Closed Bug 1101769 Opened 11 years ago Closed 11 years ago

crash in nsGlobalWindow::CallerGlobal()

Categories

(Core :: DOM: Core & HTML, defect)

36 Branch
x86
Windows NT
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla36
Tracking Status
firefox36 --- verified

People

(Reporter: jbecerra, Assigned: bholley)

References

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

This bug was filed from the Socorro interface and is report bp-5f429575-9acb-4203-8bae-d877c2141112.

This signature has been around for a while, but it spiked around 11/07 and it's been steady after that point. Most of the reports are coming from Windows 7 installations. There are several dupes. No comments in the reports.

More reports at: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=nsGlobalWindow%3A%3ACallerGlobal%28%29

0 xul.dll nsGlobalWindow::CallerGlobal() dom/base/nsGlobalWindow.cpp
1 xul.dll nsGlobalWindow::CallerInnerWindow() dom/base/nsGlobalWindow.cpp
2 xul.dll nsGlobalWindow::PostMessageMoz(JSContext*, JS::Handle<JS::Value>, nsAString_internal const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) dom/base/nsGlobalWindow.cpp
3 xul.dll nsGlobalWindow::PostMessageMoz(JSContext*, JS::Handle<JS::Value>, nsAString_internal const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) dom/base/nsGlobalWindow.cpp
4 xul.dll nsGlobalWindow::PostMessageMoz(JSContext*, JS::Handle<JS::Value>, nsAString_internal const&, mozilla::dom::Optional<mozilla::dom::Sequence<JS::Value> > const&, mozilla::ErrorResult&) dom/base/nsGlobalWindow.cpp
5 xul.dll mozilla::dom::WindowBinding::postMessage obj-firefox/dom/bindings/WindowBinding.cpp
6 xul.dll mozilla::dom::WindowBinding::genericCrossOriginMethod obj-firefox/dom/bindings/WindowBinding.cpp
7 xul.dll js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/vm/Interpreter.cpp
8 xul.dll js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp
9 xul.dll JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) js/src/jsapi.cpp
10 xul.dll mozilla::jsipc::WrapperAnswer::RecvCallOrConstruct(mozilla::jsipc::ObjectId const&, nsTArray<mozilla::jsipc::JSParam> const&, bool const&, mozilla::jsipc::ReturnStatus*, mozilla::jsipc::JSVariant*, nsTArray<mozilla::jsipc::JSParam>*) js/ipc/WrapperAnswer.cpp
11 xul.dll mozilla::jsipc::JavaScriptBase<mozilla::jsipc::PJavaScriptParent>::RecvCallOrConstruct(unsigned __int64 const&, nsTArray<mozilla::jsipc::JSParam> const&, bool const&, mozilla::jsipc::ReturnStatus*, mozilla::jsipc::JSVariant*, nsTArray<mozilla::jsipc::JSParam>*) js/ipc/JavaScriptBase.h
12 xul.dll mozilla::jsipc::PJavaScriptChild::OnMessageReceived(IPC::Message const&, IPC::Message*&) obj-firefox/ipc/ipdl/PJavaScriptChild.cpp
13 xul.dll mozilla::layers::PCompositorChild::OnMessageReceived(IPC::Message const&, IPC::Message*&) obj-firefox/ipc/ipdl/PCompositorChild.cpp
14 xul.dll mozilla::ipc::MessageChannel::DispatchSyncMessage(IPC::Message const&) ipc/glue/MessageChannel.cpp
15 xul.dll mozilla::ipc::MessageChannel::OnMaybeDequeueOne() ipc/glue/MessageChannel.cpp
16 xul.dll MessageLoop::DoWork() ipc/chromium/src/base/message_loop.cc
17 xul.dll mozilla::ipc::DoWorkRunnable::Run() ipc/glue/MessagePump.cpp
18 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp
19 xul.dll NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp
20 xul.dll mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp
21 xul.dll mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp
22 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc
23 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc
24 xul.dll nsBaseAppShell::Run() widget/nsBaseAppShell.cpp
25 xul.dll nsAppShell::Run() widget/windows/nsAppShell.cpp
26 xul.dll XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp
27 xul.dll mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp
28 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc
29 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc
30 xul.dll XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp
31 plugin-container.exe content_process_main(int, char** const) ipc/contentproc/plugin-container.cpp
32 plugin-container.exe wmain toolkit/xre/nsWindowsWMain.cpp
33 plugin-container.exe __tmainCRTStartup f:/dd/vctools/crt/crtw32/startup/crt0.c:255
34 kernel32.dll BaseThreadInitThunk
35 ntdll.dll __RtlUserThreadStart
36 ntdll.dll _RtlUserThreadStart
Flags: needinfo?(bobbyholley)
This is fun. WrapperAnswer::RecvCallOrConstruct just does direct JSAPI stuff to call postMessage; it knows nothing about the entry point stack... but the callee expects all script execution to come via things that know about entry points.
Yeah, the answer here is to rip out all of the AutoSafeJSContext usage from WrapperAnswer.cpp. I'll write up a patch.
Depends on: 1102521
Attached patch Tests. v1
Attachment #8526381 - Flags: review?(wmccloskey)
(In reply to Bobby Holley (:bholley) from comment #4)
> Created attachment 8526381 [details] [diff] [review]
> Tests. v1

Note that this test only catches the issue with part 1 of bug 1102521. Part 2 fixes it.
Flags: needinfo?(bobbyholley)
Attachment #8526381 - Flags: review?(wmccloskey) → review+
Assignee: nobody → bobbyholley
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
Component: DOM → DOM: Core & HTML