Closed Bug 656354 Opened 9 years ago Closed 9 years ago

Firefox 6.0a1 Crash Report [@ nsDocShell::SetDocCurrentStateObj(nsISHEntry*) ] [@ nsDocShell::SetDocCurrentStateObj ] (null pointer dereference)

Categories: Core :: DOM: Navigation, defect, critical
Platform: x86, Windows 7
Type: defect
Priority: Not set
Severity: critical
Status: VERIFIED FIXED
Tracking Status: firefox6 - ---
People: Reporter: marcia, Assigned: justin.lebar+bug
Keywords: crash, regression
Attachments: 1 file

Seen while reviewing trunk crash stats. Started showing up in Socorro using the 2011051000 build. 100 crashes yesterday.

Possible pushlog regression range: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9e31df64bfd7&tochange=e0f6db50231f

Possibly Bug 551225 made some changes?

https://crash-stats.mozilla.com/report/index/b06f9a35-946e-41a4-a4f1-e26b52110511

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsDocShell::SetDocCurrentStateObj 	docshell/base/nsDocShell.cpp:7750
1 	xul.dll 	nsDocShell::InternalLoad 	
2 	xul.dll 	NS_URIChainHasFlags 	obj-firefox/dist/include/nsNetUtil.h:1559
3 	xul.dll 	LeaveFunction 	js/src/jsparse.cpp:2841
4 	xul.dll 	xul.dll@0x468df 	
5 	xul.dll 	xul.dll@0xc951f 	
6 	xul.dll 	xul.dll@0x3da9df 	
7 	xul.dll 	xul.dll@0xce76f 	
8 	xul.dll 	NS_EscapeURL 	xpcom/io/nsEscape.cpp:476
9 	xul.dll 	xul.dll@0x51a6f 	
10 	mozcrt19.dll 	arena_dalloc_small 	obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4045
11 	xul.dll 	xul.dll@0x203a5f 	
12 	xul.dll 	nsTHashtable<nsBaseHashtableET<nsCStringHashKey,nsFactoryEntry*> >::s_MatchEntry 	obj-firefox/dist/include/nsTHashtable.h:375
13 	xul.dll 	nsComponentManagerImpl::GetServiceByContractID 	xpcom/components/nsComponentManager.cpp:1648
14 	xul.dll 	nsDocShell::QueryInterface 	docshell/base/nsDocShell.cpp:864
15 	xul.dll 	nsCOMPtr_base::assign_from_qi 	obj-firefox/xpcom/build/nsCOMPtr.cpp:98
16 	xul.dll 	nsDocShell::LoadURI 	docshell/base/nsDocShell.cpp:1424
Summary: Firefox 6.0a1 Crash Report [@ nsDocShell::SetDocCurrentStateObj(nsISHEntry*) ] → Firefox 6.0a1 Crash Report [@ nsDocShell::SetDocCurrentStateObj(nsISHEntry*) ] (null pointer dereference)
> Possibly Bug 551225 made some changes?

Ouch.  Yes, I think I messed this up.
Blocks: 551225
Assignee: nobody → justin.lebar+bug
For reference, here's nsDocShell::SetDocCurrentStateObj before the patch in bug 551225.  Note that shEntry may be null!

nsresult
nsDocShell::SetDocCurrentStateObj(nsISHEntry *shEntry)
{
    nsresult rv;

    nsCOMPtr<nsIDocument> document = do_GetInterface(GetAsSupports(this));
    NS_ENSURE_TRUE(document, NS_ERROR_FAILURE);

    nsAutoString stateData;
    if (shEntry) {
        rv = shEntry->GetStateData(stateData);
        NS_ENSURE_SUCCESS(rv, rv);

        // if shEntry is null, we just set the pending state object to the
        // empty string.
    }

    document->SetCurrentStateObject(stateData);
    return NS_OK;
}
Keywords: regression
Attached patch: Patch v1
Attachment #531673 - Flags: review?(jonas)
Not sure how the tracking-firefox6 flag got cleared, but setting it to "?" again.
I hit this often when using F1.
Adding the Mac specific sig so it gets picked up in crash stats - 
[@ nsDocShell::SetDocCurrentStateObj ]
Summary: Firefox 6.0a1 Crash Report [@ nsDocShell::SetDocCurrentStateObj(nsISHEntry*) ] (null pointer dereference) → Firefox 6.0a1 Crash Report [@ nsDocShell::SetDocCurrentStateObj(nsISHEntry*) ] [@ nsDocShell::SetDocCurrentStateObj ] (null pointer dereference)
Duplicate of this bug: 656390
As a note, this has been the #1 crash on trunk for multiple days in a row now.
Jonas, review ping.
http://hg.mozilla.org/mozilla-central/rev/d124391343a0
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Checking crash stats, this looks good for Windows and Mac signatures as they seem to have fallen off since the 17th. There are a few Linux reports such as https://crash-stats.mozilla.com/report/index/b75ff76b-8c8f-45a8-b96d-e61e22110522 which have a build ID=20110520033417. That person is running with a number of extensions.
Not totally sure how to read the crashstats page, but that person appears to be running a TM nightly, and the link in the backtrace [1] doesn't have the fix.

[1] https://crash-stats.mozilla.com/report/index/b75ff76b-8c8f-45a8-b96d-e61e22110522
Sorry, I missed the nightly-tracemonkey part in the report and was just looking at the Build ID. I think we can verify this fixed based on crash-stats. Thanks for the quick turnaround on the fix.

(In reply to comment #12)
> Not totally sure how to read the crashstats page, but that person appears to
> be running a TM nightly, and the link in the backtrace [1] doesn't have the
> fix.
> 
> [1] https://crash-stats.mozilla.com/report/index/b75ff76b-8c8f-45a8-b96d-e61e22110522
Status: RESOLVED → VERIFIED
This is fixed in 6, no need to track it.
Crash Signature: [@ nsDocShell::SetDocCurrentStateObj(nsISHEntry*) ] [@ nsDocShell::SetDocCurrentStateObj ]