Closed Bug 1276353 Opened 8 years ago Closed 8 years ago

Crashes in mozilla::jsipc::DOMInstanceOf

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
Windows 10
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla49
Tracking Flags:
Tracking Status
firefox49 --- fixed

People

(Reporter: dbaron, Assigned: billm)

Details

(Keywords: crash, topcrash)

Crash Data

Attachments

(1 file)

patch
942 bytes, patch
mrbkap
: review+
Details | Diff | Splinter Review 
This bug was filed from the Socorro interface and is 
report bp-abca1cad-d5e0-4fab-b17c-8fba32160527.
=============================================================

There have been crashes with signature mozilla::jsipc::DOMInstanceOf in the May 25 and May 26 nightlies.  They seem to be across a bunch of users, though each user seems to be crashing multiple times.  They're all on 32-bit Windows, which is actually unusual for nightly, and they all have a crash address of 0x8, which means a null dereference.

Query:
https://crash-stats.mozilla.com/signature/?product=Firefox&release_channel=nightly&date=%3E%3D2016-05-01&signature=mozilla%3A%3Ajsipc%3A%3ADOMInstanceOf
Any idea where I should direct this?  I don't see obvious code changes in this area recently.
Flags: needinfo?(bzbarsky)
Somewhat suspicious that all of the crashes were in an 11 minute window (2016-05-27 02:28 to 02:39, UTC), even though from multiple users.
Er, actually, I don't think it's multiple users.  It looks like a single user who crashed twice, updated nightly, and then crashed 11 more times.  I think I was confusing things with the previous crash I looked at.

So maybe not something we should worry about at this stage.
It's hard to say where inside the FORWARD macro we're crashing here, but presumably either proxy or OwnerOf(proxy) is null.

"proxy" comes from dom::InterfaceHasInstance, but that code hasn't changed since Firefox 33 either.

The other weird thing here is that the caller in InterfaceHasInstance is conditioned on IsWrappedCPOW and then does a CheckedUnwrap to get the "proxy".  IsWrappedCPOW used to do a CheckedUnwrap as well, and return false if that returned null.  But it was changed to an UncheckedUnwrap in bug 1057601... in Firefox 34.

My best bet is that for some reason we started having security wrappers around CPOWs that in fact _can't_ be unwrapped by CheckedUnwrap coming through this code, triggering the latent bug with a null "proxy".  But I'm not sure where that change would have been, and I'm not sure that matters.

Bill, what should dom::InterfaceHasInstance be doing when CheckedUnwrap on instance fails?  Should it just return false, or should it be doing an UncheckedUnwrap?

It's also possible, I guess, that OwnerOf(proxy) started returning null.  That seems less likely to me.
Flags: needinfo?(bzbarsky) → needinfo?(wmccloskey)
Attached patch patchSplinter Review 
I guess I missed this callsite in bug 1057601. We should be using UncheckedUnwrap here.
Flags: needinfo?(wmccloskey)
Attachment #8757507 - Flags: review?(mrbkap)
Assignee: nobody → wmccloskey
Attachment #8757507 - Flags: review?(mrbkap) → review+
https://hg.mozilla.org/mozilla-central/rev/577123ff73d3
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox49: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: