Closed Bug 1765354 Opened 2 years ago Closed 2 years ago

Stack overflow crash in [@ je_free | StringResult::~StringResult]

Categories

(Core :: XSLT, defect)

Unspecified
Windows 10
defect

RESOLVED DUPLICATE of bug 1271960

People

(Reporter: gsvelto, Unassigned)

References

Details

(Keywords: crash, Whiteboard: [domcore-s2-revisit])

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/0fb69f51-a65a-477e-83cc-e97e40220419

Reason: EXCEPTION_STACK_OVERFLOW

Top 10 frames of crashing thread:

0 mozglue.dll je_free memory/build/malloc_decls.h:54
1 xul.dll StringResult::~StringResult dom/xslt/xpath/txExprResult.h:108
2 xul.dll txLiteralExpr::~txLiteralExpr dom/xslt/xpath/txExpr.h:569
3 xul.dll txLREAttribute::~txLREAttribute dom/xslt/xslt/txInstructions.h:167
4 xul.dll txLREAttribute::~txLREAttribute dom/xslt/xslt/txInstructions.h:167
5 xul.dll txStartLREElement::~txStartLREElement dom/xslt/xslt/txInstructions.h:322
6 xul.dll txApplyDefaultElementTemplate::~txApplyDefaultElementTemplate dom/xslt/xslt/txInstructions.h:284
7 xul.dll txLREAttribute::~txLREAttribute dom/xslt/xslt/txInstructions.h:167
8 xul.dll txStartLREElement::~txStartLREElement dom/xslt/xslt/txInstructions.h:322
9 xul.dll txApplyDefaultElementTemplate::~txApplyDefaultElementTemplate dom/xslt/xslt/txInstructions.h:284

I suspect this might be related to bug 1271960. We're recursing tens of thousands of times in the XSLT parser which ultimately leads to a crash overflow. Unfortunately I couldn't find useful comments in the crash reports to help figure out what kind of file was being parsed.

See Also: → 1765392
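The crashing thread above is a chain of destructors calling each other (txLREAttribute, txStartLREElement, txApplyDefaultElementTemplate, repeating), which is the shape a stack takes when a long owning chain of objects is torn down recursively: every node's destructor destroys the next node from inside its own frame. The example below is added here to illustrate that pattern and the iterative alternative; it is not Gecko code and makes no claim about what bug 1271960 changes. The node types, the depth probe and the helper names are hypothetical, and the depth counter exists only so the recursion can be measured without actually overflowing the stack.

```cpp
// Added example: why a recursively destroyed owning chain overflows the stack,
// and an iterative teardown that does not. Hypothetical types, not Gecko code.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <utility>

// Hypothetical instrumentation: tracks how deeply destructor frames nest.
static std::size_t gDepth = 0;
static std::size_t gPeakDepth = 0;

// RAII marker: counts a live destructor frame for as long as it exists.
struct DepthProbe {
  DepthProbe() {
    ++gDepth;
    if (gDepth > gPeakDepth) gPeakDepth = gDepth;
  }
  ~DepthProbe() { --gDepth; }
};

static void resetDepthProbe() {
  gDepth = 0;
  gPeakDepth = 0;
}

// Naive owning chain: each node owns its successor. Destroying the head
// destroys the second node from inside the head's destructor, and so on:
// one stack frame per node, so a long enough chain overflows the stack.
struct RecursiveNode {
  std::unique_ptr<RecursiveNode> next;
  ~RecursiveNode() {
    DepthProbe probe;  // stays live while the rest of the chain is torn down
    next.reset();      // recursion happens here
  }
};

// Iterative teardown: the destructor unlinks successors one at a time, so each
// node's destructor runs with an empty `next` and nests only one frame deeper.
struct IterativeNode {
  std::unique_ptr<IterativeNode> next;
  ~IterativeNode() {
    DepthProbe probe;
    std::unique_ptr<IterativeNode> cur = std::move(next);
    while (cur) {
      std::unique_ptr<IterativeNode> rest = std::move(cur->next);
      cur.reset();  // ~IterativeNode with next == nullptr: no further recursion
      cur = std::move(rest);
    }
  }
};

// Builds a chain of n nodes without recursion (prepending at the head).
template <typename Node>
static std::unique_ptr<Node> buildChain(std::size_t n) {
  std::unique_ptr<Node> head;
  for (std::size_t i = 0; i < n; ++i) {
    auto node = std::make_unique<Node>();
    node->next = std::move(head);
    head = std::move(node);
  }
  return head;
}

// Destroys a chain of n nodes and reports the deepest destructor nesting seen.
template <typename Node>
std::size_t peakDestructorDepth(std::size_t n) {
  resetDepthProbe();
  {
    std::unique_ptr<Node> head = buildChain<Node>(n);
    (void)head;  // destroyed at the end of this scope
  }
  return gPeakDepth;
}

int main() {
  // Keep the recursive chain short: with tens of thousands of nodes it would
  // reproduce the EXCEPTION_STACK_OVERFLOW pattern instead of returning.
  std::printf("recursive, 1000 nodes:    peak depth %zu\n",
              peakDestructorDepth<RecursiveNode>(1000));
  std::printf("iterative, 1000000 nodes: peak depth %zu\n",
              peakDestructorDepth<IterativeNode>(1000000));
  return 0;
}
```

The recursive variant's peak depth equals the chain length, which is exactly what makes its stack usage attacker-controlled whenever the chain length is derived from input (here, the instruction list built from a stylesheet). The iterative variant's peak depth stays at two regardless of length, so a million-node chain is destroyed without touching more stack than a two-node one.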

I looked for other crashes where the proto signature contains txStartLREElement, and it turned up another signature. For instance: bp-41cd5ea9-7afc-43b2-bef6-1474a0220419

Though, to be fair, nsTSubstring<T>::Finalize should probably get added to the prefix list, so I'm sure most crashes with that signature aren't this, but there are something like 29 that match that in the last month.

Crash Signature: [@ je_free | StringResult::~StringResult] [@ RtlEnterCriticalSection | StringResult::~StringResult] → [@ je_free | StringResult::~StringResult] [@ RtlEnterCriticalSection | StringResult::~StringResult] [@ je_free | nsTSubstring<T>::Finalize ]

Per discussion in the team meeting, this may be fixed by bug 1271960. We will monitor it for a while for verification.

Whiteboard: [domcore-s2-revisit]

This looks gone.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE