crash in nsDocShell::InternalLoad

VERIFIED FIXED in Firefox 20

Status


defect
--
critical
VERIFIED FIXED
7 years ago
6 years ago

People

(Reporter: scoobidiver, Assigned: Benjamin)

Tracking

({crash, regression, topcrash})

20 Branch
mozilla20
All
Windows 7
Points:
---

Firefox Tracking Flags

(firefox19 unaffected, firefox20 verified)

Details

(crash signature)

Attachments

(1 attachment)

Reporter

Description

7 years ago
It first showed up in 20.0a1/20121210 and is currently #3 top crasher in this build. The regression range is
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=4e83d0987a31&tochange=725eb8792d27
It might be a regression from bug 787134.

Signature 	nsDocShell::InternalLoad(nsIURI*, nsIURI*, nsISupports*, unsigned int, wchar_t const*, char const*, nsAString_internal const&, nsIInputStream*, nsIInputStream*, unsigned int, nsISHEntry*, bool, nsIDocShell**, nsIRequest**)
UUID	97a55bed-822c-4692-91e7-3fd9a2121210
Date Processed	2012-12-10 18:31:44
Uptime	823
Last Crash	9.1 weeks before submission
Install Age	2.3 hours since version was first installed.
Install Time	2012-12-10 16:16:34
Product	Firefox
Version	20.0a1
Build ID	20121210030747
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	AuthenticAMD family 16 model 4 stepping 2
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x40
App Notes 	
AdapterVendorID: 0x1002, AdapterDeviceID: 0x9460, AdapterSubsysID: 22811787, AdapterDriverVersion: 8.961.0.0
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ WebGL? EGL? EGL+ GL Context? GL Context+ WebGL+ 
EMCheckCompatibility	True
Adapter Vendor ID	0x1002
Adapter Device ID	0x9460
Total Virtual Memory	4294836224
Available Virtual Memory	3486474240
System Memory Use Percentage	41
Available Page File	6122147840
Available Physical Memory	2529824768

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsDocShell::InternalLoad 	docshell/base/nsDocShell.cpp:9003
1 	xul.dll 	nsDocShell::LoadHistoryEntry 	docshell/base/nsDocShell.cpp:10609
2 	xul.dll 	nsDocShell::LoadURI 	docshell/base/nsDocShell.cpp:1398
3 	xul.dll 	nsSHistory::InitiateLoad 	docshell/shistory/src/nsSHistory.cpp:1751
4 	xul.dll 	nsSHistory::LoadEntry 	docshell/shistory/src/nsSHistory.cpp:1618
5 	xul.dll 	nsSHistory::GoBack 	docshell/shistory/src/nsSHistory.cpp:839
6 	xul.dll 	nsDocShell::GoBack 	docshell/base/nsDocShell.cpp:3942
7 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:70
8 	xul.dll 	XPC_WN_CallMethod 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1488
9 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:389
10 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2341
11 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:338
12 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:404
13 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:437
14 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5786
15 	xul.dll 	mozilla::dom::EventHandlerNonNull::Call 	obj-firefox/dom/bindings/EventHandlerBinding.cpp:46
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsDocShell%3A%3AInternalLoad%28nsIURI*%2C+nsIURI*%2C+nsISupports*%2C+unsigned+int%2C+wchar_t+const*%2C+char+const*%2C+nsAString_internal+const%26%2C+nsIInputStream*%2C+nsIInputStream*%2C+unsigned+int%2C+nsISHEntry*%2C+bool%2C+nsIDocShell**%2C+nsIRequest**%29
Looks like a null-deref on this line:

  9003      mTiming->NotifyUnloadAccepted(mCurrentURI);

The actual code is:

9002 if (timeBeforeUnload) {
9003   mTiming->NotifyUnloadAccepted(mCurrentURI);
9004 } 

and the if condition just got changed in bug 818559.  It used to null-check mTiming.

I believe the new code is wrong: there's a call into arbitrary script between when timeBeforeUnload is set and when it's checked there, so mTiming can well be null at this point...
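The hazard described above, as an added illustration that is not Mozilla's code: a reduced model of a docshell whose beforeunload callout can drop the timing object between the point where the flag is computed and the point where the pointer is dereferenced. Timing, DocShell, onBeforeUnload and LoadSurvives are hypothetical stand-ins, and the `timeBeforeUnload && mTiming` shape of the fix is an assumption based on the attachment title "null-check again", not the actual patch.

```cpp
#include <functional>
#include <memory>

// Hypothetical stand-in for the object mTiming points at.
struct Timing {
  int unloadAccepted = 0;
  void NotifyUnloadAccepted() { ++unloadAccepted; }
};

// Hypothetical stand-in for nsDocShell. onBeforeUnload models the script
// callout (beforeunload handlers) that runs before mTiming is dereferenced.
struct DocShell {
  std::unique_ptr<Timing> mTiming = std::make_unique<Timing>();
  std::function<void(DocShell&)> onBeforeUnload;

  void FirePageHideAndBeforeUnload() {
    if (onBeforeUnload) onBeforeUnload(*this);
  }

  // Shape after bug 818559: the null check is folded into a flag computed
  // BEFORE the callout, so the flag can be stale when it is finally used.
  // Returns false where the real code would read through a null pointer
  // (the report's crash address 0x40 is consistent with a field read off null).
  bool InternalLoadBuggy() {
    bool timeBeforeUnload = mTiming != nullptr;
    FirePageHideAndBeforeUnload();
    if (timeBeforeUnload) {
      if (!mTiming) return false;  // guard only so the example runs safely
      mTiming->NotifyUnloadAccepted();
    }
    return true;
  }

  // Assumed shape of the fix: re-test the pointer itself after the callout
  // instead of trusting the cached flag.
  bool InternalLoadFixed() {
    bool timeBeforeUnload = mTiming != nullptr;
    FirePageHideAndBeforeUnload();
    if (timeBeforeUnload && mTiming) {
      mTiming->NotifyUnloadAccepted();
    }
    return true;
  }
};

// Constructed beforeunload behaviours: one benign, one that tears down timing.
inline void BenignScript(DocShell&) {}
inline void EvilScript(DocShell& ds) { ds.mTiming.reset(); }

// Runs one load and reports whether the dereference point was passed safely.
inline bool LoadSurvives(bool fixed, bool evil) {
  DocShell ds;
  ds.onBeforeUnload = evil ? EvilScript : BenignScript;
  return fixed ? ds.InternalLoadFixed() : ds.InternalLoadBuggy();
}
```

Compile with a C++14 or later compiler; only the buggy path under the evil script reports a failed load, which is the case the shipped build crashed on.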

Scoobidiver, thank you for filing these crash regressions!
Assignee: nobody → benjamin
Blocks: 818559
Grr. Why did I miss that?
Assignee

Comment 3

7 years ago
I didn't realize scripts could be so evil.
Attachment #690494 - Flags: review?(bugs)
Attachment #690494 - Flags: feedback?(bzbarsky)
Sorry, I backed out Bug 818559 already.
Comment on attachment 690494 [details] [diff] [review]
null-check again

Scripts can be arbitrarily evil.  ;)

r=me
Attachment #690494 - Flags: review?(bugs)
Attachment #690494 - Flags: review+
Attachment #690494 - Flags: feedback?(bzbarsky)
Attachment #690494 - Flags: feedback+
r+ from me too :)
Assignee

Comment 7

7 years ago
https://hg.mozilla.org/mozilla-central/rev/ab7c54f6472f
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Reporter

Updated

7 years ago
Target Milestone: --- → mozilla20
Checking the crashstats, I see 8 crashes on FF 21 and 5 on FF 20. Any thoughts?
Paul, are the crashes happening at the same place as what this bug is about?
Could you provide links to the crash-stats you're looking at?
Those all look like different bugs than this.
Blocks: 854864
Assignee

Updated

6 years ago
No longer blocks: 854864
Verified fixed based on comment 11. Continue tracking this signature in bug 854864.
Status: RESOLVED → VERIFIED