Closed Bug 295101 Opened 19 years ago Closed 19 years ago

crash at select node -Trunk [@ XPCWrappedNativeScope::RemoveWrappedNativeProtos 32ac0b94 ] [@JS_GetClass]

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: Peter6, Assigned: dbradley)

References

Details

(Keywords: crash, regression, topcrash)

Crash Data

Attachments

(3 files)

Talkback data (stack trace)
2.36 KB, text/plain
Details
Fix crashes due to lack of marking code in the new XPCNativeWrapper implementation.
7.48 KB, patch
brendan
: review+
brendan
: superreview+
brendan
: approval1.8b2+
Details | Diff | Splinter Review
Don't leave *pobj2 dangling
926 bytes, patch
bzbarsky
: review+
bzbarsky
: superreview+
brendan
: approval1.8b2+
Details | Diff | Splinter Review 
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050521
Firefox/1.0+ ID:2005052113

1.Open FF
2.Open Domi
3.press "find node to inspect" 
4.crash

TB6032715H
repro steps are wrong

1.Open FF
2.Open DoMi
3.go to File->Inspect a Window and selectct the current page
4.press "find node to inspect" 
5.crash
*** Bug 295106 has been marked as a duplicate of this bug. ***
Component: DOM Inspector → XPConnect
Product: Other Applications → Core
Version: unspecified → Trunk
Assignee: dom-inspector → dbradley
QA Contact: timeless → pschwartau
Or if you want it in BuildID terms

WFM Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050521
Firefox/1.0+ ID:2005052104

CRASH Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050521
Firefox/1.0+ ID:2005052110
Keywords: crash
Confirmed on Mac OS X.
Only if I use the Tools menu to open the Inspector.

Opening the DomI with the keyboard shortcut (command+shift+I) works correctly. I
can select nodes to inspect from the front-most document or selected window.
But the highlight of a node (blinking border) doesn't work.
Brendan, when we're wrapping here the |scope| object that comes through has:

  (gdb) p obj->map->ops
  $3 = (JSObjectOps *) 0xa

The stack I see is:

#6  0xb7f3c1c9 in JS_GetClass (cx=0xb2af8ba8, obj=0xbfffdd68)
    at ../../../mozilla/js/src/jsapi.c:2039
#7  0xb79c2cde in GetScopeOfObject (cx=0xb2af8ba8, obj=0xbfffdd68)
    at ../../../../../mozilla/js/src/xpconnect/src/xpcwrappednativescope.cpp:504
#8  0xb79c2e73 in XPCWrappedNativeScope::FindInJSObjectScope (ccx=@0xbfffdd10, 
    obj=0xbfffdd68, OKIfNotInitialized=0)
    at ../../../../../mozilla/js/src/xpconnect/src/xpcwrappednativescope.cpp:572
#9  0xb798f31f in XPCConvert::NativeInterface2JSObject (ccx=@0xbfffdd10, 
    dest=0xbfffda40, src=0xb29f9c20, iid=0xbfffdb60, scope=0xbfffdd68, 
    allowNativeWrapper=1, pErr=0xbfffdb5c)
    at ../../../../../mozilla/js/src/xpconnect/src/xpcconvert.cpp:1052
#10 0xb798e299 in XPCConvert::NativeData2JS (ccx=@0xbfffdd10, d=0xbfffdaf8, 
    s=0xbfffdc50, type=@0xbfffdb03, iid=0xbfffdb60, scope=0xbfffdd68,
pErr=0xbfffdb5c)
    at ../../../../../mozilla/js/src/xpconnect/src/xpcconvert.cpp:466
#11 0xb79b5b05 in XPCWrappedNative::CallMethod (ccx=@0xbfffdd10, mode=CALL_METHOD)
    at ../../../../../mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2181
#12 0xb79bf939 in XPC_WN_CallMethod (cx=0xb2af8ba8, obj=0x8518560, argc=1, 
    argv=0xb29f5244, vp=0xbfffdec0)

(coming off a setTimeout).

Any idea what could be going on here?  My first guess is that we're ending up
with an already-gc'd object somehow...
Severity: normal → critical
Keywords: crash
OS: Windows 2000 → All
Hardware: PC → All
Blocks: 295090
Note that installing session saver and opening about:config (bug 295106) seems
like a very quick and reliable way to reproduce...
Not sure if this fixes *this* crash, but it does fix a couple of crashes I
found when running with TOO_MUCH_GC enabled in the JS engine. Probably worth
landing just to see if this crash is due to the same problem or not.
Attachment #184287 - Flags: superreview?(bzbarsky)
Attachment #184287 - Flags: review?(bzbarsky)
Comment on attachment 184287 [details] [diff] [review]
Fix crashes due to lack of marking code in the new XPCNativeWrapper implementation.

r+sr+a=me, bz can specify further changes tomorrow, but please get this in for
the respins!  Thanks,

/be
Attachment #184287 - Flags: superreview?(bzbarsky)
Attachment #184287 - Flags: superreview+
Attachment #184287 - Flags: review?(bzbarsky)
Attachment #184287 - Flags: review+
Attachment #184287 - Flags: approval1.8b2+
Blocks: 295215
Blocks: 295195
Blocks: 295200
I checked in jst's patch at 7:07 pacific, so it should make the respins.  It
doesn't fix the crash in this bug for me (or the other bugs this blocks),
though.  :(

Bug 295200 has a nice simple testcase, fwiw.  I'll try debugging some more in an
hour or so.
It seems that the crash happens only if ShouldBypassNativeWrapper returns true.
 If I make it always return false, no crash.

Are we possibly calling functions with the wrong |this| object?  Could that
cause issues?
Attachment #184324 - Flags: superreview?(bzbarsky)
Attachment #184324 - Flags: review?(bzbarsky)
Comment on attachment 184324 [details] [diff] [review]
Don't leave *pobj2 dangling

r+sr=bzbarsky, brendan said a= on irc.
Attachment #184324 - Flags: superreview?(bzbarsky)
Attachment #184324 - Flags: superreview+
Attachment #184324 - Flags: review?(bzbarsky)
Attachment #184324 - Flags: review+
Attachment #184324 - Flags: approval1.8b2+
OK, that patch fixes this crash, and bug 295090, bug 295195, bug 295200, bug
295215.  And it's in.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Keywords: topcrash
Summary: crash at select node [@ XPCWrappedNativeScope::RemoveWrappedNativeProtos 32ac0b94 ] → crash at select node -Trunk [@ XPCWrappedNativeScope::RemoveWrappedNativeProtos 32ac0b94 ] [@JS_GetClass]
Crash Signature: [@ XPCWrappedNativeScope::RemoveWrappedNativeProtos 32ac0b94 ] [@JS_GetClass]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: