Firefox Crash @ strlen | AppendASCIItoUTF16(char const*, nsAString_internal&)

RESOLVED FIXED in Firefox 7

Status

Core
DOM
P1
critical
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: marcia, Assigned: bz)

Tracking

({crash, regression})

Trunk
mozilla7
x86
Windows 7
crash, regression
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(firefox7+ fixed)

Details

(Whiteboard: [qa-], crash signature)

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

6 years ago
Seen while looking at trunk crash stats. http://tinyurl.com/3dwbys9. Crashes started showing up on the trunk using the 2011062600 build. There is one lone crash in this stack in 4.0.1.

Possible pushlog regression: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ce10fd5d82c6&tochange=fc7d76664c79

https://crash-stats.mozilla.com/report/index/a13ff338-a910-46c6-9e67-729162110627

Frame 	Module 	Signature 	Source
0 	mozcrt19.dll 	strlen 	strlen.asm:69
1 	xul.dll 	AppendASCIItoUTF16 	xpcom/string/src/nsReadableUtils.cpp:189
2 	xul.dll 	NS_ConvertASCIItoUTF16::NS_ConvertASCIItoUTF16 	obj-firefox/dist/include/nsString.h:121
3 	xul.dll 	nsContentUtils::GetLocalizedString 	content/base/src/nsContentUtils.cpp:2712
4 	xul.dll 	nsContentUtils::ReportToConsole 	content/base/src/nsContentUtils.cpp:2760
5 	xul.dll 	nsContentUtils::ReportToConsole 	content/base/src/nsContentUtils.cpp:2807
6 	xul.dll 	nsIDocument::WarnOnceAbout 	content/base/src/nsDocument.cpp:8180
7 	xul.dll 	nsDOMAttribute::GetTextContent 	content/base/src/nsDOMAttribute.cpp:639
8 	xul.dll 	nsIDOMNode_GetTextContent 	obj-firefox/js/src/xpconnect/src/dom_quickstubs.cpp:7440
9 	mozjs.dll 	js::Shape::get 	js/src/jsscopeinlines.h:284
10 	mozjs.dll 	js_GetPropertyHelper 	js/src/jsobj.cpp:5350
11 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:4066
12 	mozjs.dll 	JSCompartment::wrap 	js/src/jscompartment.cpp:224
13 	mozjs.dll 	js::ExternalExecute 	js/src/jsinterp.cpp:944
14 	mozjs.dll 	EvaluateUCScriptForPrincipalsCommon 	js/src/jsapi.cpp:4984
15 	mozjs.dll 	JS_EvaluateUCScriptForPrincipalsVersion 	js/src/jsapi.cpp:5000
16 	xul.dll 	nsJSContext::EvaluateString 	dom/base/nsJSEnvironment.cpp:1453
17 	xul.dll 	nsScriptLoader::EvaluateScript 	content/base/src/nsScriptLoader.cpp:906
18 	xul.dll 	nsScriptLoader::ProcessRequest 	content/base/src/nsScriptLoader.cpp:799
19 	xul.dll 	nsScriptLoader::ProcessScriptElement 	
20 	xul.dll 	nsScriptElement::MaybeProcessScript 	content/base/src/nsScriptElement.cpp:182
21 	xul.dll 	nsHTMLScriptElement::MaybeProcessScript 	content/html/content/src/nsHTMLScriptElement.cpp:586
22 	xul.dll 	nsHTMLScriptElement::DoneAddingChildren 	content/html/content/src/nsHTMLScriptElement.cpp:513
23 	xul.dll 	nsHtml5TreeOpExecutor::RunScript 	parser/html/nsHtml5TreeOpExecutor.cpp:730
24 	xul.dll 	nsHtml5TreeOpExecutor::RunFlushLoop 	parser/html/nsHtml5TreeOpExecutor.cpp:525
25 	xul.dll 	nsHtml5ExecutorFlusher::Run 	parser/html/nsHtml5StreamParser.cpp:156
26 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:617
27 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
28 	xul.dll 	xul.dll@0xb76f87 	
29 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:202
30 	xul.dll 	xul.dll@0x3726cf 	
31 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:176
32 	xul.dll 	mozilla::storage::AsyncExecuteStatements::AsyncExecuteStatements 	storage/src/mozStorageAsyncStatementExecution.cpp:242
33 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:189
34 		@0x761bffff 	
35 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:222
36 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3573
37 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:107
38 	firefox.exe 	firefox.exe@0x4043 	
39 	firefox.exe 	_RTC_Initialize 	
40 	mozcrt19.dll 	_initterm 	obj-firefox/memory/jemalloc/crtsrc/crt0dat.c:852
41 	firefox.exe 	firefox.exe@0x2087 	
42 	ntdll.dll 	WinSqmSetIfMaxDWORD 	
43 	ntdll.dll 	_RtlUserThreadStart 	
44 	firefox.exe 	firefox.exe@0x1cef 	
45 	firefox.exe 	firefox.exe@0x1cef
(Reporter)

Updated

6 years ago
Summary: Firefox Crash@ strlen | AppendASCIItoUTF16(char const*, nsAString_internal&) → Firefox Crash @ strlen | AppendASCIItoUTF16(char const*, nsAString_internal&)
http://mxr.mozilla.org/mozilla-central/source/content/base/public/nsIDocument.h#1529 has 31 entries

http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsDocument.cpp#8133 has 30 entries. This is a serious looking regression that should block
tracking-firefox7: --- → +
Component: XPCOM → DOM
QA Contact: xpcom → general
This was caused by bug 661327, and specifically eNormalize is in one array but not the other. We should be able to statically assert the correct length by adding an eLastDeprecatedWarning value, and then PR_STATIC_ASSERT(NS_ARRAY_LENGTH(kWarnings) == eLastDeprecatedWarning - 1).
Assignee: nobody → Ms2ger
Blocks: 661327
Keywords: regression
(Assignee)

Comment 3

6 years ago
Or just generate both arrays from a single header included in two ways.  That would have the fringe benefit of ensuring not only matching length but matching order.
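
The two suggestions above (a static length assertion, and generating the enum and the string array from one list) combined in a small C++ sketch. This is an added example, not the patch attached to this bug: `eNormalize` and `kWarnings` come from the comments, while the macro names, the placeholder entries, `eDeprecatedOperationCount` and the helper functions are assumptions.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>

// Single source of truth. Only Normalize is named on the page (eNormalize);
// ExampleAlpha and ExampleBeta are constructed placeholders.
#define DEPRECATED_OPERATIONS(X) \
  X(ExampleAlpha)                \
  X(ExampleBeta)                 \
  X(Normalize)

// Expansion 1: the enum, closed by a sentinel that counts the entries.
#define AS_ENUM(name) e##name,
enum DeprecatedOperation { DEPRECATED_OPERATIONS(AS_ENUM) eDeprecatedOperationCount };
#undef AS_ENUM

// Expansion 2: the message keys, in the same order by construction.
#define AS_KEY(name) #name "Warning",
static const char* const kWarnings[] = { DEPRECATED_OPERATIONS(AS_KEY) };
#undef AS_KEY

template <typename T, size_t N>
constexpr size_t ArrayLength(T (&)[N]) { return N; }

// Fails the build if either side is ever edited by hand again.
static_assert(ArrayLength(kWarnings) == eDeprecatedOperationCount,
              "one warning key per DeprecatedOperation");

// The pre-fix shape: a separately maintained table that forgot Normalize.
// Indexing it with eNormalize would read one pointer past the end, which is
// consistent with the strlen() crash at the top of the reported stack.
static const char* const kHandWritten[] = { "ExampleAlphaWarning", "ExampleBetaWarning" };

bool HandWrittenTableIsComplete() {
  return ArrayLength(kHandWritten) == eDeprecatedOperationCount;
}

// Bounds-checked lookup over the generated table; nullptr for a bad index.
const char* WarningKeyFor(int op) {
  if (op < 0 || op >= eDeprecatedOperationCount) return nullptr;
  return kWarnings[op];
}

int main() {
  std::printf("eNormalize -> %s\n", WarningKeyFor(eNormalize));
  std::printf("hand-written table complete: %s\n",
              HandWrittenTableIsComplete() ? "yes" : "no");
  return 0;
}
```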
(Assignee)

Comment 4

6 years ago
Stealing, since this is blocking some of my work.
Assignee: Ms2ger → bzbarsky
Priority: -- → P1
Created attachment 542590
WIP
(Assignee)

Comment 6

6 years ago
Created attachment 542594
Prevent mismatches between our enum and our strings.
Attachment #542594 - Flags: review?(jonas)
(Assignee)

Updated

6 years ago
Whiteboard: [need review]
(Assignee)

Comment 7

6 years ago
Created attachment 542602
Prevent mismatches between our enum and our strings.
Attachment #542602 - Flags: review?(jonas)
(Assignee)

Updated

6 years ago
Attachment #542594 - Attachment is obsolete: true
Attachment #542594 - Flags: review?(jonas)
Attachment #542602 - Flags: review?(jonas) → review+
(Assignee)

Comment 8

6 years ago
http://hg.mozilla.org/integration/mozilla-inbound/rev/59a6f5524476
Flags: in-testsuite-
Whiteboard: [need review]
Target Milestone: --- → mozilla7
(Assignee)

Comment 9

6 years ago
And http://hg.mozilla.org/integration/mozilla-inbound/rev/072083211e32 to fix build bustage on maemo.
http://hg.mozilla.org/mozilla-central/rev/59a6f5524476
http://hg.mozilla.org/mozilla-central/rev/072083211e32
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED

Comment 11

6 years ago
No crashes on builds later than the 29th so far (people kept crashing yesterday with builds from previous days, though).

Comment 12

6 years ago
Kairo, how's this look on Aurora [7]?
(Reporter)

Comment 13

6 years ago
Crash stats look good on Aurora - last crash was with 20110629030813.

(In reply to comment #12)
> Kairo, how's this look on Aurora [7]?
status-firefox7: --- → fixed
Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101 Firefox/7.0

Could you provide some testcases on how I can test if the issue was fixed?
Thanks.
qa- as no QA verification needed (check crashstats if you want to mark VERIFIED)
Whiteboard: [qa-]