Closed Bug 480975 Opened 16 years ago Closed 16 years ago

Crash [@ nsCOMPtr_base::assign_from_qi] using Ubiquity screengrab verb

Categories

(Core :: XPConnect, defect, P1)

Product:
Core
Component:
XPConnect
Platform:
x86
macOS
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.2a1

People

(Reporter: crowderbt, Assigned: mrbkap)

References

Details

(Keywords: fixed1.9.1, topcrash)

Crash Data

Attachments

(1 file)

Possible fix
3.55 KB, patch
jst
: review+
jst
: superreview+
Details | Diff | Splinter Review
Woops, meant "screengrab", not "screencap". This is 100% reproducible for me.
Summary: Crash (@ nsCOMPtr_base::assign_from_qi) using Ubiquity screencap verb → Crash (@ nsCOMPtr_base::assign_from_qi) using Ubiquity screengrab verb
this isn't a bug in xpcom, it's probably either xpconnect or js 2 XPCNativeWrapper::GetNewOrUsed nsCOMPtr.h:572 3 nsXPConnect::GetWrapperForObject js/src/xpconnect/src/nsXPConnect.cpp:2378 4 XPC_WN_JSOp_ThisObject js/src/xpconnect/src/xpcwrappednativejsops.cpp:1374 5 js_ComputeThis js/src/jsinterp.cpp:860 6 js_Invoke js/src/jsinterp.cpp:1173 7 js_InternalInvoke js/src/jsinterp.cpp:1388 8 js_InternalGetOrSet js/src/jsinterp.cpp:1451 9 js_NativeGet js/src/jsscope.h:360 10 js_GetPropertyHelper js/src/jsobj.cpp:4050 11 js_Interpret js/src/jsinterp.cpp:4294 12 js_Invoke js/src/jsinterp.cpp:1330 13 js_InternalInvoke js/src/jsinterp.cpp:1388 14 js_InternalGetOrSet js/src/jsinterp.cpp:1451 15 js_NativeGet js/src/jsscope.h:360 16 js_Interpret js/src/jsinterp.cpp:5153 17 js_Invoke js/src/jsinterp.cpp:1330 18 nsXPCWrappedJSClass::CallMethod js/src/xpconnect/src/xpcwrappedjsclass.cpp:1608 19 nsXPCWrappedJS::CallMethod js/src/xpconnect/src/xpcwrappedjs.cpp:561 20 PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93 .. 26 nsXULWindow::ShowModal nsWeakReference.h:413 27 nsWindowWatcher::OpenWindowJSInternal embedding/components/windowwatcher/src/nsWindowWatcher.cpp:989 28 nsWindowWatcher::OpenWindow embedding/components/windowwatcher/src/nsWindowWatcher.cpp:421 29 nsPromptService::DoDialog embedding/components/windowwatcher/src/nsPromptService.cpp:786 30 nsPromptService::PromptUsernameAndPassword embedding/components/windowwatcher/src/nsPromptService.cpp:540 31 nsPrompt::PromptPasswordAdapter embedding/components/windowwatcher/src/nsPrompt.cpp:524 32 nsPromptService::PromptAuth embedding/components/windowwatcher/src/nsPromptService.cpp:663 33 NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179 34 XPCWrappedNative::CallMethod js/src/xpconnect/src/xpcwrappednative.cpp:2424 35 XPC_WN_CallMethod js/src/xpconnect/src/xpcwrappednativejsops.cpp:1587 36 js_Invoke js/src/jsinterp.cpp:1312 37 js_Interpret js/src/jsinterp.cpp:5020 38 js_Invoke js/src/jsinterp.cpp:1330 39 nsXPCWrappedJSClass::CallMethod js/src/xpconnect/src/xpcwrappedjsclass.cpp:1608 40 nsXPCWrappedJS::CallMethod js/src/xpconnect/src/xpcwrappedjs.cpp:561 41 PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93 42 PrepareAndDispatch 43 nsHttpChannel::PromptForIdentity netwerk/protocol/http/src/nsHttpChannel.cpp:3515
Severity: normal → critical
Component: XPCOM → XPConnect
Keywords: crash
QA Contact: xpcom → xpconnect
Summary: Crash (@ nsCOMPtr_base::assign_from_qi) using Ubiquity screengrab verb → Crash [@ nsCOMPtr_base::assign_from_qi] using Ubiquity screengrab verb
Tony Chung said this crash that is similar enough to one that is becoming a frequent startup crash on b3 in os x. 77 OSX crashes since the beta was released about 24 hours ago http://tinyurl.com/agsvk9. Found talking to a user on Slashdot http://tech.slashdot.org/comments.pl?sid=1158309&cid=27169747 0 libmozjs.dylib JS_ClearWatchPointsForObject js/src/jsdbgapi.cpp:903 1 XUL nsCOMPtr_base::assign_from_qi(nsQueryInterface, nsID const&) nsCOMPtr.cpp:96 2 XUL XPCNativeWrapper::GetNewOrUsed(JSContext*, XPCWrappedNative*, nsIPrincipal*) nsCOMPtr.h:572 3 XUL nsXPConnect::GetWrapperForObject(JSContext*, JSObject*, JSObject*, nsIPrincipal*, unsigned int, long*) js/src/xpconnect/src/nsXPConnect.cpp:2386 4 XUL XPC_WN_JSOp_ThisObject js/src/xpconnect/src/xpcwrappednativejsops.cpp:1374 5 libmozjs.dylib js_ComputeThis js/src/jsinterp.cpp:861 6 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:1174 7 libmozjs.dylib js_InternalInvoke js/src/jsinterp.cpp:1389 8 libmozjs.dylib js_InternalGetOrSet js/src/jsinterp.cpp:1452 9 libmozjs.dylib js_NativeGet js/src/jsscope.h:359 10 libmozjs.dylib js_GetPropertyHelper js/src/jsobj.cpp:4058 11 libmozjs.dylib js_Interpret js/src/jsinterp.cpp:4298 12 libmozjs.dylib js_Execute js/src/jsinterp.cpp:1562 13 libmozjs.dylib JS_EvaluateUCScriptForPrincipals js/src/jsapi.cpp:5241 14 XUL xpc_EvalInSandbox(JSContext*, JSObject*, nsAString_internal const&, char const*, int, JSVersion, int, long*) js/src/xpconnect/src/xpccomponents.cpp:3574 15 XUL nsXPCComponents_Utils::EvalInSandbox(nsAString_internal const&) js/src/xpconnect/src/xpccomponents.cpp:3511 16 XUL NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179 17 XUL XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) js/src/xpconnect/src/xpcwrappednative.cpp:2424 18 XUL XPC_WN_CallMethod(JSContext*, JSObject*, unsigned int, long*, long*) js/src/xpconnect/src/xpcwrappednativejsops.cpp:1587 19 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:1313 20 libmozjs.dylib js_Interpret js/src/jsinterp.cpp:5024 21 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:1331 22 libmozjs.dylib array_extra js/src/jsarray.cpp:2944 23 libmozjs.dylib js_Interpret js/src/jsinterp.cpp:5007 24 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:1331 25 XUL nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/src/xpconnect/src/xpcwrappedjsclass.cpp:1608 26 XUL nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/src/xpconnect/src/xpcwrappedjs.cpp:561 27 XUL PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93 28 XUL PrepareAndDispatch 29 XUL nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsPIDOMEventTarget*, unsigned int) content/events/src/nsEventListenerManager.cpp:1090 30 XUL nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsPIDOMEventTarget*, unsigned int, nsEventStatus*) content/events/src/nsEventListenerManager.cpp:1195 31 XUL nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, unsigned int, int) content/events/src/nsEventDispatcher.cpp:236 32 XUL nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned int, nsDispatchingCallback*, int) content/events/src/nsEventDispatcher.cpp:324 33 XUL nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*) content/events/src/nsEventDispatcher.cpp:514 34 XUL nsDocument::DispatchEventToWindow(nsEvent*) content/base/src/nsDocument.cpp:7095 35 XUL nsDocument::OnPageShow(int, nsIDOMEventTarget*) content/base/src/nsDocument.cpp:7134 36 XUL DocumentViewerImpl::LoadComplete(unsigned int) layout/base/nsDocumentViewer.cpp:1027 37 XUL nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned int) docshell/base/nsDocShell.cpp:5243 38 XUL nsWebShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned int) docshell/base/nsWebShell.cpp:1013 39 XUL nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, unsigned int) docshell/base/nsDocShell.cpp:5139 40 XUL nsDocLoader::FireOnStateChange(nsIWebProgress*, nsIRequest*, int, unsigned int) uriloader/base/nsDocLoader.cpp:1235 41 XUL nsDocLoader::doStopDocumentLoad(nsIRequest*, unsigned int) uriloader/base/nsDocLoader.cpp:858 42 XUL nsDocLoader::DocLoaderIsEmpty() uriloader/base/nsDocLoader.cpp:763 43 XUL nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) uriloader/base/nsDocLoader.cpp:679 44 XUL nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, unsigned int) netwerk/base/src/nsLoadGroup.cpp:688 45 XUL nsDocument::DoUnblockOnload() content/base/src/nsDocument.cpp:7044 46 XUL nsDocument::DispatchContentLoadedEvents() content/base/src/nsDocument.cpp:3964 47 XUL nsRunnableMethod<nsDocument>::Run() nsThreadUtils.h:264 48 XUL nsThread::ProcessNextEvent(int, int*) xpcom/threads/nsThread.cpp:510 49 XUL NS_ProcessNextEvent_P(nsIThread*, int) nsThreadUtils.cpp:227 50 XUL nsThread::Shutdown() xpcom/threads/nsThread.cpp:465 51 XUL NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179 52 XUL nsProxyObjectCallInfo::Run() xpcom/proxy/src/nsProxyEvent.cpp:181 53 XUL nsThread::ProcessNextEvent(int, int*) xpcom/threads/nsThread.cpp:510 54 XUL NS_ProcessPendingEvents_P(nsIThread*, unsigned int) nsThreadUtils.cpp:180 55 XUL nsBaseAppShell::NativeEventCallback() widget/src/xpwidgets/nsBaseAppShell.cpp:121 56 XUL nsAppShell::ProcessGeckoEvents(void*) widget/src/cocoa/nsAppShell.mm:374 57 CoreFoundation CoreFoundation@0x735f4 58 CoreFoundation CoreFoundation@0x73cd7 59 HIToolbox HIToolbox@0x302bf 60 HIToolbox HIToolbox@0x300d8 61 HIToolbox HIToolbox@0x2ff4c 62 AppKit AppKit@0x40d7c 63 AppKit AppKit@0x4062f 64 AppKit AppKit@0x3966a 65 XUL nsAppShell::Run() widget/src/cocoa/nsAppShell.mm:693 66 XUL nsAppStartup::Run() toolkit/components/startup/src/nsAppStartup.cpp:192 67 XUL XRE_main toolkit/xre/nsAppRunner.cpp:3279 68 firefox-bin main browser/app/nsBrowserApp.cpp:156 69 firefox-bin firefox-bin@0x1541 70 firefox-bin firefox-bin@0x1468 71 @0x2
Flags: blocking1.9.1?
Flags: blocking1.9.1? → blocking1.9.1+
Keywords: crashtopcrash
Priority: -- → P1
Attached patch Possible fixSplinter Review
The apparent bug here is that document fragments don't cache their wrappers, leading to multiple XPCWrappedNatives being created for the same nsISupports object. As a result, it would be possible to get one's hands on an XPCWrappedNative for a rooted object that could die during garbage collection. This patch makes document fragments cache their wrappers, removing that possibility.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #368612 - Flags: superreview?(jst)
Attachment #368612 - Flags: review?(jst)
Comment on attachment 368612 [details] [diff] [review] Possible fix I'd say *likely* fix, even.
Attachment #368612 - Flags: superreview?(jst)
Attachment #368612 - Flags: superreview+
Attachment #368612 - Flags: review?(jst)
Attachment #368612 - Flags: review+
http://hg.mozilla.org/mozilla-central/rev/825869c4798a
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Shouldn't we just have used nsNodeSH for document fragments? I guess we probably don't want to fall through to the nsEventReceiverSH methods, but afaict we do want the nsNodeSH ones.
I'd like to take the fix from bug 480975 on branch instead of this one. It should also fix this bug, and avoid any potential bugs in other classes.
(In reply to comment #9) > I'd like to take the fix from bug 480975 on branch instead of this one. s/bug 480975/bug 484692/.
Because of the magical 4th parameter to .addEventListener we do want to fall through to nsEventReceiverSH.
Unblocking on this one in favor of blocking on bug 484692 which fixes this and any other possible cases like this.
Flags: blocking1.9.1+ → blocking1.9.1-
Then, are you actually looking for (1.9.1) checkin-needed or not ?
Target Milestone: --- → mozilla1.9.2a1
Sorry, forgot this was marked as checkin-needed.
Keywords: checkin-needed
Fixed on 1.9.1 branch by the fix for bug 484692.
Keywords: fixed1.9.1
Crash Signature: [@ nsCOMPtr_base::assign_from_qi]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: