Closed
Bug 243639
Opened 20 years ago
Closed 18 years ago
[@ memcpy] Crash ... [gmail]
Categories
(Core :: Internationalization, defect, P5)
RESOLVED
WORKSFORME
People
(Reporter: timeless, Assigned: smontagu)
Details
(Keywords: crash)
Crash Data
> msvcr71.dll!memcpy(unsigned char * dst=0x03133060, unsigned char * src=0x0203dfa8, unsigned long count=0xffffffe0) Line 171 Asm
uconv.dll!UTF16ConvertToUnicode(unsigned char & aState=0x00, unsigned char & aData=0x00, const char * aSrc=0x0203dfa8, int * aSrcLength=0x0012f780, unsigned short * aDest=0x03133060, int * aDestLength=0x0012f78c) Line 96 + 0x11 C++
uconv.dll!nsUTF16ToUnicode::Convert(const char * aSrc=0x0203dfa8, int * aSrcLength=0x0012f780, unsigned short * aDest=0x03133060, int * aDestLength=0x0012f78c) Line 258 + 0x23 C++
gkparser.dll!nsScanner::Append(const char * aBuffer=0x0203dfa8, unsigned int aLen=0x00000001) Line 346 + 0x22 C++
gkparser.dll!ParserWriteFunc(nsIInputStream * in=0x0312b118, void * closure=0x0012f96c, const char * fromRawSegment=0x0203df88, unsigned int toOffset=0x00000000, unsigned int count=0x00000021, unsigned int * writeCount=0x0012f980) Line 2365 + 0x13 C++
xpcom.dll!nsByteArrayInputStream::ReadSegments(unsigned int (nsIInputStream *, void *, const char *, unsigned int, unsigned int, unsigned int *)* writer=0x01a80510, void * aClosure=0x0012f96c, unsigned int aCount=0x00000021, unsigned int * aNumRead=0x0012f980) Line 118 + 0x27 C++
gkparser.dll!nsParser::OnDataAvailable(nsIRequest * request=0x035977d8, nsISupports * aContext=0x00000000, nsIInputStream * pIStream=0x0312b118, unsigned int sourceOffset=0x00000000, unsigned int aLength=0x00000021) Line 2422 + 0x1d C++
docshell.dll!nsDocumentOpenInfo::OnDataAvailable(nsIRequest * request=0x035977d8, nsISupports * aCtxt=0x00000000, nsIInputStream * inStr=0x0312b118, unsigned int sourceOffset=0x00000000, unsigned int count=0x00000021) Line 342 + 0x2e C++
necko.dll!nsHTTPCompressConv::do_OnDataAvailable(nsIRequest * request=0x035977d8, nsISupports * aContext=0x00000000, unsigned int aSourceOffset=0x00000000, char * buffer=0x02f6eec8, unsigned int aCount=0x00000021) Line 368 + 0x2b C++
necko.dll!nsHTTPCompressConv::OnDataAvailable(nsIRequest * request=0x035977d8, nsISupports * aContext=0x00000000, nsIInputStream * iStr=0x0312b0f8, unsigned int aSourceOffset=0x00000000, unsigned int aCount=0x00000033) Line 291 + 0x1f C++
necko.dll!nsStreamListenerTee::OnDataAvailable(nsIRequest * request=0x035977d8, nsISupports * context=0x00000000, nsIInputStream * input=0x02bb5350, unsigned int offset=0x00000000, unsigned int count=0x00000033) Line 97 + 0x33 C++
necko.dll!nsHttpChannel::OnDataAvailable(nsIRequest * request=0x02f9c750, nsISupports * ctxt=0x00000000, nsIInputStream * input=0x02bb5350, unsigned int offset=0x00000000, unsigned int count=0x00000033) Line 3702 + 0x3f C++
necko.dll!nsInputStreamPump::OnStateTransfer() Line 434 + 0x41 C++
necko.dll!nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream * stream=0x02bb5350) Line 337 + 0xb C++
xpcom.dll!nsOutputStreamReadyEvent::EventHandler(PLEvent * plevent=0x02a82504) Line 119 C++
xpcom.dll!PL_HandleEvent(PLEvent * self=0x02a82504) Line 692 + 0xa C
xpcom.dll!PL_ProcessPendingEvents(PLEventQueue * self=0x00e0ed78) Line 627 + 0x9 C
xpcom.dll!_md_EventReceiverProc(HWND__ * hwnd=0x000a07f6, unsigned int uMsg=0x0000c127, unsigned int wParam=0x00000000, long lParam=0x00e0ed78) Line 1433 + 0x9 C
shaver asked:
<shaver> is destEnd before dest
destEnd<dest 0x00000001 int
'yes'
in nsUTF16ToUnicode::Convert,
aSrc[0] 0x0a '␊' const char
aSrc[1] 0x00 const char
so
else if(aSrc[0] && !aSrc[1]) { // 0xhh 0x00 (hh != 00)
mState = 0;
mEndian = kLittleEndian;
}
There's sanity checking for state=1 and state=2 but not 0.
I was loading gmail... (I think)
- aSrc,7 0x0203dfa8 "
" const char *
[0x0] 0x0a '␊' const char
[0x1] 0x00 const char
[0x2] 0x00 const char
[0x3] 0x80 '€' const char
[0x4] 0x01 '␁' const char
[0x5] 0x00 const char
[0x6] 0x00 const char
aSrcLength is 1, which would have flagged for the aState=2 case...
I fished the URL out of:
((*(nsACString*)(&(*(nsCSubstring*)(&(*((nsStandardURL*)0x0282e2c8)).mSpec))))).mData
which came from
request->mOriginalURI->mRawPtr 0x0282e2c8
in > necko.dll!nsHTTPCompressConv::do_OnDataAvailable(nsIRequest * request=0x035977d8, nsISupports * aContext=0x00000000, unsigned int aSourceOffset=0x00000000, char * buffer=0x02f6eec8, unsigned int aCount=0x00000021) Line 368 + 0x2b C++
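Added example, not code from this bug or from Mozilla's uconv: a small stateful UTF-16 byte decoder that carries the missing state-0 sanity check the description points at, fed the report's bytes (0a 00 00 80 01 00 00) one at a time, as nsScanner::Append did with aLen=1 in the stack above. The type and function names (utf16_decoder, utf16_decode, decode_bytewise) and the byte-at-a-time buffering are this example's own choices, not the decoder's real structure.

```c
#include <stdint.h>

/* Added example, not Mozilla's code: a stateful UTF-16 byte decoder using the
 * states named in the report (0 = first call, endianness unknown; 1 = big-
 * endian; 2 = little-endian). It never reads src[1] of a one-byte input: an
 * odd byte waits in the decoder for its partner, the check state 0 lacked. */
enum { ST_FIRST_CALL = 0, ST_BIG = 1, ST_LITTLE = 2 };

typedef struct {
    int state;
    int npending;          /* 0 or 1 bytes waiting for a partner */
    uint8_t pending[2];
} utf16_decoder;

/* Decodes src[0..src_len) into dst (capacity dst_cap code units). Returns the
 * number of units written and stores the bytes taken in *consumed; it stops
 * early, without overrunning dst, when the output buffer is full. */
int utf16_decode(utf16_decoder *d, const uint8_t *src, int src_len,
                 uint16_t *dst, int dst_cap, int *consumed)
{
    int n = 0, i;
    for (i = 0; i < src_len; i++) {
        if (d->npending == 1 && n >= dst_cap) break;  /* no room for the pair */
        d->pending[d->npending++] = src[i];
        if (d->npending < 2) continue;                /* one byte so far: wait */
        d->npending = 0;
        uint8_t b0 = d->pending[0], b1 = d->pending[1];
        if (d->state == ST_FIRST_CALL) {
            if (b0 == 0xFE && b1 == 0xFF) { d->state = ST_BIG;    continue; } /* BOM */
            if (b0 == 0xFF && b1 == 0xFE) { d->state = ST_LITTLE; continue; } /* BOM */
            /* No BOM: 0xhh 0x00 (hh != 00) means little-endian, else assume big. */
            d->state = (b0 && !b1) ? ST_LITTLE : ST_BIG;
        }
        dst[n++] = (d->state == ST_BIG) ? (uint16_t)((b0 << 8) | b1)
                                        : (uint16_t)((b1 << 8) | b0);
    }
    *consumed = i;
    return n;
}

/* Feeds the input one byte per call, as nsScanner::Append did with aLen=1 in
 * the crash stack, and returns the total number of code units decoded. */
int decode_bytewise(const uint8_t *src, int src_len, uint16_t *dst, int dst_cap)
{
    utf16_decoder d = { ST_FIRST_CALL, 0, { 0, 0 } };
    int total = 0, used;
    for (int i = 0; i < src_len && total < dst_cap; i++)
        total += utf16_decode(&d, src + i, 1, dst + total, dst_cap - total, &used);
    return total;
}
```

With the report's seven bytes this yields the three code units 0x000A, 0x8000 and 0x0001 and leaves the trailing 0x00 parked, instead of a length that goes negative and turns into the 0xffffffe0 memcpy count seen in the stack.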
Comment 1•20 years ago
Dupe of bug 244178 (or other way around really, but bug 244178 already has a fix...).
*** This bug has been marked as a duplicate of 244178 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Comment 2•20 years ago
Sorry for the delay. We may have to add an additional sanity checking here nonetheless. I was playing with a patch before I got on the road. I'll revisit it when I get back home.
Comment 3•20 years ago
Reopening, not fixed with these instructions:
1. run mozilla
2. edit prefs>navigator>internet search
3. (*) advanced
4. ok
5. view>show>sidebar
6. tabs>search (or whatever to get the search sidebar open)
7. select [x] dmoz.org [x] google [x] askjeeves
8. search "hello"
9. click search
10. (wait for results) view by search engine: askjeeves
11. (wait for flash) click back twice (or once, here it crashed after the first back).

Stacktrace:
memcpy(unsigned char * 0x037bded0, unsigned char * 0x0394dee8, unsigned long 0xffffffe0) line 171
UTF16ConvertToUnicode(unsigned char & 0x00, unsigned char & 0x00, const char * 0x0394dee8, int * 0x0012f0ec, unsigned short * 0x037bded0, int * 0x0012f0e8) line 96 + 17 bytes
nsUTF16ToUnicode::Convert(nsUTF16ToUnicode * const 0x035ab1c0, const char * 0x0394dee8, int * 0x0012f0ec, unsigned short * 0x037bded0, int * 0x0012f0e8) line 258 + 35 bytes
nsConverterInputStream::Fill(unsigned int * 0x03ee7384) line 205 + 100 bytes
nsConverterInputStream::Read(nsConverterInputStream * const 0x03ee7368, unsigned short * 0x0394df10, unsigned int 0x00000100, unsigned int * 0x03fda264) line 98 + 15 bytes
nsCSSScanner::Read(unsigned int & 0x00000000) line 304 + 35 bytes
nsCSSScanner::Next(unsigned int & 0x00000000, nsCSSToken & {...}) line 432 + 12 bytes
CSSParserImpl::GetToken(unsigned int & 0x00000000, int 0x00000001) line 845 + 25 bytes
CSSParserImpl::Parse(CSSParserImpl * const 0x0255a480, nsIUnicharInputStream * 0x03ee7368, nsIURI * 0x038effa8, nsICSSStyleSheet * & 0x00000000) line 573 + 14 bytes
CSSLoaderImpl::ParseSheet(nsIUnicharInputStream * 0x03ee7368, SheetLoadData * 0x03f29c88, int & 0x00000000) line 1457 + 60 bytes
SheetLoadData::OnStreamComplete(SheetLoadData * const 0x03f29c88, nsIUnicharStreamLoader * 0x035ab158, nsISupports * 0x00000000, unsigned int 0x00000000, nsIUnicharInputStream * 0x03ee7368) line 823 + 23 bytes
nsUnicharStreamLoader::OnStopRequest(nsUnicharStreamLoader * const 0x035ab15c, nsIRequest * 0x040227d0, nsISupports * 0x00000000, unsigned int 0x00000000) line 196
nsHttpChannel::OnStopRequest(nsHttpChannel * const 0x040227d8, nsIRequest * 0x035ab208, nsISupports * 0x00000000, unsigned int 0x00000000) line 3620
nsInputStreamPump::OnStateStop() line 506
nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const 0x035ab20c, nsIAsyncInputStream * 0x038be3cc) line 340 + 11 bytes
nsInputStreamReadyEvent::EventHandler(PLEvent * 0x038be534) line 119
PL_HandleEvent(PLEvent * 0x038be534) line 692 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00edc378) line 627 + 9 bytes
nsEventQueueImpl::ProcessPendingEvents(nsEventQueueImpl * const 0x00edf270) line 391 + 12 bytes
nsWindow::DispatchPendingEvents() line 3624
nsWindow::ProcessMessage(unsigned int 0x00000200, unsigned int 0x00000000, long 0x00670061, long * 0x0012fc28) line 3938
nsWindow::WindowProc(HWND__ * 0x0009054a, unsigned int 0x00000200, unsigned int 0x00000000, long 0x00670061) line 1342 + 27 bytes
USER32! 77e01ef0()
USER32! 77e0204c()
USER32! 77e021af()
nsAppShellService::Run(nsAppShellService * const 0x00f74f90) line 524
main1(int 0x00000001, char * * 0x00262410, nsISupports * 0x00ee3f50) line 1334 + 32 bytes
main(int 0x00000001, char * * 0x00262410) line 1811 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e81af6()

Assertions before crash:
Security Error: Content at wyciwyg://0/chrome://communicator/content/search/internetresults.xul?internetsearch:engine=engine://D%253A%255Cmozilla%255Ctree6%255Cmozilla%255Cobj-i686-pc-cygwin-debug%255Cdist%255Cbin%255Csearchplugins%255Cdmoz.src&engine=engine://D%253A%255Cmozilla%255Ctree6%255Cmozilla%255Cobj-i686-pc-cygwin-debug%255Cdist%255Cbin%255Csearchplugins%255Cgoogle.src&engine=engine://D%253A%255Cmozilla%255Ctree6%255Cmozilla%255Cobj-i686-pc-cygwin-debug%255Cdist%255Cbin%255Csearchplugins%255Cjeeves.src&text=test may not load or link to chrome://communicator/content/search/internetresults.xul?internetsearch:engine=engine://D%253A%255Cmozilla%255Ctree6%255Cmozilla%255Cobj-i686-pc-cygwin-debug%255Cdist%255Cbin%255Csearchplugins%255Cdmoz.src&engine=engine://D%253A%255Cmozilla%255Ctree6%255Cmozilla%255Cobj-i686-pc-cygwin-debug%255Cdist%255Cbin%255Csearchplugins%255Cgoogle.src&engine=engine://D%253A%255Cmozilla%255Ctree6%255Cmozilla%255Cobj-i686-pc-cygwin-debug%255Cdist%255Cbin%255Csearchplugins%255Cjeeves.src&text=test.
###!!! ASSERTION: Could not convert external JavaScript to Unicode!: 'NS_SUCCEEDED(rv)', file d:/mozilla/tree6/mozilla/content/base/src/nsScriptLoader.cpp, line 878
###!!! ASSERTION: Too few bytes in input: '*aSrcLength >= 2', file d:/mozilla/tree6/mozilla/intl/uconv/ucvlatin/nsUCS2BEToUnicode.cpp, line 221
###!!! ASSERTION: Decoder returned an error but filled the output buffer! Should not happen.: '0 < mUnicharData->GetBufferSize() - mUnicharDataLength', file d:/mozilla/tree6/mozilla/intl/uconv/src/nsConverterInputStream.cpp, line 214
###!!! ASSERTION: Whoa. The converter should have returned NS_OK_UDEC_MOREINPUT before this point!: 'srcConsumed <= mByteData->GetLength()', file d:/mozilla/tree6/mozilla/intl/uconv/src/nsConverterInputStream.cpp, line 223
Status: VERIFIED → UNCONFIRMED
OS: Windows XP → All
Resolution: DUPLICATE → ---
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P5
Comment 4•18 years ago
Frank, is this still an issue with current trunk build?
Comment 5•18 years ago
Seems to work fine with a current trunk build. WFM or do you have a bug to dupe to in hand?
Comment 6•18 years ago
(In reply to comment #5)
> Seems to work fine with a current trunk build. WFM or do you have a bug to dupe
> to in hand?

No, not really. Marking WFM then.
Status: NEW → RESOLVED
Closed: 20 years ago → 18 years ago
Resolution: --- → WORKSFORME
Updated•13 years ago
Crash Signature: [@ memcpy]