Open Bug 1200742 Opened 9 years ago Updated 2 years ago

Using a <browser forcemessagemanager="true"> inside a content docshell results in a broken message manager and crash in debug builds

Categories

(Core :: DOM: Content Processes, defect)

People

(Reporter: mossop, Unassigned)

Attachments

(1 file)

In an in-content XUL page, like the add-ons manager, using <browser forcemessagemanager="true"> doesn't work correctly. While a messageManager property exists and seems usable on the browser element, attempts to get the content side of the message manager fail.

I try to retrieve it with:

  browser.contentWindow.QueryInterface(Ci.nsIInterfaceRequestor)
         .getInterface(Ci.nsIDocShell)
         .QueryInterface(Ci.nsIInterfaceRequestor)
         .getInterface(Ci.nsIContentFrameMessageManager)

In a debug build this crashes with an assertion:

Assertion failure: !(clasp->flags & (1<<((8 + 8)+1))), at /Users/dave/mozilla/source/trunk/js/src/jsapi.cpp:2059
#0	0x0000000107f5f47f in JS_NewObjectWithGivenProto(JSContext*, JSClass const*, JS::Handle<JSObject*>) at /Users/dave/mozilla/source/trunk/js/src/jsapi.cpp:2059
#1	0x0000000102742e9f in XPCWrappedNative::Init(XPCNativeScriptableCreateInfo const*) at /Users/dave/mozilla/source/trunk/js/xpconnect/src/XPCWrappedNative.cpp:793
#2	0x00000001027423c4 in XPCWrappedNative::GetNewOrUsed(xpcObjectHelper&, XPCWrappedNativeScope*, XPCNativeInterface*, XPCWrappedNative**) at /Users/dave/mozilla/source/trunk/js/xpconnect/src/XPCWrappedNative.cpp:454
#3	0x00000001026d0074 in XPCConvert::NativeInterface2JSObject(JS::MutableHandle<JS::Value>, nsIXPConnectJSObjectHolder**, xpcObjectHelper&, nsID const*, XPCNativeInterface**, bool, nsresult*) at /Users/dave/mozilla/source/trunk/js/xpconnect/src/XPCConvert.cpp:824
#4	0x00000001026cf6e8 in XPCConvert::NativeData2JS(JS::MutableHandle<JS::Value>, void const*, nsXPTType const&, nsID const*, nsresult*) at /Users/dave/mozilla/source/trunk/js/xpconnect/src/XPCConvert.cpp:342
#5	0x0000000102778f8a in CallMethodHelper::GatherAndConvertResults() at /Users/dave/mozilla/source/trunk/js/xpconnect/src/XPCWrappedNative.cpp:1631
#6	0x000000010276709e in CallMethodHelper::Call() at /Users/dave/mozilla/source/trunk/js/xpconnect/src/XPCWrappedNative.cpp:1426
#7	0x000000010274587e in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) at /Users/dave/mozilla/source/trunk/js/xpconnect/src/XPCWrappedNative.cpp:1382
#8	0x00000001027479bc in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) at /Users/dave/mozilla/source/trunk/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1145
#9	0x000000010788e118 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) at /Users/dave/mozilla/source/trunk/js/src/jscntxtinlines.h:235
#10	0x000000010781cfaf in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) at /Users/dave/mozilla/source/trunk/js/src/vm/Interpreter.cpp:763
#11	0x0000000107837946 in Interpret(JSContext*, js::RunState&) at /Users/dave/mozilla/source/trunk/js/src/vm/Interpreter.cpp:3067
#12	0x0000000107829d44 in js::RunScript(JSContext*, js::RunState&) at /Users/dave/mozilla/source/trunk/js/src/vm/Interpreter.cpp:704
#13	0x000000010781d084 in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) at /Users/dave/mozilla/source/trunk/js/src/vm/Interpreter.cpp:781
#14	0x000000010780177d in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) at /Users/dave/mozilla/source/trunk/js/src/vm/Interpreter.cpp:818
#15	0x0000000108108b9b in js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const at /Users/dave/mozilla/source/trunk/js/src/proxy/DirectProxyHandler.cpp:77
#16	0x00000001081089a4 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const at /Users/dave/mozilla/source/trunk/js/src/proxy/CrossCompartmentWrapper.cpp:289
#17	0x000000010810f271 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) at /Users/dave/mozilla/source/trunk/js/src/proxy/Proxy.cpp:412
#18	0x0000000108110c44 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) at /Users/dave/mozilla/source/trunk/js/src/proxy/Proxy.cpp:718
#19	0x000000010788e118 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) at /Users/dave/mozilla/source/trunk/js/src/jscntxtinlines.h:235
#20	0x000000010781ce7c in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) at /Users/dave/mozilla/source/trunk/js/src/vm/Interpreter.cpp:751
#21	0x000000010780177d in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) at /Users/dave/mozilla/source/trunk/js/src/vm/Interpreter.cpp:818
#22	0x0000000107bb99b1 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) at /Users/dave/mozilla/source/trunk/js/src/jit/BaselineIC.cpp:9361

In non-debug you get back an XPCOM object, but it seems to be broken: any attempts to call sendAsyncMessage or sendSyncMessage (probably others too) just throw NS_ERROR_ILLEGAL_VALUE without actually calling the underlying C++ implementations of those methods.

Attached patch: testcase
This includes a testcase that demonstrates the problem.
Severity: normal → S3