crash in mozilla::dom::HTMLMediaElement::LookupMediaElementURITable

RESOLVED DUPLICATE of bug 761485

Status

()

Core
Audio/Video
--
critical
RESOLVED DUPLICATE of bug 761485
5 years ago
5 years ago

People

(Reporter: Scoobidiver (away), Unassigned)

Tracking

({crash, regression, topcrash})

22 Branch
crash, regression, topcrash
Points:
---

Firefox Tracking Flags

(firefox21 unaffected, firefox22 affected, firefox23 affected, firefox24 affected)

Details

(Whiteboard: [native-crash], crash signature)

(Reporter)

Description

5 years ago
It's #3 browser crasher in 22.0b3 on Mac OS X.
It first showed up in 23.0a1/20130402 and 22.0a2/20130405 but are discontinuous across builds.

Signature 	mozilla::dom::HTMLMediaElement::LookupMediaElementURITable(nsIURI*) More Reports Search
UUID	21f43ca5-2dda-4418-86c1-afacd2130531
Date Processed	2013-05-31 21:13:31
Uptime	17148
Last Crash	more than 3 months before submission
Install Age	4.8 hours since version was first installed.
Install Time	2013-05-31 16:27:22
Product	Firefox
Version	22.0
Build ID	20130528181031
Release Channel	beta
OS	Mac OS X
OS Version	10.6.8 10K549
Build Architecture	amd64
Build Architecture Info	family 6 model 23 stepping 10
Crash Reason	EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash Address	0x40
App Notes 	
AdapterVendorID: 0x10de, AdapterDeviceID: 0x 863GL Context? GL Context+ GL Layers? GL Layers+ 
Processor Notes 	sp-processor01_phx1_mozilla_com_15876:2012; exploitability tool: ERROR: unable to analyze dump
EMCheckCompatibility	True
Adapter Vendor ID	0x10de
Adapter Device ID	0x 863

Frame 	Module 	Signature 	Source
0 	XUL 	mozilla::dom::HTMLMediaElement::LookupMediaElementURITable 	obj-firefox/x86_64/dist/include/nsINodeInfo.h:186
1 	XUL 	mozilla::dom::HTMLMediaElement::LoadResource 	content/html/content/src/HTMLMediaElement.cpp:1070
2 	XUL 	nsIOService::NewURI 	obj-firefox/x86_64/dist/include/nsTSubstring.h:85
3 	XUL 	nsACString_internal::SetLength 	xpcom/string/src/nsTSubstring.cpp:532
4 	XUL 	nsContentUtils::NewURIWithDocumentCharset 	obj-firefox/x86_64/dist/include/nsTSubstring.h:85
5 	XUL 	XUL@0x6e7f00 	
6 	XUL 	mozilla::dom::HTMLMediaElement::NewURIFromString 	obj-firefox/x86_64/dist/include/nsCOMPtr.h:410
7 	XUL 	mozilla::dom::HTMLMediaElement::LoadFromSourceChildren 	content/html/content/src/HTMLMediaElement.cpp:923
8 	XUL 	nsEventListenerManager::HandleEventInternal 	dom/base/nsPIDOMWindow.h:772
9 	libmozglue.dylib 	arena_malloc 	memory/mozjemalloc/jemalloc.c:1714
10 		@0x124bc8568 	
11 	XUL 	matchPrefEntry 	modules/libpref/src/prefapi.cpp:71
12 	XUL 	_ZZN7mozilla5imageL14get_header_strEPcS1_mE3hex 	
13 	XUL 	nsAString_internal::SetLength 	xpcom/string/src/nsTSubstring.cpp:532
14 	XUL 	mozilla::dom::Element::GetAttr const 	obj-firefox/x86_64/dist/include/nsTSubstring.h:503
15 	XUL 	mozilla::dom::HTMLMediaElement::UpdatePreloadAction 	obj-firefox/x86_64/dist/include/mozilla/Preferences.h:115
16 	XUL 	mozilla::dom::HTMLMediaElement::SelectResource 	content/html/content/src/HTMLMediaElement.cpp:807
17 	libmozglue.dylib 	ozone_size 	memory/mozjemalloc/jemalloc.c:6995
18 		@0x7fff5fbfd7b0 	
19 	libobjc.A.dylib 	_internal_object_dispose 	
20 	CoreFoundation 	-[NSObject dealloc] 	
21 	XUL 	_ZZL6EncodeP9JSContextN2JS6HandleIP14JSLinearStringEEPKtS7_NS1_13MutableHandleIN 	
22 	XUL 	mozilla::dom::HTMLMediaElement::SelectResourceWrapper 	content/html/content/src/HTMLMediaElement.cpp:745
23 	XUL 	mozilla::dom::nsSyncSection::Run 	content/html/content/src/HTMLMediaElement.cpp:669
24 	XUL 	nsBaseAppShell::RunSyncSectionsInternal 	widget/xpwidgets/nsBaseAppShell.cpp:352
25 	XUL 	nsBaseAppShell::AfterProcessNextEvent 	widget/xpwidgets/nsBaseAppShell.h:89
26 	XUL 	nsAppShell::AfterProcessNextEvent 	widget/cocoa/nsAppShell.mm:858
27 	XUL 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:640
28 	XUL 	NS_ProcessPendingEvents 	obj-firefox/x86_64/xpcom/build/nsThreadUtils.cpp:188
29 	XUL 	nsBaseAppShell::NativeEventCallback 	widget/xpwidgets/nsBaseAppShell.cpp:97
30 	XUL 	nsAppShell::ProcessGeckoEvents 	widget/cocoa/nsAppShell.mm:387
31 	CoreFoundation 	CFSetApplyFunction 	
32 	CoreFoundation 	__CFRunLoopDoSources0 	
33 	CoreFoundation 	__CFRunLoopDoSources0 	
34 	CoreFoundation 	__CFRunLoopRun 	
35 	libSystem.B.dylib 	OSAtomicCompareAndSwap32 	

More reports at:
https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Adom%3A%3AHTMLMediaElement%3A%3ALookupMediaElementURITable%28nsIURI*%29
There's a bunch of null-derefs here.  Is it possible that entry->mElements[i] is null?
Component: DOM → Video/Audio
Or worse yet is a garbage pointer?
(Reporter)

Comment 3

5 years ago
It seems a signature morphing of bug 761485.
(Reporter)

Updated

5 years ago
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 761485
You need to log in before you can comment on or make changes to this bug.