Closed
Bug 604361
Opened 14 years ago
Closed 14 years ago
crash [@ JSObject::unwrap(unsigned int*) ] [@ JSObject::unwrap ]
Categories
(Core :: XPConnect, defect, P2)
Tracking
()
RESOLVED
FIXED
mozilla2.0b7
Tracking | Status | |
---|---|---|
blocking2.0 | --- | beta7+ |
People
(Reporter: scoobidiver, Assigned: gal)
References
Details
(Keywords: crash, regression)
Crash Data
Attachments
(1 file)
1.67 KB,
patch
|
mrbkap
:
review+
|
Details | Diff | Splinter Review |
Build: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101014 Firefox/4.0b8pre This is a new crash signature. Crashes first appeared in b8pre/20101011 build. It is #14 top crasher in 4.0b8pre for the last week. Signature JSObject::unwrap(unsigned int*) UUID b728dcb6-c104-45df-a0aa-a6a122101014 Time 2010-10-14 07:12:03.816936 Uptime 49 Install Age 3102 seconds (51.7 minutes) since version was first installed. Product Firefox Version 4.0b8pre Build ID 20101014041748 Branch 2.0 OS Windows NT OS Version 6.1.7600 CPU x86 CPU Info GenuineIntel family 6 model 28 stepping 10 Crash Reason EXCEPTION_ACCESS_VIOLATION_READ Crash Address 0x4 App Notes AdapterVendorID: 8086, AdapterDeviceID: a011 Frame Module Signature [Expand] Source 0 mozjs.dll JSObject::unwrap js/src/jswrapper.cpp:82 1 xul.dll xpc::WrapperFactory::WaiveXrayAndWrap js/src/xpconnect/wrappers/WrapperFactory.cpp:289 2 xul.dll xpc::CrossOriginWrapper::get js/src/xpconnect/wrappers/CrossOriginWrapper.cpp:84 3 mozjs.dll js::JSProxy::get js/src/jsproxy.cpp:774 4 mozjs.dll js::proxy_GetProperty js/src/jsproxy.cpp:867 5 mozjs.dll js::mjit::ic::GetProp js/src/methodjit/PolyIC.cpp:2065 The regression range is : http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=26c47ba8064f&tochange=5a41a70eb631 More reports at: http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&range_value=4&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=JSObject%3A%3Aunwrap%28unsigned%20int*%29
Reporter | ||
Updated•14 years ago
|
Assignee: general → nobody
Component: JavaScript Engine → XPConnect
QA Contact: general → xpconnect
Assignee | ||
Comment 1•14 years ago
|
||
We only landed for a short time so this must be very frequent.
Assignee | ||
Updated•14 years ago
|
blocking2.0: --- → ?
Comment 2•14 years ago
|
||
81 wrapped = wrapped->getProxyPrivate().toObjectOrNull(); 82 if (wrapped->getClass()->ext.innerObject) That'll crash if |wrapped| is null, right? And the crashes listed are null derefs, no?
Assignee | ||
Comment 3•14 years ago
|
||
Yeah, the thing is wrapped should never be null.
Comment 4•14 years ago
|
||
Is it worth using toObject() to self-document that?
Updated•14 years ago
|
blocking2.0: ? → beta7+
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101014 Firefox/4.0b8pre Steps to reproduce: 1. open new tab 2. open firebug (I'm using now 1.7a3) 3. write in console: document.body 4. hover the mouse on the element shown in the console
Assignee | ||
Comment 6•14 years ago
|
||
I will try #5. Thanks.
Assignee | ||
Updated•14 years ago
|
Assignee: nobody → gal
Assignee | ||
Updated•14 years ago
|
Severity: critical → major
Priority: -- → P2
Target Milestone: --- → mozilla2.0b7
Hovering sometimes doesn't make firefox crash, but clicking on the element in console work every time
Assignee | ||
Comment 8•14 years ago
|
||
Assignee | ||
Updated•14 years ago
|
Attachment #483223 -
Flags: review?
Assignee | ||
Comment 9•14 years ago
|
||
Thanks for the STR jk1700.
Assignee | ||
Updated•14 years ago
|
Attachment #483223 -
Flags: review? → review?(mrbkap)
Updated•14 years ago
|
Attachment #483223 -
Flags: review?(mrbkap) → review+
Assignee | ||
Comment 10•14 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/578aeacda09a
Reporter | ||
Updated•14 years ago
|
OS: Windows 7 → All
Summary: crash [@ JSObject::unwrap(unsigned int*) ] → crash [@ JSObject::unwrap(unsigned int*) ] [@ JSObject::unwrap ]
Updated•14 years ago
|
Severity: major → critical
Comment 11•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/578aeacda09a
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•13 years ago
|
Crash Signature: [@ JSObject::unwrap(unsigned int*) ]
[@ JSObject::unwrap ]
You need to log in
before you can comment on or make changes to this bug.
Description
•