900987 - crash in nsScriptError::Init

Status: VERIFIED FIXED

Description

[Scoobidiver (away)]

It first showed up in 25.0a1/20130802 and is currently #1 top crasher in this build. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=05d3797276d3&tochange=76a944fa6b25
It's likely a regression from bug 897945.

Signature 	zzz_AsmCodeRange_Begin | nsDependentCString::nsDependentCString(char const*) More Reports Search
UUID 	8778c765-1f50-4a37-8fc6-830bb2130802
Date Processed	2013-08-02 14:55:14.659597
Uptime	56
Last Crash	58 seconds before submission
Install Age 	1568 since version was first installed.
Install Time 	2013-08-02 14:20:01
Product 	Firefox
Version 	25.0a1
Build ID 	20130802030204
Release Channel 	nightly
OS 	Windows NT
OS Version 	6.1.7601 Service Pack 1
Build Architecture 	x86
Build Architecture Info 	GenuineIntel family 6 model 58 stepping 9 | 4
Crash Reason 	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 	0x0
App Notes 	
AdapterVendorID: 0x1002, AdapterDeviceID: 0x683d, AdapterSubsysID: 042b1043, AdapterDriverVersion: 9.12.0.0
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 

Frame 	Module 	Signature 	Source
0 	msvcr100.dll 	zzz_AsmCodeRange_Begin 	f:\\dd\\vctools\\crt_bld\\SELF_X86\\crt\\src\\INTEL\\strlen.asm
1 	xul.dll 	nsDependentCString::nsDependentCString(char const *) 	obj-firefox/dist/include/nsTDependentString.h
2 	xul.dll 	nsScriptError::Init(nsAString_internal const &,nsAString_internal const &,nsAString_internal const &,unsigned int,unsigned int,unsigned int,char const *) 	js/xpconnect/src/nsScriptError.cpp
3 	xul.dll 	NS_InvokeByIndex 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp
4 	xul.dll 	XPC_WN_CallMethod(JSContext *,unsigned int,JS::Value *) 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp
5 	mozjs.dll 	js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
6 	mozjs.dll 	Interpret 	js/src/vm/Interpreter.cpp
7 	mozjs.dll 	js::detail::HashTable<js::HashMapEntry<js::ion::VMFunction const *,js::ion::IonCode *>,js::HashMap<js::ion::VMFunction const *,js::ion::IonCode *,js::DefaultHasher<js::ion::VMFunction const *>,js::RuntimeAllocPolicy>::MapHashPolicy,js::RuntimeAllocPolicy>::init(unsigned int) 	obj-firefox/dist/include/js/HashTable.h
8 	mozjs.dll 	js::ion::IonCompartment::initialize(JSContext *) 	js/src/ion/Ion.cpp
9 	mozjs.dll 	js::RunScript(JSContext *,js::RunState &) 	js/src/vm/Interpreter.cpp
10 	mozjs.dll 	js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
11 	mozjs.dll 	js_fun_apply(JSContext *,unsigned int,JS::Value *) 	js/src/jsfun.cpp
12 	xul.dll 	xpc::WrapperFactory::Rewrap(JSContext *,JS::Handle<JSObject *>,JS::Handle<JSObject *>,JS::Handle<JSObject *>,JS::Handle<JSObject *>,unsigned int) 	js/xpconnect/wrappers/WrapperFactory.cpp
13 	mozjs.dll 	JSCompartment::wrap(JSContext *,JS::MutableHandle<JS::Value>,JS::Handle<JSObject *>) 	js/src/jscompartment.cpp
14 	mozjs.dll 	js::CrossCompartmentWrapper::get(JSContext *,JS::Handle<JSObject *>,JS::Handle<JSObject *>,JS::Handle<int>,JS::MutableHandle<JS::Value>) 	js/src/jswrapper.cpp
15 	mozjs.dll 	js::Proxy::get(JSContext *,JS::Handle<JSObject *>,JS::Handle<JSObject *>,JS::Handle<int>,JS::MutableHandle<JS::Value>) 	js/src/jsproxy.cpp
16 	mozjs.dll 	js::ObjectImpl::nativeLookup(js::ExclusiveContext *,int) 	js/src/vm/ObjectImpl.cpp
17 	mozjs.dll 	NameOperation 	js/src/vm/Interpreter.cpp
18 		@0x1a01b5e0

More reports at:
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=zzz_AsmCodeRange_Begin+|+nsDependentCString%3A%3AnsDependentCString%28char+const*%29
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=strlen+|+nsScriptError%3A%3AInit%28nsAString_internal+const%26%2C+nsAString_internal+const%26%2C+nsAString_internal+const%26%2C+unsigned+int%2C+unsigned+int%2C+unsigned+int%2C+char+const*%29

Comment 1

[Alice0775 White]

Steps To Reproduce:
1. Install https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/  and Restart brower
2. Install the following GM script

// ==UserScript==
// @name        CrashTest
// @namespace   http://www.yahoo.com
// @description Crash test
// @include     http://www.yahoo.com/*
// @grant       none
// @version     1
// ==/UserScript==
  GM_log("crash", 1);

3. Open http://www.yahoo.com/

Actual Results:
Crash

Comment 3

[Scoobidiver (away)]

There are currently 1378 crashes so either fix it before the merge or backout bug 897945's patch.

Comment 4

[:Ms2ger (he/him; ⌚ UTC+1/+2)]

Created attachment 785359 [details] [diff] [review]
Patch v1

Comment 6

[Dan Weiss]

I managed to trigger the bug when running this Userscript on Youtube:

http://pastebin.com/Y6KEhapM

Comment 7

[Bob49]

Signature [@ zzz_AsmCodeRange_Begin | nsDependentCString::nsDependentCString(char const*) ]

recent reports:
https://crash-stats.mozilla.com/report/index/3226a945-6b2a-4643-8fe6-8dcaa2130804
https://crash-stats.mozilla.com/report/index/c766057e-d709-4599-9e8f-85ac02130804


bug between Firefox 25.0a1 and script "userscripts updater" Greasemonkey (XP et Vista)
Manual removal of the script "userscripts updater" or disable Greasemonkey through safe mode .... prevent new crashes !

Comment 8

[:Ms2ger (he/him; ⌚ UTC+1/+2)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/559400867e92

Comment 9

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/559400867e92

Comment 10

[Mihai Morar, (:MihaiMorar)]

WFM following STR from Comment 1. In addition there are no more crashes in FF25 or later versions vis Soccoro.

BuildID: 20130908004001