Closed
Bug 752340
Opened 12 years ago
Closed 12 years ago
js::FunctionProxyClass needs a finalizer
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla16
Tracking | Status | |
---|---|---|
firefox13 | --- | unaffected |
firefox14 | --- | unaffected |
firefox15 | + | verified |
firefox16 | + | verified |
firefox-esr10 | --- | unaffected |
People
(Reporter: bc, Assigned: mccr8)
References
()
Details
(5 keywords, Whiteboard: [sg:critical][advisory-tracking-] regressed around 5/5)
Crash Data
Attachments
(5 files, 1 obsolete file)
5.74 KB,
text/html
|
Details | |
1.52 KB,
text/plain
|
Details | |
2.52 KB,
patch
|
Details | Diff | Splinter Review | |
1.07 KB,
patch
|
jorendorff
:
review+
akeybl
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
1.24 KB,
patch
|
mccr8
:
review+
akeybl
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
1. http://de.futbol24.com/national/Algeria/Algerian-Cup/2011-2012/ http://www.futbol24.com/team/Germany/1FC-Koln/ 2. Shutdown 3. Crash | Assert s-s due to 0xda in edx/crash address on Windows. This could be XPConnect or Plugins even but I'm putting in JS for now due to the GC related issues. Mac Nightly [@ XPCWrappedNative::GetUsedOnly ] bp-8a6c1947-5971-49fb-b457-f1cc42120506 bp-76602895-fcb6-4a2f-8b97-763312120506 Linux Nightly [@ XPCWrappedNative::GetUsedOnly ] bp-33368303-f3fd-4146-b816-dd52e2120506 [@ js::IsIncrementalBarrierNeededOnObject ] bp-aa6a4d60-b85e-4626-bfb2-d7e742120506 Windows/Mac/Linux Debug Assertion failure: allocated(), at ../../../dist/include/gc/Heap.h:596 Operating system: Linux 0.0.0 Linux 2.6.32-220.13.1.el6.x86_64 #1 SMP Thu Mar 29 11:46:40 EDT 2012 x86_64 CPU: amd64 family 6 model 37 stepping 1 2 CPUs Crash reason: SIGABRT Crash address: 0x1ff000053a8 Thread 0 (crashed) 0 libpthread-2.12.so + 0xf36b rbx = 0x0000000000000001 r12 = 0x0000000000000000 r13 = 0x00007fe3b62c60bd r14 = 0x0000000000000000 r15 = 0x0000000000000000 rip = 0x0000003f0a20f36b rsp = 0x00007fff6e056188 rbp = 0x00007fff6e0561a0 Found by: given as instruction pointer in context 1 libxul.so!js::gc::ArenaHeader::getThingSize [Heap.h : 596 + 0x21] rip = 0x00007fe3b54236d3 rsp = 0x00007fff6e056190 Found by: stack scanning 2 libxul.so!js::gc::AssertValidColor [Heap.h : 917 + 0xe] rip = 0x00007fe3b72c1049 rsp = 0x00007fff6e0561b0 Found by: stack scanning 3 libxul.so!nsGenericElement::InitCCCallbacks [nsGenericElement.cpp : 4949 + 0x1] rip = 0x00007fe3b59c1336 rsp = 0x00007fff6e0561e0 Found by: stack scanning 4 0x7fff6e0561ff rip = 0x00007fff6e056200 rsp = 0x00007fff6e0561e8 rbp = 0x00007fe3b59c1336 Found by: call frame info 5 libxul.so!js::gc::Cell::isMarked [Heap.h : 947 + 0x10] rip = 0x00007fe3b72c10a0 rsp = 0x00007fff6e0561f0 Found by: stack scanning 6 libxul.so!js::GCThingIsMarkedGray [jsfriendapi.cpp : 464 + 0x10] rip = 0x00007fe3b72c2715 rsp = 0x00007fff6e056210 Found by: stack scanning 7 libxul.so!xpc_IsGrayGCThing [xpcpublic.h : 163 + 0xb] rip = 0x00007fe3b5909b60 rsp = 0x00007fff6e056230 Found by: stack scanning 8 libxul.so!nsWrapperCache::IsBlack [nsWrapperCacheInlines.h : 57 + 0xb] rip = 0x00007fe3b5909b95 rsp = 0x00007fff6e056250 Found by: stack scanning 9 libxul.so!nsGenericElement::CanSkip [nsGenericElement.cpp : 4874 + 0xf] rip = 0x00007fe3b59c100f rsp = 0x00007fff6e056280 Found by: stack scanning also Windows Debug hit what appears to be deleted memory Windows Operating system: Windows NT 5.1.2600 Service Pack 3 CPU: x86 GenuineIntel family 6 model 37 stepping 1 1 CPU Crash reason: EXCEPTION_ACCESS_VIOLATION_READ Crash address: 0xffffffffdadadada Thread 0 (crashed) 0 xul.dll!js::GetObjectClass(JSObject const *) [jsfriendapi.h : 366 + 0x7] eip = 0x01b2a1ca esp = 0x0012cee0 ebp = 0x0012cee0 ebx = 0x00000001 esi = 0x00000080 edi = 0x0022afd8 eax = 0x0e1a4f10 ecx = 0x0e1a4fb0 edx = 0xdadadada efl = 0x00210202 Found by: given as instruction pointer in context 1 xul.dll!DebugCheckWrapperClass(JSObject *) [xpcpublic.h : 101 + 0x8] eip = 0x01b2a41c esp = 0x0012cee8 ebp = 0x0012ceec Found by: call frame info 2 xul.dll!XPCWrappedNative::GetUsedOnly(XPCCallContext &,nsISupports *,XPCWrappedNativeScope *,XPCNativeInterface *,XPCWrappedNative * *) [XPCWrappedNative.cpp : 864 + 0xe] eip = 0x023961a9 esp = 0x0012cef4 ebp = 0x0012cf2c Found by: call frame info 3 xul.dll!nsXPConnect::GetWrappedNativeOfNativeObject(JSContext *,JSObject *,nsISupports *,nsID const &,nsIXPConnectWrappedNative * *) [nsXPConnect.cpp : 1526 + 0x29] eip = 0x02347d8c esp = 0x0012cf34 ebp = 0x0012d018 Found by: call frame info 4 xul.dll!nsJSNPRuntime::OnPluginDestroy(_NPP *) [nsJSNPRuntime.cpp : 2048 + 0x5c] eip = 0x026a3d0d esp = 0x0012d020 ebp = 0x0012d0e8 Found by: call frame info 5 xul.dll!nsNPAPIPluginInstance::Stop() [nsNPAPIPluginInstance.cpp : 249 + 0xb] eip = 0x02683334 esp = 0x0012d0f0 ebp = 0x0012d164 Found by: call frame info 6 xul.dll!nsPluginHost::StopPluginInstance(nsNPAPIPluginInstance *) [nsPluginHost.cpp : 3175 + 0x7] eip = 0x0269a569 esp = 0x0012d16c ebp = 0x0012d1a4 Found by: call frame info
Reporter | ||
Comment 1•12 years ago
|
||
On http://www.futbol24.com/Live/ I saw additional windows crashes with the 0xda pattern as well as one new one for Mac ###!!! ASSERTION: Forgot to check if this is a wrapper?: 'IS_WRAPPER_CLASS(js::GetObjectClass(obj))', file /work/mozilla/builds/nightly/mozilla/js/xpconnect/src/xpcpublic.h, line 101 Assertion failure: slot < (((GetObjectClass(obj))->flags >> 8) & (((uint32_t)1 << (8)) - 1)), at /work/mozilla/builds/nightly/mozilla/js/src/jsfriendapi.h:439 perating system: Mac OS X 10.6.8 10K549 CPU: amd64 family 6 model 23 stepping 10 2 CPUs Crash reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS Crash address: 0x0 Thread 0 (crashed) 0 XUL!js::GetReservedSlot [jsfriendapi.h : 439 + 0x3e] rbx = 0x0000000101842560 r12 = 0x000000010291b270 r13 = 0x00007fff5fbf7450 r14 = 0x00000001288e8f10 r15 = 0x0000000101809730 rip = 0x0000000103a19c3e rsp = 0x00007fff5fbf7110 rbp = 0x00007fff5fbf7120 Found by: given as instruction pointer in context 1 XUL!XPCWrappedNative::GetUsedOnly [XPCWrappedNative.cpp : 864 + 0x21] rbx = 0x0000000101842560 r12 = 0x000000010291b270 r13 = 0x00007fff5fbf7450 r14 = 0x00000001288e8f10 r15 = 0x0000000101809730 rip = 0x000000010297829c rsp = 0x00007fff5fbf7130 rbp = 0x00007fff5fbf71d0 Found by: call frame info 2 XUL!nsXPConnect::GetWrappedNativeOfNativeObject [nsXPConnect.cpp : 1526 + 0x29] rbx = 0x0000000101842560 r12 = 0x000000010291b270 r13 = 0x00007fff5fbf7450 r14 = 0x00000001288e8f10 r15 = 0x0000000101809730 rip = 0x000000010291b497 rsp = 0x00007fff5fbf71e0 rbp = 0x00007fff5fbf7360 Found by: call frame info 3 XUL!nsJSNPRuntime::OnPluginDestroy [nsJSNPRuntime.cpp : 2048 + 0x79] rbx = 0x0000000101842560 r12 = 0x000000010291b270 r13 = 0x00007fff5fbf7450 r14 = 0x00000001288e8f10 r15 = 0x0000000101809730 rip = 0x0000000102ce0f64 rsp = 0x00007fff5fbf7370 rbp = 0x00007fff5fbf74f0 Found by: call frame info 4 XUL!nsNPAPIPluginInstance::Stop [nsNPAPIPluginInstance.cpp : 249 + 0xc] rbx = 0x000000011c243e50 r12 = 0x0000000101fed58e r13 = 0x0000000000000001 r14 = 0x0000000101809730 r15 = 0x0000000101809730 rip = 0x0000000102cc3214 rsp = 0x00007fff5fbf7500 rbp = 0x00007fff5fbf7550 Found by: call frame info
Reporter | ||
Comment 2•12 years ago
|
||
The breakpad exploitable tool rates this additional signature as highly exploitable: http://de.futbol24.com/national/Algeria/Division-2/2011-2012/ Operating system: Windows NT 6.1.7601 Service Pack 1 CPU: x86 GenuineIntel family 6 model 37 stepping 1 2 CPUs Crash reason: EXCEPTION_ACCESS_VIOLATION_EXEC Crash address: 0x2f6b726f Thread 0 (crashed) 0 0x2f6b726f eip = 0x2f6b726f esp = 0x0035ce08 ebp = 0x0035ce20 ebx = 0x00000001 esi = 0x00000080 edi = 0x00000000 eax = 0x0035ce68 ecx = 0x71c6169c edx = 0x2f6b726f efl = 0x00210206 Found by: given as instruction pointer in context 1 mozjs.dll!js::gc::MarkChildren(JSTracer *,JSObject *) [Marking.cpp : 676 + 0xb] eip = 0x727faeff esp = 0x0035ce28 ebp = 0x0035ce2c Found by: previous frame's frame pointer 2 mozjs.dll!js::TraceChildren(JSTracer *,void *,JSGCTraceKind) [Marking.cpp : 1163 + 0xc] eip = 0x727fd38b esp = 0x0035ce34 ebp = 0x0035ce40 Found by: call frame info 3 mozjs.dll!JS_TraceChildren [jsapi.cpp : 2495 + 0x10] eip = 0x72544154 esp = 0x0035ce48 ebp = 0x0035ce54 Found by: call frame info 4 xul.dll!xpc_UnmarkGrayGCThingRecursive(void *,JSGCTraceKind) [nsXPConnect.cpp : 701 + 0x11] eip = 0x7072432d esp = 0x0035ce5c ebp = 0x0035ce90 Found by: call frame info 5 xul.dll!xpc_UnmarkGrayObject(JSObject *) [xpcpublic.h : 182 + 0xa] eip = 0x6ff0a4b4 esp = 0x0035ce98 ebp = 0x0035cea0 Found by: call frame info 6 xul.dll!nsWrapperCache::GetWrapper() [nsWrapperCacheInlines.h : 49 + 0x8] eip = 0x6ff0a47d esp = 0x0035cea8 ebp = 0x0035ceb4 Found by: call frame info 7 xul.dll!XPCWrappedNative::GetUsedOnly(XPCCallContext &,nsISupports *,XPCWrappedNativeScope *,XPCNativeInterface *,XPCWrappedNative * *) [XPCWrappedNative.cpp : 863 + 0x7] eip = 0x70776197 esp = 0x0035cebc ebp = 0x0035cef0 Found by: call frame info
Reporter | ||
Comment 3•12 years ago
|
||
I've included the list of futbol24 related urls where these crashes have occurred. A number have 0xda in the crashing address.
Reporter | ||
Updated•12 years ago
|
Severity: normal → critical
Crash Signature: [@ XPCWrappedNative::GetUsedOnly ]
[@ js::IsIncrementalBarrierNeededOnObject ] → [@ CallQueryInterface(nsISupports*, nsWrapperCache**) ]
[@ IS_WRAPPER_CLASS ]
[@ JS::Value::isUndefined ]
[@ XPCWrappedNative::GetUsedOnly ]
[@ js::GetObjectClass(JSObject const*) ]
[@ js::GetReservedSlot(JSObject const* unsigned int) ]
[@ js::IsInc…
Comment 4•12 years ago
|
||
Why "regression"? do you have a broad (or specific!) range of versions that do and don't crash?
Whiteboard: [sg:critical]
I'm going to send this to DOM. I got it to crash by loading the page, waiting about 5 seconds, and then hitting reload. In all the crashes I saw, the JSObject attached to a DOM node via the wrapper cache has already been garbage collected. It seems like maybe there's some object that should clear the wrapper cache when it's finalized, and somehow that's not happening.
Reporter | ||
Comment 6•12 years ago
|
||
regression since it is a) nightly only and b) it started with 5/5 nightly builds. (Sorry I forgot to mention that).
Updated•12 years ago
|
status-firefox-esr10:
--- → unaffected
status-firefox13:
--- → unaffected
status-firefox14:
--- → unaffected
status-firefox15:
--- → affected
tracking-firefox15:
--- → +
Keywords: regressionwindow-wanted
Whiteboard: [sg:critical] → [sg:critical] regressed around 5/5
Comment 7•12 years ago
|
||
Moving to DOM per comment 5.
Assignee: general → nobody
Component: JavaScript Engine → DOM
QA Contact: general → general
Reporter | ||
Comment 8•12 years ago
|
||
very possibly the same as bug 752286. See bug 752286 comment 1 According to Scoobidiver, the regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2db9df42823d&tochange=9ebf3dc839c5 possibly either bug 748701 or bug 751641.
Reporter | ||
Comment 9•12 years ago
|
||
I bisected on Linux 32bit and after dealing with the busted builds, it blamed these changesets. These don't include the bugs Scoobidiver implicated though. :-(
Reporter | ||
Comment 10•12 years ago
|
||
Going back to Scoobidiver's regression range Josh Aas \u2014 Bug 751641: Fix bug in which we add a Java MIME type to all plugins. r=jst Jared Wein — Bug 748701 - Crash in nsObjectLoadingContent::IsPluginEnabledForType. r=joshmoz Robert O'Callahan — Bug 653994. Avoid trying to paint plugin widgets in the case where a plugin fails to subclass our window. r=bsmedberg
Updated•12 years ago
|
status-firefox16:
--- → affected
tracking-firefox16:
--- → +
Comment 11•12 years ago
|
||
Two of the three in comment 10 involve Josh (not to mention the plugin involvement) so I nominate him to find someone to fix this regression.
Assignee: nobody → joshmoz
Comment 12•12 years ago
|
||
For the signature XPCWrappedNative::GetUsedOnly in the past week: Windows 7: 68.182%, 45 crashes Windows XP: 25.758%, 17 crashes Windows Unknown: 4.545%, 3 crashes Windows Vista: 1.515%, 1 crash x86: 63.636%, 42 crashes amd64: 36.364%, 24 crashes Firefox 15.0a1: 66.667%, 44 crashes Firefox 16.0a1: 10.606%, 7 crashes Firefox 12.0: 7.576%, 5 crashes Firefox 11.0: 3.030% 2 crashes Firefox 13.0b7: 3.030% 2 crashes Thunderbird 12.0.1: 3.030% 2 crashes Firefox 13.0b6: 3.030% 2 crashes Firefox 12.0b6: 1.515% 1 crash Firefox 11.0b3: 1.515% 1 crash Comments from the past four weeks: * Det såg svårt ut de lilla jag såg o jag förståg inte mycket av spelet.. men hann fixa över 20. NET.API iaf.. ;) * Frequently responds looking up web site before saying can't find it. I reload the page a few times and eventually the page loads OK * outlook,gimp and explorer is open when i close a preview of print the Nightly crashes * Trying to print a page
Comment 13•12 years ago
|
||
Benjamin is looking into this. I was able to reproduce the crash with a debug build on Mac OS X.
Assignee: joshmoz → benjamin
Comment 14•12 years ago
|
||
Reproed the assertion and/or a crash on Windows debug build:
xul.dll!js::GetObjectClass(obj=0x10877c90) Line 323 C++
xul.dll!DebugCheckWrapperClass(obj=0x10877c90) Line 69 C++
> xul.dll!XPCWrappedNative::GetUsedOnly(ccx={...}, Object=0x0e2f0d60, Scope=0x0a51d700, Interface=0x068fe1a0, resultWrapper=0x002cca2c) Line 832 C++
xul.dll!nsXPConnect::GetWrappedNativeOfNativeObject(aJSContext=0x0a581588, aScope=0x07c0c040, aCOMObj=0x0e2f0d60, aIID={...}, _retval=0x002ccb2c) Line 1489 C++
xul.dll!nsObjectLoadingContent::NotifyContentObjectWrapper() Line 2265 C++
xul.dll!nsObjectLoadingContent::InstantiatePluginInstance(aMimeType=0x0ebdada0, aURI=0x0e2eae78) Line 707 C++
xul.dll!nsPluginStreamListenerPeer::OnStartRequest(request=0x0e2eb074, aContext=0x00000000) Line 605 C++
xul.dll!nsObjectLoadingContent::OnStartRequest(aRequest=0x0e2eb074, aContext=0x00000000) Line 969 C++
xul.dll!nsHttpChannel::CallOnStartRequest() Line 767 C++
It's pretty clear that nsWrapperCache::GetWrapper is returning a GCed object. Earlier when SetWrapper was called, the object has the correct js::Class and appears to be alive:
+ this 0x0e2f0d64 {mIsDoneAddingChildren=true } nsWrapperCache * const
+ js::GetObjectClass(aWrapper) 0x0a957564 {name=0x08a98b80 "HTMLObjectElement" flags=0x0000012d addProperty=0x5b2ca660 ...} js::Class *
aWrapper 0x10877c90 JSObject *
At the point of the crash the object has obviously been GCed.
Still working on why the normal finalizer wouldn't be clearing the cache properly.
Comment 15•12 years ago
|
||
According to bz and IRC discussion, this appears to be fallout from compartment-per-global. The stack which shows the problem so far is:
xul.dll!nsWrapperCache::SetWrapper(aWrapper=0x0fe8b060) Line 101 C++
> xul.dll!XPCWrappedNative::ReparentWrapperIfFound(ccx={...}, aOldScope=0x0db85140, aNewScope=0x0a110e70, aNewParent=0x07f31180, aCOMObj=0x08394790, aWrapper=0x0036872c) Line 1698 C++
xul.dll!nsXPConnect::ReparentWrappedNativeIfFound(aJSContext=0x0a8a0e38, aScope=0x10617360, aNewParent=0x07f31180, aCOMObj=0x08394790, _retval=0x0036872c) Line 1520 C++
xul.dll!nsNodeUtils::CloneAndAdopt(aNode=0x08394790, aClone=false, aDeep=true, aNewNodeInfoManager=0x0a0f6690, aCx=0x0a8a0e38, aNewScope=0x07f31180, aNodesWithProperties={...}, aParent=0x00000000, aResult=0x00368830) Line 535 C++
xul.dll!nsNodeUtils::CloneAndAdopt(aNode=0x0d498ce8, aClone=false, aDeep=true, aNewNodeInfoManager=0x0a0f6690, aCx=0x0a8a0e38, aNewScope=0x07f31180, aNodesWithProperties={...}, aParent=0x00000000, aResult=0x003688f0) Line 559 C++
xul.dll!nsNodeUtils::CloneAndAdopt(aNode=0x0d498ce8, aClone=false, aDeep=true, aNewNodeInfoManager=0x0a0f6690, aCx=0x0a8a0e38, aNewScope=0x07f31180, aNodesWithProperties={...}, aResult=0x00000000) Line 272 C++
xul.dll!nsNodeUtils::Adopt(aNode=0x0d498ce8, aNewNodeInfoManager=0x0a0f6690, aCx=0x0a8a0e38, aNewScope=0x07f31180, aNodesWithProperties={...}) Line 174 C++
xul.dll!nsDocument::AdoptNode(aAdoptedNode=0x0d498d30, aResult=0x00368aa0) Line 6156 C++
xul.dll!nsHTMLDocument::AdoptNode(source=0x0d498d30, _retval=0x00368aa0) Line 90 C++
xul.dll!AdoptNodeIntoOwnerDoc(aParent=0x0d603540, aNode=0x0d498ce8) Line 3713 C++
xul.dll!nsINode::ReplaceOrInsertBefore(aReplace=false, aNewChild=0x0d498ce8, aRefChild=0x00000000) Line 4260 C++
xul.dll!nsINode::ReplaceOrInsertBefore(aReplace=false, aNewChild=0x0d498ce8, aRefChild=0x00000000, aReturn=0x00368d64) Line 1438 C++
xul.dll!nsINode::InsertBefore(aNewChild=0x0d498ce8, aRefChild=0x00000000, aReturn=0x00368d64) Line 477 C++
xul.dll!nsINode::AppendChild(aNewChild=0x0d498ce8, aReturn=0x00368d64) Line 487 C++
xul.dll!nsIDOMNode_AppendChild(cx=0x0a688008, argc=0x00000001, vp=0x07730500) Line 5502 C++
In this call to SetWrapper, the "allocKind" of the JSObject is FINALIZE_OBJECT8_BACKGROUND. For normal nsHTMLObjectElement wrappers it is FINALIZE_OBJECT2. So the JS engine is not calling the finalizer (which clears the wrapper cache) because of the incorrect GC kind.
Comment 16•12 years ago
|
||
All line numbers are from rev 0aa7fc75cad5, by the way. The previous wrapper object for this node is a js::FunctionProxyClass. GetProxyHandler says that this is ajs::CrossCompartmentWrapper::singleton. I'm going to try and make a more minimal testcase for this and then hand it to bholley.
If we assert in SetWrapper that the object has a finalizer, would that catch where the proxy is getting set as the wrapper? This seems like a reasonable thing to assert anyway, since we need a finalizer to clear the wrapper cache eventually. Also, we should be asserting in the JS engine that you never swap an object with a background finalize kind with an object that doesn't have a background finalize kind. However, that assertion would trip later than the first one in this case.
Comment 18•12 years ago
|
||
mccr8 is looking into something similar in bug 752764 and bug 760887. I'll bet this is related.
Comment 19•12 years ago
|
||
I added that assertion in a local build and it never tripped: although I don't have access to that machine this week.
Comment 20•12 years ago
|
||
Here's the testcase in mochitest form for checkin: it doesn't trigger the crash until you reload/unload the testcase, but it also discovered a bug about the scripting plugin prototype not being installed correctly, which is probably directly related ;-) Giving the bug to somebody else now!
Updated•12 years ago
|
Assignee: benjamin → continuation
Jesse, are there any changes that could be made to the DOM fuzzer so it could catch things like this in the future?
Oops. See above, Jesse.
Reporter | ||
Comment 23•12 years ago
|
||
The first bad revision is: changeset: 92954:bed8c4e3dfdf user: Luke Wagner <luke@mozilla.com> date: Thu May 03 09:10:12 2012 +0200 summary: Bug 650353 - Implement Compartment-Per-Global in XPConnect. r=mrbkap
Blocks: cpg
Assignee | ||
Updated•12 years ago
|
Keywords: testcase-wanted → testcase
Assignee | ||
Comment 25•12 years ago
|
||
It looks like this is actually a JS problem with a one line fix. FunctionProxyClass doesn't have a finalizer, but it probably should. billm helped me dig through this. I have no idea why this is suddenly a problem. Maybe some XPConnect thing became a function where it wasn't before. Bug 769059 has a test case :johns found that is slightly less finicky. I'll upload it here at some point.
Assignee | ||
Comment 26•12 years ago
|
||
In a followup bug, I should add assertions about wrappers having finalizers, and that transplanted things have a finalizer iff the thing they are being finalized to has one.
Component: DOM → JavaScript Engine
QA Contact: general → general
Summary: Plugin related crash on shutdown - Crash [@ XPCWrappedNative::GetUsedOnly ] | Crash [@ js::IsIncrementalBarrierNeededOnObject ] | Assertion failure: allocated() → js::FunctionProxyClass needs a finalizer
Assignee | ||
Comment 27•12 years ago
|
||
Comment on attachment 637342 [details] [diff] [review] use finalizer for FunctionProxyClass Bill suggested you might have an idea of why it is the way it is, jorendorff.
Attachment #637342 -
Flags: review?(jorendorff)
Assignee | ||
Comment 30•12 years ago
|
||
This is the kind of assertion that Bill suggested. With this patch applied, but not the fix, all of these various test cases people have come up with fail immediately with this assertion. I'll do some try runs to see if the assertion fails with and without the proxy patch.
Attachment #638030 -
Flags: review?(wmccloskey)
Comment on attachment 638030 [details] [diff] [review] check that swap preserves finalizerness Review of attachment 638030 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jsgc.cpp @@ +200,5 @@ > #undef OFFSET > > #ifdef DEBUG > +bool > +IsAllocKindFinalized(AllocKind ak) There's already IsBackgroundAllocKind, which is the negation of this, so let's use it. ::: js/src/jsobj.cpp @@ +3566,5 @@ > bool > JSObject::swap(JSContext *cx, JSObject *other) > { > + // Ensure swap doesn't cause a finalizer to not be run. > + MOZ_ASSERT(IsAllocKindFinalized(getAllocKind()) == JS_ASSERT
Attachment #638030 -
Flags: review?(wmccloskey) → review+
Assignee | ||
Comment 32•12 years ago
|
||
Updated to address review comments. Carrying forward billm's r+. Thanks for the suggestions. I looked around for AllocKind functions, but I somehow failed to find IsBackgroundAllocKind.
Attachment #638030 -
Attachment is obsolete: true
Attachment #638051 -
Flags: review+
Comment 34•12 years ago
|
||
Comment on attachment 637342 [details] [diff] [review] use finalizer for FunctionProxyClass Review of attachment 637342 [details] [diff] [review]: ----------------------------------------------------------------- r=me with a test; bsmedberg's mochitest would fit the bill. It bothers me a little that ObjectProxyClass has a convert hook and FunctionProxyClass doesn't. But maybe it's impossible to observe.
Attachment #637342 -
Flags: review?(jorendorff) → review+
Comment 35•12 years ago
|
||
Looking into the test failure in this mochitest, it seems that moving the plugin into a subdocument makes it impossible to access any functions exported by plugin. The plugin remains running and does not reinstantiate (as expected).
Assignee | ||
Comment 36•12 years ago
|
||
I'm going to use johns's test case from bug 769059 as a crash test, as it seems to be a little less flakey about failing. The last test of bsmedberg's mochitest still fails with this patch, but all the multitude of crashes in this bug and the dupes seem to be fixed.
Comment 37•12 years ago
|
||
Are you going to file a separate bug about the incorrect plugin behavior, then? It appears that when reparenting happens it isn't taking into account the plugin proto object.
Assignee | ||
Comment 38•12 years ago
|
||
Sure, I can do that. That does sound like another CPG regression. Does it need to be security sensitive?
Comment 39•12 years ago
|
||
No
Assignee | ||
Comment 40•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/093f6da3e4e1 https://hg.mozilla.org/integration/mozilla-inbound/rev/2e39a01b8998
Target Milestone: --- → mozilla16
Comment 41•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/093f6da3e4e1 https://hg.mozilla.org/mozilla-central/rev/2e39a01b8998
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 42•12 years ago
|
||
(In reply to Benjamin Smedberg [:bsmedberg] from comment #37) > Are you going to file a separate bug about the incorrect plugin behavior, > then? It appears that when reparenting happens it isn't taking into account > the plugin proto object. Filed as bug 771202.
Assignee | ||
Comment 43•12 years ago
|
||
Comment on attachment 637342 [details] [diff] [review] use finalizer for FunctionProxyClass [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 650353 User impact if declined: crashes, potential exploits Testing completed (on m-c, etc.): it has been on m-c for a few days Risk to taking this patch (and alternatives if risky): low String or UUID changes made by this patch: none
Attachment #637342 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 44•12 years ago
|
||
Comment on attachment 638051 [details] [diff] [review] check that swap preserves finalizerness (see above) These assertion changes will help us catch potential future regressions of this nature (which will be sec-crit) on Aurora (as unlikely as that is) and will only affect debug builds.
Attachment #638051 -
Flags: approval-mozilla-aurora?
Comment 45•12 years ago
|
||
Comment on attachment 637342 [details] [diff] [review] use finalizer for FunctionProxyClass [Triage Comment] Low risk sg:crit fix for cpg in FF15. Approved.
Attachment #637342 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated•12 years ago
|
Attachment #638051 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Assignee | ||
Comment 46•12 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/950cc1107152 https://hg.mozilla.org/releases/mozilla-aurora/rev/c885126e2982
Comment 48•12 years ago
|
||
Regression after branching for Firefox 15 so it doesn't need an advisory.
Whiteboard: [sg:critical] regressed around 5/5 → [sg:critical][advisory-tracking-] regressed around 5/5
Comment 49•12 years ago
|
||
2012-05-05 Firefox 15 Nightly debug: crash 2012-08-17 Firefox 15 Beta debug: no crash 2012-08-17 Firefox 16 Aurora debug: no crash
Updated•12 years ago
|
Group: core-security
Assignee | ||
Updated•12 years ago
|
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•