Crash in [@ nsWrapperCache::GetWrapperMaybeDead] with Element_Binding::get_classList()
Categories
(Core :: JavaScript Engine: JIT, defect, P1)
Tracking
()
People
(Reporter: aryx, Assigned: jandem)
References
(Blocks 1 open bug)
Details
(Keywords: crash, topcrash)
Crash Data
Crash volume for versions 109.0.x quadrupled compare to 108.0.x and 107.0.x to ~400 crashes in the database. No reports for 102esr.
A crash with the same signature had been fixed in bug 1515463.
Many other crashes have corrupted stacks, e.g. bp-11335e7f-d486-47c0-9bf1-4bdfc0230215
Crash report: https://crash-stats.mozilla.org/report/index/2a1fbad1-2989-4ad7-aa2b-83f5f0230215
Reason: EXCEPTION_ACCESS_VIOLATION_READ
Top 10 frames of crashing thread:
0 xul.dll nsWrapperCache::GetWrapperMaybeDead const dom/base/nsWrapperCache.h:133
0 xul.dll nsWrapperCache::GetWrapperPreserveColor const dom/base/nsWrapperCacheInlines.h:15
0 xul.dll nsWrapperCache::GetWrapper const dom/base/nsWrapperCacheInlines.h:28
1 xul.dll mozilla::dom::XULCommandEvent_Binding::Wrap dom/bindings/XULCommandEventBinding.cpp:727
2 xul.dll mozilla::dom::XULCommandEvent_Binding::Wrap dist/include/mozilla/dom/XULCommandEventBinding.h:39
2 xul.dll mozilla::dom::XULCommandEvent::WrapObjectInternal dom/events/XULCommandEvent.h:28
3 xul.dll mozilla::dom::binding_detail::DoGetOrCreateDOMReflector dom/bindings/BindingUtils.h:1084
3 xul.dll mozilla::dom::GetOrCreateDOMReflector dom/bindings/BindingUtils.h:1153
3 xul.dll mozilla::dom::GetOrCreateDOMReflectorHelper<mozilla::dom::Event, 0>::GetOrCreate dom/bindings/BindingUtils.h:1742
3 xul.dll mozilla::dom::GetOrCreateDOMReflector dom/bindings/BindingUtils.h:1750
|
||
Comment 1•3 years ago
|
||
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 10 content process crashes on beta
:edgar, could you consider increasing the severity of this top-crash bug?
For more information, please visit auto_nag documentation.
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
||
Comment 2•3 years ago
|
||
This looks like it could be a signature change, for nsWrapperCache::GetWrapperPreserveColor (bug 1389451), nsWrapperCache::GetWrapper or maybe GetOrCreateDOMReflector (bug 1808175). That said, the volume on the first two hasn't been that high recently, and according to the first comment, bug 1808175 apparently started going up in the 109 betas, which is around the same time as this did.
|
|
||
Comment 3•3 years ago
•
|
||
625 out of 692 (~90%) of these crashes in the last week have Element_Binding::get_classList on the stack (unlink the crash in comment 0). In the crashes I looked at, most of them had stacks that apparently died in JIT code, but here's one that didn't: bp-7e541978-6d49-47d0-bf08-e32430230221
Here's the top of the stack for that one:
Top 10 frames of crashing thread:
0 xul.dll nsWrapperCache::GetWrapperMaybeDead const dom/base/nsWrapperCache.h:133
0 xul.dll nsWrapperCache::GetWrapperPreserveColor const dom/base/nsWrapperCacheInlines.h:15
0 xul.dll nsWrapperCache::GetWrapper const dom/base/nsWrapperCacheInlines.h:28
1 xul.dll mozilla::dom::binding_detail::DoGetOrCreateDOMReflector dom/bindings/BindingUtils.h:1075
1 xul.dll mozilla::dom::GetOrCreateDOMReflector dom/bindings/BindingUtils.h:1153
1 xul.dll mozilla::dom::Element_Binding::get_classList dom/bindings/ElementBinding.cpp:1363
2 ? @0x1755b551
3 ? @0x175085e1
4 ? @0x17487fd3
5 ? @0x175086df
|
|
||
Updated•3 years ago
|
|
|
||
Comment 6•3 years ago
|
||
The URLs in the crashes seem to be dominated by "Outlook on the web". Of the dozen or so crashes with URLs in them, they are almost entirely the form "<some domain>/owa/#path=/mail/inbox", where the domain is some business or organization, and not Microsoft.
Mike, you might want to be aware of this crash given what kinds of sites it seems to be affecting, or maybe if you hear of a way to reproduce it that could be useful.
|
||
Comment 7•3 years ago
|
||
Thanks for letting me know. I'll keep an eye on my various channels, but I haven't heard anything so far.
|
|
||
Comment 8•3 years ago
|
||
The bug is marked as tracked for firefox110 (release) and tracked for firefox111 (beta). We have limited time to fix this, the soft freeze is in 14 days. However, the bug still isn't assigned.
:hsinyi, could you please find an assignee for this tracked bug? If you disagree with the tracking decision, please talk with the release managers.
For more information, please visit auto_nag documentation.
|
||
Comment 9•3 years ago
|
||
(In reply to Release mgmt bot [:suhaib / :marco/ :calixte] from comment #8)
The bug is marked as tracked for firefox110 (release) and tracked for firefox111 (beta). We have limited time to fix this, the soft freeze is in 14 days. However, the bug still isn't assigned.
:hsinyi, could you please find an assignee for this tracked bug? If you disagree with the tracking decision, please talk with the release managers.
For more information, please visit auto_nag documentation.
We've been investigating this but haven't had clear ideas yet.
|
|
||
Updated•3 years ago
|
|
|
||
Comment 11•3 years ago
|
||
The current [@ JS::GetCompartment ] crashes look very similar. bp-f893d86e-b821-4108-bb9c-94eb60230224
|
|
||
Comment 12•3 years ago
|
||
|
|
||
Updated•3 years ago
|
|
|
||
Comment 13•3 years ago
|
||
This seems like it is a JIT issue, so I'm moving it over there.
|
|
||
Updated•3 years ago
|
|
|
||
Comment 14•3 years ago
|
||
Copying crash signatures from duplicate bugs.
|
|
||
Comment 15•3 years ago
|
||
Jandem has landed a patch for this in the dependent bug.
|
Assignee | |
Comment 16•3 years ago
|
||
Closing this because the crash data for the signatures in this bug seems to confirm this was indeed fixed by bug 1808352 (see crash data for 111 beta 7 and 8). The two reports for GetWrapperMaybeDead look unrelated to this bug.
|
||
Updated•3 years ago
|
Description
•