Closed
Bug 883083
Opened 11 years ago
Closed 11 years ago
Assertion failure: ((bool)(__builtin_expect(!!(!NS_FAILED_impl(convResult)), 1)))
Categories
(Core :: Internationalization, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 851982
People
(Reporter: cbook, Unassigned)
Details
(4 keywords)
Attachments
(2 files)
Assertion failure: ((bool)(__builtin_expect(!!(!NS_FAILED_impl(convResult)), 1))), at /debug-builds/mozilla-central/mozilla-central/parser/html/nsHtml5StreamParser.cpp:819 found loading http://hk.dmz-plus.com/ and also on a local copy, working on a testcase. Seems to crash debug builds only so far. Will provide testcase and regression range
|
Reporter | |
Comment 1•11 years ago
|
||
reduced the testcase, also marking as sg just in case
Group: core-security
|
|
Reporter | |
Comment 2•11 years ago
|
||
|
|
Reporter | |
Comment 3•11 years ago
|
||
Assertion failure: ((bool)(__builtin_expect(!!(!NS_FAILED_impl(convResult)), 1))), at /debug-builds/mozilla-central/mozilla-central/parser/html/nsHtml5StreamParser.cpp:819 Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000 [Switching to process 28926 thread 0xb367] nsHtml5StreamParser::WriteStreamBytes (this=0x115bc2da0, aFromSegment=0x115b7a820 "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-2022-jp\">\n \033$B\"#\033(J<a href=\"http://iiaccess.net/\" target=\"_blank\">(?\033$B\"O\033(J?)\033$B%$%$!&%\"%/%;%9\033(J</a><br>\n", aCount=176, aWriteCount=0x14bf8cba8) at /debug-builds/mozilla-central/mozilla-central/parser/html/nsHtml5StreamParser.cpp:819 819 MOZ_ASSERT(NS_SUCCEEDED(convResult)); (gdb) bt #0 nsHtml5StreamParser::WriteStreamBytes (this=0x115bc2da0, aFromSegment=0x115b7a820 "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-2022-jp\">\n \033$B\"#\033(J<a href=\"http://iiaccess.net/\" target=\"_blank\">(?\033$B\"O\033(J?)\033$B%$%$!&%\"%/%;%9\033(J</a><br>\n", aCount=176, aWriteCount=0x14bf8cba8) at /debug-builds/mozilla-central/mozilla-central/parser/html/nsHtml5StreamParser.cpp:819 #1 0x0000000102ce7b8a in nsHtml5StreamParser::WriteSniffingBufferAndCurrentSegment (this=0x115bc2da0, aFromSegment=0x115b7a820 "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-2022-jp\">\n \033$B\"#\033(J<a href=\"http://iiaccess.net/\" target=\"_blank\">(?\033$B\"O\033(J?)\033$B%$%$!&%\"%/%;%9\033(J</a><br>\n", aCount=176, aWriteCount=0x14bf8cba8) at /debug-builds/mozilla-central/mozilla-central/parser/html/nsHtml5StreamParser.cpp:323 #2 0x0000000102cea165 in nsHtml5StreamParser::SniffStreamBytes (this=0x115bc2da0, aFromSegment=0x115b7a820 "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-2022-jp\">\n \033$B\"#\033(J<a href=\"http://iiaccess.net/\" target=\"_blank\">(?\033$B\"O\033(J?)\033$B%$%$!&%\"%/%;%9\033(J</a><br>\n", aCount=176, aWriteCount=0x14bf8cba8) at /debug-builds/mozilla-central/mozilla-central/parser/html/nsHtml5StreamParser.cpp:771 #3 0x0000000102ceb9d9 in nsHtml5StreamParser::DoDataAvailable (this=0x115bc2da0, aBuffer=0x115b7a820 "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-2022-jp\">\n \033$B\"#\033(J<a href=\"http://iiaccess.net/\" target=\"_blank\">(?\033$B\"O\033(J?)\033$B%$%$!&%\"%/%;%9\033(J</a><br>\n", aLength=176) at /debug-builds/mozilla-central/mozilla-central/parser/html/nsHtml5StreamParser.cpp:1049 #4 0x0000000102ceecee in nsHtml5DataAvailable::Run (this=0x125817e40) at /debug-builds/mozilla-central/mozilla-central/parser/html/nsHtml5StreamParser.cpp:1093 #5 0x000000010434a716 in nsThread::ProcessNextEvent (this=0x115b73130, mayWait=true, result=0x14bf8cdde) at /debug-builds/mozilla-central/mozilla-central/xpcom/threads/nsThread.cpp:626 #6 0x00000001042aae19 in NS_ProcessNextEvent (thread=0x115b73130, mayWait=true) at nsThreadUtils.cpp:238 #7 0x0000000104349107 in nsThread::ThreadFunc (arg=0x115b73130) at /debug-builds/mozilla-central/mozilla-central/xpcom/threads/nsThread.cpp:264 #8 0x00000001012375b5 in _pt_root () #9 0x00007fff8d4f77a2 in _pthread_start () #10 0x00007fff8d4e41e1 in thread_start ()
Keywords: testcase
Version: unspecified → Trunk
|
|
Reporter | |
Comment 4•11 years ago
|
||
super reduced testcase without external link etc
|
|
Reporter | |
Updated•11 years ago
|
Summary: Assertion failure: ((bool)(__builtin_expect(!!(!NS_FAILED_impl(convResult)), 1))), at /debug-builds/mozilla-central/mozilla-central/parser/html/nsHtml5StreamParser.cpp:819 → Assertion failure: ((bool)(__builtin_expect(!!(!NS_FAILED_impl(convResult)), 1)))
|
|
Reporter | |
Comment 5•11 years ago
|
||
(In reply to Carsten Book [:Tomcat] from comment #4) > Created attachment 763089 [details] > super reduced testcase - crashes on load > > super reduced testcase without external link etc at least still crash when executed locally, loading via bmo does not crash somehow
|
||
Comment 6•11 years ago
|
||
assert fires on linux x86_64 as well from the test run locally. Tomcat, did you check Windows?
|
|
Reporter | |
Comment 7•11 years ago
|
||
confirmed, also seen on windows
Operating system: Windows NT
6.1.7601 Service Pack 1
CPU: x86
GenuineIntel family 6 model 37 stepping 1
1 CPU
Crash reason: EXCEPTION_BREAKPOINT
Crash address: 0x65c9a8d6
Thread 17 (crashed)
0 xul.dll!nsHtml5StreamParser::WriteStreamBytes(unsigned char const *,unsigned int,unsigned int *) [nsHtml5StreamParser.cpp : 822 + 0x2f]
eip = 0x65c9a8d6 esp = 0x06bdf830 ebp = 0x06bdf86c ebx = 0x055f5698
esi = 0x00000000 edi = 0x00000000 eax = 0x00000000 ecx = 0x9187dcea
edx = 0x6ee6f4d8 efl = 0x00000216
Found by: given as instruction pointer in context
1 xul.dll!nsHtml5StreamParser::WriteSniffingBufferAndCurrentSegment(unsigned char const *,unsigned int,unsigned int *) [nsHtml5StreamParser.cpp : 326 + 0x13]
eip = 0x65c99107 esp = 0x06bdf874 ebp = 0x06bdf894
Found by: call frame info
2 xul.dll!nsHtml5StreamParser::SniffStreamBytes(unsigned char const *,unsigned int,unsigned int *) [nsHtml5StreamParser.cpp : 757 + 0x16]
eip = 0x65c9a53f esp = 0x06bdf89c ebp = 0x06bdf940
Found by: call frame info
3 xul.dll!nsHtml5StreamParser::DoDataAvailable(unsigned char const *,unsigned int) [nsHtml5StreamParser.cpp : 1081 + 0x13]
eip = 0x65c9b800 esp = 0x06bdf948 ebp = 0x06bdf970
Found by: call frame info
4 xul.dll!nsHtml5StreamParser::CopySegmentsToParser(nsIInputStream *,void *,char const *,unsigned int,unsigned int,unsigned int *) [nsHtml5StreamParser.cpp : 1190 + 0xf]
eip = 0x65c9bd5a esp = 0x06bdf978 ebp = 0x06bdf984
Found by: call frame info
5 xul.dll!nsInputStreamTee::WriteSegmentFun(nsIInputStream *,void *,char const *,unsigned int,unsigned int,unsigned int *) [nsInputStreamTee.cpp : 198 + 0x22]
eip = 0x66b8a74f esp = 0x06bdf98c ebp = 0x06bdf9b0
Found by: call frame info
6 xul.dll!nsPipeInputStream::ReadSegments(tag_nsresult (*)(nsIInputStream *,void *,char const *,unsigned int,unsigned int,unsigned int *),void *,unsigned int,unsigned int *) [nsPipe3.cpp : 775 + 0x1c]
eip = 0x66b91be9 esp = 0x06bdf9b8 ebp = 0x06bdf9e4
Found by: call frame info
7 xul.dll!nsInputStreamTee::ReadSegments(tag_nsresult (*)(nsIInputStream *,void *,char const *,unsigned int,unsigned int,unsigned int *),void *,unsigned int,unsigned int *) [nsInputStreamTee.cpp : 251 + 0x2c]
eip = 0x66b8ac08 esp = 0x06bdf9ec ebp = 0x06bdfa04
Found by: call frame info
8 xul.dll!nsHtml5StreamParser::OnDataAvailable(nsIRequest *,nsISupports *,nsIInputStream *,unsigned __int64,unsigned int) [nsHtml5StreamParser.cpp : 1170 + 0x1e]
eip = 0x65c9bbbe esp = 0x06bdfa0c ebp = 0x06bdfa70
Found by: call frame info
9 xul.dll!nsDocumentOpenInfo::OnDataAvailable(nsIRequest *,nsISupports *,nsIInputStream *,unsigned __int64,unsigned int) [nsURILoader.cpp : 303 + 0x33]
eip = 0x660733f3 esp = 0x06bdfa78 ebp = 0x06bdfa9c
Found by: call frame info
10 xul.dll!nsStreamListenerTee::OnDataAvailable(nsIRequest *,nsISupports *,nsIInputStream *,unsigned __int64,unsigned int) [nsStreamListenerTee.cpp : 93 + 0x38]
eip = 0x64ed3dde esp = 0x06bdfaa4 ebp = 0x06bdfafc
Found by: call frame info
11 xul.dll!mozilla::net::nsHttpChannel::OnDataAvailable(nsIRequest *,nsISupports *,nsIInputStream *,unsigned __int64,unsigned int) [nsHttpChannel.cpp : 5229 + 0x63]
eip = 0x64fb2204 esp = 0x06bdfb04 ebp = 0x06bdfb78
Found by: call frame info
12 xul.dll!nsInputStreamPump::OnStateTransfer() [nsInputStreamPump.cpp : 508 + 0x46]
eip = 0x64ea1139 esp = 0x06bdfb80 ebp = 0x06bdfbf8
Found by: call frame info
13 xul.dll!nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream *) [nsInputStreamPump.cpp : 381 + 0xa]
eip = 0x64ea0bc2 esp = 0x06bdfc00 ebp = 0x06bdfc1c
Found by: call frame info
14 xul.dll!nsInputStreamReadyEvent::Run() [nsStreamUtils.cpp : 82 + 0x27]
eip = 0x66b95a7a esp = 0x06bdfc24 ebp = 0x06bdfc30
Found by: call frame info
15 xul.dll!nsThread::ProcessNextEvent(bool,bool *) [nsThread.cpp : 626 + 0x18]
eip = 0x66bb3b1b esp = 0x06bdfc38 ebp = 0x06bdfcb0
Found by: call frame info
16 xul.dll!NS_ProcessNextEvent(nsIThread *,bool) [nsThreadUtils.cpp : 238 + 0x16]
eip = 0x66b44a24 esp = 0x06bdfcb8 ebp = 0x06bdfccc
Found by: call frame info
17 xul.dll!nsThread::ThreadFunc(void *) [nsThread.cpp : 264 + 0xa]
eip = 0x66bb2924 esp = 0x06bdfcd4 ebp = 0x06bdfd04
Found by: call frame info
18 nss3.dll!_PR_NativeRunThread [pruthr.c : 397 + 0xe]
eip = 0x6eb352eb esp = 0x06bdfd0c ebp = 0x06bdfd14
Found by: call frame info
19 nss3.dll!pr_root [w95thred.c : 90 + 0xe]
eip = 0x6eb3b769 esp = 0x06bdfd1c ebp = 0x06bdfd24
Found by: call frame info
20 MSVCR100D.dll + 0x4a272
eip = 0x6ed5a273 esp = 0x06bdfd2c ebp = 0x06bdfd60
Found by: call frame info
21 MSVCR100D.dll + 0x4a203
eip = 0x6ed5a204 esp = 0x06bdfd68 ebp = 0x06bdfd6c
Found by: previous frame's frame pointer
22 kernel32.dll + 0x4ed6b
eip = 0x760bed6c esp = 0x06bdfd74 ebp = 0x06bdfd78
Found by: previous frame's frame pointer
23 ntdll.dll + 0x6377a
eip = 0x7762377b esp = 0x06bdfd80 ebp = 0x06bdfdb8
Found by: previous frame's frame pointer
24 ntdll.dll + 0x6374d
eip = 0x7762374e esp = 0x06bdfdc0 ebp = 0x06bdfdd0
Found by: previous frame's frame pointerOS: Mac OS X → All
|
|
||
Comment 8•11 years ago
|
||
Found regression between 20121210134422-20121211210657 Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=4dfe323a663d&tochange=553a3bcf1fe7 http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/12/2012-12-11-mozilla-central-debug/firefox-20.0a1.en-US.debug-linux-x86_64.tar.bz2 http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/12/2012-12-12-mozilla-central-debug/firefox-20.0a1.en-US.debug-linux-x86_64.tar.bz2 The first bad revision is: changeset: 115519:85211b40ba37 user: Masatoshi Kimura <VYV03354@nifty.ne.jp> date: Mon Dec 10 09:11:15 2012 -0500 summary: Bug 638379 - Part 3: Remove workaround for unreliable inputErrorBehavior. r=hsivonen any reason to keep this hidden?
Keywords: regression
Version: Trunk → 20 Branch
|
|
Reporter | |
Comment 9•11 years ago
|
||
(In reply to Bob Clary [:bc:] from comment #8) > Found regression between 20121210134422-20121211210657 > Pushlog: > http://hg.mozilla.org/mozilla-central/ > pushloghtml?fromchange=4dfe323a663d&tochange=553a3bcf1fe7 > http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/12/2012-12-11- > mozilla-central-debug/firefox-20.0a1.en-US.debug-linux-x86_64.tar.bz2 > http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/12/2012-12-12- > mozilla-central-debug/firefox-20.0a1.en-US.debug-linux-x86_64.tar.bz2 > > The first bad revision is: > changeset: 115519:85211b40ba37 > user: Masatoshi Kimura <VYV03354@nifty.ne.jp> > date: Mon Dec 10 09:11:15 2012 -0500 > summary: Bug 638379 - Part 3: Remove workaround for unreliable > inputErrorBehavior. r=hsivonen > > any reason to keep this hidden? no :) we can open this up, was more because was not sure if sec bug or not
|
||
Comment 10•11 years ago
|
||
Looks like a bug in the iso-2022-jp decoder.
Component: HTML: Parser → Internationalization
Version: 20 Branch → Trunk
|
||
Updated•11 years ago
|
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
|
||
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•