Closed Bug 382133 Opened 17 years ago Closed 17 years ago

"(function(){}).apply.ee = <foo/>;" causes shutdown crash [@ nsXPConnect::Unlink] during nsCycleCollector::CollectWhite

Categories: Core :: XPCOM
Platform: x86 macOS
Type: defect
Priority: Not set
Severity: critical

RESOLVED FIXED

People

(Reporter: jruderman, Assigned: peterv)

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical] post 1.8-branch)

Attachments: 2 files, 1 obsolete file

Steps to reproduce:
1. Load the testcase.
2. Cmd+Q.

Result: Firefox crashes during shutdown.  Sometimes it's EXC_BAD_INSTRUCTION but usually it looks exactly like this:


Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x80000001

Thread 0 Crashed:
0   <<00000000>> 	0x80000001 0 + -2147483647
1   nsXPConnect::Unlink(void*) + 55 (nsXPConnect.cpp:619)
2   nsCycleCollector::CollectWhite(GCGraph&) + 518 (nsCycleCollector.cpp:1360)
3   nsCycleCollector::Collect(unsigned) + 392 (nsCycleCollector.cpp:2005)
4   nsCycleCollector::Shutdown() + 49 (nsCycleCollector.cpp:2051)
5   nsCycleCollector_shutdown() + 40 (nsCycleCollector.cpp:2207)
6   NS_ShutdownXPCOM_P + 857 (nsXPComInit.cpp:780)
7   ScopedXPCOMStartup::~ScopedXPCOMStartup [in-charge]() + 57 (nsAppRunner.cpp:794)
8   XRE_main + 5992 (nsAppRunner.cpp:2856)
9   main + 40 (nsBrowserApp.cpp:70)
10  _start + 216
11  start + 41
Flags: blocking1.9?
Steps to reproduce:
1. Download the testcase.
2. Launch a debug build of Firefox (from the command line).
3. Drag the testcase into it from Finder or the Desktop.
4. Cmd+Q Firefox.

Result: crash.

I swear it wasn't so fragile before I made the reduced testcase ;)
Whiteboard: [sg:critical]
Attached patch v1 (obsolete)
Haven't been able to reproduce this yet. Any chance you could try this patch?
Comment on attachment 266447 [details] [diff] [review]
v1

Any reason to move GCTypeToTraceKindMap up?

/be
Yep, that fixes the crash :)
Assignee: nobody → peterv
Flags: blocking1.9? → blocking1.9+
In comment 4, I meant "Yep, the patch in comment 2 fixes the crash".  It was not in response to comment 3.
Attached patch v1.1
Attachment #266447 - Attachment is obsolete: true
Attachment #266873 - Flags: superreview?(jst), review?(jst)
Attachment #266873 - Flags: superreview?(jst) → superreview+
Attachment #266873 - Flags: review?(jst) → review+
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-
Whiteboard: [sg:critical] → [sg:critical] post 1.8-branch
Group: security
Flags: in-testsuite?
Testcase checked in as a crashtest.
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsXPConnect::Unlink]