crash [@ xpc::holder_get ] [@ xpc::GetWrappedNativeObjectFromHolder ]

Status: RESOLVED FIXED; critical; 8 years ago, 7 years ago

People: Reporter: scoobidiver, Assigned: mrbkap

Tracking: Trunk, x86, All; crash, regression; Points: ---; Bug Flags: in-testsuite ?

Firefox Tracking Flags: blocking2.0 beta7+

Details: Whiteboard: fixed-in-tracemonkey, crash signature

Attachments: 1 attachment

Description (Reporter), 8 years ago
Build: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101014 Firefox/4.0b8pre

This is a new crash signature. Crashes first appeared in the b8pre/20101011 build.
It is the #10 top crasher in 4.0b8pre for the last week.

Signature	xpc::holder_get
UUID	bf1b8924-9a65-4214-b4e2-1615d2101014
Time 	2010-10-14 07:27:49.141277
Uptime	24
Last Crash	26 seconds before submission
Install Age	83 seconds since version was first installed.
Product	Firefox
Version	4.0b8pre
Build ID	20101014041748
Branch	2.0
OS	Windows NT
OS Version	6.1.7600
CPU	x86
CPU Info	AuthenticAMD family 15 model 47 stepping 2
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x34
App Notes 	AdapterVendorID: 1002, AdapterDeviceID: 4153

Frame 	Module 	Signature 	Source
0 	xul.dll 	xpc::holder_get 	js/src/xpconnect/wrappers/XrayWrapper.cpp:161
1 	mozjs.dll 	js_GetProperty 	js/src/jsobj.cpp:5151
2 	mozjs.dll 	js_CreateThis 	js/src/jsobj.cpp:2783
3 	mozjs.dll 	js::InvokeConstructor 	js/src/jsinterp.cpp:1265
4 	mozjs.dll 	JS_New 	js/src/jsapi.cpp:5000
5 	mozjs.dll 	js::JSProxyHandler::construct 	js/src/jsproxy.cpp:273
6 	mozjs.dll 	JSCrossCompartmentWrapper::construct 	js/src/jswrapper.cpp:609
7 	mozjs.dll 	js::JSProxy::construct 	js/src/jsproxy.cpp:809
8 	mozjs.dll 	js::proxy_Construct 	js/src/jsproxy.cpp:1036
9 	mozjs.dll 	js::InvokeConstructor 	js/src/jsinterp.cpp:1256
10 	mozjs.dll 	js::mjit::ic::NativeNew 	js/src/methodjit/MonoIC.cpp:668
11 		@0xf4f1d43 	
12 	mozjs.dll 	js::mjit::EnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:742
13 	mozjs.dll 	CheckStackAndEnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:767
14 	mozjs.dll 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:784
15 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:635
16 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:747
17 	mozjs.dll 	js::ExternalInvoke 	js/src/jsinterp.cpp:871
18 	mozjs.dll 	js::JSProxyHandler::call 	js/src/jsproxy.cpp:259
19 	mozjs.dll 	JSCrossCompartmentWrapper::call 	js/src/jswrapper.cpp:590
20 	mozjs.dll 	js::JSProxy::call 	js/src/jsproxy.cpp:802
21 	mozjs.dll 	js::proxy_Call 	js/src/jsproxy.cpp:1027
22 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:674
23 	mozjs.dll 	js::ExternalInvoke 	js/src/jsinterp.cpp:871
24 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:4961
25 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1692
26 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:571
27 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114
28 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
29 	xul.dll 	nsEventListenerManager::HandleEventSubType 	content/events/src/nsEventListenerManager.cpp:1112

The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=26c47ba8064f&tochange=5a41a70eb631

More reports at:
http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&range_value=4&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=xpc%3A%3Aholder_get

Updated

8 years ago
status2.0: --- → ?

Comment 1

8 years ago
I think this is a dup of bug 544610.

Comment 2

8 years ago
Sorry, wrong bug. Please ignore #1.
(Reporter)

Updated

8 years ago
blocking2.0: --- → ?
status2.0: ? → ---
A few of the crashes are at 0x20.  Most are at 0x34, and the OS 10.6 ones are at 0x60.
Ah, the 0x20 are builds from before bug 584917 changed the layout of JSObject.
On 64-bit, 0x60 is the offset of |slots| in JSObject.  So presumably |holder| is null?
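
The reasoning in the comments above (a read fault at a small address equals the offset of the field loaded through a null pointer, so the address shifts whenever the object layout or pointer size changes), as an added C example that is not part of this bug or of Mozilla's code. `demo_object` and its fields are a hypothetical layout, not the real JSObject, so its offsets will not match 0x20, 0x34 or 0x60.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout for illustration only; NOT the real JSObject. */
struct demo_object {
    void     *map;
    void     *clasp;
    uint32_t  flags;
    uint32_t  object_flags;
    void     *proto;
    void     *parent;
    void    **slots;     /* field loaded through the holder pointer */
    void     *fixed[3];
};

struct field { const char *name; size_t off, size; };
#define FIELD(f) { #f, offsetof(struct demo_object, f), \
                   sizeof(((struct demo_object *)0)->f) }
static const struct field demo_fields[] = {
    FIELD(map), FIELD(clasp), FIELD(flags), FIELD(object_flags),
    FIELD(proto), FIELD(parent), FIELD(slots), FIELD(fixed),
};

/* Address read when loading obj->slots; with base == 0 it is the offset. */
uintptr_t slots_load_address(uintptr_t base)
{
    return base + offsetof(struct demo_object, slots);
}

/* Name the field a load through a NULL demo_object* would touch at
   crash_addr, or NULL if a null base cannot explain that address. */
const char *field_for_null_base(uintptr_t crash_addr)
{
    size_t i, n = sizeof demo_fields / sizeof demo_fields[0];
    for (i = 0; i < n; i++)
        if (crash_addr >= demo_fields[i].off &&
            crash_addr <  demo_fields[i].off + demo_fields[i].size)
            return demo_fields[i].name;
    return NULL;   /* beyond the struct, or in padding */
}

int main(void)
{
    uintptr_t a = slots_load_address(0);   /* simulated null holder */
    printf("0x%lx -> %s\n", (unsigned long)a, field_for_null_base(a));
    return strcmp(field_for_null_base(a), "slots") != 0;
}
```

Compiling the same file with `-m32` and `-m64` gives two different fault addresses for the same null-holder read, which is the pattern the crash reports show across platforms.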

Updated

8 years ago
blocking2.0: ? → beta7+
I think this might be fixed by the patch that landed (on tracemonkey) for bug 604368. I'll make sure it gets into the nightlies on m-c and we'll see from there.
I just grabbed a tracemonkey-latest build (in the last 20 minutes) and I can still reproduce this crash.

bp-c6126e3c-891e-4182-89de-4c3ad2101014
bp-3ef1fd44-de5c-4b0c-a30d-be4732101014

about:buildconfig says
    Built from http://hg.mozilla.org/tracemonkey/rev/0b754642eedb

Comment 9

8 years ago
I will try to catch this in a debug build.
(Reporter)

Comment 10

8 years ago
It also happens on linux with a different crash signature: xpc::GetWrappedNativeObjectFromHolder, but almost the same stack trace.

More reports at:
http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&range_value=4&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=xpc%3A%3AGetWrappedNativeObjectFromHolder
OS: Windows 7 → All
Summary: crash [@ xpc::holder_get ] → crash [@ xpc::holder_get ] [@ xpc::GetWrappedNativeObjectFromHolder ]
Created attachment 484042
Fix

Oops, I forgot to bump the other slot numbers. This *probably* is the bug here, though it's hard to tell.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #484042 - Flags: review?(peterv)
Flags: in-testsuite?
Attachment #484042 - Flags: review?(peterv) → review+

Comment 14

8 years ago
How long before this lands, considering that this missed the latest TM->MC merge?

This bug is occurring if Greasemonkey is enabled.
Status: ASSIGNED → NEW
http://hg.mozilla.org/mozilla-central/rev/34d43093c1e0
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Crash Signature: [@ xpc::holder_get ] [@ xpc::GetWrappedNativeObjectFromHolder ]