crash in nsIContent::IsHTML

VERIFIED FIXED in Firefox 20

Status

()

defect
--
critical
VERIFIED FIXED
7 years ago
5 months ago

People

(Reporter: scoobidiver, Assigned: peterv)

Tracking

({crash, regression})

20 Branch
mozilla21
All
Windows 7
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox20 verified, firefox21 verified)

Details

(crash signature)

Attachments

(1 attachment)

It first showed up in 20.0a1/20130106. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d8ca3e1c469e&tochange=20d1a5916ef6
I suspect bug 824907.

Signature 	nsIContent::IsHTML(nsIAtom*) More Reports Search
UUID	4b217ab7-4816-494e-b648-7580a2130109
Date Processed	2013-01-09 07:08:17
Uptime	142
Last Crash	2.5 minutes before submission
Install Age	5.0 minutes since version was first installed.
Install Time	2013-01-09 07:03:25
Product	Firefox
Version	21.0a1
Build ID	20130108033457
Release Channel	nightly
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
Build Architecture	x86
Build Architecture Info	GenuineIntel family 15 model 4 stepping 1
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0xc
App Notes 	
AdapterVendorID: 0x8086, AdapterDeviceID: 0x2562, AdapterSubsysID: 25628086, AdapterDriverVersion: 6.14.10.4020
D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- 
EMCheckCompatibility	True
Adapter Vendor ID	0x8086
Adapter Device ID	0x2562
Total Virtual Memory	2147352576
Available Virtual Memory	1822892032
System Memory Use Percentage	57
Available Page File	1947811840
Available Physical Memory	452120576

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsIContent::IsHTML 	obj-firefox/dist/include/nsIContent.h:281
1 	xul.dll 	mozilla::dom::HTMLTableElement::SetTHead 	obj-firefox/dist/include/mozilla/dom/HTMLTableElement.h:65
2 	xul.dll 	mozilla::dom::HTMLTableElementBinding::set_tHead 	obj-firefox/dom/bindings/HTMLTableElementBinding.cpp:174
3 	xul.dll 	mozilla::dom::HTMLTableElementBinding::genericSetter 	obj-firefox/dom/bindings/HTMLTableElementBinding.cpp:989
4 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:391
5 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:439
6 	mozjs.dll 	js::Shape::set 	js/src/jsscopeinlines.h:315
7 	mozjs.dll 	js::baseops::SetPropertyHelper 	js/src/jsobj.cpp:3686
8 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2307
9 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:340
10 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:406
11 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:439
12 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5806
13 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/xpconnect/src/XPCWrappedJSClass.cpp:1432
14 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/xpconnect/src/XPCWrappedJS.cpp:580
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsIContent%3A%3AIsHTML%28nsIAtom*%29
Posted patch v1Splinter Review
Bleh.
Assignee: nobody → peterv
Status: NEW → ASSIGNED
Attachment #699639 - Flags: review?(bzbarsky)
Blocks: 824907
Comment on attachment 699639 [details] [diff] [review]
v1

r=me

We need to get this on Aurora too, right?
Attachment #699639 - Flags: review?(bzbarsky) → review+
Comment on attachment 699639 [details] [diff] [review]
v1

https://hg.mozilla.org/integration/mozilla-inbound/rev/68c146972e78

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 824907
User impact if declined: null crash
Testing completed (on m-c, etc.): on inbound, has crashtest
Risk to taking this patch (and alternatives if risky): low-risk, just adding null-check
String or UUID changes made by this patch: none
Attachment #699639 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/68c146972e78
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Comment on attachment 699639 [details] [diff] [review]
v1

Null check crash fix, approving for Aurora 20.
Attachment #699639 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Duplicate of this bug: 830275
There are a few crashes after the fix from 2013-01-10, with this signature, [@ nsIContent::IsHTML(nsIAtom*)], in the Socorro reports from last month:  https://crash-stats.mozilla.com/report/list?query_search=signature&query_type=contains&reason_type=contains&range_value=4&range_unit=weeks&hang_type=any&process_type=any&signature=nsIContent%3A%3AIsHTML%28nsIAtom%2A%29

- 14 crashes on 19.0.2
- a few crashes on Firefox 20 beta: 1, 2, 4 and 5

Any suggestions?
Totally different stacks on those, as far as I can tell.
In this case, marking this as verified fixed on Firefox 20, based on comment 9.
In the Socorro reports from last month, there are some crashes with [@ nsIContent::IsHTML(nsIAtom*)] signature on Firefox 21:
- beta 6: 8 crashes;
- beta 4: 2 crashes;
- beta 3: 3 crashes;
- beta 1: 1 crash.

Could anyone please verify if those are related with this issue?
Scoobidiver, could you please look into whether the crashes Alexandra is seeing in crash-stats for Firefox 21 are related to this bug?
Flags: needinfo?(scoobidiver)
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #12)
> Scoobidiver, could you please look into whether the crashes Alexandra is
> seeing in crash-stats for Firefox 21 are related to this bug?
None of crashes in 20.0.1 and 21.0 have mozilla::dom::HTMLTableElement::SetTHead in the stack trace so they are a different issue.
Status: RESOLVED → VERIFIED
Flags: needinfo?(scoobidiver)
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.