Closed Bug 636776 Opened 14 years ago Closed 14 years ago

Crash [@ nsSHEntry::GetParent(nsISHEntry**) ][@ @0x0 | nsSHEntry::GetParent(nsISHEntry**) ][@ nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ][@ @0x0 | nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ]

Categories

(Core :: DOM: Navigation, defect)

x86
Windows 7
defect
Not set
critical

Tracking

RESOLVED FIXED
Tracking Status
blocking2.0 --- final+

People

(Reporter: scoobidiver, Assigned: smaug)

Details

(Keywords: crash, regression, Whiteboard: [hardblocker] [fixed by backout?])

Crash Data

It is a new crash signature that first appeared in 4.0b13pre/20110225 except twice in 4.0b11 but with a different crash address.

Signature nsSHEntry::GetParent(nsISHEntry**)
UUID f5404e55-a8f8-46ed-a674-3d5b32110225
Time 2011-02-25 08:47:03.700974
Uptime 7789
Last Crash 13748324 seconds (more than 3 months) before submission
Install Age 7789 seconds (2.2 hours) since version was first installed.
Product Firefox
Version 4.0b13pre
Build ID 20110225030357
Branch 2.0
OS Windows NT
OS Version 6.1.7601 Service Pack 1
CPU x86
CPU Info GenuineIntel family 6 model 37 stepping 2
Crash Reason EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 0x4
App Notes AdapterVendorID: 8086, AdapterDeviceID: 0042, AdapterDriverVersion: 8.15.10.2202

Frame Module Signature Source
0 xul.dll nsSHEntry::GetParent
1 xul.dll nsDocShell::SetHistoryEntry docshell/base/nsDocShell.cpp:10445
2 xul.dll nsDocShell::Embed docshell/base/nsDocShell.cpp:5785
3 xul.dll nsDocShell::CreateContentViewer docshell/base/nsDocShell.cpp:7515
4 xul.dll nsDSURIContentListener::DoContent docshell/base/nsDSURIContentListener.cpp:148
5 xul.dll nsDocumentOpenInfo::TryContentListener uriloader/base/nsURILoader.cpp:757
6 xul.dll nsDocumentOpenInfo::DispatchContent uriloader/base/nsURILoader.cpp:455
7 xul.dll nsDocumentOpenInfo::OnStartRequest uriloader/base/nsURILoader.cpp:295
8 xul.dll nsBaseChannel::OnStartRequest netwerk/base/src/nsBaseChannel.cpp:712
9 xul.dll nsInputStreamPump::OnStateStart netwerk/base/src/nsInputStreamPump.cpp:441
10 xul.dll nsInputStreamPump::OnInputStreamReady netwerk/base/src/nsInputStreamPump.cpp:397
11 xul.dll nsInputStreamReadyEvent::Run xpcom/io/nsStreamUtils.cpp:112
12 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:633
13 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:110
14 xul.dll xul.dll@0xb307ab
15 xul.dll MessageLoop::RunInternal ipc/chromium/src/base/message_loop.cc:219
16 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:202
17 mozcrt19.dll _VEC_memzero
18 xul.dll xul.dll@0x35a88d
19 firefox.exe firefox.exe@0x1bb7
20 ntdll.dll ntdll.dll@0x1e0ec
21 ntdll.dll ntdll.dll@0x637c7
22 firefox.exe firefox.exe@0x186f
23 firefox.exe firefox.exe@0x186f

More reports at: https://crash-stats.mozilla.com/report/list?product=Firefox&range_value=4&range_unit=weeks&signature=nsSHEntry%3A%3AGetParent%28nsISHEntry**%29
The new crash address is 0x4, so a null deref..... but we have null-checks in GetRootSHEntry (which is what's on that line in SetHistoryEntry). So what gives?
It is #3 top crasher in today's build. There are different crash addresses: 0x4 (the major part), 0x48cadc0, 0x7074746c. The regression window is large because of the blocked automatic update during the Beta 12 release: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1da3405c74fd&tochange=d7ef42d7782c
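
Added example, not part of the bug thread and not Mozilla code: a small triage pass over crash-report text that separates near-null faults (such as the 0x4 read above) from faults on non-null addresses (such as 0x48cadc0 and 0x7074746c), since the latter cannot be explained by a missing null check alone. The NULL_GUARD limit, the function names and the sample report strings are assumptions made for this illustration.

```python
import re
from collections import Counter

# Assumption: the lowest 64 KiB of a Windows user address space is never
# mapped, so a fault below this limit is a null pointer plus a field offset.
NULL_GUARD = 0x10000

FIELDS = re.compile(
    r"Crash Reason\s+(?P<reason>\S+)\s+Crash Address\s+(?P<addr>0x[0-9a-fA-F]+)"
)

def parse_report(text):
    """Pull (access kind, faulting address) out of one crash report's text."""
    m = FIELDS.search(text)
    if m is None:
        return None
    return m["reason"].rsplit("_", 1)[-1], int(m["addr"], 16)

def triage(report_texts):
    """Count reports per (bucket, access kind); unparseable text is skipped."""
    buckets = Counter()
    for text in report_texts:
        parsed = parse_report(text)
        if parsed is None:
            continue
        access, address = parsed
        bucket = "near-null" if address < NULL_GUARD else "non-null"
        buckets[(bucket, access)] += 1
    return buckets

def needs_memory_safety_review(buckets):
    """True when some report faulted on a non-null address, which a missing
    null check alone cannot explain."""
    return any(bucket == "non-null" for bucket, _ in buckets)

# Constructed sample: the three addresses are the ones quoted in the thread;
# the crash reason attached to the two non-null ones is assumed.
SAMPLE = [
    "Crash Reason EXCEPTION_ACCESS_VIOLATION_READ Crash Address 0x4 App Notes",
    "Crash Reason EXCEPTION_ACCESS_VIOLATION_READ\nCrash Address 0x48cadc0",
    "Crash Reason EXCEPTION_ACCESS_VIOLATION_READ Crash Address 0x7074746c",
    "report with no crash fields",
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for (bucket, access), n in sorted(result.items()):
        print(f"{bucket:9} {access:5} {n}")
    print("needs memory-safety review:", needs_memory_safety_review(result))
```
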
blocking2.0: --- → ?
Summary: Crash [@ nsSHEntry::GetParent(nsISHEntry**) ] → Crash [@ nsSHEntry::GetParent(nsISHEntry**) ][@ nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ]
Summary: Crash [@ nsSHEntry::GetParent(nsISHEntry**) ][@ nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ] → Crash [@ nsSHEntry::GetParent(nsISHEntry**) ][@ @0x0 | nsSHEntry::GetParent(nsISHEntry**) ][@ nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ]
Assignee: nobody → Olli.Pettay
Most probably caused by Bug 632835. And I think I know what the problem is.
I just saw this while scrolling a Facebook page. Could have been as it was ajaxily adding more content.
I'll back out Bug 632835, and investigate it more.
Blocks: 632835
Summary: Crash [@ nsSHEntry::GetParent(nsISHEntry**) ][@ @0x0 | nsSHEntry::GetParent(nsISHEntry**) ][@ nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ] → Crash [@ nsSHEntry::GetParent(nsISHEntry**) ][@ @0x0 | nsSHEntry::GetParent(nsISHEntry**) ][@ nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ][@ @0x0 | nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ]
(In reply to comment #5)
> I'll back out Bug 632835, and investigate it more.
So can we resolve this as Fixed with that backout?
I'd wait still a day or so to see if the crashes are gone.
blocking2.0: ? → final+
Whiteboard: [hardblocker]
Whiteboard: [hardblocker] → [hardblocker] [fixed by backout?]
Have they gone away?
(click the "Table" tab in the URL in the previous comment)
That seems "gone enough" to resolve this as Fixed. If someone wants to Verify in a few days, that'd be great.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Crash Signature: [@ nsSHEntry::GetParent(nsISHEntry**) ] [@ @0x0 | nsSHEntry::GetParent(nsISHEntry**) ] [@ nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ] [@ @0x0 | nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ]