Closed Bug 296467 Opened 20 years ago Closed 20 years ago

crash hitting ctrl+h

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: bryner, Assigned: jst)

References

Details

(4 keywords, Whiteboard: needed anywhere we take 294795, need branch landing)

Attachments

(1 file)

Pass fp->argv[-2] instead of fp->fun->object to checkAccess()
1.18 KB, patch
brendan
: review+
brendan
: superreview+
dveditz
: approval-aviary1.0.5+
dveditz
: approval1.7.9+
brendan
: approval1.8b3+
Details | Diff | Splinter Review 
Just updated my Firefox debug build on Windows.  Start up the browser, hit
ctrl+H.  Result: crash.  Here's the stack:

S_GetClass(JSContext * 0x02863860, JSObject * 0x00000000) line 2040 + 3 bytes
nsScriptSecurityManager::CheckObjectAccess(JSContext * 0x02863860, JSObject *
0x00000000, long 16806116, JSAccessMode JSACC_READ, long * 0x00126b3c) line 458
+ 20 bytes
InitExceptionObject(JSContext * 0x02863860, JSObject * 0x02a18490, JSString *
0x02a18498, JSString * 0x02a184a0, unsigned int 0) line 429 + 27 bytes
js_ErrorToException(JSContext * 0x02863860, const char * 0x0329e338,
JSErrorReport * 0x00126be8) line 1023 + 25 bytes
ReportError(JSContext * 0x02863860, const char * 0x0329e338, JSErrorReport *
0x00126be8) line 687 + 17 bytes
js_ReportErrorNumberVA(JSContext * 0x02863860, unsigned int 0, const
JSErrorFormatString * (void *, const char *, const unsigned int)* 0x10001ece
_js_GetErrorMessage, void * 0x00000000, const unsigned int 39, int 1, char *
0x00126c54) line 983 + 17 bytes
JS_ReportErrorNumber(JSContext * 0x02863860, const JSErrorFormatString * (void
*, const char *, const unsigned int)* 0x10001ece _js_GetErrorMessage, void *
0x00000000, const unsigned int 39) line 4130 + 29 bytes
js_ValueToNonNullObject(JSContext * 0x02863860, long 0) line 3732 + 31 bytes
js_Interpret(JSContext * 0x02863860, unsigned char * 0x02fcfc04, long *
0x001276a8) line 3295 + 139 bytes
js_Invoke(JSContext * 0x02863860, unsigned int 0, unsigned int 2) line 1198 + 19
bytes
js_InternalInvoke(JSContext * 0x02863860, JSObject * 0x02a18038, long 43025552,
unsigned int 0, unsigned int 0, long * 0x00000000, long * 0x001280dc) line 1275
+ 20 bytes
js_InternalGetOrSet(JSContext * 0x02863860, JSObject * 0x02a18038, long
42881264, long 43025552, int 4, unsigned int 0, long * 0x00000000, long *
0x001280dc) line 1318 + 31 bytes
js_GetProperty(JSContext * 0x02863860, JSObject * 0x02a18038, long 42881264,
long * 0x001280dc) line 2805 + 51 bytes
js_Interpret(JSContext * 0x02863860, unsigned char * 0x02fb7081, long *
0x0012828c) line 3295 + 1641 bytes
js_Invoke(JSContext * 0x02863860, unsigned int 0, unsigned int 2) line 1198 + 19
bytes
js_InternalInvoke(JSContext * 0x02863860, JSObject * 0x02a18038, long 44139616,
unsigned int 0, unsigned int 0, long * 0x00000000, long * 0x001283bc) line 1275
+ 20 bytes
JS_CallFunctionValue(JSContext * 0x02863860, JSObject * 0x02a18038, long
44139616, unsigned int 0, long * 0x00000000, long * 0x001283bc) line 3858 + 31 bytes
nsXBLProtoImplAnonymousMethod::Execute(nsIContent * 0x02bbb3d0) line 334 + 26 bytes
nsXBLPrototypeBinding::BindingAttached(nsIContent * 0x02bbb3d0) line 390 + 18 bytes
nsXBLBinding::ExecuteAttachedHandler() line 769
nsElementSH::PostCreate(nsElementSH * const 0x02adb2d8,
nsIXPConnectWrappedNative * 0x031192e8, JSContext * 0x02863860, JSObject *
0x02a18038) line 5912
XPCWrappedNative::GetNewOrUsed(XPCCallContext & {...}, nsISupports * 0x02bbb3ec,
XPCWrappedNativeScope * 0x0288c180, XPCNativeInterface * 0x02aff430,
XPCWrappedNative * * 0x00128628) line 456
XPCConvert::NativeInterface2JSObject(XPCCallContext & {...},
nsIXPConnectJSObjectHolder * * 0x001286c0, nsISupports * 0x02bbb3ec, const nsID
* 0x0012890c, JSObject * 0x02eb0160, int 1, unsigned int * 0x001289c8) line 1064
+ 30 bytes
XPCConvert::NativeData2JS(XPCCallContext & {...}, long * 0x001287f0, const void
* 0x00128898, const nsXPTType & {...}, const nsID * 0x0012890c, JSObject *
0x02eb0160, unsigned int * 0x001289c8) line 468 + 51 bytes
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode
CALL_METHOD) line 2194 + 50 bytes
XPC_WN_CallMethod(JSContext * 0x02863860, JSObject * 0x02eb0160, unsigned int 1,
long * 0x0329b0e0, long * 0x00128b58) line 1348 + 14 bytes
js_Invoke(JSContext * 0x02863860, unsigned int 1, unsigned int 0) line 1178 + 23
bytes
js_Interpret(JSContext * 0x02863860, unsigned char * 0x029fbe0c, long *
0x0012960c) line 3468 + 15 bytes
js_Invoke(JSContext * 0x02863860, unsigned int 1, unsigned int 0) line 1198 + 19
bytes
js_Interpret(JSContext * 0x02863860, unsigned char * 0x03119b77, long *
0x0012a070) line 3468 + 15 bytes
js_Invoke(JSContext * 0x02863860, unsigned int 1, unsigned int 2) line 1198 + 19
bytes
js_InternalInvoke(JSContext * 0x02863860, JSObject * 0x02a17fe0, long 44138488,
unsigned int 0, unsigned int 1, long * 0x0012a25c, long * 0x0012a258) line 1275
+ 20 bytes
JS_CallFunctionValue(JSContext * 0x02863860, JSObject * 0x02a17fe0, long
44138488, unsigned int 1, long * 0x0012a25c, long * 0x0012a258) line 3858 + 31 bytes
nsJSContext::CallEventHandler(JSObject * 0x02a17fe0, JSObject * 0x02a17ff8,
unsigned int 1, long * 0x0012a25c, long * 0x0012a258) line 1386 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x03118840, nsIDOMEvent
* 0x030fd550) line 175 + 51 bytes
nsXBLPrototypeHandler::ExecuteHandler(nsIDOMEventReceiver * 0x030fd0d8,
nsIDOMEvent * 0x030fd550) line 500
nsXBLWindowHandler::WalkHandlersInternal(nsIDOMEvent * 0x030fd550, nsIAtom *
0x00f54ea8, nsXBLPrototypeHandler * 0x0318ab00) line 304 + 24 bytes
nsXBLWindowKeyHandler::WalkHandlers(nsXBLWindowKeyHandler * const 0x02b952e0,
nsIDOMEvent * 0x030fd550, nsIAtom * 0x00f54ea8) line 197
nsXBLWindowKeyHandler::KeyPress(nsXBLWindowKeyHandler * const 0x02b952e0,
nsIDOMEvent * 0x030fd550) line 250
DispatchToInterface(nsIDOMEvent * 0x030fd550, nsIDOMEventListener * 0x02b952e0,
unsigned int (nsIDOMEvent *)* 0x020c31c0 `vcall'(nsIDOMEvent *), const nsID &
{...}, int * 0x0012abb8) line 136 + 11 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x02b66958,
nsPresContext * 0x03161038, nsEvent * 0x0012f114, nsIDOMEvent * * 0x0012e8f8,
nsIDOMEventTarget * 0x02881808, unsigned int 514, nsEventStatus * 0x0012ef10)
line 1662 + 35 bytes
nsXULDocument::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent * 0x0012f114,
nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus * 0x0012ef10) line 1239
nsXULElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent * 0x0012f114,
nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus * 0x0012ef10) line
2216 + 63 bytes
nsXULElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent * 0x0012f114,
nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus * 0x0012ef10) line
2210 + 57 bytes
nsXULElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent * 0x0012f114,
nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus * 0x0012ef10) line
2210 + 57 bytes
nsXULElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent * 0x0012f114,
nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus * 0x0012ef10) line
2210 + 57 bytes
nsXULElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent * 0x0012f114,
nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus * 0x0012ef10) line
2210 + 57 bytes
nsXULElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent * 0x0012f114,
nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus * 0x0012ef10) line
2210 + 57 bytes
nsXULElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent * 0x0012f114,
nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus * 0x0012ef10) line
2210 + 57 bytes
nsXULElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent * 0x0012f114,
nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus * 0x0012ef10) line
2210 + 57 bytes
nsXULElement::HandleChromeEvent(nsXULElement * const 0x0295b754, nsPresContext *
0x03161038, nsEvent * 0x0012f114, nsIDOMEvent * * 0x0012e8f8, unsigned int 514,
nsEventStatus * 0x0012ef10) line 2868 + 35 bytes
nsGlobalWindow::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent * 0x0012f114,
nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus * 0x0012ef10) line 946
nsDocument::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent * 0x0012f114,
nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus * 0x0012ef10) line 3974
nsGenericElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent *
0x0012f114, nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus *
0x0012ef10) line 2157 + 46 bytes
nsGenericElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent *
0x0012f114, nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus *
0x0012ef10) line 2149 + 57 bytes
nsGenericElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent *
0x0012f114, nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus *
0x0012ef10) line 2149 + 57 bytes
nsGenericElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent *
0x0012f114, nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus *
0x0012ef10) line 2149 + 57 bytes
nsHTMLFormElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent *
0x0012f114, nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus *
0x0012ef10) line 690 + 28 bytes
nsGenericElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent *
0x0012f114, nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus *
0x0012ef10) line 2149 + 57 bytes
nsGenericElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent *
0x0012f114, nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus *
0x0012ef10) line 2149 + 57 bytes
nsGenericElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent *
0x0012f114, nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus *
0x0012ef10) line 2149 + 57 bytes
nsGenericElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent *
0x0012f114, nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus *
0x0012ef10) line 2149 + 57 bytes
nsGenericElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent *
0x0012f114, nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus *
0x0012ef10) line 2149 + 57 bytes
nsGenericElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent *
0x0012f114, nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus *
0x0012ef10) line 2149 + 57 bytes
nsGenericElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent *
0x0012f114, nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus *
0x0012ef10) line 2149 + 57 bytes
nsGenericElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent *
0x0012f114, nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus *
0x0012ef10) line 2149 + 57 bytes
nsGenericElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent *
0x0012f114, nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus *
0x0012ef10) line 2149 + 57 bytes
nsGenericElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent *
0x0012f114, nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus *
0x0012ef10) line 2149 + 57 bytes
nsGenericElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent *
0x0012f114, nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus *
0x0012ef10) line 2149 + 57 bytes
nsGenericElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent *
0x0012f114, nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus *
0x0012ef10) line 2149 + 57 bytes
nsGenericElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent *
0x0012f114, nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus *
0x0012ef10) line 2149 + 57 bytes
nsGenericElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent *
0x0012f114, nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus *
0x0012ef10) line 2149 + 57 bytes
nsGenericElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent *
0x0012f114, nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus *
0x0012ef10) line 2149 + 57 bytes
nsGenericElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent *
0x0012f114, nsIDOMEvent * * 0x0012e8f8, unsigned int 514, nsEventStatus *
0x0012ef10) line 2149 + 57 bytes
nsGenericElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent *
0x0012f114, nsIDOMEvent * * 0x0012e8f8, unsigned int 519, nsEventStatus *
0x0012ef10) line 2149 + 57 bytes
nsHTMLInputElement::HandleDOMEvent(nsPresContext * 0x03161038, nsEvent *
0x0012f114, nsIDOMEvent * * 0x00000000, unsigned int 513, nsEventStatus *
0x0012ef10) line 1380 + 31 bytes
PresShell::HandleEventInternal(nsEvent * 0x0012f114, nsIView * 0x031466a0,
unsigned int 1, nsEventStatus * 0x0012ef10) line 6349 + 61 bytes
PresShell::HandleEvent(PresShell * const 0x0323a574, nsIView * 0x031466a0,
nsGUIEvent * 0x0012f114, nsEventStatus * 0x0012ef10, int 1, int & 1) line 6167 +
25 bytes
nsViewManager::HandleEvent(nsView * 0x031466a0, nsGUIEvent * 0x0012f114, int 0)
line 2457
nsViewManager::DispatchEvent(nsViewManager * const 0x0324e280, nsGUIEvent *
0x0012f114, nsEventStatus * 0x0012f064) line 2224 + 20 bytes
HandleEvent(nsGUIEvent * 0x0012f114) line 174
nsWindow::DispatchEvent(nsWindow * const 0x03286a54, nsGUIEvent * 0x0012f114,
nsEventStatus & nsEventStatus_eIgnore) line 1180 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f114) line 1201
nsWindow::DispatchKeyEvent(unsigned int 131, unsigned short 104, unsigned int 0,
long 0, unsigned int 0) line 3491 + 15 bytes
nsWindow::OnChar(unsigned int 0, unsigned int 0) line 3736 + 31 bytes
nsWindow::OnKeyDown(unsigned int 72, unsigned int 35, long 2293761) line 3583 +
16 bytes
nsWindow::ProcessMessage(unsigned int 256, unsigned int 72, long 2293761, long *
0x0012f6b0) line 4490 + 38 bytes
nsWindow::WindowProc(HWND__ * 0x00c306b4, unsigned int 256, unsigned int 72,
long 2293761) line 1472 + 27 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d489cd()
USER32! 77d48a10()
nsAppShell::Run(nsAppShell * const 0x00fb8f20) line 135
nsAppStartup::Run(nsAppStartup * const 0x01003d50) line 145
XRE_main(int 1, char * * 0x003e8500, const nsXREAppData * 0x0041f01c kAppData)
line 2059 + 35 bytes
main(int 1, char * * 0x003e8500) line 61 + 18 bytes
mainCRTStartup() line 338 + 17 bytes
This makes us pass fp->argv[-2] instead of fp->fun->object to checkAccess()
since the latter is likely null now (since bug 294795 was fixed). fp->argv[-2]
seems like the more correct object to pass here regardless, though. This also
fixes the thunrerbird tinderbox orange.
Attachment #185239 - Flags: superreview?(brendan)
Attachment #185239 - Flags: review?(shaver)
I went ahead and checked this in to get the Thunderbird tinderbox to be less
orange. Please review after the fact and I'll happily back this out if this
isn't the right fix.
Comment on attachment 185239 [details] [diff] [review]
Pass fp->argv[-2] instead of fp->fun->object to checkAccess()

r+a=me, thanks for fixing this jst!

/be
Attachment #185239 - Flags: superreview?(brendan)
Attachment #185239 - Flags: superreview+
Attachment #185239 - Flags: review?(shaver)
Attachment #185239 - Flags: review+
Attachment #185239 - Flags: approval1.8b3+
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050602
Firefox/1.0+ ID:2005060223

confirmed fixed

No crash anymore
Fixed.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
For the record, this was caused by bug 294795.
Depends on: 294795
Flags: blocking1.7.9+
Flags: blocking-aviary1.0.5+
Keywords: regression
Whiteboard: needed anywhere we take 294795
Attachment #185239 - Flags: approval1.7.9?
Attachment #185239 - Flags: approval-aviary1.0.5?
moving back to nominated status, pending bug 289940 decision.
Flags: blocking1.7.9?
Flags: blocking1.7.9+
Flags: blocking-aviary1.0.5?
Flags: blocking-aviary1.0.5+
Oops, wrong bug.
Flags: blocking1.7.9?
Flags: blocking1.7.9+
Flags: blocking-aviary1.0.5?
Flags: blocking-aviary1.0.5+
Comment on attachment 185239 [details] [diff] [review]
Pass fp->argv[-2] instead of fp->fun->object to checkAccess()

a=dveditz for branches
Attachment #185239 - Flags: approval1.7.9?
Attachment #185239 - Flags: approval1.7.9+
Attachment #185239 - Flags: approval-aviary1.0.5?
Attachment #185239 - Flags: approval-aviary1.0.5+
jst:  Let's get this checked in on the branches (since bug 294795 is already
in). Thanks.
Whiteboard: needed anywhere we take 294795 → needed anywhere we take 294795, need branch landing
Fix landed on both branches now.
Keywords: fixed-aviary1.0.5, fixed1.7.9
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: