Closed Bug 279678 Opened 20 years ago Closed 15 years ago

M17x FF10x crash [@ JS_GetFrameFunctionObject - nsScriptSecurityManager::GetPrincipalAndFrame]

Categories

(Core :: Security: CAPS, defect)

Product:
Core
Component:
Security: CAPS
Version:
1.8 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED INCOMPLETE

People

(Reporter: jay, Assigned: jst)

References

Details

(4 keywords)

Crash Data

Attachments

(1 file)

crashing testcase from bug 295824
323 bytes, text/html
Details
This is a topcrasher for Firefox 1.0 and Mozilla 1.7.5. Here is a link to the latest Talkback data for the JS_GetFrameFunctionObject stack signature: http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=stacksig&match=contains&searchfor=JS_GetFrameFunctionObject&vendor=All&product=All&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=bbid Here are a couple of incidents: Firefox 1.0: Incident ID: 3267458 Stack Signature JS_GetFrameFunctionObject 7d9b9074 Product ID Firefox10 Build ID 2004110711 Trigger Time 2005-01-24 14:56:05.0 Platform Win32 Operating System Windows NT 5.1 build 2600 Module js3250.dll + (0000d8ab) URL visited any url User Comments Since Last Crash 31530 sec Total Uptime 3637959 sec Trigger Reason Access violation Source File, Line No. d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsdbgapi.c, line 770 Stack Trace JS_GetFrameFunctionObject [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsdbgapi.c, line 770] nsScriptSecurityManager::GetPrincipalAndFrame [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/caps/src/nsScriptSecurityManager.cpp, line 1857] nsScriptSecurityManager::GetSubjectPrincipal [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/caps/src/nsScriptSecurityManager.cpp, line 1897] nsScriptSecurityManager::GetSubjectPrincipal [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/caps/src/nsScriptSecurityManager.cpp, line 1583] nsContentUtils::IsCallerChrome [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/base/src/nsContentUtils.cpp, line 921] PresShell::HandleEventInternal [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 6027] PresShell::HandleEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 5921] nsViewManager::HandleEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 2280] nsViewManager::DispatchEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 2066] HandleEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp, line 77] nsWindow::DispatchEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1067] nsWindow::DispatchFocus [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 5451] nsWindow::ProcessMessage [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 4216] nsWindow::WindowProc [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1349] USER32.dll + 0x8709 (0x77d18709) USER32.dll + 0x87eb (0x77d187eb) USER32.dll + 0xb368 (0x77d1b368) USER32.dll + 0xb3b4 (0x77d1b3b4) ntdll.dll + 0xeae3 (0x7c91eae3) USER32.dll + 0x93df (0x77d193df) PeekKeyAndIMEMessage [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp, line 91] nsAppShell::Run [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp, line 128] nsAppShellService::Run [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 495] main [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/browser/app/nsBrowserApp.cpp, line 58] kernel32.dll + 0x16d4f (0x7c816d4f) ----------------------------------------------- Mozilla 1.7.5: Incident ID: 3257094 Stack Signature JS_GetFrameFunctionObject 072bae2a Product ID Mozilla17 Build ID 2004121708 Trigger Time 2005-01-24 05:55:34.0 Platform Win32 Operating System Windows NT 5.0 build 2195 Module js3250.dll + (0000d89e) URL visited loading a java applett User Comments Since Last Crash 53 sec Total Uptime 32451 sec Trigger Reason Access violation Source File, Line No. d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/jsdbgapi.c, line 771 Stack Trace JS_GetFrameFunctionObject [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/jsdbgapi.c, line 771] nsScriptSecurityManager::GetFramePrincipal [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/caps/src/nsScriptSecurityManager.cpp, line 1826] nsScriptSecurityManager::GetPrincipalAndFrame [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/caps/src/nsScriptSecurityManager.cpp, line 1859] nsScriptSecurityManager::GetSubjectPrincipal [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/caps/src/nsScriptSecurityManager.cpp, line 1897] nsScriptSecurityManager::GetSubjectPrincipal [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/caps/src/nsScriptSecurityManager.cpp, line 1583] nsContentUtils::CanCallerAccess [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsContentUtils.cpp, line 626] nsRange::SetStart [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsRange.cpp, line 988] nsPlaintextEditor::GetAndInitDocEncoder [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp, line 1389] nsPlaintextEditor::OutputToString [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp, line 1431] nsTextControlFrame::GetValue [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/layout/html/forms/src/nsTextControlFrame.cpp, line 3150] nsTextControlFrame::GetProperty [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/layout/html/forms/src/nsTextControlFrame.cpp, line 2443] nsHTMLInputElement::GetValue [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 649] WLLT_OnSubmit [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/extensions/wallet/src/wallet.cpp, line 4010] nsWalletlibService::Notify [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/extensions/wallet/src/nsWalletService.cpp, line 249] nsHTMLFormElement::NotifySubmitObservers [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLFormElement.cpp, line 1029] nsHTMLFormElement::SubmitSubmission [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLFormElement.cpp, line 942] nsHTMLFormElement::FlushPendingSubmission [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLFormElement.cpp, line 1255] nsHTMLInputElement::HandleDOMEvent [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 1625] PresShell::HandleDOMEventWithTarget [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 6120] nsHTMLInputElement::MaybeSubmitForm [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 991] nsHTMLInputElement::HandleDOMEvent [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 1540] PresShell::HandleEventInternal [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 6042] PresShell::HandleEvent [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 5934] nsViewManager::HandleEvent [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 2280] nsViewManager::DispatchEvent [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 2070] HandleEvent [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp, line 77] nsWindow::DispatchEvent [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1071] nsWindow::DispatchWindowEvent [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1088] nsWindow::DispatchKeyEvent [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 2979] nsWindow::OnChar [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 3165] nsWindow::ProcessMessage [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 3878] nsWindow::WindowProc [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1350] USER32.dll + 0x2a420 (0x77e3a420) USER32.dll + 0x4605 (0x77e14605) USER32.dll + 0xa7ba (0x77e1a7ba) nsAppShellService::Run [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 524] main1 [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1313] main [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1784] WinMain [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1810] WinMainCRTStartup() KERNEL32.DLL + 0x2893d (0x7c59893d)
*** Bug 295824 has been marked as a duplicate of this bug. ***
Here's one crashing testcase.
This is still a topcrasher with Firefox 1.0.x releases, but I don't see any crashes on the Trunk since 5/13...and this test case does not crash with Deer Park Alpha 1 (as Dan mentioned in bug 295824). I do crash with Firefox 1.0.4, but I don't think we are going to fix this on the Aviary branch. Should we mark this worksforme? Or just leave it open until we release Firefox 1.1?
Summary: M17 FF10 crash [@ JS_GetFrameFunctionObject - nsScriptSecurityManager::GetPrincipalAndFrame] → M17x FF10x crash [@ JS_GetFrameFunctionObject - nsScriptSecurityManager::GetPrincipalAndFrame]
So, will be this fixed in 1.0.5 release?
*** Bug 300229 has been marked as a duplicate of this bug. ***
*** Bug 300730 has been marked as a duplicate of this bug. ***
*** Bug 350280 has been marked as a duplicate of this bug. ***
bug 316159 comment 3 explains the general problem. and it shows that we have someone who can fix this. there's one other version of this bug that i left open. i think that 2 copies of this bug are more than enough until someone fixes one of them.
Assignee: dveditz → jst
So this is at least happening on 1.8 branch (see bug 366691). Is it also happening on trunk?
Flags: blocking1.9?
Version: 1.7 Branch → 1.8 Branch
QA Contact: caps
Not blocking on this, but if someone shows proof that this happens on the trunk (somewhat frequently), please renominate.
Flags: blocking1.9? → blocking1.9-
Keywords: testcase
Bug 316159 comment 3 indicates that at least some of the crashes were due to memory corruption from other components, and some of the dups finger malware. It's not clear what this bug is about, other than that it was a topcrash at one time. It's clearly not that any more; there are only a few crashes per day at each of these signatures.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → INCOMPLETE
Crash Signature: [@ JS_GetFrameFunctionObject - nsScriptSecurityManager::GetPrincipalAndFrame]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: