Closed
Bug 1308327
Opened 8 years ago
Closed 8 years ago
Crash in nsDependentString::nsDependentString called from nsIEHistoryEnumerator::HasMoreElements()
Categories
(Firefox :: Migration, defect)
Tracking
()
VERIFIED
FIXED
Firefox 52
Tracking | Status | |
---|---|---|
firefox49 | --- | unaffected |
firefox50 | --- | unaffected |
firefox51 | --- | unaffected |
firefox52 | + | verified |
People
(Reporter: mccr8, Assigned: erahm)
References
Details
(Keywords: crash, regression)
Crash Data
Attachments
(1 file, 1 obsolete file)
1.48 KB,
patch
|
mak
:
review+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is report bp-b1dfb174-89ce-4706-ba04-7a9fe2161005. ============================================================= This is the number 9 crash on Windows for the Oct 5 Nightly, with 12 crashes. These are null deref crashes, from different install times. (I'm adding nsDependentString to the prefix list in bug 1308320 to hopefully split these signatures out better going forward.) Looking at SuperSearch, it appears that the nsIEHistoryEnumerator variant first appeared in the 10-4 Nightly, so I think this could be a regression from bug 1302855: https://crash-stats.mozilla.com/api/SuperSearch/?signature=%3DnsDependentString%3A%3AnsDependentString&proto_signature=~nsIEHistoryEnumerator&product=Firefox
Reporter | ||
Updated•8 years ago
|
Keywords: regression
Reporter | ||
Comment 1•8 years ago
|
||
Enes, do you have time to look into this? Or have some idea what might be going wrong? Thanks.
Flags: needinfo?(enes.goktas)
Reporter | ||
Comment 2•8 years ago
|
||
I guess this is actually the link I need for my search results: https://crash-stats.mozilla.com/search/?signature=%3DnsDependentString%3A%3AnsDependentString&proto_signature=~nsIEHistoryEnumerator&product=Firefox&_sort=-date&_facets=build_id&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-build_id
Reporter | ||
Comment 3•8 years ago
|
||
[Tracking Requested - why for this release]: Crashes in IE migration tool. It seems like a bad time to crash when somebody is considering using Firefox.
Assignee | ||
Comment 4•8 years ago
|
||
nsDependentSubstring will handle null values correctly, while nsDependentString will assert. This should fix the crash, I don't have an explanation as to why we weren't seeing it before. I was going to have :jaws review this, but they have reviews blocked. I'm not sure of a more appropriate reviewer. MozReview-Commit-ID: CZYdmsVisrc
Assignee | ||
Updated•8 years ago
|
Assignee: nobody → erahm
Status: NEW → ASSIGNED
Updated•8 years ago
|
Comment 5•8 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #1) > Enes, do you have time to look into this? Or have some idea what might be > going wrong? Thanks. Hm, not sure why this is caused after the browsercomps fold into xul. We didn't really change the logic when merging these libraries. Maybe Benjamin can tell.
Flags: needinfo?(enes.goktas)
Comment 6•8 years ago
|
||
Comment on attachment 8798716 [details] [diff] [review] Use a string class that is okay with null values Review of attachment 8798716 [details] [diff] [review]: ----------------------------------------------------------------- ::: browser/components/migration/nsIEHistoryEnumerator.cpp @@ +79,5 @@ > return HasMoreElements(_retval); > } > } > > + nsDependentSubstring title(statURL.pwcsTitle); Makes sense, pwcsTitle is a LPWSTR which MAY be null-terminated, or not. nsDependentString requires the string to always be null-terminated so it was not suitable. it's unfortunate we don't have data len, since this constructor otherwise may create a UINT32_MAX len buffer. I couldn't find any documentation whether pwcsTitle is always null or null terminated, but since the API doesn't pass out a len, I guess we could assume it is and use wcslen? What do you think?
Attachment #8798716 -
Flags: review+
Reporter | ||
Updated•8 years ago
|
Crash Signature: [@ nsDependentString::nsDependentString] → [@ nsDependentString::nsDependentString] [@ nsDependentString::nsDependentString | nsIEHistoryEnumerator::HasMoreElements]
Comment 9•8 years ago
|
||
str |
STR Used: * install the latest version of m-c, leaving everything as default * once the installation has completed, select "Finish" with "Launch Nightly now" selected * under the "Import Settings and Data", ensure "Internet Explorer" is selected, click "Next" You'll get an instant crash every time. Crash Reports: * https://crash-stats.mozilla.com/report/index/f3959012-76a1-40c7-86c8-8311a2161018 * https://crash-stats.mozilla.com/report/index/25c74ea9-e1fd-4977-82bd-38a7c2161018
Has STR: --- → yes
Reporter | ||
Comment 11•8 years ago
|
||
(In reply to Kamil Jozwiak [:kjozwiak] from comment #9) > You'll get an instant crash every time. Now that there's STR it would be good if somebody checked to ensure that older branches are not affected by this. It isn't really clear from the patch why only 52 started being affected.
Comment 12•8 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #11) > (In reply to Kamil Jozwiak [:kjozwiak] from comment #9) > > You'll get an instant crash every time. > > Now that there's STR it would be good if somebody checked to ensure that > older branches are not affected by this. It isn't really clear from the > patch why only 52 started being affected. I thought this was a regression from bug 1302855 ? I kind of assumed this was all public vs. private string API malarkey (which I understand is not really an explanation without more detail). browsercomps had to use the external string API, and now it doesn't because it's linked into libxul.
Comment 13•8 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #11) > (In reply to Kamil Jozwiak [:kjozwiak] from comment #9) > > You'll get an instant crash every time. > > Now that there's STR it would be good if somebody checked to ensure that > older branches are not affected by this. It isn't really clear from the > patch why only 52 started being affected. I could only reproduce the crash using fx52.0a1. For each case listed below, I went through the STR in comment#9 five different times. * Win 7 x64 using fx52.0a1 - reproduced several times * Win 7 x64 using fx51.0a2 - couldn't reproduce * Win 7 x64 using fx50.0b8 - couldn't reproduce ** used both "Firefox Start, a fast home page with built-in search" and "Import your home page from IE" under "Home Page Selection" * Win 7 x64 using fx49.0.1 - couldn't reproduce ** used both "Firefox Start, a fast home page with built-in search" and "Import your home page from IE" under "Home Page Selection" Used the following builds: * https://archive.mozilla.org/pub/firefox/nightly/2016/10/2016-10-18-03-02-11-mozilla-central/ * https://archive.mozilla.org/pub/firefox/nightly/2016/10/2016-10-18-00-40-15-mozilla-aurora/ * https://archive.mozilla.org/pub/firefox/candidates/50.0b8-candidates/build1/win32/en-US/ * https://archive.mozilla.org/pub/firefox/releases/49.0.1/win32/en-US/
Reporter | ||
Comment 14•8 years ago
|
||
Great, thanks for confirming that it doesn't affect older branches! It did seem like some weird public private string API key issue, as Gijs said, but I don't think anybody analyzed the issue enough to figure out if that was really the cause, rather than say some cluster of IE users on Nightly doing something odd.
Assignee | ||
Comment 15•8 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=34e346404336
Assignee | ||
Comment 16•8 years ago
|
||
Comment on attachment 8798716 [details] [diff] [review] Use a string class that is okay with null values Review of attachment 8798716 [details] [diff] [review]: ----------------------------------------------------------------- ::: browser/components/migration/nsIEHistoryEnumerator.cpp @@ +79,5 @@ > return HasMoreElements(_retval); > } > } > > + nsDependentSubstring title(statURL.pwcsTitle); Yes I think it's safe to assume it's null terminated if a length is not provided. As it turns out nsDependentSubstring doesn't have the right constructor for a wchar_t (I think). I'll try a slightly different approach.
Assignee | ||
Comment 17•8 years ago
|
||
The internal version of nsDependentString will assert if a null value is passed in. An empty string should be okay though. MozReview-Commit-ID: CZYdmsVisrc
Attachment #8802664 -
Flags: review?(mak77)
Assignee | ||
Updated•8 years ago
|
Attachment #8798716 -
Attachment is obsolete: true
Assignee | ||
Comment 18•8 years ago
|
||
(clearing ni, latest patch still needs review)
Flags: needinfo?(erahm)
Updated•8 years ago
|
Attachment #8802664 -
Flags: review?(mak77) → review+
Assignee | ||
Updated•8 years ago
|
Keywords: checkin-needed
Comment 19•8 years ago
|
||
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/25a2511b2c5a Avoid passing a null value to nsDependentString. r=mak
Keywords: checkin-needed
Comment 20•8 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/25a2511b2c5a
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 52
Comment 21•8 years ago
|
||
Went through verification using the following build: * https://archive.mozilla.org/pub/firefox/nightly/2016/10/2016-10-24-03-02-05-mozilla-central/ Test Cases Used: * original STR from comment#9 * ensured fx launches without any issues when selecting "Don't import anything" * ensured fx launches without any issues when selecting selecting "Cancel" under the "Import Wizard" Platforms Used: * Win 7 SP1 x64 VM - PASSED (x5 for each build) ** using fx52.0a1, buildId: 20161024030205, changeset: 215f96861176 (x86 & x64) * Win 7 SP1 x86 VM - PASSED (x5 for each build) ** using fx52.0a1, buildId: 20161024030205, changeset: 215f96861176 (x86) Florin, when SV starts going through their smoke tests, could you double check and make sure that importing data from other browsers into fx hasn't regressed under Win 7? I went through some basic tests and it seems like everything is working. I'm not sure if Win 7 is a platform that SV checks when they run through their import/export smoke tests.
Comment 22•8 years ago
|
||
Win 7 is covered often during the Beta cycle but not necessarily for Migration. Will add Andrei and Cornel here, so they can keep the ni? for tracking until we get to test Migration in Beta 52, and make sure we cover Win 7 as one of our 4 platforms.
Flags: needinfo?(florin.mezei)
Flags: needinfo?(cornel.ionce)
Flags: needinfo?(andrei.vaida)
Comment 23•8 years ago
|
||
We have also verified this issue during our Beta tests around Migration. We can confirm this fix on 52.0b4 (20170206101855) under Windows 7 x64 and Windows 10 x86.
Flags: needinfo?(cornel.ionce)
Flags: needinfo?(andrei.vaida)
You need to log in
before you can comment on or make changes to this bug.
Description
•