Crash running browser_privatebrowsing_placestitle.js [@ CalculateUTF8Size::write] [@ AppendUTF16toUTF8]

Status: RESOLVED WORKSFORME
Product: Toolkit
Component: Places
Reported: 8 years ago
Last updated: 5 years ago
Reporter: Benjamin Smedberg
Assigned: sicking
Keywords: crash, intermittent-failure
Firefox Tracking Flags: Not tracked
Crash Signature: [@ CalculateUTF8Size::write] [@ AppendUTF16toUTF8]

Description (Reporter, 8 years ago)
Crash while running/after running browser_privatebrowsing_placestitle.js:

http://tinderbox.mozilla.org/showlog.cgi?tree=Firefox&errorparser=unittest&logfile=1268332433.1268335163.14015.gz&buildtime=1268332433&buildname=WINNT%205.2%20mozilla-central%20debug%20test%20mochitest-other&fulltext=1

Running chrome://mochikit/content/browser/browser/components/privatebrowsing/test/browser/browser_privatebrowsing_placestitle.js...
Chrome file doesn't exist: e:\builds\moz2_slave\mozilla-central-win32-debug-unittest-mochitest-other\build\mochitest\browser\browser\components\privatebrowsing\test\browser\head.js
pldhash: for the table at address 096B13C8, the given entrySize of 48 probably favors chaining over double hashing.
++DOCSHELL 096B1360 == 14
++DOMWINDOW == 93 (092ED050) [serial = 874] [outer = 00000000]
++DOMWINDOW == 94 (0949B050) [serial = 875] [outer = 092ED020]
++DOMWINDOW == 95 (04872CA0) [serial = 876] [outer = 092ED020]
WARNING: Attempting to register as a history observer twice!: file e:/builds/moz2_slave/mozilla-central-win32-debug/build/toolkit/components/places/src/nsNavHistoryResult.cpp, line 4173
TEST-PASS | chrome://mochikit/content/browser/browser/components/privatebrowsing/test/browser/browser_privatebrowsing_placestitle.js | The page should be loaded without any cookie for the first time
pldhash: for the table at address 09852D10, the given entrySize of 48 probably favors chaining over double hashing.
...
WARNING: Attempting to register as a history observer twice!: file e:/builds/moz2_slave/mozilla-central-win32-debug/build/toolkit/components/places/src/nsNavHistoryResult.cpp, line 4173
TEST-PASS | chrome://mochikit/content/browser/browser/components/privatebrowsing/test/browser/browser_privatebrowsing_placestitle.js | The page should be loaded with a cookie for the second time
WARNING: Attempting to register as a history observer twice!: file e:/builds/moz2_slave/mozilla-central-win32-debug/build/toolkit/components/places/src/nsNavHistoryResult.cpp, line 4173
WARNING: Attempting to register as a history observer twice!: file e:/builds/moz2_slave/mozilla-central-win32-debug/build/toolkit/components/places/src/nsNavHistoryResult.cpp, line 4173
...
NEXT ERROR PROCESS-CRASH | automation.py | application crashed (minidump found)
Operating system: Windows NT
                  5.2.3790 Service Pack 2
CPU: x86
     GenuineIntel family 6 model 15 stepping 8
     1 CPU

Crash reason:  EXCEPTION_ACCESS_VIOLATION
Crash address: 0x5

NEXT ERROR Thread 0 (crashed)
 0  xul.dll!CalculateUTF8Size::write(unsigned short const *,unsigned int) [nsUTF8Utils.h:85fe77e1b558 : 604 + 0x3]
    eip = 0x11007b65   esp = 0x0012d480   ebp = 0x0012d490   ebx = 0x00000000
    esi = 0x019a34d8   edi = 0x00000000   eax = 0x00000005   ecx = 0x09a7ee20
    edx = 0x00000005   efl = 0x00210287
    Found by: given as instruction pointer in context
 1  xul.dll!nsCharSinkTraits<CalculateUTF8Size>::write(CalculateUTF8Size &,unsigned short const *,unsigned int) [nsCharTraits.h:85fe77e1b558 : 812 + 0xf]
    eip = 0x11007b23   esp = 0x0012d498   ebp = 0x0012d4a0
    Found by: call frame info
 2  xul.dll!copy_string<nsReadingIterator<unsigned short>,CalculateUTF8Size>(nsReadingIterator<unsigned short> const &,nsReadingIterator<unsigned short> const &,CalculateUTF8Size &) [nsAlgorithm.h:85fe77e1b558 : 93 + 0x26]
    eip = 0x110070ca   esp = 0x0012d4a8   ebp = 0x0012d4b4
    Found by: call frame info
 3  xul.dll!AppendUTF16toUTF8(nsAString_internal const &,nsACString_internal &) [nsReadableUtils.cpp:85fe77e1b558 : 200 + 0x22]
    eip = 0x110058f1   esp = 0x0012d4bc   ebp = 0x0012d4f4
    Found by: call frame info
 4  xul.dll!NS_ConvertUTF16toUTF8::NS_ConvertUTF16toUTF8(nsAString_internal const &) [nsString.h:85fe77e1b558 : 158 + 0xc]
    eip = 0x10011acc   esp = 0x0012d4fc   ebp = 0x0012d508
    Found by: call frame info
 5  xul.dll!nsNavHistoryQueryResultNode::OnTitleChanged(nsIURI *,nsAString_internal const &) [nsNavHistoryResult.cpp:85fe77e1b558 : 2941 + 0xb]
    eip = 0x10e242a2   esp = 0x0012d510   ebp = 0x0012d57c
    Found by: call frame info
 6  xul.dll!nsNavHistoryResult::OnTitleChanged(nsIURI *,nsAString_internal const &) [nsNavHistoryResult.cpp:85fe77e1b558 : 4644 + 0x91]
    eip = 0x10e29ca8   esp = 0x0012d584   ebp = 0x0012d59c
    Found by: call frame info
 7  xul.dll!nsNavHistory::SetPageTitleInternal(nsIURI *,nsAString_internal const &) [nsNavHistory.cpp:85fe77e1b558 : 7165 + 0x131]
    eip = 0x10dddab1   esp = 0x0012d5a4   ebp = 0x0012d6f4
    Found by: call frame info
 8  xul.dll!nsNavHistory::CommitLazyMessages(int) [nsNavHistory.cpp:85fe77e1b558 : 6014 + 0x1a]
    eip = 0x10dd97a4   esp = 0x0012d6fc   ebp = 0x0012d728
    Found by: call frame info
 9  xul.dll!nsNavHistory::LazyTimerCallback(nsITimer *,void *) [nsNavHistory.cpp:85fe77e1b558 : 5997 + 0x9]
    eip = 0x10dd96be   esp = 0x0012d730   ebp = 0x0012d738
    Found by: call frame info
10  xul.dll!nsTimerImpl::Fire() [nsTimerImpl.cpp:85fe77e1b558 : 427 + 0xd]
    eip = 0x1105170e   esp = 0x0012d740   ebp = 0x0012d78c
    Found by: call frame info
11  xul.dll!nsTimerEvent::Run() [nsTimerImpl.cpp:85fe77e1b558 : 519 + 0xe]
    eip = 0x110518f1   esp = 0x0012d794   ebp = 0x0012d7a4
    Found by: call frame info
12  xul.dll!nsThread::ProcessNextEvent(int,int *) [nsThread.cpp:85fe77e1b558 : 527 + 0x18]
    eip = 0x1103e4ba   esp = 0x0012d7ac   ebp = 0x0012d7e0
    Found by: call frame info
sicking has been touching the Unicode conversion code recently...

Updated (8 years ago)
Keywords: crash

Updated (8 years ago)
Summary: Crash running browser_privatebrowsing_placestitle.js → Crash running browser_privatebrowsing_placestitle.js [@ CalculateUTF8Size::write]
Happened on try server as well.
http://tinderbox.mozilla.org/showlog.cgi?log=MozillaTry/1268890603.1268900454.30118.gz
Assignee: nobody → jonas
blocking2.0: --- → beta1+

Updated (8 years ago)
Whiteboard: [orange]
blocking2.0: beta1+ → beta2+

Comment 3

8 years ago
WINNT 5.2 mozilla-central opt test mochitest-other on 2010/06/25 17:39:52

Opt crash [@ AppendUTF16toUTF8]

http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1277512792.1277514649.29535.gz&fulltext=1#err8
Summary: Crash running browser_privatebrowsing_placestitle.js [@ CalculateUTF8Size::write] → Crash running browser_privatebrowsing_placestitle.js [@ CalculateUTF8Size::write] [@ AppendUTF16toUTF8]
Moving to final+ --> ehsan, should this be in Firefox::Private Browsing?
blocking2.0: beta2+ → betaN+

Comment 6

7 years ago
(In reply to comment #5)
> ehsan, should this be in Firefox::Private Browsing?

Not really.  This is probably places code doing something weird, which happens to be triggered by this test.
The changes in http://hg.mozilla.org/mozilla-central/rev/c5520407a4ad regarding AppendUTF16ToUTF8 could be related. Indeed, a lot of stuff changed around February/March in these files, and some unchecked iterator could cause this kind of crash.
Does anyone have steps to reproduce this?
My concern here is that the UTF code is handed an invalid string reference. Could the aPageTitle be a dangling reference or point to invalid data?

Comment 10

7 years ago
(In reply to comment #9)
> My concern here is that the UTF code is handed an invalid string
> reference. Could the aPageTitle be a dangling reference or point to invalid
> data?

The title is coming from <http://mxr.mozilla.org/mozilla-central/source/browser/components/privatebrowsing/test/browser/title.sjs#53>.  So unless there's a bug in places which corrupts the value, it shouldn't happen.
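As an added illustration (not Mozilla's code) of what frames 0 to 3 of the stack in comment 0 do, and of why the dangling-reference hypothesis in comment 9 is hard to rule out from the crash alone: a size-only sink driven over a UTF-16 buffer, in the style of copy_string<..., CalculateUTF8Size>. The sink and function names, and counting a lone surrogate as a 3-byte U+FFFD, are assumptions made here.

```cpp
#include <cstddef>

// Added illustration, not Mozilla's code: a character sink that only counts
// the UTF-8 bytes a UTF-16 buffer would need, driven by a copy loop like the
// copy_string<nsReadingIterator<...>, CalculateUTF8Size> frame in the stack.
struct Utf8SizeSink {
    std::size_t size = 0;

    // Consume n UTF-16 code units. A surrogate pair becomes one 4-byte
    // sequence; a lone surrogate is counted as U+FFFD (3 bytes), an
    // assumption here rather than a documented Mozilla behaviour.
    void write(const char16_t* start, std::size_t n) {
        const char16_t* p = start;
        const char16_t* end = start + n;
        while (p < end) {
            char16_t c = *p++;
            if (c < 0x80) {
                size += 1;
            } else if (c < 0x800) {
                size += 2;
            } else if (c >= 0xD800 && c <= 0xDBFF) {          // high surrogate
                if (p < end && *p >= 0xDC00 && *p <= 0xDFFF) { // paired low
                    ++p;
                    size += 4;
                } else {
                    size += 3;                                // lone high
                }
            } else {
                size += 3;  // BMP character, or lone low surrogate -> U+FFFD
            }
        }
    }
};

// Caller-side analogue of the sizing pass inside AppendUTF16toUTF8.
// A dangling or corrupted (begin, len) reference cannot be detected here:
// the loop dereferences whatever it is handed, which is why the bug's crash
// surfaces inside the sink (crash address 0x5) rather than at the call site.
std::size_t utf16_to_utf8_size(const char16_t* begin, std::size_t len) {
    if (begin == nullptr) return 0;  // the one cheap precondition available
    Utf8SizeSink sink;
    sink.write(begin, len);
    return sink.size;
}
```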
Ok, still need steps to reproduce then.
For what it's worth, I'm not finding any reports on crash-stats for CalculateUTF8Size::write for the last week for FF4.x and only 3 for the past week on all releases.

There are quite a few more for AppendUTF16toUTF8, but none that matches the stack in comment 0.

I don't see that we can block on this, please renominate if you disagree.
blocking2.0: betaN+ → ---
There are some (13) crashes at this signature in the last 2 weeks on 4.0 and 3.6, but none of them shares the stack with this bug: http://tinyurl.com/66vfwsk
Specifically I can't find any crash originating from Places.

Sicking, is it still worth keeping this open?
Crash Signature: [@ CalculateUTF8Size::write] [@ AppendUTF16toUTF8]
Unless there are more crashes, I'm not convinced that it's worth keeping this open any more.
Crash Signature: [@ CalculateUTF8Size::write] [@ AppendUTF16toUTF8] → [@ CalculateUTF8Size::write] [@ AppendUTF16toUTF8]

Updated (6 years ago)
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → WORKSFORME
Keywords: intermittent-failure
Whiteboard: [orange]