Closed Bug 695041 Opened 14 years ago Closed 14 years ago

crash in nsHtml5Tokenizer::stateLoop due to null backing array in strBuf (longStrBuf null also)

Categories: Core :: DOM: HTML Parser, defect
Type: defect
Priority: Not set
Severity: critical
Tracking: RESOLVED DUPLICATE of bug 696651
People: Reporter: kairo, Assigned: hsivonen
Details: Keywords: crash, regression

This bug was filed from the Socorro interface and is report bp-29d65527-27f5-4d73-9f78-420882111017 .
=============================================================
Top frames:
0 xul.dll nsHtml5Tokenizer::stateLoop parser/html/nsHtml5Tokenizer.cpp:1772
1 xul.dll nsHtml5Tokenizer::tokenizeBuffer parser/html/nsHtml5Tokenizer.cpp:391
2 xul.dll nsHtml5Parser::Parse parser/html/nsHtml5Parser.cpp:322
3 xul.dll nsHTMLDocument::WriteCommon content/html/document/src/nsHTMLDocument.cpp:1954
4 xul.dll nsHTMLDocument::Write content/html/document/src/nsHTMLDocument.cpp:1967
5 xul.dll nsIDOMHTMLDocument_Write obj-firefox/js/xpconnect/src/dom_quickstubs.cpp:18041
6 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:629
7 mozjs.dll js::Interpret js/src/jsinterp.cpp:3997
8 mozjs.dll js::types::TypeScript::SetThis js/src/jsinferinlines.h:624
9 mozjs.dll js::ExecuteKernel js/src/jsinterp.cpp:783
10 mozjs.dll js::Execute js/src/jsinterp.cpp:822
11 mozjs.dll EvaluateUCScriptForPrincipalsCommon js/src/jsapi.cpp:5028
12 mozjs.dll JS_EvaluateUCScriptForPrincipalsVersion js/src/jsapi.cpp:5040
13 xul.dll nsJSContext::EvaluateString dom/base/nsJSEnvironment.cpp:1495
14 xul.dll nsGlobalWindow::RunTimeout dom/base/nsGlobalWindow.cpp:9264
15 xul.dll nsGlobalWindow::TimerCallback dom/base/nsGlobalWindow.cpp:9717
16 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:424
17 xul.dll nsTimerEvent::Run xpcom/threads/nsTimerImpl.cpp:520
18 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:631
19 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:110
20 xul.dll xul.dll@0xbca617
21 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:201
22 xul.dll _SEH_epilog4
23 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:175
24 xul.dll nsThreadManager::GetCurrentThread xpcom/threads/nsThreadManager.cpp:218
25 xul.dll nsBaseAppShell::Run widget/src/xpwidgets/nsBaseAppShell.cpp:189
26 xul.dll nsAppShell::Run widget/src/windows/nsAppShell.cpp:261
27 GROOVEEX.DLL GROOVEEX.DLL@0x28746d
28 GROOVEEX.DLL GROOVEEX.DLL@0x282e6b
29 GROOVEEX.DLL GROOVEEX.DLL@0x30642d
30 GROOVEEX.DLL GROOVEEX.DLL@0x282e31
31 GROOVEEX.DLL GROOVEEX.DLL@0x282e2f
32 GROOVEEX.DLL GROOVEEX.DLL@0x30642d
33 xul.dll nsCMSMessage::GetEncryptionCert security/manager/ssl/src/nsCMS.cpp:228
34 GROOVEEX.DLL GROOVEEX.DLL@0x282e44
35 GROOVEEX.DLL GROOVEEX.DLL@0x282e45
36 GROOVEEX.DLL GROOVEEX.DLL@0x282e33

This first appeared on 2011-10-15 and exploded yesterday. Is this grooveex.dll or us being at fault?
I see related crashes from http://douban.fm/rotate_ad?cid=0 and a variety of other URLs from douban. This is not related to grooveex.dll as far as I know. Seen on Linux, Windows and Mac.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x05db5a57 in nsHtml5Tokenizer::clearStrBufAndAppend (this=0x1fc19bc0, c=98) at nsHtml5Tokenizer.h:162
162       strBuf[0] = c;
(gdb) p strBuf
$1 = {
  arr = 0x0,
  length = 0
}
(gdb) bt
#0  0x05db5a57 in nsHtml5Tokenizer::clearStrBufAndAppend (this=0x1fc19bc0, c=98) at nsHtml5Tokenizer.h:162
#1  0x05db24f0 in nsHtml5Tokenizer::stateLoop (this=0x1fc19bc0, state=10, c=98, pos=1551, buf=0xe12e08, reconsume=false, returnState=2, endPos=1556) at /work/mozilla/builds/nightly/mozilla/parser/html/nsHtml5Tokenizer.cpp:1772
#2  0x05db5593 in nsHtml5Tokenizer::tokenizeBuffer (this=0x1fc19bc0, buffer=0xbfffbaa4) at /work/mozilla/builds/nightly/mozilla/parser/html/nsHtml5Tokenizer.cpp:391
#3  0x05d72c56 in nsHtml5Parser::Parse (this=0x1fc19960, aSourceBuffer=@0xbfffbc44, aKey=0x0, aContentType=@0xbfffbbb0, aLastCall=false, aMode=eDTDMode_autodetect) at /work/mozilla/builds/nightly/mozilla/parser/html/nsHtml5Parser.cpp:322
#4  0x05a90b6b in nsHTMLDocument::WriteCommon (this=0x230d4a00, cx=0x22fa8280, aText=@0xbfffbc44, aNewlineTerminate=false) at /work/mozilla/builds/nightly/mozilla/content/html/document/src/nsHTMLDocument.cpp:1954
#5  0x05a90c47 in nsHTMLDocument::Write (this=0x230d4a00, aText=@0xbfffbc44, cx=0x22fa8280) at /work/mozilla/builds/nightly/mozilla/content/html/document/src/nsHTMLDocument.cpp:1967
Keywords: regression
OS: Windows 7 → All
I can reproduce the crash on 64-bit Linux. This sure looks weird, but whatever grooveex.dll is, it's not to blame here.
Summary: crash in nsHtml5Tokenizer::stateLoop coming from grooveex.dll → crash in nsHtml5Tokenizer::stateLoop due to null backing array in strBuf (longStrBuf null also)
Adding the Mac signature. One comment says "douban.com, when trying to enter groups or other services... it always happens."
Crash Signature: [@ nsHtml5Tokenizer::stateLoop(int, wchar_t, int, wchar_t*, bool, int, int)] → [@ nsHtml5Tokenizer::stateLoop(int, wchar_t, int, wchar_t*, bool, int, int)] [@ nsHtml5Tokenizer::stateLoop ]
This is a manifestation of the same problem as bug 696651 which has a patch.
Assignee: nobody → hsivonen
Status: NEW → RESOLVED
Crash Signature: [@ nsHtml5Tokenizer::stateLoop(int, wchar_t, int, wchar_t*, bool, int, int)] [@ nsHtml5Tokenizer::stateLoop ]
Closed: 14 years ago
Resolution: --- → DUPLICATE