Firefox 6.0a1 Crash Report [@ nsDocShell::SetDocCurrentStateObj(nsISHEntry*) ] [@ nsDocShell::SetDocCurrentStateObj ] (null pointer dereference)

Status: VERIFIED FIXED (Core, Document Navigation; critical; 6 years ago)

People: Reporter: marcia, Assigned: Justin Lebar (not reading bugmail)

Tracking: crash, regression (Trunk, x86, Windows 7)

Firefox Tracking Flags: firefox6-

Attachments: 1 attachment

(Reporter)

Description

6 years ago
Seen while reviewing trunk crash stats. Started showing up in Socorro using the 2011051000 build. 100 crashes yesterday.

Possible pushlog regression range: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9e31df64bfd7&tochange=e0f6db50231f

Possibly Bug 551225 made some changes?

https://crash-stats.mozilla.com/report/index/b06f9a35-946e-41a4-a4f1-e26b52110511

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsDocShell::SetDocCurrentStateObj 	docshell/base/nsDocShell.cpp:7750
1 	xul.dll 	nsDocShell::InternalLoad 	
2 	xul.dll 	NS_URIChainHasFlags 	obj-firefox/dist/include/nsNetUtil.h:1559
3 	xul.dll 	LeaveFunction 	js/src/jsparse.cpp:2841
4 	xul.dll 	xul.dll@0x468df 	
5 	xul.dll 	xul.dll@0xc951f 	
6 	xul.dll 	xul.dll@0x3da9df 	
7 	xul.dll 	xul.dll@0xce76f 	
8 	xul.dll 	NS_EscapeURL 	xpcom/io/nsEscape.cpp:476
9 	xul.dll 	xul.dll@0x51a6f 	
10 	mozcrt19.dll 	arena_dalloc_small 	obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4045
11 	xul.dll 	xul.dll@0x203a5f 	
12 	xul.dll 	nsTHashtable<nsBaseHashtableET<nsCStringHashKey,nsFactoryEntry*> >::s_MatchEntry 	obj-firefox/dist/include/nsTHashtable.h:375
13 	xul.dll 	nsComponentManagerImpl::GetServiceByContractID 	xpcom/components/nsComponentManager.cpp:1648
14 	xul.dll 	nsDocShell::QueryInterface 	docshell/base/nsDocShell.cpp:864
15 	xul.dll 	nsCOMPtr_base::assign_from_qi 	obj-firefox/xpcom/build/nsCOMPtr.cpp:98
16 	xul.dll 	nsDocShell::LoadURI 	docshell/base/nsDocShell.cpp:1424
(Assignee)

Updated

6 years ago
Summary: Firefox 6.0a1 Crash Report [@ nsDocShell::SetDocCurrentStateObj(nsISHEntry*) ] → Firefox 6.0a1 Crash Report [@ nsDocShell::SetDocCurrentStateObj(nsISHEntry*) ] (null pointer dereference)
(Assignee)

Comment 1

6 years ago
> Possibly Bug 551225 made some changes?

Ouch.  Yes, I think I messed this up.
(Assignee)

Updated

6 years ago
Blocks: 551225
(Assignee)

Updated

6 years ago
Assignee: nobody → justin.lebar+bug
(Assignee)

Comment 2

6 years ago
For reference, here's nsDocShell::SetDocCurrentStateObj before the patch in bug 551225.  Note that shEntry may be null!

nsresult
nsDocShell::SetDocCurrentStateObj(nsISHEntry *shEntry)
{
    nsresult rv;

    nsCOMPtr<nsIDocument> document = do_GetInterface(GetAsSupports(this));
    NS_ENSURE_TRUE(document, NS_ERROR_FAILURE);

    nsAutoString stateData;
    if (shEntry) {
        rv = shEntry->GetStateData(stateData);
        NS_ENSURE_SUCCESS(rv, rv);

        // if shEntry is null, we just set the pending state object to the
        // empty string.
    }

    document->SetCurrentStateObject(stateData);
    return NS_OK;
}
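
The null-entry contract noted in comment 2, as an added, self-contained example (not Mozilla's code and not the patch from this bug): `Result`, `HistoryEntry`, `Document` and `RunNullEntryChecks` are hypothetical stand-ins for the Gecko types. The checks exercise the null path, the normal path and the failing-getter path, so a refactor that drops the `if (entry)` guard is caught by a test rather than by crash stats.

```cpp
#include <string>

enum Result { OK, FAILURE };

// Stand-in for nsISHEntry (hypothetical type, not Gecko's).
struct HistoryEntry {
    std::string stateData;
    bool failGet = false;  // simulate GetStateData() failing
    Result GetStateData(std::string& out) const {
        if (failGet) return FAILURE;
        out = stateData;
        return OK;
    }
};

// Stand-in for nsIDocument (hypothetical type, not Gecko's).
struct Document {
    std::string currentState = "stale";
    void SetCurrentStateObject(const std::string& s) { currentState = s; }
};

// Same control flow as the quoted function: a null entry means empty state.
Result SetDocCurrentStateObj(Document* doc, const HistoryEntry* entry) {
    if (!doc) return FAILURE;
    std::string stateData;
    if (entry) {
        Result rv = entry->GetStateData(stateData);
        if (rv != OK) return rv;  // document left untouched on error
    }
    doc->SetCurrentStateObject(stateData);
    return OK;
}

// Regression checks; returns the number of failed cases (0 when all pass).
int RunNullEntryChecks() {
    int failures = 0;
    Document a, b, c;
    HistoryEntry good, bad;
    good.stateData = "{\"page\":2}";  // constructed sample state
    bad.failGet = true;
    // Null entry: must not crash, and must clear the state.
    if (SetDocCurrentStateObj(&a, nullptr) != OK || !a.currentState.empty()) ++failures;
    // Non-null entry: state is copied from the entry.
    if (SetDocCurrentStateObj(&b, &good) != OK || b.currentState != good.stateData) ++failures;
    // Failing entry: error propagates and the old state is kept.
    if (SetDocCurrentStateObj(&c, &bad) != FAILURE || c.currentState != "stale") ++failures;
    return failures;
}

int main() { return RunNullEntryChecks(); }
```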
(Reporter)

Updated

6 years ago
tracking-firefox6: --- → ?
Keywords: regression
(Assignee)

Comment 3

6 years ago
Created attachment 531673 [details] [diff] [review]
Patch v1
Attachment #531673 - Flags: review?(jonas)
(Assignee)

Comment 4

6 years ago
Not sure how the tracking-firefox6 flag got cleared, but setting it to "?" again.
I hit this often when using F1.
(Reporter)

Comment 6

6 years ago
Adding the Mac specific sig so it gets picked up in crash stats - 
[@ nsDocShell::SetDocCurrentStateObj ]
Summary: Firefox 6.0a1 Crash Report [@ nsDocShell::SetDocCurrentStateObj(nsISHEntry*) ] (null pointer dereference) → Firefox 6.0a1 Crash Report [@ nsDocShell::SetDocCurrentStateObj(nsISHEntry*) ] [@ nsDocShell::SetDocCurrentStateObj ] (null pointer dereference)
(Reporter)

Updated

6 years ago
Duplicate of this bug: 656390

Comment 8

6 years ago
As a note, this has been the #1 crash on trunk for multiple days in a row now.
(Assignee)

Comment 9

6 years ago
Jonas, review ping.
Attachment #531673 - Flags: review?(jonas) → review+
(Assignee)

Comment 10

6 years ago
http://hg.mozilla.org/mozilla-central/rev/d124391343a0
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Reporter)

Comment 11

6 years ago
Checking crash stats, this looks good for Windows and Mac signatures as they seem to have fallen off since the 17th. There are a few Linux reports such as https://crash-stats.mozilla.com/report/index/b75ff76b-8c8f-45a8-b96d-e61e22110522 which have a build ID=20110520033417. That person is running with a number of extensions.
(Assignee)

Comment 12

6 years ago
Not totally sure how to read the crashstats page, but that person appears to be running a TM nightly, and the link in the backtrace [1] doesn't have the fix.

[1] https://crash-stats.mozilla.com/report/index/b75ff76b-8c8f-45a8-b96d-e61e22110522
(Reporter)

Comment 13

6 years ago
Sorry, I missed the nightly-tracemonkey part in the report and was just looking at the Build ID. I think we can verify this fixed based on crash-stats. Thanks for the quick turnaround on the fix.

(In reply to comment #12)
> Not totally sure how to read the crashstats page, but that person appears to
> be running a TM nightly, and the link in the backtrace [1] doesn't have the
> fix.
> 
> [1]
> https://crash-stats.mozilla.com/report/index/b75ff76b-8c8f-45a8-b96d-e61e22110522
Status: RESOLVED → VERIFIED
This is fixed in 6, no need to track it.
tracking-firefox6: ? → -
Crash Signature: [@ nsDocShell::SetDocCurrentStateObj(nsISHEntry*) ] [@ nsDocShell::SetDocCurrentStateObj ]