Closed Bug 236274 Opened 20 years ago Closed 20 years ago

Crash when exporting bookmarks [@ nsCharTraits<unsigned short>::length]

Categories: SeaMonkey :: Bookmarks & History (Type: defect, Priority: Not set, Severity: critical)
Tracking: Not tracked
Status: RESOLVED DUPLICATE of bug 236003
People: Reporter: tsangal, Assigned: p_ch
Keywords: crash, regression

User-Agent:       
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:) Gecko/20040302

Mozilla crashes when I try to export my bookmarks to a file.

Reproducible: Always
Steps to Reproduce:
1. Open the Bookmark Manager (Bookmarks -> Manage Bookmarks)
2. Select Tools -> Export...
3. Enter a filename if desired, and press Save.

Actual Results:  
Mozilla hangs for a second, then Windows presents a standard crash dialog.

Expected Results:  
Exported bookmarks to file and resumed normal operation.

about:buildconfig

Build platform
target
i586-pc-msvc

Build tools
Compiler 	Version 	Compiler flags
$(CYGWIN_WRAPPER) cl 	12.00.8804 	-TC -nologo -W3 -nologo -Gy -Fd$(PDBFILE)
$(CYGWIN_WRAPPER) cl 	12.00.8804 	-TP -nologo -W3 -nologo -Gy -Fd$(PDBFILE)
-I/usr/X11R6/include

Configure arguments
--without-system-jpg --without-system-zlib --enable-extensions=default,tasks
--enable-crypto --disable-auto-deps --disable-debug --enable-optimize

Reproduced on build 2004030409
Mozilla/5.0 (Windows; U; Win98; en-US; rv:) Gecko/20040304

Dr. Watson's diagnosis:

$ performed an invalid memory access.

Module Name: XPCOM.DLL
Description: $
Version: 1.7b: 2004030108
Product: Mozilla
Manufacturer: Mozilla Foundation

Application Name: Mozilla.exe
Description: Mozilla
Version: 1.7b: 2004030108
Product: Mozilla
Manufacturer: Mozilla Foundation

Status: UNCONFIRMED → NEW
Ever confirmed: true
I can reproduce it too on Windows 2000 (custom build from 20040304 tarball). Call 
stack is as follows:

nsCharTraits<unsigned short>::length(const unsigned short * 0x00000000) line 
192 + 5 bytes
nsSubstring::Equals(const unsigned short * 0x00000000, const nsStringComparator 
& {...}) line 540 + 9 bytes
nsBookmarksService::exportBookmarks(nsISupportsArray * 0x04584f18) line 4823 + 
39 bytes
nsBookmarksService::DoCommand(nsBookmarksService * const 0x03a515bc, 
nsISupportsArray * 0x045849c0, nsIRDFResource * 0x03a84bb0, nsISupportsArray * 
0x04584f18) line 4913 + 15 bytes
XPTC_InvokeByIndex(nsISupports * 0x03a515bc, unsigned int 19, unsigned int 3, 
nsXPTCVariant * 0x0012cb74) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode 
CALL_METHOD) line 2027 + 43 bytes
XPC_WN_CallMethod(JSContext * 0x043e77a8, JSObject * 0x04470628, unsigned int 
3, long * 0x0457634c, long * 0x0012ce3c) line 1287 + 14 bytes
js_Invoke(JSContext * 0x043e77a8, unsigned int 3, unsigned int 0) line 941 + 23 
bytes
js_Interpret(JSContext * 0x043e77a8, long * 0x0012d770) line 2962 + 15 bytes
js_Invoke(JSContext * 0x043e77a8, unsigned int 1, unsigned int 2) line 958 + 13 
bytes
nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJSClass * const 0x04185488, 
nsXPCWrappedJS * 0x04500cd0, unsigned short 5, const nsXPTMethodInfo * 
0x031efb80, nsXPTCMiniVariant * 0x0012dab0) line 1336 + 22 bytes
nsXPCWrappedJS::CallMethod(nsXPCWrappedJS * const 0x04500cd0, unsigned short 5, 
const nsXPTMethodInfo * 0x031efb80, nsXPTCMiniVariant * 0x0012dab0) line 450
PrepareAndDispatch(nsXPTCStubBase * 0x04500cd0, unsigned int 5, unsigned int * 
0x0012db60, unsigned int * 0x0012db50) line 117 + 31 bytes
SharedStub() line 147
XPTC_InvokeByIndex(nsISupports * 0x04500cd0, unsigned int 5, unsigned int 1, 
nsXPTCVariant * 0x0012dcd0) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode 
CALL_METHOD) line 2027 + 43 bytes
XPC_WN_CallMethod(JSContext * 0x043e77a8, JSObject * 0x04539558, unsigned int 
1, long * 0x045760e8, long * 0x0012df98) line 1287 + 14 bytes
js_Invoke(JSContext * 0x043e77a8, unsigned int 1, unsigned int 0) line 941 + 23 
bytes
js_Interpret(JSContext * 0x043e77a8, long * 0x0012e8cc) line 2962 + 15 bytes
js_Invoke(JSContext * 0x043e77a8, unsigned int 1, unsigned int 2) line 958 + 13 
bytes
js_InternalInvoke(JSContext * 0x043e77a8, JSObject * 0x045399d0, long 72588232, 
unsigned int 0, unsigned int 1, long * 0x0012eb40, long * 0x0012eb3c) line 1035 
+ 20 bytes
JS_CallFunctionValue(JSContext * 0x043e77a8, JSObject * 0x045399d0, long 
72588232, unsigned int 1, long * 0x0012eb40, long * 0x0012eb3c) line 3589 + 31 
bytes
nsJSContext::CallEventHandler(JSObject * 0x045399d0, JSObject * 0x04539bc8, 
unsigned int 1, long * 0x0012eb40, long * 0x0012eb3c) line 1267 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x04458a78, 
nsIDOMEvent * 0x04574c48) line 175 + 52 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x04459db8, 
nsIDOMEvent * 0x04574c48, nsIDOMEventTarget * 0x04575f30, unsigned int 8, 
unsigned int 7) line 1434 + 20 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x04458a20, 
nsIPresContext * 0x04405148, nsEvent * 0x0012f31c, nsIDOMEvent * * 0x0012f1f8, 
nsIDOMEventTarget * 0x04575f30, unsigned int 7, nsEventStatus * 0x0012f36c) 
line 1529
nsXULElement::HandleDOMEvent(nsIPresContext * 0x04405148, nsEvent * 0x0012f31c, 
nsIDOMEvent * * 0x0012f1f8, unsigned int 7, nsEventStatus * 0x0012f36c) line 
2879
PresShell::HandleDOMEventWithTarget(PresShell * const 0x044065c0, nsIContent * 
0x04440108, nsEvent * 0x0012f31c, nsEventStatus * 0x0012f36c) line 6105
nsMenuFrame::Execute(nsGUIEvent * 0x0012f7a4) line 1650
nsMenuFrame::HandleEvent(nsMenuFrame * const 0x04566864, nsIPresContext * 
0x04405148, nsGUIEvent * 0x0012f7a4, nsEventStatus * 0x0012f598) line 447
PresShell::HandleEventInternal(nsEvent * 0x0012f7a4, nsIView * 0x044efc90, 
unsigned int 1, nsEventStatus * 0x0012f598) line 6069 + 33 bytes
PresShell::HandleEvent(PresShell * const 0x044065dc, nsIView * 0x044efc90, 
nsGUIEvent * 0x0012f7a4, nsEventStatus * 0x0012f598, int 0, int & 1) line 5918 
+ 25 bytes
nsViewManager::HandleEvent(nsView * 0x045653e8, nsGUIEvent * 0x0012f7a4, int 0) 
line 2301
nsViewManager::DispatchEvent(nsViewManager * const 0x04405e38, nsGUIEvent * 
0x0012f7a4, nsEventStatus * 0x0012f690) line 2039 + 20 bytes
HandleEvent(nsGUIEvent * 0x0012f7a4) line 79
nsWindow::DispatchEvent(nsWindow * const 0x045654a4, nsGUIEvent * 0x0012f7a4, 
nsEventStatus & nsEventStatus_eIgnore) line 1064 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f7a4) line 1085
nsWindow::DispatchMouseEvent(unsigned int 301, unsigned int 0, nsPoint * 
0x00000000) line 5207 + 21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 301, unsigned int 0, nsPoint * 
0x00000000) line 5462
nsWindow::ProcessMessage(unsigned int 514, unsigned int 0, long 4128811, long * 
0x0012fc28) line 4001 + 28 bytes
nsWindow::WindowProc(HWND__ * 0x000302e6, unsigned int 514, unsigned int 0, 
long 4128811) line 1346 + 27 bytes
USER32! 77e3a2d0()
USER32! 77e145e5()
USER32! 77e1a816()
nsAppShellService::Run(nsAppShellService * const 0x0313e4e0) line 484
main1(int 1, char * * 0x002c6d00, nsISupports * 0x03067f60) line 1291 + 32 bytes
main(int 1, char * * 0x002c6d00) line 1678 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 7c5987e7()


Crash will happen in nsCharTraits.h line 192. The pointer passed in is NULL. 

I'm seeing this on Linux with the same stack as comment 2, but only with builds
starting with 2004030508 (2004030405 does not crash).

Anyway, I suspected strings due to recent shakeups, but I don't see any changes
in the relevant code (bookmarks or string).  Anyway, the bookmarks code is
pretty wrong:

http://lxr.mozilla.org/mozilla/source/xpfe/components/bookmarks/src/nsBookmarksService.cpp#4808

1. format is initialized to NULL
2. if getArgumentN succeeds, format is set to something and it is checked for
being NULL.
3. format is compared against "RDF"

If getArgumentN fails, Mozilla is guaranteed to crash.
Flags: blocking1.7b?
Keywords: crash, regression
OS: Windows XP → All
Hardware: PC → All
Summary: Crash when exporting bookmarks → Crash when exporting bookmarks [@ nsCharTraits<unsigned short>::length]
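The pattern described in the comment above, reduced to a self-contained C++ model. This is an added example, not the code from nsBookmarksService.cpp: `get_argument`, `equals`, `traits_length` and both `wants_rdf_*` functions are hypothetical stand-ins, and the stand-in length function throws on NULL where the real one would dereference it.

```cpp
#include <cstdio>
#include <map>
#include <stdexcept>
#include <string>

// Stand-in for a char-traits length(): the real call walks the pointer
// unconditionally, so NULL crashes. Here NULL throws to make that observable.
static std::size_t traits_length(const char16_t* s) {
    if (!s) throw std::runtime_error("NULL passed to length()");
    return std::char_traits<char16_t>::length(s);
}

// Stand-in for Equals(const char16_t*): measures rhs before comparing.
static bool equals(const std::u16string& lhs, const char16_t* rhs) {
    return lhs == std::u16string(rhs, traits_length(rhs));
}

// Hypothetical argument lookup: on failure returns false, leaves *out alone.
using Args = std::map<std::string, const char16_t*>;
static bool get_argument(const Args& args, const std::string& name, const char16_t** out) {
    auto it = args.find(name);
    if (it == args.end()) return false;
    *out = it->second;
    return true;
}

// Shape described above: the NULL check lives inside the success branch only.
static bool wants_rdf_unchecked(const Args& args) {
    const char16_t* format = nullptr;             // 1. initialized to NULL
    if (get_argument(args, "format", &format)) {  // 2. checked only on success
        if (!format) return false;
    }
    return equals(u"RDF", format);                // 3. compared unconditionally
}

// Hardened: a failed lookup or NULL value never reaches the comparison.
// Treating a missing format as "not RDF" is an assumption of this sketch.
static bool wants_rdf_checked(const Args& args) {
    const char16_t* format = nullptr;
    if (!get_argument(args, "format", &format) || !format) return false;
    return equals(u"RDF", format);
}

int main() {
    Args none;  // constructed input: no "format" argument supplied
    try { wants_rdf_unchecked(none); }
    catch (const std::runtime_error& e) { std::printf("unchecked: %s\n", e.what()); }
    std::printf("checked: %d\n", wants_rdf_checked(none));
}
```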
*** Bug 236743 has been marked as a duplicate of this bug. ***
dupe of a bug getting more attention (crash already fixed)

*** This bug has been marked as a duplicate of 236003 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Flags: blocking1.7b?
Resolution: --- → DUPLICATE
Product: Browser → Seamonkey
Crash Signature: [@ nsCharTraits<unsigned short>::length]