crash in nsHtml5Tokenizer::stateLoop due to null backing array in strBuf (longStrBuf null also)

RESOLVED DUPLICATE of bug 696651

Status

Core
HTML: Parser
critical
6 years ago
6 years ago

People

(Reporter: Robert Kaiser, Assigned: hsivonen)

Tracking

(Blocks: 1 bug, {crash, regression})

Trunk
crash, regression

Firefox Tracking Flags

(Not tracked)

(Reporter)

Description

6 years ago
This bug was filed from the Socorro interface and is report bp-29d65527-27f5-4d73-9f78-420882111017.
=============================================================

Top frames:

0 	xul.dll 	nsHtml5Tokenizer::stateLoop 	parser/html/nsHtml5Tokenizer.cpp:1772
1 	xul.dll 	nsHtml5Tokenizer::tokenizeBuffer 	parser/html/nsHtml5Tokenizer.cpp:391
2 	xul.dll 	nsHtml5Parser::Parse 	parser/html/nsHtml5Parser.cpp:322
3 	xul.dll 	nsHTMLDocument::WriteCommon 	content/html/document/src/nsHTMLDocument.cpp:1954
4 	xul.dll 	nsHTMLDocument::Write 	content/html/document/src/nsHTMLDocument.cpp:1967
5 	xul.dll 	nsIDOMHTMLDocument_Write 	obj-firefox/js/xpconnect/src/dom_quickstubs.cpp:18041
6 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:629
7 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:3997
8 	mozjs.dll 	js::types::TypeScript::SetThis 	js/src/jsinferinlines.h:624
9 	mozjs.dll 	js::ExecuteKernel 	js/src/jsinterp.cpp:783
10 	mozjs.dll 	js::Execute 	js/src/jsinterp.cpp:822
11 	mozjs.dll 	EvaluateUCScriptForPrincipalsCommon 	js/src/jsapi.cpp:5028
12 	mozjs.dll 	JS_EvaluateUCScriptForPrincipalsVersion 	js/src/jsapi.cpp:5040
13 	xul.dll 	nsJSContext::EvaluateString 	dom/base/nsJSEnvironment.cpp:1495
14 	xul.dll 	nsGlobalWindow::RunTimeout 	dom/base/nsGlobalWindow.cpp:9264
15 	xul.dll 	nsGlobalWindow::TimerCallback 	dom/base/nsGlobalWindow.cpp:9717
16 	xul.dll 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:424
17 	xul.dll 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:520
18 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:631
19 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
20 	xul.dll 	xul.dll@0xbca617 	
21 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:201
22 	xul.dll 	_SEH_epilog4 	
23 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:175
24 	xul.dll 	nsThreadManager::GetCurrentThread 	xpcom/threads/nsThreadManager.cpp:218
25 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:189
26 	xul.dll 	nsAppShell::Run 	widget/src/windows/nsAppShell.cpp:261
27 	GROOVEEX.DLL 	GROOVEEX.DLL@0x28746d 	
28 	GROOVEEX.DLL 	GROOVEEX.DLL@0x282e6b 	
29 	GROOVEEX.DLL 	GROOVEEX.DLL@0x30642d 	
30 	GROOVEEX.DLL 	GROOVEEX.DLL@0x282e31 	
31 	GROOVEEX.DLL 	GROOVEEX.DLL@0x282e2f 	
32 	GROOVEEX.DLL 	GROOVEEX.DLL@0x30642d 	
33 	xul.dll 	nsCMSMessage::GetEncryptionCert 	security/manager/ssl/src/nsCMS.cpp:228
34 	GROOVEEX.DLL 	GROOVEEX.DLL@0x282e44 	
35 	GROOVEEX.DLL 	GROOVEEX.DLL@0x282e45 	
36 	GROOVEEX.DLL 	GROOVEEX.DLL@0x282e33


This first appeared on 2011-10-15 and exploded yesterday. Is this grooveex.dll or us being at fault?

Comment 1

6 years ago
I see related crashes from http://douban.fm/rotate_ad?cid=0 and a variety of other URLs from douban. This is not related to grooveex.dll as far as I know. Seen on Linux, Windows and Mac.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x05db5a57 in nsHtml5Tokenizer::clearStrBufAndAppend (this=0x1fc19bc0, c=98) at nsHtml5Tokenizer.h:162
162	      strBuf[0] = c;
(gdb) p strBuf
$1 = {
  arr = 0x0, 
  length = 0
}
(gdb) bt
#0  0x05db5a57 in nsHtml5Tokenizer::clearStrBufAndAppend (this=0x1fc19bc0, c=98) at nsHtml5Tokenizer.h:162
#1  0x05db24f0 in nsHtml5Tokenizer::stateLoop (this=0x1fc19bc0, state=10, c=98, pos=1551, buf=0xe12e08, reconsume=false, returnState=2, endPos=1556) at /work/mozilla/builds/nightly/mozilla/parser/html/nsHtml5Tokenizer.cpp:1772
#2  0x05db5593 in nsHtml5Tokenizer::tokenizeBuffer (this=0x1fc19bc0, buffer=0xbfffbaa4) at /work/mozilla/builds/nightly/mozilla/parser/html/nsHtml5Tokenizer.cpp:391
#3  0x05d72c56 in nsHtml5Parser::Parse (this=0x1fc19960, aSourceBuffer=@0xbfffbc44, aKey=0x0, aContentType=@0xbfffbbb0, aLastCall=false, aMode=eDTDMode_autodetect) at /work/mozilla/builds/nightly/mozilla/parser/html/nsHtml5Parser.cpp:322
#4  0x05a90b6b in nsHTMLDocument::WriteCommon (this=0x230d4a00, cx=0x22fa8280, aText=@0xbfffbc44, aNewlineTerminate=false) at /work/mozilla/builds/nightly/mozilla/content/html/document/src/nsHTMLDocument.cpp:1954
#5  0x05a90c47 in nsHTMLDocument::Write (this=0x230d4a00, aText=@0xbfffbc44, cx=0x22fa8280) at /work/mozilla/builds/nightly/mozilla/content/html/document/src/nsHTMLDocument.cpp:1967
Blocks: 532972
Keywords: regression
OS: Windows 7 → All
(Assignee)

Comment 2

6 years ago
I can reproduce the crash on 64-bit Linux. This sure looks weird, but whatever grooveex.dll is, it's not to blame here.
Summary: crash in nsHtml5Tokenizer::stateLoop coming from grooveex.dll → crash in nsHtml5Tokenizer::stateLoop due to null backing array in strBuf (longStrBuf null also)
Comment 3

Adding the Mac signature. One comment says "douban.com, when trying to enter groups or other services... it always happens."
Crash Signature: [@ nsHtml5Tokenizer::stateLoop(int, wchar_t, int, wchar_t*, bool, int, int)] → [@ nsHtml5Tokenizer::stateLoop(int, wchar_t, int, wchar_t*, bool, int, int)] [@ nsHtml5Tokenizer::stateLoop ]
(Assignee)

Comment 4

6 years ago
This is a manifestation of the same problem as bug 696651 which has a patch.
Assignee: nobody → hsivonen
Status: NEW → RESOLVED
Crash Signature: [@ nsHtml5Tokenizer::stateLoop(int, wchar_t, int, wchar_t*, bool, int, int)] [@ nsHtml5Tokenizer::stateLoop ]
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 696651