Bug 820373 (Closed)
Opened 10 years ago
Closed 10 years ago
crash in mozilla::dom::TextEncoderBinding::encode @ mozilla::dom::MaybeWrapValue
Categories: (Core :: DOM: Core & HTML, defect)
Tracking: RESOLVED FIXED, mozilla20
People: (Reporter: scoobidiver, Assigned: emk)
Details: (Keywords: crash, regression)
Attachments: (1 file) 770 bytes, patch
bzbarsky: review+
akeybl: approval-mozilla-aurora+
akeybl: approval-mozilla-beta+
It's #52 top browser crasher in 19.0a2. It first showed up in 19.0a1/20121115 and it's discontinuous across builds.

Signature: mozilla::dom::MaybeWrapValue(JSContext*, JSObject*, JS::Value*)
UUID: 633c0cb5-daac-4121-9573-8e2002121211
Date Processed: 2012-12-11 10:52:58
Uptime: 27737
Last Crash: 7.7 hours before submission
Install Age: 8.9 hours since version was first installed.
Install Time: 2012-12-11 01:57:02
Product: Firefox
Version: 20.0a1
Build ID: 20121210030747
Release Channel: nightly
OS: Windows NT
OS Version: 6.1.7601 Service Pack 1
Build Architecture: x86
Build Architecture Info: GenuineIntel family 6 model 42 stepping 7
Crash Reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash Address: 0x0
App Notes: AdapterVendorID: 0x1002, AdapterDeviceID: 0x9460, AdapterSubsysID: 05021002, AdapterDriverVersion: 8.961.0.0 Has dual GPUs. GPU #2: AdapterVendorID2: 0x8086, AdapterDeviceID2: 0x0122, AdapterSubsysID2: 0000000c, AdapterDriverVersion2: 9.17.10.2867 D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ WebGL? EGL? EGL+ GL Context? GL Context+ WebGL+
EMCheckCompatibility: True
Adapter Vendor ID: 0x1002
Adapter Device ID: 0x9460
Total Virtual Memory: 4294836224
Available Virtual Memory: 530448384
System Memory Use Percentage: 75
Available Page File: 19421843456
Available Physical Memory: 4215230464

Frame Module Signature Source
0 xul.dll mozilla::dom::MaybeWrapValue obj-firefox/dist/include/mozilla/dom/BindingUtils.h:379
1 xul.dll mozilla::dom::TextEncoderBinding::encode obj-firefox/dom/bindings/TextEncoderBinding.cpp:201
2 xul.dll mozilla::dom::TextEncoderBinding::genericMethod obj-firefox/dom/bindings/TextEncoderBinding.cpp:233
3 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:389
4 mozjs.dll js::Interpret js/src/jsinterp.cpp:2341
5 mozjs.dll js::RunScript js/src/jsinterp.cpp:338
6 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:404
7 mozjs.dll js::Invoke js/src/jsinterp.cpp:437
8 mozjs.dll JS_CallFunctionValue js/src/jsapi.cpp:5786
9 xul.dll nsXPCWrappedJSClass::CallMethod js/xpconnect/src/XPCWrappedJSClass.cpp:1432
10 xul.dll nsXPCWrappedJS::CallMethod js/xpconnect/src/XPCWrappedJS.cpp:580
11 xul.dll PrepareAndDispatch xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:85
12 xul.dll SharedStub xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:112
13 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:490
14 winmm.dll timeGetTime
15 xul.dll nsTimerEvent::Run xpcom/threads/nsTimerImpl.cpp:565
16 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:627
17 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:82
18 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:208
19 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:182
20 xul.dll nsBaseAppShell::Run widget/xpwidgets/nsBaseAppShell.cpp:163
21 xul.dll nsAppShell::Run widget/windows/nsAppShell.cpp:232
22 xul.dll nsAppStartup::Run toolkit/components/startup/nsAppStartup.cpp:291
23 xul.dll XREMain::XRE_mainRun toolkit/xre/nsAppRunner.cpp:3824
24 xul.dll XREMain::XRE_main toolkit/xre/nsAppRunner.cpp:3891
25 xul.dll XRE_main toolkit/xre/nsAppRunner.cpp:4089

More reports at: https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Adom%3A%3AMaybeWrapValue%28JSContext*%2C+JSObject*%2C+JS%3A%3AValue*%29
Comment 1•10 years ago
This is a bug in the patch for bug 764234, as far as I can tell. Specifically, the IDL for TextEncoder.encode says it never returns null. But the implementation will return null without throwing if Uint8Array::Create fails. Which is bad for several reasons... At least that's my best guess for what's going on there.
Blocks: 764234
status-firefox18: --- → affected
Comment 2•10 years ago (Assignee)
Hm, our only non-test usage is sessionStore (bug 794091) and it landed on 2012-11-14.
Comment 3•10 years ago (Assignee)
Comment 4•10 years ago (Assignee)
https://tbpl.mozilla.org/?tree=Try&rev=d5a097acb6ff
Comment 5•10 years ago
Comment on attachment 691269: Add a null check to TextEncoder.encode()
r=me
Attachment #691269 - Flags: review?(bzbarsky) → review+
Updated•10 years ago (Assignee)
Keywords: checkin-needed
Comment 6•10 years ago (Assignee)
Comment on attachment 691269: Add a null check to TextEncoder.encode()
[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 764234
User impact if declined: Crash
Testing completed (on m-c, etc.): Not yet
Risk to taking this patch (and alternatives if risky): Very low
String or UUID changes made by this patch: None
Attachment #691269 - Flags: approval-mozilla-beta?
Attachment #691269 - Flags: approval-mozilla-aurora?
Comment 7•10 years ago
Comment on attachment 691269: Add a null check to TextEncoder.encode()
FF18 crash regression fix with a null check. Approving for branches.
Attachment #691269 - Flags: approval-mozilla-beta?
Attachment #691269 - Flags: approval-mozilla-beta+
Attachment #691269 - Flags: approval-mozilla-aurora?
Attachment #691269 - Flags: approval-mozilla-aurora+
Comment 8•10 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/22f0a7ee5348
Should this have a test?
Flags: in-testsuite?
Keywords: checkin-needed
Comment 9•10 years ago (Assignee)
I have no idea how to write a test blowing up Uint8Array::Create. Let's see whether the crashes ceased.
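An added example, not Gecko code and not the patch attached to this bug: a small C++ model of the contract mismatch described in comment 1, with an injectable allocation failure of the kind comment 9 says a test would need. All names (Buffer, CreateBuffer, gFailNextCreate, EncodeUnchecked, EncodeChecked, BindingWouldDerefNull) are hypothetical, and reporting out-of-memory is an assumed shape for the null check.

```cpp
#include <cstdio>
#include <cstring>
#include <new>
#include <string>

// Hypothetical model, not Gecko code. CreateBuffer stands in for a fallible
// factory such as Uint8Array::Create; gFailNextCreate injects one failure.
struct Buffer { unsigned char* data; size_t len; };
bool gFailNextCreate = false;
Buffer* CreateBuffer(const std::string& bytes) {
  if (gFailNextCreate) { gFailNextCreate = false; return nullptr; }
  unsigned char* data = new (std::nothrow) unsigned char[bytes.size() + 1];
  Buffer* b = data ? new (std::nothrow) Buffer{data, bytes.size()} : nullptr;
  if (!b) { delete[] data; return nullptr; }
  std::memcpy(b->data, bytes.data(), bytes.size());
  return b;
}
void FreeBuffer(Buffer* b) { if (b) { delete[] b->data; delete b; } }
enum Status { STATUS_OK, STATUS_OUT_OF_MEMORY };

// Before: a factory failure comes back as null with a success status, even
// though the interface promises a non-null return value.
Buffer* EncodeUnchecked(const std::string& s, Status* rv) {
  *rv = STATUS_OK;
  return CreateBuffer(s);
}

// After (assumed shape of a null check): failure becomes a reported error.
Buffer* EncodeChecked(const std::string& s, Status* rv) {
  Buffer* b = CreateBuffer(s);
  *rv = b ? STATUS_OK : STATUS_OUT_OF_MEMORY;
  return b;
}

// Binding model: on STATUS_OK it trusts the non-null contract and would read
// through the result. Returns true when that read would hit address 0x0.
using Encoder = Buffer* (*)(const std::string&, Status*);
bool BindingWouldDerefNull(Encoder encode, bool failAlloc) {
  gFailNextCreate = failAlloc;
  Status rv;
  Buffer* result = encode("session data", &rv);
  bool derefNull = (rv == STATUS_OK && result == nullptr);
  FreeBuffer(result);
  return derefNull;
}

int main() {
  std::printf("unchecked=%d checked=%d\n", BindingWouldDerefNull(EncodeUnchecked, true),
              BindingWouldDerefNull(EncodeChecked, true));
}
```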
Comment 10•10 years ago (Assignee)
Shouldn't close until we confirm this patch actually stops the crash.
Whiteboard: [leave open]
Comment 12•10 years ago (Assignee)
No more new crashes on m-c. Landed on branches.
https://hg.mozilla.org/releases/mozilla-aurora/rev/28932b500692
https://hg.mozilla.org/releases/mozilla-beta/rev/b02a32dfc7a7
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Flags: in-testsuite? → in-testsuite-
Resolution: --- → FIXED
Whiteboard: [leave open]
Comment 13•10 years ago
https://hg.mozilla.org/releases/mozilla-b2g18/rev/b02a32dfc7a7
status-b2g18: --- → fixed
Target Milestone: --- → mozilla20
Comment 14•10 years ago
Marking FF 18 and 19 as verified based on the fact that there are no post-fix crashes in Socorro: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=mozilla%3A%3Adom%3A%3AMaybeWrapValue%28JSContext%2A%2C%20JSObject%2A%2C%20JS%3A%3AValue%2A%29&reason_type=contains&date=01%2F06%2F2013%2014%3A13%3A51&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=mozilla%3A%3Adom%3A%3AMaybeWrapValue%28JSContext%2A%2C%20JSObject%2A%2C%20JS%3A%3AValue%2A%29#reports
Comment 15•10 years ago
There are no new crashes in Socorro with [@ mozilla::dom::MaybeWrapValue(JSContext*, JSObject*, JS::Value*)] signature. Marking FF 20 as verified.
Updated•4 years ago
Component: DOM → DOM: Core & HTML