Closed Bug 276979 Opened 20 years ago Closed 19 years ago

Unrooted JSObject in nsXPCWrappedJSClass::DelegatedQueryInterface crashes [@ js_LookupPropertyWithFlags ]

Core :: XPConnect, defect
Hardware: x86
OS: Windows XP
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Reporter: tvdijen, Assigned: timeless
Keywords: crash, fixed1.8
Attachments: 1 file, 1 obsolete file

Firefox just crashes when I visit http://www.hi.nl. I tried it on the Unix platform as well. It also crashes. Not sure what goes wrong, but a browser should not crash on bad input, no matter how nasty the website is coded! My browser: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
WFM, no crash in Firefox 20050103 and Mozilla 2005010206 trunk builds on Linux. (Firefox 1.0 on Linux crashes though.)
Severity: normal → critical
Keywords: crash
Summary: Firefox crashes → Firefox crashe son www.hi.nl
Summary: Firefox crashe son www.hi.nl → Firefox crashes on www.hi.nl
Summary: Firefox crashes on www.hi.nl → Firefox crashes on www.hi.nl [@ js_LookupPropertyWithFlags ]
Incident ID: 2910858
Stack Signature js_LookupPropertyWithFlags 855770ae
Product ID Firefox10
Build ID 2004110711
Trigger Time 2005-01-04 07:36:08.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module js3250.dll + (0002874a)
URL visited http://www.hi.nl/
User Comments loading page
Since Last Crash 1978872 sec
Total Uptime 4456331 sec
Trigger Reason Access violation
Source File, Line No. d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line 2467
Stack Trace
js_LookupPropertyWithFlags [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line 2467]
js_LookupProperty [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line 2587]
js_GetProperty [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line 2693]
nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 243]
nsXPCWrappedJSClass::DelegatedQueryInterface [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 589]
nsXPCWrappedJS::QueryInterface [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp, line 97]
nsEventListenerManager::HandleEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp, line 1524]
GlobalWindowImpl::HandleDOMEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp, line 927]
nsXULDocument::HandleDOMEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/xul/document/src/nsXULDocument.cpp, line 1268]
nsXULElement::HandleDOMEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp, line 2864]
PresShell::HandleEventInternal [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 6059]
PresShell::HandleEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 5921]
nsViewManager::HandleEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 2280]
nsViewManager::DispatchEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 2066]
HandleEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp, line 77]
nsWindow::DispatchEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1067]
nsWindow::DispatchKeyEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 2978]
nsWindow::OnKeyDown [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 3017]
nsWindow::WindowProc [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1349]
USER32.dll + 0x3a50 (0x77d43a50)
USER32.dll + 0x3b1f (0x77d43b1f)
USER32.dll + 0x3d79 (0x77d43d79)
USER32.dll + 0x3ddf (0x77d43ddf)
nsAppShellService::Run [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 495]
main [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/browser/app/nsBrowserApp.cpp, line 58]
kernel32.dll + 0x2141a (0x77e8141a)
Assignee: firefox → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: firefox.general → pschwartau
Version: 1.0 Branch → 1.7 Branch
If this isn't an issue on trunk, is there a reason not to resolve this worksforme?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050406 Firefox/1.0+
I crashed with a trunk build on the following URL.
http://www.newscientist.com/article.ns?id=mg18624944.600
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB4910634X
Stack Signature js_LookupPropertyWithFlags b75fe574
Product ID FirefoxTrunk
Build ID 2005040506
Trigger Time 2005-04-07 06:47:27.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module js3250.dll + (0002bdeb)
URL visited
User Comments
Since Last Crash 96671 sec
Total Uptime 96671 sec
Trigger Reason Access violation
Source File, Line No. c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 2522
Stack Trace
js_LookupPropertyWithFlags [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 2522]
js_LookupPropertyWithFlags [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 2472]
js_GetProperty [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 2742]
nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 255]
nsXPCWrappedJSClass::GetArraySizeFromParam [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 692]
nsXPCWrappedJS::Release [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp, line 157]
nsEventListenerManager::FlipCaptureBit [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1772]
nsGlobalWindow::GetPrincipal [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 1027]
nsXULDocument::DestroyForwardReferences [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/xul/document/src/nsXULDocument.cpp, line 1571]
nsXULElement::SetInlineStyleRule [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2319]
nsXULElement::SetInlineStyleRule [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2311]
nsXULElement::SetInlineStyleRule [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2311]
nsXULElement::SetInlineStyleRule [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2311]
nsXULElement::SetInlineStyleRule [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2311]
nsXULElement::SetInlineStyleRule [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2311]
nsXULElement::SetInlineStyleRule [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2311]
nsXULElement::SetInlineStyleRule [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2311]
nsEventStateManager::DispatchMouseEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 2514]
nsEventStateManager::NotifyMouseOver [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 2625]
nsEventStateManager::NotifyMouseOver [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 2610]
nsEventStateManager::GenerateMouseEnterExit [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 2648]
nsEventStateManager::PreHandleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 470]
ReflowEvent::HandleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresShell.cpp, line 6486]
PresShell::HandleEventInternal [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresShell.cpp, line 6287]
nsViewManager::ResizeView [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp, line 2830]
SortByZOrder [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp, line 1144]
nsView::SetZIndex [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsView.cpp, line 678]
nsWindow::DispatchAppCommandEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1207]
nsWindow::DispatchMouseEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 5826]
nsWindow::SetIcon [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 6047]
nsWindow::StandardWindowCreate [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1508]
USER32.dll + 0x8709 (0x77cf8709)
USER32.dll + 0x87eb (0x77cf87eb)
USER32.dll + 0x89a5 (0x77cf89a5)
USER32.dll + 0x89e8 (0x77cf89e8)
nsAppShell::GetNativeEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsAppShell.cpp, line 205]
nsAutoCompleteController::~nsAutoCompleteController [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/toolkit/components/autocomplete/src/nsAutoCompleteController.cpp, line 75]
main [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 60]
kernel32.dll + 0x16d4f (0x7c816d4f)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Version: 1.7 Branch → Trunk
Masayuki, your crash occurs at a different location and with a sufficiently different stack that I doubt it is the same as the original bug. Do you have any extensions installed, or can you reproduce this same crash and give steps on how to reproduce? I tried with a firefox 1.0.x and trunk debug winxp build from yesterday on both urls and cannot reproduce either crash.
QA Contact: pschwartau → moz
err, make that ff 1.0 not 1.0.x
Oops... Sorry. You are right. I cannot reproduce in safe mode.
Tim, can you reproduce your original bug either with Firefox 1.0.2 or a recent Firefox trunk build?
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b5) Gecko/20051009 Firefox/1.4.1 ID:2005100902
crash with latest branch TB10464972Y
Incident ID: 10464972
Stack Signature js_LookupPropertyWithFlags e0c06551
Product ID Firefox15
Build ID 2005100805
Trigger Time 2005-10-10 04:42:13.0
Platform Win32
Operating System Windows NT 5.0 build 2195
Module js3250.dll + (0002d4be)
URL visited http://www.hansrossel.com/reisgids/turkijePR.html
User Comments crash while opening this page
Since Last Crash 4391 sec
Total Uptime 4391 sec
Trigger Reason Access violation
Source File, Line No. c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2592
Stack Trace
js_LookupPropertyWithFlags [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2592]
js_LookupProperty [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2519]
js_GetProperty [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2804]
nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 243]
nsXPCWrappedJSClass::DelegatedQueryInterface [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 589]
nsXPCWrappedJS::QueryInterface [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp, line 97]
nsEventListenerManager::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1779]
nsXULDocument::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/document/src/nsXULDocument.cpp, line 1242]
nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2135]
nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2132]
nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2132]
nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2132]
nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2132]
nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2132]
nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2132]
nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2132]
nsEventStateManager::DispatchMouseEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 2627]
nsEventStateManager::NotifyMouseOut [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 2696]
nsEventStateManager::NotifyMouseOver [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 2746]
nsEventStateManager::GenerateMouseEnterExit [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 2785]
nsEventStateManager::PreHandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 522]
PresShell::HandleEventInternal [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6361]
PresShell::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6203]
nsViewManager::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2559]
nsViewManager::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2246]
HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 174]
nsWindow::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1252]
nsWindow::DispatchMouseEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 5991]
ChildWindow::DispatchMouseEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 6242]
nsWindow::WindowProc [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1434]
USER32.dll + 0x3158f (0x77e4158f)
USER32.dll + 0x31dc9 (0x77e41dc9)
USER32.dll + 0x31e7e (0x77e41e7e)
nsAppStartup::Run [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151]
main [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
KERNEL32.dll + 0x28989 (0x79628989)
Forgot to add: yes, this page crashes in -safe-mode too.
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20051008 Firefox/1.6a1 ID:2005100807
http://www.hansrossel.com/reisgids/turkijePR.html doesn't crash me on trunk, but it does on branch:
- Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b5) Gecko/20051010 Firefox/1.4.1 ID:2005101005
Forget comments 10, 11 and 12; it's a recent regression, filed Bug 311950 for it.
I don't crash with 1.5 or trunk from yesterday on winxp. Tim, if you can't reproduce this with recent builds would you mark it works for me? Thanks.
Flags: testcase-
This crash report is from the 1.8 branch (sorry, our product uses the branch...). Things are /slightly/ different on trunk, but just as broken.

EXCEPTION_RECORD: 0012f208 -- (.exr 12f208)
ExceptionAddress: 00b4ceb3 (js3250!MarkGCThing+0x000000a5)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 0000000a
Attempt to read from address 0000000a

FAULTING_THREAD: 000015f8
BUGCHECK_STR: 80000003
DEFAULT_BUCKET_ID: APPLICATION_FAULT
PROCESS_NAME: HsEngine.exe
ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.

CONTEXT: 0012f224 -- (.cxr 12f224)
eax=00000006 ebx=34f51850 ecx=0012f500 edx=34f5184c esi=360a0414 edi=360a03a0
eip=00b4ceb3 esp=0012f4f0 ebp=0012f508 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210286
js3250!MarkGCThing+0xa5:
00b4ceb3 8b4804 mov ecx,[eax+0x4] ds:0023:0000000a=????????
Resetting default scope

MANAGED_STACK: !dumpstack -EE succeeded
Loaded Son of Strike data table version 5 from "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
Current frame:
ChildEBP RetAddr Caller,Callee

LAST_CONTROL_TRANSFER: from 00b4ceae to 00b4ceb3

STACK_TEXT:
0012f508 00b4ceae 35df1628 360a03a0 360a0414 js3250!MarkGCThing+0xa5 [c:\build\chs3\build\mozilla\js\src\jsgc.c @ 1146]
0012f534 00b4cf98 35df1628 34f516c8 34f50261 js3250!MarkGCThing+0xa0 [c:\build\chs3\build\mozilla\js\src\jsgc.c @ 1141]
0012f544 00b31b54 35df1628 35515a68 00000000 js3250!js_MarkGCThing+0x1c [c:\build\chs3\build\mozilla\js\src\jsgc.c @ 1446]
0012f554 010ea9ed 35df1628 35515a68 01182c1c js3250!JS_MarkGCThing+0xf [c:\build\chs3\build\mozilla\js\src\jsapi.c @ 1838]
0012f578 010eb1db 360fed08 35df1628 00000000 gklayout!nsDOMClassInfo::MarkReachablePreservedWrappers+0xac [c:\build\chs3\build\mozilla\dom\src\base\nsdomclassinfo.cpp @ 4898]
0012f58c 00b17ab7 0167c460 360fed08 35df1628 gklayout!nsNodeSH::Mark+0x1f [c:\build\chs3\build\mozilla\dom\src\base\nsdomclassinfo.cpp @ 6195]
0012f5b4 00b5c9ab 35df1628 34f50e68 00000000 xpc3250!XPC_WN_Helper_Mark+0x3e [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcwrappednativejsops.cpp @ 989]
0012f5d4 00b4cec5 35df1628 34f50e68 00000000 js3250!js_Mark+0xc3 [c:\build\chs3\build\mozilla\js\src\jsobj.c @ 4127]
0012f600 00b4cf98 35df1628 34f50e68 34f50155 js3250!MarkGCThing+0xb7 [c:\build\chs3\build\mozilla\js\src\jsgc.c @ 1146]
0012f610 00b4cfc6 35df1628 34f50e68 00000000 js3250!js_MarkGCThing+0x1c [c:\build\chs3\build\mozilla\js\src\jsgc.c @ 1446]
0012f620 00b400be 00a0f14c 0d3c09c8 0000007f js3250!gc_root_marker+0x2a [c:\build\chs3\build\mozilla\js\src\jsgc.c @ 1485]
0012f654 00b4d200 0000007f 00b4cf9c 35df1628 js3250!JS_DHashTableEnumerate+0x4f [c:\build\chs3\build\mozilla\js\src\jsdhash.c @ 620]
0012f6a4 00b4d9d1 35df1628 00000005 00b90b60 js3250!js_GC+0x1ca [c:\build\chs3\build\mozilla\js\src\jsgc.c @ 1702]
0012f6d0 00b5e890 35df1628 00000000 00000008 js3250!js_NewGCThing+0xf0 [c:\build\chs3\build\mozilla\js\src\jsgc.c @ 636]
0012f6f8 00b133a0 35df1628 00b28a08 03ff8e88 js3250!js_NewObject+0x71 [c:\build\chs3\build\mozilla\js\src\jsobj.c @ 1905]
0012f71c 00b14fb3 0012f820 03ff8e50 00000000 xpc3250!XPCWrappedNative::Init+0xa5 [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcwrappednative.cpp @ 764]
0012f7b4 00b08239 0012f820 03ff8e50 03f545c8 xpc3250!XPCWrappedNative::GetNewOrUsed+0x315 [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcwrappednative.cpp @ 391]
0012f7f4 00b01834 0012f820 0012f8c8 1411a240 xpc3250!XPCConvert::NativeInterface2JSObject+0x79 [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcconvert.cpp @ 1107]
0012f894 00b0c3bd 00a15100 35df1628 0403e6c8 xpc3250!nsXPConnect::WrapNative+0x47 [c:\build\chs3\build\mozilla\js\src\xpconnect\src\nsxpconnect.cpp @ 588]
0012f8cc 00b11219 35df1628 0403e6c8 00408d58 xpc3250!xpc_NewIDObject+0x60 [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcjsid.cpp @ 993]
0012f910 00b115ab 04414f70 0403e6c8 00408d58 xpc3250!nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject+0xc3 [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcwrappedjsclass.cpp @ 267]
0012f9a4 00b0f6b7 00a8fd68 0407cc88 00408d58 xpc3250!nsXPCWrappedJSClass::DelegatedQueryInterface+0x129 [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcwrappedjsclass.cpp @ 590]
0012f9c4 0085463d 0407cc88 00408d58 0012fa2c xpc3250!nsXPCWrappedJS::QueryInterface+0x62 [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcwrappedjs.cpp @ 97]
0012f9f4 00403fca 002ada4c 0407cc88 00408d58 xpcom_core!nsComponentManagerImpl::GetServiceByContractID+0x71 [c:\build\chs3\build\mozilla\xpcom\components\nscomponentmanager.cpp @ 2393]
0012fa48 004052f9 0012fcec 0012fab4 00000000 HsEngine!nsNativeAppSupportWin::GetCmdLineArgs+0x240 [c:\build\chs3\build\mozilla\xpfe\bootstrap\nsnativeappsupportwin.cpp @ 2099]
0012fabc 00405760 0012fcec 00000000 0012fb8c HsEngine!nsNativeAppSupportWin::HandleRequest+0x30 [c:\build\chs3\build\mozilla\xpfe\bootstrap\nsnativeappsupportwin.cpp @ 1810]
0012fb84 77d48734 00000000 0000004a 00000000 HsEngine!MessageWindow::WindowProc+0x2f [c:\build\chs3\build\mozilla\xpfe\bootstrap\nsnativeappsupportwin.cpp @ 924]
0012fbb0 77d48816 00405731 00b3041c 0000004a USER32!InternalCallWinProc+0x28
0012fc18 77d4b4c0 00000000 00405731 00b3041c USER32!UserCallWinProcCheckWow+0x150
0012fc6c 77d5e7fe 005c7218 0000004a 00000000 USER32!DispatchClientMessage+0xa3
0012fc9c 7c90eae3 0012fcac 000000cc 000000cc USER32!__fnCOPYDATA+0x41
0012fcdc 00405730 77d4b473 00000030 5c3a4322 ntdll!KiUserCallbackDispatcher+0x13
0012fd74 77d493e9 77d493a8 0012fe08 00000000 HsEngine!nsSplashScreenWin::~nsSplashScreenWin+0x1b [c:\build\chs3\build\mozilla\xpfe\bootstrap\nsnativeappsupportwin.cpp @ 450]
0012fda0 77d49402 0012fe08 00000000 00000100 USER32!NtUserPeekMessage+0xc
0012fdcc 012ad491 0012fe08 00000000 00000100 USER32!PeekMessageW+0xbc
0012fe24 012ad61a 0012fe40 00000000 00000000 gkwidget!PeekKeyAndIMEMessage+0x1f [c:\build\chs3\build\mozilla\widget\src\windows\nsappshell.cpp @ 91]
0012fe7c 01270e48 01595158 00402aa6 00abce28 gkwidget!nsAppShell::Run+0x65 [c:\build\chs3\build\mozilla\widget\src\windows\nsappshell.cpp @ 128]
0012fe84 00402aa6 00abce28 7c80b529 00000000 appcomps!nsAppStartup::Run+0xd [c:\build\chs3\build\mozilla\xpfe\components\startup\src\nsappstartup.cpp @ 208]
0012fee4 00402bae 00000003 002a45f0 00000000 HsEngine!main1+0x355 [c:\build\chs3\build\mozilla\xpfe\bootstrap\nsapprunner.cpp @ 1264]
0012ff08 00402be3 00000003 002a45f0 00152357 HsEngine!main+0xc5 [c:\build\chs3\build\mozilla\xpfe\bootstrap\nsapprunner.cpp @ 1765]
0012ff18 00407765 00400000 00000000 00152357 HsEngine!WinMain+0x18 [c:\build\chs3\build\mozilla\xpfe\bootstrap\nsapprunner.cpp @ 1789]
0012ffc0 7c816d4f 80000001 0875ee34 7ffdf000 HsEngine!WinMainCRTStartup+0x185 [f:\vs70builds\3077\vc\crtbld\crt\src\crtexe.c @ 390]
0012fff0 00000000 004075e0 00000000 78746341 kernel32!BaseProcessStart+0x23

FOLLOWUP_IP:
js3250!MarkGCThing+a5 [c:\build\chs3\build\mozilla\js\src\jsgc.c @ 1146]
00b4ceb3 8b4804 mov ecx,[eax+0x4]

SYMBOL_STACK_INDEX: 0
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: js3250!MarkGCThing+a5
MODULE_NAME: js3250
IMAGE_NAME: js3250.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 43676160
STACK_COMMAND: .cxr 12f224 ; kb
FAILURE_BUCKET_ID: 80000003_js3250!MarkGCThing+a5
BUCKET_ID: 80000003_js3250!MarkGCThing+a5
Followup: MachineOwner
---------

--- possibles: 311950 (probably poorly duped) 292210 278743 276979 ---

0 e [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcwrappedjsclass.cpp @ 587] 0001 (0001) 0:**** xpc3250!nsXPCWrappedJSClass::DelegatedQueryInterface+0x116
1 e [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcwrappedjsclass.cpp @ 243] 0001 (0001) 0:**** xpc3250!nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject+0xc
2 e [c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcwrappedjsclass.cpp @ 271] 0001 (0001) 0:**** xpc3250!nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject+0xcd
Assignee: general → timeless
Component: JavaScript Engine → XPConnect
QA Contact: bob → pschwartau
Summary: Firefox crashes on www.hi.nl [@ js_LookupPropertyWithFlags ] → Unrooted JSObject in nsXPCWrappedJSClass::DelegatedQueryInterface crashes [@ js_LookupPropertyWithFlags ]
Attached patch protect the function and object (obsolete) — Splinter Review
*** Bug 278743 has been marked as a duplicate of this bug. ***
Attachment #201578 - Flags: superreview?(bzbarsky)
Attachment #201578 - Flags: review?(mrbkap)
Comment on attachment 201578 [details] [diff] [review] protect the function and object r=mrbkap
Attachment #201578 - Flags: review?(mrbkap) → review+
Attachment #201578 - Flags: superreview?(bzbarsky)
Attachment #201578 - Flags: superreview+
Attachment #201578 - Flags: review?(mrbkap)
Attachment #201578 - Flags: review+
Attachment #201578 - Flags: review?(mrbkap) → review+
Comment on attachment 201578 [details] [diff] [review] protect the function and object mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp 1.86
Attachment #201578 - Attachment is obsolete: true
Comment on attachment 201579 [details] [diff] [review] protect the function and object (1.8 branch, diff not made against cvs.mozilla.org versions, sorry) this fixes a gc rooting hole that can happen randomly
Attachment #201579 - Flags: approval1.8rc2?
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment on attachment 201579 [details] [diff] [review] protect the function and object (1.8 branch, diff not made against cvs.mozilla.org versions, sorry) Brendan, can you give an extra sr here since you and blake have been fixing so many of these unroot js object bugs lately. You guys have a good idea of what these fixes should look like. Thanks.
Attachment #201579 - Flags: superreview?(brendan)
Comment on attachment 201579 [details] [diff] [review] protect the function and object (1.8 branch, diff not made against cvs.mozilla.org versions, sorry) mscott, this is a different module with its own rooting bugs and solutions. But I can certainly sr this stuff since it has also been around a long while and its local GC rooting solutions are known. /be
Attachment #201579 - Flags: superreview?(brendan) → superreview+
There are other bugs of this sort lurking. Taking this fix even late in the game adds negligible risk. The only tradeoff is that the gain may be small or tiny in talkback terms. IOW, this is not a topcrash. But the patch is a good fix. /be
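The rooting hole this bug describes, shown as an added example that is not code from the bug, from attachment 201578/201579 or from SpiderMonkey: a toy mark-and-sweep heap with an explicit root set. It follows the shape of the WinDbg stack posted in this bug (nsXPCWrappedJSClass::DelegatedQueryInterface holds a JSObject, CallQueryInterfaceOnJSObject then creates another object through xpc_NewIDObject, and js_NewGCThing runs js_GC), and contrasts the unrooted case with the rooted one the patch title "protect the function and object" refers to. Every identifier in the block (ToyObj, toy_alloc, root_push, delegated_qi, toy_gc_count) is hypothetical; where the real engine read freed memory and crashed in MarkGCThing, the toy marks a swept slot as dead so the outcome can be checked deterministically.

```c
/* Added example, not code from bug 276979, its patch or SpiderMonkey.
 * A toy mark-and-sweep heap with an explicit root set, used to show why a
 * JSObject held only in a native local can be freed by a GC that an
 * allocation in the same call path triggers. All names here are
 * hypothetical (ToyObj, toy_alloc, root_push, delegated_qi) and are not
 * SpiderMonkey or XPConnect APIs. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HEAP_SLOTS 4   /* deliberately tiny so a few allocations fill it */
#define MAX_ROOTS  8

typedef struct ToyObj {
    int alive;             /* slot is in use */
    int marked;            /* reached from a root during the mark phase */
    int payload;           /* stands in for the object's properties */
    struct ToyObj *child;  /* one outgoing reference the marker follows */
} ToyObj;

static ToyObj heap[HEAP_SLOTS];
static ToyObj *roots[MAX_ROOTS];
static size_t nroots;
static unsigned gc_runs;

/* Explicit roots: the toy counterpart of JS_AddRoot/JS_RemoveRoot or an
 * auto-rooter, i.e. "this native pointer must survive the next GC". */
static int root_push(ToyObj *o) {
    if (nroots == MAX_ROOTS) return 0;
    roots[nroots++] = o;
    return 1;
}
static void root_pop(void) { if (nroots) nroots--; }

/* Mark everything reachable from o; the marked check also stops on cycles. */
static void mark(ToyObj *o) {
    while (o && !o->marked) { o->marked = 1; o = o->child; }
}

static void toy_gc(void) {
    gc_runs++;
    for (size_t i = 0; i < nroots; i++) mark(roots[i]);
    for (size_t i = 0; i < HEAP_SLOTS; i++) {
        ToyObj *o = &heap[i];
        if (o->alive && !o->marked) {
            /* sweep: free the slot and poison it so a stale pointer is obvious */
            o->alive = 0; o->payload = -1; o->child = NULL;
        }
        o->marked = 0;
    }
}

/* Like js_NewGCThing: take a free slot; if none, collect and retry once. */
static ToyObj *toy_alloc(int payload) {
    for (int pass = 0; pass < 2; pass++) {
        for (size_t i = 0; i < HEAP_SLOTS; i++) {
            if (!heap[i].alive) {
                heap[i].alive = 1; heap[i].marked = 0;
                heap[i].payload = payload; heap[i].child = NULL;
                return &heap[i];
            }
        }
        toy_gc();
    }
    return NULL;  /* still full after a collection */
}

static void reset_heap(void) {
    memset(heap, 0, sizeof heap);
    nroots = 0;
    gc_runs = 0;
}

unsigned toy_gc_count(void) { return gc_runs; }

/* The shape of the crashing path: DelegatedQueryInterface holds a JSObject,
 * then CallQueryInterfaceOnJSObject creates a helper object (xpc_NewIDObject
 * -> js_NewObject -> js_NewGCThing), which can run the collector. Returns the
 * held object's payload if it survived, or -1 if the collector swept it. */
int delegated_qi(int root_it) {
    reset_heap();
    toy_alloc(100);                        /* two unrelated live objects... */
    toy_alloc(101);                        /* ...so the heap is full below */
    ToyObj *obj = toy_alloc(42);           /* the JSObject the native caller holds */
    if (root_it) root_push(obj);           /* the fix: protect it across the allocation */
    obj->child = toy_alloc(43);            /* reachable only through obj */
    ToyObj *id_obj = toy_alloc(7);         /* heap is full: this triggers toy_gc() */
    int result = -1;
    if (obj->alive && obj->child && obj->child->alive)
        result = obj->payload;
    (void)id_obj;
    if (root_it) root_pop();
    return result;
}

int main(void) {
    printf("unrooted: %d (gc runs: %u)\n", delegated_qi(0), toy_gc_count());
    printf("rooted:   %d (gc runs: %u)\n", delegated_qi(1), toy_gc_count());
    return 0;
}
```

delegated_qi(0) returns -1: the collector ran once during the helper allocation and, with nothing in the root set, swept both the held object and its child. delegated_qi(1) returns 42 because the root keeps the object and everything it references marked, while the two unrelated objects are still reclaimed. The real engine's failure mode is the same hazard one step later: the freed cell is reused or poisoned, and the next marker pass or property lookup through the stale JSObject pointer reads garbage, which is what the js_LookupPropertyWithFlags and MarkGCThing signatures in this bug show.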
Flags: blocking1.8rc2?
Attachment #201579 - Flags: approval1.8rc2? → approval1.8rc2+
It looks like this was checked into the branch by timeless. As such, adding the fixed1.8 keyword to the bug.
Flags: blocking1.8rc2?
Keywords: fixed1.8
Crash Signature: [@ js_LookupPropertyWithFlags ]