Closed Bug 1037221 Opened 10 years ago Closed 5 years ago

crash in mozilla::dom::HTMLBodyElement::ParseAttribute(int, nsIAtom*, nsAString_internal const&, nsAttrValue&)

Categories

(Core :: DOM: Core & HTML, defect, P5)

31 Branch
x86
Windows NT
defect

Tracking


RESOLVED WONTFIX
Tracking Status
firefox30 --- unaffected
firefox31 + wontfix
firefox32 --- unaffected
firefox33 --- unaffected

People

(Reporter: u279076, Unassigned)

References

Details

(Keywords: crash, regression)

Crash Data

This bug was filed from the Socorro interface and is report bp-27f7ff7e-8b0d-4dfc-893a-ee05f2140709.
=============================================================
0 	xul.dll 	mozilla::dom::HTMLBodyElement::ParseAttribute(int,nsIAtom *,nsAString_internal const &,nsAttrValue &) 	content/html/content/src/HTMLBodyElement.cpp
1 	xul.dll 	mozilla::dom::Element::SetAttr(int,nsIAtom *,nsIAtom *,nsAString_internal const &,bool) 	content/base/src/Element.cpp
2 	xul.dll 	mozilla::dom::ElementBinding::getAttribute 	obj-firefox/dom/bindings/ElementBinding.cpp
3 		@0xa080ec0 	
4 		@0x2 	
5 		@0xffffff85 
=============================================================
More reports:
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=mozilla%3A%3Adom%3A%3AHTMLBodyElement%3A%3AParseAttribute%28int%2C+nsIAtom%2A%2C+nsAString_internal+const%26%2C+nsAttrValue%26%29

This is a new, low-volume crash, first starting with Firefox 31.0b8.
This stack makes no sense.  ElementBinding::getAttribute doesn't call Element::SetAttr.
Stack from WinDBG:

ChildEBP RetAddr  
0012d344 016daae4 xul!mozilla::dom::HTMLBodyElement::ParseAttribute(int aNamespaceID = <Memory access error>, class nsIAtom * aAttribute = <Memory access error>, class nsAString_internal * aValue = <Memory access error>, class nsAttrValue * aResult = <Memory access error>)+0x9c [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\content\html\content\src\htmlbodyelement.cpp @ 332]
0012d3b8 0172042a xul!mozilla::dom::Element::SetAttr(int aNamespaceID = 0n0, class nsIAtom * aName = 0x06a41760, class nsIAtom * aPrefix = 0x00000000, class nsAString_internal * aValue = 0x0012d4e0, bool aNotify = true)+0x674 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\content\base\src\element.cpp @ 1814]
0012d3e4 01697087 xul!nsGenericHTMLElement::SetAttr(int aNameSpaceID = 0n0, class nsIAtom * aName = 0x06a41700, class nsIAtom * aPrefix = 0x00000000, class nsAString_internal * aValue = 0x0012d4e0, bool aNotify = true)+0x7a [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\content\html\content\src\nsgenerichtmlelement.cpp @ 905]
0012d4b4 0167eb81 xul!mozilla::dom::Element::SetAttribute(class nsAString_internal * aName = 0x0012d4ec, class nsAString_internal * aValue = 0x0012d4e0, class mozilla::ErrorResult * aError = 0x0012d4f8)+0x1b7 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\content\base\src\element.cpp @ 879]
0012d508 018ce333 xul!mozilla::dom::ElementBinding::setAttribute(struct JSContext * cx = 0xffffff85, class JS::Handle<JSObject *> obj = class JS::Handle<JSObject *>, class mozilla::dom::Element * self = 0x0a080ec0, class JSJitMethodCallArgs * args = 0x018ce333)+0xb1 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\obj-firefox\dom\bindings\elementbinding.cpp @ 271]
0012d614 00caa7d8 xul!mozilla::dom::GenericBindingMethod(struct JSContext * cx = 0x0a080ec0, unsigned int argc = 0x1d09a9c8, class JS::Value * vp = 0x11618642)+0xc3 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\dom\bindings\bindingutils.cpp @ 2297]
0012d724 00d0d08f mozjs!js::jit::DoNewArray(struct JSContext * cx = 0x00000c99, class js::jit::ICNewArray_Fallback * stub = 0x00000004, unsigned int length = 0xa080ec0, class JS::Handle<js::types::TypeObject *> type = class JS::Handle<js::types::TypeObject *>, class JS::MutableHandle<JS::Value> res = class JS::MutableHandle<JS::Value>)+0x128 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\js\src\jit\baselineic.cpp @ 1715]
0012d778 00c6c4d8 mozjs!js::FixedSizeHashSet<JSScript *,js::LazyScriptHashPolicy,769>::getBuckets<js::LazyScriptHashPolicy::Lookup>(struct js::LazyScriptHashPolicy::Lookup * s = 0x00000004, unsigned int * buckets = 0x17165394)+0x2f [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\js\src\ds\fixedsizehash.h @ 118]
0012d800 00c558f2 mozjs!EnterBaseline(struct JSContext * cx = 0x10f07a00, struct js::jit::EnterJitData * data = 0x7dff237a)+0xf8 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\js\src\jit\baselinejit.cpp @ 126]
0012d8b8 00c82f67 mozjs!js::jit::EnterBaselineMethod(struct JSContext * cx = 0x17165394, class js::RunState * state = 0x0012dc84)+0xb2 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\js\src\jit\baselinejit.cpp @ 156]
0012dff8 00c7bcc3 mozjs!Interpret(struct JSContext * cx = 0x00000000, class js::RunState * state = 0x17165394)+0x14f7 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\js\src\vm\interpreter.cpp @ 2645]
0012e130 00c8030c mozjs!js::RunScript(struct JSContext * cx = 0x0a080ec0, class js::RunState * state = 0x0012e170)+0x213 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\js\src\vm\interpreter.cpp @ 422]
0012e348 00cb6eee mozjs!js::Invoke(struct JSContext * cx = 0x0a080ec0, class JS::CallArgs args = class JS::CallArgs, js::MaybeConstruct construct = NO_CONSTRUCT (0n0))+0xfc [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\js\src\vm\interpreter.cpp @ 497]
0012e40c 00c802b3 mozjs!js::CallOrConstructBoundFunction(struct JSContext * cx = 0x0a080ec0, unsigned int argc = 0, class JS::Value * vp = 0x0012e690)+0x1be [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\js\src\jsfun.cpp @ 1282]
0012e628 00c73d02 mozjs!js::Invoke(struct JSContext * cx = 0x0a080ec0, class JS::CallArgs args = class JS::CallArgs, js::MaybeConstruct construct = NO_CONSTRUCT (0n0))+0xa3 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\js\src\vm\interpreter.cpp @ 468]
0012e88c 00c802b3 mozjs!js_fun_apply(struct JSContext * cx = 0x0a080ec0, unsigned int argc = 2, class JS::Value * vp = 0x06ecd050)+0x1b2 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\js\src\jsfun.cpp @ 1020]
0012eaa8 00c820bb mozjs!js::Invoke(struct JSContext * cx = 0x0a080ec0, class JS::CallArgs args = class JS::CallArgs, js::MaybeConstruct construct = NO_CONSTRUCT (0n0))+0xa3 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\js\src\vm\interpreter.cpp @ 468]
0012f1f0 00c7bcc3 mozjs!Interpret(struct JSContext * cx = 0x00000000, class js::RunState * state = 0x17165394)+0x64b [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\js\src\vm\interpreter.cpp @ 2620]
0012f328 00c8030c mozjs!js::RunScript(struct JSContext * cx = 0x0a080ec0, class js::RunState * state = 0x0012f368)+0x213 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\js\src\vm\interpreter.cpp @ 422]
0012f540 00c800b8 mozjs!js::Invoke(struct JSContext * cx = 0x0a080ec0, class JS::CallArgs args = class JS::CallArgs, js::MaybeConstruct construct = NO_CONSTRUCT (0n0))+0xfc [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\js\src\vm\interpreter.cpp @ 497]
0012f5e4 00cca611 mozjs!js::Invoke(struct JSContext * cx = 0x0a080ec0, class JS::Value * thisv = 0x0012f730, class JS::Value * fval = 0x0012f670, unsigned int argc = 0, class JS::Value * argv = 0x0012f6a8, class JS::MutableHandle<JS::Value> rval = class JS::MutableHandle<JS::Value>)+0x188 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\js\src\vm\interpreter.cpp @ 531]
0012f60c 01783a93 mozjs!JS::Call(struct JSContext * cx = 0x0a080ec0, class JS::Handle<JS::Value> thisv = class JS::Handle<JS::Value>, class JS::Handle<JS::Value> fval = class JS::Handle<JS::Value>, class JS::HandleValueArray * args = 0x0012f650, class JS::MutableHandle<JS::Value> rval = class JS::MutableHandle<JS::Value>)+0x21 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\js\src\jsapi.cpp @ 5076]
0012f6ec 01619650 xul!mozilla::dom::Function::Call(struct JSContext * cx = 0x0a080ec0, class JS::Handle<JS::Value> aThisVal = class JS::Handle<JS::Value>, class nsTArray<JS::Value> * arguments = 0x19cf8b68, class JS::MutableHandle<JS::Value> aRetVal = class JS::MutableHandle<JS::Value>, class mozilla::ErrorResult * aRv = 0x0012f858)+0x103 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\obj-firefox\dom\bindings\functionbinding.cpp @ 35]
0012f808 0164970a xul!mozilla::dom::Function::Call<nsCOMPtr<nsISupports> >(class nsCOMPtr<nsISupports> * thisObjPtr = 0x0012f830, class nsTArray<JS::Value> * arguments = 0x19cf8b68, class JS::MutableHandle<JS::Value> aRetVal = class JS::MutableHandle<JS::Value>, class mozilla::ErrorResult * aRv = 0x17165394, mozilla::dom::CallbackObject::ExceptionHandling aExceptionHandling = 0n23369482 (No matching enumerant))+0xc0 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\obj-firefox\dist\include\mozilla\dom\functionbinding.h @ 58]
0012f934 016503f1 xul!nsGlobalWindow::RunTimeoutHandler(struct nsTimeout * aTimeout = 0x1bcacd00, class nsIScriptContext * aScx = 0x117a4430)+0x15a [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\dom\base\nsglobalwindow.cpp @ 11982]
0012f9a4 017935b7 xul!nsGlobalWindow::RunTimeout(struct nsTimeout * aTimeout = 0x173d3a00)+0x2d1 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\dom\base\nsglobalwindow.cpp @ 12207]
0012f9c0 0165f0b7 xul!nsGlobalWindow::TimerCallback(class nsITimer * aTimer = 0x13395880, void * aClosure = 0x173d3a00)+0x44 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\dom\base\nsglobalwindow.cpp @ 12452]
0012f9dc 0165efeb xul!nsTimerImpl::Fire(void)+0xc7 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\xpcom\threads\nstimerimpl.cpp @ 566]
0012f9e0 016b2516 xul!nsTimerEvent::Run(void)+0x14 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\xpcom\threads\nstimerimpl.cpp @ 652]
0012fa60 01695c9d xul!nsThread::ProcessNextEvent(bool mayWait = false, bool * result = 0x0012fa78)+0x3b6 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\xpcom\threads\nsthread.cpp @ 715]
0012fa70 019481b5 xul!NS_ProcessNextEvent(class nsIThread * thread = 0x0101b101, bool mayWait = false)+0x2d [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\xpcom\glue\nsthreadutils.cpp @ 263]
0012fa9c 0193b5ce xul!mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate * aDelegate = 0x0102e1a0)+0x46 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\ipc\glue\messagepump.cpp @ 95]
0012fad4 0193b65d xul!MessageLoop::RunHandler(void)+0x51 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\ipc\chromium\src\base\message_loop.cc @ 223]
0012faf4 0189d875 xul!MessageLoop::Run(void)+0x19 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\ipc\chromium\src\base\message_loop.cc @ 197]
0012fb00 018b3dc7 xul!nsBaseAppShell::Run(void)+0x2c [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\widget\xpwidgets\nsbaseappshell.cpp @ 166]
0012fb14 0182844d xul!nsAppShell::Run(void)+0x19 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\widget\windows\nsappshell.cpp @ 186]
0012fbe8 018862c6 xul!XREMain::XRE_mainRun(void)+0x453 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\toolkit\xre\nsapprunner.cpp @ 4019]
0012fc08 018a2186 xul!XREMain::XRE_main(int argc = 0n0, char ** argv = 0x00284d90, struct nsXREAppData * aAppData = 0x0012fd50)+0xe8 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\toolkit\xre\nsapprunner.cpp @ 4088]
0012fd20 004016dd xul!XRE_main(int argc = 0n1, char ** argv = 0x00284d90, struct nsXREAppData * aAppData = 0x0012fd50, unsigned int aFlags = 0)+0x30 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\toolkit\xre\nsapprunner.cpp @ 4300]
0012feb4 004019a2 firefox!do_main(int argc = 0n1, char ** argv = 0x00284d90, class nsIFile * xreDirectory = 0x0101e0a0)+0x283 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\browser\app\nsbrowserapp.cpp @ 282]
0012ff48 00401aad firefox!NS_internal_main(int argc = 0n1, char ** argv = 0x00284d90)+0x11d [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\browser\app\nsbrowserapp.cpp @ 643]
0012ff7c 0040237b firefox!wmain(int argc = 0n0, wchar_t ** argv = 0x00284ba0)+0xf0 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\toolkit\xre\nswindowswmain.cpp @ 112]
0012ffc0 7c817067 firefox!__tmainCRTStartup(void)+0x122 [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 552]
0012fff0 00000000 kernel32!BaseProcessStart+0x23
Wow, that's hard to read, how about:
xul!mozilla::dom::HTMLBodyElement::ParseAttribute
xul!mozilla::dom::Element::SetAttr
xul!nsGenericHTMLElement::SetAttr
xul!mozilla::dom::Element::SetAttribute
xul!mozilla::dom::ElementBinding::setAttribute
xul!mozilla::dom::GenericBindingMethod
mozjs!js::jit::DoNewArray
mozjs!js::FixedSizeHashSet<JSScript *,js::LazyScriptHashPolicy,769>::getBuckets<js::LazyScriptHashPolicy::Lookup>
mozjs!EnterBaseline
mozjs!js::jit::EnterBaselineMethod
mozjs!Interpret
mozjs!js::RunScript
mozjs!js::Invoke
mozjs!js::CallOrConstructBoundFunction
mozjs!js::Invoke
mozjs!js_fun_apply
mozjs!js::Invoke
mozjs!Interpret
mozjs!js::RunScript
mozjs!js::Invoke
mozjs!js::Invoke
mozjs!JS::Call
xul!mozilla::dom::Function::Call
xul!mozilla::dom::Function::Call<nsCOMPtr<nsISupports> >
xul!nsGlobalWindow::RunTimeoutHandler
xul!nsGlobalWindow::RunTimeout
xul!nsGlobalWindow::TimerCallback
xul!nsTimerImpl::Fire
xul!nsTimerEvent::Run
xul!nsThread::ProcessNextEvent
xul!NS_ProcessNextEvent
xul!mozilla::ipc::MessagePump::Run
xul!MessageLoop::RunHandler
xul!MessageLoop::Run
xul!nsBaseAppShell::Run
xul!nsAppShell::Run
xul!XREMain::XRE_mainRun
xul!XREMain::XRE_main
xul!XRE_main
firefox!do_main
firefox!NS_internal_main
firefox!wmain
firefox!__tmainCRTStartup
kernel32!BaseProcessStart
Oh uh, so all of this is irrelevant. This is an illegal instruction exception. If I look at the disassembly for this crash, the crashing instruction is:
018723cf c7ff7510ff75    xbegin  7786344a

which seems pretty bogus. It looks like something caused us to jump into the middle of an instruction. If I run the same build and disassemble that function I get:
568f23c5 0f84cb0d6f00    je      xul!mozilla::dom::HTMLBodyElement::ParseAttribute+0x6f0e63 (56fe3196)
568f23cb ff7514          push    dword ptr [ebp+14h]
568f23ce 8bc7            mov     eax,edi
568f23d0 ff7510          push    dword ptr [ebp+10h]
568f23d3 ff7508          push    dword ptr [ebp+8]

(you can see that there's not an instruction at ...23cf, that's one byte past the mov at ...23ce)
The modules list here also contains a bunch of modules like "3khkstub.dll", which appear to be from a MindSpark toolbar from brief Googling.
This is puzzling, because it looks like there's a totally legit stack there, but somehow in the top frame the instruction pointer was shifted by a byte and then we crashed because it was trying to execute in the middle of an instruction.
> xul!mozilla::dom::GenericBindingMethod
> mozjs!js::jit::DoNewArray

That seems pretty unlikely to me.  The stack claims we're on line 1715 of DoNewArray, right?  On beta right now 1715 is:

1715     JSObject *obj = NewInitArray(cx, length, type);

None of this should involve a call to setAttribute.

Unless those two stack frames (DoNewArray and getBuckets) are actually jitcode that confuses the stack walker?
That seems plausible. That stack is from WinDBG, so I can't give you any clues about how it got there. Modulo those two frames the stack seems sane, right? I think the real question is how we got to the situation described in comment 4.
The rest of the stack looks sane, yes.  And I have no idea how our PC ended up skipping around.  :(

Is this an AMD system?  I seem to recall dmajor running into a pc-skipping bug like that before on those...
Flags: needinfo?(dmajor)
"GenuineIntel family 15 model 6 stepping 5 | 2" suggests not AMD?  Or is "Build Architecture Info" not the thing we're running on?
That's the actual CPUID. (We probably should have left that at "CPU Information" when we changed "CPU" to "Build Architecture".)
Interesting!

https://crash-stats.mozilla.com/search/?address=^23cf&signature=~ParseAttribute&_facets=signature&_facets=cpu_info&_facets=useragent_locale&_facets=address&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform

The same one-bit error on six installations with the same Intel CPU model, but otherwise no correlations. A CPU issue is not out of the question.

One particular user hit this extremely consistently and sent us many reports. We probably wouldn't have noticed otherwise. (It's possible that this may have been occurring in very low volume for quite a while)
Flags: needinfo?(dmajor)
In bp-586e0387-a77a-4a73-b89a-0ad662140709 that same user is crashing in the middle of a different instruction nearby:

0:000> u . L1
xul!mozilla::dom::HTMLBodyElement::ParseAttribute+0x82 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\content\html\content\src\htmlbodyelement.cpp @ 323]:
018723b5 a00cc9020f      mov     al,byte ptr ds:[0F02C90Ch]

0:000> u .-2 L2
xul!mozilla::dom::HTMLBodyElement::ParseAttribute+0x80 [c:\builds\moz2_slave\rel-m-beta-w32_bld-00000000000\build\content\html\content\src\htmlbodyelement.cpp @ 323]:
018723b3 3b3da00cc902    cmp     edi,dword ptr [xul!nsGkAtoms::leftmargin (02c90ca0)]
018723b9 0f84d70d6f00    je      xul!mozilla::dom::HTMLBodyElement::ParseAttribute+0x6f0e63 (01f63196)

I haven't been able to find the errata sheet for this particular model.
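The check done by hand in comments 4 and 13 (does the faulting EIP fall on an instruction boundary, and what byte stream did the CPU decode there?) and the "one-bit error" observation in comment 12 can be mechanised. The script below is an added example for this write-up, not code from the bug or from Mozilla. It parses a WinDBG `u` listing of the function, locates the faulting PC inside it, reports the byte offset into the containing instruction, the Hamming distance between the PC and that instruction's start, and the bytes at the PC, which should reproduce the bogus instruction shown in the crash report. The listings embedded below are copied from comments 4 and 13; the one from comment 4 was taken in a different session with xul.dll at a different base, so it is slid into the crash's address space under the assumption that Windows relocates images at 64 KiB granularity and the low 16 bits of a code address are therefore stable across sessions.

```python
"""Crash-triage helper: does a faulting PC sit on an instruction boundary?

Added example for this bug's analysis, not code from the bug or from Mozilla.
Feed it a WinDBG ``u`` listing of the function and the faulting EIP; it reports
which instruction the PC falls inside, how many bits differ between the PC and
that instruction's start, and the byte stream the CPU began decoding there.
"""
import re
from dataclasses import dataclass
from typing import Optional

# One row of WinDBG "u" output: address, raw bytes, mnemonic, operands.
# Symbol/source header rows ("xul!...ParseAttribute+0x80 [...]:") do not match and are skipped.
_ROW = re.compile(r"^\s*([0-9a-fA-F]{8,16})\s+([0-9a-fA-F]+)\s+(\S+)(?:\s+(.*?))?\s*$")

# Assumption: Windows relocates images at 64 KiB granularity, so the low 16 bits of a
# code address are the same in every session. Used to line up a listing from another process.
IMAGE_ALIGN = 0x10000


@dataclass(frozen=True)
class Insn:
    addr: int
    raw: bytes
    text: str

    @property
    def end(self) -> int:
        return self.addr + len(self.raw)  # exclusive


@dataclass(frozen=True)
class PcReport:
    pc: int
    insn: Optional[Insn]   # instruction containing pc, or None if pc is outside the listing
    offset: int            # byte offset of pc into that instruction (0 = legal boundary)
    bit_flips: int         # Hamming distance between pc and the instruction's start
    bytes_at_pc: bytes     # what the CPU actually started decoding at pc

    @property
    def on_boundary(self) -> bool:
        return self.insn is not None and self.offset == 0


def parse_windbg_listing(listing: str) -> list[Insn]:
    insns = []
    for line in listing.splitlines():
        m = _ROW.match(line)
        if not m or len(m.group(2)) % 2:   # no match, or not a whole number of bytes
            continue
        addr, raw, mnem, ops = m.groups()
        insns.append(Insn(int(addr, 16), bytes.fromhex(raw), f"{mnem} {ops or ''}".strip()))
    insns.sort(key=lambda i: i.addr)
    for a, b in zip(insns, insns[1:]):      # byte-stream slicing below needs a gap-free listing
        if a.end != b.addr:
            raise ValueError(f"listing has a gap between {a.addr:#x} and {b.addr:#x}")
    return insns


def rebase_to(insns: list[Insn], pc: int) -> list[Insn]:
    """Slide a listing taken in another session next to pc, moving only by whole IMAGE_ALIGN units."""
    if not insns:
        return insns
    delta = ((pc - insns[0].addr + IMAGE_ALIGN // 2) // IMAGE_ALIGN) * IMAGE_ALIGN
    return [Insn(i.addr + delta, i.raw, i.text) for i in insns]


def locate_pc(insns: list[Insn], pc: int, nbytes: int = 6) -> PcReport:
    stream = b"".join(i.raw for i in insns)          # contiguous, checked by the parser
    for i in insns:
        if i.addr <= pc < i.end:
            start = pc - insns[0].addr
            return PcReport(pc, i, pc - i.addr, bin(pc ^ i.addr).count("1"), stream[start:start + nbytes])
    return PcReport(pc, None, -1, -1, b"")


def triage(listing: str, pc: int) -> PcReport:
    return locate_pc(rebase_to(parse_windbg_listing(listing), pc), pc)


# Listings copied from comments 4 and 13 of this bug (comment 4's was taken in a different
# session, with xul.dll at a different base) and the two faulting EIPs from the crash reports.
LISTING_COMMENT_4 = """
568f23c5 0f84cb0d6f00    je      xul!mozilla::dom::HTMLBodyElement::ParseAttribute+0x6f0e63 (56fe3196)
568f23cb ff7514          push    dword ptr [ebp+14h]
568f23ce 8bc7            mov     eax,edi
568f23d0 ff7510          push    dword ptr [ebp+10h]
568f23d3 ff7508          push    dword ptr [ebp+8]
"""
PC_COMMENT_4 = 0x018723CF

LISTING_COMMENT_13 = """
xul!mozilla::dom::HTMLBodyElement::ParseAttribute+0x80:
018723b3 3b3da00cc902    cmp     edi,dword ptr [xul!nsGkAtoms::leftmargin (02c90ca0)]
018723b9 0f84d70d6f00    je      xul!mozilla::dom::HTMLBodyElement::ParseAttribute+0x6f0e63 (01f63196)
"""
PC_COMMENT_13 = 0x018723B5


def describe(r: PcReport) -> str:
    if r.insn is None:
        return f"EIP {r.pc:#010x} is outside the listing"
    if r.on_boundary:
        where = "on an instruction boundary"
    else:
        where = (f"{r.offset} byte(s) into '{r.insn.text}' at {r.insn.addr:#010x} "
                 f"({r.bit_flips} bit(s) differ from that address)")
    return f"EIP {r.pc:#010x} is {where}; bytes decoded there: {r.bytes_at_pc.hex()}"


if __name__ == "__main__":
    print(describe(triage(LISTING_COMMENT_4, PC_COMMENT_4)))
    print(describe(triage(LISTING_COMMENT_13, PC_COMMENT_13)))
```

Run against the two listings, the script places the first crash one byte into `mov eax,edi` with a single bit differing from the legal address, and reproduces `c7ff7510ff75`, the bogus `xbegin` from comment 4; the second crash lands two bytes into the `cmp`, with two bits differing, and the bytes there start `a00cc9020f`, the `mov al,...` from comment 13. The byte-stream cross-check is the useful part for triage: if the bytes at the faulting PC in the crash dump match what the listing predicts, the code pages were intact and only the instruction pointer was wrong, which points away from a code-corrupting injected DLL and toward the control-flow or hardware hypotheses discussed above.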
Crash Signature: [@ mozilla::dom::HTMLBodyElement::ParseAttribute(int, nsIAtom*, nsAString_internal const&, nsAttrValue&)] → [@ mozilla::dom::HTMLBodyElement::ParseAttribute(int, nsIAtom*, nsAString_internal const&, nsAttrValue&)] [@ mozilla::dom::HTMLBodyElement::ParseAttribute]
Priority: -- → P5

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
Component: DOM → DOM: Core & HTML