Bug 547487 - Firefox crashes at [@ JapaneseContextAnalysis::GetConfidence(int)]
Status: RESOLVED FIXED
: crash, verified1.9.2
Product: Core
Classification: Components
Component: Internationalization
: 1.9.2 Branch
: x86 Windows XP
: -- critical
: ---
Assigned To: Simon Montagu :smontagu
:
: Makoto Kato [:m_kato]
Mentors:
http://www.adobe.com
Depends on:
Blocks:
 
Reported: 2010-02-20 16:41 PST by John Ma
Modified: 2011-06-09 14:58 PDT
smontagu: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
.2-fixed
.9-fixed


Attachments
Patch (16.73 KB, patch)
2010-02-22 09:15 PST, Simon Montagu :smontagu
VYV03354: review+
dveditz: approval1.9.2.2+
dveditz: approval1.9.1.9+

Description John Ma 2010-02-20 16:41:03 PST
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)

After I installed Flash 10.0r45, I always have crashes on some more complicated pages, like adobe.com and even some Chinese-language sites, using news.sina.com.cn and udn.com as examples from across the strait. This happened even after I disabled the Shockwave Flash plugin in FF and updated my Java (now at 6r18).

Reproducible: Always

Steps to Reproduce:
1. Open the page.
Actual Results:  
FF 3.6 crashes and the normal crash reporter window comes out.


The crash log for adobe.com is here: http://crash-stats.mozilla.com/report/index/e488192b-8c0e-4109-a3b8-e8afa2100220

Other sites are similar and I will not repeat them.

Summary of the crash report: EXCEPTION_FLT_INVALID_OPERATION @ 0x1043e949 for JapaneseContextAnalysis::GetConfidence(int) at extensions/universalchardet/src/base/JpCntx.cpp:188
Comment 1 timeless 2010-02-21 00:48:13 PST
Signature	JapaneseContextAnalysis::GetConfidence(int)
UUID	e488192b-8c0e-4109-a3b8-e8afa2100220
Time 	2010-02-20 16:18:23.956587
Uptime	75
Last Crash	79 seconds before submission
Product	Firefox
Version	3.6
Build ID	20100115144158
Branch	1.9.2
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
CPU	x86
CPU Info	GenuineIntel family 6 model 14 stepping 8
Crash Reason	EXCEPTION_FLT_INVALID_OPERATION
Crash Address	0x1043e949
User Comments	
Processor Notes 	
Crashing Thread
Frame 	Module 	Signature 	Source
0 	xul.dll 	JapaneseContextAnalysis::GetConfidence 	extensions/universalchardet/src/base/JpCntx.cpp:188
1 	xul.dll 	nsEUCJPProber::GetConfidence 	extensions/universalchardet/src/base/nsEUCJPProber.cpp:94
2 	xul.dll 	nsMBCSGroupProber::GetConfidence 	extensions/universalchardet/src/base/nsMBCSGroupProber.cpp:189
3 	xul.dll 	nsUniversalDetector::DataEnd 	extensions/universalchardet/src/base/nsUniversalDetector.cpp:276
4 	xul.dll 	nsXPCOMDetector::Done 	extensions/universalchardet/src/xpcom/nsUdetXPCOMWrapper.cpp:117
5 	xul.dll 	nsDetectionAdaptor::Finish 	intl/chardet/src/nsDetectionAdaptor.cpp:168
6 	xul.dll 	nsParser::OnStopRequest
Comment 2 Simon Montagu :smontagu 2010-02-21 02:32:47 PST
Which option is selected under View | Character Encoding | Auto-Detect?
Comment 3 John Ma 2010-02-21 06:32:50 PST
Japanese.
Comment 4 Simon Montagu :smontagu 2010-02-21 12:57:35 PST
I can't reproduce the crash, but I do see by code inspection that a divide by zero is possible at JpCntx.cpp:188.

Taking.
Comment 5 Simon Montagu :smontagu 2010-02-22 09:15:47 PST
Created attachment 428240
Patch

This is in effect a rewrite of my patch to bug 4313054, to prevent the possibility of a divide by zero when there are no hi-bytes in the input.
Comment 6 Simon Montagu :smontagu 2010-02-23 01:50:50 PST
http://hg.mozilla.org/mozilla-central/rev/e12168b7484b
Comment 7 Simon Montagu :smontagu 2010-03-02 01:35:41 PST
Comment on attachment 428240
Patch

Asking branch approval after trunk baking. This is a very safe fix for a crash with divide by zero. It is a regression from bug 431054, so only 1.9.1 and 1.9.2 are affected.
Comment 8 Daniel Veditz [:dveditz] 2010-03-03 12:59:21 PST
Comment on attachment 428240
Patch

Approved for 1.9.2.2 and 1.9.1.9, a=dveditz for release-drivers
Comment 10 Carsten Book [:Tomcat] 2010-03-22 09:36:15 PDT
Verified with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.2) Gecko/20100319 Firefox/3.6.2 and the steps to reproduce from this bug!
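
Added example (not part of the bug thread and not Mozilla's code): a simplified model of the failure mode named in Comment 4 and Comment 5, a confidence ratio whose denominator is zero when the input contains no hi-bytes. A floating-point 0/0 raises the IEEE 754 invalid-operation condition, which is what the crash reason EXCEPTION_FLT_INVALID_OPERATION reports when that exception is unmasked; when it is masked the result is a silent NaN. The names `Counts`, `CountHiBytes`, `UnguardedConfidence`, `GuardedConfidence`, `RaisesInvalid` and the `DONT_KNOW` value are assumptions made for this sketch.

```cpp
// Simplified model for illustration; not the code in JpCntx.cpp.
#include <cfenv>
#include <cmath>
#include <cstdio>

static const float DONT_KNOW = -1.0f;  // hypothetical "no opinion" sentinel
struct Counts { unsigned total; unsigned hits; };

// Count hi-bytes (bit 7 set) and, among them, the EUC-JP hiragana lead byte 0xA4.
Counts CountHiBytes(const unsigned char* buf, std::size_t len) {
  Counts c = {0, 0};
  for (std::size_t i = 0; i < len; ++i) {
    if (buf[i] & 0x80) {
      ++c.total;
      if (buf[i] == 0xA4) ++c.hits;
    }
  }
  return c;
}

// Unguarded ratio: evaluates 0.0f / 0.0f when the input had no hi-bytes.
float UnguardedConfidence(const Counts& c) {
  volatile float hits = static_cast<float>(c.hits);   // volatile forces a runtime divide
  volatile float total = static_cast<float>(c.total);
  volatile float ratio = hits / total;
  return ratio;
}

// Guarded ratio: test the denominator before dividing.
float GuardedConfidence(const Counts& c) {
  if (c.total == 0) return DONT_KNOW;
  return static_cast<float>(c.hits) / static_cast<float>(c.total);
}

// True if calling fn(c) set the IEEE 754 invalid-operation flag.
bool RaisesInvalid(float (*fn)(const Counts&), const Counts& c) {
  std::feclearexcept(FE_ALL_EXCEPT);
  volatile float sink = fn(c); (void)sink;
  return std::fetestexcept(FE_INVALID) != 0;
}

// Constructed sample inputs: an ASCII-only buffer and a short EUC-JP fragment.
static const unsigned char kAscii[] = "plain ASCII page";
static const unsigned char kEucJp[] = {0xA4, 0xB3, 0xA4, 0xF3, 'a', 'b'};

int main() {
  Counts a = CountHiBytes(kAscii, sizeof kAscii - 1);
  Counts j = CountHiBytes(kEucJp, sizeof kEucJp);
  std::printf("ASCII: unguarded FE_INVALID=%d guarded=%.1f\n",
              RaisesInvalid(UnguardedConfidence, a), GuardedConfidence(a));
  std::printf("EUC-JP: guarded=%.2f\n", GuardedConfidence(j));
}
```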
