Closed Bug 1077587 Opened 5 years ago Closed 5 years ago

[e10s] Accessing gBrowser.sessionHistory hangs or brings down the browser.

Categories: Core :: JavaScript Engine, defect
Hardware: x86
OS: All
Type: defect
Priority: Not set
Status: RESOLVED FIXED
Target Milestone: mozilla36
Tracking Status: e10s m3+ ---
People: Reporter: mconley, Assigned: billm
Attachments: 1 file

STR:

0) Set browser.tabs.remote.autostart to true and restart the browser
1) With devtools.chrome.enabled and devtools.debugger.remote-enabled, open up the Browser Console (Menu > Developer Tools > Browser Console)
2) Type in gBrowser.sessionHistory
3) Press enter

On OSX, the browser immediately shuts down, without even a crash report. On Windows, the whole thing hangs and I have to terminate it manually.
Here's the stack - I'm failing at MOZ_CRASH("Bad CPOW Id"); in JavaScriptShared.h's ObjectId constructor. "serialNumber" is 0.

* thread #1: tid = 0x2a24c, 0x000000010230240a XUL`mozilla::jsipc::ObjectId::ObjectId(this=0x00007fff5fbe4698, serialNumber=0, hasXrayWaiver=false) + 218 at JavaScriptShared.h:31, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x000000010230240a XUL`mozilla::jsipc::ObjectId::ObjectId(this=0x00007fff5fbe4698, serialNumber=0, hasXrayWaiver=false) + 218 at JavaScriptShared.h:31
    frame #1: 0x00000001022f41bc XUL`mozilla::jsipc::ObjectId::ObjectId(this=0x00007fff5fbe4698, serialNumber=0, hasXrayWaiver=false) + 44 at JavaScriptShared.h:32
    frame #2: 0x00000001022f3c34 XUL`mozilla::jsipc::ObjectId::deserialize(data=0) + 84 at JavaScriptShared.h:51
    frame #3: 0x00000001022ef1c3 XUL`mozilla::jsipc::WrapperOwner::fromLocalObjectVariant(this=0x000000010063c3a0, cx=0x00000001006ac690, objVar=<unavailable>) + 51 at WrapperOwner.cpp:983
    frame #4: 0x00000001022eed6d XUL`mozilla::jsipc::WrapperOwner::fromObjectVariant(this=0x000000010063c3a0, cx=0x00000001006ac690, objVar=0x00007fff5fbe47b8) + 157 at WrapperOwner.cpp:942
    frame #5: 0x00000001022f613e XUL`mozilla::jsipc::JavaScriptBase<mozilla::jsipc::PJavaScriptParent>::fromObjectVariant(this=0x000000010063c3a0, cx=0x00000001006ac690, objVar=<unavailable>) + 78 at JavaScriptBase.h:229
    frame #6: 0x00000001022f7af7 XUL`_ZTv0_n40_N7mozilla5jsipc14JavaScriptBaseINS0_17PJavaScriptParentEE17fromObjectVariantEP9JSContextNS0_13ObjectVariantE(this=0x000000010063c3e8, cx=0x00000001006ac690, objVar=<unavailable>) + 39 at Unified_cpp_js_ipc0.cpp:230
    frame #7: 0x00000001022e2192 XUL`mozilla::jsipc::JavaScriptShared::toDescriptor(this=0x000000010063c3e8, cx=0x00000001006ac690, in=0x00007fff5fbe49e0, out=MutableHandle<JSPropertyDescriptor> at 0x00007fff5fbe4980) + 322 at JavaScriptShared.cpp:480
    frame #8: 0x00000001022eab2a XUL`mozilla::jsipc::WrapperOwner::getOwnPropertyDescriptor(this=0x000000010063c3a0, cx=0x00000001006ac690, proxy=JS::HandleObject at 0x00007fff5fbe4a78, id=JS::HandleId at 0x00007fff5fbe4a70, desc=MutableHandle<JSPropertyDescriptor> at 0x00007fff5fbe4a68) + 410 at WrapperOwner.cpp:192
    frame #9: 0x00000001022ea971 XUL`CPOWProxyHandler::getOwnPropertyDescriptor(this=0x00000001097a3ba8, cx=0x00000001006ac690, proxy=JS::HandleObject at 0x00007fff5fbe4ae0, id=JS::HandleId at 0x00007fff5fbe4ad8, desc=MutableHandle<JSPropertyDescriptor> at 0x00007fff5fbe4ad0) const + 145 at WrapperOwner.cpp:169
    frame #10: 0x0000000106db7e4a XUL`js::Proxy::getOwnPropertyDescriptor(cx=0x00000001006ac690, proxy=JS::HandleObject at 0x00007fff5fbe4bd8, id=JS::HandleId at 0x00007fff5fbe4bd0, desc=MutableHandle<JSPropertyDescriptor> at 0x00007fff5fbe4bc8) + 394 at Proxy.cpp:139
    frame #11: 0x0000000106c6e739 XUL`js::GetOwnPropertyDescriptor(cx=0x00000001006ac690, obj=JS::HandleObject at 0x00007fff5fbe4d78, id=JS::HandleId at 0x00007fff5fbe4d70, desc=MutableHandle<JSPropertyDescriptor> at 0x00007fff5fbe4d68) + 105 at jsobj.cpp:376
    frame #12: 0x0000000106db1203 XUL`js::DirectProxyHandler::getOwnPropertyDescriptor(this=0x0000000109b304a8, cx=0x00000001006ac690, proxy=JS::HandleObject at 0x00007fff5fbe4e38, id=JS::HandleId at 0x00007fff5fbe4e30, desc=MutableHandle<JSPropertyDescriptor> at 0x00007fff5fbe4e28) const + 259 at DirectProxyHandler.cpp:32
    frame #13: 0x0000000106db10a4 XUL`js::CrossCompartmentWrapper::getOwnPropertyDescriptor(this=0x0000000109b304a8, cx=0x00000001006ac690, wrapper=JS::HandleObject at 0x00007fff5fbe4ec8, id=JS::HandleId at 0x00007fff5fbe4ec0, desc=MutableHandle<JSPropertyDescriptor> at 0x00007fff5fbe4eb8) const + 132 at CrossCompartmentWrapper.cpp:62
    frame #14: 0x0000000106db7e4a XUL`js::Proxy::getOwnPropertyDescriptor(cx=0x00000001006ac690, proxy=JS::HandleObject at 0x00007fff5fbe4fb8, id=JS::HandleId at 0x00007fff5fbe4fb0, desc=MutableHandle<JSPropertyDescriptor> at 0x00007fff5fbe4fa8) + 394 at Proxy.cpp:139
    frame #15: 0x0000000106c6e739 XUL`js::GetOwnPropertyDescriptor(cx=0x00000001006ac690, obj=JS::HandleObject at 0x00007fff5fbe5158, id=JS::HandleId at 0x00007fff5fbe5150, desc=MutableHandle<JSPropertyDescriptor> at 0x00007fff5fbe5148) + 105 at jsobj.cpp:376
    frame #16: 0x0000000106e3d507 XUL`DebuggerObject_getOwnPropertyDescriptor(cx=0x00000001006ac690, argc=1, vp=0x00007fff5fbe5af0) + 727 at Debugger.cpp:5413
    frame #17: 0x0000000106e66005 XUL`js::CallJSNative(cx=0x00000001006ac690, native=0x0000000106e3d230, args=0x00007fff5fbe59c0)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 165 at jscntxtinlines.h:231
    frame #18: 0x0000000106e22aee XUL`js::Invoke(cx=0x00000001006ac690, args=CallArgs at 0x00007fff5fbe59c0, construct=NO_CONSTRUCT) + 1118 at Interpreter.cpp:481
    frame #19: 0x0000000106dea492 XUL`js::Invoke(cx=0x00000001006ac690, thisv=0x00000001153b2af8, fval=0x00007fff5fbe5c08, argc=1, argv=0x00000001153b2b00, rval=JS::MutableHandleValue at 0x00007fff5fbe5b40) + 834 at Interpreter.cpp:537
    frame #20: 0x0000000106db396c XUL`js::DirectProxyHandler::call(this=0x0000000109b304a8, cx=0x00000001006ac690, proxy=JS::HandleObject at 0x00007fff5fbe5c28, args=0x00007fff5fbe5ed0) const + 316 at DirectProxyHandler.cpp:78
    frame #21: 0x0000000106db375c XUL`js::CrossCompartmentWrapper::call(this=0x0000000109b304a8, cx=0x00000001006ac690, wrapper=JS::HandleObject at 0x00007fff5fbe5d60, args=0x00007fff5fbe5ed0) const + 572 at CrossCompartmentWrapper.cpp:267
    frame #22: 0x0000000106dba4b0 XUL`js::Proxy::call(cx=0x00000001006ac690, proxy=JS::HandleObject at 0x00007fff5fbe5e48, args=0x00007fff5fbe5ed0) + 368 at Proxy.cpp:413
    frame #23: 0x0000000106dbcbc3 XUL`js::proxy_Call(cx=0x00000001006ac690, argc=1, vp=0x00000001153b2af0) + 243 at Proxy.cpp:815
    frame #24: 0x0000000106e66005 XUL`js::CallJSNative(cx=0x00000001006ac690, native=0x0000000106dbcad0, args=0x00007fff5fbe64d0)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 165 at jscntxtinlines.h:231
    frame #25: 0x0000000106e22a04 XUL`js::Invoke(cx=0x00000001006ac690, args=CallArgs at 0x00007fff5fbe64d0, construct=NO_CONSTRUCT) + 884 at Interpreter.cpp:474
    frame #26: 0x0000000106e17f81 XUL`Interpret(cx=0x00000001006ac690, state=0x00007fff5fbe9508) + 51729 at Interpreter.cpp:2551
    frame #27: 0x0000000106e0b50b XUL`js::RunScript(cx=0x00000001006ac690, state=0x00007fff5fbe9508) + 667 at Interpreter.cpp:431
    frame #28: 0x0000000106e22c0e XUL`js::Invoke(cx=0x00000001006ac690, args=CallArgs at 0x00007fff5fbe95c0, construct=NO_CONSTRUCT) + 1406 at Interpreter.cpp:500
    frame #29: 0x0000000106dea492 XUL`js::Invoke(cx=0x00000001006ac690, thisv=0x00007fff5fbe99c0, fval=0x00007fff5fbe99f0, argc=3, argv=0x00007fff5fbe9b48, rval=JS::MutableHandleValue at 0x00007fff5fbe9740) + 834 at Interpreter.cpp:537
    frame #30: 0x0000000106860471 XUL`js::jit::DoCallFallback(cx=0x00000001006ac690, frame=0x00007fff5fbe9be0, stub_=0x000000011d3df9c8, argc=3, vp=0x00007fff5fbe9b38, res=JS::MutableHandleValue at 0x00007fff5fbe9a80) + 1985 at BaselineIC.cpp:8658
    frame #31: 0x000000010078cc2b
Any idea what this is, billm?
Flags: needinfo?(wmccloskey)
Not sure, but it sounds like an STR for bug 1075543. I'll take it.
Assignee: nobody → wmccloskey
Flags: needinfo?(wmccloskey)
Attached patch: fix-objid-crash
The problem is that we have this early return path when a property descriptor's obj field is null. In that case, we're not filling out the PPropertyDescriptor to send over IPDL. That's causing the object field in the PPropertyDescriptor to be 0, which is invalid. I've changed things around so that we handle the null object field case better. Note that Rooted<JSPropertyDescriptor> automatically initializes all the fields of the descriptor to 0.

I also happened to notice that AnswerGetOwnPropertyDescriptor is not calling the right JSAPI function!
Attachment #8500686 - Flags: review?(mrbkap)
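To make the failure mode in the comment above concrete, here is an added stand-alone model of it; this is not Firefox's js/ipc code and the names (ObjectId, PPropertyDescriptor, toDescriptor, the hasObj flag) only loosely mirror the Mozilla ones. The serial number 0 is reserved as invalid, so a wire descriptor that the sender never filled out (the early-return path) deserializes to the "Bad CPOW Id" condition in the stack above. The fixed pair represents "no object" explicitly instead of letting a zero-initialized field stand in for it; the hasObj flag is an assumption for this illustration, not the shape of the actual patch.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>

namespace cpowmodel {

// Serial number 0 is reserved. Building an id from it is the "Bad CPOW Id"
// condition hit in the crash stack, modelled here as an exception (MOZ_CRASH
// would abort the process instead).
struct ObjectId {
    uint64_t serialNumber;
    bool hasXrayWaiver;
    ObjectId(uint64_t serial, bool waiver) : serialNumber(serial), hasXrayWaiver(waiver) {
        if (serial == 0) throw std::logic_error("Bad CPOW Id");
    }
    uint64_t serialize() const { return (serialNumber << 1) | (hasXrayWaiver ? 1u : 0u); }
    static ObjectId deserialize(uint64_t data) { return ObjectId(data >> 1, (data & 1) != 0); }
};

// Wire form sent over IPDL. Value-initialized, so an untouched obj field is 0.
struct PPropertyDescriptor {
    uint64_t obj = 0;      // serialized ObjectId; 0 is never a valid id
    bool hasObj = false;   // assumed fix: explicit "no object" marker
    unsigned attrs = 0;
};

// In-process descriptor; obj == 0 models a null JSObject* (property not found).
struct JSPropertyDescriptor {
    uint64_t obj = 0;
    unsigned attrs = 0;
};

// Buggy sender, as described in the comment: early-returns on a null obj and
// never fills out the wire struct, so out->obj stays 0.
inline void toDescriptorBuggy(const JSPropertyDescriptor& in, PPropertyDescriptor* out) {
    if (in.obj == 0) return;
    out->obj = ObjectId(in.obj, false).serialize();
    out->attrs = in.attrs;
}

// Buggy receiver: unconditionally turns the id field into an ObjectId.
inline JSPropertyDescriptor fromDescriptorBuggy(const PPropertyDescriptor& in) {
    JSPropertyDescriptor out;
    out.obj = ObjectId::deserialize(in.obj).serialNumber;   // throws when in.obj == 0
    out.attrs = in.attrs;
    return out;
}

// Fixed pair: the null-object case is carried explicitly and is never
// converted to an ObjectId on either side.
inline void toDescriptorFixed(const JSPropertyDescriptor& in, PPropertyDescriptor* out) {
    out->attrs = in.attrs;
    if (in.obj == 0) { out->hasObj = false; out->obj = 0; return; }
    out->hasObj = true;
    out->obj = ObjectId(in.obj, false).serialize();
}

inline JSPropertyDescriptor fromDescriptorFixed(const PPropertyDescriptor& in) {
    JSPropertyDescriptor out;   // zero-initialized, like Rooted<JSPropertyDescriptor>
    out.attrs = in.attrs;
    if (in.hasObj) out.obj = ObjectId::deserialize(in.obj).serialNumber;
    return out;
}

// Round-trip a descriptor through each path. Returns the object serial seen by
// the receiver, or -1 where the buggy path would have crashed.
inline long long roundTripBuggy(uint64_t localObj) {
    JSPropertyDescriptor in; in.obj = localObj; in.attrs = 0x5;
    PPropertyDescriptor wire;
    toDescriptorBuggy(in, &wire);
    try { return static_cast<long long>(fromDescriptorBuggy(wire).obj); }
    catch (const std::logic_error&) { return -1; }
}

inline long long roundTripFixed(uint64_t localObj) {
    JSPropertyDescriptor in; in.obj = localObj; in.attrs = 0x5;
    PPropertyDescriptor wire;
    toDescriptorFixed(in, &wire);
    try { return static_cast<long long>(fromDescriptorFixed(wire).obj); }
    catch (const std::logic_error&) { return -1; }
}

} // namespace cpowmodel

int main() {
    // Constructed inputs: serial 42 stands for a found property, 0 for "not found".
    std::printf("buggy, obj=42: %lld\n", cpowmodel::roundTripBuggy(42));
    std::printf("buggy, obj=0 : %lld (crash)\n", cpowmodel::roundTripBuggy(0));
    std::printf("fixed, obj=42: %lld\n", cpowmodel::roundTripFixed(42));
    std::printf("fixed, obj=0 : %lld\n", cpowmodel::roundTripFixed(0));
    return 0;
}
```

The general lesson for any IPC boundary is the same as here: a receiver must treat an absent or zero-valued object reference as a distinct, expected state rather than assume the sender populated the field, because a default-initialized message is indistinguishable from a malformed one.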
I can confirm that this patch fixes the sessionHistory issue I ran into in comment 0.
Attachment #8500686 - Flags: review?(mrbkap) → review+
Duplicate of this bug: 1079673
https://hg.mozilla.org/mozilla-central/rev/8f34e100ffea
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 36
Component: General → JavaScript Engine
Product: Firefox → Core
Target Milestone: Firefox 36 → ---
Target Milestone: --- → mozilla36