Closed Bug 490102 Opened 15 years ago Closed 15 years ago

new crash [@ nsUTF8Prober::HandleData(char const*, unsigned int) ] following bug 479759

Categories

(Core :: Internationalization, defect)

Type: defect
Priority: Not set
Severity: critical

RESOLVED DUPLICATE of bug 453631

People

(Reporter: samuel.sidler+old, Assigned: smontagu)

Details

(Keywords: crash)

Looking at crash-stats, it appears there's a new topcrash on the 1.9.0 branch (in pre builds only, so far). From the stack, it looks like it was caused by bug 479759.

That bug landed on 1.9.1 as well, so requesting blocking there, even though I don't see it in the top100.

Filing as security sensitive, because it looks possibly exploitable.

From bp-116b8707-de8f-4130-94d5-2f2152090423:

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsUTF8Prober::HandleData 	mozilla/extensions/universalchardet/src/base/nsUTF8Prober.cpp:53
1 	xul.dll 	nsMBCSGroupProber::HandleData 	mozilla/extensions/universalchardet/src/base/nsMBCSGroupProber.cpp:160
2 	xul.dll 	nsUniversalDetector::HandleData 	mozilla/extensions/universalchardet/src/base/nsUniversalDetector.cpp:226
3 	xul.dll 	nsXPCOMDetector::DoIt 	mozilla/extensions/universalchardet/src/xpcom/nsUdetXPCOMWrapper.cpp:89
4 	xul.dll 	nsDetectionAdaptor::RawBuffer 	mozilla/intl/chardet/src/nsDetectionAdaptor.cpp:156
5 	xul.dll 	xul.dll@0x2bd65c
Flags: blocking1.9.1?
Flags: blocking1.9.0.11?
Blocks: 479759

crash-stats finally loaded the 1.9.1 stuff and it showed that crashes there only happened with Firefox 3.1b3. That points to the crash being fixed on 1.9.1 by bug 479759, per bug 453631 comment 4. (Or it means we don't have enough pre users to raise the crash up.)

What's weird on 1.9.0, is that the crash didn't appear before 3.0.10pre builds, starting with 2009041505. I guess it's more likely bug 479413 since bug 479759 hadn't yet landed on 1.9.0 on 4/15?

> What's weird on 1.9.0, is that the crash didn't appear before 3.0.10pre builds,

Is that true? When I do a 1.9 branch search, the most _recent_ build with that crash I see is 2009021910

http://crash-stats.mozilla.com/report/list?product=Firefox&branch=1.9&query_search=signature&query_type=startswith&query=nsUTF8Prober%3A%3AHandleData&date=&range_value=4&range_unit=days&do_query=1&signature=nsUTF8Prober%3A%3AHandleData(char%20const*%2C%20unsigned%20int)

I have a lot of trouble with crash-stats, am I looking in the wrong place?

This URL shows it happened more recently: http://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A3.0.10pre&query_search=signature&query_type=exact&query=&date=&range_value=1&range_unit=weeks&do_query=1&signature=nsUTF8Prober%3A%3AHandleData(char%20const*%2C%20unsigned%20int)

I did a few queries and didn't see the older ones, but apparently you got crash-stats to show older ones, so apparently this isn't new and it's probably just bug 453631.

(In reply to comment #1)
> What's weird on 1.9.0, is that the crash didn't appear before 3.0.10pre builds,
> starting with 2009041505. I guess it's more likely bug 479413 since bug 479759
> hadn't yet landed on 1.9.0 on 4/15?

I don't think bug 479413 is particularly related.

For the record, bug 479759 landed on CVS at 2009-04-22 04:31.

Yeah. This isn't a regression and might very well be fixed by bug 479759. My crash-stats queries didn't show anything older and I didn't keep trying until I got results and simply assumed this was new. We can probably close it as a dupe of bug 453631.

No longer blocks: 479759
Group: core-security
Status: NEW → RESOLVED
Closed: 15 years ago
Depends on: 479759
Flags: blocking1.9.1?
Flags: blocking1.9.0.11?
Keywords: regression
Resolution: --- → DUPLICATE
Crash Signature: [@ nsUTF8Prober::HandleData(char const*, unsigned int) ]