358755 - crash [@ nsDOMClassInfo::PreCreate] when going back

Status: RESOLVED FIXED

(Core :: DOM: Core & HTML, defect)

Description

[Henrik Gemal]

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20061029 Minefield/3.0a1 ID:2006102904 [cairo]

When I go back I'm crashing
TB25254823Q
TB25254766W
TB25254487Z

nsDOMClassInfo::PreCreate  [mozilla\dom\src\base\nsdomclassinfo.cpp, line 3310]
XPCWrappedNative::GetNewOrUsed  [mozilla\js\src\xpconnect\src\xpcwrappednative.cpp, line 320]
XPCConvert::NativeInterface2JSObject  [mozilla\js\src\xpconnect\src\xpcconvert.cpp, line 1098]
XPCConvert::NativeData2JS  [mozilla\js\src\xpconnect\src\xpcconvert.cpp, line 474]
XPCWrappedNative::CallMethod  [mozilla\js\src\xpconnect\src\xpcwrappednative.cpp, line 2252]

Comment 1

[Alex Vincent [:WeirdAl]]

WFM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20061026 SeaMonkey/1.5a - maybe something checked in over the weekend?

Comment 2

[Adam Guthrie]

What site(s) does this occur on?

Comment 3

[Adam Guthrie]

This looks like it could be fallout from bug 355161. Henrik, are you using any extensions that might be provoking this?

Comment 4

[Adam Guthrie]

*** Bug 360855 has been marked as a duplicate of this bug. ***

Comment 5

[Boris Zbarsky [:bzbarsky]]

Actually, this is probably indeed fallout from bug 355161.  The line those talkbacks are crashing on is:

 3309    *parentObj = ((nsGlobalWindow *)piwin.get())->
 3310                   GetCurrentInnerWindowInternal()->GetGlobalJSObject();

The change in bug 355161 made it so the outer window is frozen until we get an explicit inner, so this code in nsWindowSH::NewResolve:

 5968 if ((!innerWin || !innerWin->GetExtantDocument()) && !win->IsFrozen()) {

now basically never tests true.  So you get crashes, a la bug 348990 and bug 323641.  I bet the steps in those bugs will reproduce this nicely.

Comment 6

[Johnny Stenback (:jst)]

Attachment: Untested fix.

This reverts the behavior in the piece of code that bz pointed at to what it was before bug 355161 was fixed. I have yet to see this happen, but this should at least revert this code to work as it used to.

Comment 7

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 245805 [details] [diff] [review]
Untested fix.

Makes sense.

Like I said, bug 323641 and bug 348990 have steps to reproduce (one of them even has a testcase).

Comment 8

[Johnny Stenback (:jst)]

Yeah, but that testcase does *not* show this crash, or at least not here (installed as chrome n' all).

Comment 9

[Johnny Stenback (:jst)]

Fix landed, let's see if the fix really fixed this bug. (Reopen if it didn't).

Comment 10

[Adam Guthrie]

Maybe Wladimir can help us verify this using his steps to reproduce from bug 360855.

Comment 11

[Wladimir Palant]

Tested with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20061117 Minefield/3.0a1
The crash from bug 360855 is fixed. And all the testcases for bug 355161 that I found seem to be fine as well.

Comment 12

[Jay Patel [:jay]]

Comment on attachment 245805 [details] [diff] [review]
Untested fix.

Approved for 1.8.1 branch, a=jay for drivers.

Comment 13

[Johnny Stenback (:jst)]

Fixed on the branch.

Comment 14

[juan becerra [:juanb]]

Verified using steps mentioned in comment #10 (bug 360855) and comment #11 (bug 355161) on: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1pre) Gecko/20061130 BonEcho/2.0.0.1pre