Closed Bug 306319 Opened 19 years ago Closed 14 years ago

Someone forgot to call xptiWorkingSet::isValid, resulting in crashes [@ SearchTable]

Categories

(Core :: XPCOM, defect)

x86
All
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: dewildt, Unassigned)

Details

(Keywords: crash, helpwanted, Whiteboard: [needs code sleuthing to figure out who forgot to call xptiWorkingSet::isValid][tbird crash])

Crash Data

OOM checks in xptiWorkingSet::xptiWorkingSet are missing (see URL). I found this one when searching for crashes matching criteria of meta bug 211260.

talkback ID 8818658

SearchTable [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/xpcom/ds/pldhash.c, line 371]
PL_DHashTableOperate [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/xpcom/ds/pldhash.c, line 500]
xptiInterfaceInfoManager::GetInfoForName [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/xpcom/reflect/xptinfo/src/xptiInterfaceInfoManager.cpp, line 1749]
XPC_WN_Helper_NewResolve [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1414]
js_LookupPropertyWithFlags [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2509]
js_LookupProperty [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2607]
js_GetProperty [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2713]
XPC_WN_JSOp_Safe_GetProperty [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1297]
js_Interpret [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 2829]
js_Execute [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1176]
JS_ExecuteScript [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 3540]
nsXULDocument::ExecuteScript [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/content/xul/document/src/nsXULDocument.cpp, line 3315]
nsXULDocument::ResumeWalk [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/content/xul/document/src/nsXULDocument.cpp, line 2854]
nsXULDocument::CachedChromeStreamListener::OnStopRequest [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/content/xul/document/src/nsXULDocument.cpp, line 4208]
nsCachedChromeChannel::HandleStopLoadEvent [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/chrome/src/nsChromeProtocolHandler.cpp, line 477]
0x778b0c24
nsMathMLChar::Stretch [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/mathml/base/src/nsMathMLChar.cpp, line 1670]
`nsIDOMAttr::GetIID'::`2'::iid

The OOM checks are done in "IsValid()". I assume that somewhere else this check is missing. "xptiInterfaceInfoManager::GetInfoForName" uses mWorkingSet, which is a member variable of xptiInterfaceInfoManager. "mWorkingSet.IsValid()" is called in xptiInterfaceInfoManager's "IsValid()" and this is called in "GetInterfaceInfoManagerNoAddRef()".
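
The construct-then-validate pattern described in the comment above, as an added example that is not part of the original bug report and is not Mozilla's code. WorkingSet, Manager, the failAlloc switch and the return codes are hypothetical stand-ins, and a fixed array replaces the real hash table.

```cpp
#include <cstddef>
#include <cstring>
#include <new>

// Illustrative stand-ins only; not Mozilla's xptinfo code.
constexpr std::size_t kCap = 8;
constexpr int kNotFound = -1, kNoMemory = -2;
struct Entry { const char* name; int id; };

class WorkingSet {
public:
    // failAlloc simulates the table allocation returning null under OOM.
    explicit WorkingSet(bool failAlloc)
        : mTable(failAlloc ? nullptr : new (std::nothrow) Entry[kCap]()) {}
    WorkingSet(const WorkingSet&) = delete;
    ~WorkingSet() { delete[] mTable; }
    // A constructor cannot return an error, so failure is reported here.
    bool IsValid() const { return mTable != nullptr; }
    Entry* Table() const { return mTable; }
private:
    Entry* mTable;
};

class Manager {
public:
    explicit Manager(bool failAlloc) : mWorkingSet(failAlloc) {}
    bool IsValid() const { return mWorkingSet.IsValid(); }
    bool Add(const char* name, int id) {
        if (!IsValid()) return false;          // guard before touching the table
        for (std::size_t i = 0; i < kCap; ++i) {
            Entry& e = mWorkingSet.Table()[i];
            if (!e.name) { e.name = name; e.id = id; return true; }
        }
        return false;                          // table full
    }
    // Every entry point re-validates. Without this guard the loop below
    // would dereference a null table when construction hit OOM.
    int GetInfoForName(const char* name) const {
        if (!IsValid()) return kNoMemory;
        for (std::size_t i = 0; i < kCap && mWorkingSet.Table()[i].name; ++i) {
            const Entry& e = mWorkingSet.Table()[i];
            if (std::strcmp(e.name, name) == 0) return e.id;
        }
        return kNotFound;
    }
private:
    WorkingSet mWorkingSet;
};
int main() { Manager oom(true); return oom.GetInfoForName("nsISupports") == kNoMemory ? 0 : 1; }
```

Checking validity inside each method that touches the table, rather than only in the accessor that hands out the manager, means a caller that obtained the object by another path still cannot reach the null table.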
Depends on: 309430
can you make a patch to fix the problem?
looks like a dup of bug 304680
rkaa: no it isn't.
Keywords: helpwanted
mass reassigning to nobody.
Assignee: dougt → nobody
Summary: OOM crash: Result of XPT_NewArena and PL_NewDHashTable are not checked [@xptiWorkingSet::xptiWorkingSet] → Someone forgot to call xptiWorkingSet::isValid, resulting in crashes [@ SearchTable]
Whiteboard: [needs code sleuthing to figure out who forgot to call xptiWorkingSet::isValid]
Is xptiInterfaceInfoManager::GetInfoForName required to be on the stack for this crash? If not, is bp-da3454ad-51fd-4515-abcf-c48282110208 an example?

0 xul.dll SearchTable obj-firefox/xpcom/build/pldhash.c:432
1 xul.dll xul.dll@0x182d7f
2 xul.dll PL_DHashTableOperate obj-firefox/xpcom/build/pldhash.c:625
3 xul.dll gfxWindowsPlatform::ResolveFontName gfx/thebes/src/gfxWindowsPlatform.cpp:533
4 aclayers.dll aclayers.dll@0x3e3fe
5 xul.dll gfxWindowsPlatform::InitBadUnderlineList gfx/thebes/src/gfxWindowsPlatform.cpp:491
6 xul.dll gfxWindowsPlatform::UpdateFontList gfx/thebes/src/gfxWindowsPlatform.cpp:442
7 xul.dll FontEntry::InitializeFontEmbeddingProcs gfx/thebes/src/gfxWindowsFonts.cpp:405
8 @0x73cdffff
9 xul.dll gfxWindowsPlatform::gfxWindowsPlatform gfx/thebes/src/gfxWindowsPlatform.cpp:133
10 xul.dll gfxPlatform::Init gfx/thebes/src/gfxPlatform.cpp:172

FWIW, 80-90% of comments are non-English https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=SearchTable&date=02%2F14%2F2011%2003%3A50%3A03&range_value=2&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=SearchTable (though probably not all stacks are this bug)
Keywords: crash
Whiteboard: [needs code sleuthing to figure out who forgot to call xptiWorkingSet::isValid] → [needs code sleuthing to figure out who forgot to call xptiWorkingSet::isValid][tbird crash]
wsmwk: yeah, SearchTable can crash because any of its consumers screwed up, but the fault is in the consumer. You need a bug relating to gfxWindowsPlatform::ResolveFontName.
filed Bug 633927 - crash [@ SearchTable] - [@ PL_DHashTableOperate] - [@ gfxWindowsPlatform::ResolveFontName]
This code has been significantly reworked since this bug was filed, and I believe that all the OOM conditions have been taken care of.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ SearchTable]