Last Comment Bug 315304 - Crash [@ XPCNativeSet::FindMember]
: Crash [@ XPCNativeSet::FindMember]
Status: RESOLVED FIXED
[sg:critical?]
: crash, regression, verified1.7.13, verified1.8
Product: Core Graveyard
Classification: Graveyard
Component: Installer: XPInstall Engine (show other bugs)
: 1.8 Branch
: x86 Windows XP
: -- normal (vote)
: ---
Assigned To: Daniel Veditz [:dveditz]
:
:
Mentors:
https://bugzilla.mozilla.org/attachme...
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2005-11-06 12:26 PST by Bob Clary [:bc:]
Modified: 2015-12-11 07:21 PST (History)
1 user (show)
dveditz: blocking1.7.13+
dveditz: blocking‑aviary1.0.8+
mscott: blocking1.8rc2+
bob: in‑testsuite?
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
Don't stomp on foreign objects passed through .call() (6.91 KB, patch)
2005-11-07 08:32 PST, Daniel Veditz [:dveditz]
doug.turner: review+
brendan: superreview+
Details | Diff | Splinter Review
with comment changes dougt requested (6.99 KB, patch)
2005-11-07 11:14 PST, Daniel Veditz [:dveditz]
dveditz: review+
dveditz: superreview+
mtschrep: approval1.8rc2+
Details | Diff | Splinter Review

Description Bob Clary [:bc:] 2005-11-06 12:26:05 PST
Crash in testcase from bug 290162 Firefox 1.5/20051105/winxp. Marking sensitive just in case.

+	this	0xfdfdfdfd
	name	0x00f8d86c
+	pMember	0x0012ded4
+	pInterfaceIndex	0x0012deb2 ".????ø?????????s????ø????????????ø??ñ????°"
	i	0x003f4c50
	count	0x0012de98
+	iface	0x3001f8e6


XPCNativeSet::FindMember(long 0x00f8d86c, XPCNativeMember * * 0x0012ded4, unsigned short * 0x0012deb2) line 390 + 5 bytes
XPCNativeSet::FindMember(long 0x00f8d86c, XPCNativeMember * * 0x0012ded4, XPCNativeInterface * * 0x0012ded8) line 428 + 20 bytes
XPCNativeSet::FindMember(long 0x00f8d86c, XPCNativeMember * * 0x0012e008, XPCNativeInterface * * 0x0012e004, XPCNativeSet * 0x03d362b8, int * 0x0012e010) line 445 + 20 bytes
XPCCallContext::SetName(long 0x00f8d86c) line 194 + 85 bytes
XPCCallContext::XPCCallContext(XPCContext::LangType LANG_JS, JSContext * 0x032ef7a8, JSObject * 0x03c34c30, JSObject * 0x00000000, long 0x00f8d86c, unsigned int 0xffffffff, long * 0x00000000, long * 0x00000000) line 161
XPC_NW_NewResolve(JSContext * 0x032ef7a8, JSObject * 0x012e84b8, long 0x00f8d86c, unsigned int 0x00000005, JSObject * * 0x0012e0d8) line 731
js_LookupPropertyWithFlags(JSContext * 0x032ef7a8, JSObject * 0x012e84b8, long 0x011a0aa0, unsigned int 0x00000005, JSObject * * 0x0012e1a4, JSProperty * * 0x0012e194) line 2675 + 78 bytes
js_LookupProperty(JSContext * 0x032ef7a8, JSObject * 0x012e84b8, long 0x011a0aa0, JSObject * * 0x0012e1a4, JSProperty * * 0x0012e194) line 2580 + 27 bytes
js_GetProperty(JSContext * 0x032ef7a8, JSObject * 0x012e84b8, long 0x011a0aa0, long * 0x0012eab0) line 2865 + 25 bytes
js_Interpret(JSContext * 0x032ef7a8, unsigned char * 0x039bd874, long * 0x0012ec64) line 3349 + 1642 bytes
js_Invoke(JSContext * 0x032ef7a8, unsigned int 0x00000001, unsigned int 0x00000002) line 1197 + 19 bytes
nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJSClass * const 0x0394e300, nsXPCWrappedJS * 0x03b83348, unsigned short 0x0003, const nsXPTMethodInfo * 0x0326a838, nsXPTCMiniVariant * 0x0012efb4) line 1369 + 22 bytes
nsXPCWrappedJS::CallMethod(nsXPCWrappedJS * const 0x03b83348, unsigned short 0x0003, const nsXPTMethodInfo * 0x0326a838, nsXPTCMiniVariant * 0x0012efb4) line 462
PrepareAndDispatch(nsXPTCStubBase * 0x03b83348, unsigned int 0x00000003, unsigned int * 0x0012f064, unsigned int * 0x0012f054) line 117 + 31 bytes
SharedStub() line 147
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x03b83510, nsIDOMEvent * 0x03a82c78, nsIDOMEventTarget * 0x03bd8eb8, unsigned int 0x00000000, unsigned int 0x00000002) line 1685 + 20 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x039aadf0, nsPresContext * 0x03e49390, nsEvent * 0x03de9328, nsIDOMEvent * * 0x0012f6f8, nsIDOMEventTarget * 0x03bd8eb8, unsigned int 0x00000002, nsEventStatus * 0x0012f6d8) line 1789
nsXULElement::HandleDOMEvent(nsPresContext * 0x03e49390, nsEvent * 0x03de9328, nsIDOMEvent * * 0x0012f6f8, unsigned int 0x00000002, nsEventStatus * 0x0012f6d8) line 2153
nsXULElement::HandleChromeEvent(nsXULElement * const 0x039aa324, nsPresContext * 0x03e49390, nsEvent * 0x03de9328, nsIDOMEvent * * 0x0012f6f8, unsigned int 0x00000002, nsEventStatus * 0x0012f6d8) line 2833 + 35 bytes
nsGlobalWindow::HandleDOMEvent(nsPresContext * 0x03e49390, nsEvent * 0x03de9328, nsIDOMEvent * * 0x0012f6f8, unsigned int 0x00000002, nsEventStatus * 0x0012f6d8) line 1574
nsDocument::HandleDOMEvent(nsPresContext * 0x03e49390, nsEvent * 0x03de9328, nsIDOMEvent * * 0x0012f6f8, unsigned int 0x00000007, nsEventStatus * 0x0012f6d8) line 4013
nsEventStateManager::DispatchNewEvent(nsEventStateManager * const 0x03deda50, nsISupports * 0x03dd3140, nsIDOMEvent * 0x03a82c78, int * 0x0012f77c) line 4554 + 49 bytes
nsDocument::DispatchEvent(nsDocument * const 0x03dd3170, nsIDOMEvent * 0x03a82c78, int * 0x0012f77c) line 4097 + 72 bytes
nsDocument::SetTitle(nsDocument * const 0x03dd3144, const nsAString_internal & {...}) line 3146
nsHTMLDocument::SetTitle(nsHTMLDocument * const 0x03dd3144, const nsAString_internal & {...}) line 990
HTMLContentSink::DidBuildModel(HTMLContentSink * const 0x03e58c88) line 2154
CNavDTD::DidBuildModel(CNavDTD * const 0x03d3bcb0, unsigned int 0x00000000, int 0x00000001, nsIParser * 0x03e58ac0, nsIContentSink * 0x03e58c88) line 605
nsParser::DidBuildModel(unsigned int 0x00000000) line 1318 + 46 bytes
nsParser::ResumeParse(int 0x00000001, int 0x00000001, int 0x00000001) line 2053
nsParser::ContinueInterruptedParsing(nsParser * const 0x03e58ac0) line 1472 + 19 bytes
nsContentSink::ScriptAvailable(nsContentSink * const 0x03e58c3c, unsigned int 0x80040111, nsIScriptElement * 0x03d1d4e4, int 0x00000000, int 0x00000001, nsIURI * 0x03d1d698, int 0x00000001, const nsAString_internal & {...}) line 249
nsScriptLoaderObserverProxy::ScriptAvailable(nsScriptLoaderObserverProxy * const 0x03e58da0, unsigned int 0x80040111, nsIScriptElement * 0x03d1d4e4, int 0x00000000, int 0x00000001, nsIURI * 0x03d1d698, int 0x00000001, const nsAString_internal & {...}) line 119 + 51 bytes
nsScriptLoader::FireScriptAvailable(unsigned int 0x80040111, nsScriptLoadRequest * 0x03d1d630, const nsString & {...}) line 680
nsScriptLoader::OnStreamComplete(nsScriptLoader * const 0x03d8defc, nsIStreamLoader * 0x03d202a0, nsISupports * 0x03d1d630, unsigned int 0x00000000, unsigned int 0x0000012b, const unsigned char * 0x03e5eb38) line 966
nsStreamLoader::OnStopRequest(nsStreamLoader * const 0x03d202a4, nsIRequest * 0x03d1f948, nsISupports * 0x03d1d630, unsigned int 0x00000000) line 137
nsStreamListenerTee::OnStopRequest(nsStreamListenerTee * const 0x03d82e88, nsIRequest * 0x03d1f948, nsISupports * 0x03d1d630, unsigned int 0x00000000) line 66
nsHttpChannel::OnStopRequest(nsHttpChannel * const 0x03d1f950, nsIRequest * 0x03c7a330, nsISupports * 0x00000000, unsigned int 0x00000000) line 4091
nsInputStreamPump::OnStateStop() line 507
nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const 0x03c7a334, nsIAsyncInputStream * 0x03c7a0f8) line 343 + 11 bytes
nsInputStreamReadyEvent::EventHandler(PLEvent * 0x03ce843c) line 120
PL_HandleEvent(PLEvent * 0x03ce843c) line 688 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00f42ef0) line 623 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x002701d4, unsigned int 0x0000c15f, unsigned int 0x00000000, long 0x00f42ef0) line 1408 + 9 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d489cd()
USER32! 77d48a10()
nsAppShell::Run(nsAppShell * const 0x011fafd0) line 135
nsAppStartup::Run(nsAppStartup * const 0x011faf30) line 150 + 26 bytes
XRE_main(int 0x00000002, char * * 0x003f6ef8, const nsXREAppData * 0x0042201c kAppData) line 2313 + 35 bytes
main(int 0x00000002, char * * 0x003f6ef8) line 61 + 18 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 7c816d4f()
Comment 1 Daniel Veditz [:dveditz] 2005-11-06 23:29:00 PST
Crashes 1.0.7 as well (1.0.7 stack: TB11542408). Probably a regression caused by the fix for bug 291178.

The InstallTrigger call goes through and that entire script runs. It's crashing later in a call to the nsIWebProgressListener -- no doubt we've molested the document object passed to call(). 0xfd is used by the windows debug malloc to mark "no man's land" around the allocated data. We've clearly corrupted memory.
Comment 2 Daniel Veditz [:dveditz] 2005-11-07 08:32:13 PST
Created attachment 202101 [details] [diff] [review]
Don't stomp on foreign objects passed through .call()
Comment 3 Daniel Veditz [:dveditz] 2005-11-07 09:06:17 PST
Pete: if you want to review this instead of dougt that'd be great. This fixes a regression from your patch for bug 291178 (itself a regression fix).
Comment 4 Asa Dotzler [:asa] 2005-11-07 09:55:21 PST
Dan, what is the user impact of this bug?
Comment 5 Doug Turner (:dougt) 2005-11-07 10:35:52 PST
Comment on attachment 202101 [details] [diff] [review]
Don't stomp on foreign objects passed through .call()

I have asked dan to simply add a comment explaining why we need getTriggerNative:
(10:31:12) dveditz: GetInstancePrivate is a helper function that does something like jsInstanceof(), and if it passes then calls getprivate
            10:31
(10:31:55) dveditz: the problem is that we need to know the difference between an object of the correct type with no private created yet, and one of the wrong type
Comment 6 Brendan Eich [:brendan] 2005-11-07 11:13:20 PST
Comment on attachment 202101 [details] [diff] [review]
Don't stomp on foreign objects passed through .call()

sr=me.

/be
Comment 7 Daniel Veditz [:dveditz] 2005-11-07 11:14:09 PST
Created attachment 202123 [details] [diff] [review]
with comment changes dougt requested
Comment 8 Daniel Veditz [:dveditz] 2005-11-07 11:15:19 PST
Comment on attachment 202123 [details] [diff] [review]
with comment changes dougt requested

carrying over reviews. Note I also removed comment about "stomping" on anything lest it provide clues to any bonsai readers.
Comment 9 Mike Schroepfer 2005-11-07 11:48:34 PST
Comment on attachment 202123 [details] [diff] [review]
with comment changes dougt requested

Per meeting this am taking this for respin since it is reproduced with a public testcase
Comment 10 Daniel Veditz [:dveditz] 2005-11-07 12:00:32 PST
Fix checked into trunk and 1.8 branch
Comment 11 Tracy Walker [:tracy] 2005-11-07 13:39:25 PST
verified with the 2005-11-07-12-mozilla1.8 respin on Windows XP
Comment 12 Bob Clary [:bc:] 2005-11-07 13:44:09 PST
(In reply to comment #11)
ditto.
Comment 13 Scott MacGregor 2005-11-07 18:22:56 PST
flag pixie dust
Comment 14 Marcia Knous [:marcia - use ni] 2006-02-16 11:03:24 PST
verified fixed using Mozilla 1.7.13 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060216. No crash with either testcase cited in the bug.

verified fixed using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060216 Firefox/1.0.8. No crash with either testcase cited in the bug. Adding relevant keywords.

Note You need to log in before you can comment on or make changes to this bug.