Closed Bug 820373 Opened 8 years ago Closed 8 years ago

crash in mozilla::dom::TextEncoderBinding::encode @ mozilla::dom::MaybeWrapValue

Categories

(Core :: DOM: Core & HTML, defect)

19 Branch
x86
Windows 7
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla20
Tracking Status
firefox18 --- verified
firefox19 --- verified
firefox20 --- verified
b2g18 --- fixed

People

(Reporter: scoobidiver, Assigned: emk)

Details

(Keywords: crash, regression)

Attachments

(1 file)

It's the #52 top browser crasher in 19.0a2.
It first showed up in 19.0a1/20121115 and it's discontinuous across builds.

Signature 	mozilla::dom::MaybeWrapValue(JSContext*, JSObject*, JS::Value*)
UUID	633c0cb5-daac-4121-9573-8e2002121211
Date Processed	2012-12-11 10:52:58
Uptime	27737
Last Crash	7.7 hours before submission
Install Age	8.9 hours since version was first installed.
Install Time	2012-12-11 01:57:02
Product	Firefox
Version	20.0a1
Build ID	20121210030747
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 42 stepping 7
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x0
App Notes 	
AdapterVendorID: 0x1002, AdapterDeviceID: 0x9460, AdapterSubsysID: 05021002, AdapterDriverVersion: 8.961.0.0
Has dual GPUs. GPU #2: AdapterVendorID2: 0x8086, AdapterDeviceID2: 0x0122, AdapterSubsysID2: 0000000c, AdapterDriverVersion2: 9.17.10.2867
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ WebGL? EGL? EGL+ GL Context? GL Context+ WebGL+
EMCheckCompatibility	True
Adapter Vendor ID	0x1002
Adapter Device ID	0x9460
Total Virtual Memory	4294836224
Available Virtual Memory	530448384
System Memory Use Percentage	75
Available Page File	19421843456
Available Physical Memory	4215230464

Frame 	Module 	Signature 	Source
0 	xul.dll 	mozilla::dom::MaybeWrapValue 	obj-firefox/dist/include/mozilla/dom/BindingUtils.h:379
1 	xul.dll 	mozilla::dom::TextEncoderBinding::encode 	obj-firefox/dom/bindings/TextEncoderBinding.cpp:201
2 	xul.dll 	mozilla::dom::TextEncoderBinding::genericMethod 	obj-firefox/dom/bindings/TextEncoderBinding.cpp:233
3 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:389
4 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2341
5 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:338
6 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:404
7 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:437
8 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5786
9 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/xpconnect/src/XPCWrappedJSClass.cpp:1432
10 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/xpconnect/src/XPCWrappedJS.cpp:580
11 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:85
12 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:112
13 	xul.dll 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:490
14 	winmm.dll 	timeGetTime 	
15 	xul.dll 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:565
16 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:627
17 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:82
18 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:208
19 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:182
20 	xul.dll 	nsBaseAppShell::Run 	widget/xpwidgets/nsBaseAppShell.cpp:163
21 	xul.dll 	nsAppShell::Run 	widget/windows/nsAppShell.cpp:232
22 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:291
23 	xul.dll 	XREMain::XRE_mainRun 	toolkit/xre/nsAppRunner.cpp:3824
24 	xul.dll 	XREMain::XRE_main 	toolkit/xre/nsAppRunner.cpp:3891
25 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:4089

More reports at:
https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Adom%3A%3AMaybeWrapValue%28JSContext*%2C+JSObject*%2C+JS%3A%3AValue*%29
This is a bug in the patch for bug 764234, as far as I can tell.  Specifically, the IDL for TextEncoder.encode says it never returns null.  But the implementation will return null without throwing if Uint8Array::Create fails.  Which is bad for several reasons...

At least that's my best guess for what's going on there.
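
The failure mode described in the comment above, as an added example that is not the Firefox source or the attached patch: a callee documented as never returning null lets a failed allocation through while still reporting success, and glue code that trusts the contract dereferences the result. Every name here (`create_array`, `encode_before`, `encode_after`, `wrap_length`, `contract_holds`, the `budget` parameter) is a hypothetical stand-in, and reporting the failure as an out-of-memory error is an assumption; the page says only that a null check was added.

```cpp
#include <algorithm>
#include <memory>
#include <string>
#include <vector>

// All names are hypothetical stand-ins, not Mozilla's code.
enum class Result { Ok, OutOfMemory };
struct ByteArray { std::vector<unsigned char> bytes; };
using ArrayPtr = std::unique_ptr<ByteArray>;
using Encoder = ArrayPtr (*)(const std::string&, std::size_t, Result&);

// Fallible allocation: yields null when `len` exceeds the constructed `budget`.
ArrayPtr create_array(std::size_t len, std::size_t budget) {
  if (len > budget) return nullptr;
  return ArrayPtr(new ByteArray{std::vector<unsigned char>(len)});
}

// Before: documented as never null, yet a failed allocation passes through as Ok.
ArrayPtr encode_before(const std::string& s, std::size_t budget, Result& rv) {
  rv = Result::Ok;
  ArrayPtr out = create_array(s.size(), budget);
  if (out) std::copy(s.begin(), s.end(), out->bytes.begin());
  return out;
}

// After: the null check converts the failure into a reported error.
ArrayPtr encode_after(const std::string& s, std::size_t budget, Result& rv) {
  ArrayPtr out = encode_before(s, budget, rv);
  if (!out) rv = Result::OutOfMemory;  // error kind is an assumption
  return out;
}

// Binding glue: on Ok it dereferences unchecked; -1 means a reported error.
long wrap_length(const ArrayPtr& out, Result rv) {
  if (rv != Result::Ok) return -1;
  return static_cast<long>(out->bytes.size());
}

// The invariant the glue relies on: Ok implies a non-null result.
bool contract_holds(Encoder fn, const std::string& s, std::size_t budget) {
  Result rv;
  ArrayPtr out = fn(s, budget, rv);
  return rv != Result::Ok || out != nullptr;
}

int main() {  // constructed case: a budget of 0 makes the allocation fail
  Result rv;
  ArrayPtr out = encode_after("abc", 0, rv);
  return wrap_length(out, rv) == -1 ? 0 : 1;
}
```

`contract_holds` checks the invariant without dereferencing, so it can be run against `encode_before` safely; passing that function's failed result to `wrap_length` would read through a null pointer, which matches the access violation at address 0x0 in the report.
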
Hm, our only non-test usage is sessionStore (bug 794091) and it landed on 2012-11-14.
Assignee: nobody → VYV03354
Status: NEW → ASSIGNED
Attachment #691269 - Flags: review?(bzbarsky)
Comment on attachment 691269 [details] [diff] [review]
Add a null check to TextEncoder.encode()

r=me
Attachment #691269 - Flags: review?(bzbarsky) → review+
Keywords: checkin-needed
Comment on attachment 691269 [details] [diff] [review]
Add a null check to TextEncoder.encode()

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 764234
User impact if declined: Crash
Testing completed (on m-c, etc.): Not yet
Risk to taking this patch (and alternatives if risky): Very low
String or UUID changes made by this patch: None
Attachment #691269 - Flags: approval-mozilla-beta?
Attachment #691269 - Flags: approval-mozilla-aurora?
Comment on attachment 691269 [details] [diff] [review]
Add a null check to TextEncoder.encode()

FF18 crash regression fix with a null check. Approving for branches.
Attachment #691269 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #691269 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
I have no idea how to write a test blowing up Uint8Array::Create. Let's see whether the crashes ceased.
Shouldn't close until we confirm this patch actually stops the crash.
Whiteboard: [leave open]
No more new crashes on m-c. Landed on branches.
https://hg.mozilla.org/releases/mozilla-aurora/rev/28932b500692
https://hg.mozilla.org/releases/mozilla-beta/rev/b02a32dfc7a7
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Flags: in-testsuite? → in-testsuite-
Resolution: --- → FIXED
Whiteboard: [leave open]
There are no new crashes in Socorro with [@ mozilla::dom::MaybeWrapValue(JSContext*, JSObject*, JS::Value*)] signature. Marking FF 20 as verified.
Component: DOM → DOM: Core & HTML