Closed Bug 1147746 Opened 11 years ago Closed 11 years ago

Null pointer crash in HttpChannelChild::ResetInterception

Categories

(Core :: Networking, defect)

Product:
Core
Component:
Networking
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla39
Tracking Flags:
Tracking Status
firefox39 --- fixed

People

(Reporter: ehsan.akhgari, Assigned: ehsan.akhgari)

References

Details

Attachments

(1 file)

Null check mInterceptListener in HttpChannelChild::ResetInterception
876 bytes, patch
jdm
: review+
Details | Diff | Splinter Review
Got this under the debugger: (lldb) bt * thread #1: tid = 0x3f1cae, 0x0000000100b63567 XUL`nsRefPtr<mozilla::net::HttpChannelChild>::assign_assuming_AddRef(this=0x0000000000000010, aNewPtr=0x0000000000000000) + 23 at nsRefPtr.h:44, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x10) frame #0: 0x0000000100b63567 XUL`nsRefPtr<mozilla::net::HttpChannelChild>::assign_assuming_AddRef(this=0x0000000000000010, aNewPtr=0x0000000000000000) + 23 at nsRefPtr.h:44 frame #1: 0x0000000100b6353f XUL`nsRefPtr<mozilla::net::HttpChannelChild>::assign_with_AddRef(this=0x0000000000000010, aRawPtr=0x0000000000000000) + 63 at nsRefPtr.h:31 frame #2: 0x0000000100b57a4f XUL`nsRefPtr<mozilla::net::HttpChannelChild>::operator=(this=0x0000000000000010, aRhs=0x0000000000000000) + 47 at nsRefPtr.h:134 frame #3: 0x0000000100b2777f XUL`mozilla::net::InterceptStreamListener::Cleanup(this=0x0000000000000000) + 47 at HttpChannelChild.cpp:160 * frame #4: 0x0000000100b3102d XUL`mozilla::net::HttpChannelChild::ResetInterception(this=0x0000000126480000) + 45 at HttpChannelChild.cpp:2077 frame #5: 0x0000000100b3b676 XUL`mozilla::net::InterceptedChannelContent::ResetInterception(this=0x0000000124abbac0) + 150 at InterceptedChannel.cpp:279 frame #6: 0x0000000103b0a89a XUL`mozilla::dom::workers::FetchEventRunnable::ResumeRequest::Run(this=0x0000000122dd5c40) + 58 at ServiceWorkerManager.cpp:2264 frame #7: 0x0000000100767c6f XUL`nsThread::ProcessNextEvent(this=0x0000000113981040, aMayWait=false, aResult=0x00007fff5fbfc313) + 2095 at nsThread.cpp:855 frame #8: 0x00000001007c483a XUL`NS_ProcessPendingEvents(aThread=0x0000000113981040, aTimeout=20) + 154 at nsThreadUtils.cpp:207 frame #9: 0x0000000103da4e79 XUL`nsBaseAppShell::NativeEventCallback(this=0x00000001139616a0) + 201 at nsBaseAppShell.cpp:98 frame #10: 0x0000000103e1fb6d XUL`nsAppShell::ProcessGeckoEvents(aInfo=0x00000001139616a0) + 445 at nsAppShell.mm:377 frame #11: 0x00007fff8716c681 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 frame #12: 0x00007fff8715e80d CoreFoundation`__CFRunLoopDoSources0 + 269 frame #13: 0x00007fff8715de3f CoreFoundation`__CFRunLoopRun + 927 frame #14: 0x00007fff8715d858 CoreFoundation`CFRunLoopRunSpecific + 296 frame #15: 0x00007fff8bf17aef HIToolbox`RunCurrentEventLoopInMode + 235 frame #16: 0x00007fff8bf1786a HIToolbox`ReceiveNextEventCommon + 431 frame #17: 0x00007fff8bf176ab HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 71 frame #18: 0x00007fff89a4df81 AppKit`_DPSNextEvent + 964 frame #19: 0x00007fff89a4d730 AppKit`-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 194 frame #20: 0x0000000103e1e697 XUL`-[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:](self=0x00000001180905e0, _cmd=0x00007fff8a3a89c8, mask=18446744073709551615, expiration=0x422d63c37f00000d, mode=0x00007fff7515ff60, flag='\x01') + 119 at nsAppShell.mm:118 frame #21: 0x00007fff89a41593 AppKit`-[NSApplication run] + 594 frame #22: 0x0000000103e20527 XUL`nsAppShell::Run(this=0x00000001139616a0) + 167 at nsAppShell.mm:651 frame #23: 0x0000000104ded0bb XUL`XRE_RunAppShell + 347 at nsEmbedFunctions.cpp:743 frame #24: 0x0000000100e056b6 XUL`mozilla::ipc::MessagePumpForChildProcess::Run(this=0x0000000113921240, aDelegate=0x00007fff5fbff0e0) + 198 at MessagePump.cpp:272 frame #25: 0x0000000100d78125 XUL`MessageLoop::RunInternal(this=0x00007fff5fbff0e0) + 117 at message_loop.cc:233 frame #26: 0x0000000100d78035 XUL`MessageLoop::RunHandler(this=0x00007fff5fbff0e0) + 21 at message_loop.cc:226 frame #27: 0x0000000100d77fdd XUL`MessageLoop::Run(this=0x00007fff5fbff0e0) + 45 at message_loop.cc:200 frame #28: 0x0000000104dec887 XUL`XRE_InitChildProcess(aArgc=3, aArgv=0x00007fff5fbff3e8, aGMPLoader=0x0000000000000000) + 3095 at nsEmbedFunctions.cpp:580 frame #29: 0x000000010000213b plugin-container`content_process_main(argc=6, argv=0x00007fff5fbff3e8) + 299 at plugin-container.cpp:211 frame #30: 0x0000000100002232 plugin-container`main(argc=7, argv=0x00007fff5fbff3e8) + 34 at MozillaRuntimeMain.cpp:11 frame #31: 0x00000001000017c4 plugin-container`start + 52
Blocks: ServiceWorkers-v1
Comment on attachment 8583599 [details] [diff] [review] Null check mInterceptListener in HttpChannelChild::ResetInterception Review of attachment 8583599 [details] [diff] [review]: ----------------------------------------------------------------- This looks like it comes from cancelling an intercepted channel, so performing this check rather than returning is correct.
Attachment #8583599 - Flags: review?(josh) → review+
https://hg.mozilla.org/mozilla-central/rev/11bc172a8665
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox39: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: