Closed Bug 1449794 Opened 4 years ago Closed 2 years ago

Crash in js::AssertObjectIsSavedFrameOrWrapper

Categories

(DevTools :: Debugger, defect, P3)

Unspecified
Windows 10
defect

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: bkelly, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is
report bp-a6b88944-1758-4ee4-a0ec-2b71d0180329.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll js::AssertObjectIsSavedFrameOrWrapper js/src/vm/SavedStacks-inl.h:26
1 xul.dll js::ErrorObject::create js/src/vm/ErrorObject.cpp:93
2 xul.dll js::CopyErrorObject js/src/jsexn.cpp:1080
3 xul.dll js::ErrorCopier::~ErrorCopier js/src/proxy/Wrapper.cpp:459
4 xul.dll js::DebuggerObject::getOwnPropertyNames js/src/vm/Debugger.cpp:10377
5 xul.dll js::DebuggerObject::getOwnPropertyNamesMethod js/src/vm/Debugger.cpp:9477
6 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:468
7 xul.dll js::ForwardingProxyHandler::call js/src/proxy/Wrapper.cpp:176
8 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:450
9 xul.dll js::jit::DoCallFallback js/src/jit/BaselineIC.cpp:2380

=============================================================
I have a user who reports that they can reproduce this:

Addon code that I've been using to trigger it: https://github.com/jamesgecko/tab-rasa/tree/crash

- Have pause-on-break turned on in the debugger. Open the extension popup, click outside to close it, then open the extension again. The debugger crashes a few seconds later.
- The addon is copying objects from the popup context to the background context. The crash may be related to dead object refs.

Kris, do you know who should look at this?
Flags: needinfo?(kmaglione+bmo)
So, at the moment, if you try to wrap an object for a nuked compartment, we treat it as a success, but return a dead wrapper. It looks like what that ErrorCopier is doing is taking the stack from an Error object, trying to wrap it for the nuked popup window compartment it's stopped in, getting a dead wrapper, and passing that dead wrapper as the stack for a new error object.

I'm not really sure what the best solution for that problem is... Probably ideally something like bailing out sooner if we're stopped in a nuked compartment. But possibly we shouldn't nuke a compartment the debugger is paused in, or possibly the error copier should check for dead wrappers there.
Flags: needinfo?(kmaglione+bmo)
Component: WebExtensions: Developer Tools → Developer Tools: Debugger
Product: Toolkit → Firefox
Priority: -- → P3
Product: Firefox → DevTools

Brian, I'm curious what you think of this?

Flags: needinfo?(bhackett1024)
Blocks: dbg-api

I don't have a great understanding of this code, but it seems like this immediate error could be handled in ErrorObject::create by just ignoring the stack argument if it is a dead wrapper.

Flags: needinfo?(bhackett1024)
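
Added example, not part of the bug thread and not SpiderMonkey code: a self-contained C++ model of the failure described above (a wrap into a nuked compartment reports success but yields a dead wrapper, which is then passed on as an error's stack) next to the suggested fix of ignoring a dead-wrapper stack. Every type and function name in it (`wrap`, `isDeadWrapper`, `createErrorStrict`, `createErrorTolerant`, `copyError`) is hypothetical, and the exception stands in for the assertion at the top of the crashing stack.

```cpp
// Toy model only: all names are hypothetical, none are SpiderMonkey APIs.
#include <memory>
#include <stdexcept>
#include <utility>

enum class Kind { SavedFrame, DeadWrapper };
struct Object { Kind kind; };
using ObjectPtr = std::shared_ptr<Object>;

struct Compartment { bool nuked = false; };
struct ModelError { ObjectPtr stack; };

// Models the behaviour described in the thread: wrapping for a nuked
// compartment is treated as a success but hands back a dead wrapper.
bool wrap(const Compartment& target, ObjectPtr& obj) {
    if (target.nuked)
        obj = std::make_shared<Object>(Object{Kind::DeadWrapper});
    return true;  // "success" either way, so callers cannot tell from this
}

bool isDeadWrapper(const ObjectPtr& obj) {
    return obj && obj->kind == Kind::DeadWrapper;
}

// Strict creation: the stack must be null or a saved frame.
// The exception stands in for the failed assertion.
ModelError createErrorStrict(ObjectPtr stack) {
    if (stack && stack->kind != Kind::SavedFrame)
        throw std::logic_error("stack is not a saved frame");
    return ModelError{std::move(stack)};
}

// Tolerant creation: ignore the stack argument if it is a dead wrapper.
ModelError createErrorTolerant(ObjectPtr stack) {
    if (isDeadWrapper(stack))
        stack = nullptr;  // the error survives, only its stack is dropped
    return createErrorStrict(std::move(stack));
}

// Copy an error into `target`: the step where the dead wrapper appears.
ModelError copyError(const ModelError& src, const Compartment& target,
                     bool tolerant) {
    ObjectPtr stack = src.stack;
    if (!wrap(target, stack))
        throw std::runtime_error("wrap failed");
    return tolerant ? createErrorTolerant(stack) : createErrorStrict(stack);
}
```

In this model the unchecked path fails only when the target compartment is nuked, while the tolerant path returns an error with no stack.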

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME