Bug 656354 - Firefox 6.0a1 Crash Report [@ nsDocShell::SetDocCurrentStateObj(nsISHEntry*) ] [@ nsDocShell::SetDocCurrentStateObj ] (null pointer dereference)
Status: VERIFIED FIXED
: crash, regression
Product: Core
Classification: Components
Component: Document Navigation
: Trunk
: x86 Windows 7
: -- critical
: ---
Assigned To: Justin Lebar (not reading bugmail)
:
: Andrew Overholt [:overholt]
Mentors:
: 656390
Depends on:
Blocks: 551225
Reported: 2011-05-11 10:20 PDT by Marcia Knous [:marcia - use ni]
Modified: 2011-06-09 14:58 PDT


Attachments
Patch v1 (1.24 KB, patch)
2011-05-11 10:33 PDT, Justin Lebar (not reading bugmail)
jonas: review+

Description Marcia Knous [:marcia - use ni] 2011-05-11 10:20:05 PDT
Seen while reviewing trunk crash stats. Started showing up in Socorro using the 2011051000 build. 100 crashes yesterday.

Possible pushlog regression range: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9e31df64bfd7&tochange=e0f6db50231f

Possibly Bug 551225 made some changes?

https://crash-stats.mozilla.com/report/index/b06f9a35-946e-41a4-a4f1-e26b52110511

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsDocShell::SetDocCurrentStateObj 	docshell/base/nsDocShell.cpp:7750
1 	xul.dll 	nsDocShell::InternalLoad 	
2 	xul.dll 	NS_URIChainHasFlags 	obj-firefox/dist/include/nsNetUtil.h:1559
3 	xul.dll 	LeaveFunction 	js/src/jsparse.cpp:2841
4 	xul.dll 	xul.dll@0x468df 	
5 	xul.dll 	xul.dll@0xc951f 	
6 	xul.dll 	xul.dll@0x3da9df 	
7 	xul.dll 	xul.dll@0xce76f 	
8 	xul.dll 	NS_EscapeURL 	xpcom/io/nsEscape.cpp:476
9 	xul.dll 	xul.dll@0x51a6f 	
10 	mozcrt19.dll 	arena_dalloc_small 	obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4045
11 	xul.dll 	xul.dll@0x203a5f 	
12 	xul.dll 	nsTHashtable<nsBaseHashtableET<nsCStringHashKey,nsFactoryEntry*> >::s_MatchEntry 	obj-firefox/dist/include/nsTHashtable.h:375
13 	xul.dll 	nsComponentManagerImpl::GetServiceByContractID 	xpcom/components/nsComponentManager.cpp:1648
14 	xul.dll 	nsDocShell::QueryInterface 	docshell/base/nsDocShell.cpp:864
15 	xul.dll 	nsCOMPtr_base::assign_from_qi 	obj-firefox/xpcom/build/nsCOMPtr.cpp:98
16 	xul.dll 	nsDocShell::LoadURI 	docshell/base/nsDocShell.cpp:1424
Comment 1 Justin Lebar (not reading bugmail) 2011-05-11 10:26:19 PDT
> Possibly Bug 551225 made some changes?

Ouch.  Yes, I think I messed this up.
Comment 2 Justin Lebar (not reading bugmail) 2011-05-11 10:30:13 PDT
For reference, here's nsDocShell::SetDocCurrentStateObj before the patch in bug 551225.  Note that shEntry may be null!

nsresult
nsDocShell::SetDocCurrentStateObj(nsISHEntry *shEntry)
{
    nsresult rv;

    nsCOMPtr<nsIDocument> document = do_GetInterface(GetAsSupports(this));
    NS_ENSURE_TRUE(document, NS_ERROR_FAILURE);

    nsAutoString stateData;
    if (shEntry) {
        rv = shEntry->GetStateData(stateData);
        NS_ENSURE_SUCCESS(rv, rv);

        // if shEntry is null, we just set the pending state object to the
        // empty string.
    }

    document->SetCurrentStateObject(stateData);
    return NS_OK;
}
Comment 3 Justin Lebar (not reading bugmail) 2011-05-11 10:33:02 PDT
Created attachment 531673 [details] [diff] [review]
Patch v1
Comment 4 Justin Lebar (not reading bugmail) 2011-05-11 10:34:41 PDT
Not sure how the tracking-firefox6 flag got cleared, but setting it to "?" again.
Comment 5 Ben Hearsum (:bhearsum) 2011-05-11 11:18:23 PDT
I hit this often when using F1.
Comment 6 Marcia Knous [:marcia - use ni] 2011-05-11 12:55:19 PDT
Adding the Mac specific sig so it gets picked up in crash stats - 
[@ nsDocShell::SetDocCurrentStateObj ]
Comment 7 Marcia Knous [:marcia - use ni] 2011-05-11 13:13:58 PDT
*** Bug 656390 has been marked as a duplicate of this bug. ***
Comment 8 Robert Kaiser 2011-05-16 07:21:21 PDT
As a note, this has been the #1 crash on trunk for multiple days in a row now.
Comment 9 Justin Lebar (not reading bugmail) 2011-05-16 07:23:06 PDT
Jonas, review ping.
Comment 10 Justin Lebar (not reading bugmail) 2011-05-17 13:33:36 PDT
http://hg.mozilla.org/mozilla-central/rev/d124391343a0
Comment 11 Marcia Knous [:marcia - use ni] 2011-05-24 11:05:08 PDT
Checking crash stats, this looks good for Windows and Mac signatures as they seem to have fallen off since the 17th. There are a few Linux reports such as https://crash-stats.mozilla.com/report/index/b75ff76b-8c8f-45a8-b96d-e61e22110522 which have a build ID=20110520033417. That person is running with a number of extensions.
Comment 12 Justin Lebar (not reading bugmail) 2011-05-24 11:26:52 PDT
Not totally sure how to read the crashstats page, but that person appears to be running a TM nightly, and the link in the backtrace [1] doesn't have the fix.

[1] https://crash-stats.mozilla.com/report/index/b75ff76b-8c8f-45a8-b96d-e61e22110522
Comment 13 Marcia Knous [:marcia - use ni] 2011-05-24 11:33:26 PDT
Sorry, I missed the nightly-tracemonkey part in the report and was just looking at the Build ID. I think we can verify this fixed based on crash-stats. Thanks for the quick turnaround on the fix.

(In reply to comment #12)
> Not totally sure how to read the crashstats page, but that person appears to
> be running a TM nightly, and the link in the backtrace [1] doesn't have the
> fix.
> 
> [1] https://crash-stats.mozilla.com/report/index/b75ff76b-8c8f-45a8-b96d-e61e22110522
Comment 14 Johnny Stenback (:jst, jst@mozilla.com) 2011-05-24 14:59:50 PDT
This is fixed in 6, no need to track it.
