
crash in AppendUTF8toUTF16 | NS_ConvertUTF8toUTF16::NS_ConvertUTF8toUTF16 | nsPluginElement::EnsurePluginMimeTypes in Firefox 42

Status: NEW
Assignee: Unassigned
Product: Core
Component: General
Priority: --
Severity: critical
Reported: 2 years ago
Modified: 2 years ago

Reporter: philipp

Keywords: crash, regression
Version: 42 Branch
Hardware: x86 / Windows NT
Firefox Tracking Flags: firefox41 unaffected, firefox42 affected, firefox43 affected

Description (Reporter, 2 years ago)

This bug was filed from the Socorro interface and is report bp-0ef64fb6-2a4d-4513-bcd9-45b752151103.
=============================================================
Crashing Thread
Frame 	Module 	Signature 	Source
0 	xul.dll 	AppendUTF8toUTF16(nsACString_internal const&, nsAString_internal&, mozilla::fallible_t const&) 	xpcom/string/nsReadableUtils.cpp
1 	xul.dll 	NS_ConvertUTF8toUTF16::NS_ConvertUTF8toUTF16(nsACString_internal const&) 	xpcom/string/nsString.h
2 	xul.dll 	nsPluginElement::EnsurePluginMimeTypes() 	dom/base/nsPluginArray.cpp
3 	xul.dll 	GetPluginMimeTypes 	dom/base/nsPluginArray.cpp
4 	xul.dll 	nsPluginArray::GetMimeTypes(nsTArray<nsRefPtr<nsMimeType> >&) 	dom/base/nsPluginArray.cpp
5 	xul.dll 	nsMimeTypeArray::NamedGetter(nsAString_internal const&, bool&) 	dom/base/nsMimeTypeArray.cpp
6 		@0x56d517 	
7 		@0x1c 	
8 		@0x6c006f 	
9 	xul.dll 	js::BaseShape::getUnowned(js::ExclusiveContext*, js::StackBaseShape&) 	js/src/vm/Shape.cpp
10 	xul.dll 	js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) 	js/src/proxy/Proxy.cpp
11 	xul.dll 	Interpret 	js/src/vm/Interpreter.cpp

This is a new signature in Firefox 42 builds and higher. In early data it's currently on rank #10 of the crash score board for 42.0.
Some of the user comments hint at the issue happening repeatedly on particular sites, likely with plugin content being executed as well.

https://crash-stats.mozilla.com/search/?date=%3E2015-01-01&signature=%3DAppendUTF8toUTF16+|+NS_ConvertUTF8toUTF16%3A%3ANS_ConvertUTF8toUTF16+|+nsPluginElement%3A%3AEnsurePluginMimeTypes&_facets=version&_facets=user_comments&_facets=uptime&_facets=adapter_vendor_id&_facets=build_id&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-version

Comment 1 (Boris Zbarsky [:bz])

Huh.  So this is not OOM, right?  It claims to be a null-deref; is that correct or is this one of those cases where breakpad claims null while the actual crash is elsewhere?

This code is new in 42 as of bug 1178963.  Looking at the crash reports, some of them are on type, some on description, and some on extension in nsPluginElement::EnsurePluginMimeTypes, correct?

Do we have any correlations with installed plug-ins by any chance?
Flags: needinfo?(madperson)

(In reply to Boris Zbarsky [:bz] from comment #1)
> Huh.  So this is not OOM, right?  It claims to be a null-deref; is that
> correct or is this one of those cases where breakpad claims null while the
> actual crash is elsewhere?

I examined a dump, and given the limited information that is available to me, it looks like the source string's mData == nullptr yet its mLength == 0xf.
That's just weird.  :(
Comment 4 (Reporter, 2 years ago)

I spoke with KaiRo on IRC - we don't have general correlation data for plugins (if the plugin process itself crashes though, we do have the information which plugin crashed).
Flags: needinfo?(madperson)