Closed Bug 243639 Opened 20 years ago Closed 18 years ago

[@ memcpy] Crash ... [gmail]

Categories

(Core :: Internationalization, defect, P5)

x86
All
defect

Tracking

RESOLVED WORKSFORME

People

(Reporter: timeless, Assigned: smontagu)

Details

(Keywords: crash)

Crash Data

>  msvcr71.dll!memcpy(unsigned char * dst=0x03133060, unsigned char * src=0x0203dfa8, unsigned long count=0xffffffe0)  Line 171  Asm
   uconv.dll!UTF16ConvertToUnicode(unsigned char & aState=0x00, unsigned char & aData=0x00, const char * aSrc=0x0203dfa8, int * aSrcLength=0x0012f780, unsigned short * aDest=0x03133060, int * aDestLength=0x0012f78c)  Line 96 + 0x11  C++
   uconv.dll!nsUTF16ToUnicode::Convert(const char * aSrc=0x0203dfa8, int * aSrcLength=0x0012f780, unsigned short * aDest=0x03133060, int * aDestLength=0x0012f78c)  Line 258 + 0x23  C++
   gkparser.dll!nsScanner::Append(const char * aBuffer=0x0203dfa8, unsigned int aLen=0x00000001)  Line 346 + 0x22  C++
   gkparser.dll!ParserWriteFunc(nsIInputStream * in=0x0312b118, void * closure=0x0012f96c, const char * fromRawSegment=0x0203df88, unsigned int toOffset=0x00000000, unsigned int count=0x00000021, unsigned int * writeCount=0x0012f980)  Line 2365 + 0x13  C++
   xpcom.dll!nsByteArrayInputStream::ReadSegments(unsigned int (nsIInputStream *, void *, const char *, unsigned int, unsigned int, unsigned int *)* writer=0x01a80510, void * aClosure=0x0012f96c, unsigned int aCount=0x00000021, unsigned int * aNumRead=0x0012f980)  Line 118 + 0x27  C++
   gkparser.dll!nsParser::OnDataAvailable(nsIRequest * request=0x035977d8, nsISupports * aContext=0x00000000, nsIInputStream * pIStream=0x0312b118, unsigned int sourceOffset=0x00000000, unsigned int aLength=0x00000021)  Line 2422 + 0x1d  C++
   docshell.dll!nsDocumentOpenInfo::OnDataAvailable(nsIRequest * request=0x035977d8, nsISupports * aCtxt=0x00000000, nsIInputStream * inStr=0x0312b118, unsigned int sourceOffset=0x00000000, unsigned int count=0x00000021)  Line 342 + 0x2e  C++
   necko.dll!nsHTTPCompressConv::do_OnDataAvailable(nsIRequest * request=0x035977d8, nsISupports * aContext=0x00000000, unsigned int aSourceOffset=0x00000000, char * buffer=0x02f6eec8, unsigned int aCount=0x00000021)  Line 368 + 0x2b  C++
   necko.dll!nsHTTPCompressConv::OnDataAvailable(nsIRequest * request=0x035977d8, nsISupports * aContext=0x00000000, nsIInputStream * iStr=0x0312b0f8, unsigned int aSourceOffset=0x00000000, unsigned int aCount=0x00000033)  Line 291 + 0x1f  C++
   necko.dll!nsStreamListenerTee::OnDataAvailable(nsIRequest * request=0x035977d8, nsISupports * context=0x00000000, nsIInputStream * input=0x02bb5350, unsigned int offset=0x00000000, unsigned int count=0x00000033)  Line 97 + 0x33  C++
   necko.dll!nsHttpChannel::OnDataAvailable(nsIRequest * request=0x02f9c750, nsISupports * ctxt=0x00000000, nsIInputStream * input=0x02bb5350, unsigned int offset=0x00000000, unsigned int count=0x00000033)  Line 3702 + 0x3f  C++
   necko.dll!nsInputStreamPump::OnStateTransfer()  Line 434 + 0x41  C++
   necko.dll!nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream * stream=0x02bb5350)  Line 337 + 0xb  C++
   xpcom.dll!nsOutputStreamReadyEvent::EventHandler(PLEvent * plevent=0x02a82504)  Line 119  C++
   xpcom.dll!PL_HandleEvent(PLEvent * self=0x02a82504)  Line 692 + 0xa  C
   xpcom.dll!PL_ProcessPendingEvents(PLEventQueue * self=0x00e0ed78)  Line 627 + 0x9  C
   xpcom.dll!_md_EventReceiverProc(HWND__ * hwnd=0x000a07f6, unsigned int uMsg=0x0000c127, unsigned int wParam=0x00000000, long lParam=0x00e0ed78)  Line 1433 + 0x9  C

shaver asked:

<shaver> is destEnd before dest
destEnd<dest 0x00000001 int

'yes'

in nsUTF16ToUnicode::Convert,
	aSrc[0]	0x0a '␊'	const char
	aSrc[1]	0x00	const char

so
      else if(aSrc[0] && !aSrc[1]) {  // 0xhh 0x00 (hh != 00)
        mState = 0;
        mEndian = kLittleEndian;
      }

There's sanity checking for state=1 and state=2 but not 0

I was loading gmail... (I think)

-	aSrc,7	0x0203dfa8 "\n"	const char *
	[0x0]	0x0a '␊'	const char
	[0x1]	0x00	const char
	[0x2]	0x00	const char
	[0x3]	0x80 '€'	const char
	[0x4]	0x01 '␁'	const char
	[0x5]	0x00	const char
	[0x6]	0x00	const char

aSrcLength is 1, which would have flagged for the aState=2 case...

I fished the URL out of:
((*(nsACString*)(&(*(nsCSubstring*)(&(*((nsStandardURL*)0x0282e2c8)).mSpec))))).mData

which came from
request->mOriginalURI->mRawPtr	0x0282e2c8
in
>  necko.dll!nsHTTPCompressConv::do_OnDataAvailable(nsIRequest * request=0x035977d8, nsISupports * aContext=0x00000000, unsigned int aSourceOffset=0x00000000, char * buffer=0x02f6eec8, unsigned int aCount=0x00000021)  Line 368 + 0x2b  C++
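The decoder logic this comment describes, as an added example that is not Mozilla's code: the undetermined-byte-order state (state 0) only decides once two bytes are in hand, a lone byte is parked for the next chunk instead of being peeked past, and output writes are bounded by the destination capacity. The utf16_dec type, the UDEC_* statuses and the seven-byte sample taken from the watch window above are constructed for this example.

```c
/* Constructed model of the UTF-16 decoder state machine this bug discusses (not
 * Mozilla's nsUTF16ToUnicode). Byte order is unknown until two bytes have been seen,
 * and the caller in the trace (nsScanner::Append, aLen=1) hands over one byte at a
 * time, so a lone byte must be parked, never peeked past. */
#include <stddef.h>
#include <stdint.h>

enum { UDEC_OK = 0, UDEC_MOREINPUT = 1 };
enum { ENDIAN_UNKNOWN = 0, ENDIAN_BIG = 1, ENDIAN_LITTLE = 2 };

typedef struct {
    int endian, have_odd;   /* endian 0 = undetermined: the state the report found unchecked */
    unsigned char odd;      /* trailing byte waiting for its partner */
} utf16_dec;

/* Sample input constructed from the report's watch window: 0a 00 00 80 01 00 00. */
static const unsigned char kWatchBytes[7] = { 0x0a, 0x00, 0x00, 0x80, 0x01, 0x00, 0x00 };

/* Decode one chunk into dst (capacity dst_cap); *consumed reports how far src was
 * read. Bytes are consumed only in complete pairs: without the lone-byte branch a
 * 1-byte chunk would leave a negative remaining length, i.e. the huge memcpy count
 * (0xffffffe0) and destEnd < dest that the trace shows. */
int utf16_decode(utf16_dec *d, const unsigned char *src, size_t src_len,
                 uint16_t *dst, size_t dst_cap, size_t *consumed, size_t *n_out) {
    size_t i = 0, n = 0;
    while (i < src_len && n < dst_cap) {
        unsigned char b0, b1;
        if (d->have_odd)          { b0 = d->odd; b1 = src[i++]; d->have_odd = 0; }
        else if (i + 1 < src_len) { b0 = src[i]; b1 = src[i + 1]; i += 2; }
        else                      { d->odd = src[i++]; d->have_odd = 1; continue; }
        if (d->endian == ENDIAN_UNKNOWN) {
            if (b0 == 0xFE && b1 == 0xFF) { d->endian = ENDIAN_BIG;    continue; }
            if (b0 == 0xFF && b1 == 0xFE) { d->endian = ENDIAN_LITTLE; continue; }
            d->endian = (b0 && !b1) ? ENDIAN_LITTLE : ENDIAN_BIG;  /* 0xhh 0x00 (hh != 00) */
        }
        dst[n++] = (d->endian == ENDIAN_LITTLE) ? (uint16_t)(b0 | (b1 << 8))
                                                : (uint16_t)((b0 << 8) | b1);
    }
    *consumed = i; *n_out = n;
    return d->have_odd ? UDEC_MOREINPUT : UDEC_OK;
}

/* Replay the trace's parser: push bytes one at a time; a final lone byte stays parked. */
size_t decode_bytewise(const unsigned char *src, size_t len, uint16_t *dst, size_t cap) {
    utf16_dec d = { ENDIAN_UNKNOWN, 0, 0 };
    size_t total = 0, used, n;
    for (size_t i = 0; i < len && total < cap; i++) {
        utf16_decode(&d, src + i, 1, dst + total, cap - total, &used, &n);
        total += n;
    }
    return total;
}
```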
Depends on: 244178
Dupe of bug 244178 (or other way around really, but bug 244178 already has a
fix...).

*** This bug has been marked as a duplicate of 244178 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
No longer depends on: 244178
Status: RESOLVED → VERIFIED
Sorry for the delay. We may have to add additional sanity checking here nonetheless. I was playing with a patch before I got on the road. I'll revisit it when I get back home.
Reopening, not fixed with these instructions:
1. run mozilla
2. edit prefs>navigator>internet search
3. (*) advanced
4. ok
5. view>show>sidebar
6. tabs>search (or whatever to get the search sidebar open)
7. select [x] dmoz.org [x] google [x] askjeeves
8. search "hello"
9. click search
10. (wait for results) view by search engine: askjeeves
11. (wait for flash) click back twice (or once, here it crashed after the first
back).

Stacktrace:
memcpy(unsigned char * 0x037bded0, unsigned char * 0x0394dee8, unsigned long 0xffffffe0) line 171
UTF16ConvertToUnicode(unsigned char & 0x00, unsigned char & 0x00, const char * 0x0394dee8, int * 0x0012f0ec, unsigned short * 0x037bded0, int * 0x0012f0e8) line 96 + 17 bytes
nsUTF16ToUnicode::Convert(nsUTF16ToUnicode * const 0x035ab1c0, const char * 0x0394dee8, int * 0x0012f0ec, unsigned short * 0x037bded0, int * 0x0012f0e8) line 258 + 35 bytes
nsConverterInputStream::Fill(unsigned int * 0x03ee7384) line 205 + 100 bytes
nsConverterInputStream::Read(nsConverterInputStream * const 0x03ee7368, unsigned short * 0x0394df10, unsigned int 0x00000100, unsigned int * 0x03fda264) line 98 + 15 bytes
nsCSSScanner::Read(unsigned int & 0x00000000) line 304 + 35 bytes
nsCSSScanner::Next(unsigned int & 0x00000000, nsCSSToken & {...}) line 432 + 12 bytes
CSSParserImpl::GetToken(unsigned int & 0x00000000, int 0x00000001) line 845 + 25 bytes
CSSParserImpl::Parse(CSSParserImpl * const 0x0255a480, nsIUnicharInputStream * 0x03ee7368, nsIURI * 0x038effa8, nsICSSStyleSheet * & 0x00000000) line 573 + 14 bytes
CSSLoaderImpl::ParseSheet(nsIUnicharInputStream * 0x03ee7368, SheetLoadData * 0x03f29c88, int & 0x00000000) line 1457 + 60 bytes
SheetLoadData::OnStreamComplete(SheetLoadData * const 0x03f29c88, nsIUnicharStreamLoader * 0x035ab158, nsISupports * 0x00000000, unsigned int 0x00000000, nsIUnicharInputStream * 0x03ee7368) line 823 + 23 bytes
nsUnicharStreamLoader::OnStopRequest(nsUnicharStreamLoader * const 0x035ab15c, nsIRequest * 0x040227d0, nsISupports * 0x00000000, unsigned int 0x00000000) line 196
nsHttpChannel::OnStopRequest(nsHttpChannel * const 0x040227d8, nsIRequest * 0x035ab208, nsISupports * 0x00000000, unsigned int 0x00000000) line 3620
nsInputStreamPump::OnStateStop() line 506
nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const 0x035ab20c, nsIAsyncInputStream * 0x038be3cc) line 340 + 11 bytes
nsInputStreamReadyEvent::EventHandler(PLEvent * 0x038be534) line 119
PL_HandleEvent(PLEvent * 0x038be534) line 692 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00edc378) line 627 + 9 bytes
nsEventQueueImpl::ProcessPendingEvents(nsEventQueueImpl * const 0x00edf270) line 391 + 12 bytes
nsWindow::DispatchPendingEvents() line 3624
nsWindow::ProcessMessage(unsigned int 0x00000200, unsigned int 0x00000000, long 0x00670061, long * 0x0012fc28) line 3938
nsWindow::WindowProc(HWND__ * 0x0009054a, unsigned int 0x00000200, unsigned int 0x00000000, long 0x00670061) line 1342 + 27 bytes
USER32! 77e01ef0()
USER32! 77e0204c()
USER32! 77e021af()
nsAppShellService::Run(nsAppShellService * const 0x00f74f90) line 524
main1(int 0x00000001, char * * 0x00262410, nsISupports * 0x00ee3f50) line 1334 + 32 bytes
main(int 0x00000001, char * * 0x00262410) line 1811 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e81af6()

Assertions before crash:
Security Error: Content at wyciwyg://0/chrome://communicator/content/search/internetresults.xul?internetsearch:engine=engine://D%253A%255Cmozilla%255Ctree6%255Cmozilla%255Cobj-i686-pc-cygwin-debug%255Cdist%255Cbin%255Csearchplugins%255Cdmoz.src&engine=engine://D%253A%255Cmozilla%255Ctree6%255Cmozilla%255Cobj-i686-pc-cygwin-debug%255Cdist%255Cbin%255Csearchplugins%255Cgoogle.src&engine=engine://D%253A%255Cmozilla%255Ctree6%255Cmozilla%255Cobj-i686-pc-cygwin-debug%255Cdist%255Cbin%255Csearchplugins%255Cjeeves.src&text=test may not load or link to chrome://communicator/content/search/internetresults.xul?internetsearch:engine=engine://D%253A%255Cmozilla%255Ctree6%255Cmozilla%255Cobj-i686-pc-cygwin-debug%255Cdist%255Cbin%255Csearchplugins%255Cdmoz.src&engine=engine://D%253A%255Cmozilla%255Ctree6%255Cmozilla%255Cobj-i686-pc-cygwin-debug%255Cdist%255Cbin%255Csearchplugins%255Cgoogle.src&engine=engine://D%253A%255Cmozilla%255Ctree6%255Cmozilla%255Cobj-i686-pc-cygwin-debug%255Cdist%255Cbin%255Csearchplugins%255Cjeeves.src&text=test.
###!!! ASSERTION: Could not convert external JavaScript to Unicode!: 'NS_SUCCEEDED(rv)', file d:/mozilla/tree6/mozilla/content/base/src/nsScriptLoader.cpp, line 878
###!!! ASSERTION: Could not convert external JavaScript to Unicode!: 'NS_SUCCEEDED(rv)', file d:/mozilla/tree6/mozilla/content/base/src/nsScriptLoader.cpp, line 878
###!!! ASSERTION: Could not convert external JavaScript to Unicode!: 'NS_SUCCEEDED(rv)', file d:/mozilla/tree6/mozilla/content/base/src/nsScriptLoader.cpp, line 878
###!!! ASSERTION: Too few bytes in input: '*aSrcLength >= 2', file d:/mozilla/tree6/mozilla/intl/uconv/ucvlatin/nsUCS2BEToUnicode.cpp, line 221
###!!! ASSERTION: Too few bytes in input: '*aSrcLength >= 2', file d:/mozilla/tree6/mozilla/intl/uconv/ucvlatin/nsUCS2BEToUnicode.cpp, line 221
###!!! ASSERTION: Decoder returned an error but filled the output buffer! Should not happen.: '0 < mUnicharData->GetBufferSize() - mUnicharDataLength', file d:/mozilla/tree6/mozilla/intl/uconv/src/nsConverterInputStream.cpp, line 214
###!!! ASSERTION: Whoa.  The converter should have returned NS_OK_UDEC_MOREINPUT before this point!: 'srcConsumed <= mByteData->GetLength()', file d:/mozilla/tree6/mozilla/intl/uconv/src/nsConverterInputStream.cpp, line 223
Status: VERIFIED → UNCONFIRMED
OS: Windows XP → All
Resolution: DUPLICATE → ---
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P5
Frank, is this still an issue with a current trunk build?
Seems to work fine with a current trunk build. WFM or do you have a bug to dupe to in hand?
(In reply to comment #5)
> Seems to work fine with a current trunk build. WFM or do you have a bug to dupe
> to in hand?

No, not really. Marking WFM then.

Status: NEW → RESOLVED
Closed: 20 years ago → 18 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ memcpy]