Crash in gfxSkipCharsIterator::SetOffsets on some articles on http://www.heise.de/tp/

Status: RESOLVED WORKSFORME
Priority: --
Severity: critical
Reported: 11 years ago
Modified: 11 years ago

People: Reporter jiha.bugzilla, Unassigned

Tracking: Firefox Tracking Flags (Not tracked)

Attachments: 1 attachment

Description (Reporter, 11 years ago)
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a7pre) Gecko/2007073122 Mnenhy/0.7.5.0 SeaMonkey/2.0a1pre
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a7pre) Gecko/200707312222 Mnenhy/0.7.5.0 SeaMonkey/2.0a1pre (self compiled from cvs; cvs checkout start: 2007-07-31 22:31:11 CEST (+0200))

The crash does not always occur. Maybe it depends on dynamically generated content.

Reproducible: Sometimes

Steps to Reproduce:
1. Visit http://www.heise.de/tp/r4/artikel/25/25842/1.html or http://www.heise.de/tp/r4/artikel/25/25854/1.html
2. If crash does not occur immediately try to resize the browser window.
3. If crash still does not occur try to reload.

Actual Results:
Crash with
0xb58136f3 in gfxSkipCharsIterator::SetOffsets (this=0xbf8670fc, aOffset=934, aInOriginalString=1) at /media/hdb2/mozilla/moz-cvs-Arbeitskopie/mozilla/gfx/thebes/src/gfxSkipChars.cpp:129

I also reproduced the crash with an official Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a7pre) Gecko/2007080104 Minefield/3.0a7pre. The Breakpad report should be found at:
http://crash-stats.mozilla.com/report/index/dc3620b8-4041-11dc-9bc4-001a4bd43ed6?date=2007-08-01-15

See also http://crash-stats.mozilla.com/report/list?range_unit=weeks&query_search=signature&query_type=contains&signature=gfxSkipCharsIterator%3A%3ASetOffsets%28unsigned+int%2Cint%29&query=gfxSkipCharsIterator%3A%3ASetOffsets&range_value=1

Maybe this has something to do with bug 385270 and/or bug 386584.

However those crashes refer to gfxSkipChars.cpp, line 92.

I checked http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=mozilla%2Fgfx%2Fthebes%2Fsrc%2FgfxSkipChars.cpp&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=all&mindate=2007-06-20&maxdate=&cvsroot=%2Fcvsroot to see whether line 92 might have become line 129 due to recent patches, but it does not look like that.
Comment 1 (Reporter, 11 years ago)

Created attachment 274780
stacktrace, SeaMonkey 20070801-debug-build

Adding stacktrace made with a SeaMonkey 20070801-debug-build.

Furthermore I found out that the crash does not occur with a 20070723_firefox-3.0a7pre.en-US.linux-i686.

I'll try to narrow the regression range.
Comment 2 (Reporter, 11 years ago)
Last good here:
cvs checkout start: Mo 2007-07-30 15:24:16 CEST (+0200)

First bad:
cvs checkout start: Tue 2007-07-31 18:36:29 CEST (+0200)

However, I cannot figure out a suspicious checkin at
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-07-30+06%3A00%3A00&maxdate=2007-07-31+09%3A45%3A00&cvsroot=%2Fcvsroot
Comment 3

I get the same stacktrace with suiterunner debug build 20070801 using Windows XP.

The problematic access is mSkipChars->mList[mListPrefixLength];

According to the VS2005 Debugger, mListPrefixLength has the value 84803983, but mSkipChars.mListLength has the value 6.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Linux → All
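Comment 3 describes an out-of-bounds read: the iterator's prefix index (84803983) is far beyond the length of the run list (6), so indexing `mList[mListPrefixLength]` reads unrelated memory. The following is an added example, not Gecko's gfxSkipChars code: a small, hypothetical run-length model of a skip-chars list with a `SetOffsets`-style routine that validates the prefix state before every list access and refuses an inconsistent iterator instead of dereferencing it. The struct and field names mirror those quoted in the comment but are assumptions about shape, not the real implementation; the run list and offsets are constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model, constructed for this example (NOT Gecko's gfxSkipChars): a
 * run-length list describing which characters of an "original" string
 * survive into a "skipped" string. Even-indexed entries count kept
 * characters, odd-indexed entries count skipped ones. */
typedef struct {
    const uint32_t *list;
    uint32_t listLength;
} SkipChars;

/* Iterator state; field names follow the ones quoted in comment 3. */
typedef struct {
    const SkipChars *skipChars;
    uint32_t listPrefixLength;    /* runs lying entirely before the current position */
    uint32_t listPrefixCharCount; /* original characters covered by those runs */
    uint32_t listPrefixKeepCount; /* kept characters covered by those runs */
    uint32_t originalOffset;
    uint32_t skippedOffset;
} SkipCharsIterator;

void InitIterator(SkipCharsIterator *it, const SkipChars *sc)
{
    it->skipChars = sc;
    it->listPrefixLength = it->listPrefixCharCount = it->listPrefixKeepCount = 0;
    it->originalOffset = it->skippedOffset = 0;
}

/* Positions the iterator at aOffset, measured in the original string when
 * aInOriginalString is non-zero, otherwise in the skipped string. Returns 1
 * on success, 0 if the offset is out of range or the prefix state is
 * inconsistent with the list (comment 3: prefix 84803983, list length 6). */
int SetOffsets(SkipCharsIterator *it, uint32_t aOffset, int aInOriginalString)
{
    const SkipChars *sc = it->skipChars;

    /* Invariant check before any list[] access: a stale or garbage prefix
     * index must never be used to index the run list. */
    if (it->listPrefixLength > sc->listLength)
        return 0;

    /* Rewind when the target lies before the runs already consumed. */
    uint32_t prefixPos = aInOriginalString ? it->listPrefixCharCount
                                           : it->listPrefixKeepCount;
    if (aOffset < prefixPos)
        it->listPrefixLength = it->listPrefixCharCount = it->listPrefixKeepCount = 0;

    /* Walk forward until the run containing aOffset is found; the loop
     * condition guarantees list[listPrefixLength] is in bounds. */
    while (it->listPrefixLength < sc->listLength) {
        uint32_t run = sc->list[it->listPrefixLength];
        int isKeep = (it->listPrefixLength % 2) == 0;
        uint32_t endOriginal = it->listPrefixCharCount + run;
        uint32_t endKeep = it->listPrefixKeepCount + (isKeep ? run : 0);

        if (aInOriginalString) {
            if (aOffset < endOriginal) {
                it->originalOffset = aOffset;
                /* Inside a skipped run the skipped offset is that of the next kept char. */
                it->skippedOffset = isKeep
                    ? it->listPrefixKeepCount + (aOffset - it->listPrefixCharCount)
                    : it->listPrefixKeepCount;
                return 1;
            }
        } else if (aOffset < endKeep) {
            it->skippedOffset = aOffset;
            it->originalOffset = it->listPrefixCharCount + (aOffset - it->listPrefixKeepCount);
            return 1;
        }
        it->listPrefixLength++;
        it->listPrefixCharCount = endOriginal;
        it->listPrefixKeepCount = endKeep;
    }

    /* Exactly at the end of the string: position past the last run. */
    if (aOffset == (aInOriginalString ? it->listPrefixCharCount : it->listPrefixKeepCount)) {
        it->originalOffset = it->listPrefixCharCount;
        it->skippedOffset = it->listPrefixKeepCount;
        return 1;
    }
    return 0;
}

/* Constructed sample: keep 3, skip 2, keep 4 (original length 9, skipped 7). */
static const uint32_t kRuns[] = { 3, 2, 4 };
static const SkipChars kSample = { kRuns, 3 };

uint32_t DemoOriginalToSkipped(uint32_t original)
{
    SkipCharsIterator it;
    InitIterator(&it, &kSample);
    return SetOffsets(&it, original, 1) ? it.skippedOffset : UINT32_MAX;
}

uint32_t DemoSkippedToOriginal(uint32_t skipped)
{
    SkipCharsIterator it;
    InitIterator(&it, &kSample);
    return SetOffsets(&it, skipped, 0) ? it.originalOffset : UINT32_MAX;
}

/* Recreates the inconsistent state from comment 3 and checks it is refused. */
int DemoCorruptPrefixRejected(void)
{
    SkipCharsIterator it;
    InitIterator(&it, &kSample);
    it.listPrefixLength = 84803983u;
    return SetOffsets(&it, 934, 1) == 0;
}

int main(void)
{
    printf("original 4 -> skipped %u\n", (unsigned)DemoOriginalToSkipped(4));
    printf("skipped 5 -> original %u\n", (unsigned)DemoSkippedToOriginal(5));
    printf("corrupt prefix rejected: %d\n", DemoCorruptPrefixRejected());
    return 0;
}
```

The point of the model is where the check sits: the prefix index is validated against the list length once, before the loop, and the loop condition itself bounds every subsequent `list[]` access, so an iterator whose state was never initialised or was left over from a different list fails loudly in `SetOffsets` rather than reading past the array as the reported crash did.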
Comment 4

(In reply to comment #2)
> Last good here:
> cvs checkout start: Mo 2007-07-30 15:24:16 CEST (+0200)
> 
> First bad:
> cvs checkout start: Tue 2007-07-31 18:36:29 CEST (+0200)
Could be the backout of bug 385270. If that's the case, the crash should also appear in builds from before the initial checkin of that bug (20070723).
Comment 5 (Reporter, 11 years ago)
(In reply to comment #4)

> Could be the backout of bug 385270. If that's the case, the crash should also
> appear in builds from before the initial checkin of that bug (20070723).

I checked builds with:
cvs checkout start: Fr 2007-07-20 01:00:12 CEST (+0200)
cvs checkout start: Fr 2007-07-20 14:49:34 CEST (+0200)
cvs checkout start: Mo 2007-07-23 13:45:44 CEST (+0200)
cvs checkout start: Mo 2007-07-23 19:31:51 CEST (+0200)
cvs checkout start: Mo 2007-07-23 23:50:17 CEST (+0200)

All of them don't show the crash.
Comment 6

Dupe of 385526?

Comment 7 (11 years ago)
Does this still happen on trunk now that bug 385526 is fixed?
Comment 8 (Reporter, 11 years ago)

Actually I cannot reproduce this anymore, even with the above-mentioned 'bad' builds. Maybe something was changed at the site (e.g. some dynamically embedded ads).

Marking this bug WORKSFORME.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → WORKSFORME