Opened 2 years ago

Closed 2 years ago

#22999 closed defect (duplicate)

SIGSEGV when cancelling out of a download popup

Reported by: cypherpunks
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-crash
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

On a particular website, when I click cancel on a download popup, the browser crashes.

System: linux 64bit (arch linux), gnome 3, Tor Browser 7.2
Security slider set to low

1) Go to https://www.projectaon.org/staff/eric/lw01.htm
2) Click on the cogwheel icon
3) A "Download an external file type?" popup shows up
4) Click cancel
5) Browser segfaults here.

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f699af3c690 in raise () from /usr/lib/libpthread.so.0
[Current thread is 1 (Thread 0x7f699b371740 (LWP 11239))]
(gdb) bt
#0  0x00007f699af3c690 in raise () at /usr/lib/libpthread.so.0
#1  0x00007f69973ade00 in nsProfileLock::FatalSignalHandler(int, siginfo*, void*) (signo=11, info=0x7ffd9becbd30, context=0x7ffd9becbc00) at /home/debian/build/tor-browser/toolkit/profile/nsProfileLock.cpp:181
#2  0x00007f6997e7f471 in WasmFaultHandler<(Signal)0>(int, siginfo_t*, void*) (signum=<optimized out>, info=0x7ffd9becbd30, context=0x7ffd9becbc00) at /home/debian/build/tor-browser/js/src/wasm/WasmSignalHandlers.cpp:1239
#3  0x00007f699af3c7e0 in <signal handler called> () at /usr/lib/libpthread.so.0
#4  0x00005595d690eb75 in mozalloc_abort(char const*) (msg=msg@entry=0x7ffd9becc3c0 "[Parent 11239] ###!!! ABORT: __delete__()d actor: file /home/debian/build/tor-browser/ipc/glue/ProtocolUtils.cpp, line 299")
    at /home/debian/build/tor-browser/memory/mozalloc/mozalloc_abort.cpp:33
#5  0x00007f6995ba8892 in Abort (aMsg=0x7ffd9becc3c0 "[Parent 11239] ###!!! ABORT: __delete__()d actor: file /home/debian/build/tor-browser/ipc/glue/ProtocolUtils.cpp, line 299") at /home/debian/build/tor-browser/xpcom/base/nsDebugImpl.cpp:449
#6  0x00007f6995ba8892 in NS_DebugBreak(uint32_t, char const*, char const*, char const*, int32_t) (aSeverity=<optimized out>, aStr=0x7f6998051ac7 "__delete__()d actor", aExpr=0x0, aFile=0x7f69980515ed "/home/debian/build/tor-browser/ipc/glue/ProtocolUtils.cpp", aLine=<optimized out>) at /home/debian/build/tor-browser/xpcom/base/nsDebugImpl.cpp:436
#7  0x00007f69960e1c0d in mozilla::dom::PExternalHelperApp::Transition(mozilla::ipc::Trigger, mozilla::dom::PExternalHelperApp::State*) (trigger=..., trigger@entry=..., next=next@entry=0x7f69671ed420)
    at /home/debian/build/tor-browser/obj-x86_64-pc-linux-gnu/ipc/ipdl/PExternalHelperApp.cpp:43
#8  0x00007f69960e2187 in mozilla::dom::PExternalHelperAppParent::SendCancel(nsresult const&) (this=0x7f69671ed400, aStatus=@0x7ffd9becc65c: -2142568446, aStatus@entry=@0x7ffd9becc65c: <optimized out>)
    at /home/debian/build/tor-browser/obj-x86_64-pc-linux-gnu/ipc/ipdl/PExternalHelperAppParent.cpp:57
#9  0x00007f69961d2aaa in mozilla::dom::ExternalHelperAppParent::Cancel(nsresult) (this=<optimized out>, aStatus=-2142568446) at /home/debian/build/tor-browser/uriloader/exthandler/ExternalHelperAppParent.cpp:244
#10 0x00007f69961da93d in nsExternalAppHandler::OnStartRequest(nsIRequest*, nsISupports*) (this=0x7f69672ac900, request=0x7f69671ed468, aCtxt=<optimized out>)
    at /home/debian/build/tor-browser/uriloader/exthandler/nsExternalHelperAppService.cpp:1695
#11 0x00007f69961d274c in mozilla::dom::ExternalHelperAppParent::RecvOnStartRequest(nsCString const&) (this=0x7f69671ed400, entityID=...) at /home/debian/build/tor-browser/uriloader/exthandler/ExternalHelperAppParent.cpp:126
#12 0x00007f69960e528c in mozilla::dom::PExternalHelperAppParent::OnMessageReceived(IPC::Message const&) (this=<optimized out>, msg__=...) at /home/debian/build/tor-browser/obj-x86_64-pc-linux-gnu/ipc/ipdl/PExternalHelperAppParent.cpp:129
#13 0x00007f69960be54a in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) (this=0x7f696968b800, msg__=...) at /home/debian/build/tor-browser/obj-x86_64-pc-linux-gnu/ipc/ipdl/PContentParent.cpp:3052
#14 0x00007f6995ed371f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) (this=0x7f696968b8a8, aMsg=...) at /home/debian/build/tor-browser/ipc/glue/MessageChannel.cpp:1743
#15 0x00007f6995ed99bb in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) (this=this@entry=0x7f696968b8a8, aMsg=...) at /home/debian/build/tor-browser/ipc/glue/MessageChannel.cpp:1681
#16 0x00007f6995edac4a in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) (this=0x7f696968b8a8, aTask=...) at /home/debian/build/tor-browser/ipc/glue/MessageChannel.cpp:1572
#17 0x00007f6995edad98 in mozilla::ipc::MessageChannel::MessageTask::Run() (this=0x7f69674ce0c0) at /home/debian/build/tor-browser/ipc/glue/MessageChannel.cpp:1597
#18 0x00007f6995beb05d in nsThread::ProcessNextEvent(bool, bool*) (this=0x7f6999daf480, aMayWait=<optimized out>, aResult=0x7ffd9beccd9f) at /home/debian/build/tor-browser/xpcom/threads/nsThread.cpp:1216
#19 0x00007f6995c05c61 in NS_ProcessNextEvent(nsIThread*, bool) (aThread=<optimized out>, aThread@entry=0x7f6999daf480, aMayWait=aMayWait@entry=false) at /home/debian/build/tor-browser/xpcom/glue/nsThreadUtils.cpp:361
#20 0x00007f6995ed132d in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (this=0x7f698c0994c0, aDelegate=0x7f6999da94e0) at /home/debian/build/tor-browser/ipc/glue/MessagePump.cpp:96
#21 0x00007f6995ea20fa in MessageLoop::RunHandler() (this=<optimized out>) at /home/debian/build/tor-browser/ipc/chromium/src/base/message_loop.cc:225
#22 0x00007f6995ea20fa in MessageLoop::Run() (this=<optimized out>) at /home/debian/build/tor-browser/ipc/chromium/src/base/message_loop.cc:205
#23 0x00007f6996e6b2e3 in nsBaseAppShell::Run() (this=0x7f698151b340) at /home/debian/build/tor-browser/widget/nsBaseAppShell.cpp:156
#24 0x00007f6997367657 in nsAppStartup::Run() (this=0x7f6981512600) at /home/debian/build/tor-browser/toolkit/components/startup/nsAppStartup.cpp:283
#25 0x00007f69973b560a in XREMain::XRE_mainRun() (this=this@entry=0x7ffd9becd010) at /home/debian/build/tor-browser/toolkit/xre/nsAppRunner.cpp:5028
#26 0x00007f69973b58b1 in XREMain::XRE_main(int, char**, nsXREAppData const*) (this=this@entry=0x7ffd9becd010, argc=argc@entry=5, argv=argv@entry=0x7ffd9bece428, aAppData=aAppData@entry=0x7ffd9becd248)
    at /home/debian/build/tor-browser/toolkit/xre/nsAppRunner.cpp:5161
#27 0x00007f69973b5ae7 in XRE_main(int, char**, nsXREAppData const*, uint32_t) (argc=5, argv=0x7ffd9bece428, aAppData=0x7ffd9becd248, aFlags=<optimized out>) at /home/debian/build/tor-browser/toolkit/xre/nsAppRunner.cpp:5252
#28 0x00005595d690e8d1 in do_main(int, char**, char**, nsIFile*) (argc=5, argv=0x7ffd9bece428, envp=<optimized out>, xreDirectory=0x7f6999da1780) at /home/debian/build/tor-browser/browser/app/nsBrowserApp.cpp:282
#29 0x00005595d690e043 in main(int, char**, char**) (argc=5, argv=0x7ffd9bece428, envp=0x7ffd9bece458) at /home/debian/build/tor-browser/browser/app/nsBrowserApp.cpp:415
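
Added example, not part of the ticket or of Tor Browser's code: a small triage helper run over an abridged copy of the backtrace above. It reports that the signal was raised inside mozalloc_abort after an ABORT message, so the frame to examine first is the caller of the abort path; the list of abort functions and the second sample trace are assumptions of this example.

```python
import re

FRAME = re.compile(r"^#\d+\s+0x[0-9a-f]+ in (.+?) \(")
ABORT_MSG = re.compile(r"###!!! ABORT: (.+?): file \S+, line \d+")
# Heuristic list (an assumption of this example) of functions that end the process on purpose.
ABORT_FUNCS = {"mozalloc_abort", "Abort", "NS_DebugBreak", "abort", "__assert_fail"}

# Abridged from the backtrace in this ticket; arguments shortened.
TICKET_BT = r'''
#0  0x00007f699af3c690 in raise () at /usr/lib/libpthread.so.0
#3  0x00007f699af3c7e0 in <signal handler called> () at /usr/lib/libpthread.so.0
#4  0x00005595d690eb75 in mozalloc_abort(char const*) (msg=0x7ffd9becc3c0 "[Parent 11239] ###!!! ABORT: __delete__()d actor: file /home/debian/build/tor-browser/ipc/glue/ProtocolUtils.cpp, line 299")
#5  0x00007f6995ba8892 in Abort (aMsg=...) at /home/debian/build/tor-browser/xpcom/base/nsDebugImpl.cpp:449
#6  0x00007f6995ba8892 in NS_DebugBreak(uint32_t, char const*, char const*, char const*, int32_t) (aSeverity=<optimized out>)
#7  0x00007f69960e1c0d in mozilla::dom::PExternalHelperApp::Transition(mozilla::ipc::Trigger, mozilla::dom::PExternalHelperApp::State*) (trigger=...)
#8  0x00007f69960e2187 in mozilla::dom::PExternalHelperAppParent::SendCancel(nsresult const&) (this=0x7f69671ed400)
'''
# Constructed contrast case: a plain NULL dereference with no abort plumbing.
WILD_BT = '''
#0  0x0000000000401136 in parse_header (buf=0x0) at demo.c:12
#1  0x0000000000401180 in main () at demo.c:30
'''

def triage(backtrace):
    """Classify a gdb backtrace as a deliberate abort or an unexpected fault."""
    frames = []
    for line in backtrace.splitlines():
        m = FRAME.match(line.strip())
        if m:
            frames.append(m.group(1).split("(")[0])  # drop the C++ parameter list
    if not frames:
        raise ValueError("no gdb frames found")
    # Frames above "<signal handler called>" are handler plumbing; the frame
    # right after the last marker is where the signal was actually raised.
    sig = [i for i, f in enumerate(frames) if f == "<signal handler called>"]
    start = sig[-1] + 1 if sig and sig[-1] + 1 < len(frames) else 0
    msg = ABORT_MSG.search(backtrace)
    return {
        "deliberate_abort": frames[start] in ABORT_FUNCS,
        "faulting_frame": frames[start],
        # First frame past the abort helpers: the code that tripped the check.
        "origin": next((f for f in frames[start:] if f not in ABORT_FUNCS), None),
        "assertion": msg.group(1) if msg else None,
    }

if __name__ == "__main__":
    for bt in (TICKET_BT, WILD_BT):
        print(triage(bt))
```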

Change History (2)

comment:1 Changed 2 years ago by cypherpunks

Keywords: tbb-crash added

Seems like a duplicate: #22610

comment:2 in reply to:  1 Changed 2 years ago by mcs

Resolution: duplicate
Status: new → closed

Replying to cypherpunks:

Seems like a duplicate: #22610

I agree, at least enough to say "close enough." The website in this ticket appears to use a blob URL, which is another type of URL that our current patch for #21766 does not handle well.
