Closed Bug 1055456 Opened 6 years ago Closed 6 years ago

Crash in [@ nsTypeAheadFind::GetSearchContainers]

Categories

(Toolkit :: Find Toolbar, defect)

x86_64
Linux
defect
Not set
blocker

Tracking

()

VERIFIED FIXED
mozilla34
Tracking Status
e10s - ---
firefox34 + verified

People

(Reporter: smaug, Assigned: smaug)

References

Details

(Keywords: regression, topcrash)

Crash Data

Attachments

(1 file)

https://crash-stats.mozilla.com/report/index/335cd18c-3f3f-40ee-9f70-c99232140819

(This is a blocker for me to use e10s builds. They crash all the time.
"Search for text when I start typing" enabled)
This is the #4 topcrasher for Firefox 34.0a1 for the last 7 days with 182/11183 crashes. It happens on Mac, Windows, and Linux.  The crash signature first appeared 2012-04-08 but the recent crashes only started up again with the 2014081703 build. 

Comments from other crash reports: 

"This crash seems to happen on about:newtab when I press a key with the focus on the page. It doesn't happen in about:blank, and doesn't seem to depend on whether about:newtab is in Blank or Classic mode. "

"I tried to search in my downloads - I pressed Ctrl+F on 'all downloads' tab and started to type '.24'. on first char window became blank and then Firefox died. RIP. "
Crash Signature: [@ nsTypeAheadFind::GetSearchContainers(nsISupports*, nsISelectionController*, bool, bool, nsIPresShell**, nsPresContext**) ]
Keywords: topcrash
Summary: [E10s] [@ nsTypeAheadFind::GetSearchContainers] → Crash in [@ nsTypeAheadFind::GetSearchContainers]
I explicitly filed this for e10s, since that is where this is happening for me.
Blocks: e10s
(In reply to Olli Pettay [:smaug] from comment #2)
> I explicitly filed this for e10s, since that is where this is happening for
> me.

I hit it on a non-E10S nightly and it's nearly the same stack: https://crash-stats.mozilla.com/report/index/3d49e6ad-749f-40b1-8b02-edccd2140826
Assignee: nobody → bugs
Ah, most probably a regression from bug 263049
Blocks: 263049
Nothing guarantees a binding has anonymous content.
Attached patch null checkSplinter Review
As far as I see, this is a null+offset crash.
So better to null check the return value of GetAnonymousContent().
And there is no need to null check 'child' since do_QueryInterface is null safe.
Attachment #8479935 - Flags: review?(mrbkap)
Comment on attachment 8479935 [details] [diff] [review]
null check

Wait, this isn't enough. There would be just more null pointer crashes.
Attachment #8479935 - Flags: review?(mrbkap)
Comment on attachment 8479935 [details] [diff] [review]
null check

No, this should be fine.
searchRootNode points to non-null rootNode, if we don't have anonContent.
Attachment #8479935 - Flags: review?(mrbkap)
Comment on attachment 8479935 [details] [diff] [review]
null check

Review of attachment 8479935 [details] [diff] [review]:
-----------------------------------------------------------------

Sorry, I should have caught this in my original review.
Attachment #8479935 - Flags: review?(mrbkap) → review+
m-i is closed :(
I don't expect a null check needing a tryserver run.
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/47f8093426c4
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
Keywords: regression
This crash signature stopped showing up so I'm marking it verified based on crash-stats.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.