Closed Bug 965267 Opened 10 years ago Closed 6 years ago

Null deref at GetCurrentJSStack during shutdown

Categories

(Core :: XPConnect, defect)

x86_64
Windows 7
defect
Not set
critical


RESOLVED INACTIVE

People

(Reporter: mayhemer, Unassigned)

Details

Attachments

(1 file)

projects/gum (or m-c with [1] applied) with local patches (attached). Debug build.

I've changed the interface of nsICacheEntry and rebuilt the whole tree (added an argument to a method). One test I can reproduce the crash with has not been updated to reflect this IDL change.

During shutdown the cache entry being released via GC is trying to call its callback (that might be a bug on my side; however, a crash in xpconnect is not expected anyway). At GetCurrentJSStack() we crash since do_GetService(nsIXPConnect::GetCID()) fails and there is no null check.

 	KernelBase.dll!_DebugBreak@0()	Unknown
 	xul.dll!RealBreak() Line 461	C++
 	xul.dll!NS_DebugBreak(unsigned int aSeverity=3, const char * aStr=0x132d2210, const char * aExpr=0x132d21cc, const char * aFile=0x132f121c, int aLine=822) Line 382	C++
 	xul.dll!nsCOMPtr<nsIXPConnect>::operator->() Line 822	C++
>	xul.dll!mozilla::dom::GetCurrentJSStack() Line 178	C++
 	xul.dll!mozilla::dom::Exception::Exception(const nsACString_internal & aMessage={...}, tag_nsresult aResult=NS_ERROR_XPC_JAVASCRIPT_ERROR_WITH_DETAILS, const nsACString_internal & aName={...}, nsIStackFrame * aLocation=0x00000000, nsISupports * aData=0x034e0960) Line 204	C++
 	xul.dll!XPCConvert::ConstructException(tag_nsresult rv=NS_ERROR_XPC_JAVASCRIPT_ERROR_WITH_DETAILS, const char * message=0x043e3e60, const char * ifaceName=0x03586e48, const char * methodName=0x0130fca0, nsISupports * data=0x034e0960, nsIException * * exceptn=0x0050ef80, JSContext * cx=0x00000000, JS::Value * jsExceptionPtr=0x00000000) Line 1091	C++
 	xul.dll!XPCConvert::JSErrorToXPCException(const char * message=0x043b09d0, const char * ifaceName=0x03586e48, const char * methodName=0x0130fca0, const JSErrorReport * report=0x034d9ee0, nsIException * * exceptn=0x0050ef80) Line 1334	C++
 	xul.dll!XPCConvert::JSValToXPCException(JS::MutableHandle<JS::Value> s={...}, const char * ifaceName=0x03586e48, const char * methodName=0x0130fca0, nsIException * * exceptn=0x0050ef80) Line 1174	C++
 	xul.dll!nsXPCWrappedJSClass::CheckForException(XPCCallContext & ccx={...}, const char * aPropertyName=0x0130fca0, const char * anInterfaceName=0x03586e48, bool aForceReport=false) Line 827	C++
 	xul.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS * wrapper=0x043e36f8, unsigned short methodIndex=3, const XPTMethodDescriptor * info_=0x0130fc78, nsXPTCMiniVariant * nativeParams=0x0050f5d0) Line 1326	C++
 	xul.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex=3, const XPTMethodDescriptor * info=0x0130fc78, nsXPTCMiniVariant * params=0x0050f5d0) Line 520	C++
 	xul.dll!PrepareAndDispatch(nsXPTCStubBase * self=0x043ce900, unsigned int methodIndex=3, unsigned int * args=0x0050f698, unsigned int * stackBytesToPop=0x0050f688) Line 85	C++
 	xul.dll!SharedStub() Line 113	C++
 	xul.dll!mozilla::net::CacheEntry::InvokeCallback(mozilla::net::CacheEntry::Callback & aCallback={...}) Line 599	C++
 	xul.dll!mozilla::net::CacheEntry::InvokeCallbacks(bool aReadOnly=false) Line 534	C++
 	xul.dll!mozilla::net::CacheEntry::InvokeCallbacks() Line 488	C++
 	xul.dll!mozilla::net::CacheEntry::OnHandleClosed(const mozilla::net::CacheEntryHandle * aHandle=0x043e4878) Line 789	C++
 	xul.dll!mozilla::net::CacheEntryHandle::~CacheEntryHandle() Line 68	C++
 	xul.dll!mozilla::net::CacheEntryHandle::`scalar deleting destructor'(unsigned int)	C++
 	xul.dll!mozilla::net::CacheEntryHandle::Release() Line 40	C++
 	xul.dll!ReleaseSliceNow(unsigned int aSlice=27, void * aData=0x035e5a80) Line 993	C++
 	xul.dll!mozilla::IncrementalFinalizeRunnable::ReleaseNow(bool aLimited=false) Line 1065	C++
 	xul.dll!mozilla::CycleCollectedJSRuntime::FinalizeDeferredThings(mozilla::CycleCollectedJSRuntime::DeferredFinalizeType aType=FinalizeNow) Line 1116	C++
 	xul.dll!mozilla::CycleCollectedJSRuntime::OnGC(JSGCStatus aStatus=JSGC_END) Line 1143	C++
 	xul.dll!mozilla::CycleCollectedJSRuntime::GCCallback(JSRuntime * aRuntime=0x034fd7b8, JSGCStatus aStatus=JSGC_END, void * aData=0x034e7a48) Line 722	C++
 	mozjs.dll!Collect(JSRuntime * rt=0x034fd7b8, bool incremental=false, __int64 budget=0, js::JSGCInvocationKind gckind=GC_NORMAL, JS::gcreason::Reason reason=SHUTDOWN_CC) Line 4929	C++
 	mozjs.dll!js::GC(JSRuntime * rt=0x034fd7b8, js::JSGCInvocationKind gckind=GC_NORMAL, JS::gcreason::Reason reason=SHUTDOWN_CC) Line 4955	C++
 	mozjs.dll!JS::GCForReason(JSRuntime * rt=0x034fd7b8, JS::gcreason::Reason reason=SHUTDOWN_CC) Line 200	C++
 	xul.dll!mozilla::CycleCollectedJSRuntime::Collect(unsigned int aReason=50) Line 949	C++
 	xul.dll!nsCycleCollector::FixGrayBits(bool aForceGC=true) Line 3086	C++
 	xul.dll!nsCycleCollector::BeginCollection(ccType aCCType=ShutdownCC, nsICycleCollectorListener * aManualListener=0x00000000) Line 3308	C++
 	xul.dll!nsCycleCollector::Collect(ccType aCCType=ShutdownCC, js::SliceBudget & aBudget={...}, nsICycleCollectorListener * aManualListener=0x00000000) Line 3171	C++
 	xul.dll!nsCycleCollector::ShutdownCollect() Line 3127	C++
 	xul.dll!nsCycleCollector::Shutdown() Line 3362	C++
 	xul.dll!nsCycleCollector_shutdown() Line 3768	C++
 	xul.dll!mozilla::ShutdownXPCOM(nsIServiceManager * servMgr=0x00000000) Line 796	C++
 	xul.dll!NS_ShutdownXPCOM(nsIServiceManager * servMgr=0x00000000) Line 656	C++
 	xul.dll!XRE_XPCShellMain(int argc=24, char * * argv=0x0134f794, char * * envp=0x013430d0) Line 1602	C++
 	xpcshell.exe!NS_internal_main(int argc=31, char * * argv=0x0134f778, char * * envp=0x013430d0) Line 43	C++
 	xpcshell.exe!wmain(int argc=31, wchar_t * * argv=0x012713e0) Line 109	C++
 	xpcshell.exe!__tmainCRTStartup() Line 552	C
 	xpcshell.exe!wmainCRTStartup() Line 371	C
 	kernel32.dll!@BaseThreadInitThunk@12()	Unknown
 	ntdll.dll!___RtlUserThreadStart@8()	Unknown
 	ntdll.dll!__RtlUserThreadStart@8()	Unknown
[1] https://hg.mozilla.org/projects/gum/rev/8d742fe5672f
And the test to run is:

./mach xpcshell-test netwerk/test/unit/test_cache2-16-conditional-200.js
Yeah: http://mxr.mozilla.org/mozilla-central/source/dom/bindings/Exceptions.cpp#171

The bit about xpcshell not initializing nsContentUtils is incorrect FWIW. We should probably check whether nsContentUtils is initialized, not whether nsContentUtils::XPConnect is null.

Shutdown is kind of a live-wire. I tried recently to fix some of it up (in bug 913138), and failed.

Patches welcome.
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INACTIVE