Closed Bug 315304 Opened 19 years ago Closed 19 years ago

Crash [@ XPCNativeSet::FindMember]

Categories

(Core Graveyard :: Installer: XPInstall Engine, defect)

1.8 Branch
x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bc, Assigned: dveditz)

References

()

Details

(4 keywords, Whiteboard: [sg:critical?])

Crash Data

Attachments

(1 file, 1 obsolete file)

Crash in testcase from bug 290162 Firefox 1.5/20051105/winxp. Marking sensitive just in case.

+ this 0xfdfdfdfd
name 0x00f8d86c
+ pMember 0x0012ded4
+ pInterfaceIndex 0x0012deb2 ".????ø?????????s????ø????????????ø??ñ????°"
i 0x003f4c50
count 0x0012de98
+ iface 0x3001f8e6

XPCNativeSet::FindMember(long 0x00f8d86c, XPCNativeMember * * 0x0012ded4, unsigned short * 0x0012deb2) line 390 + 5 bytes
XPCNativeSet::FindMember(long 0x00f8d86c, XPCNativeMember * * 0x0012ded4, XPCNativeInterface * * 0x0012ded8) line 428 + 20 bytes
XPCNativeSet::FindMember(long 0x00f8d86c, XPCNativeMember * * 0x0012e008, XPCNativeInterface * * 0x0012e004, XPCNativeSet * 0x03d362b8, int * 0x0012e010) line 445 + 20 bytes
XPCCallContext::SetName(long 0x00f8d86c) line 194 + 85 bytes
XPCCallContext::XPCCallContext(XPCContext::LangType LANG_JS, JSContext * 0x032ef7a8, JSObject * 0x03c34c30, JSObject * 0x00000000, long 0x00f8d86c, unsigned int 0xffffffff, long * 0x00000000, long * 0x00000000) line 161
XPC_NW_NewResolve(JSContext * 0x032ef7a8, JSObject * 0x012e84b8, long 0x00f8d86c, unsigned int 0x00000005, JSObject * * 0x0012e0d8) line 731
js_LookupPropertyWithFlags(JSContext * 0x032ef7a8, JSObject * 0x012e84b8, long 0x011a0aa0, unsigned int 0x00000005, JSObject * * 0x0012e1a4, JSProperty * * 0x0012e194) line 2675 + 78 bytes
js_LookupProperty(JSContext * 0x032ef7a8, JSObject * 0x012e84b8, long 0x011a0aa0, JSObject * * 0x0012e1a4, JSProperty * * 0x0012e194) line 2580 + 27 bytes
js_GetProperty(JSContext * 0x032ef7a8, JSObject * 0x012e84b8, long 0x011a0aa0, long * 0x0012eab0) line 2865 + 25 bytes
js_Interpret(JSContext * 0x032ef7a8, unsigned char * 0x039bd874, long * 0x0012ec64) line 3349 + 1642 bytes
js_Invoke(JSContext * 0x032ef7a8, unsigned int 0x00000001, unsigned int 0x00000002) line 1197 + 19 bytes
nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJSClass * const 0x0394e300, nsXPCWrappedJS * 0x03b83348, unsigned short 0x0003, const nsXPTMethodInfo * 0x0326a838, nsXPTCMiniVariant * 0x0012efb4) line 1369 + 22 bytes
nsXPCWrappedJS::CallMethod(nsXPCWrappedJS * const 0x03b83348, unsigned short 0x0003, const nsXPTMethodInfo * 0x0326a838, nsXPTCMiniVariant * 0x0012efb4) line 462
PrepareAndDispatch(nsXPTCStubBase * 0x03b83348, unsigned int 0x00000003, unsigned int * 0x0012f064, unsigned int * 0x0012f054) line 117 + 31 bytes
SharedStub() line 147
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x03b83510, nsIDOMEvent * 0x03a82c78, nsIDOMEventTarget * 0x03bd8eb8, unsigned int 0x00000000, unsigned int 0x00000002) line 1685 + 20 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x039aadf0, nsPresContext * 0x03e49390, nsEvent * 0x03de9328, nsIDOMEvent * * 0x0012f6f8, nsIDOMEventTarget * 0x03bd8eb8, unsigned int 0x00000002, nsEventStatus * 0x0012f6d8) line 1789
nsXULElement::HandleDOMEvent(nsPresContext * 0x03e49390, nsEvent * 0x03de9328, nsIDOMEvent * * 0x0012f6f8, unsigned int 0x00000002, nsEventStatus * 0x0012f6d8) line 2153
nsXULElement::HandleChromeEvent(nsXULElement * const 0x039aa324, nsPresContext * 0x03e49390, nsEvent * 0x03de9328, nsIDOMEvent * * 0x0012f6f8, unsigned int 0x00000002, nsEventStatus * 0x0012f6d8) line 2833 + 35 bytes
nsGlobalWindow::HandleDOMEvent(nsPresContext * 0x03e49390, nsEvent * 0x03de9328, nsIDOMEvent * * 0x0012f6f8, unsigned int 0x00000002, nsEventStatus * 0x0012f6d8) line 1574
nsDocument::HandleDOMEvent(nsPresContext * 0x03e49390, nsEvent * 0x03de9328, nsIDOMEvent * * 0x0012f6f8, unsigned int 0x00000007, nsEventStatus * 0x0012f6d8) line 4013
nsEventStateManager::DispatchNewEvent(nsEventStateManager * const 0x03deda50, nsISupports * 0x03dd3140, nsIDOMEvent * 0x03a82c78, int * 0x0012f77c) line 4554 + 49 bytes
nsDocument::DispatchEvent(nsDocument * const 0x03dd3170, nsIDOMEvent * 0x03a82c78, int * 0x0012f77c) line 4097 + 72 bytes
nsDocument::SetTitle(nsDocument * const 0x03dd3144, const nsAString_internal & {...}) line 3146
nsHTMLDocument::SetTitle(nsHTMLDocument * const 0x03dd3144, const nsAString_internal & {...}) line 990
HTMLContentSink::DidBuildModel(HTMLContentSink * const 0x03e58c88) line 2154
CNavDTD::DidBuildModel(CNavDTD * const 0x03d3bcb0, unsigned int 0x00000000, int 0x00000001, nsIParser * 0x03e58ac0, nsIContentSink * 0x03e58c88) line 605
nsParser::DidBuildModel(unsigned int 0x00000000) line 1318 + 46 bytes
nsParser::ResumeParse(int 0x00000001, int 0x00000001, int 0x00000001) line 2053
nsParser::ContinueInterruptedParsing(nsParser * const 0x03e58ac0) line 1472 + 19 bytes
nsContentSink::ScriptAvailable(nsContentSink * const 0x03e58c3c, unsigned int 0x80040111, nsIScriptElement * 0x03d1d4e4, int 0x00000000, int 0x00000001, nsIURI * 0x03d1d698, int 0x00000001, const nsAString_internal & {...}) line 249
nsScriptLoaderObserverProxy::ScriptAvailable(nsScriptLoaderObserverProxy * const 0x03e58da0, unsigned int 0x80040111, nsIScriptElement * 0x03d1d4e4, int 0x00000000, int 0x00000001, nsIURI * 0x03d1d698, int 0x00000001, const nsAString_internal & {...}) line 119 + 51 bytes
nsScriptLoader::FireScriptAvailable(unsigned int 0x80040111, nsScriptLoadRequest * 0x03d1d630, const nsString & {...}) line 680
nsScriptLoader::OnStreamComplete(nsScriptLoader * const 0x03d8defc, nsIStreamLoader * 0x03d202a0, nsISupports * 0x03d1d630, unsigned int 0x00000000, unsigned int 0x0000012b, const unsigned char * 0x03e5eb38) line 966
nsStreamLoader::OnStopRequest(nsStreamLoader * const 0x03d202a4, nsIRequest * 0x03d1f948, nsISupports * 0x03d1d630, unsigned int 0x00000000) line 137
nsStreamListenerTee::OnStopRequest(nsStreamListenerTee * const 0x03d82e88, nsIRequest * 0x03d1f948, nsISupports * 0x03d1d630, unsigned int 0x00000000) line 66
nsHttpChannel::OnStopRequest(nsHttpChannel * const 0x03d1f950, nsIRequest * 0x03c7a330, nsISupports * 0x00000000, unsigned int 0x00000000) line 4091
nsInputStreamPump::OnStateStop() line 507
nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const 0x03c7a334, nsIAsyncInputStream * 0x03c7a0f8) line 343 + 11 bytes
nsInputStreamReadyEvent::EventHandler(PLEvent * 0x03ce843c) line 120
PL_HandleEvent(PLEvent * 0x03ce843c) line 688 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00f42ef0) line 623 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x002701d4, unsigned int 0x0000c15f, unsigned int 0x00000000, long 0x00f42ef0) line 1408 + 9 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d489cd()
USER32! 77d48a10()
nsAppShell::Run(nsAppShell * const 0x011fafd0) line 135
nsAppStartup::Run(nsAppStartup * const 0x011faf30) line 150 + 26 bytes
XRE_main(int 0x00000002, char * * 0x003f6ef8, const nsXREAppData * 0x0042201c kAppData) line 2313 + 35 bytes
main(int 0x00000002, char * * 0x003f6ef8) line 61 + 18 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 7c816d4f()
Crashes 1.0.7 as well (1.0.7 stack: TB11542408). Probably a regression caused by the fix for bug 291178. The InstallTrigger call goes through and that entire script runs. It's crashing later in a call to the nsIWebProgressListener -- no doubt we've molested the document object passed to call(). 0xfd is used by the windows debug malloc to mark "no man's land" around the allocated data. We've clearly corrupted memory.
Assignee: xpi-engine → dveditz
Flags: blocking1.8rc2?
Flags: blocking1.7.13?
Flags: blocking-aviary1.0.8?
Attachment #202101 - Flags: superreview?(brendan)
Attachment #202101 - Flags: review?(dougt)
Attachment #202101 - Flags: approval1.8rc2?
Pete: if you want to review this instead of dougt that'd be great. This fixes a regression from your patch for bug 291178 (itself a regression fix).
Status: NEW → ASSIGNED
Whiteboard: [sg:critical?]
Dan, what is the user impact of this bug?
Comment on attachment 202101
Don't stomp on foreign objects passed through .call()

I have asked dan to simply add a comment explaining why we need getTriggerNative:
(10:31:12) dveditz: GetInstancePrivate is a helper function that does something like jsInstanceof(), and if it passes then calls getprivate
(10:31:55) dveditz: the problem is that we need to know the difference between an object of the correct type with no private created yet, and one of the wrong type
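Added example, not code from the bug's patch or from Mozilla: a small C model of the distinction dveditz describes above. The object, class and function names are hypothetical stand-ins for the JSAPI; the point is that the class check runs before the private slot is read, so a NULL private on a correct-class object (not created yet) can be told apart from a foreign object, such as a document, handed in as `this` through .call().

```c
#include <stddef.h>

/* Constructed model of a JS object with a class tag and a private slot.
   Hypothetical names; this is not SpiderMonkey's real JSAPI. */
typedef struct JSClassModel { const char *name; } JSClassModel;
typedef struct JSObjectModel {
    const JSClassModel *clasp;
    void *priv;              /* native object owned by this wrapper, or NULL */
} JSObjectModel;

typedef struct TriggerNative { int install_count; } TriggerNative;

static const JSClassModel kTriggerClass  = { "InstallTrigger" };
static const JSClassModel kDocumentClass = { "HTMLDocument" };

/* Pre-fix pattern: trusts |this|. A NULL private on a foreign object is
   mistaken for "not created yet", so the foreign object's private slot is
   stomped. Returns 1 on (apparent) success. */
static int unsafe_install(JSObjectModel *self, TriggerNative *fresh) {
    TriggerNative *t = (TriggerNative *)self->priv;
    if (t == NULL) { self->priv = fresh; t = fresh; }
    t->install_count++;
    return 1;
}

/* Helper in the spirit of the getTriggerNative the comment describes:
   check the class first, so the caller can tell "wrong type" (returns 0)
   from "right type, no private yet" (returns 1 with *out == NULL). */
static int get_trigger_native(const JSObjectModel *obj, TriggerNative **out) {
    *out = NULL;
    if (obj == NULL || obj->clasp != &kTriggerClass)
        return 0;
    *out = (TriggerNative *)obj->priv;
    return 1;
}

/* Fixed pattern: refuse a foreign |this| before touching any private data. */
static int safe_install(JSObjectModel *self, TriggerNative *fresh) {
    TriggerNative *t;
    if (!get_trigger_native(self, &t))
        return 0;                /* wrong class: report an error, write nothing */
    if (t == NULL) { self->priv = fresh; t = fresh; }   /* lazily create */
    t->install_count++;
    return 1;
}
```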
Attachment #202101 - Flags: review?(dougt) → review+
Comment on attachment 202101
Don't stomp on foreign objects passed through .call()

sr=me. /be
Attachment #202101 - Flags: superreview?(brendan) → superreview+
Attachment #202101 - Attachment is obsolete: true
Attachment #202123 - Flags: superreview?(brendan)
Attachment #202123 - Flags: review+
Attachment #202123 - Flags: approval1.8rc2?
Attachment #202101 - Flags: approval1.8rc2?
Comment on attachment 202123
with comment changes dougt requested

carrying over reviews. Note I also removed comment about "stomping" on anything lest it provide clues to any bonsai readers.
Attachment #202123 - Flags: superreview?(brendan) → superreview+
Comment on attachment 202123
with comment changes dougt requested

Per meeting this am taking this for respin since it is reproduced with a public testcase
Attachment #202123 - Flags: approval1.8rc2? → approval1.8rc2+
Fix checked into trunk and 1.8 branch
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8
Resolution: --- → FIXED
verified with the 2005-11-07-12-mozilla1.8 respin on Windows XP
Keywords: fixed1.8verified1.8
(In reply to comment #11) ditto.
flag pixie dust
Flags: blocking1.8rc2? → blocking1.8rc2+
Flags: blocking1.7.13?
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8+
Flags: testcase+
verified fixed using Mozilla 1.7.13 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060216. No crash with either testcase cited in the bug.

verified fixed using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060216 Firefox/1.0.8. No crash with either testcase cited in the bug. Adding relevant keywords.
Group: security
Flags: in-testsuite+ → in-testsuite?
Crash Signature: [@ XPCNativeSet::FindMember]
Product: Core → Core Graveyard