832599 - crash in nsDependentJSString::init @ JS_GetStringCharsZAndLength

Status: RESOLVED WORKSFORME

(Core :: DOM: Core & HTML, defect)

Description

[Scoobidiver (away)]

With that stack trace, it first showed up in 21.0a1/20130117. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d8be4bc4fba8&tochange=712eca11a04e
It's likely a regression from bug 824864.

Signature 	JS_GetStringCharsZAndLength(JSContext*, JSString*, unsigned int*) More Reports Search
UUID	2eaf8504-4fb0-473d-83e3-625642130119
Date Processed	2013-01-19 10:25:01
Uptime	2438
Last Crash	1.0 days before submission
Install Age	11.3 hours since version was first installed.
Install Time	2013-01-18 23:08:13
Product	Firefox
Version	21.0a1
Build ID	20130118030915
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 15 model 4 stepping 3
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x2
App Notes 	
AdapterVendorID: 0x1002, AdapterDeviceID: 0x5b64, AdapterSubsysID: 01021002, AdapterDriverVersion: 8.56.1.16
D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- 
Processor Notes 	sp-processor01.phx1.mozilla.com_15787:2008
EMCheckCompatibility	True
Adapter Vendor ID	0x1002
Adapter Device ID	0x5b64
Total Virtual Memory	2147352576
Available Virtual Memory	1736257536
System Memory Use Percentage	31
Available Page File	3306057728
Available Physical Memory	1475751936

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	JS_GetStringCharsZAndLength 	js/src/jsapi.cpp:6084
1 	xul.dll 	nsDependentJSString::init 	dom/base/nsJSUtils.h:105
2 	xul.dll 	nsDependentJSString::init 	dom/base/nsJSUtils.h:117
3 	xul.dll 	nsJSThunk::EvaluateScript 	dom/src/jsurl/nsJSProtocolHandler.cpp:351
4 	xul.dll 	nsJSChannel::EvaluateScript 	dom/src/jsurl/nsJSProtocolHandler.cpp:731
5 	xul.dll 	nsRunnableMethodImpl<void 	obj-firefox/dist/include/nsThreadUtils.h:367
6 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:627
7 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:82
8 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:208
9 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:182
10 	xul.dll 	nsBaseAppShell::Run 	widget/xpwidgets/nsBaseAppShell.cpp:163
11 	xul.dll 	nsAppShell::Run 	widget/windows/nsAppShell.cpp:232
12 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:288
13 	xul.dll 	XREMain::XRE_mainRun 	toolkit/xre/nsAppRunner.cpp:3823
14 	xul.dll 	XREMain::XRE_main 	toolkit/xre/nsAppRunner.cpp:3890
15 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:4093
16 	firefox.exe 	do_main 	browser/app/nsBrowserApp.cpp:195
17 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:105
18 	firefox.exe 	__tmainCRTStartup 	crtexe.c:552
19 	kernel32.dll 	BaseThreadInitThunk 	
20 	ntdll.dll 	__RtlUserThreadStart 	
21 	ntdll.dll 	_RtlUserThreadStart 	

More reports at:
https://crash-stats.mozilla.com/report/list?signature=JS_GetStringCharsZAndLength%28JSContext*%2C+JSString*%2C+unsigned+int*%29

Comment 1

[Bobby Holley (:bholley)]

I think this is a dupe of bug 832435. Patch there will be landing shortly.

Comment 2

[Scoobidiver (away)]

More reports also at:
https://crash-stats.mozilla.com/report/list?signature=JS_GetStringCharsZAndLength%28JSContext*%2C+JSString*%2C+unsigned+long*%29

Comment 3

[Andrew McCreight [:mccr8]]

Bobby: This is still happening in builds as recent as today (1/26), so your other patch doesn't seem to have fixed this.  These crashes are all null-derefs, because presumably v isn't a string, so we get NULL when we try to convert it to one.  Is JS_WrapValue going to return a string if given a string?  I would guess no...

Comment 4

[Bobby Holley (:bholley)]

(In reply to Andrew McCreight [:mccr8] from comment #3)
> Bobby: This is still happening in builds as recent as today (1/26), so your
> other patch doesn't seem to have fixed this. 

This might have also been bug 833856. Is it still happening even after that landed?

> Is JS_WrapValue going to return a string if given a
> string?  I would guess no...

Not sure I grok this.

Comment 5

[Scoobidiver (away)]

(In reply to Bobby Holley (:bholley) from comment #4)
> This might have also been bug 833856. Is it still happening even after that
> landed?
There aren't any crashes in 21.0a1/20130128. If it's confirmed, the working range would be:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f18b12139151&tochange=80fed51ae074
The fix of bug 833856 belongs to it.

Comment 6

[Andrew McCreight [:mccr8]]

Okay, maybe it is fine now.

Comment 7

[Andrew McCreight [:mccr8]]

> Not sure I grok this.

I meant, maybe the thing it returns is a wrapper, which may not be something tagged as a string?  Though I guess it would probably still be a string, so never mind...

Comment 8

[Bobby Holley (:bholley)]

(In reply to Andrew McCreight [:mccr8] from comment #7)
> > Not sure I grok this.
> 
> I meant, maybe the thing it returns is a wrapper, which may not be something
> tagged as a string?  Though I guess it would probably still be a string, so
> never mind...

Yeah IIUC we never get JSObject CCWs that wrap strings.

Comment 9

[Scoobidiver (away)]

(In reply to Scoobidiver from comment #5)
> There aren't any crashes in 21.0a1/20130128. If it's confirmed
It is.