Closed Bug 802599 Opened 8 years ago Closed 7 years ago
Assertion failure: false, at toolkit/components/places/AsyncFaviconHelpers.cpp:527 Crash [@ AsyncFetchAndSetIconForPage] or use-after-free across threads
The attached test (from a crossfuzz instance) triggers some assertions and crashes, but in an opt-build (AddressSanitizer) it also shows a use-after-free. To reproduce, the following instructions should work on Linux:

1. Download AddressSanitizer debug and opt builds at http://people.mozilla.org/~choller/firefox/asan/

2. Unpack the attached test, create a new profile, move prefs.js from the test to the profile (might not be necessary, but it enables stuff like private browsing to prevent caching effects etc.)

3. Open cross_fuzz_randomized_20110105_seed.html with the debug build; after at most 30 seconds you should get:

WARNING: NS_ENSURE_TRUE(mMutable) failed: file /builds/slave/try-lnx64-dbg/build/netwerk/base/src/nsSimpleURI.cpp, line 272
WARNING: attempt to modify an immutable nsStandardURL: file /builds/slave/try-lnx64-dbg/build/netwerk/base/src/nsStandardURL.cpp, line 1210
Assertion failure: false, at /builds/slave/try-lnx64-dbg/build/toolkit/components/places/AsyncFaviconHelpers.cpp:527
ASAN:SIGSEGV
=================================================================
==701== ERROR: AddressSanitizer crashed on unknown address 0x000000000000 (pc 0x7f98623049b5 sp 0x7fff0ce65440 bp 0x7fff0ce65550 T0)
AddressSanitizer can not provide additional info.
    #0 0x7f98623049b4 in AsyncFetchAndSetIconForPage /builds/slave/try-lnx64-dbg/build/toolkit/components/places/AsyncFaviconHelpers.cpp:528
    #1 0x7f9862304082 in mozilla::places::AsyncFetchAndSetIconForPage::start(nsIURI*, nsIURI*, mozilla::places::AsyncFaviconFetchMode, unsigned int, nsIFaviconDataCallback*) /builds/slave/try-lnx64-dbg/build/toolkit/components/places/AsyncFaviconHelpers.cpp:489
[...]

4. Start the opt-build firefox (I recommend using "taskset -c 0 firefox/firefox cross_fuzz_randomized_20110105_seed.html" because the issue is a thread race which reproduces much more reliably on a single core) and you should see after at most 30 seconds:

==992== ERROR: AddressSanitizer heap-use-after-free on address 0x7eff7a7d2cc0 at pc 0x7effb43bc7af bp 0x7eff792fe710 sp 0x7eff792fe708
READ of size 4 at 0x7eff7a7d2cc0 thread T29
    #0 0x7effb43bc7ae in nsAutoRefCnt::operator unsigned int() const /builds/slave/try-lnx64/build/../../../dist/include/nsISupportsImpl.h:266
    #1 0x7effb491cb74 in ~nsCOMPtr_base /builds/slave/try-lnx64/build/../../../dist/include/nsCOMPtr.h:408
0x7eff7a7d2cc0 is located 64 bytes inside of 120-byte region [0x7eff7a7d2c80,0x7eff7a7d2cf8)
freed by thread T0 here:
    #0 0x4335e0 in free ??:0
    #1 0x7effb43bc6c6 in nsXPCWrappedJS::Release() /builds/slave/try-lnx64/build/js/xpconnect/src/XPCWrappedJS.cpp:197
[... full log attached ...]

I don't know if the two issues are related to each other. Marking s-s due to use-after-free.

Version Info: The opt-build I tried was from rev 942ed5747b63, the debug build was from 8f702f78a929.
Attachment #672293 - Attachment mime type: application/java-archive → application/zip
Fixed by bug 722983?
decoder, is this bug still reproducible? See comment 3.
Wasn't able to reproduce this with a recent build. I'll mark it as WFM.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME