Closed Bug 1264857 Opened 9 years ago Closed 6 years ago

crash in @0x0 | xpc::XrayWrapper<T>::getPrototype

Categories

(Core :: DOM: Core & HTML, defect)

x86
Windows NT
defect
Not set
critical

Tracking


RESOLVED WONTFIX
Tracking Status
firefox48 --- affected

People

(Reporter: n.nethercote, Unassigned, NeedInfo)

Details

(Keywords: crash, Whiteboard: btpp-followup-2016-04-29)

Crash Data

This bug was filed from the Socorro interface and is report bp-25e4c7d6-7f76-4686-b78e-868af2160414.
=============================================================
A new crash that showed up for the first time in Nightly 20160414030247. 50 occurrences across 5 installations.

We're trying to execute code at address 0x0. The stack trace looks like this:

> 0 @0x0
> 1 xul.dll xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::DOMXrayTraits>::getPrototype(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>) js/xpconnect/wrappers/XrayWrapper.cpp
> 2 xul.dll js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) js/src/proxy/Proxy.cpp
> 3 xul.dll js::proxy_GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) js/src/proxy/Proxy.cpp
> 4 xul.dll js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) js/src/vm/NativeObject.h
> 5 xul.dll js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) js/src/jsobj.h
> 6 xul.dll js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp
> 7 xul.dll js::jit::DoGetPropFallback js/src/jit/SharedIC.cpp
> 8 @0x1437585c
> 9 @0x14370954
> 10 xul.dll EnterBaseline js/src/jit/BaselineJIT.cpp
I looked at the minidump. Here is the disassembly:

> 2312: if (expando) {
> 668F7315 cmp dword ptr [esp+20h],ebx
> 668F7319 jne `js::irregexp::RegExpEmpty::GetInstance'::`2'::`dynamic atexit destructor for 'instance''+640F1h (66E85D71h)
> 2313: JSAutoCompartment ac(cx, expando);
> 2314: v = JS_GetReservedSlot(expando, JSSLOT_EXPANDO_PROTOTYPE);
> 2315: }
> 2316: if (v.isUndefined())
> 668F731F cmp dword ptr [esp+3Ch],edi
> 668F7323 jne `js::irregexp::RegExpEmpty::GetInstance'::`2'::`dynamic atexit destructor for 'instance''+64125h (66E85DA5h)
> 2317:
> 668F7329 push dword ptr [protop]
> 668F732C lea eax,[esp+30h]
> 668F7330 mov ecx,esi
> 668F7332 push eax
> 668F7333 call mozilla::dom::XrayGetNativeProto (66AEC926h)
> 668F7338 pop ecx
> 2318: return getPrototypeHelper(cx, wrapper, target, protop);
> 2319:

The cursor points to the "pop ecx" near the end, which I think means the crash occurred on the "call" just prior. I'm not sure how XrayGetNativeProto() gets in there -- perhaps the getPrototypeHelper() call somehow invokes that indirectly and inlining makes it appear directly?
bz, efaust: any ideas? I have no idea what recent change might have caused this. 50 crashes in a single build is a pretty sizeable spike for Nightly.
Flags: needinfo?(efaustbmo)
Flags: needinfo?(bzbarsky)
> I'm not sure how XrayGetNativeProto() gets in there

It's called by DOMXrayTraits::getPrototype which is indeed called by getPrototypeHelper when our Traits is DOMXrayTraits as in this case.

What's not clear to me is what exactly we're crashing on... Is this really a null-deref or is breakpad lying to us?
Flags: needinfo?(bzbarsky)
> What's not clear to me is what exactly we're crashing on... Is this really a
> null-deref or is breakpad lying to us?

Every crash is an EXCEPTION_ACCESS_VIOLATION_EXEC with a crash address of 0x0, and 0x0 appears in the stack trace as well, so I'm inclined to believe we're trying to execute at 0x0.

Up to 85 crashes now.
Whiteboard: btpp-followup-2016-04-29
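The triage reasoning in the comments above (an EXCEPTION_ACCESS_VIOLATION_EXEC with crash address 0x0 and "@0x0" as frame 0 means an indirect call through a null pointer, and the code worth reading is the caller in frame 1, just before the return address) as an added helper that parses Socorro-style frame lines and applies that rule. This is example code, not from the bug or the Mozilla tree; the frame-line format, the function names and the shortened sample trace are assumptions modelled on comment 0.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the trace quoted in comment 0 (first frames only),
# in the report's own "N module function file" form.
SAMPLE_TRACE = """\
0 @0x0
1 xul.dll xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::DOMXrayTraits>::getPrototype(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>) js/xpconnect/wrappers/XrayWrapper.cpp
2 xul.dll js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) js/src/proxy/Proxy.cpp
3 @0x1437585c
"""

FRAME_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+(.*\S))?\s*$")


@dataclass
class Frame:
    index: int
    module: Optional[str]    # None for an unsymbolized "@0xADDR" frame
    function: Optional[str]
    source: Optional[str]
    address: Optional[int]   # only set for unsymbolized frames


def parse_frame(line: str) -> Optional[Frame]:
    m = FRAME_RE.match(line)
    if not m:
        return None
    idx, first, rest = int(m.group(1)), m.group(2), m.group(3)
    if first.startswith("@0x"):
        return Frame(idx, None, None, None, int(first[1:], 16))
    # The function signature may contain spaces; the source path is the last token.
    func, _, src = rest.rpartition(" ") if rest else ("", "", "")
    return Frame(idx, first, func or rest, src or None, None)


def parse_trace(text: str) -> List[Frame]:
    return [f for f in (parse_frame(l) for l in text.splitlines()) if f]


def classify(reason: str, crash_address: int, frames: List[Frame]) -> Tuple[str, Optional[Frame]]:
    """Label the crash and return the frame whose code should be read first."""
    if (reason == "EXCEPTION_ACCESS_VIOLATION_EXEC" and crash_address == 0
            and frames and frames[0].address == 0):
        # The CPU fetched an instruction from 0x0: an indirect call (function pointer,
        # vtable slot) through null. Frame 0 is the bogus target; frame 1 is the return
        # address the call pushed, so the faulting "call" sits just before frame 1's PC.
        return "null-function-pointer-call", frames[1] if len(frames) > 1 else None
    if reason.startswith("EXCEPTION_ACCESS_VIOLATION"):
        return "data-access-violation", frames[0] if frames else None
    return "other", frames[0] if frames else None
```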

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Component: DOM → DOM: Core & HTML