Closed Bug 752340 Opened 12 years ago Closed 12 years ago

js::FunctionProxyClass needs a finalizer

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla16
Tracking Flags:
Tracking Status
firefox13 --- unaffected
firefox14 --- unaffected
firefox15 + verified
firefox16 + verified
firefox-esr10 --- unaffected

People

(Reporter: bc, Assigned: mccr8)

References

(
URL
)

Details

(5 keywords, Whiteboard: [sg:critical][advisory-tracking-] regressed around 5/5)

Crash Data

Attachments

(5 files, 1 obsolete file)

summary of results
5.74 KB, text/html
Details
bisection blame changesets
1.52 KB, text/plain
Details
Testcase mochitest
2.52 KB, patch
Details | Diff | Splinter Review
use finalizer for FunctionProxyClass
1.07 KB, patch
jorendorff
: review+
akeybl
: approval-mozilla-aurora+
Details | Diff | Splinter Review
check that swap preserves finalizerness
1.24 KB, patch
mccr8
: review+
akeybl
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
1. http://de.futbol24.com/national/Algeria/Algerian-Cup/2011-2012/
   http://www.futbol24.com/team/Germany/1FC-Koln/
2. Shutdown
3. Crash | Assert

s-s due to 0xda in edx/crash address on Windows. This could be XPConnect or Plugins even but I'm putting in JS for now due to the GC related issues.

Mac Nightly [@ XPCWrappedNative::GetUsedOnly ] 
bp-8a6c1947-5971-49fb-b457-f1cc42120506
bp-76602895-fcb6-4a2f-8b97-763312120506
 
Linux Nightly

[@ XPCWrappedNative::GetUsedOnly ] 
bp-33368303-f3fd-4146-b816-dd52e2120506

[@ js::IsIncrementalBarrierNeededOnObject ] 
bp-aa6a4d60-b85e-4626-bfb2-d7e742120506

Windows/Mac/Linux Debug

Assertion failure: allocated(), at ../../../dist/include/gc/Heap.h:596
Operating system: Linux
                  0.0.0 Linux 2.6.32-220.13.1.el6.x86_64 #1 SMP Thu Mar 29 11:46:40 EDT 2012 x86_64
CPU: amd64
     family 6 model 37 stepping 1
     2 CPUs

Crash reason:  SIGABRT
Crash address: 0x1ff000053a8

Thread 0 (crashed)
 0  libpthread-2.12.so + 0xf36b
    rbx = 0x0000000000000001   r12 = 0x0000000000000000
    r13 = 0x00007fe3b62c60bd   r14 = 0x0000000000000000
    r15 = 0x0000000000000000   rip = 0x0000003f0a20f36b
    rsp = 0x00007fff6e056188   rbp = 0x00007fff6e0561a0
    Found by: given as instruction pointer in context
 1  libxul.so!js::gc::ArenaHeader::getThingSize [Heap.h : 596 + 0x21]
    rip = 0x00007fe3b54236d3   rsp = 0x00007fff6e056190
    Found by: stack scanning
 2  libxul.so!js::gc::AssertValidColor [Heap.h : 917 + 0xe]
    rip = 0x00007fe3b72c1049   rsp = 0x00007fff6e0561b0
    Found by: stack scanning
 3  libxul.so!nsGenericElement::InitCCCallbacks [nsGenericElement.cpp : 4949 + 0x1]
    rip = 0x00007fe3b59c1336   rsp = 0x00007fff6e0561e0
    Found by: stack scanning
 4  0x7fff6e0561ff
    rip = 0x00007fff6e056200   rsp = 0x00007fff6e0561e8
    rbp = 0x00007fe3b59c1336
    Found by: call frame info
 5  libxul.so!js::gc::Cell::isMarked [Heap.h : 947 + 0x10]
    rip = 0x00007fe3b72c10a0   rsp = 0x00007fff6e0561f0
    Found by: stack scanning
 6  libxul.so!js::GCThingIsMarkedGray [jsfriendapi.cpp : 464 + 0x10]
    rip = 0x00007fe3b72c2715   rsp = 0x00007fff6e056210
    Found by: stack scanning
 7  libxul.so!xpc_IsGrayGCThing [xpcpublic.h : 163 + 0xb]
    rip = 0x00007fe3b5909b60   rsp = 0x00007fff6e056230
    Found by: stack scanning
 8  libxul.so!nsWrapperCache::IsBlack [nsWrapperCacheInlines.h : 57 + 0xb]
    rip = 0x00007fe3b5909b95   rsp = 0x00007fff6e056250
    Found by: stack scanning
 9  libxul.so!nsGenericElement::CanSkip [nsGenericElement.cpp : 4874 + 0xf]
    rip = 0x00007fe3b59c100f   rsp = 0x00007fff6e056280
    Found by: stack scanning


also Windows Debug hit what appears to be deleted memory

Windows
Operating system: Windows NT
                  5.1.2600 Service Pack 3
CPU: x86
     GenuineIntel family 6 model 37 stepping 1
     1 CPU

Crash reason:  EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0xffffffffdadadada

Thread 0 (crashed)
 0  xul.dll!js::GetObjectClass(JSObject const *) [jsfriendapi.h : 366 + 0x7]
    eip = 0x01b2a1ca   esp = 0x0012cee0   ebp = 0x0012cee0   ebx = 0x00000001
    esi = 0x00000080   edi = 0x0022afd8   eax = 0x0e1a4f10   ecx = 0x0e1a4fb0
    edx = 0xdadadada   efl = 0x00210202
    Found by: given as instruction pointer in context
 1  xul.dll!DebugCheckWrapperClass(JSObject *) [xpcpublic.h : 101 + 0x8]
    eip = 0x01b2a41c   esp = 0x0012cee8   ebp = 0x0012ceec
    Found by: call frame info
 2  xul.dll!XPCWrappedNative::GetUsedOnly(XPCCallContext &,nsISupports *,XPCWrappedNativeScope *,XPCNativeInterface *,XPCWrappedNative * *) [XPCWrappedNative.cpp : 864 + 0xe]
    eip = 0x023961a9   esp = 0x0012cef4   ebp = 0x0012cf2c
    Found by: call frame info
 3  xul.dll!nsXPConnect::GetWrappedNativeOfNativeObject(JSContext *,JSObject *,nsISupports *,nsID const &,nsIXPConnectWrappedNative * *) [nsXPConnect.cpp : 1526 + 0x29]
    eip = 0x02347d8c   esp = 0x0012cf34   ebp = 0x0012d018
    Found by: call frame info
 4  xul.dll!nsJSNPRuntime::OnPluginDestroy(_NPP *) [nsJSNPRuntime.cpp : 2048 + 0x5c]
    eip = 0x026a3d0d   esp = 0x0012d020   ebp = 0x0012d0e8
    Found by: call frame info
 5  xul.dll!nsNPAPIPluginInstance::Stop() [nsNPAPIPluginInstance.cpp : 249 + 0xb]
    eip = 0x02683334   esp = 0x0012d0f0   ebp = 0x0012d164
    Found by: call frame info
 6  xul.dll!nsPluginHost::StopPluginInstance(nsNPAPIPluginInstance *) [nsPluginHost.cpp : 3175 + 0x7]
    eip = 0x0269a569   esp = 0x0012d16c   ebp = 0x0012d1a4
    Found by: call frame info
On http://www.futbol24.com/Live/ I saw additional windows crashes with the 0xda pattern as well as one new one for Mac

###!!! ASSERTION: Forgot to check if this is a wrapper?: 'IS_WRAPPER_CLASS(js::GetObjectClass(obj))', file /work/mozilla/builds/nightly/mozilla/js/xpconnect/src/xpcpublic.h, line 101
Assertion failure: slot < (((GetObjectClass(obj))->flags >> 8) & (((uint32_t)1 << (8)) - 1)), at /work/mozilla/builds/nightly/mozilla/js/src/jsfriendapi.h:439

perating system: Mac OS X
                  10.6.8 10K549
CPU: amd64
     family 6 model 23 stepping 10
     2 CPUs

Crash reason:  EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash address: 0x0

Thread 0 (crashed)
 0  XUL!js::GetReservedSlot [jsfriendapi.h : 439 + 0x3e]
    rbx = 0x0000000101842560   r12 = 0x000000010291b270
    r13 = 0x00007fff5fbf7450   r14 = 0x00000001288e8f10
    r15 = 0x0000000101809730   rip = 0x0000000103a19c3e
    rsp = 0x00007fff5fbf7110   rbp = 0x00007fff5fbf7120
    Found by: given as instruction pointer in context
 1  XUL!XPCWrappedNative::GetUsedOnly [XPCWrappedNative.cpp : 864 + 0x21]
    rbx = 0x0000000101842560   r12 = 0x000000010291b270
    r13 = 0x00007fff5fbf7450   r14 = 0x00000001288e8f10
    r15 = 0x0000000101809730   rip = 0x000000010297829c
    rsp = 0x00007fff5fbf7130   rbp = 0x00007fff5fbf71d0
    Found by: call frame info
 2  XUL!nsXPConnect::GetWrappedNativeOfNativeObject [nsXPConnect.cpp : 1526 + 0x29]
    rbx = 0x0000000101842560   r12 = 0x000000010291b270
    r13 = 0x00007fff5fbf7450   r14 = 0x00000001288e8f10
    r15 = 0x0000000101809730   rip = 0x000000010291b497
    rsp = 0x00007fff5fbf71e0   rbp = 0x00007fff5fbf7360
    Found by: call frame info
 3  XUL!nsJSNPRuntime::OnPluginDestroy [nsJSNPRuntime.cpp : 2048 + 0x79]
    rbx = 0x0000000101842560   r12 = 0x000000010291b270
    r13 = 0x00007fff5fbf7450   r14 = 0x00000001288e8f10
    r15 = 0x0000000101809730   rip = 0x0000000102ce0f64
    rsp = 0x00007fff5fbf7370   rbp = 0x00007fff5fbf74f0
    Found by: call frame info
 4  XUL!nsNPAPIPluginInstance::Stop [nsNPAPIPluginInstance.cpp : 249 + 0xc]
    rbx = 0x000000011c243e50   r12 = 0x0000000101fed58e
    r13 = 0x0000000000000001   r14 = 0x0000000101809730
    r15 = 0x0000000101809730   rip = 0x0000000102cc3214
    rsp = 0x00007fff5fbf7500   rbp = 0x00007fff5fbf7550
    Found by: call frame info
The breakpad exploitable tool rates this additional signature as highly exploitable:

http://de.futbol24.com/national/Algeria/Division-2/2011-2012/

Operating system: Windows NT
                  6.1.7601 Service Pack 1
CPU: x86
     GenuineIntel family 6 model 37 stepping 1
     2 CPUs

Crash reason:  EXCEPTION_ACCESS_VIOLATION_EXEC
Crash address: 0x2f6b726f

Thread 0 (crashed)
 0  0x2f6b726f
    eip = 0x2f6b726f   esp = 0x0035ce08   ebp = 0x0035ce20   ebx = 0x00000001
    esi = 0x00000080   edi = 0x00000000   eax = 0x0035ce68   ecx = 0x71c6169c
    edx = 0x2f6b726f   efl = 0x00210206
    Found by: given as instruction pointer in context
 1  mozjs.dll!js::gc::MarkChildren(JSTracer *,JSObject *) [Marking.cpp : 676 + 0xb]
    eip = 0x727faeff   esp = 0x0035ce28   ebp = 0x0035ce2c
    Found by: previous frame's frame pointer
 2  mozjs.dll!js::TraceChildren(JSTracer *,void *,JSGCTraceKind) [Marking.cpp : 1163 + 0xc]
    eip = 0x727fd38b   esp = 0x0035ce34   ebp = 0x0035ce40
    Found by: call frame info
 3  mozjs.dll!JS_TraceChildren [jsapi.cpp : 2495 + 0x10]
    eip = 0x72544154   esp = 0x0035ce48   ebp = 0x0035ce54
    Found by: call frame info
 4  xul.dll!xpc_UnmarkGrayGCThingRecursive(void *,JSGCTraceKind) [nsXPConnect.cpp : 701 + 0x11]
    eip = 0x7072432d   esp = 0x0035ce5c   ebp = 0x0035ce90
    Found by: call frame info
 5  xul.dll!xpc_UnmarkGrayObject(JSObject *) [xpcpublic.h : 182 + 0xa]
    eip = 0x6ff0a4b4   esp = 0x0035ce98   ebp = 0x0035cea0
    Found by: call frame info
 6  xul.dll!nsWrapperCache::GetWrapper() [nsWrapperCacheInlines.h : 49 + 0x8]
    eip = 0x6ff0a47d   esp = 0x0035cea8   ebp = 0x0035ceb4
    Found by: call frame info
 7  xul.dll!XPCWrappedNative::GetUsedOnly(XPCCallContext &,nsISupports *,XPCWrappedNativeScope *,XPCNativeInterface *,XPCWrappedNative * *) [XPCWrappedNative.cpp : 863 + 0x7]
    eip = 0x70776197   esp = 0x0035cebc   ebp = 0x0035cef0
    Found by: call frame info
Attached file summary of results 
I've included the list of futbol24 related urls where these crashes have occurred. A number have 0xda in the crashing address.
Severity: normal → critical
Crash Signature: [@ XPCWrappedNative::GetUsedOnly ] [@ js::IsIncrementalBarrierNeededOnObject ] → [@ CallQueryInterface(nsISupports*, nsWrapperCache**) ] [@ IS_WRAPPER_CLASS ] [@ JS::Value::isUndefined ] [@ XPCWrappedNative::GetUsedOnly ] [@ js::GetObjectClass(JSObject const*) ] [@ js::GetReservedSlot(JSObject const* unsigned int) ] [@ js::IsInc…
Why "regression"? do you have a broad (or specific!) range of versions that do and don't crash?
Keywords: regressionwindow-wanted, sec-critical, testcase-wanted
Whiteboard: [sg:critical]
I'm going to send this to DOM. I got it to crash by loading the page, waiting about 5 seconds, and then hitting reload. In all the crashes I saw, the JSObject attached to a DOM node via the wrapper cache has already been garbage collected. It seems like maybe there's some object that should clear the wrapper cache when it's finalized, and somehow that's not happening.
regression since it is a) nightly only and b) it started with 5/5 nightly builds. (Sorry I forgot to mention that).
status-firefox-esr10: --- → unaffected
status-firefox13: --- → unaffected
status-firefox14: --- → unaffected
status-firefox15: --- → affected
tracking-firefox15: --- → +
Keywords: regressionwindow-wanted
Whiteboard: [sg:critical] → [sg:critical] regressed around 5/5
Moving to DOM per comment 5.
Assignee: general → nobody
Component: JavaScript Engine → DOM
QA Contact: general → general
very possibly the same as bug 752286. See  bug 752286 comment 1

According to Scoobidiver, the regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2db9df42823d&tochange=9ebf3dc839c5

possibly either bug 748701 or bug 751641.
I bisected on Linux 32bit and after dealing with the busted builds, it blamed these changesets. These don't include the bugs Scoobidiver implicated though. :-(
Going back to Scoobidiver's regression range

Josh Aas \u2014 Bug 751641: Fix bug in which we add a Java MIME type to all plugins. r=jst

Jared Wein — Bug 748701 - Crash in nsObjectLoadingContent::IsPluginEnabledForType. r=joshmoz

Robert O'Callahan — Bug 653994. Avoid trying to paint plugin widgets in the case where a plugin fails to subclass our window. r=bsmedberg
Two of the three in comment 10 involve Josh (not to mention the plugin involvement) so I nominate him to find someone to fix this regression.
Assignee: nobody → joshmoz
For the signature XPCWrappedNative::GetUsedOnly in the past week:

Windows 7: 68.182%, 45 crashes
Windows XP: 25.758%, 17 crashes
Windows Unknown: 4.545%, 3 crashes
Windows Vista: 1.515%, 1 crash

x86: 63.636%, 42 crashes
amd64: 36.364%, 24 crashes

Firefox 15.0a1: 66.667%, 44 crashes
Firefox 16.0a1: 10.606%, 7 crashes
Firefox 12.0: 7.576%, 5 crashes
Firefox 11.0: 3.030% 2 crashes
Firefox 13.0b7: 3.030% 2 crashes
Thunderbird 12.0.1: 3.030% 2 crashes
Firefox 13.0b6: 3.030% 2 crashes
Firefox 12.0b6: 1.515% 1 crash
Firefox 11.0b3: 1.515% 1 crash

Comments from the past four weeks:

* Det såg svårt ut de lilla jag såg o jag förståg inte mycket av spelet.. men hann fixa över 20. NET.API iaf.. ;)

* Frequently responds looking up web site before saying can't find it. I reload the page a few times and eventually the page loads OK

* outlook,gimp and explorer is open when i close a preview of print the Nightly crashes

* Trying to print a page
Benjamin is looking into this.

I was able to reproduce the crash with a debug build on Mac OS X.
Assignee: joshmoz → benjamin
Reproed the assertion and/or a crash on Windows debug build:

 	xul.dll!js::GetObjectClass(obj=0x10877c90)  Line 323	C++
 	xul.dll!DebugCheckWrapperClass(obj=0x10877c90)  Line 69	C++
>	xul.dll!XPCWrappedNative::GetUsedOnly(ccx={...}, Object=0x0e2f0d60, Scope=0x0a51d700, Interface=0x068fe1a0, resultWrapper=0x002cca2c)  Line 832	C++
 	xul.dll!nsXPConnect::GetWrappedNativeOfNativeObject(aJSContext=0x0a581588, aScope=0x07c0c040, aCOMObj=0x0e2f0d60, aIID={...}, _retval=0x002ccb2c)  Line 1489	C++
 	xul.dll!nsObjectLoadingContent::NotifyContentObjectWrapper()  Line 2265	C++
 	xul.dll!nsObjectLoadingContent::InstantiatePluginInstance(aMimeType=0x0ebdada0, aURI=0x0e2eae78)  Line 707	C++
 	xul.dll!nsPluginStreamListenerPeer::OnStartRequest(request=0x0e2eb074, aContext=0x00000000)  Line 605	C++
 	xul.dll!nsObjectLoadingContent::OnStartRequest(aRequest=0x0e2eb074, aContext=0x00000000)  Line 969	C++
 	xul.dll!nsHttpChannel::CallOnStartRequest()  Line 767	C++

It's pretty clear that nsWrapperCache::GetWrapper is returning a GCed object. Earlier when SetWrapper was called, the object has the correct js::Class and appears to be alive:

+		this	0x0e2f0d64 {mIsDoneAddingChildren=true }	nsWrapperCache * const
+		js::GetObjectClass(aWrapper)	0x0a957564 {name=0x08a98b80 "HTMLObjectElement" flags=0x0000012d addProperty=0x5b2ca660 ...}	js::Class *
		aWrapper	0x10877c90	JSObject *

At the point of the crash the object has obviously been GCed.

Still working on why the normal finalizer wouldn't be clearing the cache properly.
According to bz and IRC discussion, this appears to be fallout from compartment-per-global. The stack which shows the problem so far is:

 	xul.dll!nsWrapperCache::SetWrapper(aWrapper=0x0fe8b060)  Line 101	C++
>	xul.dll!XPCWrappedNative::ReparentWrapperIfFound(ccx={...}, aOldScope=0x0db85140, aNewScope=0x0a110e70, aNewParent=0x07f31180, aCOMObj=0x08394790, aWrapper=0x0036872c)  Line 1698	C++
 	xul.dll!nsXPConnect::ReparentWrappedNativeIfFound(aJSContext=0x0a8a0e38, aScope=0x10617360, aNewParent=0x07f31180, aCOMObj=0x08394790, _retval=0x0036872c)  Line 1520	C++
 	xul.dll!nsNodeUtils::CloneAndAdopt(aNode=0x08394790, aClone=false, aDeep=true, aNewNodeInfoManager=0x0a0f6690, aCx=0x0a8a0e38, aNewScope=0x07f31180, aNodesWithProperties={...}, aParent=0x00000000, aResult=0x00368830)  Line 535	C++
 	xul.dll!nsNodeUtils::CloneAndAdopt(aNode=0x0d498ce8, aClone=false, aDeep=true, aNewNodeInfoManager=0x0a0f6690, aCx=0x0a8a0e38, aNewScope=0x07f31180, aNodesWithProperties={...}, aParent=0x00000000, aResult=0x003688f0)  Line 559	C++
 	xul.dll!nsNodeUtils::CloneAndAdopt(aNode=0x0d498ce8, aClone=false, aDeep=true, aNewNodeInfoManager=0x0a0f6690, aCx=0x0a8a0e38, aNewScope=0x07f31180, aNodesWithProperties={...}, aResult=0x00000000)  Line 272	C++
 	xul.dll!nsNodeUtils::Adopt(aNode=0x0d498ce8, aNewNodeInfoManager=0x0a0f6690, aCx=0x0a8a0e38, aNewScope=0x07f31180, aNodesWithProperties={...})  Line 174	C++
 	xul.dll!nsDocument::AdoptNode(aAdoptedNode=0x0d498d30, aResult=0x00368aa0)  Line 6156	C++
 	xul.dll!nsHTMLDocument::AdoptNode(source=0x0d498d30, _retval=0x00368aa0)  Line 90	C++
 	xul.dll!AdoptNodeIntoOwnerDoc(aParent=0x0d603540, aNode=0x0d498ce8)  Line 3713	C++
 	xul.dll!nsINode::ReplaceOrInsertBefore(aReplace=false, aNewChild=0x0d498ce8, aRefChild=0x00000000)  Line 4260	C++
 	xul.dll!nsINode::ReplaceOrInsertBefore(aReplace=false, aNewChild=0x0d498ce8, aRefChild=0x00000000, aReturn=0x00368d64)  Line 1438	C++
 	xul.dll!nsINode::InsertBefore(aNewChild=0x0d498ce8, aRefChild=0x00000000, aReturn=0x00368d64)  Line 477	C++
 	xul.dll!nsINode::AppendChild(aNewChild=0x0d498ce8, aReturn=0x00368d64)  Line 487	C++
 	xul.dll!nsIDOMNode_AppendChild(cx=0x0a688008, argc=0x00000001, vp=0x07730500)  Line 5502	C++

In this call to SetWrapper, the "allocKind" of the JSObject is FINALIZE_OBJECT8_BACKGROUND. For normal nsHTMLObjectElement wrappers it is FINALIZE_OBJECT2. So the JS engine is not calling the finalizer (which clears the wrapper cache) because of the incorrect GC kind.
All line numbers are from rev 0aa7fc75cad5, by the way.

The previous wrapper object for this node is a js::FunctionProxyClass. GetProxyHandler says that this is ajs::CrossCompartmentWrapper::singleton. I'm going to try and make a more minimal testcase for this and then hand it to bholley.
If we assert in SetWrapper that the object has a finalizer, would that catch where the proxy is getting set as the wrapper? This seems like a reasonable thing to assert anyway, since we need a finalizer to clear the wrapper cache eventually.

Also, we should be asserting in the JS engine that you never swap an object with a background finalize kind with an object that doesn't have a background finalize kind. However, that assertion would trip later than the first one in this case.
mccr8 is looking into something similar in bug 752764 and bug 760887. I'll bet this is related.
I added that assertion in a local build and it never tripped: although I don't have access to that machine this week.
Here's the testcase in mochitest form for checkin: it doesn't trigger the crash until you reload/unload the testcase, but it also discovered a bug about the scripting plugin prototype not being installed correctly, which is probably directly related ;-) Giving the bug to somebody else now!
Assignee: benjamin → continuation
Jesse, are there any changes that could be made to the DOM fuzzer so it could catch things like this in the future?
The first bad revision is:
changeset:   92954:bed8c4e3dfdf
user:        Luke Wagner <luke@mozilla.com>
date:        Thu May 03 09:10:12 2012 +0200
summary:     Bug 650353 - Implement Compartment-Per-Global in XPConnect. r=mrbkap
Blocks: cpg
Keywords: testcase-wantedtestcase
Blocks: 752286
It looks like this is actually a JS problem with a one line fix.  FunctionProxyClass doesn't have a finalizer, but it probably should.  billm helped me dig through this.  I have no idea why this is suddenly a problem.  Maybe some XPConnect thing became a function where it wasn't before.

Bug 769059 has a test case :johns found that is slightly less finicky.  I'll upload it here at some point.
In a followup bug, I should add assertions about wrappers having finalizers, and that transplanted things have a finalizer iff the thing they are being finalized to has one.
Component: DOM → JavaScript Engine
QA Contact: general → general
Summary: Plugin related crash on shutdown - Crash [@ XPCWrappedNative::GetUsedOnly ] | Crash [@ js::IsIncrementalBarrierNeededOnObject ] | Assertion failure: allocated() → js::FunctionProxyClass needs a finalizer
Comment on attachment 637342 [details] [diff] [review]
use finalizer for FunctionProxyClass

Bill suggested you might have an idea of why it is the way it is, jorendorff.
Attachment #637342 - Flags: review?(jorendorff)
This is the kind of assertion that Bill suggested.  With this patch applied, but not the fix, all of these various test cases people have come up with fail immediately with this assertion.

I'll do some try runs to see if the assertion fails with and without the proxy patch.
Attachment #638030 - Flags: review?(wmccloskey)
Comment on attachment 638030 [details] [diff] [review]
check that swap preserves finalizerness

Review of attachment 638030 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsgc.cpp
@@ +200,5 @@
>  #undef OFFSET
>  
>  #ifdef DEBUG
> +bool
> +IsAllocKindFinalized(AllocKind ak)

There's already IsBackgroundAllocKind, which is the negation of this, so let's use it.

::: js/src/jsobj.cpp
@@ +3566,5 @@
>  bool
>  JSObject::swap(JSContext *cx, JSObject *other)
>  {
> +    // Ensure swap doesn't cause a finalizer to not be run.
> +    MOZ_ASSERT(IsAllocKindFinalized(getAllocKind()) ==

JS_ASSERT
Attachment #638030 - Flags: review?(wmccloskey) → review+
Updated to address review comments.  Carrying forward billm's r+.  Thanks for the suggestions.  I looked around for AllocKind functions, but I somehow failed to find IsBackgroundAllocKind.
Attachment #638030 - Attachment is obsolete: true
Attachment #638051 - Flags: review+
Comment on attachment 637342 [details] [diff] [review]
use finalizer for FunctionProxyClass

Review of attachment 637342 [details] [diff] [review]:
-----------------------------------------------------------------

r=me with a test; bsmedberg's mochitest would fit the bill.

It bothers me a little that ObjectProxyClass has a convert hook and FunctionProxyClass doesn't. But maybe it's impossible to observe.
Attachment #637342 - Flags: review?(jorendorff) → review+
Looking into the test failure in this mochitest, it seems that moving the plugin into a subdocument makes it impossible to access any functions exported by plugin. The plugin remains running and does not reinstantiate (as expected).
I'm going to use johns's test case from bug 769059 as a crash test, as it seems to be a little less flakey about failing.

The last test of bsmedberg's mochitest still fails with this patch, but all the multitude of crashes in this bug and the dupes seem to be fixed.
Are you going to file a separate bug about the incorrect plugin behavior, then? It appears that when reparenting happens it isn't taking into account the plugin proto object.
Sure, I can do that.  That does sound like another CPG regression.  Does it need to be security sensitive?
No
(In reply to Benjamin Smedberg  [:bsmedberg] from comment #37)
> Are you going to file a separate bug about the incorrect plugin behavior,
> then? It appears that when reparenting happens it isn't taking into account
> the plugin proto object.

Filed as bug 771202.
Comment on attachment 637342 [details] [diff] [review]
use finalizer for FunctionProxyClass

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 650353
User impact if declined: crashes, potential exploits
Testing completed (on m-c, etc.): it has been on m-c for a few days
Risk to taking this patch (and alternatives if risky): low
String or UUID changes made by this patch: none
Attachment #637342 - Flags: approval-mozilla-aurora?
Comment on attachment 638051 [details] [diff] [review]
check that swap preserves finalizerness

(see above)

These assertion changes will help us catch potential future regressions of this nature (which will be sec-crit) on Aurora (as unlikely as that is) and will only affect debug builds.
Attachment #638051 - Flags: approval-mozilla-aurora?
Blocks: 771202
No longer blocks: 771202
Comment on attachment 637342 [details] [diff] [review]
use finalizer for FunctionProxyClass

[Triage Comment]
Low risk sg:crit fix for cpg in FF15. Approved.
Attachment #637342 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Attachment #638051 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
No longer blocks: 752286
Regression after branching for Firefox 15 so it doesn't need an advisory.
Whiteboard: [sg:critical] regressed around 5/5 → [sg:critical][advisory-tracking-] regressed around 5/5
Keywords: verifyme
2012-05-05 Firefox 15 Nightly debug: crash
2012-08-17 Firefox 15 Beta debug: no crash 
2012-08-17 Firefox 16 Aurora debug: no crash
Status: RESOLVED → VERIFIED
status-firefox15: fixedverified
status-firefox16: fixedverified
Keywords: verifyme
QA Contact: anthony.s.hughes
Group: core-security
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: