Bug 604361 (Closed)
Opened 15 years ago
Closed 15 years ago
crash [@ JSObject::unwrap(unsigned int*) ] [@ JSObject::unwrap ]
Categories: Core :: XPConnect, defect, P2
Status: RESOLVED FIXED
Target Milestone: mozilla2.0b7

| | Tracking | Status |
|---|---|---|
| blocking2.0 | --- | beta7+ |

People: Reporter: scoobidiver, Assigned: gal
Keywords: crash, regression
Attachments: 1 file (patch, 1.67 KB, mrbkap: review+)

Build: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101014 Firefox/4.0b8pre
This is a new crash signature. Crashes first appeared in b8pre/20101011 build.
It is the #14 top crasher in 4.0b8pre for the last week.
Signature JSObject::unwrap(unsigned int*)
UUID b728dcb6-c104-45df-a0aa-a6a122101014
Time 2010-10-14 07:12:03.816936
Uptime 49
Install Age 3102 seconds (51.7 minutes) since version was first installed.
Product Firefox
Version 4.0b8pre
Build ID 20101014041748
Branch 2.0
OS Windows NT
OS Version 6.1.7600
CPU x86
CPU Info GenuineIntel family 6 model 28 stepping 10
Crash Reason EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 0x4
App Notes AdapterVendorID: 8086, AdapterDeviceID: a011
Frame Module Signature Source
0 mozjs.dll JSObject::unwrap js/src/jswrapper.cpp:82
1 xul.dll xpc::WrapperFactory::WaiveXrayAndWrap js/src/xpconnect/wrappers/WrapperFactory.cpp:289
2 xul.dll xpc::CrossOriginWrapper::get js/src/xpconnect/wrappers/CrossOriginWrapper.cpp:84
3 mozjs.dll js::JSProxy::get js/src/jsproxy.cpp:774
4 mozjs.dll js::proxy_GetProperty js/src/jsproxy.cpp:867
5 mozjs.dll js::mjit::ic::GetProp js/src/methodjit/PolyIC.cpp:2065
The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=26c47ba8064f&tochange=5a41a70eb631
More reports at:
http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&range_value=4&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=JSObject%3A%3Aunwrap%28unsigned%20int*%29
Updated (Reporter) • 15 years ago
Assignee: general → nobody
Component: JavaScript Engine → XPConnect
QA Contact: general → xpconnect
Comment 1 (Assignee) • 15 years ago
We only landed for a short time so this must be very frequent.
Updated (Assignee) • 15 years ago
blocking2.0: --- → ?
Comment 2 • 15 years ago
81 wrapped = wrapped->getProxyPrivate().toObjectOrNull();
82 if (wrapped->getClass()->ext.innerObject)
That'll crash if |wrapped| is null, right? And the crashes listed are null derefs, no?
Comment 3 (Assignee) • 15 years ago
Yeah, the thing is wrapped should never be null.
Comment 4 • 15 years ago
Is it worth using toObject() to self-document that?
Updated • 15 years ago
blocking2.0: ? → beta7+
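The pattern discussed in comments 2 to 4, as an added example that is not part of the bug thread and is not the patch attached to it: a simplified C++ model of a wrapper chain, with the unchecked unwrap loop beside a variant that checks the private slot before dereferencing it. `Class`, `Value`, `Object`, `unwrapUnchecked` and `unwrapChecked` are hypothetical stand-ins, not SpiderMonkey's types.

```cpp
// Simplified stand-ins (assumption): these types only imitate the shape of the
// two lines quoted in comment 2; they are not SpiderMonkey's definitions.
struct Class { bool isWrapper; bool hasInnerObject; };
struct Object;

struct Value {
    Object *obj;
    explicit Value(Object *o = nullptr) : obj(o) {}
    Object *toObjectOrNull() const { return obj; }  // null is a legal result
};

struct Object {
    const Class *clasp;
    Value proxyPrivate;  // slot that holds the wrapped object
    Object(const Class *c, Object *target = nullptr) : clasp(c), proxyPrivate(target) {}
    const Class *getClass() const { return clasp; }
};

static const Class kWrapperClass = {true, false};
static const Class kPlainClass = {false, false};

// Same shape as quoted lines 81-82: the slot value is dereferenced unchecked,
// so an empty slot becomes a read through a null pointer.
Object *unwrapUnchecked(Object *wrapped) {
    while (wrapped->getClass()->isWrapper) {
        wrapped = wrapped->proxyPrivate.toObjectOrNull();
        if (wrapped->getClass()->hasInnerObject)
            break;
    }
    return wrapped;
}

// Checked variant: an empty slot is reported to the caller as nullptr.
Object *unwrapChecked(Object *wrapped) {
    while (wrapped && wrapped->getClass()->isWrapper) {
        Object *next = wrapped->proxyPrivate.toObjectOrNull();
        if (!next)
            return nullptr;  // the case comment 2 describes
        wrapped = next;
        if (wrapped->getClass()->hasInnerObject)
            break;
    }
    return wrapped;
}
```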
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101014 Firefox/4.0b8pre
Steps to reproduce:
1. open new tab
2. open firebug (I'm using now 1.7a3)
3. write in console: document.body
4. hover the mouse on the element shown in the console
Comment 6 (Assignee) • 15 years ago
I will try #5. Thanks.
Updated (Assignee) • 15 years ago
Assignee: nobody → gal
Updated (Assignee) • 15 years ago
Severity: critical → major
Priority: -- → P2
Target Milestone: --- → mozilla2.0b7
Hovering sometimes doesn't make Firefox crash, but clicking on the element in the console works every time.
Comment 8 (Assignee) • 15 years ago
Updated (Assignee) • 15 years ago
Attachment #483223 -
Flags: review?
Comment 9 (Assignee) • 15 years ago
Thanks for the STR jk1700.
Updated (Assignee) • 15 years ago
Attachment #483223 -
Flags: review? → review?(mrbkap)
Updated • 15 years ago
Attachment #483223 -
Flags: review?(mrbkap) → review+
Comment 10 (Assignee) • 15 years ago
Updated (Reporter) • 15 years ago
OS: Windows 7 → All
Summary: crash [@ JSObject::unwrap(unsigned int*) ] → crash [@ JSObject::unwrap(unsigned int*) ] [@ JSObject::unwrap ]
Updated • 15 years ago
Severity: major → critical
Comment 11 • 15 years ago
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated • 14 years ago
Crash Signature: [@ JSObject::unwrap(unsigned int*) ]
[@ JSObject::unwrap ]