crash in UnescapeAndConvert when accessing http://www.w3.org/TR/html5/

Status: RESOLVED WORKSFORME
Type: defect
Priority: --
Severity: critical
Reported: 4 years ago
Modified: 3 years ago

People

Reporter: tonymec, Unassigned

Tracking

Keywords: crash, regression

SeaMonkey Tracking Flags: seamonkey2.42 unaffected, seamonkey2.43 affected

Details

Whiteboard: [CLOSEME 2016-12-11 WFM], crash signature

This bug was filed from the Socorro interface and is report bp-6acce554-5804-4546-a200-0a76b2160109.
=============================================================
Also:
bp-407d43db-b159-4612-bf75-638e52160109
bp-51c78635-ffbf-47f3-a58d-82fbd2160108
bp-7770b15d-28da-4f35-9cb3-8906d2160108
bp-b45707b9-e4b4-4707-a1c0-840282160108

All these crashes (all at UnescapeAndConvert) happened during restart of a session containing a tab for http://www.w3.org/TR/html5/ — the two most recent just as I clicked that tab. Then I omitted that tab from the session to be restarted and there was no more crash.

According to MXR, the identifier UnescapeAndConvert is a function name used only in the source file mailnews/compose/src/nsSmtpUrl.cpp (and in particular nowhere in mozilla-central), but I had set SeaMonkey to open only the browser and ChatZilla at startup, not MailNews.

The crashing build is:
UA:"Mozilla/5.0 (X11; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0 SeaMonkey/2.43a1"
ID:20160108003001 en-US
c-c:625d871a9669ee81da4b6128efc95301dae3f7cb
m-c:d4213241bb796fdfa7a5ad4f1989e97b44474364

There was no crash with the same session in the previous nightly, whose seamonkey-2.43a1.en-US.linux-x86_64.txt had the following contents:
20160107003001
http://hg.mozilla.org/mozilla-central/rev/1ec3a3ff68f2d1a54e6ed33e926c28fee286bdf1
http://hg.mozilla.org/comm-central/rev/3f5e39b93615

and also none in any earlier build.

Here are the crash details, as seen by Socorro for the most recent of these crashes (the one from which this bug report was generated):

Signature 	UnescapeAndConvert
UUID 	6acce554-5804-4546-a200-0a76b2160109
Date Processed 	2016-01-09T00:47:29.395992+00:00
Uptime 	749
Last Crash 	1435 seconds before submission
Install Age 	9552 since version was first installed.
Install Time 	2016-01-08 22:05:48
Product 	SeaMonkey
Version 	2.43a1
Build ID 	20160108003001
Release Channel 	nightly
OS 	Linux
OS Version 	0.0.0 Linux 4.1.13-5-default #1 SMP PREEMPT Thu Nov 26 16:35:17 UTC 2015 (49475c3) x86_64
Build Architecture 	amd64
Build Architecture Info 	family 6 model 23 stepping 10 | 2
Crash Reason 	SIGSEGV
Crash Address 	0x0
User Comments 	During crashed session restore. Again as I clicked on the tab for the W3C HTML5 standard. I'll omit it at next restart.
App Notes 	OpenGL: Intel Open Source Technology Center -- Mesa DRI Intel(R) Q45/Q43  -- 2.1 Mesa 11.0.8 -- texture_from_pixmap
	WebGL? libGL.so.1? libGL.so.1+ GL Context? GL Context+ WebGL+
Processor Notes 	processor_prod-processor-i-69281bad_17121; MozillaProcessorAlgorithm2015; skunk_classifier: reject - not a plugin hang
EMCheckCompatibility 	False
Winsock LSP 	
Adapter Vendor ID 	
Adapter Device ID 	

Crashing Thread (0)
Frame 	Module 	Signature 	Source
0 	libxul.so 	UnescapeAndConvert 	/builds/slave/c-cen-t-lnx64/build/mailnews/compose/src/nsSmtpUrl.cpp:46
1 	libxul.so 	nsMailtoUrl::ParseMailtoUrl(char*) 	/builds/slave/c-cen-t-lnx64/build/mailnews/compose/src/nsSmtpUrl.cpp:211
2 	libxul.so 	nsMailtoUrl::ParseUrl() 	/builds/slave/c-cen-t-lnx64/build/mailnews/compose/src/nsSmtpUrl.cpp:305
3 	libxul.so 	nsSmtpService::NewURI(nsACString_internal const&, char const*, nsIURI*, nsIURI**) 	/builds/slave/c-cen-t-lnx64/build/mailnews/compose/src/nsSmtpService.cpp:315
4 	libxul.so 	nsIOService::NewURI(nsACString_internal const&, char const*, nsIURI*, nsIURI**) 	netwerk/base/nsIOService.cpp
5 	libxul.so 	NS_NewURI(nsIURI**, nsACString_internal const&, char const*, nsIURI*, nsIIOService*) 	netwerk/base/nsNetUtil.inl
6 	libxul.so 	NS_NewURI(nsIURI**, nsAString_internal const&, char const*, nsIURI*, nsIIOService*) 	netwerk/base/nsNetUtil.inl
7 	libxul.so 	nsGenericHTMLElement::GetURIAttr(nsIAtom*, nsIAtom*, nsIURI**) const 	dom/html/nsGenericHTMLElement.cpp
8 	libxul.so 	nsGenericHTMLElement::GetHrefURIForAnchors() const 	dom/html/nsGenericHTMLElement.cpp
9 	libxul.so 	mozilla::dom::HTMLAnchorElement::GetHrefURI() const 	dom/html/HTMLAnchorElement.cpp
10 	libxul.so 	mozilla::dom::Link::GetURI() const 	dom/base/Link.cpp
11 	libxul.so 	mozilla::dom::Link::LinkState() const 	dom/base/Link.cpp
12 	libxul.so 	nsIDocument::FlushPendingLinkUpdates() 	dom/base/nsDocument.cpp
13 	libxul.so 	nsCSSFrameConstructor::ResolveStyleContext(nsStyleContext*, nsIContent*, nsFrameConstructorState*) 	layout/base/nsCSSFrameConstructor.cpp
14 	libxul.so 	nsCSSFrameConstructor::ResolveStyleContext(nsIFrame*, nsIContent*, nsIContent*, nsFrameConstructorState*) 	layout/base/nsCSSFrameConstructor.cpp
15 	libxul.so 	nsCSSFrameConstructor::ResolveStyleContext(nsCSSFrameConstructor::InsertionPoint const&, nsIContent*, nsFrameConstructorState*) 	layout/base/nsCSSFrameConstructor.cpp
16 	libxul.so 	nsCSSFrameConstructor::AddFrameConstructionItems(nsFrameConstructorState&, nsIContent*, bool, nsCSSFrameConstructor::InsertionPoint const&, nsCSSFrameConstructor::FrameConstructionItemList&) 	layout/base/nsCSSFrameConstructor.cpp
17 	libxul.so 	nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, bool) 	layout/base/nsCSSFrameConstructor.cpp
18 	libxul.so 	nsCSSFrameConstructor::CreateNeededFrames(nsIContent*) 	layout/base/nsCSSFrameConstructor.cpp
19 	libxul.so 	nsCSSFrameConstructor::CreateNeededFrames(nsIContent*) 	layout/base/nsCSSFrameConstructor.cpp
20 	libxul.so 	nsCSSFrameConstructor::CreateNeededFrames() 	layout/base/nsCSSFrameConstructor.cpp
21 	libxul.so 	mozilla::RestyleManager::ProcessPendingRestyles() 	layout/base/RestyleManager.cpp
22 	libxul.so 	PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) 	layout/base/nsPresShell.cpp
23 	libxul.so 	nsRefreshDriver::Tick(long, mozilla::TimeStamp) 	layout/base/nsRefreshDriver.cpp
24 	libxul.so 	mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) 	layout/base/nsRefreshDriver.cpp
25 	libxul.so 	mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) 	layout/base/nsRefreshDriver.cpp
26 	libxul.so 	mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) 	layout/base/nsRefreshDriver.cpp
27 	libxul.so 	nsRunnableMethodImpl<void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), true, mozilla::TimeStamp>::Run() 	xpcom/glue/nsThreadUtils.h
28 	libxul.so 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
29 	libxul.so 	NS_ProcessNextEvent(nsIThread*, bool) 	/builds/slave/c-cen-t-lnx64/build/mozilla/xpcom/glue/nsThreadUtils.cpp:297
30 	libxul.so 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
31 	libxul.so 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
32 	libxul.so 	nsBaseAppShell::Run() 	widget/nsBaseAppShell.cpp
33 	libxul.so 	nsAppStartup::Run() 	/builds/slave/c-cen-t-lnx64/build/mozilla/toolkit/components/startup/nsAppStartup.cpp:281
34 	libxul.so 	XREMain::XRE_mainRun() 	toolkit/xre/nsAppRunner.cpp
35 	libxul.so 	XREMain::XRE_main(int, char**, nsXREAppData const*) 	toolkit/xre/nsAppRunner.cpp
36 	libxul.so 	XRE_main 	toolkit/xre/nsAppRunner.cpp
37 	seamonkey 	do_main 	/builds/slave/c-cen-t-lnx64-ntly/build/suite/app/nsSuiteApp.cpp:197
38 	seamonkey 	main 	/builds/slave/c-cen-t-lnx64-ntly/build/suite/app/nsSuiteApp.cpp:330
Ø 39 	libc-2.19.so 	libc-2.19.so@0x21b04 	
40 	seamonkey 	_init 	
41 	seamonkey 	seamonkey@0x55cb 	
42 	seamonkey 	__libc_csu_fini 	
43 	seamonkey 	seamonkey@0x55cb 	
44 	seamonkey 	_start
From hg.mozilla.org: list of changesets from the "last known good" excluded to the "first known bad" included (most recent first):

625d871a9669 for bug 1231642
d880f3209683 for bug 1135663 (a=DONTBUILD)
b2008d57aef4 for bug 1230739
601987a78df2 for bug 1237085
c73aed47dd73 for bug 1228438
586f1324ab64 for bug 1233827
b5ed5553699e for bug 1235355
015e0b60011d for bug 1236296
d991c6964795 for bug 1236164
09bf778fb288 for bug 1234619
17f2d83ce40a for bug 623986

I would have done it too for mozilla-central but there are too many. So I'm just extracting here the relevant info from comment #0:
Last known good: 1ec3a3ff68f2d1a54e6ed33e926c28fee286bdf1
First known bad: d4213241bb796fdfa7a5ad4f1989e97b44474364
bp-2751cde4-c1db-4508-8da2-ff7992160110

The page can be read in Lynx (2.8.7rel.2, 21 Jun 2010) with no problem. Let's try a few others...

- Firefox... OK
UA:"Mozilla/5.0 (X11; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0" (en-US) ID:20160109030208 CSet:0f363ae95dc90d593394ef464aa500804c824962

- Konqueror... OK in Webkit...  OK in KHTML... OK in Okular (View Source)
Konqueror 4.14.10

- Opera... OK
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36 OPR/32.0.1948.69

Firefox and SeaMonkey from ftp.mozilla.org, Konqueror and Opera from download.opensuse.org
Whiteboard: parity-Firefox
> All these crashes (all at UnescapeAndConvert) happened during restart of a session
> containing a tab for http://www.w3.org/TR/html5/
I think that page has a mailto link

> http://hg.mozilla.org/mozilla-central/annotate/d4213241bb79/dom/html/nsGenericHTMLElement.cpp#l1764
This calls NewURIWithDocumentCharset
> http://hg.mozilla.org/mozilla-central/annotate/d4213241bb79/netwerk/base/nsNetUtil.inl#l126
> http://hg.mozilla.org/mozilla-central/annotate/d4213241bb79/netwerk/base/nsNetUtil.inl#l115
Which passes to NS_NewURI and then to ioService->NewURI()
> http://hg.mozilla.org/mozilla-central/annotate/d4213241bb79/netwerk/base/nsIOService.cpp#l627
Since this is a mailto: uri it gets passed to:

nsSmtpService::NewURI()
> http://hg.mozilla.org/comm-central/annotate/1eb99f6f98f7/mailnews/compose/src/nsSmtpService.cpp#l315

nsMailtoUrl::ParseUrl()
> http://hg.mozilla.org/comm-central/annotate/97f8959797c9/mailnews/compose/src/nsSmtpUrl.cpp#l305

nsMailtoUrl::ParseMailtoUrl()
> http://hg.mozilla.org/comm-central/annotate/97f8959797c9/mailnews/compose/src/nsSmtpUrl.cpp#l211

nsMailtoUrl::ParseMailtoUrl()
UnescapeAndConvert()
mimeConverter->DecodeMimeHeaderToUTF8()
> http://hg.mozilla.org/comm-central/annotate/97f8959797c9/mailnews/compose/src/nsSmtpUrl.cpp#l46
Component: General → MIME
Product: SeaMonkey → MailNews Core
Whiteboard: parity-Firefox
The code for UnescapeAndConvert contains all sorts of interesting edge cases for XPCONNECT. It is likely that some core mozilla code changed something, and that resulted in a failure of one of the edge cases.

Edge cases:

1) Using an out parameter as an input.
2) Using AutoCString
3) In the JS, calling through arguments rather than directly.

Thoughts, jcranmer?
Flags: needinfo?(Pidgeot18)
(In reply to Tony Mechelynck [:tonymec] from comment #0)
> ...
> The crashing build is:
> UA:"Mozilla/5.0 (X11; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
> SeaMonkey/2.43a1"
> ID:20160108003001 en-US
> c-c:625d871a9669ee81da4b6128efc95301dae3f7cb
> m-c:d4213241bb796fdfa7a5ad4f1989e97b44474364
> 
> There was no crash with the same session in the previous nightly, whose
> seamonkey-2.43a1.en-US.linux-x86_64.txt had the following contents:
> 20160107003001
> http://hg.mozilla.org/mozilla-central/rev/
> 1ec3a3ff68f2d1a54e6ed33e926c28fee286bdf1
> http://hg.mozilla.org/comm-central/rev/3f5e39b93615
> 
> and also none in any earlier build.

your nod to possible regression range might not totally square with crash-stats, which lists these seamonkey crashes
bp-e81ce54a-4f4d-4a4d-80e9-dc08a2151128	2015-11-28 17:53:54
bp-cced7942-e446-47b9-81da-79b152151001	2015-10-01 06:48:20
these are the oldest I find.

And no crashes for Thunderbird.
(In reply to Kent James (:rkent) from comment #5)
> The code for UnescapeAndConvert contains all sorts of interesting edge cases
> for XPCONNECT. It is likely that some core mozilla code changed something,
> and that resulted in a failure of one of the edge cases.
> 
> Edge cases:
> 
> 1) Using an out parameter as an input.
> 2) Using AutoCString
> 3) In the JS, calling through arguments rather than directly.
> 
> Thoughts, jcranmer?

The crash is in UnescapeAndConvert, not anything deeper in xpconnect. As a SIGSEGV, the most likely scenario is someone is null, the obvious candidates being mimeConverter or possibly the string. The registers on the crashing thread seem to indicate that this is not the case, though, so my next guess (without being able to catch it in a debugger) is that there's some heap corruption that's overwriting a vtable pointer or vtable entry.
Flags: needinfo?(Pidgeot18)
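As an added illustration of the two preceding comments (it is not Mozilla's code and not a reconstruction of nsSmtpUrl.cpp), here is a small C mailto: parser that performs the step the call chain above runs through before the MIME conversion: split the query on '&', then percent-unescape each value. It is written so that every input a SIGSEGV at address 0x0 would suggest (a NULL string, a truncated or non-hex %XX escape, a URL that is not mailto: at all) returns an error before anything is dereferenced, rather than handing a half-decoded buffer to the next stage. Only the unescape half of UnescapeAndConvert is covered; DecodeMimeHeaderToUTF8 has no counterpart here. The struct, the helper mailto_field_is and the sample URL are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical result struct for the example: just the headers a mailto: link commonly carries. */
typedef struct { char *to; char *subject; char *body; } mailto_t;

void mailto_free(mailto_t *m) {
    if (!m) return;
    free(m->to); free(m->subject); free(m->body);
    m->to = m->subject = m->body = NULL;
}

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src[0..len) into a fresh NUL-terminated buffer.
   Returns NULL (never a half-decoded buffer) for a NULL input, an
   allocation failure, or an escape that is truncated or not hex. */
static char *unescape_dup(const char *src, size_t len) {
    if (!src) return NULL;
    char *out = malloc(len + 1);
    if (!out) return NULL;
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        if (src[i] != '%') { out[o++] = src[i]; continue; }
        if (i + 2 >= len) { free(out); return NULL; }      /* "%" or "%X" at end of input */
        int hi = hexval((unsigned char)src[i + 1]);
        int lo = hexval((unsigned char)src[i + 2]);
        if (hi < 0 || lo < 0) { free(out); return NULL; }  /* "%zz" and friends */
        out[o++] = (char)(hi * 16 + lo);
        i += 2;
    }
    out[o] = '\0';
    return out;
}

/* Parse "mailto:addr?header=value&..." into *out.  Returns 0 on success and
   -1 on any error, in which case *out holds no allocations.  The query is
   split on '&' BEFORE decoding, so an encoded '&' (%26) inside a value stays
   part of that value instead of starting a new header. */
int parse_mailto(const char *url, mailto_t *out) {
    if (!url || !out) return -1;
    memset(out, 0, sizeof *out);
    if (strncmp(url, "mailto:", 7) != 0) return -1;
    const char *p = url + 7;

    const char *q = strchr(p, '?');
    size_t tolen = q ? (size_t)(q - p) : strlen(p);
    out->to = unescape_dup(p, tolen);
    if (!out->to) return -1;
    if (!q) return 0;

    for (p = q + 1; *p; ) {
        const char *amp = strchr(p, '&');
        size_t plen = amp ? (size_t)(amp - p) : strlen(p);
        const char *eq = memchr(p, '=', plen);
        if (eq) {
            size_t klen = (size_t)(eq - p);
            char *v = unescape_dup(eq + 1, plen - klen - 1);
            if (!v) { mailto_free(out); return -1; }
            if (klen == 7 && memcmp(p, "subject", 7) == 0) { free(out->subject); out->subject = v; }
            else if (klen == 4 && memcmp(p, "body", 4) == 0) { free(out->body); out->body = v; }
            else free(v);   /* any other header is ignored by this example */
        }
        if (!amp) break;
        p = amp + 1;
    }
    return 0;
}

/* Demo helper (constructed): parse url and report whether one field decoded to expected. */
int mailto_field_is(const char *url, const char *field, const char *expected) {
    mailto_t m;
    if (parse_mailto(url, &m) != 0) return 0;
    const char *got = strcmp(field, "to") == 0 ? m.to
                    : strcmp(field, "subject") == 0 ? m.subject : m.body;
    int ok = got != NULL && strcmp(got, expected) == 0;
    mailto_free(&m);
    return ok;
}

int main(void) {
    /* Constructed sample link, not the one on the W3C page. */
    const char *url = "mailto:user@example.org?subject=Hello%20World&body=a%26b";
    mailto_t m;
    if (parse_mailto(url, &m) == 0) {
        printf("to=%s subject=%s body=%s\n", m.to, m.subject, m.body);
        mailto_free(&m);
    }
    printf("truncated escape rejected: %s\n",
           parse_mailto("mailto:x@example.org?subject=%2", &m) == -1 ? "yes" : "no");
    return 0;
}
```

Build with `cc -std=c99 -Wall mailto.c`. The two properties worth carrying back to the crash discussed above are that every failure path returns before any dereference, so a NULL or malformed input produces an error code rather than a read at address 0x0, and that the '&' split happens before decoding, so a %26 in a link-controlled value cannot smuggle in a second header.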
Is this now WFM?
Nothing on crash-stats with your email address after bp-7b2403eb-fb31-4cc4-b0ea-688722160701 - i.e. many months.
Flags: needinfo?(antoine.mechelynck)
(In reply to Wayne Mery (:wsmwk, NI for questions) from comment #8)
> Is this now WFM?
> Nothing on crash-stats with your email address after
> bp-7b2403eb-fb31-4cc4-b0ea-688722160701 - i.e. many months.

It's just that at comment #0 "I omitted that tab" from my session and did not restore it afterwards. I'll try. If it crashes again I shall say so and remove the tab again.
UA:"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49a1" 
ID:20161110003001 en-US 
c-c:5cb6c4f805a525ffda697c35221af3612f4cccf3 
m-c:336759fad4621dfcd0a3293840edbed67018accd

I've put that URL back into my session and it doesn't seem to crash — or not every time. I propose to close this bug if the crash does not reappear within a month.
Flags: needinfo?(antoine.mechelynck)
Whiteboard: [CLOSEME WFM 2016-12-11]
Whiteboard: [CLOSEME WFM 2016-12-11] → [CLOSEME 2016-12-11 WFM]
No reply to comment #10 in more than a month, closing.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME