"(function(){}).apply.ee = <foo/>;" causes shutdown crash [@ nsXPConnect::Unlink] during nsCycleCollector::CollectWhite

Status: RESOLVED FIXED
Priority: --
Severity: critical
Reported: 12 years ago
Modified: 8 years ago

People: Reporter: jruderman; Assigned: peterv

Tracking: Blocks 1 bug; Keywords: crash, testcase
Version: Trunk
Platform: x86 Mac OS X
Bug Flags: blocking1.9+, wanted1.8.1.x-, wanted1.8.0.x-, in-testsuite+


Whiteboard: [sg:critical] post 1.8-branch, crash signature

Attachments (2 attachments, 1 obsolete attachment)

Description (Reporter, 12 years ago)
Created attachment 266221 [details]
testcase (causes shutdown crash)

Steps to reproduce:
1. Load the testcase.
2. Cmd+Q.

Result: Firefox crashes during shutdown. Sometimes it's EXC_BAD_INSTRUCTION but usually it looks exactly like this:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x80000001

Thread 0 Crashed:
0   <<00000000>> 	0x80000001 0 + -2147483647
1   nsXPConnect::Unlink(void*) + 55 (nsXPConnect.cpp:619)
2   nsCycleCollector::CollectWhite(GCGraph&) + 518 (nsCycleCollector.cpp:1360)
3   nsCycleCollector::Collect(unsigned) + 392 (nsCycleCollector.cpp:2005)
4   nsCycleCollector::Shutdown() + 49 (nsCycleCollector.cpp:2051)
5   nsCycleCollector_shutdown() + 40 (nsCycleCollector.cpp:2207)
6   NS_ShutdownXPCOM_P + 857 (nsXPComInit.cpp:780)
7   ScopedXPCOMStartup::~ScopedXPCOMStartup [in-charge]() + 57 (nsAppRunner.cpp:794)
8   XRE_main + 5992 (nsAppRunner.cpp:2856)
9   main + 40 (nsBrowserApp.cpp:70)
10  _start + 216
11  start + 41
Flags: blocking1.9?
Comment 1 (Reporter, 12 years ago)
Steps to reproduce:
1. Download the testcase.
2. Launch a debug build of Firefox (from the command line).
3. Drag the testcase into it from Finder or the Desktop.
4. Cmd+Q Firefox.

Result: crash.

I swear it wasn't so fragile before I made the reduced testcase ;)
Updated (Reporter, 12 years ago)
Whiteboard: [sg:critical]
Comment 2 (Assignee, 12 years ago)
Created attachment 266447 [details] [diff] [review]
v1

Haven't been able to reproduce this yet. Any chance you could try this patch?
Comment 3

Comment on attachment 266447 [details] [diff] [review]
v1

Any reason to move GCTypeToTraceKindMap up?

/be
Comment 4 (Reporter, 12 years ago)
Yep, that fixes the crash :)
Assignee: nobody → peterv
Flags: blocking1.9? → blocking1.9+
Comment 5 (Reporter, 12 years ago)
In comment 4, I meant "Yep, the patch in comment 2 fixes the crash". It was not in response to comment 3.
Comment 6 (Assignee, 12 years ago)
Created attachment 266873 [details] [diff] [review]
v1.1
Attachment #266447 - Attachment is obsolete: true
Attachment #266873 - Flags: superreview?(jst)
Attachment #266873 - Flags: review?(jst)
Attachment #266873 - Flags: superreview?(jst)
Attachment #266873 - Flags: superreview+
Attachment #266873 - Flags: review?(jst)
Attachment #266873 - Flags: review+
Updated (Assignee, 12 years ago)
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-
Whiteboard: [sg:critical] → [sg:critical] post 1.8-branch
Group: security
Flags: in-testsuite?
Comment 7 (Reporter, 11 years ago)
Testcase checked in as a crashtest.
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsXPConnect::Unlink]