Opened 4 years ago

Closed 4 years ago

#17097 closed defect (fixed)

Print dialog sometimes causes OS X Tor Browser to crash

Reported by: arthuredelstein
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity:
Keywords: tbb-crash, TorBrowserTeam201509R
Cc: mcs
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

On OS X, when I launch the Print dialog (using command+P) and then cancel (by hitting ESC) a few times, I can get Tor Browser 5.0.2 to crash. Here's the stack trace:

* thread #1: tid = 0x1f6347, 0x0000000101f32460 XUL`nsCOMPtr<nsIDOMWindow>::operator->(this=0x00007fff5fbfc668) const + 96 at nsCOMPtr.h:697, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x0000000101f32460 XUL`nsCOMPtr<nsIDOMWindow>::operator->(this=0x00007fff5fbfc668) const + 96 at nsCOMPtr.h:697
   694 	
   695 	  T* operator->() const MOZ_NO_ADDREF_RELEASE_ON_RETURN
   696 	  {
-> 697 	    MOZ_ASSERT(mRawPtr != 0,
   698 	               "You can't dereference a NULL nsCOMPtr with operator->().");
   699 	    return get();
   700 	  }
(lldb) bt
* thread #1: tid = 0x1f6347, 0x0000000101f32460 XUL`nsCOMPtr<nsIDOMWindow>::operator->(this=0x00007fff5fbfc668) const + 96 at nsCOMPtr.h:697, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x0000000101f32460 XUL`nsCOMPtr<nsIDOMWindow>::operator->(this=0x00007fff5fbfc668) const + 96 at nsCOMPtr.h:697
    frame #1: 0x00000001033f2b21 XUL`ThirdPartyUtil::GetFirstPartyURIInternal(this=0x0000000117104550, aChannel=0x0000000000000000, aNode=0x0000000128659000, aLogErrors=true, aOutput=0x00007fff5fbfc898) + 1809 at ThirdPartyUtil.cpp:651
    frame #2: 0x00000001033f2404 XUL`ThirdPartyUtil::GetFirstPartyURI(this=0x0000000117104550, aChannel=0x0000000000000000, aNode=0x0000000128659000, aOutput=0x00007fff5fbfc898) + 52 at ThirdPartyUtil.cpp:575
    frame #3: 0x00000001033f238e XUL`ThirdPartyUtil::GetFirstPartyIsolationURI(this=0x0000000117104550, aChannel=0x0000000000000000, aNode=0x0000000128659000, aOutput=0x00007fff5fbfc898) + 174 at ThirdPartyUtil.cpp:561
    frame #4: 0x00000001033f01e3 XUL`ThirdPartyUtil::GetFirstPartyHost(aChannel=0x0000000000000000, aDocument=0x0000000128659000, aResult=0x00007fff5fbfc958) + 163 at ThirdPartyUtil.cpp:47
    frame #5: 0x000000010344a48a XUL`ThirdPartyUtil::GetFirstPartyHost(aDocument=0x0000000128659000, aResult=0x00007fff5fbfc958) + 42 at ThirdPartyUtil.h:36
    frame #6: 0x000000010348f7c5 XUL`nsDocument::cycleCollection::Unlink(this=0x000000010a2f2a80, p=0x0000000128659000) + 1237 at nsDocument.cpp:2166
    frame #7: 0x000000010474c2cd XUL`nsHTMLDocument::cycleCollection::Unlink(this=0x000000010a2f2a80, p=0x0000000128659000) + 61 at nsHTMLDocument.cpp:203
    frame #8: 0x0000000101e1aad2 XUL`nsCycleCollector::CollectWhite(this=0x0000000112097000) + 882 at nsCycleCollector.cpp:3297
    frame #9: 0x0000000101e1c1d6 XUL`nsCycleCollector::Collect(this=0x0000000112097000, aCCType=SliceCC, aBudget=0x00007fff5fbfcc18, aManualListener=0x0000000000000000, aPreferShorterSlices=false) + 534 at nsCycleCollector.cpp:3648
    frame #10: 0x0000000101e1e40a XUL`nsCycleCollector_collectSlice(budget=0x00007fff5fbfcc18, aPreferShorterSlices=false) + 298 at nsCycleCollector.cpp:4249
    frame #11: 0x0000000103550dbd XUL`nsJSContext::RunCycleCollectorSlice() + 493 at nsJSEnvironment.cpp:1533
    frame #12: 0x00000001035510ff XUL`ICCTimerFired(aTimer=0x0000000113c239a0, aClosure=0x0000000000000000) + 127 at nsJSEnvironment.cpp:1591
    frame #13: 0x0000000101f0487a XUL`nsTimerImpl::Fire(this=0x0000000113c239a0) + 986 at nsTimerImpl.cpp:631
    frame #14: 0x0000000101f04c91 XUL`nsTimerEvent::Run(this=0x00000001172a72f0) + 209 at nsTimerImpl.cpp:724
    frame #15: 0x0000000101eff653 XUL`nsThread::ProcessNextEvent(this=0x000000010044e7c0, aMayWait=false, aResult=0x00007fff5fbfcf83) + 1699 at nsThread.cpp:855
    frame #16: 0x0000000101f57e2b XUL`NS_ProcessPendingEvents(aThread=0x000000010044e7c0, aTimeout=20) + 171 at nsThreadUtils.cpp:207
    frame #17: 0x0000000105103279 XUL`nsBaseAppShell::NativeEventCallback(this=0x00000001125e70c0) + 201 at nsBaseAppShell.cpp:98
    frame #18: 0x000000010517d3c1 XUL`nsAppShell::ProcessGeckoEvents(aInfo=0x00000001125e70c0) + 433 at nsAppShell.mm:378
    frame #19: 0x00007fff8b9835b1 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
    frame #20: 0x00007fff8b974c62 CoreFoundation`__CFRunLoopDoSources0 + 242
    frame #21: 0x00007fff8b9743ef CoreFoundation`__CFRunLoopRun + 831
    frame #22: 0x00007fff8b973e75 CoreFoundation`CFRunLoopRunSpecific + 309
    frame #23: 0x00007fff91922a0d HIToolbox`RunCurrentEventLoopInMode + 226
    frame #24: 0x00007fff919227b7 HIToolbox`ReceiveNextEventCommon + 479
    frame #25: 0x00007fff919225bc HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 65
    frame #26: 0x00007fff8f04724e AppKit`_DPSNextEvent + 1434
    frame #27: 0x00007fff8f04689b AppKit`-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 122
    frame #28: 0x000000010517bff7 XUL`-[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:](self=0x0000000100405980, _cmd=0x00007fff8fa7a5c3, mask=18446744073709551615, expiration=0x422d63c37f00000d, mode=0x00007fff758c3d00, flag='\x01') + 119 at nsAppShell.mm:120
    frame #29: 0x00007fff8f03a99c AppKit`-[NSApplication run] + 553
    frame #30: 0x000000010517dd6c XUL`nsAppShell::Run(this=0x00000001125e70c0) + 172 at nsAppShell.mm:653
    frame #31: 0x0000000105d9d55c XUL`nsAppStartup::Run(this=0x0000000113c76f60) + 156 at nsAppStartup.cpp:281
    frame #32: 0x0000000105e49130 XUL`XREMain::XRE_mainRun(this=0x00007fff5fbfef50) + 5104 at nsAppRunner.cpp:4444
    frame #33: 0x0000000105e49a6e XUL`XREMain::XRE_main(this=0x00007fff5fbfef50, argc=5, argv=0x00007fff5fbff8a8, aAppData=0x00007fff5fbff230) + 1006 at nsAppRunner.cpp:4524
    frame #34: 0x0000000105e49ebd XUL`XRE_main(argc=5, argv=0x00007fff5fbff8a8, aAppData=0x00007fff5fbff230, aFlags=0) + 77 at nsAppRunner.cpp:4743
    frame #35: 0x0000000100001d66 firefox`do_main(argc=5, argv=0x00007fff5fbff8a8, xreDirectory=0x0000000100420100) + 1750 at nsBrowserApp.cpp:294
    frame #36: 0x00000001000011f1 firefox`main(argc=5, argv=0x00007fff5fbff8a8) + 321 at nsBrowserApp.cpp:667
    frame #37: 0x0000000100000c54 firefox`start + 52

Change History (4)

comment:1 Changed 4 years ago by arthuredelstein

The stack trace indicates that top at ThirdPartyUtil.cpp:651 was null. So we need to do a null check there. It also looks safer if we check to make sure that topDoc is non-null as well.

Here's a patch for review:
https://github.com/arthuredelstein/tor-browser/commit/17097

Once I apply this patch, I no longer get crashes as described.

Last edited 4 years ago by arthuredelstein
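
The null checks described in comment:1, as an added example that is not the linked patch or Tor Browser code. `Window`, `Document`, `Ref`, `Status` and the `Lookup*` helpers are hypothetical stand-ins; only the names `top` and `topDoc` come from the ticket.

```cpp
#include <cstdio>
#include <string>

// Hypothetical stand-ins for the Gecko types in the stack trace (not Tor Browser code).
struct Document { std::string host; };
struct Window {
  Window* top = nullptr;    // top-level window; null once the window is torn down
  Document* doc = nullptr;  // document currently attached to this window
};

// Like nsCOMPtr, operator-> assumes the pointer is non-null.
template <typename T>
struct Ref {
  T* raw;
  explicit operator bool() const { return raw != nullptr; }
  T* operator->() const { return raw; }
};

enum Status { OK, NOT_AVAILABLE };

// First-party host lookup that fails cleanly when the window chain is gone,
// e.g. when it is reached from a document's Unlink during cycle collection.
Status FirstPartyHost(const Window* win, std::string& out) {
  if (!win) return NOT_AVAILABLE;
  Ref<Window> top{win->top};
  if (!top) return NOT_AVAILABLE;     // check on top: may be null during teardown
  Ref<Document> topDoc{top->doc};
  if (!topDoc) return NOT_AVAILABLE;  // check on topDoc as well
  out = topDoc->host;
  return OK;
}

// Constructed scenarios: a live window, a torn-down one, a top window with no document.
Status LookupLive(std::string& out) {
  Document d{"example.com"};
  Window w; w.top = &w; w.doc = &d;
  return FirstPartyHost(&w, out);
}
Status LookupTornDown(std::string& out) {
  Window w;  // top already cleared
  return FirstPartyHost(&w, out);
}
Status LookupNoTopDoc(std::string& out) {
  Window w; w.top = &w;  // top exists but has no document
  return FirstPartyHost(&w, out);
}

int main() {
  std::string h;
  std::printf("live=%d torn_down=%d no_doc=%d\n", LookupLive(h), LookupTornDown(h), LookupNoTopDoc(h));
  return 0;
}
```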

comment:2 Changed 4 years ago by arthuredelstein

Keywords: TorBrowserTeam201509R added; TorBrowserTeam201509 removed
Status: new → needs_review

comment:3 Changed 4 years ago by mcs

Cc: mcs added

Nice find. The patch looks good to me.
r=mcs

comment:4 Changed 4 years ago by mikeperry

Resolution: fixed
Status: needs_review → closed

Yep. Seems fine. I merged it for 5.0.3 and 5.5a3. Thanks!
