Crash in std::deque<T>::_M_push_back_aux<T> when selecting text on GMail

Status: NEW, Unassigned
Priority: --, Severity: critical, Rank: 1
Opened 2 years ago, last modified a year ago
Reporter: padenot
Keywords: crash
Version: 45 Branch
Platform: Unspecified, Linux
Firefox Tracking Flags: platform-rel -, firefox47 affected, firefox48 affected, firefox49 affected
Whiteboard: [platform-rel-Google] [platform-rel-Gmail], crash signature
(Reporter)

Description

2 years ago
This bug was filed from the Socorro interface and is report bp-f0ef5753-0eea-4046-a0d9-3d4072160523.
=============================================================

I've been able to repro this on current nightly on Linux by selecting text in the gmail "compose" window.
Whiteboard: [platform-rel-Google] [platform-rel-Gmail]

Updated

2 years ago
platform-rel: --- → ?

Updated

2 years ago
platform-rel: ? → +
Crash volume for signature 'std::deque<T>::_M_push_back_aux<T>':
 - nightly (version 50): 0 crash from 2016-06-06.
 - aurora  (version 49): 2 crashes from 2016-06-07.
 - beta    (version 48): 1 crash from 2016-06-06.
 - release (version 47): 138 crashes from 2016-05-31.
 - esr     (version 45): 0 crash from 2016-04-07.

Crash volume on the last weeks:
             Week N-1   Week N-2   Week N-3   Week N-4   Week N-5   Week N-6   Week N-7
 - nightly          0          0          0          0          0          0          0
 - aurora           0          0          2          0          0          0          0
 - beta             0          0          0          0          1          0          0
 - release         30         27         17         18         18         17          4
 - esr              0          0          0          0          0          0          0

Affected platform: Linux
status-firefox47: --- → affected
status-firefox48: --- → affected
status-firefox49: --- → affected
I just ran into this crash:
https://dxr.mozilla.org/mozilla-central/source/dom/base/nsPlainTextSerializer.cpp#375

From a quick look, the crashing code was inlined, but the null deref seems to occur here:
https://dxr.mozilla.org/mozilla-central/source/dom/base/nsPlainTextSerializer.cpp#375
How can this result in a null deref?
Note, I too ran into this crash while using GMail.

Updated

2 years ago
Rank: 1
(In reply to Benoit Jacob [:bjacob] (mostly away) from comment #2)
> I just ran into this crash:
> https://dxr.mozilla.org/mozilla-central/source/dom/base/nsPlainTextSerializer.cpp#375
> 
> From a quick look, the crashing code was inlined, but the null deref seems
> to occur here:
> https://dxr.mozilla.org/mozilla-central/source/dom/base/nsPlainTextSerializer.cpp#375
> How can this result in a null deref?

OOM? Paul: are you still able to repro? What's the value of 'this' when you crash?
Flags: needinfo?(padenot)
(Reporter)

Comment 5

2 years ago
I can't repro anymore, but it seems unlikely this is an OOM; this machine has a 64-bit OS and has 32GB of RAM.
Flags: needinfo?(padenot)
Low-volume (18 crashes in the last 7 days) Linux-only crash. I don't see any instances in Firefox version 50+ but it's likely that this bug is still in there.
platform-rel: + → -
This crash is still happening, though still in extremely low volume. Here's a report from 55: bp-66beb2e8-489d-40a9-8354-f10f30170607.