604361 - crash [@ JSObject::unwrap(unsigned int*) ] [@ JSObject::unwrap ]

Status: RESOLVED FIXED

(Core :: XPConnect, defect, P2)

Description

[Scoobidiver (away)]

Build: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101014 Firefox/4.0b8pre

This is a new crash signature. Crashes first appeared in b8pre/20101011 build.
It is #14 top crasher in 4.0b8pre for the last week.

Signature	JSObject::unwrap(unsigned int*)
UUID	b728dcb6-c104-45df-a0aa-a6a122101014
Time 	2010-10-14 07:12:03.816936
Uptime	49
Install Age	3102 seconds (51.7 minutes) since version was first installed.
Product	Firefox
Version	4.0b8pre
Build ID	20101014041748
Branch	2.0
OS	Windows NT
OS Version	6.1.7600
CPU	x86
CPU Info	GenuineIntel family 6 model 28 stepping 10
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x4
App Notes 	AdapterVendorID: 8086, AdapterDeviceID: a011

Frame 	Module 	Signature [Expand] 	Source
0 	mozjs.dll 	JSObject::unwrap 	js/src/jswrapper.cpp:82
1 	xul.dll 	xpc::WrapperFactory::WaiveXrayAndWrap 	js/src/xpconnect/wrappers/WrapperFactory.cpp:289
2 	xul.dll 	xpc::CrossOriginWrapper::get 	js/src/xpconnect/wrappers/CrossOriginWrapper.cpp:84
3 	mozjs.dll 	js::JSProxy::get 	js/src/jsproxy.cpp:774
4 	mozjs.dll 	js::proxy_GetProperty 	js/src/jsproxy.cpp:867
5 	mozjs.dll 	js::mjit::ic::GetProp 	js/src/methodjit/PolyIC.cpp:2065

The regression range is :
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=26c47ba8064f&tochange=5a41a70eb631

More reports at:
http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&range_value=4&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=JSObject%3A%3Aunwrap%28unsigned%20int*%29

Comment 1

[Andreas Gal :gal]

We only landed for a short time so this must be very frequent.

Comment 2

[Boris Zbarsky [:bzbarsky]]

81         wrapped = wrapped->getProxyPrivate().toObjectOrNull();
82         if (wrapped->getClass()->ext.innerObject)

That'll crash if |wrapped| is null, right?  And the crashes listed are null derefs, no?

Comment 3

[Andreas Gal :gal]

Yeah, the thing is wrapped should never be null.

Comment 4

[Boris Zbarsky [:bzbarsky]]

Is it worth using toObject() to self-document that?

Comment 5

[gadjo]

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101014 Firefox/4.0b8pre

Steps to reproduce:
1. open new tab
2. open firebug (I'm using now 1.7a3)
3. write in console: document.body
4. hover the mouse on the element shown in the console

Comment 6

[Andreas Gal :gal]

I will try #5. Thanks.

Comment 7

[gadjo]

Hovering sometimes doesn't make firefox crash, but clicking on the element in console work every time

Comment 8

[Andreas Gal :gal]

Attachment: patch

Comment 9

[Andreas Gal :gal]

Thanks for the STR jk1700.

Comment 10

[Andreas Gal :gal]

http://hg.mozilla.org/tracemonkey/rev/578aeacda09a

Comment 11

[Robert Sayre]

http://hg.mozilla.org/mozilla-central/rev/578aeacda09a