If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

Non-reproducible crash when opening website [@ nsUTF8Prober::HandleData]

RESOLVED DUPLICATE of bug 479759

Status

()

Core
Internationalization
--
critical
RESOLVED DUPLICATE of bug 479759
9 years ago
6 years ago

People

(Reporter: mcsmurf, Assigned: smontagu)

Tracking

({crash})

Trunk
x86
Windows XP
crash
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

(Reporter)

Description

9 years ago
I crashed within the charset detection code when going to the url http://www.tagesschau.de. Unfortunately I cannot reproduce this bug. I had the "Universal" setting for the auto-detection of the charset. The page itself seems to be ISO-8859-1.

In Frame 1 aBuf ended like this "Die US-Republikaner haben Senator McCain offiziell zu ihrem Pr???" (yes, the debugger displayed question marks there), on the website the sentence was "Die US-Republikaner haben Senator McCain offiziell zu ihrem Präsidentschaftskandidaten bestimmt". I saved the webpage locally, so I can attach it if needed (it's a news page, so content changes often).

Stack:
ChildEBP RetAddr  
0012f918 0225332c universalchardet!nsUTF8Prober::HandleData(char * aBuf = 0x0225262b "3???", unsigned int aLen = 0x1219f448)+0x14 [f:\mozilla\tree-hg\src\mozilla\extensions\universalchardet\src\base\nsutf8prober.cpp @ 53]
0012f940 0225262b universalchardet!nsMBCSGroupProber::HandleData(char * aBuf = 0x1219f448 "n_ffffff.gif" width="17" height="17" alt="intern" /><span>Republikaner schicken McCain gegen Obama in den Ring</span></a></h2>.<div class="teaserImg"><a href="/ausland/republikaner124.html"  title="Republikaner schicken McCain gegen Obama in den Ring" class="storyref" > <img src="/multimedia/bilder/mccainpalin100_v-klein4x3.jpg" alt="John McCain und Sarah Palin (Foto: REUTERS)" /></a></div>.<p>Die US-Republikaner haben Senator McCain offiziell zu ihrem Pr???", unsigned int aLen = 0xbb8)+0xa6 [f:\mozilla\tree-hg\src\mozilla\extensions\universalchardet\src\base\nsmbcsgroupprober.cpp @ 160]
0012f960 0225206a universalchardet!nsUniversalDetector::HandleData(char * aBuf = 0x1219f448 "n_ffffff.gif" width="17" height="17" alt="intern" /><span>Republikaner schicken McCain gegen Obama in den Ring</span></a></h2>.<div class="teaserImg"><a href="/ausland/republikaner124.html"  title="Republikaner schicken McCain gegen Obama in den Ring" class="storyref" > <img src="/multimedia/bilder/mccainpalin100_v-klein4x3.jpg" alt="John McCain und Sarah Palin (Foto: REUTERS)" /></a></div>.<p>Die US-Republikaner haben Senator McCain offiziell zu ihrem Pr???", unsigned int aLen = 0xbb8)+0x21a [f:\mozilla\tree-hg\src\mozilla\extensions\universalchardet\src\base\nsuniversaldetector.cpp @ 227]
*** WARNING: Unable to verify checksum for F:\mozilla\tree-hg\obj-suite\mozilla\dist\bin\components\chardet.dll
0012f97c 010940da universalchardet!nsXPCOMDetector::DoIt(char * aBuf = 0x1219f448 "n_ffffff.gif" width="17" height="17" alt="intern" /><span>Republikaner schicken McCain gegen Obama in den Ring</span></a></h2>.<div class="teaserImg"><a href="/ausland/republikaner124.html"  title="Republikaner schicken McCain gegen Obama in den Ring" class="storyref" > <img src="/multimedia/bilder/mccainpalin100_v-klein4x3.jpg" alt="John McCain und Sarah Palin (Foto: REUTERS)" /></a></div>.<p>Die US-Republikaner haben Senator McCain offiziell zu ihrem Pr???", unsigned int aLen = 0xbb8, int * oDontFeedMe = 0x1146e2a0)+0x26 [f:\mozilla\tree-hg\src\mozilla\extensions\universalchardet\src\xpcom\nsudetxpcomwrapper.cpp @ 90]
*** WARNING: Unable to verify checksum for F:\mozilla\tree-hg\obj-suite\mozilla\dist\bin\components\gkparser.dll
0012f994 011d679e chardet!nsDetectionAdaptor::RawBuffer(char * buffer = 0x0111bce6 "???", unsigned int * buffer_length = 0x002d0c68)+0x25 [f:\mozilla\tree-hg\src\mozilla\intl\chardet\src\nsdetectionadaptor.cpp @ 157]
*** WARNING: Unable to verify checksum for F:\mozilla\tree-hg\obj-suite\mozilla\dist\bin\xpcom_core.dll
0012fa78 0028ffb2 gkparser!ParserWriteFunc(class nsIInputStream * in = 0x134c0578, void * closure = 0x0012fadc, char * fromRawSegment = 0x1219f448 "n_ffffff.gif" width="17" height="17" alt="intern" /><span>Republikaner schicken McCain gegen Obama in den Ring</span></a></h2>.<div class="teaserImg"><a href="/ausland/republikaner124.html"  title="Republikaner schicken McCain gegen Obama in den Ring" class="storyref" > <img src="/multimedia/bilder/mccainpalin100_v-klein4x3.jpg" alt="John McCain und Sarah Palin (Foto: REUTERS)" /></a></div>.<p>Die US-Republikaner haben Senator McCain offiziell zu ihrem Pr???", unsigned int toOffset = 0, unsigned int count = 0xbb8, unsigned int * writeCount = 0x0012faf8)+0x1f8 [f:\mozilla\tree-hg\src\mozilla\parser\htmlparser\src\nsparser.cpp @ 2238]
0012faa0 011d68f6 xpcom_core!nsStringInputStream::ReadSegments(<function> * writer = 0x011d65a6, void * closure = 0x0012fadc, unsigned int aCount = 0xbb8, unsigned int * result = 0x0012faf8)+0x38 [f:\mozilla\tree-hg\src\mozilla\xpcom\io\nsstringstream.cpp @ 277]
*** WARNING: Unable to verify checksum for F:\mozilla\tree-hg\obj-suite\mozilla\dist\bin\components\docshell.dll
0012faf0 01119bf5 gkparser!nsParser::OnDataAvailable(class nsIRequest * request = 0x0ab10d24, class nsISupports * aContext = 0x00000000, class nsIInputStream * pIStream = 0x134c0578, unsigned int sourceOffset = 0x1c8e, unsigned int aLength = 0xbb8)+0xa1 [f:\mozilla\tree-hg\src\mozilla\parser\htmlparser\src\nsparser.cpp @ 2286]
*** WARNING: Unable to verify checksum for F:\mozilla\tree-hg\obj-suite\mozilla\dist\bin\components\necko.dll
0012fb10 01c7f684 docshell!nsDocumentOpenInfo::OnDataAvailable(class nsIRequest * request = 0x0ab10d24, class nsISupports * aCtxt = 0x00000000, class nsIInputStream * inStr = 0x134c0578, unsigned int sourceOffset = 0x1c8e, unsigned int count = 0xbb8)+0x24 [f:\mozilla\tree-hg\src\mozilla\uriloader\base\nsuriloader.cpp @ 308]
0012fb48 01c7f959 necko!nsHTTPCompressConv::do_OnDataAvailable(class nsIRequest * request = 0x0ab10d24, class nsISupports * context = 0x00000000, unsigned int offset = 0x1c8e, char * buffer = 0x1219f448 "n_ffffff.gif" width="17" height="17" alt="intern" /><span>Republikaner schicken McCain gegen Obama in den Ring</span></a></h2>.<div class="teaserImg"><a href="/ausland/republikaner124.html"  title="Republikaner schicken McCain gegen Obama in den Ring" class="storyref" > <img src="/multimedia/bilder/mccainpalin100_v-klein4x3.jpg" alt="John McCain und Sarah Palin (Foto: REUTERS)" /></a></div>.<p>Die US-Republikaner haben Senator McCain offiziell zu ihrem Pr???", unsigned int count = 0xbb8)+0x5f [f:\mozilla\tree-hg\src\mozilla\netwerk\streamconv\converters\nshttpcompressconv.cpp @ 379]
0012fb74 01c6916d necko!nsHTTPCompressConv::OnDataAvailable(class nsIRequest * request = 0x0ab10d24, class nsISupports * aContext = 0x00000000, class nsIInputStream * iStr = 0x0b357ba8, unsigned int aSourceOffset = 0x1c8e, unsigned int aCount = 0x4ec)+0x2bc [f:\mozilla\tree-hg\src\mozilla\netwerk\streamconv\converters\nshttpcompressconv.cpp @ 320]
0012fbac 01ca4f6a necko!nsStreamListenerTee::OnDataAvailable(class nsIRequest * request = 0x0ab10d24, class nsISupports * context = 0x00000000, class nsIInputStream * input = 0x116e4f28, unsigned int offset = 0x1c8e, unsigned int count = 0x4ec)+0xd6 [f:\mozilla\tree-hg\src\mozilla\netwerk\base\src\nsstreamlistenertee.cpp @ 97]
0012fbd8 01c5ed65 necko!nsHttpChannel::OnDataAvailable(class nsIRequest * request = 0x1416bb00, class nsISupports * ctxt = 0x00000000, class nsIInputStream * input = 0x116e4f28, unsigned int offset = 0x1c8e, unsigned int count = 0x4ec)+0xcf [f:\mozilla\tree-hg\src\mozilla\netwerk\protocol\http\src\nshttpchannel.cpp @ 4573]
0012fc1c 01c5eeb2 necko!nsInputStreamPump::OnStateTransfer(void)+0xcf [f:\mozilla\tree-hg\src\mozilla\netwerk\base\src\nsinputstreampump.cpp @ 508]
0012fc2c 0029b1a7 necko!nsInputStreamPump::OnInputStreamReady(class nsIAsyncInputStream * stream = 0x116e4f28)+0x34 [f:\mozilla\tree-hg\src\mozilla\netwerk\base\src\nsinputstreampump.cpp @ 399]
0012fc3c 002a8615 xpcom_core!nsInputStreamReadyEvent::Run(void)+0x1c [f:\mozilla\tree-hg\src\mozilla\xpcom\io\nsstreamutils.cpp @ 112]
0012fc5c 0027b42b xpcom_core!nsThread::ProcessNextEvent(int mayWait = 1, int * result = 0x0012fc78)+0xc3 [f:\mozilla\tree-hg\src\mozilla\xpcom\threads\nsthread.cpp @ 511]
*** WARNING: Unable to verify checksum for F:\mozilla\tree-hg\obj-suite\mozilla\dist\bin\components\gkwidget.dll
0012fc70 017bd22e xpcom_core!NS_ProcessNextEvent_P(class nsIThread * thread = 0x00000001, int mayWait = 1)+0x20 [f:\mozilla\tree-hg\obj-suite\mozilla\xpcom\build\nsthreadutils.cpp @ 227]
*** WARNING: Unable to verify checksum for F:\mozilla\tree-hg\obj-suite\mozilla\dist\bin\components\tkitcmps.dll
0012fc84 02131966 gkwidget!nsBaseAppShell::Run(void)+0x2a [f:\mozilla\tree-hg\src\mozilla\widget\src\xpwidgets\nsbaseappshell.cpp @ 170]
*** WARNING: Unable to verify checksum for F:\mozilla\tree-hg\obj-suite\mozilla\dist\bin\xul.dll
0012fc90 10007abf tkitcmps!nsAppStartup::Run(void)+0x1e [f:\mozilla\tree-hg\src\mozilla\toolkit\components\startup\src\nsappstartup.cpp @ 183]
(Assignee)

Comment 1

9 years ago
Please do attach the saved version, in the hope that someone can reproduce.

Comment 2

9 years ago
Crashed.
Firefox 3.1b4pre Crash Report [@ nsUTF8Prober::HandleData(char const*, unsigned int) ]
ID: 6db4dceb-a72a-4cd4-9f1f-10d272090306
Signature: nsUTF8Prober::HandleData(char const*, unsigned int)

http://crash-stats.mozilla.com/report/index/6db4dceb-a72a-4cd4-9f1f-10d272090306?p=1

Comment 3

9 years ago
I've experienced this crash (or very similar one) with Far Manager (www.farmanager.com) that recently started using UCD library from Firefox sources. The problem was caused by nsMBCSGroupProber::HandleData passing invalid buffer length (1 byte longer) to subsequent HandleData calls. It was caught by AppVerifier. Here is the patch I posted for the issue:



From 3e305cdcdaa5f07d8168b86ad62f71c2a9a328b3 Mon Sep 17 00:00:00 2001
From: Alexey Pakhunov <alexeypa@gmail.com>
Date: Fri, 13 Mar 2009 22:45:13 -0700
Subject: [PATCH 1/2] nsMBCSGroupProber::HandleData passed invalid buffer length to HandleData that was caught by AppVerifier.

---
 unicode_far/UCD/nsMBCSGroupProber.cpp |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/unicode_far/UCD/nsMBCSGroupProber.cpp b/unicode_far/UCD/nsMBCSGroupProber.cpp
index ffb80cf..608974e 100644
--- a/unicode_far/UCD/nsMBCSGroupProber.cpp
+++ b/unicode_far/UCD/nsMBCSGroupProber.cpp
@@ -156,7 +156,7 @@ nsProbingState nsMBCSGroupProber::HandleData(const char* aBuf, PRUint32 aLen)
     {
       if (!mIsActive[i])
         continue;
-      st = mProbers[i]->HandleData(aBuf + start, aLen + 1 - start);
+      st = mProbers[i]->HandleData(aBuf + start, aLen - start);
       if (st == eFoundIt)
       {
         mBestGuess = i;
-- 
1.6.2.1217.gd7bc3
(Assignee)

Comment 4

9 years ago
Alexey: good catch. I made the same fix in bug 479759, so if this is the same crash it should be fixed on trunk.
Depends on: 479759
Duplicate of this bug: 490102

Comment 6

8 years ago
Is this still reproduced?

Comment 7

8 years ago
Works fine with Minefield and Shiretoko.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090730 Minefield/3.6a1pre ID:20090730062258

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3pre) Gecko/20090730 Firefox/3.5.3pre ID:20090730044055

Comment 8

8 years ago
I think this bug is already fixed by bug 479759.

This is last four weeks crash report on
"nsUTF8Prober::HandleData(char const*, unsigned int)".

http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=nsUTF8Prober%3A%3AHandleData%28char%20const*%2C%20unsigned%20int%29&date=&range_value=4&range_unit=weeks&do_query=1&signature=nsUTF8Prober%3A%3AHandleData%28char%20const*%2C%20unsigned%20int%29

It contains only Fx3.0.10 or older.
(Assignee)

Updated

8 years ago
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 479759
Crash Signature: [@ nsUTF8Prober::HandleData]
You need to log in before you can comment on or make changes to this bug.