Closed Bug 203947 Opened 22 years ago Closed 22 years ago

Creating '@mozilla.org/xmlextras/proxy/webserviceproxy;1' or '@mozilla.org/xmlextras/proxy/webservicepropertybagwrapper;1' crashes in xpcshell

Categories

(Core Graveyard :: Web Services, defect)

x86
Linux
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: timeless, Assigned: harishd)

Details

(Keywords: crash)

Attachments

(1 file)

#1 0x40220495 in nsMemory::Clone (ptr=0x0, size=16) at /mnt/ibm/mozhack/mozilla/xpcom/glue/nsMemory.cpp:127
127 memcpy(newPtr, ptr, size);
#0 0x403bfcf7 in memcpy () from /lib/libc.so.6
#1 0x40220495 in nsMemory::Clone (ptr=0x0, size=16) at /mnt/ibm/mozhack/mozilla/xpcom/glue/nsMemory.cpp:127
#2 0x4066e17e in WSPProxy::GetInterfaces (this=0x80e13c0, count=0xbfffd3e4, array=0xbfffd3ec) at /mnt/ibm/mozhack/mozilla/extensions/webservices/proxy/src/wspproxy.cpp:1234
#3 0x4052982d in XPCNativeSet::GetNewOrUsed (ccx=@0xbfffd660, classInfo=0x80e13c8) at /mnt/ibm/mozhack/mozilla/js/src/xpconnect/src/xpcwrappednativeinfo.cpp:564
#4 0x40530f49 in XPCWrappedNativeProto::GetNewOrUsed (ccx=@0xbfffd660, Scope=0x80da9f8, ClassInfo=0x80e13c8, ScriptableCreateInfo=0xbfffd5b8, ForceNoSharing=0) at /mnt/ibm/mozhack/mozilla/js/src/xpconnect/src/xpcwrappednativeproto.cpp:211
#5 0x4051e393 in XPCWrappedNative::GetNewOrUsed (ccx=@0xbfffd660, Object=0x80e13c0, Scope=0x80da9f8, Interface=0x80c3e10, resultWrapper=0xbfffd600) at /mnt/ibm/mozhack/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:348
#6 0x404fc7fa in XPCConvert::NativeInterface2JSObject (ccx=@0xbfffd660, dest=0xbfffd7a0, src=0x80e13c0, iid=0xbfffd7b8, scope=0x8097db8, pErr=0xbfffd65c) at /mnt/ibm/mozhack/mozilla/js/src/xpconnect/src/xpcconvert.cpp:1058
#7 0x404dff58 in nsXPConnect::WrapNative (this=0x80a5ec0, aJSContext=0x80c1dd8, aScope=0x8097db8, aCOMObj=0x80e13c0, aIID=@0xbfffd7b8, _retval=0xbfffd7a0) at /mnt/ibm/mozhack/mozilla/js/src/xpconnect/src/nsXPConnect.cpp:570
#8 0x4050764f in nsJSCID::CreateInstance (this=0x80dfbe8, _retval=0xbfffda18) at /mnt/ibm/mozhack/mozilla/js/src/xpconnect/src/xpcjsid.cpp:799
#9 0x40202540 in XPTC_InvokeByIndex () from ./libxpcom.so
#10 0x405232c9 in XPCWrappedNative::CallMethod (ccx=@0xbfffdad0, mode=CALL_METHOD) at /mnt/ibm/mozhack/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2023
#11 0x4052f12e in XPC_WN_CallMethod (cx=0x80c1dd8, obj=0x8097db8, argc=0, argv=0x80dc318, vp=0xbfffdc10) at /mnt/ibm/mozhack/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1284
#12 0x4006235b in js_Invoke (cx=0x80c1dd8, argc=0, flags=0) at /mnt/ibm/mozhack/mozilla/js/src/jsinterp.c:843
#13 0x400716b2 in js_Interpret (cx=0x80c1dd8, result=0xbffff6ac) at /mnt/ibm/mozhack/mozilla/js/src/jsinterp.c:2834
#14 0x40062b8a in js_Execute (cx=0x80c1dd8, chain=0x80974c0, script=0x80dc240, down=0x0, special=0, result=0xbffff6ac) at /mnt/ibm/mozhack/mozilla/js/src/jsinterp.c:1038
#15 0x4002fee7 in JS_ExecuteScript (cx=0x80c1dd8, obj=0x80974c0, script=0x80dc240, rval=0xbffff6ac) at /mnt/ibm/mozhack/mozilla/js/src/jsapi.c:3373
#16 0x0804b668 in Process (cx=0x80c1dd8, obj=0x80974c0, filename=0x0, filehandle=0x40313e40) at /mnt/ibm/mozhack/mozilla/js/src/xpconnect/shell/xpcshell.cpp:492
#17 0x0804bbf5 in ProcessArgs (cx=0x80c1dd8, obj=0x80974c0, argv=0xbffff848, argc=0) at /mnt/ibm/mozhack/mozilla/js/src/xpconnect/shell/xpcshell.cpp:640
#18 0x0804cb4e in main (argc=0, argv=0xbffff848) at /mnt/ibm/mozhack/mozilla/js/src/xpconnect/shell/xpcshell.cpp:973
#19 0x4036217d in __libc_start_main () from /lib/libc.so.6

mIID is null, which is its initial value. Confirmed with people on irc, originally detected as a hang on raistlin-BeOS and a crash on boffo-linux-tinderbox.
whoops, steps to reproduce:
./run-mozilla.sh ./xpcshell
Components.classes['@mozilla.org/xmlextras/proxy/webserviceproxy;1'].createInstance()
<crash>
Summary: Components.classes['@mozilla.org/xmlextras/proxy/webserviceproxy;1'].createInstance() crashes in xpcshell → Components.classes['@mozilla.org/xmlextras/proxy/webserviceproxy;1'].createInstance() crashes in xpcshell
js> Components.classes['@mozilla.org/xmlextras/proxy/webservicepropertybagwrapper;1'].createInstance()
Program received signal SIGSEGV, Segmentation fault.
0x403bfcf7 in memcpy () from /lib/libc.so.6
(gdb) where
#0 0x403bfcf7 in memcpy () from /lib/libc.so.6
#1 0x40220495 in nsMemory::Clone (ptr=0x0, size=16) at /mnt/ibm/mozhack/mozilla/xpcom/glue/nsMemory.cpp:127
#2 0x4067982f in WSPPropertyBagWrapper::GetInterfaces (this=0x80e13e8, count=0xbfffd3e4, array=0xbfffd3ec) at /mnt/ibm/mozhack/mozilla/extensions/webservices/proxy/src/wsppropertybagwrapper.cpp:219
Summary: Components.classes['@mozilla.org/xmlextras/proxy/webserviceproxy;1'].createInstance() crashes in xpcshell → Creating '@mozilla.org/xmlextras/proxy/webserviceproxy;1' or '@mozilla.org/xmlextras/proxy/webservicepropertybagwrapper;1' crashes in xpcshell
Could be a side effect of bug 203434? Will investigate. Btw, I'll soon be replacing the contractID @mozilla.org/xmlextras/proxy/webserviceproxy with @mozilla.org/webservices/proxy/webserviceproxy
Status: NEW → ASSIGNED
Attachment #122181 - Flags: superreview?(heikki)
Attachment #122181 - Flags: review?(harishd)
Comment on attachment 122181, patch from rginda
r=harishd. But why is mIID null?
Attachment #122181 - Flags: review?(harishd) → review+
Comment on attachment 122181, patch from rginda
This feels like a hacky fix. Please add assertions at least if !mIID so that we can track down the real issue later. sr=heikki
Attachment #122181 - Flags: superreview?(heikki) → superreview+
Comment on attachment 122181, patch from rginda
This is a low risk guard against an xpcom component which is unsafe for xpconnect. Any xpconnect based consumer which tries to create this object *will crash* without this patch or some other patch to make getinterfaces safe.

To address heikki's concern: Yes, it is really hacky, because the GetInterfaces code is really broken :)

Here's a timeline of what happens for a xpconnect consumer:

* jsobject calls createInstance
 \[xpconnect]
 |* xpcom creates the object
 \* xpconnect calls getinterfaces because it needs info about the object before it can finish wrapping the object.
  \ <crash here> in getinterfaces
* jsobject gets the object and calls Init()
 \* Init() sets the mIID
* jsobject calls getinterfaces just because it wants to show that
 \ <it would be safe here> in getinterfaces

Questions/concerns about the xpconnect side of things are probably best addressed to dbradley. Questions about how to correctly implement nsIClassInfo should probably be addressed to jst/peterv.
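
The ordering problem in the timeline above, reduced to a stand-alone C++ model of an object whose GetInterfaces is queried before Init() has set mIID. This is an added example, not the patch attached to this bug and not Mozilla source: `Proxy`, `IID`, `Clone`, `Seen` and `RunTimeline` are hypothetical stand-ins, and returning an empty interface list while mIID is unset is an assumed guard behaviour.

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>

struct IID { std::uint8_t b[16]; };  // stand-in for nsIID; 16 bytes, as in the trace

// Stand-in for nsMemory::Clone: allocates, then memcpy()s from ptr unchecked.
static void* Clone(const void* ptr, std::size_t size) {
    void* p = std::malloc(size);
    if (p) std::memcpy(p, ptr, size);  // faults here when ptr is null
    return p;
}

class Proxy {  // hypothetical stand-in for WSPProxy / WSPPropertyBagWrapper
    IID* mIID = nullptr;  // stays null until Init(), as the report observes
public:
    ~Proxy() { std::free(mIID); }
    void Init(const IID& iid) {
        if (!mIID) mIID = static_cast<IID*>(std::malloc(sizeof(IID)));
        if (mIID) *mIID = iid;
    }
    // Guarded form (assumed behaviour): empty list while mIID is unset; false on OOM.
    bool GetInterfaces(std::uint32_t* count, IID*** array) const {
        *count = 0; *array = nullptr;
        if (!mIID) return true;  // without this check, Clone(nullptr, 16) runs
        IID** list = static_cast<IID**>(std::malloc(sizeof(IID*)));
        if (!list) return false;
        list[0] = static_cast<IID*>(Clone(mIID, sizeof(IID)));
        if (!list[0]) { std::free(list); return false; }
        *count = 1; *array = list;
        return true;
    }
};
struct Seen { std::uint32_t before, after; bool copied; };

// Replays the timeline: query at wrapping time (before Init), then after Init.
Seen RunTimeline() {
    Proxy p;
    std::uint32_t n = 99; IID** list = nullptr;
    p.GetInterfaces(&n, &list);          // wrapper-time call, mIID still null
    Seen s{n, 0, false};
    IID iid{}; iid.b[0] = 0xAB;          // constructed sample IID
    p.Init(iid);
    p.GetInterfaces(&n, &list);          // the point marked safe in the timeline
    s.after = n;
    s.copied = list && list[0]->b[0] == 0xAB;
    if (list) { std::free(list[0]); std::free(list); }
    return s;
}
int main() { Seen s = RunTimeline(); return (s.before == 0 && s.after == 1 && s.copied) ? 0 : 1; }
```
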
Attachment #122181 - Flags: approval1.4b?
Comment on attachment 122181, patch from rginda
a=sspitzer, but this could have waited for 1.5
Attachment #122181 - Flags: approval1.4b? → approval1.4b+
checked in
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Product: Core → Core Graveyard