Closed Bug 820067 Opened 12 years ago Closed 12 years ago

crash in nsDocShell::InternalLoad

Categories: Core :: DOM: Navigation, defect
Version: 20 Branch
Platform: All
OS: Windows 7
Type: defect
Priority: Not set
Severity: critical

Tracking: VERIFIED FIXED, target milestone mozilla20
Tracking Status: firefox19 --- unaffected; firefox20 --- verified

People: Reporter: scoobidiver, Assigned: Benjamin

Keywords: crash, regression, topcrash

Attachments: 1 file

It first showed up in 20.0a1/20121210 and is currently #3 top crasher in this build. The regression range is http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=4e83d0987a31&tochange=725eb8792d27
It might be a regression from bug 787134.

Signature: nsDocShell::InternalLoad(nsIURI*, nsIURI*, nsISupports*, unsigned int, wchar_t const*, char const*, nsAString_internal const&, nsIInputStream*, nsIInputStream*, unsigned int, nsISHEntry*, bool, nsIDocShell**, nsIRequest**)
UUID: 97a55bed-822c-4692-91e7-3fd9a2121210
Date Processed: 2012-12-10 18:31:44
Uptime: 823
Last Crash: 9.1 weeks before submission
Install Age: 2.3 hours since version was first installed.
Install Time: 2012-12-10 16:16:34
Product: Firefox
Version: 20.0a1
Build ID: 20121210030747
Release Channel: nightly
OS: Windows NT
OS Version: 6.1.7601 Service Pack 1
Build Architecture: x86
Build Architecture Info: AuthenticAMD family 16 model 4 stepping 2
Crash Reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash Address: 0x40
App Notes: AdapterVendorID: 0x1002, AdapterDeviceID: 0x9460, AdapterSubsysID: 22811787, AdapterDriverVersion: 8.961.0.0 D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ WebGL? EGL? EGL+ GL Context? GL Context+ WebGL+
EMCheckCompatibility: True
Adapter Vendor ID: 0x1002
Adapter Device ID: 0x9460
Total Virtual Memory: 4294836224
Available Virtual Memory: 3486474240
System Memory Use Percentage: 41
Available Page File: 6122147840
Available Physical Memory: 2529824768

Frame Module Signature Source
0 xul.dll nsDocShell::InternalLoad docshell/base/nsDocShell.cpp:9003
1 xul.dll nsDocShell::LoadHistoryEntry docshell/base/nsDocShell.cpp:10609
2 xul.dll nsDocShell::LoadURI docshell/base/nsDocShell.cpp:1398
3 xul.dll nsSHistory::InitiateLoad docshell/shistory/src/nsSHistory.cpp:1751
4 xul.dll nsSHistory::LoadEntry docshell/shistory/src/nsSHistory.cpp:1618
5 xul.dll nsSHistory::GoBack docshell/shistory/src/nsSHistory.cpp:839
6 xul.dll nsDocShell::GoBack docshell/base/nsDocShell.cpp:3942
7 xul.dll NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:70
8 xul.dll XPC_WN_CallMethod js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1488
9 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:389
10 mozjs.dll js::Interpret js/src/jsinterp.cpp:2341
11 mozjs.dll js::RunScript js/src/jsinterp.cpp:338
12 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:404
13 mozjs.dll js::Invoke js/src/jsinterp.cpp:437
14 mozjs.dll JS_CallFunctionValue js/src/jsapi.cpp:5786
15 xul.dll mozilla::dom::EventHandlerNonNull::Call obj-firefox/dom/bindings/EventHandlerBinding.cpp:46
...

More reports at: https://crash-stats.mozilla.com/report/list?signature=nsDocShell%3A%3AInternalLoad%28nsIURI*%2C+nsIURI*%2C+nsISupports*%2C+unsigned+int%2C+wchar_t+const*%2C+char+const*%2C+nsAString_internal+const%26%2C+nsIInputStream*%2C+nsIInputStream*%2C+unsigned+int%2C+nsISHEntry*%2C+bool%2C+nsIDocShell**%2C+nsIRequest**%29
Looks like a null-deref on this line:

9003 mTiming->NotifyUnloadAccepted(mCurrentURI);

The actual code is:

9002 if (timeBeforeUnload) {
9003 mTiming->NotifyUnloadAccepted(mCurrentURI);
9004 }

and the if condition just got changed in bug 818559. It used to null-check mTiming. I believe the new code is wrong: there's a call into arbitrary script between when timeBeforeUnload is set and when it's checked there, so mTiming can well be null at this point...

Scoobidiver, thank you for filing these crash regressions!
Assignee: nobody → benjamin
Blocks: 818559
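An added illustration (not Mozilla's code) of the pattern described in the comment above: a flag derived from mTiming is cached, arbitrary beforeunload script runs and can tear the timing object down, and the pre-fix code then dereferences mTiming without re-checking it. DocShell, Timing, HostileHandler and the sample URI are simplified stand-ins assumed for the example.

```cpp
// Added illustration, not Mozilla code: models the pattern behind this crash.
// A flag derived from mTiming is cached, arbitrary page script (beforeunload)
// runs, and the pre-fix code dereferences mTiming without re-checking it.
#include <functional>
#include <memory>
#include <string>

struct Timing {
    std::string lastUnloadUri;
    void NotifyUnloadAccepted(const std::string& uri) { lastUnloadUri = uri; }
};

struct DocShell {
    std::unique_ptr<Timing> mTiming = std::make_unique<Timing>();
    std::string mCurrentURI = "http://example.test/";   // constructed sample value
    std::function<void(DocShell&)> onBeforeUnload;       // stands in for page script

    void FireBeforeUnload() { if (onBeforeUnload) onBeforeUnload(*this); }

    // Pre-fix logic (bug 818559): reports whether the stale cached flag would
    // lead to dereferencing a null mTiming, instead of actually crashing.
    bool UnsafeWouldNullDeref() {
        bool timeBeforeUnload = mTiming != nullptr;      // cached before script runs
        FireBeforeUnload();                              // script may drop mTiming
        return timeBeforeUnload && mTiming == nullptr;   // what line 9003 would hit
    }

    // Fixed logic: re-check the pointer at the point of use.
    bool InternalLoadSafe() {
        bool timeBeforeUnload = mTiming != nullptr;
        FireBeforeUnload();
        if (timeBeforeUnload && mTiming) {
            mTiming->NotifyUnloadAccepted(mCurrentURI);
            return true;                                 // notification delivered
        }
        return false;                                    // skipped, no crash
    }
};

// Hostile handler: simulates script that starts a navigation tearing down timing.
static void HostileHandler(DocShell& d) { d.mTiming.reset(); }

bool DemoUnsafe() { DocShell ds; ds.onBeforeUnload = HostileHandler; return ds.UnsafeWouldNullDeref(); }
bool DemoSafe()   { DocShell ds; ds.onBeforeUnload = HostileHandler; return ds.InternalLoadSafe(); }
bool DemoBenign() {
    DocShell ds;                                         // no script interference
    return ds.InternalLoadSafe() && ds.mTiming->lastUnloadUri == ds.mCurrentURI;
}
```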
Grr. Why did I miss that?
Attached patch: null-check again
I didn't realize scripts could be so evil.
Attachment #690494 - Flags: review?(bugs)
Attachment #690494 - Flags: feedback?(bzbarsky)
Sorry, I backed out Bug 818559 already.
Comment on attachment 690494 (null-check again): Scripts can be arbitrarily evil. ;) r=me
Attachment #690494 - Flags: review?(bugs)
Attachment #690494 - Flags: review+
Attachment #690494 - Flags: feedback?(bzbarsky)
Attachment #690494 - Flags: feedback+
r+ from me too :)
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Checking the crashstats, I see 8 crashes on FF 21 and 5 on FF 20. Any thoughts?
Paul, are the crashes happening at the same place as the one this bug is about? Could you provide links to the crash-stats you're looking at?
Those all look like different bugs than this.
Blocks: 854864
No longer blocks: 854864
Verified fixed based on comment 11. Continue tracking this signature in bug 854864.
Status: RESOLVED → VERIFIED