
Someone forgot to call xptiWorkingSet::isValid, resulting in crashes [@ SearchTable]

Status: RESOLVED WORKSFORME
Product: Core
Component: XPCOM
Priority: --
Severity: critical
Reported: 12 years ago
Modified: 6 years ago
Reporter: Daniel de Wildt
Assignee: Unassigned
Version: Trunk
Platform: x86, All
Keywords: crash, helpwanted
Points: ---
Firefox Tracking Flags: Not tracked
Details: Whiteboard: [needs code sleuthing to figure out who forgot to call xptiWorkingSet::isValid][tbird crash], crash signature, URL

(Reporter)

Description

12 years ago
OOM checks in xptiWorkingSet::xptiWorkingSet are missing (see URL). I found this
one when searching for crashes matching criteria of meta bug 211260. 

talkback ID 8818658

SearchTable [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/xpcom/ds/pldhash.c, line 371]
PL_DHashTableOperate [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/xpcom/ds/pldhash.c, line 500]
xptiInterfaceInfoManager::GetInfoForName [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/xpcom/reflect/xptinfo/src/xptiInterfaceInfoManager.cpp, line 1749]
XPC_WN_Helper_NewResolve [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1414]
js_LookupPropertyWithFlags [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2509]
js_LookupProperty [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2607]
js_GetProperty [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2713]
XPC_WN_JSOp_Safe_GetProperty [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1297]
js_Interpret [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 2829]
js_Execute [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1176]
JS_ExecuteScript [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 3540]
nsXULDocument::ExecuteScript [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/content/xul/document/src/nsXULDocument.cpp, line 3315]
nsXULDocument::ResumeWalk [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/content/xul/document/src/nsXULDocument.cpp, line 2854]
nsXULDocument::CachedChromeStreamListener::OnStopRequest [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/content/xul/document/src/nsXULDocument.cpp, line 4208]
nsCachedChromeChannel::HandleStopLoadEvent [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/chrome/src/nsChromeProtocolHandler.cpp, line 477]
0x778b0c24
nsMathMLChar::Stretch [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/mathml/base/src/nsMathMLChar.cpp, line 1670]
`nsIDOMAttr::GetIID'::`2'::iid
(Reporter)

Comment 1

12 years ago
The OOM checks are done in "IsValid()". I assume that somewhere else this check
is missing.

"xptiInterfaceInfoManager::GetInfoForName" uses mWorkingSet, which is a
member variable of xptiInterfaceInfoManager. "mWorkingSet.IsValid()" is called
in xptiInterfaceInfoManager's "IsValid()" and this is called in
"GetInterfaceInfoManagerNoAddRef()".
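
Added example (not part of the bug report and not Mozilla's code): a simplified C++ model of the pattern described in comment 1, where a constructor cannot report an allocation failure and every consumer has to gate on IsValid() before any table lookup. WorkingSet, GetWorkingSetChecked, LookupValue and the simulateOom switch are hypothetical names used only for illustration.

```cpp
#include <cstddef>
#include <cstring>
#include <memory>
#include <new>

// Simplified model with hypothetical names; not Mozilla's classes.
struct Entry { const char* name; int value; };

class WorkingSet {
public:
    // A constructor cannot return an error, so a failed allocation is
    // visible only as a null table pointer. simulateOom forces that state.
    explicit WorkingSet(bool simulateOom)
        : mTable(simulateOom ? nullptr : new (std::nothrow) Entry[kCap]()) {}

    bool IsValid() const { return mTable != nullptr; }

    bool Add(const char* name, int value) {
        if (!IsValid()) return false;
        for (std::size_t i = 0; i < kCap; ++i)
            if (!mTable[i].name) { mTable[i] = {name, value}; return true; }
        return false;  // table full
    }

    // Without the IsValid() guard this loop would dereference a null table:
    // the crash surfaces in the lookup, but the fault is the skipped check.
    const Entry* Find(const char* name) const {
        if (!IsValid()) return nullptr;
        for (std::size_t i = 0; i < kCap; ++i)
            if (mTable[i].name && std::strcmp(mTable[i].name, name) == 0)
                return &mTable[i];
        return nullptr;
    }

private:
    static constexpr std::size_t kCap = 8;
    std::unique_ptr<Entry[]> mTable;
};

// Single checked entry point: hand out the working set only if it is valid.
WorkingSet* GetWorkingSetChecked(WorkingSet& ws) {
    return ws.IsValid() ? &ws : nullptr;
}

int LookupValue(WorkingSet& ws, const char* name, int fallback) {
    WorkingSet* valid = GetWorkingSetChecked(ws);
    const Entry* e = valid ? valid->Find(name) : nullptr;
    return e ? e->value : fallback;
}
```
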
(Reporter)

Updated

12 years ago
Depends on: 309430

Comment 2

12 years ago
can you make a patch to fix the problem?

Comment 3

12 years ago
looks like a dup of bug 304680

Comment 4

12 years ago
rkaa: no it isn't.
Keywords: helpwanted

Comment 5

10 years ago
mass reassigning to nobody.
Assignee: dougt → nobody

Updated

8 years ago
Summary: OOM crash: Result of XPT_NewArena and PL_NewDHashTable are not checked [@xptiWorkingSet::xptiWorkingSet] → Someone forgot to call xptiWorkingSet::isValid, resulting in crashes [@ SearchTable]

Updated

8 years ago
Whiteboard: [needs code sleuthing to figure out who forgot to call xptiWorkingSet::isValid]
Is xptiInterfaceInfoManager::GetInfoForName required to be on the stack for this crash? If not, is bp-da3454ad-51fd-4515-abcf-c48282110208 an example?
0	xul.dll	SearchTable	obj-firefox/xpcom/build/pldhash.c:432
1	xul.dll	xul.dll@0x182d7f	
2	xul.dll	PL_DHashTableOperate	obj-firefox/xpcom/build/pldhash.c:625
3	xul.dll	gfxWindowsPlatform::ResolveFontName	gfx/thebes/src/gfxWindowsPlatform.cpp:533
4	aclayers.dll	aclayers.dll@0x3e3fe	
5	xul.dll	gfxWindowsPlatform::InitBadUnderlineList	gfx/thebes/src/gfxWindowsPlatform.cpp:491
6	xul.dll	gfxWindowsPlatform::UpdateFontList	gfx/thebes/src/gfxWindowsPlatform.cpp:442
7	xul.dll	FontEntry::InitializeFontEmbeddingProcs	gfx/thebes/src/gfxWindowsFonts.cpp:405
8		@0x73cdffff	
9	xul.dll	gfxWindowsPlatform::gfxWindowsPlatform	gfx/thebes/src/gfxWindowsPlatform.cpp:133
10	xul.dll	gfxPlatform::Init	gfx/thebes/src/gfxPlatform.cpp:172 


FWIW, 80-90% of comments are non-English https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=SearchTable&date=02%2F14%2F2011%2003%3A50%3A03&range_value=2&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=SearchTable (though probably not all stacks are this bug)
Keywords: crash
Whiteboard: [needs code sleuthing to figure out who forgot to call xptiWorkingSet::isValid] → [needs code sleuthing to figure out who forgot to call xptiWorkingSet::isValid][tbird crash]

Comment 7

7 years ago
wsmwk: yeah, SearchTable can crash because any of its consumers screwed up, but the fault is in the consumer. You need a bug relating to gfxWindowsPlatform::ResolveFontName.
filed Bug 633927 - crash [@ SearchTable] - [@ PL_DHashTableOperate] - [@ gfxWindowsPlatform::ResolveFontName]

Comment 9

7 years ago
This code has been significantly reworked since this bug was filed, and I believe that all the OOM conditions have been taken care of.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → WORKSFORME
(Assignee)

Updated

6 years ago
Crash Signature: [@ SearchTable]