Closed Bug 956067 Opened 11 years ago Closed 10 years ago

Infinite recursion and startup crash in GetDynamicChildren in docshell/shistory/src/nsSHistory.cpp

Categories

(Firefox for Metro Graveyard :: General, defect, P2)

x86_64
Windows 8.1
defect

Tracking

(firefox28 verified, firefox29 verified)

RESOLVED DUPLICATE of bug 957150
Firefox 29

People

(Reporter: jimm, Assigned: spohl)

Details

(Keywords: crash)

Crash Data

I was getting a lot of these this week on my test tablet. Deleting session restore fixes it. Best steps to reproduce were to load up Gmail, drag-shutdown the browser, then relaunch to load Gmail automatically.

If you combine all the signatures this is our current #1 top crash for metrofx.
Crash Signature: , double const*)] → , double const*)] [@ AssignRangeAlgorithm<int, 1>::implementation<unsigned __int64, unsigned __int64, unsigned int, unsigned int>(unsigned __int64*, unsigned int, unsigned int, unsigned __int64 const*)]
Crash Signature: , double const*)] [@ AssignRangeAlgorithm<int, 1>::implementation<unsigned __int64, unsigned __int64, unsigned int, unsigned int>(unsigned __int64*, unsigned int, unsigned int, unsigned __int64 const*)] → , double const*)] [@ AssignRangeAlgorithm<int, 1>::implementation<unsigned __int64, unsigned __int64, unsigned int, unsigned int>(unsigned __int64*, unsigned int, unsigned int, unsigned __int64 const*)] [@ memcpy | nsTArray_Impl<unsigned __int64, nsTArr…
Depends on: 951402
No longer blocks: metrov1backlog
Whiteboard: [triage]
Crash Signature: , nsTArrayInfallibleAllocator>::AssignRange<unsigned __int64>(unsigned int, unsigned int, unsigned __int64 const*)] → , nsTArrayInfallibleAllocator>::AssignRange<unsigned __int64>(unsigned int, unsigned int, unsigned __int64 const*)] [memcpy | GetDynamicChildren(nsISHContainer*, nsTArray<unsigned __int64>&, bool)] [nsTArray_Impl<unsigned __int64, nsTArrayInfallibleAllo…
Summary: Various stack overflow crashes manipulating arrays on startup in docshell/shistory/src/nsSHistory.cpp → Infinite recursion and startup crash in GetDynamicChildren in docshell/shistory/src/nsSHistory.cpp
Whiteboard: [beta28]
Crash Signature: , nsTArrayInfallibleAllocator>::AssignRange<unsigned __int64>(unsigned int, unsigned int, unsigned __int64 const*)] [memcpy | GetDynamicChildren(nsISHContainer*, nsTArray<unsigned __int64>&, bool)] [nsTArray_Impl<unsigned __int64 → , nsTArrayInfallibleAllocator>::AssignRange<unsigned __int64>(unsigned int, unsigned int, unsigned __int64 const*)] [@ memcpy | GetDynamicChildren(nsISHContainer*, nsTArray<unsigned __int64>&, bool)] [@ nsTArray_Impl<unsigned __int64
Whiteboard: [beta28] → [beta28] [defect] p=0
No longer depends on: 951402
Crash Signature: , nsTArrayInfallibleAllocator>::AppendElements<unsigned __int64>(unsigned __int64 const*, unsigned int)] → , nsTArrayInfallibleAllocator>::AppendElements<unsigned __int64>(unsigned __int64 const*, unsigned int)] [@ nsSHEntry::QueryInterface(nsID const&, void**)] [@ memcpy | AssignRangeAlgorithm<int, 1>::implementation<unsigned __int64, unsigned __int64, unsi…
Whiteboard: [beta28] [defect] p=0 → [beta28] [defect] p=8
We haven't seen one of these since the 15th. Too early to claim this as fixed by some other session store landing, but looks promising.
Assignee: nobody → spohl.mozilla.bugs
Blocks: metrov1it23
No longer blocks: metrov1backlog
Status: NEW → ASSIGNED
Priority: -- → P2
QA Contact: jbecerra
I must have mid-aired with Jim's comment 1 when I assigned this bug to myself. So far, I've been unable to reproduce as well.
I suspect this was fixed by bug 957150, which fixed some bugs in the creation of nsSHEntry objects that could have caused cyclic references.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Depends on: 957150
Resolution: --- → DUPLICATE
Target Milestone: --- → Firefox 29
Whiteboard: [beta28] [defect] p=8 → [beta28] [defect] p=8 [qa-]
No longer blocks: metrov1it23
Whiteboard: [beta28] [defect] p=8 [qa-]
Jim, can you please verify this is resolved for you now?
Flags: needinfo?(jmathies)
Don't see it on crashstats, looks fixed.
Flags: needinfo?(jmathies)
(In reply to Jim Mathies [:jimm] from comment #5)
> Don't see it on crashstats, looks fixed.

Assuming verified fixed based on this.
Blocks: 978143
No longer blocks: 978143