No reader mode, even after data wipe. Similar trace, too. I can probably attach it if that helps, but i believe its the same crash.

On CM10/SGT10.1 with nightly there is no such crash, for example. This started about 3 weeks ago or so, although both cm10 and nightly got several updates.
I've made some more tests. Nightly - crash, fresh build from mozilla-central - crash, Beta - crash.

I don't have any crashes on Galaxy Tab either (CM9).
That sounds like bug 790139. This bug even sounds like a dupe of bug 790139.


6 years ago
Whiteboard: [native-crash]
You need to log in before you can comment on or make changes to this bug.