Closed
Bug 382133
Opened 17 years ago
Closed 17 years ago
"(function(){}).apply.ee = <foo/>;" causes shutdown crash [@ nsXPConnect::Unlink] during nsCycleCollector::CollectWhite
Categories
(Core :: XPCOM, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: peterv)
Details
(Keywords: crash, testcase, Whiteboard: [sg:critical] post 1.8-branch)
Crash Data
Attachments
(2 files, 1 obsolete file)
53 bytes, text/html
1.41 KB, patch (jst: review+, jst: superreview+)
Steps to reproduce:
1. Load the testcase.
2. Cmd+Q.

Result: Firefox crashes during shutdown. Sometimes it's EXC_BAD_INSTRUCTION but usually it looks exactly like this:

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x80000001

Thread 0 Crashed:
0 <<00000000>> 0x80000001 0 + -2147483647
1 nsXPConnect::Unlink(void*) + 55 (nsXPConnect.cpp:619)
2 nsCycleCollector::CollectWhite(GCGraph&) + 518 (nsCycleCollector.cpp:1360)
3 nsCycleCollector::Collect(unsigned) + 392 (nsCycleCollector.cpp:2005)
4 nsCycleCollector::Shutdown() + 49 (nsCycleCollector.cpp:2051)
5 nsCycleCollector_shutdown() + 40 (nsCycleCollector.cpp:2207)
6 NS_ShutdownXPCOM_P + 857 (nsXPComInit.cpp:780)
7 ScopedXPCOMStartup::~ScopedXPCOMStartup [in-charge]() + 57 (nsAppRunner.cpp:794)
8 XRE_main + 5992 (nsAppRunner.cpp:2856)
9 main + 40 (nsBrowserApp.cpp:70)
10 _start + 216
11 start + 41
Flags: blocking1.9?
Reporter
Comment 1•17 years ago
Steps to reproduce:
1. Download the testcase.
2. Launch a debug build of Firefox (from the command line).
3. Drag the testcase into it from Finder or the Desktop.
4. Cmd+Q Firefox.

Result: crash.

I swear it wasn't so fragile before I made the reduced testcase ;)
Reporter
Updated•17 years ago
Whiteboard: [sg:critical]
Assignee
Comment 2•17 years ago
Haven't been able to reproduce this yet. Any chance you could try this patch?
Comment 3•17 years ago
Comment on attachment 266447 v1
Any reason to move GCTypeToTraceKindMap up?
/be
Reporter
Comment 4•17 years ago
Yep, that fixes the crash :)
Updated•17 years ago
Assignee: nobody → peterv
Updated•17 years ago
Flags: blocking1.9? → blocking1.9+
Reporter
Comment 5•17 years ago
In comment 4, I meant "Yep, the patch in comment 2 fixes the crash". It was not in response to comment 3.
Assignee
Comment 6•17 years ago
Attachment #266447 - Attachment is obsolete: true
Attachment #266873 - Flags: superreview?(jst)
Attachment #266873 - Flags: review?(jst)
Updated•17 years ago
Attachment #266873 - Flags: superreview?(jst)
Attachment #266873 - Flags: superreview+
Attachment #266873 - Flags: review?(jst)
Attachment #266873 - Flags: review+
Assignee
Updated•17 years ago
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated•17 years ago
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-
Whiteboard: [sg:critical] → [sg:critical] post 1.8-branch
Updated•17 years ago
Group: security
Flags: in-testsuite?
Reporter
Comment 7•17 years ago
Testcase checked in as a crashtest.
Flags: in-testsuite? → in-testsuite+
Updated•13 years ago
Crash Signature: [@ nsXPConnect::Unlink]