Closed Bug 295101 Opened 20 years ago Closed 20 years ago

crash at select node -Trunk [@ XPCWrappedNativeScope::RemoveWrappedNativeProtos 32ac0b94 ] [@JS_GetClass]

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: Peter6, Assigned: dbradley)

References

Details

(Keywords: crash, regression, topcrash)

Crash Data

Attachments

(3 files)

Talkback data (stack trace)
2.36 KB, text/plain
Details
Fix crashes due to lack of marking code in the new XPCNativeWrapper implementation.
7.48 KB, patch
brendan
: review+
brendan
: superreview+
brendan
: approval1.8b2+
Details | Diff | Splinter Review
Don't leave *pobj2 dangling
926 bytes, patch
bzbarsky
: review+
bzbarsky
: superreview+
brendan
: approval1.8b2+
Details | Diff | Splinter Review
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050521 Firefox/1.0+ ID:2005052113 1.Open FF 2.Open Domi 3.press "find node to inspect" 4.crash TB6032715H
repro steps are wrong 1.Open FF 2.Open DoMi 3.go to File->Inspect a Window and selectct the current page 4.press "find node to inspect" 5.crash
*** Bug 295106 has been marked as a duplicate of this bug. ***
Component: DOM Inspector → XPConnect
Product: Other Applications → Core
Version: unspecified → Trunk
Assignee: dom-inspector → dbradley
QA Contact: timeless → pschwartau
Or if you want it in BuildID terms WFM Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050521 Firefox/1.0+ ID:2005052104 CRASH Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050521 Firefox/1.0+ ID:2005052110
Keywords: crash
Confirmed on Mac OS X. Only if I use the Tools menu to open the Inspector. Opening the DomI with the keyboard shortcut (command+shift+I) works correctly. I can select nodes to inspect from the front-most document or selected window. But the highlight of a node (blinking border) doesn't work.
Brendan, when we're wrapping here the |scope| object that comes through has: (gdb) p obj->map->ops $3 = (JSObjectOps *) 0xa The stack I see is: #6 0xb7f3c1c9 in JS_GetClass (cx=0xb2af8ba8, obj=0xbfffdd68) at ../../../mozilla/js/src/jsapi.c:2039 #7 0xb79c2cde in GetScopeOfObject (cx=0xb2af8ba8, obj=0xbfffdd68) at ../../../../../mozilla/js/src/xpconnect/src/xpcwrappednativescope.cpp:504 #8 0xb79c2e73 in XPCWrappedNativeScope::FindInJSObjectScope (ccx=@0xbfffdd10, obj=0xbfffdd68, OKIfNotInitialized=0) at ../../../../../mozilla/js/src/xpconnect/src/xpcwrappednativescope.cpp:572 #9 0xb798f31f in XPCConvert::NativeInterface2JSObject (ccx=@0xbfffdd10, dest=0xbfffda40, src=0xb29f9c20, iid=0xbfffdb60, scope=0xbfffdd68, allowNativeWrapper=1, pErr=0xbfffdb5c) at ../../../../../mozilla/js/src/xpconnect/src/xpcconvert.cpp:1052 #10 0xb798e299 in XPCConvert::NativeData2JS (ccx=@0xbfffdd10, d=0xbfffdaf8, s=0xbfffdc50, type=@0xbfffdb03, iid=0xbfffdb60, scope=0xbfffdd68, pErr=0xbfffdb5c) at ../../../../../mozilla/js/src/xpconnect/src/xpcconvert.cpp:466 #11 0xb79b5b05 in XPCWrappedNative::CallMethod (ccx=@0xbfffdd10, mode=CALL_METHOD) at ../../../../../mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2181 #12 0xb79bf939 in XPC_WN_CallMethod (cx=0xb2af8ba8, obj=0x8518560, argc=1, argv=0xb29f5244, vp=0xbfffdec0) (coming off a setTimeout). Any idea what could be going on here? My first guess is that we're ending up with an already-gc'd object somehow...
Severity: normal → critical
Keywords: crash
OS: Windows 2000 → All
Hardware: PC → All
Blocks: 295090
Note that installing session saver and opening about:config (bug 295106) seems like a very quick and reliable way to reproduce...
Not sure if this fixes *this* crash, but it does fix a couple of crashes I found when running with TOO_MUCH_GC enabled in the JS engine. Probably worth landing just to see if this crash is due to the same problem or not.
Attachment #184287 - Flags: superreview?(bzbarsky)
Attachment #184287 - Flags: review?(bzbarsky)
Comment on attachment 184287 [details] [diff] [review] Fix crashes due to lack of marking code in the new XPCNativeWrapper implementation. r+sr+a=me, bz can specify further changes tomorrow, but please get this in for the respins! Thanks, /be
Attachment #184287 - Flags: superreview?(bzbarsky)
Attachment #184287 - Flags: superreview+
Attachment #184287 - Flags: review?(bzbarsky)
Attachment #184287 - Flags: review+
Attachment #184287 - Flags: approval1.8b2+
Blocks: 295215
Blocks: 295195
Blocks: 295200
I checked in jst's patch at 7:07 pacific, so it should make the respins. It doesn't fix the crash in this bug for me (or the other bugs this blocks), though. :( Bug 295200 has a nice simple testcase, fwiw. I'll try debugging some more in an hour or so.
It seems that the crash happens only if ShouldBypassNativeWrapper returns true. If I make it always return false, no crash. Are we possibly calling functions with the wrong |this| object? Could that cause issues?
Attachment #184324 - Flags: superreview?(bzbarsky)
Attachment #184324 - Flags: review?(bzbarsky)
Comment on attachment 184324 [details] [diff] [review] Don't leave *pobj2 dangling r+sr=bzbarsky, brendan said a= on irc.
Attachment #184324 - Flags: superreview?(bzbarsky)
Attachment #184324 - Flags: superreview+
Attachment #184324 - Flags: review?(bzbarsky)
Attachment #184324 - Flags: review+
Attachment #184324 - Flags: approval1.8b2+
OK, that patch fixes this crash, and bug 295090, bug 295195, bug 295200, bug 295215. And it's in.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Keywords: topcrash
Summary: crash at select node [@ XPCWrappedNativeScope::RemoveWrappedNativeProtos 32ac0b94 ] → crash at select node -Trunk [@ XPCWrappedNativeScope::RemoveWrappedNativeProtos 32ac0b94 ] [@JS_GetClass]
Crash Signature: [@ XPCWrappedNativeScope::RemoveWrappedNativeProtos 32ac0b94 ] [@JS_GetClass]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: