Bug 1264857 (Closed)
Opened 9 years ago, closed 6 years ago
crash in @0x0 | xpc::XrayWrapper<T>::getPrototype
Categories: Core :: DOM: Core & HTML, defect
Status: RESOLVED WONTFIX
Tracking: firefox48 (tracking flag ---, status affected)
People: Reporter: n.nethercote, Unassigned, NeedInfo
Details: Keywords: crash; Whiteboard: btpp-followup-2016-04-29
Crash Data
This bug was filed from the Socorro interface and is
report bp-25e4c7d6-7f76-4686-b78e-868af2160414.
=============================================================
A new crash that showed up for the first time in Nightly 20160414030247. 50 occurrences across 5 installations.
We're trying to execute code at address 0x0. The stack trace looks like this:
> 0 @0x0
> 1 xul.dll xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::DOMXrayTraits>::getPrototype(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>) js/xpconnect/wrappers/XrayWrapper.cpp
> 2 xul.dll js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) js/src/proxy/Proxy.cpp
> 3 xul.dll js::proxy_GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) js/src/proxy/Proxy.cpp
> 4 xul.dll js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) js/src/vm/NativeObject.h
> 5 xul.dll js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) js/src/jsobj.h
> 6 xul.dll js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp
> 7 xul.dll js::jit::DoGetPropFallback js/src/jit/SharedIC.cpp
> 8 @0x1437585c
> 9 @0x14370954
> 10 xul.dll EnterBaseline js/src/jit/BaselineJIT.cpp
Comment 1•9 years ago (Reporter)
I looked at the minidump. Here is the disassembly:
> 2312: if (expando) {
> 668F7315 cmp dword ptr [esp+20h],ebx
> 668F7319 jne `js::irregexp::RegExpEmpty::GetInstance'::`2'::`dynamic atexit destructor for 'instance''+640F1h (66E85D71h)
> 2313: JSAutoCompartment ac(cx, expando);
> 2314: v = JS_GetReservedSlot(expando, JSSLOT_EXPANDO_PROTOTYPE);
> 2315: }
> 2316: if (v.isUndefined())
> 668F731F cmp dword ptr [esp+3Ch],edi
> 668F7323 jne `js::irregexp::RegExpEmpty::GetInstance'::`2'::`dynamic atexit destructor for 'instance''+64125h (66E85DA5h)
> 2317:
> 668F7329 push dword ptr [protop]
> 668F732C lea eax,[esp+30h]
> 668F7330 mov ecx,esi
> 668F7332 push eax
> 668F7333 call mozilla::dom::XrayGetNativeProto (66AEC926h)
> 668F7338 pop ecx
> 2318: return getPrototypeHelper(cx, wrapper, target, protop);
> 2319:
The cursor points to the "pop ecx" near the end, which I think means the crash occurred on the "call" just prior. I'm not sure how XrayGetNativeProto() gets in there -- perhaps the getPrototypeHelper() call somehow invokes that indirectly and inlining makes it appear directly?
Comment 2•9 years ago (Reporter)
bz, efaust: any ideas? I have no idea what recent change might have caused this. 50 crashes in a single build is a pretty sizeable spike for Nightly.
Flags: needinfo?(efaustbmo)
Flags: needinfo?(bzbarsky)
Comment 3•9 years ago
> I'm not sure how XrayGetNativeProto() gets in there
It's called by DOMXrayTraits::getPrototype which is indeed called by getPrototypeHelper when our Traits is DOMXrayTraits as in this case.
What's not clear to me is what exactly we're crashing on... Is this really a null-deref or is breakpad lying to us?
Flags: needinfo?(bzbarsky)
Comment 4•9 years ago (Reporter)
> What's not clear to me is what exactly we're crashing on... Is this really a
> null-deref or is breakpad lying to us?
Every crash is an EXCEPTION_ACCESS_VIOLATION_EXEC with a crash address of 0x0, and 0x0 appears in the stack trace as well, so I'm inclined to believe we're trying to execute at 0x0.
Up to 85 crashes now.
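As an added example (not code from the bug report or from Mozilla), the two triage inferences made in comment 1 and comment 4, written out as a small Python helper that runs over the frames and the disassembly quoted above. It assumes Socorro's plain "N module symbol file" frame layout and a debugger listing whose instruction lines begin with an eight-digit hex address; the first-page heuristic in classify_crash is a general triage rule of thumb, not something the report states.

```python
import re

# Constructed sample input: the first three frames quoted in the report.
STACK = """\
0 @0x0
1 xul.dll xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::DOMXrayTraits>::getPrototype(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>) js/xpconnect/wrappers/XrayWrapper.cpp
2 xul.dll js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) js/src/proxy/Proxy.cpp
"""

# Constructed sample: the tail of the disassembly listing from comment 1,
# with source lines ("2317:") interleaved the way the debugger prints them.
DISASM = """\
2317:
668F7329 push dword ptr [protop]
668F732C lea eax,[esp+30h]
668F7330 mov ecx,esi
668F7332 push eax
668F7333 call mozilla::dom::XrayGetNativeProto (66AEC926h)
668F7338 pop ecx
2318: return getPrototypeHelper(cx, wrapper, target, protop);
"""

BARE_ADDR_RE = re.compile(r"@0x([0-9A-Fa-f]+)")
INSN_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+(\S+)\s*(.*?)\s*$")


def parse_frames(text):
    """Parse Socorro-style frames: 'N module symbol file' or 'N @0xADDR'.
    A frame with no module name is a raw address breakpad could not
    symbolize; frame 0 being a bare 0x0 means the faulting PC was null."""
    frames = []
    for line in text.splitlines():
        line = line.lstrip("> ").strip()
        if not line:
            continue
        index, _, rest = line.partition(" ")
        bare = BARE_ADDR_RE.fullmatch(rest)
        if bare:
            frames.append({"index": int(index), "module": None,
                           "symbol": None, "address": int(bare.group(1), 16)})
        else:
            module, _, symbol = rest.partition(" ")
            frames.append({"index": int(index), "module": module,
                           "symbol": symbol, "address": None})
    return frames


def classify_crash(reason, crash_address, frames):
    """Comment 4's inference: an *_EXEC access violation at address 0 whose
    innermost frame is a bare 0x0 is a call/jump through a null function
    pointer, a different bug class from reading through a null data pointer."""
    top = frames[0] if frames else None
    if (reason == "EXCEPTION_ACCESS_VIOLATION_EXEC" and crash_address == 0
            and top is not None and top["module"] is None and top["address"] == 0):
        return "execute-at-null"
    # Common triage heuristic (assumption, not from the report): a READ/WRITE
    # fault inside the first page is a null pointer plus a small field offset.
    if reason.startswith("EXCEPTION_ACCESS_VIOLATION") and crash_address < 0x1000:
        return "null-deref"
    return "other"


def call_before_return(disasm, return_address):
    """Comment 1's inference: a debugger cursor on the instruction *after* a
    call is the return address that call pushed, so the fault happened in the
    callee. Returns (address, operands) of the nearest preceding call."""
    insns = []
    for line in disasm.splitlines():
        m = INSN_RE.match(line.lstrip("> "))
        if m:
            insns.append((int(m.group(1), 16), m.group(2), m.group(3)))
    for i, (addr, _mnemonic, _operands) in enumerate(insns):
        if addr == return_address:
            for prev_addr, prev_mnemonic, prev_operands in reversed(insns[:i]):
                if prev_mnemonic == "call":
                    return f"{prev_addr:08X}", prev_operands
            return None  # top of the listing reached without seeing a call
    return None  # the return address is not in this listing


if __name__ == "__main__":
    frames = parse_frames(STACK)
    print(classify_crash("EXCEPTION_ACCESS_VIOLATION_EXEC", 0x0, frames))
    print(call_before_return(DISASM, 0x668F7338))
```

Run stand-alone it reports "execute-at-null" for the report's exception data and identifies the call to mozilla::dom::XrayGetNativeProto at 668F7333 as the instruction that transferred control to the null target, which is the same reading comment 1 gives of the "pop ecx" cursor position.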
Updated•8 years ago
Whiteboard: btpp-followup-2016-04-29
Comment 5•6 years ago
Closing because no crashes reported for 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Updated•6 years ago
Component: DOM → DOM: Core & HTML