Closed
Bug 522839
Opened 16 years ago
Closed 16 years ago
Remaining crash [@ WillDeadlock] after the fix for bug 514554
Categories
(Core :: XPConnect, defect, P2)
Core
XPConnect
Tracking
()
RESOLVED
FIXED
mozilla1.9.3a1
| Tracking | Status | |
|---|---|---|
| status1.9.2 | --- | beta3-fixed |
| blocking1.9.1 | --- | .6+ |
| status1.9.1 | --- | .6-fixed |
People
(Reporter: mrbkap, Assigned: mrbkap)
References
Details
(Whiteboard: [sg:investigate])
Attachments
(1 file)
|
1.06 KB,
patch
|
bent.mozilla
:
review+
samuel.sidler+old
:
approval1.9.1.6+
|
Details | Diff | Splinter Review |
See bug 514554, comment 29 and following. This is likely a race that's left over. I'll mark this security sensitive since the original bug is and because the testcase isn't yet public.
|
||
Comment 1•16 years ago
|
||
This is my other reported crash: http://crash-stats.mozilla.com/report/index/1f4d1c31-bee6-41e1-a967-edc5d2091016
|
||
Comment 2•16 years ago
|
||
http://crash-stats.mozilla.com/report/index/1f4d1c31-bee6-41e1-a967-edc5d2091016
0 js3250.dll WillDeadlock js/src/jslock.cpp:385
1 js3250.dll js3250.dll@0x6b06e
2 js3250.dll js_LookupPropertyWithFlags js/src/jsobj.cpp:3802
3 xul.dll nsXPCWrappedJSClass::CallMethod js/src/xpconnect/src/xpcwrappedjsclass.cpp:1950
4 js3250.dll js_GetPropertyHelper js/src/jsobj.cpp:4258
Summary: Remaining crash after the fix for bug 514554 → Remaining crash [@ WillDeadlock] after the fix for bug 514554
|
||
Updated•16 years ago
|
blocking1.9.1: --- → ?
status1.9.1:
--- → wanted
Flags: blocking1.9.2?
Whiteboard: [sg:investigate][3.6.x]
|
|
||
Updated•16 years ago
|
Group: core-security
|
||
Updated•16 years ago
|
Depends on: CVE-2009-3371
|
|
||
Updated•16 years ago
|
blocking1.9.1: ? → .5+
Whiteboard: [sg:investigate][3.6.x] → [sg:investigate]
|
||
Comment 4•16 years ago
|
||
Ben says this one's all Blake's. Blake, do you think this should block the release?
Assignee: bent.mozilla → nobody
Component: DOM: Mozilla Extensions → XPConnect
OS: Mac OS X → All
QA Contact: general → xpconnect
Hardware: x86 → All
|
Assignee | |
Comment 5•16 years ago
|
||
I'm confused, in bug 514554 Al said the crash he saw on this testcase was http://crash-stats.mozilla.com/report/index/62c11801-4dbe-403b-811f-3d2ad2091016?p=1 which is very different crash.
|
|
||
Updated•16 years ago
|
Assignee: nobody → mrbkap
|
|
Assignee | |
Comment 6•16 years ago
|
||
|
|
Assignee | |
Comment 7•16 years ago
|
||
It would be a bit cleaner to be able to tell the thread pool manager that we shouldn't create the thread if creating the context fails, but it ignores the return value of OnThreadCreated, so we end up with this partially-constructed thread anyway. I went through the other places that look up contexts and I believe that they are all safe (either null check or in order to get to that point, we must have successfully run code on this thread and therefore have a context).
Attachment #410757 -
Flags: review?(bent.mozilla)
|
|
||
Comment 8•16 years ago
|
||
Is there a question for me? I just reported what I got when I crashed. The explanations as to cause were from you. :-)
|
|
Assignee | |
Comment 9•16 years ago
|
||
Al, did you crash in WillDeadlock or JS_SetContextPrivate or both?
|
|
||
Comment 10•16 years ago
|
||
Both, separately, when I tested.
Comment on attachment 410757 [details] [diff] [review]
Easiest fix
Sorry Blake, I meant the crash in comment 1 would be all you. We need to spin that out into a separate bug I guess. The null check you have here is ok for now.
Attachment #410757 -
Flags: review?(bent.mozilla) → review+
|
|
||
Comment 12•16 years ago
|
||
Comment on attachment 410757 [details] [diff] [review]
Easiest fix
No reason not to take this null pointer check for 1.9.1 IMO.
Attachment #410757 -
Flags: approval1.9.1.6?
|
|
||
Updated•16 years ago
|
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P2
Target Milestone: --- → mozilla1.9.2
|
|
||
Comment 13•16 years ago
|
||
Comment on attachment 410757 [details] [diff] [review]
Easiest fix
Approved for 1.9.1.6. a=ss
Attachment #410757 -
Flags: approval1.9.1.6? → approval1.9.1.6+
|
||
Updated•16 years ago
|
Keywords: checkin-needed
|
|
||
Comment 14•16 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/e5261adb8014
Marking fixed for 1.9.1.6, but leaving bug open as there's likely more to do here (or in followup bugs that get filed once mrbkap is back).
|
||
Comment 15•16 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/f5ab4934c855
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/ea520cb019ce
Status: NEW → RESOLVED
Closed: 16 years ago
status1.9.2:
--- → final-fixed
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: mozilla1.9.2 → mozilla1.9.3a1
|
|
||
Comment 16•16 years ago
|
||
I'm still crashing using the "index.html" file from the testcase in 1.9.1.6 pretty reliably when I click on the red 'x' to close Firefox.
I'm not getting the crashreporter in my debug build but my debug output shows:
WARNING: NS_ENSURE_TRUE(browserChrome) failed: file c:/projects/moz1.9.1/docshel
l/base/nsDocShell.cpp, line 9324
WARNING: Something wrong when creating the docshell for a frameloader!: file c:/
projects/moz1.9.1/content/base/src/nsFrameLoader.cpp, line 902
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file c:/projec
ts/moz1.9.1/content/base/src/nsFrameLoader.cpp, line 926
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file c:/projec
ts/moz1.9.1/content/base/src/nsFrameLoader.cpp, line 182
++WEBSHELL 02EDC940 == 5
++DOMWINDOW == 6 (02EDD3A0) [serial = 6] [outer = 00000000]
WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLa
youtPhase_FrameC] == 0', file c:\projects\moz1.9.1\layout\base\nsPresContext.h,
line 1026
WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLa
youtPhase_FrameC] == 0', file c:\projects\moz1.9.1\layout\base\nsPresContext.h,
line 1026
++DOMWINDOW == 7 (031B5020) [serial = 7] [outer = 023844C8]
++DOMWINDOW == 8 (030BD5A0) [serial = 8] [outer = 02EDD370]
pldhash: for the table at address 0325CA68, the given entrySize of 52 probably f
avors chaining over double hashing.
++DOMWINDOW == 9 (03339068) [serial = 9] [outer = 02EDD370]
WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLa
youtPhase_FrameC] == 0', file c:\projects\moz1.9.1\layout\base\nsPresContext.h,
line 1026
WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLa
youtPhase_FrameC] == 0', file c:\projects\moz1.9.1\layout\base\nsPresContext.h,
line 1026
WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLa
youtPhase_FrameC] == 0', file c:\projects\moz1.9.1\layout\base\nsPresContext.h,
line 1026
WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLa
youtPhase_FrameC] == 0', file c:\projects\moz1.9.1\layout\base\nsPresContext.h,
line 1026
WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLa
youtPhase_FrameC] == 0', file c:\projects\moz1.9.1\layout\base\nsPresContext.h,
line 1026
WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLa
youtPhase_FrameC] == 0', file c:\projects\moz1.9.1\layout\base\nsPresContext.h,
line 1026
--DOMWINDOW == 8 (030BD5A0) [serial = 8] [outer = 02EDD370] [url = about:blank]
++DOMWINDOW == 9 (05003FE0) [serial = 10] [outer = 02EDD370]
WARNING: getting z level of unregistered window: file c:/projects/moz1.9.1/xpfe/
appshell/src/nsWindowMediator.cpp, line 635
WARNING: getting z level of unregistered window: file c:/projects/moz1.9.1/xpfe/
appshell/src/nsWindowMediator.cpp, line 635
--WEBSHELL 0239E640 == 4
--DOMWINDOW == 8 (023844F8) [serial = 5] [outer = 00000000] [url = about:blank]
--DOMWINDOW == 7 (031B5020) [serial = 7] [outer = 00000000] [url = about:blank]
WARNING: NS_ENSURE_SUCCESS(rv, rv--WEBSHELL 0212ED10 == 3
--WEBSHELL 020A81C0 == 2
) failed with result 0x80040111: file c:/projects/moz1.9.1/dom/src/threads/nsDOM
Worker.cpp, line 1242
WARNING: Thread pool cap reached!: file c:/projects/moz1.9.1/dom/src/threads/nsD
OMThreadService.cpp, line 985
--DWARNIOMWINDOW == 6 (02139790) [serial = 3] [outer = 0212FB18] [url = about:bl
ank]
--DOMWINDOW == 5 (020BF158) [serial = 1] [outer = 00000000] [url = resource://gr
e/res/hiddenWindow.html]
NG: Thread pool cap reached!: file c:/projects/moz1.9.1/dom/src/threads/nsDOMThr
eadService.cpp, line 985
--DOMWINDOW == 4 (0212FB48) [serial = 2] [outer = 00000000] [url = chrome://brow
ser/content/browser.xul]
--DOMWINDOW == 3 (022386A0) [serial = 4] [outer = 00000000] [url = resource://gr
e/res/hiddenWindow.html]
--DOMWINDOW == 2 (03339068) [serial = 9] [outer = 02EDD370] [url = http://www.mo
zilla.org/projects/shiretoko/]
--WEBSHELL 02EDC940 == 1
WARNING: Thread pool cap reached!: file c:/projects/moz1.9.1/dom/src/threads/nsD
OMThreadService.cpp, line 985
WARNING: Thread pool cap reached!: file c:/projects/moz1.9.1/dom/src/threads/nsD
OMThreadService.cpp, line 985
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0xC1F30001: file c:/projec
ts/moz1.9.1/toolkit/components/places/src/nsAnnotationService.cpp, line 1388
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0xC1F30001: file c:/projec
ts/moz1.9.1/toolkit/components/places/src/nsAnnotationService.cpp, line 1365
WARNING: NS_ENSURE_TRUE(!mShutdown) failed: file c:/projects/moz1.9.1/xpcom/thre
ads/nsThreadPool.cpp, line 240
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0xC1F30001: file c:/projec
ts/moz1.9.1/toolkit/components/places/src/nsAnnotationService.cpp, line 1388
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0xC1F30001: file c:/projec
ts/moz1.9.1/toolkit/components/places/src/nsAnnotationService.cpp, line 1365
WARNING: NS_ENSURE_TRUE(gDbBackgroundThread) failed: file c:/projects/moz1.9.1/t
oolkit/components/url-classifier/src/nsUrlClassifierDBService.cpp, line 4082
************************************************************
* Call to xpconnect wrapped JSObject produced this error: *
[Exception... "Component returned failure code: 0xc1f30001 (NS_ERROR_NOT_INITIAL
IZED) [nsIUrlClassifierDBService.getTables]" nsresult: "0xc1f30001 (NS_ERROR_NO
T_INITIALIZED)" location: "JS frame :: file:///C:/projects/moz1.9.1/ffx-dbg/dis
t/firefox/components/nsUrlClassifierListManager.js :: anonymous :: line 359" da
ta: no]
************************************************************
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x8000FFFF: file c:/projec
ts/moz1.9.1/dom/src/threads/nsDOMThreadService.cpp, line 999
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0xC1F30001: file c:/projec
ts/moz1.9.1/toolkit/components/places/src/nsAnnotationService.cpp, line 1388
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0xC1F30001: file c:/projec
ts/moz1.9.1/toolkit/components/places/src/nsAnnotationService.cpp, line 1365
(these last two lines repeat over and over many times)
|
|
||
Comment 17•16 years ago
|
||
Talked this over with Blake, and he's comfortable shipping with the above issue based on his reproduction attempts and analysis in a debug build.
Might or might not be related, but I have just witnessed
13:58:50 INFO - 11-19 13:57:20.328 E/GeckoConsole( 2226): [JavaScript Error: "[Exception... "Component returned failure code: 0xc1f30001 (NS_ERROR_NOT_INITIALIZED) [nsIUrlClassifierDBService.getTables]" nsresult: "0xc1f30001 (NS_ERROR_NOT_INITIALIZED)" location: "JS frame :: jar:jar:file:///data/app/org.mozilla.fennec-1.apk!/assets/omni.ja!/components/nsUrlClassifierListManager.js :: PROT_ListManager.prototype.checkForUpdates :: line 359" data: no]" {file: "jar:jar:file:///data/app/org.mozilla.fennec-1.apk!/assets/omni.ja!/components/nsUrlClassifierListManager.js" line: 359}]
on Android.
You need to log in
before you can comment on or make changes to this bug.
Description
•