547487 - Firefox crashes at [@ JapaneseContextAnalysis::GetConfidence(int)]

Status: RESOLVED FIXED

(Core :: Internationalization, defect)

Description

[John Ma]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)

After I installed Flash 10.0r45, I always have crashes on some more complicated pages, like adobe.com and even some Chinese-language site-- using news.sina.com.cn and udn.com for examples across the strait. This happened even after I disabled the Shockwave Flash plugin in FF and updated my Java (now at 6r18).

Reproducible: Always

Steps to Reproduce:
1. Open the page.
Actual Results:  
FF 3.6 crashes and the normal crash reporter window comes out.


The crash log for adobe.com is at here: http://crash-stats.mozilla.com/report/index/e488192b-8c0e-4109-a3b8-e8afa2100220

Other sites are similar and I would not repeat.

Summary of the crash report: EXCEPTION_FLT_INVALID_OPERATION @ 0x1043e949 for JapaneseContextAnalysis::GetConfidence(int) at extensions/universalchardet/src/base/JpCntx.cpp:188

Comment 1

[timeless]

Signature	JapaneseContextAnalysis::GetConfidence(int)
UUID	e488192b-8c0e-4109-a3b8-e8afa2100220
Time 	2010-02-20 16:18:23.956587
Uptime	75
Last Crash	79 seconds before submission
Product	Firefox
Version	3.6
Build ID	20100115144158
Branch	1.9.2
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
CPU	x86
CPU Info	GenuineIntel family 6 model 14 stepping 8
Crash Reason	EXCEPTION_FLT_INVALID_OPERATION
Crash Address	0x1043e949
User Comments	
Processor Notes 	
Crashing Thread
Frame 	Module 	Signature [Expand] 	Source
0 	xul.dll 	JapaneseContextAnalysis::GetConfidence 	extensions/universalchardet/src/base/JpCntx.cpp:188
1 	xul.dll 	nsEUCJPProber::GetConfidence 	extensions/universalchardet/src/base/nsEUCJPProber.cpp:94
2 	xul.dll 	nsMBCSGroupProber::GetConfidence 	extensions/universalchardet/src/base/nsMBCSGroupProber.cpp:189
3 	xul.dll 	nsUniversalDetector::DataEnd 	extensions/universalchardet/src/base/nsUniversalDetector.cpp:276
4 	xul.dll 	nsXPCOMDetector::Done 	extensions/universalchardet/src/xpcom/nsUdetXPCOMWrapper.cpp:117
5 	xul.dll 	nsDetectionAdaptor::Finish 	intl/chardet/src/nsDetectionAdaptor.cpp:168
6 	xul.dll 	nsParser::OnStopRequest

Comment 2

[Simon Montagu :smontagu]

Which option is selected under View | Character Encoding | Auto-Detect?

Comment 3

[John Ma]

Japanese.

Comment 4

[Simon Montagu :smontagu]

I can't reproduce the crash, but I do see by code inspection that a divide by zero is possible at JpCntx.cpp:188

Taking.

Comment 5

[Simon Montagu :smontagu]

Attachment: Patch

This is in effect a rewrite of my patch to bug 4313054, to prevent the possibility of a divide by zero when there are no hi-bytes in the input.

Comment 6

[Simon Montagu :smontagu]

http://hg.mozilla.org/mozilla-central/rev/e12168b7484b

Comment 7

[Simon Montagu :smontagu]

Comment on attachment 428240 [details] [diff] [review]
Patch

Asking branch approval after trunk baking. This is a very safe fix for a crash with divide by zero. It is a regression from bug 431054, so only 1.9.1 and 1.9.2 are affected

Comment 8

[Daniel Veditz [:dveditz]]

Comment on attachment 428240 [details] [diff] [review]
Patch

Approved for 1.9.2.2 and 1.9.1.9, a=dveditz for release-drivers

Comment 9

[Simon Montagu :smontagu]

http://hg.mozilla.org/releases/mozilla-1.9.1/rev/883f5519949b
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/3faa5eaead0a

Comment 10

[Carsten Book [:Tomcat]]

verified with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.2) Gecko/20100319 Firefox/3.6.2  and the steps to reproduce from this bug !