crash in nsWindowDataSource::GetWindowForResource

VERIFIED FIXED in mozilla33

Status: VERIFIED FIXED
Product: Core
Component: Embedding: APIs
Priority: --
Severity: critical
People: Reporter: Martijn Wargers (zombie), Assigned: smichaud
Keywords: crash, testcase
Version: Trunk
Target Milestone: mozilla33
Firefox Tracking Flags: Not tracked
Details: crash signature
Attachments: 3 attachments, 1 obsolete attachment

Description (Reporter), 4 years ago
Created attachment 8449327 [details]
crash.html

See testcase, you need to have the SpecialPowers extension installed to see the crash: http://people.mozilla.org/~mwargers/extensions/specialpowers/specialpowers_working.xpi

This bug was filed from the Socorro interface and is report bp-78abf109-b162-46d0-805a-ad0b32140702.
=============================================================
0 	libsystem_c.dylib 	libsystem_c.dylib@0x1732 	
1 	XUL 	nsWindowDataSource::GetWindowForResource(char const*, nsIDOMWindow**) 	obj-firefox/x86_64/dist/include/nsCharTraits.h
2 	XUL 	_ZThn24_N18nsWindowDataSource20GetWindowForResourceEPKcPP12nsIDOMWindow 	xpfe/components/windowds/nsWindowDataSource.cpp
3 	XUL 	NS_InvokeByIndex 	xpcom/reflect/xptcall/md/unix/xptcinvoke_x86_64_unix.cpp
4 	XUL 	XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) 	js/xpconnect/src/XPCWrappedNative.cpp
5 	XUL 	XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp
6 	XUL 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/jscntxtinlines.h
7 	XUL 	js_fun_apply(JSContext*, unsigned int, JS::Value*) 	js/src/jsfun.cpp
8 	XUL 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/jscntxtinlines.h
9 	XUL 	js_fun_call(JSContext*, unsigned int, JS::Value*) 	js/src/jsfun.cpp
10 	XUL 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/jscntxtinlines.h

Comment 1 (Reporter), 4 years ago
Ok, the testcase seems to only crash locally when clicking the button.

Comment 2 (Assignee), 4 years ago
When I run this testcase on a recent m-c nightly, after having installed your SpecialPowers extension, I see the following error in the Web Console (and I don't crash):

TypeError: SpecialPowers.cc is undefined

Comment 3 (Reporter), 4 years ago
Sorry, try this specialpowers extension instead. This is more recent and should work:
http://people.mozilla.org/~mwargers/extensions/specialpowers/specialpowers_20140612.xpi

Comment 4 (Assignee), 4 years ago
Now I see this error, testing with yesterday's m-c nightly :-(

NS_ERROR_XPC_BAD_IID: Component returned failure code: 0x80570018 (NS_ERROR_XPC_BAD_IID) [nsIJSCID.getService]

By the way, your "new" Special Powers extension showed up (in Tools : Add-ons) as "Special Powers 2010.07.23".

Updated (Assignee), 4 years ago
Flags: needinfo?(martijn.martijn)

Comment 5 (Reporter), 4 years ago
Created attachment 8451829 [details]
testcase

Sorry, there was a stupid mistake in the previous testcase.
Attachment #8449327 - Attachment is obsolete: true
Flags: needinfo?(martijn.martijn)

Comment 6 (Assignee), 4 years ago
Thanks, Martijn.  Your testcase now works like a charm!

This bug is a null dereference, here:
https://hg.mozilla.org/mozilla-central/annotate/085eea991bb9/xpcom/string/nsCharTraits.h#l498

(This is a true null dereference, not a spurious one as per bug 1018360 comment #0.)

Comment 7 (Assignee), 4 years ago
Created attachment 8451915 [details]
Crash stack (ASan)

Comment 8 (Assignee), 4 years ago
> var win = windowManagerDS.getWindowForResource(null);

This (from Martijn's testcase) should throw a JavaScript error, rather than crash.  Let me see if I can come up with a patch.

Comment 9 (Assignee), 4 years ago
The bug is in ancient code -- it goes back to the earliest days of bonsai.mozilla.org!  Patches of similar vintage were categorized as Core : Embedding : APIs.
Component: Widget: Cocoa → Embedding: APIs

Updated (Assignee), 4 years ago
OS: Mac OS X → All

Comment 10 (Assignee)
Created attachment 8451981 [details] [diff] [review]
Fix

>> var win = windowManagerDS.getWindowForResource(null);
>
> This (from Martijn's testcase) should throw a JavaScript error,
> rather than crash.

This patch fixes the problem for me.

Benjamin, you're the Embedding module owner, so I'm asking you to review.
Assignee: nobody → smichaud
Attachment #8451981 - Flags: review?(benjamin)

Comment 11, 4 years ago
Comment on attachment 8451981 [details] [diff] [review]
Fix

Please do not use NS_ENSURE_* in any new code.

r=me if you change this to 

if (NS_WARN_IF(!aResourceString)) {
    return NS_ERROR_INVALID_ARG;
}
Attachment #8451981 - Flags: review?(benjamin) → review+
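The guard the review asks for, shown as an added example that models the two versions of the function side by side; this is not Mozilla's code. The XPCOM types (nsresult, NS_OK, NS_ERROR_INVALID_ARG, NS_WARN_IF), the Window struct, the lookup table and the _Before/_After names are stand-ins constructed for the example (the two constant values match XPCOM's). The assumption that the crash path is strlen() on the null argument follows from the stack in the description (frame 0 in libsystem_c.dylib, frame 1 in nsCharTraits.h), not from anything stated in the comments.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <map>
#include <string>

// Modelled stand-ins for the XPCOM pieces the patch touches (not the real headers).
// The two constant values are XPCOM's; NS_WARN_IF is reduced to "log and yield".
typedef uint32_t nsresult;
static const nsresult NS_OK = 0;
static const nsresult NS_ERROR_INVALID_ARG = 0x80070057;

static bool warn_if_impl(bool cond, const char* expr, const char* file, int line) {
  if (cond) std::fprintf(stderr, "WARNING: %s, file %s, line %d\n", expr, file, line);
  return cond;
}
#define NS_WARN_IF(cond) warn_if_impl((cond), #cond, __FILE__, __LINE__)

// Stand-in for the window object the data source hands back to the caller.
struct Window { std::string url; };

// Constructed table standing in for the resource -> window mapping.
static std::map<std::string, Window>& windowTable() {
  static std::map<std::string, Window> table = {
    {"window-1", {"about:blank"}},
  };
  return table;
}

// Before the fix (modelled): the C string is turned into a string object, which
// measures it with strlen(). A null pointer coming in from JavaScript via
// getWindowForResource(null) reaches strlen() and faults inside libc.
nsresult GetWindowForResource_Before(const char* aResourceString, Window** aResult) {
  size_t len = std::strlen(aResourceString);  // strlen(nullptr) -> segfault
  std::string key(aResourceString, len);
  auto it = windowTable().find(key);
  *aResult = (it == windowTable().end()) ? nullptr : &it->second;
  return NS_OK;
}

// After the fix (modelled): the argument is checked first, exactly in the shape
// the reviewer asked for. The failure code is returned to XPConnect, which
// surfaces it to the JavaScript caller as an exception instead of a crash.
nsresult GetWindowForResource_After(const char* aResourceString, Window** aResult) {
  if (NS_WARN_IF(!aResourceString)) {
    return NS_ERROR_INVALID_ARG;
  }
  size_t len = std::strlen(aResourceString);  // safe: pointer is non-null here
  std::string key(aResourceString, len);
  auto it = windowTable().find(key);
  *aResult = (it == windowTable().end()) ? nullptr : &it->second;
  return NS_OK;
}

int main() {
  Window* win = nullptr;
  nsresult rv = GetWindowForResource_After(nullptr, &win);
  std::printf("null argument  -> rv=0x%08x, win=%p\n", (unsigned)rv, (void*)win);
  rv = GetWindowForResource_After("window-1", &win);
  std::printf("\"window-1\"     -> rv=0x%08x, url=%s\n", (unsigned)rv,
              win ? win->url.c_str() : "(none)");
  // GetWindowForResource_Before(nullptr, &win) is deliberately not called: it
  // would reproduce the fault the bug describes.
  return 0;
}
```

The point of the ordering in the _After version is that the check runs before anything reads through the pointer; a scripted caller can always pass null into an XPCOM method, so an XPCOM entry point that takes a raw C string has to validate it itself rather than rely on callers.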
https://hg.mozilla.org/mozilla-central/rev/b62115e8c780
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
QA Whiteboard: [good first verify]

Comment 14, 4 years ago
I was able to reproduce this bug on Nightly 33.0a1 (2014-07-02), using Mac OSX 10.9.5.

Verified fixed on Windows 7 x64, Mac OSX 10.9.5 and Ubuntu 14.04 x86 using Nightly 35.0a1 (2014-10-12).

This fix can be marked as verified.

[bugday-20141015]

Comment 15 (Reporter), 4 years ago
Thanks vasilicamihasca!
Status: RESOLVED → VERIFIED
QA Whiteboard: [good first verify]