Closed Bug 250900 Opened 21 years ago Closed 20 years ago

nsIBrowserHistory corrupts URI strings [was: crash when a long malformed URL is entered in the Location Bar [@js_CloneFunctionObject]]

Categories

(Core Graveyard :: History: Global, defect, P3)

x86
All
defect

Tracking

(Not tracked)

RESOLVED FIXED
mozilla1.8beta1

People

(Reporter: filamento, Assigned: darin.moz)

Details

(Keywords: crash, fixed-aviary1.0, fixed1.7.5, Whiteboard: [patch])

Attachments

(4 files, 4 obsolete files)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a2) Gecko/20040710 Firefox/0.9.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a2) Gecko/20040710 Firefox/0.9.0+

If you enter a malformed URL in the Location Bar of FireFox and press ENTER, FireFox will try to search for it in Google and will crash. The crash details are these:

AppName: firefox.exe
AppVer: 0.8.0.0
ModName: ntdll.dll
ModVer: 5.1.2600.1106
Offset: 00002109

The malformed URL is this one:
[[{[{[{[{[{[{´´`´`´`´´´`´`´`´´`´´´`´`´`´`´`´`´´`´´`´`´´``´`´`´`´`´`´`´`´`´`´`´`´`´`´`´`´`´`´`´`´`´`´`´`´`

Reproducible: Always

Steps to Reproduce:
1. Start FireFox
2. Enter this malformed URL: [[{[{[{[{[{[{´´`´`´`´´´`´`´`´´`´´´`´`´`´`´`´`´´`´´`´`´´``´`´`´`´`´`´`´`´`´`´`´`´`´`´`´`´`´`´`´`´`´`´`´`´`
3. Press the ENTER key.

Actual Results: FireFox crashed.

Expected Results: It should have searched for the URL in google and returned whatever results google gave.

Crash info:
AppName: firefox.exe
AppVer: 0.8.0.0
ModName: ntdll.dll
ModVer: 5.1.2600.1106
Offset: 00002109

Confirming.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Affects Seamonkey
Talkback TB306467H from Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040708 Firefox/0.9.0+
Component: Location Bar and Autocomplete → JavaScript Engine
Flags: blocking-aviary1.0RC1?
Product: Firefox → Browser
Summary: FireFox crash when a long malformed URL is entered in the Location Bar → crash when a long malformed URL is entered in the Location Bar [@js_CloneFunctionObject]
Version: unspecified → Trunk
  ntdll.dll!RtlAllocateHeap() + 0x52d
  msvcr70.dll!_heap_alloc(unsigned int size=0x00000020) Line 212 C
  msvcr70.dll!_nh_malloc(unsigned int size=0x00000020, int nhFlag=0x00000000) Line 113 C
  msvcr70.dll!malloc(unsigned int size=0x00000020) Line 54 + 0xf C
  js3250.dll!JS_malloc(JSContext * cx=0x024802f8, unsigned int nbytes=0x00000020) Line 1464 + 0x7 C
> js3250.dll!js_NewFunction(JSContext * cx=0x024802f8, JSObject * funobj=0x00000000, int (JSContext *, JSObject *, unsigned int, long *, long *)* native=0x00eb4002, unsigned int nargs=0x00000003, unsigned int flags=0x00000000, JSObject * parent=0x00000000, JSAtom * atom=0x0229f4a0) Line 1921 + 0xb C
  js3250.dll!JS_NewFunction(JSContext * cx=0x024802f8, int (JSContext *, JSObject *, unsigned int, long *, long *)* native=0x00eb4002, unsigned int nargs=0x00000003, unsigned int flags=0x00000000, JSObject * parent=0x00000000, const char * name=0x03364788) Line 2939 + 0x17 C
  xpc3250.dll!XPCNativeMember::Resolve(XPCCallContext & ccx={...}, XPCNativeInterface * iface=0x00000003) Line 151 + 0x1e C++

looks like it's time for purify (heap corruption?).
Assignee: bugs → general
QA Contact: davidpjames → pschwartau
[E] ABW: Array bounds write in memcpy {1 occurrence}
    Writing 105 bytes to 0x0e5925ef (71 bytes at 0x0e592611 illegal)
    Address 0x0e5925ef is 15 bytes into a 49 byte block at 0x0e5925e0
    Address 0x0e5925ef points to a HeapAlloc'd block in heap 0x015d0000
    Thread ID: 0x1668
    Error location
        memcpy+0xc [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\necko.dll ip=0x041768b9]
        nsStandardURL::AppendSegmentToBuf(char *,UINT,char const*,URLSegment::nsStandardURL&,nsCString const*)+0x159 [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\necko.dll ip=0x0402f1c9]
        nsStandardURL::BuildNormalizedSpec(char const*)+0xad9 [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\necko.dll ip=0x0402fdb9]
        nsStandardURL::SetSpec(nsACString const&)+0x249 [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\necko.dll ip=0x040344d9]
        nsStandardURL::Init(UINT,int,nsACString const&,char const*,nsIURI *)+0x613 [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\necko.dll ip=0x0403d343]
        nsHttpHandler::NewURI(nsACString const&,char const*,nsIURI *,nsIURI * *)+0x201 [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\necko.dll ip=0x04121b01]
        nsHttpHandler::NewURI(nsACString const&,char const*,nsIURI *,nsIURI * *)+0x5c [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\necko.dll ip=0x0412195c]
        nsIOService::NewURI(nsACString const&,char const*,nsIURI *,nsIURI * *)+0x31e [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\necko.dll ip=0x04005dee]
        NS_NewURI(nsIURI * *,nsACString const&,char const*,nsIURI *,nsIIOService *)+0xed [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\appcomps.dll ip=0x098e623d]
        nsGlobalHistory::AddNewPageToDatabase(char const*,long long,nsIMdbRow * *)+0x3e4 [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\appcomps.dll ip=0x09993ca3]
        nsGlobalHistory::MarkPageAsTyped(char const*)+0x19a [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\appcomps.dll ip=0x09998efa]
        XPTC_InvokeByIndex+0x6e [r:\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp:101 ip=0x024bc263]
nsGlobalHistory::MarkPageAsTyped(char const*)+0x19a [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\appcomps.dll ip=0x09998efa] XPTC_InvokeByIndex+0x6e [r:\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp:101 ip=0x024bc263] XPCWrappedNative::CallMethod(XPCCallContext&,CallMode::XPCWrappedNative)+0x211c [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\xpc3250.dll ip=0x03ce5f5c] XPC_WN_CallMethod(JSContext *,JSObject *,UINT,long *,long *)+0x32a [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\xpc3250.dll ip=0x03cf946a] js_Invoke+0x1846 [R:\mozilla\pure-i586-pc-msvc\dist\bin\js3250.dll ip=0x03df4766] js_Interpret+0x18af0 [R:\mozilla\pure-i586-pc-msvc\dist\bin\js3250.dll ip=0x03e0f610] js_Invoke+0x1942 [R:\mozilla\pure-i586-pc-msvc\dist\bin\js3250.dll ip=0x03df4862] js_fun_toString+0x1b69 [R:\mozilla\pure-i586-pc-msvc\dist\bin\js3250.dll ip=0x03de8319] js_Invoke+0x1846 [R:\mozilla\pure-i586-pc-msvc\dist\bin\js3250.dll ip=0x03df4766] js_Interpret+0x18af0 [R:\mozilla\pure-i586-pc-msvc\dist\bin\js3250.dll ip=0x03e0f610] js_Invoke+0x1942 [R:\mozilla\pure-i586-pc-msvc\dist\bin\js3250.dll ip=0x03df4862] js_InternalInvoke+0x27a [R:\mozilla\pure-i586-pc-msvc\dist\bin\js3250.dll ip=0x03df55ea] JS_CallFunctionValue+0x8b [R:\mozilla\pure-i586-pc-msvc\dist\bin\js3250.dll ip=0x03d84ebb] nsJSContext::CallEventHandler(JSObject *,JSObject *,UINT,long *,long *)+0x31e [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\gklayout.dll ip=0x04e0b8ce] nsJSEventListener::HandleEvent(nsIDOMEvent *)+0xf9e [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\gklayout.dll ip=0x04ea523e] nsXBLPrototypeHandler::ExecuteHandler(nsIDOMEventReceiver *,nsIDOMEvent *)+0x343e [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\gklayout.dll ip=0x04d8d40e] Allocation location HeapAlloc+0xc [C:\WINDOWS\System32\KERNEL32.dll ip=0x67e633c8] heap_alloc+0x4a [f:\vs70builds\9466\vc\crtbld\crt\src\malloc.c:211 ip=0x7c0010d3] nh_malloc+0x10 [C:\WINDOWS\System32\MSVCR70.dll:106 ip=0x7c00107b] 
nsStringHeader::Alloc(UINT)+0x35 [R:\mozilla\pure-i586-pc-msvc\dist\bin\xpcom.dll ip=0x024c6715] nsCSubstring::MutatePrep(UINT,char * *,UINT *)+0x349 [R:\mozilla\pure-i586-pc-msvc\dist\bin\xpcom.dll ip=0x024ca669] nsCSubstring::SetCapacity(UINT)+0x135 [R:\mozilla\pure-i586-pc-msvc\dist\bin\xpcom.dll ip=0x024cc5d5] nsCSubstring::SetLength(UINT)+0x47 [R:\mozilla\pure-i586-pc-msvc\dist\bin\xpcom.dll ip=0x024cc7c7] nsStandardURL::BuildNormalizedSpec(char const*)+0x703 [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\necko.dll ip=0x0402f9e3] nsStandardURL::SetSpec(nsACString const&)+0x249 [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\necko.dll ip=0x040344d9] nsStandardURL::Init(UINT,int,nsACString const&,char const*,nsIURI *)+0x613 [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\necko.dll ip=0x0403d343] nsHttpHandler::NewURI(nsACString const&,char const*,nsIURI *,nsIURI * *)+0x201 [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\necko.dll ip=0x04121b01] nsHttpHandler::NewURI(nsACString const&,char const*,nsIURI *,nsIURI * *)+0x5c [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\necko.dll ip=0x0412195c] nsIOService::NewURI(nsACString const&,char const*,nsIURI *,nsIURI * *)+0x31e [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\necko.dll ip=0x04005dee] NS_NewURI(nsIURI * *,nsACString const&,char const*,nsIURI *,nsIIOService *)+0xed [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\appcomps.dll ip=0x098e623d] nsGlobalHistory::AddNewPageToDatabase(char const*,long long,nsIMdbRow * *)+0x3e4 [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\appcomps.dll ip=0x09993ca3] nsGlobalHistory::MarkPageAsTyped(char const*)+0x19a [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\appcomps.dll ip=0x09998efa] XPTC_InvokeByIndex+0x6e [r:\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp:101 ip=0x024bc263] XPCWrappedNative::CallMethod(XPCCallContext&,CallMode::XPCWrappedNative)+0x211c [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\xpc3250.dll ip=0x03ce5f5c] 
XPC_WN_CallMethod(JSContext *,JSObject *,UINT,long *,long *)+0x32a [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\xpc3250.dll ip=0x03cf946a] js_Invoke+0x1846 [R:\mozilla\pure-i586-pc-msvc\dist\bin\js3250.dll ip=0x03df4766] js_Interpret+0x18af0 [R:\mozilla\pure-i586-pc-msvc\dist\bin\js3250.dll ip=0x03e0f610] js_Invoke+0x1942 [R:\mozilla\pure-i586-pc-msvc\dist\bin\js3250.dll ip=0x03df4862] js_fun_toString+0x1b69 [R:\mozilla\pure-i586-pc-msvc\dist\bin\js3250.dll ip=0x03de8319] js_Invoke+0x1846 [R:\mozilla\pure-i586-pc-msvc\dist\bin\js3250.dll ip=0x03df4766] js_Interpret+0x18af0 [R:\mozilla\pure-i586-pc-msvc\dist\bin\js3250.dll ip=0x03e0f610] [E] EXU: Unhandled exception in realloc {1 occurrence} Exception code: 0xc0000005 [Error: access violation writing to 0x60b460b4] Exception address: RtlSizeHeap+0x5ef [C:\WINDOWS\System32\ntdll.dll ip=0x77f83905] Filter: WinMainCRTStartup+0x665 [f:\vs70builds\9466\vc\crtbld\crt\src\crtexe.c:411 ip=0x0044c822] Exception location RtlSizeHeap+0x5f0 [C:\WINDOWS\System32\ntdll.dll ip=0x77f83906] RtlConvertUlongToLargeInteger+0x6e [C:\WINDOWS\System32\ntdll.dll ip=0x77fb172e] RtlConvertUlongToLargeInteger+0x40 [C:\WINDOWS\System32\ntdll.dll ip=0x77fb1700] KiUserExceptionDispatcher+0xe [C:\WINDOWS\System32\ntdll.dll ip=0x77f75dba] RtlFreeHeap+0x28c [C:\WINDOWS\System32\ntdll.dll ip=0x77f58cca] RtlAllocateHeap+0xe90 [C:\WINDOWS\System32\ntdll.dll ip=0x77f58a3e] realloc+0x55 [f:\vs70builds\9466\vc\crtbld\crt\src\msize.c:272 ip=0x7c001ccb] nsStringHeader::Realloc(nsStringHeader *,UINT)+0x38 [R:\mozilla\pure-i586-pc-msvc\dist\bin\xpcom.dll ip=0x024c67d8] nsCSubstring::MutatePrep(UINT,char * *,UINT *)+0x19c [R:\mozilla\pure-i586-pc-msvc\dist\bin\xpcom.dll ip=0x024ca4bc] nsCSubstring::SetCapacity(UINT)+0x135 [R:\mozilla\pure-i586-pc-msvc\dist\bin\xpcom.dll ip=0x024cc5d5] nsCSubstring::SetLength(UINT)+0x47 [R:\mozilla\pure-i586-pc-msvc\dist\bin\xpcom.dll ip=0x024cc7c7] nsStandardURL::BuildNormalizedSpec(char const*)+0x15a4 
[R:\mozilla\pure-i586-pc-msvc\dist\bin\components\necko.dll ip=0x04030884] nsStandardURL::SetSpec(nsACString const&)+0x249 [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\necko.dll ip=0x040344d9] nsStandardURL::Init(UINT,int,nsACString const&,char const*,nsIURI *)+0x613 [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\necko.dll ip=0x0403d343] nsHttpHandler::NewURI(nsACString const&,char const*,nsIURI *,nsIURI * *)+0x201 [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\necko.dll ip=0x04121b01] nsHttpHandler::NewURI(nsACString const&,char const*,nsIURI *,nsIURI * *)+0x5c [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\necko.dll ip=0x0412195c] nsIOService::NewURI(nsACString const&,char const*,nsIURI *,nsIURI * *)+0x31e [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\necko.dll ip=0x04005dee] NS_NewURI(nsIURI * *,nsACString const&,char const*,nsIURI *,nsIIOService *)+0xed [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\appcomps.dll ip=0x098e623d] nsGlobalHistory::AddNewPageToDatabase(char const*,long long,nsIMdbRow * *)+0x3e4 [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\appcomps.dll ip=0x09993ca3] nsGlobalHistory::MarkPageAsTyped(char const*)+0x19a [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\appcomps.dll ip=0x09998efa] XPTC_InvokeByIndex+0x6e [r:\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp:101 ip=0x024bc263] XPCWrappedNative::CallMethod(XPCCallContext&,CallMode::XPCWrappedNative)+0x211c [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\xpc3250.dll ip=0x03ce5f5c] XPC_WN_CallMethod(JSContext *,JSObject *,UINT,long *,long *)+0x32a [R:\mozilla\pure-i586-pc-msvc\dist\bin\components\xpc3250.dll ip=0x03cf946a] js_Invoke+0x1846 [R:\mozilla\pure-i586-pc-msvc\dist\bin\js3250.dll ip=0x03df4766] js_Interpret+0x18af0 [R:\mozilla\pure-i586-pc-msvc\dist\bin\js3250.dll ip=0x03e0f610]
timeless, you know better than to assign this to the JS engine just because some JS code crashed on a corrupted heap, and in fact your purify results all point to nsStandardURL string storage mismanagement. C'mon, assign better. /be
Assignee: general → darin
Component: JavaScript Engine → Networking
He didn't assign it, I reassigned it from Aviary to JS after looking at my stack. He also told me later it shouldn't stay in JS land.
This bug also seems to disturb bugzilla, or mozilla? I'm seeing the comments in a very large font, though view-text zoom is set to 100%, and restores this size, if I change it to some other value, and back to 100%. I've loaded other bugs in other tabs, before and after loading this bug, and they are displaying normally. The font in this textarea is also unusually big, the font of the page source is big, doesn't matter if I use Ctrl+U or view-source:http//bugzilla.mozilla.org/show_bug.cgi?id=250900 Opera displays normally.
It seems that somehow the ending quote character is confusing Mozilla and making it crash. I've just tried typing a bunch of ending quotes in the URL bar in FireFox 0.9.1 and it also crashed: For example, you can try this URL: ´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´
timeless: sorry, I misread bugmail as it flew by! cst: thanks for setting me straight. Now you know the drill about heap corruption: don't blame the first bystander who tripped over the corpse ;-). /be
Keywords: crash
Target Milestone: --- → mozilla1.8alpha2
interesting that this crash doesn't occur in TestGtkEmbed, but it does occur in mozilla on Linux. changing OS to All.
OS: Windows XP → All
Target Milestone: mozilla1.8alpha2 → mozilla1.8beta
Attached file trace (deleted) —
In plain English it means that for a host-part > kMaxDNSNodeLen (63) there is a path where nsStandardURL::BuildNormalizedSpec is called with a raw string which triggers the "Not a UTF-8 string" assertion above, this is from the NS_ConvertUTF8toUTF16() call in nsIDNService::Normalize() which leads to nsIDNService::stringPrep() being called with a zero length string. The result is that nsIDNService::Normalize() succeeds and returns an empty string. This triggers a bug in nsStandardURL::BuildNormalizedSpec. The length of the return string is used to estimate the 'mSpec' buffer length but later nsStandardURL::BuildNormalizedSpec, line 549:
  if (mHost.mLen > 0) {
    i = AppendSegmentToBuf(buf, i, spec, mHost, &encHost);
but AppendSegmentToBuf actually uses mHost when the last arg is Empty() so we have a buffer overflow. The first 3 calls to nsStandardURL::BuildNormalizedSpec() above look OK, I will attach the stack for the bad 4th call.
Attached file call stack for bad 4th call (deleted) —
nsGlobalHistory::MarkPageAsTyped should have done some conversion?
Attached patch Patch A rev. 1 - a wallpaper (obsolete) (deleted) — Splinter Review
It could be nice to have this even if the root cause is fixed...
Attached patch Patch B rev. 1 (obsolete) (deleted) — Splinter Review
This is unrelated to the crash at hand, but it was something I found while digging around. When utf16ToUcs4() in netwerk/dns/src/nsIDNService.cpp truncates the result it returns a 'outLen' that is 1 too much.
The code in nsStandardURL::BuildNormalizedSpec looks a bit fragile to me. It approximates a total size (approxLen), then does:
  mSpec.SetLength(approxLen + 32)
  char *buf;
  mSpec.BeginWriting(buf);
after that 'buf' is written to using buf[i], without checking that it's within bounds. So an approximation that is more than 32 too low will lead to a buffer overflow. Is 'approxLen' really that exact?
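The sizing mismatch described in the two comments above, reduced to a stand-alone C++ model (an added example, not Mozilla code; `Parts`, `flawedCapacity`, `BoundedWriter` and the other names are hypothetical, and the 100-byte host is constructed input). It shows why a buffer sized from the empty normalized host is too small once the writer falls back to the raw host, and how sizing from the same string plus a bounds-checked writer turns the overflow into a clean failure.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Simplified model of the sizing bug discussed in this report.
// All names are hypothetical; this is not the Mozilla source.

static const size_t kSlack = 32;  // models the "+ 32" in SetLength(approxLen + 32)

struct Parts {
    std::string scheme;   // e.g. "http"
    std::string rawHost;  // host bytes exactly as they appear in the input
    std::string encHost;  // normalized host; empty models the failed IDN path
    std::string path;
};

// Convenience constructor for the samples below (assumed scheme and path).
Parts makeParts(const std::string& rawHost, const std::string& encHost) {
    Parts p;
    p.scheme = "http";
    p.rawHost = rawHost;
    p.encHost = encHost;
    p.path = "/";
    return p;
}

// The append step falls back to the raw host when the replacement is empty.
const std::string& hostToWrite(const Parts& p) {
    return p.encHost.empty() ? p.rawHost : p.encHost;
}

// Flawed sizing: counts the normalized host even when it came back empty.
size_t flawedCapacity(const Parts& p) {
    return p.scheme.size() + 3 + p.encHost.size() + p.path.size() + kSlack;
}

// Exact sizing: counts the same string the writer will copy.
size_t bytesNeeded(const Parts& p) {
    return p.scheme.size() + 3 + hostToWrite(p).size() + p.path.size();
}

// Bytes an unchecked writer would place past a flawedCapacity() buffer.
size_t overrun(const Parts& p) {
    const size_t need = bytesNeeded(p), cap = flawedCapacity(p);
    return need > cap ? need - cap : 0;
}

// Writer that refuses to go past the capacity it was given.
class BoundedWriter {
public:
    BoundedWriter(char* buf, size_t cap) : buf_(buf), cap_(cap), len_(0) {}
    bool append(const std::string& s) {
        if (s.size() > cap_ - len_) return false;  // would overflow: stop
        std::memcpy(buf_ + len_, s.data(), s.size());
        len_ += s.size();
        return true;
    }
    size_t size() const { return len_; }
private:
    char* buf_;
    size_t cap_;
    size_t len_;
};

// Builds scheme://host/path into a buffer of `capacity` bytes.
// Returns false instead of writing out of bounds.
bool buildSpec(const Parts& p, size_t capacity, std::string& out) {
    std::string buf(capacity, '\0');
    BoundedWriter w(&buf[0], capacity);
    if (!w.append(p.scheme) || !w.append("://") ||
        !w.append(hostToWrite(p)) || !w.append(p.path)) {
        return false;
    }
    buf.resize(w.size());
    out.swap(buf);
    return true;
}

int main() {
    // Constructed input: 100 bytes of 0xB4 (the Latin-1 acute accent, which
    // is not valid UTF-8 on its own) with an empty normalized host.
    const Parts bad = makeParts(std::string(100, '\xB4'), "");
    std::string spec;
    std::printf("flawed capacity: %zu, bytes needed: %zu, overrun: %zu\n",
                flawedCapacity(bad), bytesNeeded(bad), overrun(bad));
    std::printf("bounded write into flawed buffer: %s\n",
                buildSpec(bad, flawedCapacity(bad), spec) ? "ok" : "rejected");
    std::printf("bounded write into exact buffer:  %s\n",
                buildSpec(bad, bytesNeeded(bad), spec) ? "ok" : "rejected");
    return 0;
}
```

With an empty normalized host the overrun in this model is the raw host length minus the 32-byte slack, so a 32-byte host still fits and a 33-byte host is the first to go out of bounds.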
Flags: blocking1.8a2?
OK, I did some digging, and it looks like nsGlobalHistory::MarkPageAsTyped is passed a string that is not UTF-8. This seems to be caused by the fact that nsIBrowserHistory uses |string| to represent URIs. That's very broken, and it should be using AUTF8String whenever passing around URI text. We can work around this bug by patching nsStandardURL::SetSpec to reject input that is not UTF-8, but it seems to me that that doesn't belong there. After all, the API says that UTF-8 should be passed to nsStandardURL::SetSpec. Garbage in equals garbage out. I'd much rather fix the root cause of this problem, which is nsIBrowserHistory. I'll work on a patch...
Component: Networking → History: Global
Summary: crash when a long malformed URL is entered in the Location Bar [@js_CloneFunctionObject] → nsIBrowserHistory corrupts URI strings; use AUTF8String [was: crash when a long malformed URL is entered in the Location Bar [@js_CloneFunctionObject]]
nsIGlobalHistory has the same problem unfortunately, but since it is frozen there is very little we can do about it. thankfully, nsIGlobalHistory2 exists without these problems, and nsIGlobalHistory is deprecated in favor of using nsIGlobalHistory2. fixing nsIBrowserHistory should be straight-forward.
brendan: i was going to reassign it to networking but got distracted. anyway three cheers for frozen interfaces.
Flags: blocking-aviary1.0RC1? → blocking-aviary1.0RC1+
Reproducible on the 1.7 branch, marking blocking1.7.2+ per Brendan.
Status: NEW → ASSIGNED
Flags: blocking1.7.2+
A quick reasonable fix for this might be to make sure that consumers of nsIBrowserHistory (and nsGlobalHistory.cpp itself) use nsIURI::GetAsciiSpec instead of nsIURI::GetSpec before passing the URI as a |string| parameter.
Comment on attachment 153219 [details] [diff] [review] Patch A rev. 1 - a wallpaper I know you're explicitly trying to say length is greater than 0, but could you either cache length or use isempty? :)
Attachment #153219 - Flags: review?(darin)
Attachment #153220 - Flags: review?(darin)
Not going to hold PR but land it if you can.
Flags: blocking-aviary1.0PR-
Flags: blocking-aviary1.0PR+
Flags: blocking-aviary1.0+
Priority: -- → P3
Attached patch v2 patch (obsolete) (deleted) — Splinter Review
This patch fixes the callsites to use nsIURI::asciiSpec instead of nsIURI::spec when passing the URL string to a method that takes a |in string aURL| parameter. There might be other cases in the source tree where this same kind of fix is needed, but this patch fixes the current bug at least.
Attached patch v2.1 patch (obsolete) (deleted) — Splinter Review
more complete version of the patch covering: markPageAsTyped and removePagesFromHost
it's important to note that this patch only avoids sending corrupted data to functions expecting UTF-8 strings. browser history does not support IDN correctly, and this patch doesn't help with that. to support IDN we either need to change nsIBrowserHistory to use AUTF8String or we need to use nsIIDNService to convert from ACE to UTF-16 prior to displaying hostnames to the user in the history window.
Attachment #155182 - Attachment is obsolete: true
Attachment #155183 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #155183 - Flags: review?(cbiesinger)
Flags: blocking1.8a2?
Whiteboard: [patch]
(In reply to comment #26)
>to support IDN we either
> need to change nsIBrowserHistory to use AUTF8String or we need to use
> nsIIDNService to convert from ACE to UTF-16 prior to displaying hostnames to
> the user in the history window.
or we can make it use nsIURI, right?
> or we can make it use nsIURI, right?
sure... that sounds good too.
Comment on attachment 155183 [details] [diff] [review] v2.1 patch xpfe/components/history/src/nsGlobalHistory.cpp - rv = aURI->GetSpec(URISpec); + rv = aURI->GetAsciiSpec(URISpec); .. rv = gRDFService->GetResource(URISpec, getter_AddRefs(url)); Why this change? GetResources takes an utf-8 string: http://lxr.mozilla.org/seamonkey/source/rdf/base/idl/nsIRDFService.idl#48 Or is URISpec used for other stuff too? rv = FindRow(kToken_URLColumn, URISpec.get(), getter_AddRefs(row)); wish I knew what mork takes... fwiw, this patch does not address the summary of this bug as written. can you file a bug on changing nsIBrowserHistory to use nsIURI? I thought I had asked bsmedberg to do that...
Attachment #155183 - Flags: review?(cbiesinger) → review+
> Why this change? GetResources takes an utf-8 string:
sure, but the history database and the nsIBrowserHistory interface expect ASCII URL strings. to keep things consistent i've forced history to only deal with ASCII URL strings.
> Or is URISpec used for other stuff too?
>
> rv = FindRow(kToken_URLColumn, URISpec.get(), getter_AddRefs(row));
> wish I knew what mork takes...
I asked around, and it seems that mork doesn't really care. It just stores bytes. The point of these changes is to ensure that we always work with ASCII URL strings in history land. Ultimately, it would be nice if we actually stored UTF-8 instead, but that is a more involved change.
> fwiw, this patch does not address the summary of this bug as written.
well, i changed the summary... the original bug report was about the crash. i wanted to change the API, and i went down that path, but storing UTF-8 in mork and hence using UTF-8 resources in history land started to get complicated very quickly. i don't have the time to rewrite that much code unfortunately. so, i opted for the simple patch.
> can you file a bug on changing nsIBrowserHistory to use nsIURI? I thought I had
> asked bsmedberg to do that...
sure, i'll file that bug. removing proposed solution from bug summary.
Summary: nsIBrowserHistory corrupts URI strings; use AUTF8String [was: crash when a long malformed URL is entered in the Location Bar [@js_CloneFunctionObject]] → nsIBrowserHistory corrupts URI strings [was: crash when a long malformed URL is entered in the Location Bar [@js_CloneFunctionObject]]
bug 254332 filed about making nsIBrowserHistory pass URL strings in a sane way.
Comment on attachment 155183 [details] [diff] [review] v2.1 patch So, was this patch supposed to break IDN in history?
> So, was this patch supposed to break IDN in history?
are you saying that it used to work? hmm... best case i can imagine with current code is partial support for IDN in history, but yeah... after a quick testcase I see that non-ASCII text does indeed make its way into history. ok, maybe a better patch is needed then.
we could just make this interface take nsIURI, get the utf-8 spec off it, store that in the mork db, and hope for the best...
> we could just make this interface take nsIURI, get the utf-8 spec off it, store
> that in the mork db, and hope for the best...
I will try to do something like that. My concern is what happens when the UTF-8 URL string is taken out of mork and compared to other things. We have to fix-up all the APIs and callers, but maybe that won't be too bad. /me gives it a try...
hmm, does this interface expose stuff via other interfaces than nsIGlobalHistory and nsIBrowserHistory?
(In reply to comment #36)
>hmm, does this interface expose stuff via other interfaces than
>nsIGlobalHistory and nsIBrowserHistory?
The global history component also implements rdf and autocomplete...
Attachment #155183 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #153219 - Attachment is obsolete: true
Attachment #153219 - Flags: review?(darin)
Attachment #153220 - Attachment is obsolete: true
Attachment #153220 - Flags: review?(darin)
Attached patch v3 patch (deleted) — Splinter Review
OK, biesi convinced me to go for the interface change. I did so, and in the process I stumbled upon a charset conversion bug in the XUL template code that started (or perhaps was) affecting the history code.
Attachment #155183 - Attachment is obsolete: true
Attachment #155330 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #155330 - Flags: review?(cbiesinger)
Attachment #155330 - Flags: superreview?(neil.parkwaycc.co.uk) → superreview+
Blocks: 254671
Comment on attachment 155330 [details] [diff] [review] v3 patch you should probably announce this in some newsgroup, in case extensions use this interface... not sure which one, though... xpfe/components/history/src/nsGlobalHistory.cpp +nsGlobalHistory::RemovePageInternal(const char *aSpec) +{ + mdb_err err; + nsresult rv; +nsGlobalHistory::MarkPageAsTyped(nsIURI *aURI) { + nsresult rv; nit: move rv decl to where it is first used? + if (NS_FAILED(rv)) return rv; nit: return on a different line, to allow single-stepping to it/setting breakpoints at it? nevermind, doesn't seem to be the style of the file toolkit/components/history/src/nsGlobalHistory.cpp same rv nit len = PL_strlen(p); value = p; - + if (aProperty == kNC_Hostname) no need to add trailing whitespace :) browser/components/migration/src/nsIEProfileMigrator.cpp - nsCOMPtr<nsIURI> uri(do_CreateInstance("@mozilla.org/network/standard-url;1")); thanks! + nsAutoString urlTitle; urlTitle.AssignWithConversion(url); I know you just copied this, but would CopyUTF8toUTF16 be better? + ios->NewURI(nsDependentCString((const char *) data, nsnull, nsnull, + getter_AddRefs(uri)); I think you forgot a ) here, after data Thank you for making the patch! r=biesi
Attachment #155330 - Flags: review?(cbiesinger) → review+
fixed-on-trunk w/ suggested tweaks.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Comment on attachment 155330 [details] [diff] [review] v3 patch This would be a good patch to take on the 1.7 and aviary branches. It is moderately complex, but fairly straightforward. It makes history work with intl domain names, and it fixes a critical crash.
Attachment #155330 - Flags: approval1.7.3?
Attachment #155330 - Flags: approval-aviary?
Sell this to me. This is a big patch. Does the crash happen on 1.7? Or just the corruption?
*** Bug 254671 has been marked as a duplicate of this bug. ***
> Does the crash happen on 1.7? Or just the corruption?
The heap is potentially corrupted. This can happen on the 1.7 and the aviary branches. We can protect against the heap corruption with a one line patch (see 256316). The patch in this bug makes history work properly with intl domain names as well as fix the heap corruption.
better to get big patches in earlier + for PR
Flags: blocking-aviary1.0PR- → blocking-aviary1.0PR+
Comment on attachment 155330 [details] [diff] [review] v3 patch let's do it a=mkaply for 1.7 and aviary
Attachment #155330 - Flags: approval1.7.3?
Attachment #155330 - Flags: approval1.7.3+
Attachment #155330 - Flags: approval-aviary?
Attachment #155330 - Flags: approval-aviary+
fixed-aviary1.0
Keywords: fixed-aviary1.0
fixed1.7.3
Keywords: fixed1.7.3
FYI the galeon folks had to make changes because of this. Should we have put this on the branch with the interface change?
I haven't actually made the change yet, I'm waiting to see if it remains on the branch. FWIW, it causes more problems in the ephy 1.2 branch where each moz release is assigned a number, and everything has to be re-numbered when an API change is inserted in the middle.
Can't galeon & epiphany use QueryInterface to get around the problem? Or, if they need to implement the interface, implement both the new and the old interfaces. That said, yeah... I was aware of the possibility of the interface change causing trouble. I had hoped that this interface wouldn't be in use by embedders. I should have checked w/ galeon & epiphany. FWIW, I did post a comment concerning this interface change to n.p.m.embedding: http://groups.google.com/groups?q=nsIBrowserHistory&hl=en&lr=&ie=UTF-8&selm=mailman.1092086640.28020.mozilla-embedding%40mozilla.org&rnum=3 At the time of that message, I did not know for sure if this change would hit the stable branches, but I did mention the possibility of that happening.
Both Galeon and Epiphany implement the changed interface for >= 1.8a3, and would need to add extra #ifdef's around the change if it remains on the 1.7 branch. Thought for the day, what is the point in a stable branch if interfaces change on it?
> Thought for the day, what is the point in a stable branch if interfaces change
> on it?
Obvious answer: to fix bugs that increase stability on the branch. You implement a non-frozen interface, you take your changes. Sorry, but the only consideration for this case is whether this bug is important to fix for 1.7.x. Unfrozen API changes are fair game on any branch in order to fix stability bugs. /be
Crispin: Why don't you implement both interfaces? Why #ifdef when you can use QueryInterface to support both interfaces? The interface UUIDs changed, so you can support both interfaces even if the Mozilla you are using only uses one of them. As for interface changes on a stable branch, we generally try to avoid doing so as much as possible. However, there are exceptions such as this bug where a critical bug fix includes a change to a private interface.
Crash Signature: [@js_CloneFunctionObject]]
Product: Core → Core Graveyard