Closed Bug 1305236 Opened 8 years ago Closed 8 years ago

Crash in mozilla::dom::exceptions::JSStackFrame::GetNativeSavedFrame

Categories

(Core :: DOM: Core & HTML, defect)

50 Branch
x86
Windows
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla52
Tracking Status
firefox49 --- affected
firefox50 --- fixed
firefox51 --- fixed
firefox52 --- fixed

People

(Reporter: philipp, Assigned: jonco)

Details

(Keywords: crash, regression)

Attachments

(1 file)

This bug was filed from the Socorro interface and is 
report bp-a7483e91-d869-40e2-bb08-74c5c2160923.
=============================================================
Crashing Thread (0)
Frame 	Module 	Signature 	Source
0 	xul.dll 	mozilla::dom::exceptions::JSStackFrame::GetNativeSavedFrame(JS::MutableHandle<JS::Value>) 	dom/bindings/Exceptions.cpp:642
1 	xul.dll 	nsXPCComponents_Utils::CallFunctionWithAsyncStack(JS::Handle<JS::Value>, nsIStackFrame*, nsAString_internal const&, JSContext*, JS::MutableHandle<JS::Value>) 	js/xpconnect/src/XPCComponents.cpp:2702
2 	xul.dll 	NS_InvokeByIndex 	xpcom/reflect/xptcall/md/win32/xptcinvoke_asm_x86_msvc.asm:54
3 	xul.dll 	XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) 	js/xpconnect/src/XPCWrappedNative.cpp:1361
4 	xul.dll 	XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1128
5 	xul.dll 	js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp:453
6 	xul.dll 	InternalCall 	js/src/vm/Interpreter.cpp:498
7 	xul.dll 	FinalizeArenas 	js/src/jsgc.cpp:542
8 	xul.dll 	JS::CallbackTracer::onObjectEdge(JSObject**) 	obj-firefox/dist/include/js/TracingAPI.h:141
9 	xul.dll 	DoCallback<JSObject*>(JS::CallbackTracer*, JSObject**, char const*) 	js/src/gc/Tracer.cpp:51
10 	xul.dll 	js::TraceManuallyBarrieredEdge<JSObject*>(JSTracer*, JSObject**, char const*) 	js/src/gc/Marking.cpp:443
11 	xul.dll 	JSFunction::trace(JSTracer*) 	js/src/jsfun.cpp:773
12 	xul.dll 	fun_trace 	js/src/jsfun.cpp:780
13 	xul.dll 	JSObject::traceChildren(JSTracer*) 	js/src/jsobj.cpp:3883
14 	xul.dll 	JS::DispatchTraceKindTyped<TraceChildrenFunctor, JSTracer*&, void*&>(TraceChildrenFunctor, JS::TraceKind, JSTracer*&, void*&) 	obj-firefox/dist/include/js/TraceKind.h:182
15 	xul.dll 	js::TraceChildren(JSTracer*, void*, JS::TraceKind) 	js/src/gc/Tracer.cpp:126
16 	xul.dll 	UnmarkGrayTracer::onChild(JS::GCCellPtr const&) 	js/src/gc/Marking.cpp:2748
17 	xul.dll 	js::DispatchTyped<DoCallbackFunctor<JS::Value>, JS::CallbackTracer*&, char const*&>(DoCallbackFunctor<JS::Value>, JS::Value const&, JS::CallbackTracer*&, char const*&) 	obj-firefox/dist/include/js/Value.h:1914
18 	xul.dll 	DispatchToTracer<JS::Value>(JSTracer*, JS::Value*, char const*) 	js/src/gc/Marking.cpp:655

This crash seems to be regressing in numbers since Firefox 50 builds and is occurring in a codepath added in bug 1291928.
In early crash data from 50.0b1 this is making up 0.35% of all browser crashes.
(In reply to [:philipp] from comment #0)
>
> This crash seems to be regressing in numbers since Firefox 50 builds and is
> occurring in a codepath added in bug 1291928.
> In early crash data from 50.0b1 this is making up 0.35% of all browser
> crashes.

This seems a regression from bug 1291928, could you please take a look? Thanks!
Flags: needinfo?(terrence.d.cole)
Flags: needinfo?(jcoppeard)
It seems like we're just missing a null check.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8795289 - Flags: review?(bugs)
Attachment #8795289 - Flags: review?(bugs) → review+
We need this on Aurora too?
I think Beta as well: we've uplifted since we put bug 1291928 on Aurora.
Flags: needinfo?(terrence.d.cole)
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/955340c5cf9e
Don't call ExposeObjectToActiveJS on null pointer r=smaug
https://hg.mozilla.org/mozilla-central/rev/955340c5cf9e
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
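
The failure pattern named in the commit message, as an added example that is not Mozilla's code or the attached patch: a simplified C++ model in which a barrier that reads an object's header is applied to an optional pointer, shown beside the guarded form. `Cell`, `exposeToActive` and `StackFrameHolder` are hypothetical names, and that the stored stack is null when none was captured is an assumption.

```cpp
#include <cstdio>

// Simplified model, not SpiderMonkey code: a GC cell whose header holds a mark colour.
struct Cell {
    bool gray;  // true = marked gray; must be unmarked before active code uses it
};

static int barrierCalls = 0;

// Stand-in for a read barrier such as ExposeObjectToActiveJS.
// Precondition: cell is non-null, because the barrier reads the cell header.
void exposeToActive(Cell* cell) {
    ++barrierCalls;
    if (cell->gray) {
        cell->gray = false;
    }
}

// Hypothetical holder for a saved stack (assumption: null when none was captured).
struct StackFrameHolder {
    Cell* stack;

    // "Before" shape: barrier applied unconditionally, so a null stack is dereferenced.
    Cell* getSavedFrameUnchecked() {
        exposeToActive(stack);
        return stack;
    }

    // "After" shape: skip the barrier for null and hand null back to the caller.
    Cell* getSavedFrame() {
        if (stack) {
            exposeToActive(stack);
        }
        return stack;
    }
};

int main() {
    Cell cell{true};
    StackFrameHolder withStack{&cell};
    StackFrameHolder empty{nullptr};
    std::printf("non-null: gray after getter = %d\n", withStack.getSavedFrame()->gray);
    std::printf("null: getter returned %p\n", static_cast<void*>(empty.getSavedFrame()));
    return 0;
}
```

`getSavedFrameUnchecked` is only safe to call on a holder whose `stack` is set; the guarded getter accepts both cases.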
Comment on attachment 8795289 [details] [diff] [review]
bug1305236-expose-crash

Approval Request Comment
[Feature/regressing bug #]: Bug 1291928.
[User impact if declined]: Possible crashes.
[Describe test coverage new/current, TreeHerder]: On m-c since 30th September.
[Risks and why]: Low
[String/UUID change made/needed]: None
Attachment #8795289 - Flags: approval-mozilla-beta?
Attachment #8795289 - Flags: approval-mozilla-aurora?
Comment on attachment 8795289 [details] [diff] [review]
bug1305236-expose-crash

Fixes a top crash on Beta50, Nightly52 doesn't show this crash report since the fix landed so that's good, Aurora51+, Beta50+
Attachment #8795289 - Flags: approval-mozilla-beta?
Attachment #8795289 - Flags: approval-mozilla-beta+
Attachment #8795289 - Flags: approval-mozilla-aurora?
Attachment #8795289 - Flags: approval-mozilla-aurora+
Crash volume for signature 'mozilla::dom::exceptions::JSStackFrame::GetNativeSavedFrame':
 - nightly (version 52): 1 crash from 2016-09-19.
 - aurora  (version 51): 9 crashes from 2016-09-19.
 - beta    (version 50): 1116 crashes from 2016-09-20.
 - release (version 49): 1 crash from 2016-09-05.
 - esr     (version 45): 0 crashes from 2016-07-25.

Crash volume on the last weeks (Week N is from 10-17 to 10-23):
            W. N-1  W. N-2  W. N-3  W. N-4
 - nightly       0       0       0       1
 - aurora        0       4       2       2
 - beta         44     495     490      78
 - release       0       1       0       0
 - esr           0       0       0       0

Affected platform: Windows

Crash rank on the last 7 days:
           Browser     Content   Plugin
 - nightly
 - aurora  #1688
 - beta    #446
 - release
 - esr