Closed Bug 760118 Opened 12 years ago Closed 12 years ago

crash in JSCompartment::wrap @ xpc::WrapperFactory::PrepareForWrapping

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Version:
15 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla16
Tracking Flags:
Tracking Status
firefox15 --- verified

People

(Reporter: scoobidiver, Unassigned)

References

Details

(4 keywords, Whiteboard: [native-crash])

Crash Data

It first appeared in 15.0a1/20120530144327 and is currently #1 top crasher in one of today's nightlies. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=79262a88881d&tochange=e89ed404ebe5
It's likely a regression from bug 752038.

Signature 	xpc::WrapperFactory::PrepareForWrapping(JSContext*, JSObject*, JSObject*, unsigned int) More Reports Search
UUID	aacace80-c87e-431c-89f1-cbfe72120531
Date Processed	2012-05-31 11:58:18
Uptime	1012
Last Crash	26.1 minutes before submission
Install Age	2.2 hours since version was first installed.
Install Time	2012-05-31 09:39:41
Product	Firefox
Version	15.0a1
Build ID	20120530144327
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 42 stepping 7
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x0
App Notes 	
AdapterVendorID: 0x8086, AdapterDeviceID: 0x0116, AdapterSubsysID: 1671103c, AdapterDriverVersion: 8.15.10.2372
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
EMCheckCompatibility	True
Total Virtual Memory	4294836224
Available Virtual Memory	3571265536
System Memory Use Percentage	81
Available Page File	3174137856
Available Physical Memory	790507520

Frame 	Module 	Signature 	Source
0 	xul.dll 	xpc::WrapperFactory::PrepareForWrapping 	js/xpconnect/wrappers/WrapperFactory.cpp:170
1 	mozjs.dll 	JSCompartment::wrap 	js/src/jscompartment.cpp:176
2 	mozjs.dll 	JS_CopyPropertiesFrom 	js/src/jsobj.cpp:3153
3 	xul.dll 	XPCWrappedNative::ReparentWrapperIfFound 	js/xpconnect/src/XPCWrappedNative.cpp:1614
4 	xul.dll 	MoveWrapper 	js/xpconnect/src/nsXPConnect.cpp:1610
5 	xul.dll 	nsXPConnect::MoveWrappers 	js/xpconnect/src/nsXPConnect.cpp:1670
6 	xul.dll 	nsContentUtils::ReparentContentWrappersInScope 	content/base/src/nsContentUtils.cpp:1639
7 	xul.dll 	nsHTMLDocument::Open 	content/html/document/src/nsHTMLDocument.cpp:1501
8 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:70
9 	xul.dll 	XPCWrappedNative::CallMethod 	js/xpconnect/src/XPCWrappedNative.cpp:2356
10 	xul.dll 	XPC_WN_CallMethod 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1500
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=xpc%3A%3AWrapperFactory%3A%3APrepareForWrapping%28JSContext*%2C+JSObject*%2C+JSObject*%2C+unsigned+int%29
https://crash-stats.mozilla.com/report/list?signature=xpc%3A%3AWrapperFactory%3A%3APrepareForWrapping
Hm, looks like the private is null, which means that the object was transplanted but that we haven't forgotten about it like we should. Maybe bug 752764, maybe something else.

Some STR would be helpful if they're easy to get.
One comment says: "Crash every time I play Farmville, very frustrating I will probably canel the app if you can not fix it."
[Triage Comment]
Adding qawanted to see if we can get some STR with Farmville here, will re-visit tracking nom once we have a better sense of the origin.
Keywords: qawanted
Here are some addon correlations I got manually:

Windows NT
  xpc::WrapperFactory::PrepareForWrapping(JSContext*, JSObject*, JSObject*, unsigned int)|EXCEPTION_ACCESS_VIOLATION_READ (136 crashes)
     10% (14/136) vs.   1% (25/2092) crossriderapp2258@crossrider.com
     99% (135/136) vs.  93% (1943/2092) {972ce4c6-7e08-4474-a285-3208198ce6fd} (Default, https://addons.mozilla.org/addon/8150)
      7% (10/136) vs.   1% (21/2092) ffxtlbr@incredibar.com
      8% (11/136) vs.   2% (40/2092) {635abd67-4fe9-1b23-4f01-e679fa7484c1} (Yahoo! Toolbar, https://addons.mozilla.org/addon/2032)
     33% (45/136) vs.  27% (563/2092) uriloader@pdf.js
      6% (8/136) vs.   0% (8/2092) 39ffxtbr@MapsGalaxy_39.com
      6% (8/136) vs.   0% (8/2092) {7affbfae-c4e2-4915-8c0f-00fa3ec610a1} (AOL Toolbar, https://addons.mozilla.org/addon/2114)
      6% (8/136) vs.   1% (11/2092) 64ffxtbr@TelevisionFanatic.com
      7% (9/136) vs.   2% (33/2092) netvideohunter@netvideohunter.com (NetVideoHunter Video Downloader, https://addons.mozilla.org/addon/7447)
I was just able to reproduce this on a Windows 7 machine, https://crash-stats.mozilla.com/report/index/bp-65017bad-de85-4178-9be8-d86bb2120601 using the latest nightly.

I did add a few of the extensions above and left Farmville playing in a open tab. I will see if those steps are reproducible.
This is reproducible for me, with the following set of extensions installed:

        Ad Muncher Browser Extensions
        2.0
        true
        {3ED591BC-7CC7-495B-A526-B2431356EDC1}

        Ant Video Downloader
        2.4.7
        true
        anttoolbar@ant.com

        avast! WebRep
        7.0.1426
        true
        wrc@avast.com

        Browser Button
        0.81.3
        true
        crossriderapp5179@crossrider.com

        Crossbrowser
        1.03
        true
        crossbrowser@kolibri-italia.com

        Google+Facebook
        0.81.80
        true
        crossriderapp519@crossrider.com

        PDF Viewer
        0.2.536
        true
        uriloader@pdf.js

        Test Pilot
        1.2.1
        true
        testpilot@labs.mozilla.com

        Yahoo! Toolbar
        2.4.8.20120412011105
        true
        {635abd67-4fe9-1b23-4f01-e679fa7484c1}

        Roboform Toolbar for Firefox
        7.6.0
        false
        {22119944-ED35-4ab1-910B-E619EA06A115}

The person who crashed in Comment 2 had one of the CrossRider addons installed, but not the exact ones I have.

STR:
1. Load Farmville.
2. Leave game sitting idle for a while
3. Eventually crash.
Keywords: qawantedreproducible
I get this easily using evernote.. just trying to edit and move notes through the web interface
Looks like this also might be reproducible with the patches from bug 745025. I'll try to look at this soon.
(In reply to Patrick McManus [:mcmanus] from comment #7)
> I get this easily using evernote.. just trying to edit and move notes
> through the web interface

Huzzah, I can reproduce! Thanks patrick. Looking at it now.
(In reply to Bobby Holley (:bholley) from comment #8)
> Looks like this also might be reproducible with the patches from bug 745025.
> I'll try to look at this soon.

Running the tests locally, I get some assertions that might indicate it's not related to this bug. Looking into it.
Ok, this seems to be the same issue as bug 752764. It appears to be fixed with my patches from bug 758415, which is what I expected given my analysis of the issue.

Marking the dep.
Depends on: 758415
FYI - I've got a consistent reproduction of this bug with the following reproduction steps:

1. Go to http://evernote.com/
2. Login with an existing evernote account with notes already created
3. Read a few of the notes

Result - Crash occurs

https://crash-stats.mozilla.com/report/index/bp-7fd86967-215d-47ea-af24-5d80c2120605
Regression window(m-c) with STR in comment #13
Good:
http://hg.mozilla.org/mozilla-central/rev/f6d082275253
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/15.0 Firefox/15.0a1 ID:20120530012752
Bad:
http://hg.mozilla.org/mozilla-central/rev/b5af439f1717
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/15.0 Firefox/15.0a1 ID:20120530042453
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f6d082275253&tochange=b5af439f1717

Regression window(m-c)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/98410387837c
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/15.0 Firefox/15.0a1 ID:20120529094953
Bad:
http://hg.mozilla.org/integration/mozilla-inbound/rev/8ffcc3efc77e
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/15.0 Firefox/15.0a1 ID:20120529150154
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=98410387837c&tochange=8ffcc3efc77e

In local build:
Last good: d88590f8a245
First bad: 3bfee91d5f09

Suspected : 3bfee91d5f09	Bobby Holley — Bug 752038 - Avoid getting confused by PreCreate giving a different answer when we wrap objects cross-compartment during reparenting. r=mrbkap
The actual regression is bug 739796. Bug 758415 fixes it, but is waiting on a dependent bug. Hopefully that will be sorted out soon.
Blocks: 739796
(In reply to Bobby Holley (:bholley) from comment #15)
> The actual regression is bug 739796. Bug 758415 fixes it, but is waiting on
> a dependent bug. Hopefully that will be sorted out soon.

This crash is on 15, bug 758415 has now landed on 16 (will see in the next days if it helps, I surely hope so), what's the plan here for 15 (currently on aurora)?
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #16)

> This crash is on 15, bug 758415 has now landed on 16 (will see in the next
> days if it helps, I surely hope so), what's the plan here for 15 (currently
> on aurora)?

It is currently waiting on aurora approval. I expect to land it in the next day or two.
I am closing as fixed per comment 15 and crash stats (latest crash in 16.0a1/20120607025755).
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox15: --- → affected
Resolution: --- → FIXED
Target Milestone: --- → mozilla16
Whiteboard: [native-crash]
Bug 758415 is approved for aurora and also tracked for 15 so I'm removing the tracking request here.
status-firefox15: affected → ---
tracking-firefox15: ? → ---
status-firefox15: --- → fixed
Able to see the crash on Nightly 2012-06-01 using the STR in comment 13.
Verified fixed on FF 15b3 on Win 7/64, Ubuntu 12.04 and Mac OS X 10.6
Status: RESOLVED → VERIFIED
status-firefox15: fixedverified
You need to log in before you can comment on or make changes to this bug.