Closed Bug 636776 Opened 9 years ago Closed 9 years ago

Crash [@ nsSHEntry::GetParent(nsISHEntry**) ][@ @0x0 | nsSHEntry::GetParent(nsISHEntry**) ][@ nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ][@ @0x0 | nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ]

Categories: Core :: Document Navigation, defect, critical
Platform: x86, Windows 7
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Tracking Status: blocking2.0 --- final+
People: Reporter: scoobidiver, Assigned: smaug
Keywords: crash, regression
Whiteboard: [hardblocker] [fixed by backout?]

Crash Data

It is a new crash signature that first appeared in 4.0b13pre/20110225 except twice in 4.0b11 but with a different crash address.

Signature	nsSHEntry::GetParent(nsISHEntry**)
UUID	f5404e55-a8f8-46ed-a674-3d5b32110225
Time 	2011-02-25 08:47:03.700974
Uptime	7789
Last Crash	13748324 seconds (more than 3 months) before submission
Install Age	7789 seconds (2.2 hours) since version was first installed.
Product	Firefox
Version	4.0b13pre
Build ID	20110225030357
Branch	2.0
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
CPU	x86
CPU Info	GenuineIntel family 6 model 37 stepping 2
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x4
App Notes 	AdapterVendorID: 8086, AdapterDeviceID: 0042, AdapterDriverVersion: 8.15.10.2202

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsSHEntry::GetParent 	
1 	xul.dll 	nsDocShell::SetHistoryEntry 	docshell/base/nsDocShell.cpp:10445
2 	xul.dll 	nsDocShell::Embed 	docshell/base/nsDocShell.cpp:5785
3 	xul.dll 	nsDocShell::CreateContentViewer 	docshell/base/nsDocShell.cpp:7515
4 	xul.dll 	nsDSURIContentListener::DoContent 	docshell/base/nsDSURIContentListener.cpp:148
5 	xul.dll 	nsDocumentOpenInfo::TryContentListener 	uriloader/base/nsURILoader.cpp:757
6 	xul.dll 	nsDocumentOpenInfo::DispatchContent 	uriloader/base/nsURILoader.cpp:455
7 	xul.dll 	nsDocumentOpenInfo::OnStartRequest 	uriloader/base/nsURILoader.cpp:295
8 	xul.dll 	nsBaseChannel::OnStartRequest 	netwerk/base/src/nsBaseChannel.cpp:712
9 	xul.dll 	nsInputStreamPump::OnStateStart 	netwerk/base/src/nsInputStreamPump.cpp:441
10 	xul.dll 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:397
11 	xul.dll 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:112
12 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:633
13 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
14 	xul.dll 	xul.dll@0xb307ab 	
15 	xul.dll 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:219
16 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:202
17 	mozcrt19.dll 	_VEC_memzero 	
18 	xul.dll 	xul.dll@0x35a88d 	
19 	firefox.exe 	firefox.exe@0x1bb7 	
20 	ntdll.dll 	ntdll.dll@0x1e0ec 	
21 	ntdll.dll 	ntdll.dll@0x637c7 	
22 	firefox.exe 	firefox.exe@0x186f 	
23 	firefox.exe 	firefox.exe@0x186f 	

More reports at:
https://crash-stats.mozilla.com/report/list?product=Firefox&range_value=4&range_unit=weeks&signature=nsSHEntry%3A%3AGetParent%28nsISHEntry**%29
The new crash address is 0x4, so a null deref... but we have null-checks in GetRootSHEntry (which is what's on that line in SetHistoryEntry). So what gives?
It is #3 top crasher in today's build.

There are different crash addresses: 0x4 (the major part), 0x48cadc0, 0x7074746c.

The regression window is large because of the blocked automatic update during the Beta 12 release:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1da3405c74fd&tochange=d7ef42d7782c
blocking2.0: --- → ?
Summary: Crash [@ nsSHEntry::GetParent(nsISHEntry**) ] → Crash [@ nsSHEntry::GetParent(nsISHEntry**) ][@ nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ]
Summary: Crash [@ nsSHEntry::GetParent(nsISHEntry**) ][@ nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ] → Crash [@ nsSHEntry::GetParent(nsISHEntry**) ][@ @0x0 | nsSHEntry::GetParent(nsISHEntry**) ][@ nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ]
Assignee: nobody → Olli.Pettay
Most probably caused by Bug 632835.
And I think I know what the problem is.
I just saw this while scrolling a Facebook page. Could have been as it was ajaxily adding more content.
I'll back out Bug 632835, and investigate it more.
Blocks: 632835
Summary: Crash [@ nsSHEntry::GetParent(nsISHEntry**) ][@ @0x0 | nsSHEntry::GetParent(nsISHEntry**) ][@ nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ] → Crash [@ nsSHEntry::GetParent(nsISHEntry**) ][@ @0x0 | nsSHEntry::GetParent(nsISHEntry**) ][@ nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ][@ @0x0 | nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ]
(In reply to comment #5)
> I'll back out Bug 632835, and investigate it more.

So can we resolve this as Fixed with that backout?
I'd wait still a day or so to see if the crashes are gone.
blocking2.0: ? → final+
Whiteboard: [hardblocker]
Whiteboard: [hardblocker] → [hardblocker] [fixed by backout?]
Have they gone away?
(click the "Table" tab in the URL in the previous comment)
That seems "gone enough" to resolve this as Fixed. If someone wants to Verify in a few days, that'd be great.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Crash Signature: [@ nsSHEntry::GetParent(nsISHEntry**) ] [@ @0x0 | nsSHEntry::GetParent(nsISHEntry**) ] [@ nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ] [@ @0x0 | nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ]