Crash in [@ mozilla::dom::XULElement_Binding::Wrap]
Categories
(Core :: DOM: Bindings (WebIDL), defect)
People
(Reporter: wsmwk, Unassigned, NeedInfo)
Details
(Keywords: crash)
Crash Data
(not my crash - just wandering crash-stats)
Crash report: https://crash-stats.mozilla.org/report/index/2cada655-57df-444f-8ac2-71fcf0210228
Reason: EXCEPTION_ACCESS_VIOLATION_READ
Top 10 frames of crashing thread:
0 xul.dll mozilla::dom::XULElement_Binding::Wrap dom/bindings/XULElementBinding.cpp:9936
1 xul.dll nsXULElement::WrapNode dom/xul/nsXULElement.cpp:1187
2 xul.dll nsINode::WrapObject dom/base/nsINode.cpp:2990
3 xul.dll mozilla::dom::MouseEvent_Binding::get_relatedTarget dom/bindings/MouseEventBinding.cpp:828
4 xul.dll mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> dom/bindings/BindingUtils.cpp:3113
5 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:594
6 xul.dll JS::Call js/src/jsapi.cpp:2861
7 xul.dll xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::DOMXrayTraits>::get const js/xpconnect/wrappers/XrayWrapper.cpp:2076
8 xul.dll static js::Proxy::get js/src/proxy/Proxy.cpp:480
9 xul.dll static js::Proxy::get js/src/proxy/Proxy.cpp:480
Updated•3 years ago
Comment 1•2 years ago
The more complete stack trace at https://crash-stats.mozilla.org/report/index/155ad936-b86f-4470-a1e8-001180220126 suggests this is an attempt to get the relatedTarget from a mouse event in a child process.
Moving to events at least.
Comment 2•2 years ago
0 libxul.so dom::XULElement_Binding::Wrap(JSContext*, nsXULElement*, nsWrapperCache*, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>)
1 libxul.so nsXULElement::WrapNode(JSContext*, JS::Handle<JSObject*>) dom/xul/dom/xul/nsXULElement.cpp:1193
2 libxul.so nsINode::WrapObject(JSContext*, JS::Handle<JSObject*>)
3 libxul.so dom::MouseEvent_Binding::get_relatedTarget(JSContext*, JS::Handle<JSObject*>, void*, JSJitGetterCallArgs)
4 libxul.so bool dom::binding_detail::GenericGetter<dom::binding_detail::NormalThisPolicy, dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) dom/bindings/dom/bindings/BindingUtils.cpp:3179
5 libxul.so js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)
6 libxul.so js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) js/src/js/src/vm/Interpreter.cpp:588
7 libxul.so JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)
8 libxul.so xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::DOMXrayTraits>::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) const js/xpconnect/wrappers/js/xpconnect/wrappers/XrayWrapper.cpp:2069
9 libxul.so js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>)
10 libxul.so js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>)
11 libxul.so js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>)
12 libxul.so js::jit::DoGetPropFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) js/src/jit/js/src/jit/BaselineIC.cpp:1233
Ø 13 None @0x00000da393076603
Ø 14 None @0x00000da39307056e
15 libxul.so EnterJit(JSContext*, js::RunState&, unsigned char*)
16 libxul.so Interpret(JSContext*, js::RunState&)
17 libxul.so js::RunScript(JSContext*, js::RunState&)
18 libxul.so js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)
19 libxul.so js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) js/src/js/src/vm/Interpreter.cpp:588
20 libxul.so JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)
21 libxul.so dom::EventListener::HandleEvent(dom::BindingCallContext&, JS::Handle<JS::Value>, dom::Event&, ErrorResult&)
22 libxul.so EventListenerManager::HandleEventSubType(EventListenerManager::Listener*, dom::Event*, dom::EventTarget*) dom/events/dom/events/EventListenerManager.cpp:1109
23 libxul.so EventListenerManager::HandleEventInternal(nsPresContext*, WidgetEvent*, dom::Event**, dom::EventTarget*, nsEventStatus*, bool)
24 libxul.so EventTargetChainItem::HandleEvent(EventChainPostVisitor&, ELMCreationDetector&) dom/events/dom/events/EventDispatcher.cpp:318
25 libxul.so EventTargetChainItem::HandleEventTargetChain(nsTArray<EventTargetChainItem>&, EventChainPostVisitor&, EventDispatchingCallback*, ELMCreationDetector&)
26 libxul.so EventDispatcher::Dispatch(nsISupports*, nsPresContext*, WidgetEvent*, dom::Event*, nsEventStatus*, EventDispatchingCallback*, nsTArray<dom::EventTarget*>*)
27 libxul.so EventStateManager::DispatchMouseOrPointerEvent(WidgetMouseEvent*, EventMessage, nsIContent*, nsIContent*) dom/events/dom/events/EventStateManager.cpp:4412
28 libxul.so EventStateManager::NotifyMouseOut(WidgetMouseEvent*, nsIContent*)
29 libxul.so EventStateManager::NotifyMouseOver(WidgetMouseEvent*, nsIContent*)
30 libxul.so EventStateManager::GenerateMouseEnterExit(WidgetMouseEvent*) dom/events/dom/events/EventStateManager.cpp:4767
31 libxul.so EventStateManager::PreHandleEvent(nsPresContext*, WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) dom/events/dom/events/EventStateManager.cpp:761
32 libxul.so PresShell::EventHandler::DispatchEvent(EventStateManager*, WidgetEvent*, bool, nsEventStatus*, nsIContent*) layout/base/layout/base/PresShell.cpp:8208
33 libxul.so PresShell::EventHandler::HandleEventWithCurrentEventInfo(WidgetEvent*, nsEventStatus*, bool, nsIContent*) layout/base/layout/base/PresShell.cpp:8177
34 libxul.so PresShell::EventHandler::HandleEventUsingCoordinates(nsIFrame*, WidgetGUIEvent*, nsEventStatus*, bool) layout/base/layout/base/PresShell.cpp:7095
35 libxul.so PresShell::HandleEvent(nsIFrame*, WidgetGUIEvent*, bool, nsEventStatus*) layout/base/layout/base/PresShell.cpp:6841
36 libxul.so nsViewManager::DispatchEvent(WidgetGUIEvent*, nsView*, nsEventStatus*)
37 libxul.so nsView::HandleEvent(WidgetGUIEvent*, bool) view/view/nsView.cpp:1136
38 libxul.so widget::PuppetWidget::DispatchEvent(WidgetGUIEvent*, nsEventStatus&) widget/widget/PuppetWidget.cpp:377
39 libxul.so layers::APZCCallbackHelper::DispatchWidgetEvent(WidgetGUIEvent&) gfx/layers/gfx/layers/apz/util/APZCCallbackHelper.cpp:508
40 libxul.so dom::BrowserChild::HandleRealMouseButtonEvent(WidgetMouseEvent const&, layers::ScrollableLayerGuid const&, unsigned long const&) dom/ipc/dom/ipc/BrowserChild.cpp:1757
41 libxul.so dom::BrowserChild::ProcessPendingCoalescedMouseDataAndDispatchEvents() [clone .part.0] dom/ipc/dom/ipc/BrowserChild.cpp:1585
42 libxul.so dom::BrowserChild::RecvRealMouseButtonEvent(WidgetMouseEvent const&, layers::ScrollableLayerGuid const&, unsigned long const&) dom/ipc/dom/ipc/BrowserChild.cpp:1701
43 libxul.so dom::PBrowserChild::OnMessageReceived(IPC::Message const&) ipc/ipdl/PBrowserChild.cpp:5326
44 libxul.so dom::PContentChild::OnMessageReceived(IPC::Message const&) ipc/ipdl/PContentChild.cpp:8340
45 libxul.so ipc::MessageChannel::DispatchAsyncMessage(ipc::ActorLifecycleProxy*, IPC::Message const&)
46 libxul.so ipc::MessageChannel::DispatchMessage(IPC::Message&&)
47 libxul.so ipc::MessageChannel::MessageTask::Run()
48 libxul.so TaskController::DoExecuteNextTaskOnlyMainThreadInternal(detail::BaseAutoLock<Mutex&> const&) xpcom/threads/xpcom/threads/TaskController.cpp:805
49 libxul.so TaskController::ExecuteNextTaskOnlyMainThreadInternal(detail::BaseAutoLock<Mutex&> const&) xpcom/threads/xpcom/threads/TaskController.cpp:641
50 libxul.so TaskController::ProcessPendingMTTask(bool)
51 libxul.so detail::RunnableFunction<TaskController::InitializeInternal()::{lambda()#1}>::Run() xpcom/threads/build-browser/dist/include/nsThreadUtils.h:529
52 libxul.so nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/xpcom/threads/nsThread.cpp:1152
53 libxul.so NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/xpcom/threads/nsThreadUtils.cpp:466
54 libxul.so ipc::MessagePump::Run(base::MessagePump::Delegate*)
55 libxul.so MessageLoop::Run() ipc/chromium/ipc/chromium/src/base/message_loop.cc:306
56 libxul.so nsBaseAppShell::Run() widget/widget/nsBaseAppShell.cpp:137
57 libxul.so XRE_RunAppShell() toolkit/xre/toolkit/xre/nsEmbedFunctions.cpp:923
58 libxul.so MessageLoop::Run() ipc/chromium/ipc/chromium/src/base/message_loop.cc:306
59 libxul.so XRE_InitChildProcess(int, char**, XREChildData const*)
60 firefox-esr content_process_main(Bootstrap*, int, char**) browser/app/ipc/contentproc/plugin-container.cpp:57
61 firefox-esr main
62 libc.so.6 __libc_start_main csu/libc-start.c:332
63 firefox-esr _start
Comment 3•2 years ago
As far as I checked quickly about the storage of related target, it and its original assigners grab it multiple times. And it can be nullptr but this crashes around nullptr. So it seems that this is a bug of bindings??
Updated•2 years ago
Comment 4•2 years ago
webidl side lets the relatedTarget be null.
edgar, does any of the binding side code hint to you what the issue might be?
This isn't very clear to me.