Closed
Bug 1428515
Opened 6 years ago
Closed 6 years ago
Intermittent dom/plugins/test/mochitest/test_npruntime_identifiers.html | application crashed [@ JS::ExposeObjectToActiveJS]
Categories
(Core Graveyard :: Plug-ins, defect, P5)
Core Graveyard
Plug-ins
Tracking
(firefox-esr52 unaffected, firefox57 wontfix, firefox58 wontfix, firefox59 fixed)
RESOLVED
FIXED
mozilla59
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox57 | --- | wontfix |
| firefox58 | --- | wontfix |
| firefox59 | --- | fixed |
People
(Reporter: intermittent-bug-filer, Assigned: jonco)
References
Details
(Keywords: crash, intermittent-failure)
Crash Data
Attachments
(1 file)
|
2.49 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
Filed by: aiakab [at] mozilla.com https://treeherder.mozilla.org/logviewer.html#?job_id=154500293&repo=mozilla-central https://queue.taskcluster.net/v1/task/OFts-8rzQXiq_EW7r5eSJg/runs/0/artifacts/public/logs/live_backing.log
| Comment hidden (Intermittent Failures Robot) |
|
Assignee | |
Comment 2•6 years ago
|
||
nsJSNPRuntime::OnPluginDestroy() seems to be accessing an object that is about to be finalized.
|
|
Assignee | |
Comment 3•6 years ago
|
||
This was caused by the incremental finalisation of foreground finalised objects in bug 1352430. The sNPObjWrappers table can contain entries for dead JSObjects that have not yet been finalised. We need to take care not to trigger mJSObj's read barrier for such entries since that will attempt to expose the object to JS and cause this assertion. The patch does this by calling unbarrieredGetPtr() which avoids the barrier. Note converting a TenuredHeap to bool and testing equality against a pointer don't trigger the barrier.
Assignee: nobody → jcoppeard
Attachment #8941889 -
Flags: review?(bzbarsky)
|
||
Comment 4•6 years ago
|
||
It looks like this was previously filed as bug 1425751.
Blocks: 1425751
status-firefox57:
--- → wontfix
status-firefox58:
--- → affected
status-firefox59:
--- → affected
status-firefox-esr52:
--- → unaffected
|
||
Comment 5•6 years ago
|
||
Comment on attachment 8941889 [details] [diff] [review] bug1428515-plugin-wrappers Most of comment 3 should be in the commit message here. r=me with that.
Attachment #8941889 -
Flags: review?(bzbarsky) → review+
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/d119babafa27 Check for dying JSObjects when accessing plugin wrapper table r=bz
|
||
Comment 7•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/d119babafa27
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
| Comment hidden (Intermittent Failures Robot) |
|
||
Comment 9•6 years ago
|
||
Too late for 58, unfortunately.
|
||
Updated•2 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•