Closed Bug 480975 Opened 15 years ago Closed 15 years ago

Crash [@ nsCOMPtr_base::assign_from_qi] using Ubiquity screengrab verb

Categories: Core :: XPConnect, defect, P1; x86, macOS

Tracking: RESOLVED FIXED, mozilla1.9.2a1

People: Reporter: crowderbt, Assigned: mrbkap

Details: Keywords: fixed1.9.1, topcrash

Attachments: 1 file

Woops, meant "screengrab", not "screencap".  This is 100% reproducible for me.
Summary: Crash (@ nsCOMPtr_base::assign_from_qi) using Ubiquity screencap verb → Crash (@ nsCOMPtr_base::assign_from_qi) using Ubiquity screengrab verb
this isn't a bug in xpcom, it's probably either xpconnect or js

2	XPCNativeWrapper::GetNewOrUsed	 nsCOMPtr.h:572
3	nsXPConnect::GetWrapperForObject	js/src/xpconnect/src/nsXPConnect.cpp:2378
4	XPC_WN_JSOp_ThisObject	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1374
5	js_ComputeThis	js/src/jsinterp.cpp:860
6	js_Invoke	js/src/jsinterp.cpp:1173
7	js_InternalInvoke	js/src/jsinterp.cpp:1388
8	js_InternalGetOrSet	js/src/jsinterp.cpp:1451
9	js_NativeGet	js/src/jsscope.h:360
10	js_GetPropertyHelper	js/src/jsobj.cpp:4050
11	js_Interpret	js/src/jsinterp.cpp:4294
12	js_Invoke	js/src/jsinterp.cpp:1330
13	js_InternalInvoke	js/src/jsinterp.cpp:1388
14	js_InternalGetOrSet	js/src/jsinterp.cpp:1451
15	js_NativeGet	js/src/jsscope.h:360
16	js_Interpret	js/src/jsinterp.cpp:5153
17	js_Invoke	js/src/jsinterp.cpp:1330
18	nsXPCWrappedJSClass::CallMethod	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1608
19	nsXPCWrappedJS::CallMethod	js/src/xpconnect/src/xpcwrappedjs.cpp:561
20	PrepareAndDispatch	xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93
..
26	nsXULWindow::ShowModal	 nsWeakReference.h:413
27	nsWindowWatcher::OpenWindowJSInternal	embedding/components/windowwatcher/src/nsWindowWatcher.cpp:989
28	nsWindowWatcher::OpenWindow	embedding/components/windowwatcher/src/nsWindowWatcher.cpp:421
29	nsPromptService::DoDialog	embedding/components/windowwatcher/src/nsPromptService.cpp:786
30	nsPromptService::PromptUsernameAndPassword	embedding/components/windowwatcher/src/nsPromptService.cpp:540
31	nsPrompt::PromptPasswordAdapter	embedding/components/windowwatcher/src/nsPrompt.cpp:524
32	nsPromptService::PromptAuth	embedding/components/windowwatcher/src/nsPromptService.cpp:663
33	NS_InvokeByIndex_P	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179
34	XPCWrappedNative::CallMethod	js/src/xpconnect/src/xpcwrappednative.cpp:2424
35	XPC_WN_CallMethod	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1587
36	js_Invoke	js/src/jsinterp.cpp:1312
37	js_Interpret	js/src/jsinterp.cpp:5020
38	js_Invoke	js/src/jsinterp.cpp:1330
39	nsXPCWrappedJSClass::CallMethod	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1608
40	nsXPCWrappedJS::CallMethod	js/src/xpconnect/src/xpcwrappedjs.cpp:561
41	PrepareAndDispatch	xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93
42	PrepareAndDispatch	
43	nsHttpChannel::PromptForIdentity	netwerk/protocol/http/src/nsHttpChannel.cpp:3515
Severity: normal → critical
Component: XPCOM → XPConnect
Keywords: crash
QA Contact: xpcom → xpconnect
Summary: Crash (@ nsCOMPtr_base::assign_from_qi) using Ubiquity screengrab verb → Crash [@ nsCOMPtr_base::assign_from_qi] using Ubiquity screengrab verb
Tony Chung said this crash is similar enough to one that is becoming a frequent startup crash on b3 in OS X. 77 OS X crashes since the beta was released about 24 hours ago: http://tinyurl.com/agsvk9. Found talking to a user on Slashdot: http://tech.slashdot.org/comments.pl?sid=1158309&cid=27169747

0  	libmozjs.dylib  	JS_ClearWatchPointsForObject  	js/src/jsdbgapi.cpp:903
1 	XUL 	nsCOMPtr_base::assign_from_qi(nsQueryInterface, nsID const&) 	nsCOMPtr.cpp:96
2 	XUL 	XPCNativeWrapper::GetNewOrUsed(JSContext*, XPCWrappedNative*, nsIPrincipal*) 	nsCOMPtr.h:572
3 	XUL 	nsXPConnect::GetWrapperForObject(JSContext*, JSObject*, JSObject*, nsIPrincipal*, unsigned int, long*) 	js/src/xpconnect/src/nsXPConnect.cpp:2386
4 	XUL 	XPC_WN_JSOp_ThisObject 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1374
5 	libmozjs.dylib 	js_ComputeThis 	js/src/jsinterp.cpp:861
6 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1174
7 	libmozjs.dylib 	js_InternalInvoke 	js/src/jsinterp.cpp:1389
8 	libmozjs.dylib 	js_InternalGetOrSet 	js/src/jsinterp.cpp:1452
9 	libmozjs.dylib 	js_NativeGet 	js/src/jsscope.h:359
10 	libmozjs.dylib 	js_GetPropertyHelper 	js/src/jsobj.cpp:4058
11 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:4298
12 	libmozjs.dylib 	js_Execute 	js/src/jsinterp.cpp:1562
13 	libmozjs.dylib 	JS_EvaluateUCScriptForPrincipals 	js/src/jsapi.cpp:5241
14 	XUL 	xpc_EvalInSandbox(JSContext*, JSObject*, nsAString_internal const&, char const*, int, JSVersion, int, long*) 	js/src/xpconnect/src/xpccomponents.cpp:3574
15 	XUL 	nsXPCComponents_Utils::EvalInSandbox(nsAString_internal const&) 	js/src/xpconnect/src/xpccomponents.cpp:3511
16 	XUL 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179
17 	XUL 	XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) 	js/src/xpconnect/src/xpcwrappednative.cpp:2424
18 	XUL 	XPC_WN_CallMethod(JSContext*, JSObject*, unsigned int, long*, long*) 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1587
19 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1313
20 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:5024
21 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1331
22 	libmozjs.dylib 	array_extra 	js/src/jsarray.cpp:2944
23 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:5007
24 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1331
25 	XUL 	nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1608
26 	XUL 	nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) 	js/src/xpconnect/src/xpcwrappedjs.cpp:561
27 	XUL 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93
28 	XUL 	PrepareAndDispatch 	
29 	XUL 	nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsPIDOMEventTarget*, unsigned int) 	content/events/src/nsEventListenerManager.cpp:1090
30 	XUL 	nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsPIDOMEventTarget*, unsigned int, nsEventStatus*) 	content/events/src/nsEventListenerManager.cpp:1195
31 	XUL 	nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, unsigned int, int) 	content/events/src/nsEventDispatcher.cpp:236
32 	XUL 	nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned int, nsDispatchingCallback*, int) 	content/events/src/nsEventDispatcher.cpp:324
33 	XUL 	nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*) 	content/events/src/nsEventDispatcher.cpp:514
34 	XUL 	nsDocument::DispatchEventToWindow(nsEvent*) 	content/base/src/nsDocument.cpp:7095
35 	XUL 	nsDocument::OnPageShow(int, nsIDOMEventTarget*) 	content/base/src/nsDocument.cpp:7134
36 	XUL 	DocumentViewerImpl::LoadComplete(unsigned int) 	layout/base/nsDocumentViewer.cpp:1027
37 	XUL 	nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned int) 	docshell/base/nsDocShell.cpp:5243
38 	XUL 	nsWebShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned int) 	docshell/base/nsWebShell.cpp:1013
39 	XUL 	nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, unsigned int) 	docshell/base/nsDocShell.cpp:5139
40 	XUL 	nsDocLoader::FireOnStateChange(nsIWebProgress*, nsIRequest*, int, unsigned int) 	uriloader/base/nsDocLoader.cpp:1235
41 	XUL 	nsDocLoader::doStopDocumentLoad(nsIRequest*, unsigned int) 	uriloader/base/nsDocLoader.cpp:858
42 	XUL 	nsDocLoader::DocLoaderIsEmpty() 	uriloader/base/nsDocLoader.cpp:763
43 	XUL 	nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) 	uriloader/base/nsDocLoader.cpp:679
44 	XUL 	nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, unsigned int) 	netwerk/base/src/nsLoadGroup.cpp:688
45 	XUL 	nsDocument::DoUnblockOnload() 	content/base/src/nsDocument.cpp:7044
46 	XUL 	nsDocument::DispatchContentLoadedEvents() 	content/base/src/nsDocument.cpp:3964
47 	XUL 	nsRunnableMethod<nsDocument>::Run() 	nsThreadUtils.h:264
48 	XUL 	nsThread::ProcessNextEvent(int, int*) 	xpcom/threads/nsThread.cpp:510
49 	XUL 	NS_ProcessNextEvent_P(nsIThread*, int) 	nsThreadUtils.cpp:227
50 	XUL 	nsThread::Shutdown() 	xpcom/threads/nsThread.cpp:465
51 	XUL 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179
52 	XUL 	nsProxyObjectCallInfo::Run() 	xpcom/proxy/src/nsProxyEvent.cpp:181
53 	XUL 	nsThread::ProcessNextEvent(int, int*) 	xpcom/threads/nsThread.cpp:510
54 	XUL 	NS_ProcessPendingEvents_P(nsIThread*, unsigned int) 	nsThreadUtils.cpp:180
55 	XUL 	nsBaseAppShell::NativeEventCallback() 	widget/src/xpwidgets/nsBaseAppShell.cpp:121
56 	XUL 	nsAppShell::ProcessGeckoEvents(void*) 	widget/src/cocoa/nsAppShell.mm:374
57 	CoreFoundation 	CoreFoundation@0x735f4 	
58 	CoreFoundation 	CoreFoundation@0x73cd7 	
59 	HIToolbox 	HIToolbox@0x302bf 	
60 	HIToolbox 	HIToolbox@0x300d8 	
61 	HIToolbox 	HIToolbox@0x2ff4c 	
62 	AppKit 	AppKit@0x40d7c 	
63 	AppKit 	AppKit@0x4062f 	
64 	AppKit 	AppKit@0x3966a 	
65 	XUL 	nsAppShell::Run() 	widget/src/cocoa/nsAppShell.mm:693
66 	XUL 	nsAppStartup::Run() 	toolkit/components/startup/src/nsAppStartup.cpp:192
67 	XUL 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3279
68 	firefox-bin 	main 	browser/app/nsBrowserApp.cpp:156
69 	firefox-bin 	firefox-bin@0x1541 	
70 	firefox-bin 	firefox-bin@0x1468 	
71 		@0x2
Flags: blocking1.9.1?
Flags: blocking1.9.1? → blocking1.9.1+
Keywords: crash → topcrash
Priority: -- → P1
Attached patch: Possible fix
The apparent bug here is that document fragments don't cache their wrappers, leading to multiple XPCWrappedNatives being created for the same nsISupports object. As a result, it would be possible to get one's hands on an XPCWrappedNative for a rooted object that could die during garbage collection. This patch makes document fragments cache their wrappers, removing that possibility.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #368612 - Flags: superreview?(jst)
Attachment #368612 - Flags: review?(jst)
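
A simplified model of the wrapper-cache problem described in the patch comment above, added here as an illustration; it is not Mozilla code and not part of the attached patch. `Runtime`, `Native`, `Wrapper` and the mark-dead collector are hypothetical stand-ins, and tying the root to a single wrapper is an assumption made to show how a duplicate wrapper ends up unprotected.

```cpp
#include <cstdio>
#include <memory>
#include <unordered_set>
#include <vector>

// Toy model, not Mozilla code. Native stands in for an nsISupports object,
// Wrapper for the XPCWrappedNative that reflects it into JS.
struct Wrapper { int nativeId; bool alive; };
struct Native {
    int id;
    bool cachesWrapper;  // assumed per-class switch: does it cache its wrapper?
    Wrapper* cached;     // cache slot, unused when cachesWrapper is false
};

class Runtime {
    std::vector<std::unique_ptr<Wrapper>> heap_;  // owns every wrapper
    std::unordered_set<Wrapper*> roots_;
public:
    // Reuse the cached wrapper if the class caches; otherwise make a new one.
    Wrapper* wrap(Native& n) {
        if (n.cachesWrapper && n.cached && n.cached->alive) return n.cached;
        heap_.emplace_back(new Wrapper{n.id, true});
        if (n.cachesWrapper) n.cached = heap_.back().get();
        return heap_.back().get();
    }
    void root(Wrapper* w) { roots_.insert(w); }
    // Toy GC: unrooted wrappers are marked dead. heap_ keeps the storage,
    // so the model itself never reads freed memory.
    void collect() {
        for (auto& w : heap_)
            if (!roots_.count(w.get())) w->alive = false;
    }
};

// Root the first wrapper, look the native up again, collect, check the second.
bool secondHandleSurvivesGC(bool cachesWrapper) {
    Runtime rt;
    Native frag = {1, cachesWrapper, nullptr};
    Wrapper* first = rt.wrap(frag);
    rt.root(first);
    Wrapper* second = rt.wrap(frag);
    rt.collect();
    return second->alive;
}

int main() {
    std::printf("without cache: %d, with cache: %d\n",
                secondHandleSurvivesGC(false), secondHandleSurvivesGC(true));
}
```

Without the cache the second lookup yields a distinct wrapper that the root does not cover; with the cache both lookups return the same rooted wrapper.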
Comment on attachment 368612
Possible fix

I'd say *likely* fix, even.
Attachment #368612 - Flags: superreview?(jst) → superreview+
Attachment #368612 - Flags: review?(jst) → review+
http://hg.mozilla.org/mozilla-central/rev/825869c4798a
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Shouldn't we just have used nsNodeSH for document fragments? I guess we probably don't want to fall through to the nsEventReceiverSH methods, but afaict we do want the nsNodeSH ones.
I'd like to take the fix from bug 480975 on branch instead of this one. It should also fix this bug, and avoid any potential bugs in other classes.
(In reply to comment #9)
> I'd like to take the fix from bug 480975 on branch instead of this one.

s/bug 480975/bug 484692/.
Because of the magical 4th parameter to .addEventListener we do want to
fall through to nsEventReceiverSH.
Unblocking on this one in favor of blocking on bug 484692 which fixes this and any other possible cases like this.
Flags: blocking1.9.1+ → blocking1.9.1-
Then, are you actually looking for (1.9.1) checkin-needed or not?
Target Milestone: --- → mozilla1.9.2a1
Sorry, forgot this was marked as checkin-needed.
Keywords: checkin-needed
Fixed on 1.9.1 branch by the fix for bug 484692.
Keywords: fixed1.9.1
Crash Signature: [@ nsCOMPtr_base::assign_from_qi]