Last Comment Bug 605290 - Crash in [@ JSCompartment::wrap(JSContext*, js::Value*) ] [@ JSCompartment::wrap] mainly with Firebug (Mac) or Adblock Plus (Windows) or Video Download Helper (both)
: Crash in [@ JSCompartment::wrap(JSContext*, js::Value*) ] [@ JSCompartment::w...
Status: RESOLVED FIXED
[compartments][softblocker][tbird crash]
: crash, regression, topcrash
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86 All
: -- critical with 3 votes (vote)
: mozilla8
Assigned To: David Mandelin [:dmandelin]
:
Mentors:
: 676703 (view as bug list)
Depends on: 623441 626936 627227 635298
Blocks:
  Show dependency treegraph
 
Reported: 2010-10-18 15:07 PDT by Marcia Knous [:marcia - use ni]
Modified: 2013-12-27 14:23 PST (History)
29 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
affected


Attachments
Patch (1.54 KB, patch)
2011-07-12 13:51 PDT, David Mandelin [:dmandelin]
luke: review+
Details | Diff | Review
Patch v2 (3.83 KB, patch)
2011-07-12 18:25 PDT, David Mandelin [:dmandelin]
luke: review+
Details | Diff | Review
Patch v3 (3.98 KB, patch)
2011-07-14 15:47 PDT, David Mandelin [:dmandelin]
luke: review+
Details | Diff | Review

Description Marcia Knous [:marcia - use ni] 2010-10-18 15:07:17 PDT
Seen while reviewing chofmann's daily crash report. http://tinyurl.com/3xjjzn7 to the crashes which are all Windows. Crashes started showing up in crash stats using the 2010101300 build.

Frame 	Module 	Signature [Expand] 	Source
0 	mozjs.dll 	JSCompartment::wrap 	js/src/jscompartment.cpp:147
1 	mozjs.dll 	JSCrossCompartmentWrapper::call 	js/src/jswrapper.cpp:594
2 	mozjs.dll 	js::JSProxy::call 	js/src/jsproxy.cpp:802
3 	mozjs.dll 	js::proxy_Call 	js/src/jsproxy.cpp:1027
4 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:674
5 	mozjs.dll 	js::ExternalInvoke 	js/src/jsinterp.cpp:871
6 	mozjs.dll 	js::ExternalGetOrSet 	js/src/jsinterp.cpp:891
7 	mozjs.dll 	js::JSProxyHandler::get 	js/src/jsproxy.cpp:131
8 	mozjs.dll 	js::JSProxy::get 	js/src/jsproxy.cpp:774
9 	mozjs.dll 	js::proxy_GetProperty 	js/src/jsproxy.cpp:867
10 	mozjs.dll 	JSObject::getProperty 	js/src/jsobj.h:1047
11 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:4115
12 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:638
13 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:747
14 	mozjs.dll 	js_fun_apply 	js/src/jsfun.cpp:2369
15 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:4714
16 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:638
17 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:747
18 	mozjs.dll 	js_fun_apply 	js/src/jsfun.cpp:2369
19 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:4714
20 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:638
21 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:747
22 	mozjs.dll 	js_fun_apply 	js/src/jsfun.cpp:2369
23 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:4714
24 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:638
25 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:747
26 	mozjs.dll 	js::InvokeSessionGuard::invoke 	js/src/jsinterpinlines.h:553
27 	mozjs.dll 	array_extra 	js/src/jsarray.cpp:2721
28 	mozjs.dll 	array_forEach 	js/src/jsarray.cpp:2778
29 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:4714
30 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:638
31 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:747
32 	mozjs.dll 	js_fun_apply 	js/src/jsfun.cpp:2369
33 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:4714
34 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:638
35 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:747
36 	mozjs.dll 	js::ExternalInvoke 	js/src/jsinterp.cpp:871
37 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:4961
38 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1692
39 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:571
40 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114
41 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
42 	xul.dll 	nsBrowserStatusFilter::OnLocationChange 	toolkit/components/statusfilter/nsBrowserStatusFilter.cpp:231
43 	xul.dll 	nsDocLoader::FireOnLocationChange 	uriloader/base/nsDocLoader.cpp:1377
44 	xul.dll 	nsDocShell::CreateContentViewer 	docshell/base/nsDocShell.cpp:7403
45 	xul.dll 	nsDSURIContentListener::DoContent 	docshell/base/nsDSURIContentListener.cpp:138
46 	xul.dll 	nsDocumentOpenInfo::TryContentListener 	uriloader/base/nsURILoader.cpp:757
47 	xul.dll 	nsDocumentOpenInfo::DispatchContent 	uriloader/base/nsURILoader.cpp:455
48 	xul.dll 	nsDocumentOpenInfo::OnStartRequest 	uriloader/base/nsURILoader.cpp:295
49 	xul.dll 	nsHttpChannel::CallOnStartRequest 	netwerk/protocol/http/nsHttpChannel.cpp:770
50 	xul.dll 	nsHttpChannel::ContinueProcessNormal 	netwerk/protocol/http/nsHttpChannel.cpp:1228
51 	mozcrt19.dll 	arena_dalloc_small 	obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4204
52 	mozcrt19.dll 	arena_dalloc 	obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4281
53 	xul.dll 	nsHttpChannel::ProcessNormal 	netwerk/protocol/http/nsHttpChannel.cpp:1165
54 	xul.dll 	nsHttpChannel::ProcessResponse 	netwerk/protocol/http/nsHttpChannel.cpp:1052
55 	xul.dll 	nsHttpChannel::OnStartRequest 	netwerk/protocol/http/nsHttpChannel.cpp:3805
56 	xul.dll 	nsInputStreamPump::OnStateStart 	netwerk/base/src/nsInputStreamPump.cpp:441
57 	xul.dll 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:397
58 	xul.dll 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:112
59 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:547
60 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
61 	xul.dll 	xul.dll@0xae48cb 	
62 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:202
63 	mozsqlite3.dll 	sqlite3Pragma 	
64 	nspr4.dll 	PR_IsNetAddrType 	nsprpub/pr/src/misc/prnetdb.c:1533
65 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:176
66 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:180
67 	xul.dll 	xul.dll@0xae48cb 	
68 	xul.dll 	nsAppShell::Run 	widget/src/windows/nsAppShell.cpp:243
69 	nss3.dll 	pkix_pl_CertNameConstraints_ToString 	security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_nameconstraints.c:539
Comment 1 chris hofmann 2010-10-18 18:39:07 PDT
looks like this might have first appeared on the trunk on sept 14 in builds from the 13th.  slow uptick in volume after that.

date     tl crashes at, count build, count build, ...
         JSCompartment::wrap.JSContext...js::Value..   
20101013   
20101014 3  2 4.0b8pre2010101404, 
	        1 4.0b8pre2010101322, 
20101015 5  4 4.0b8pre2010101504, 
	        1 4.0b8pre2010101404, 
20101016 6  3 4.0b8pre2010101604, 
	        3 4.0b8pre2010101504, 
20101017 9  6 4.0b8pre2010101604, 
	        2 4.0b8pre2010101704, 1 4.0b8pre2010101504,
Comment 3 Damon Sicore (:damons) 2010-10-19 12:03:39 PDT
Blocking 2.0 beta 8 to make sure we investigate this.
Comment 4 David Mandelin [:dmandelin] 2010-10-28 15:49:34 PDT
This one's been dropping the past few days. It is probably fallout from various compartment/thread faults that are being fixed.
Comment 5 IU 2010-10-31 21:49:48 PDT
I encountered this yesterday, with the Oct 30th nightly build.  It occurred when I clicked another tab while a cbsnews.com video was playing; however, I'm unable to find a way to reproduce. 

http://crash-stats.mozilla.com/report/index/bp-2b8c48fa-1879-4d31-a391-0fc9a2101030
Comment 6 Alex Limi (:limi) — Firefox UX Team 2010-11-17 11:46:37 PST
I had it happen on a Mac, here's my report:

http://crash-stats.mozilla.com/report/index/bp-5aaabfe4-13d8-41f9-ad4d-7469d2101117
Comment 7 Chris Jones [:cjones] inactive; ni?/f?/r? if you need me 2010-11-18 19:21:03 PST
Somewhat similar-looking crash on tinderbox:

http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1290133792.1290136166.20784.gz
WINNT 5.2 mozilla-central debug test mochitest-other on 2010/11/18 18:29:52 
s: mw32-ix-slave05
PROCESS-CRASH | Main app process exited normally | application crashed (minidump found)
Thread 0 (crashed)
TEST-UNEXPECTED-FAIL | chrome://mochitests/content/browser/toolkit/mozapps/extensions/test/xpinstall/browser_badargs.js | Exited with code -1073741819 during test run
PROCESS-CRASH | chrome://mochitests/content/browser/toolkit/mozapps/extensions/test/xpinstall/browser_badargs.js | application crashed (minidump found)
Thread 0 (crashed)
TEST-UNEXPECTED-FAIL | automationutils.processLeakLog() | missing output line for total leaks!

Crash reason:  EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0xffffffffdadadb26

Thread 0 (crashed)
 0  mozjs.dll!JSCompartment::wrap(JSContext *,js::Value *) [jscompartment.cpp:302e3ea21728 : 165 + 0x8]
    eip = 0x00697210   esp = 0x0012b874   ebp = 0x0012b8b4   ebx = 0x00000001
    esi = 0x089d1f74   edi = 0xffff0007   eax = 0xdadadada   ecx = 0x05ef14c8
    edx = 0x05ef1000   efl = 0x00010282
    Found by: given as instruction pointer in context
 1  mozjs.dll!JSCompartment::wrap(JSContext *,JSObject * *) [jscompartment.cpp:302e3ea21728 : 265 + 0x14]
    eip = 0x006978ed   esp = 0x0012b8bc   ebp = 0x0012b8fc
    Found by: previous frame's frame pointer
 2  mozjs.dll!JS_WrapObject [jsapi.cpp:302e3ea21728 : 1209 + 0x12]
    eip = 0x005f0127   esp = 0x0012b904   ebp = 0x0012b914
    Found by: previous frame's frame pointer
 3  xul.dll!XPCConvert::NativeInterface2JSObject(XPCLazyCallContext &,jsval_layout *,nsIXPConnectJSObjectHolder * *,xpcObjectHelper &,nsID const *,XPCNativeInterface * *,JSObject *,int,int,unsigned int *) [xpcconvert.cpp:302e3ea21728 : 1199 + 0x12]
    eip = 0x11162b66   esp = 0x0012b91c   ebp = 0x0012ba18
    Found by: call frame info
 4  xul.dll!XPCConvert::NativeData2JS(XPCLazyCallContext &,jsval_layout *,void const *,nsXPTType const &,nsID const *,JSObject *,unsigned int *) [xpcconvert.cpp:302e3ea21728 : 491 + 0x27]
    eip = 0x11160d55   esp = 0x0012ba20   ebp = 0x0012bbac
    Found by: call frame info
 5  xul.dll!XPCConvert::NativeData2JS(XPCCallContext &,jsval_layout *,void const *,nsXPTType const &,nsID const *,JSObject *,unsigned int *) [xpcprivate.h:302e3ea21728 : 3231 + 0x23]
    eip = 0x11164e06   esp = 0x0012bbb4   ebp = 0x0012bc94
    Found by: call frame info
 6  xul.dll!CallMethodHelper::GatherAndConvertResults() [xpcwrappednative.cpp:302e3ea21728 : 2562 + 0x2f]
    eip = 0x11170ae4   esp = 0x0012bc9c   ebp = 0x0012be10
    Found by: call frame info
 7  xul.dll!CallMethodHelper::Call() [xpcwrappednative.cpp:302e3ea21728 : 2319 + 0x7]
    eip = 0x1117020c   esp = 0x0012be18   ebp = 0x0012be24
    Found by: call frame info
 8  xul.dll!XPCWrappedNative::CallMethod(XPCCallContext &,XPCWrappedNative::CallMode) [xpcwrappednative.cpp:302e3ea21728 : 2268 + 0x15]
    eip = 0x1116ff3d   esp = 0x0012be2c   ebp = 0x0012bfa8
    Found by: call frame info
 9  xul.dll!XPC_WN_CallMethod(JSContext *,unsigned int,jsval_layout *) [xpcwrappednativejsops.cpp:302e3ea21728 : 1594 + 0xd]
    eip = 0x11154d8c   esp = 0x0012bfb0   ebp = 0x0012c07c
    Found by: call frame info
10  mozjs.dll!js::CallJSNative(JSContext *,int (*)(JSContext *,unsigned int,js::Value *),unsigned int,js::Value *) [jscntxtinlines.h:302e3ea21728 : 684 + 0xe]
    eip = 0x0069bb04   esp = 0x0012c084   ebp = 0x0012c0a0
    Found by: call frame info
11  mozjs.dll!js::Interpret(JSContext *,JSStackFrame *,unsigned int,JSInterpMode) [jsinterp.cpp:302e3ea21728 : 4743 + 0x20]
    eip = 0x006ad2ac   esp = 0x0012c0a8   ebp = 0x0012d10c
    Found by: call frame info
12  mozjs.dll!js::RunScript(JSContext *,JSScript *,JSStackFrame *) [jsinterp.cpp:302e3ea21728 : 657 + 0x10]
    eip = 0x0069b20c   esp = 0x0012d114   ebp = 0x0012d134   ebx = 0x00000001
    Found by: call frame info
13  mozjs.dll!js::Invoke(JSContext *,js::CallArgs const &,unsigned int) [jsinterp.cpp:302e3ea21728 : 737 + 0x10]
    eip = 0x0069b677   esp = 0x0012d13c   ebp = 0x0012d194
    Found by: call frame info
14  mozjs.dll!js::ExternalInvoke(JSContext *,js::Value const &,js::Value const &,unsigned int,js::Value *,js::Value *) [jsinterp.cpp:302e3ea21728 : 858 + 0xe]
    eip = 0x0069c683   esp = 0x0012d19c   ebp = 0x0012d1d4
    Found by: call frame info
15  mozjs.dll!js::ExternalInvoke [jsinterp.h:302e3ea21728 : 954 + 0x29]
    eip = 0x00600490   esp = 0x0012d1dc   ebp = 0x0012d1fc
    Found by: call frame info
16  mozjs.dll!JS_CallFunctionValue [jsapi.cpp:302e3ea21728 : 4973 + 0x37]
    eip = 0x006008e4   esp = 0x0012d204   ebp = 0x0012d230
    Found by: call frame info
17  xul.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS *,unsigned short,XPTMethodDescriptor const *,nsXPTCMiniVariant *) [xpcwrappedjsclass.cpp:302e3ea21728 : 1694 + 0x37]
    eip = 0x112254bb   esp = 0x0012d238   ebp = 0x0012d69c
    Found by: call frame info
18  xul.dll!nsXPCWrappedJS::CallMethod(unsigned short,XPTMethodDescriptor const *,nsXPTCMiniVariant *) [xpcwrappedjs.cpp:302e3ea21728 : 588 + 0x29]
    eip = 0x1121fc93   esp = 0x0012d6a4   ebp = 0x0012d6dc
    Found by: call frame info
19  xul.dll!PrepareAndDispatch [xptcstubs.cpp:302e3ea21728 : 114 + 0x20]
    eip = 0x114f6bc6   esp = 0x0012d6e4   ebp = 0x0012d7b0
    Found by: call frame info
20  xul.dll!SharedStub [xptcstubs.cpp:302e3ea21728 : 141 + 0x4]
    eip = 0x114f6896   esp = 0x0012d7b8   ebp = 0x0012d7cc
    Found by: call frame info
21  xul.dll!NS_InvokeByIndex_P [xptcinvoke.cpp:302e3ea21728 : 102 + 0x2]
    eip = 0x114f6697   esp = 0x0012d7d4   ebp = 0x0012d7cc
    Found by: call frame info with scanning
Comment 8 Scoobidiver (away) 2010-11-28 05:59:51 PST
It is #25 top crasher in 4.0b8pre for the last week.
Comment 9 chris hofmann 2010-12-09 18:18:20 PST
about 20-30 crashes per day now on beta7 and b8pre

         JSCompartment::wrap

date     total    breakdown by build
         crashes  count build, count build, ...

20101130 29  	22 4.0b72010110413, 
        		3 4.0b8pre2010113003, 	3 4.0b72010110412, 
        		1 4.0b8pre2010112803, 

Mardak may have isolated part of the problem in Bug 618118
Comment 10 Jeff Muizelaar [:jrmuizel] 2010-12-30 09:30:16 PST
I can reproduce something like this problem by going to http://old.thesixtyone.com/ with the web inspector open.
Comment 11 Jeff Muizelaar [:jrmuizel] 2010-12-30 09:30:39 PST
I get this crash: http://crash-stats.mozilla.com/report/index/bp-5fdba53c-5c83-45e0-bd3e-fad2a2101230
Comment 12 christian 2011-01-04 15:33:16 PST
As per today's meeting, beta 9 will be a time-based release. Marking these all betaN+. Please move it back to beta9+ if  you believe it MUST be in the next beta (ie: trunk is in an unshippable state without this)
Comment 13 chris hofmann 2011-01-04 16:26:46 PST
volume reduced on this in beta 8

down in ranking to #74	v. #18	in beta7 for
JSCompartment::wrap(JSContext*, js::Value*)
Comment 14 David Mandelin [:dmandelin] 2011-01-04 18:06:44 PST
This appears to be at least 3 separate bugs: one where the crash address is 0, another where is is 4, and at least one more with other addresses. 0 is the most common address. For that one, the problem is that XPCWrappedNative::CallMethod is trying to wrap an object jsval where the payload is 0 (i.e., an invalid jsval). We'd need to trace back further where that bad value is coming from in order to figure out more.

Given that the volume is not too high, especially of each of the 3 sub-bugs, I'm going to put a lower priority on this, but it would still be nice to figure out more if possible.
Comment 15 Luke Wagner [:luke] 2011-01-06 12:11:37 PST
The null-tagged-as-object case could be caused by code not testing OOM and using the internal setObject/ObjectValue API (which does not dynamically test for null).  Bug 623441 found such case in JSCompartment::wrap so we should see what happens to these crashes when that lands.
Comment 16 Luke Wagner [:luke] 2011-01-14 18:44:43 PST
Bug 623441 didn't seem to be the cause.
Comment 17 Asa Dotzler [:asa] 2011-01-30 02:47:16 PST
My wife sees this crash several times a day on windows on beta 10. Is there anything I can do to provide more information to help this bug along?
Comment 18 Mike Shaver (:shaver -- probably not reading bugmail closely) 2011-01-30 07:25:37 PST
If she's on Windows, then https://developer.mozilla.org/Capturing_a_minidump would be very very helpful.
Comment 19 Luke Wagner [:luke] 2011-01-30 16:23:17 PST
Asa: could you test whether she experiences the same crash on a nightly?  The reason I ask is that bug 627227 should fix a set of these crashes (what percent, I don't know) and it missed b10 but is in nightlies.
Comment 20 Asa Dotzler [:asa] 2011-01-30 16:39:24 PST
Luke, will do.
Comment 21 Wayne Mery (:wsmwk, NI for questions) 2011-03-18 15:19:05 PDT
bp-74b6004c-a0cc-452c-afc7-6217c2110318 0x4  using FF 4.0rc1 on vista is my first occurrence of this crash afaik.  Interesting that the crash calls out http://platform0.twitter.com/widgets/tweet_button.html?_=1300478420908&count=horizontal&lang=en&text=Logitech%20Wireless%20Keyboard%20%7C%20eHow.com&url=http%3A%2F%2Fwww.ehow.com%2Flogitech-wireless-keyboard%2F&via=ehow ... I never accessed such a link, so it must be something from behind a google search or from an ehow page (where I did in fact search on logitech wireless keyboard) which I had not touched since restarting firefox and doing session restore.

I crash OOM once or twice a week, so comment 14 may be relevant to my crash. 

OTOH, there are comments on crash-stats like
* 4.0 Pre-release after 8 hrs running. 17? open Tabs.  (which isn't much)
* wasn't doing anything. Came home and Firefox had crashed...

2/3 of 4.0 crashes from the past week are 0x4 
https://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A4.0&query_search=signature&query_type=exact&query=JSCompartment%3A%3Awrap%28JSContext*%2C%20js%3A%3AValue*%29&date=03%2F18%2F2011%2015%3A04%3A25&range_value=1&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=1&signature=JSCompartment%3A%3Awrap%28JSContext*%2C%20js%3A%3AValue*%29

Thunderbird also sees this - mostly of the 
0	mozjs.dll	JSCompartment::wrap	js/src/jscompartment.cpp:190
1	mozjs.dll	JSCompartment::wrap	js/src/jscompartment.cpp:315
2	mozjs.dll	JS_WrapObject	js/src/jsapi.cpp:1249 
variety, as in bp-9ee49f39-958a-4ed5-9fb7-4c8cd2110311

The other, eg bp-fe8c7a5f-8a26-4e54-ac6e-dc3062110118, is 
0	mozjs.dll	JSCompartment::wrap	js/src/jscompartment.cpp:190
1	mozjs.dll	JS_WrapValue	js/src/jsapi.cpp:1256
2	xul.dll	mozJSComponentLoader::ImportInto	js/src/xpconnect/loader/mozJSComponentLoader.cpp:1562
3	xul.dll	mozJSComponentLoader::Import	js/src/xpconnect/loader/mozJSComponentLoader.cpp:1385
4	xul.dll	nsXPCComponents_Utils::Import	js/src/xpconnect/src/xpccomponents.cpp:3793
5	xul.dll	NS_InvokeByIndex_P	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
Comment 22 Wayne Mery (:wsmwk, NI for questions) 2011-03-18 15:25:33 PDT
#23 crash for 4.0 and apparently climbing
Comment 23 Wayne Mery (:wsmwk, NI for questions) 2011-03-18 15:58:26 PDT
(In reply to comment #21)
> bp-74b6004c-a0cc-452c-afc7-6217c2110318 0x4  using FF 4.0rc1 on vista is my
> first occurrence of this crash afaik.  

to be explicit - I've been running various trunk builds continuously for months (it's not like I only just started using 4.0).  Also, at time of crash I had ~300 tabs

-----

0x4 Mac and linux crashes with signature and frame 1 JSCompartment::wrap
bp-7d640768-87f2-42ae-844e-0a46f2110318
App Notes	WebGL? GL Context? GL Context+
WebGL+
bp-0c26149d-4c6c-4ca6-b7e7-2b63b2110317

----

0x0 Mac and linux crashes have JSContext::wrapPendingException for frame 1
bp-07b11e33-8287-41fd-afc7-d95e82110317
bp-91af44ab-d2b9-4940-af05-f03a02110316
Frame	Module	Signature [Expand]	Source
0	XUL	JSCompartment::wrap	js/src/jscompartment.cpp:241
1	XUL	JSContext::wrapPendingException	js/src/jscntxt.cpp:2039
2	XUL	js::AutoCompartment::enter	js/src/jswrapper.cpp:392
3	XUL	JS_EnterCrossCompartmentCall	js/src/jsapi.cpp:1185
4	XUL	JSAutoEnterCompartment::enter	js/src/jsapi.cpp:1225
5	XUL	nsXPCWrappedJSClass::CallMethod	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1318
Comment 24 Scoobidiver (away) 2011-03-29 14:40:26 PDT
> #23 crash for 4.0 and apparently climbing
until #18 top crasher in 4.0 over the last 3 days.
Comment 25 Sheila Mooney 2011-03-31 11:24:56 PDT
dmandelin - have we looked at this at all? Do we know anything?
Comment 26 David Mandelin [:dmandelin] 2011-03-31 11:52:37 PDT
(In reply to comment #25)
> dmandelin - have we looked at this at all? Do we know anything?

Not much. See comment 14 for the first look. The population has changed since then: 0x4 is the most common crash address now. Those crash here:

226 JSObject *global;
227 if (cx->hasfp()) {
228     global = cx->fp()->scopeChain().getGlobal();
229 } else {
230     global = cx->globalObject;
231     OBJ_TO_INNER_OBJECT(cx, global);
        ^^^^^^^^^^
        crash here

232 if (!global)
233     return false;
234 } 

OBJ_TO_INNER_OBJECT reads &global->clasp, and offsetof(JSObject, clasp) is 4, so this is an NPE on |cx->globalObject|. 

So this might be pretty simple: we need to check for null before innerizing as well. But there is also a comment saying that parenting all wrappers to the global is very cheesy, so maybe we should be doing something else entirely.

Andreas, does it seem right to just add another null check?
Comment 27 Blake Kaplan (:mrbkap) (please use needinfo!) 2011-03-31 15:28:33 PDT
I'm a little wary of that... I don't know of any contexts that we create that have a null globalObject.
Comment 28 David Mandelin [:dmandelin] 2011-03-31 17:41:00 PDT
(In reply to comment #27)
> I'm a little wary of that... I don't know of any contexts that we create that
> have a null globalObject.

Q. Do our invariants allow null globalObject? i.e., are you saying that's a straight-out bug?

This crash is somewhat correlated with a bunch of add-ons--maybe they are creating these contexts with null globalObjects. If so, how should we guard against that? Get back to the authors, or cover for it ourselves?
Comment 29 city_zen 2011-04-15 01:25:41 PDT
(In reply to comment #28)
> This crash is somewhat correlated with a bunch of add-ons

David,
Is there a list of the add-ons that MAY be causing this crash? I'm trying to identify which of my installed add-ons may be the culprit(s), but this process is very time consuming and a list of potential crash-causing add-ons, based on the aggregate information of all reported crashes of this type, would be very welcome
Comment 30 David Mandelin [:dmandelin] 2011-04-15 11:33:31 PDT
(In reply to comment #29)
> (In reply to comment #28)
> > This crash is somewhat correlated with a bunch of add-ons
> 
> David,
> Is there a list of the add-ons that MAY be causing this crash? I'm trying to
> identify which of my installed add-ons may be the culprit(s), but this process
> is very time consuming and a list of potential crash-causing add-ons, based on
> the aggregate information of all reported crashes of this type, would be very
> welcome

For Windows, see http://bit.ly/hFGYtS, click "Correlations", and scroll down to the list of addons. 
For Mac/Linux, same, but URL is http://bit.ly/dOiKDo

Let me know if you can't find them. The big ones are currently Firbug, Adblock Plus, and Video DownloadHelper, but there are several more.
Comment 31 chris hofmann 2011-04-18 20:17:25 PDT
jorge,  is there an easy to work though this list and identify which of these addons have binary components?

41 48 (87/180) vs.   7 (3739/57509) {b9db16a4-6edc-47ec-a1f4-b86292ed211d} (Video DownloadHelper, https://addons.mozilla.org/addon/3006)
33 45 (81/180) vs.  12 (6757/57509) {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} (Adblock Plus, https://addons.mozilla.org/addon/1865)
17 19 (34/180) vs.   2 (1073/57509) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843)
15 18 (32/180) vs.   3 (1998/57509) {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} (Download Statusbar, https://addons.mozilla.org/addon/26)
14 17 (31/180) vs.   3 (1810/57509) {e4a8a97b-f2ed-450b-b12d-ee082ba24781} (Greasemonkey, https://addons.mozilla.org/addon/748)
13 15 (27/180) vs.   2 (1417/57509) {DDC359D1-844A-42a7-9AA1-88A850A938A8} (DownThemAll!, https://addons.mozilla.org/addon/201)
12 37 (67/180) vs.  25 (14549/57509) {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
10 12 (21/180) vs.   2 (880/57509) {dc572301-7619-498c-a57d-39143191b318} (Tab Mix Plus, https://addons.mozilla.org/addon/1122)
8 19 (34/180) vs.  11 (6519/57509) {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
8 13 (24/180) vs.   5 (2840/57509) personas@christopher.beard (Personas, https://addons.mozilla.org/addon/10900)
8 12 (21/180) vs.   4 (2290/57509) {3112ca9c-de6d-4884-a869-9855de68056c} (Google Toolbar, https://addons.mozilla.org/addon/6249)
7 9 (17/180) vs.   2 (1196/57509) {1018e4d6-728f-4b20-ad56-37578a4de76b} (Flagfox, https://addons.mozilla.org/addon/5791)
7 9 (16/180) vs.   2 (911/57509) foxmarks@kei.com (Xmarks (formerly Foxmarks), https://addons.mozilla.org/addon/2410)
7 8 (14/180) vs.   1 (778/57509) piclens@cooliris.com (Cooliris, https://addons.mozilla.org/addon/5579)
7 8 (14/180) vs.   1 (468/57509) {c45c406e-ab73-11d8-be73-000a95be3b12} (Web Developer, https://addons.mozilla.org/addon/60)
7 13 (23/180) vs.   6 (3632/57509) {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
6 8 (15/180) vs.   2 (1174/57509) {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Console, http://java.sun.com/javase/downloads/)
6 7 (12/180) vs.   1 (537/57509) {a7c6cf7f-112c-4500-a7ea-39801a327e5f} (FireFTP, https://addons.mozilla.org/addon/684)
6 21 (37/180) vs.  15 (8461/57509) {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
6 19 (35/180) vs.  13 (7234/57509) {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
5 9 (17/180) vs.   4 (2276/57509) {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} (Java Console, http://java.sun.com/javase/downloads/)
5 8 (15/180) vs.   3 (1457/57509) {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} (Java Console, http://java.sun.com/javase/downloads/)
5 7 (13/180) vs.   2 (1236/57509) {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} (FlashGot, https://addons.mozilla.org/addon/220)
5 6 (10/180) vs.   1 (311/57509) isreaditlater@ideashower.com (Read It Later, https://addons.mozilla.org/addon/7661)
Comment 32 Jorge Villalobos [:jorgev] 2011-04-19 08:54:52 PDT
Cooliris has binary components and a binary plugin.

Google Toolbar has binary components.

Java Console most likely has binaries, but I didn't install it.

The rest don't have any binaries. FWIW, that looks more like a list of the top add-ons by usage, so maybe there's no strong correlation to an add-on.
Comment 33 chris hofmann 2011-04-19 09:08:15 PDT
I poked around a bit on mxr too.

Is it possible we might also get hit by addons that don't ship binary components, but call into os/third party .dlls that they find available on the system?

here is what got me thinking about that idea in the downloadhelper code
https://mxr.mozilla.org/addons/source/3006/components/dhConvertMgr.js#169

the numbers for a lot of the windows os .dll's are also higher that in the general population in the list at http://bit.ly/hFGYtS
Comment 34 Robert Claypool 2011-07-09 05:58:05 PDT
I have a crash dump. How should I share it?
Comment 35 Ludovic Hirlimann [:Usul] 2011-07-11 06:30:58 PDT
(In reply to comment #34)
> I have a crash dump. How should I share it?

zip/gzip it and use the add an attachment link above.
Comment 36 Robert Claypool 2011-07-11 15:16:07 PDT
I'm getting a file too large error. The file is 355,418,174 bytes.
Comment 37 David Mandelin [:dmandelin] 2011-07-11 16:34:17 PDT
(In reply to comment #36)
> I'm getting a file too large error. The file is 355,418,174 bytes.

Do you have a website where you could host it? Alternatively, I think you could share it with me via Dropbox.
Comment 38 David Mandelin [:dmandelin] 2011-07-12 13:51:24 PDT
Created attachment 545467 [details] [diff] [review]
Patch

Robert, thanks for sending the dump and getting this back on the radar. After looking at that (it's another of the NPE set, which I said was the most common kind earlier) and talking to Luke, I'm sure this is the right thing to do. Note also that this code will be obviated by compartment per global.
Comment 39 Luke Wagner [:luke] 2011-07-12 14:13:38 PDT
Comment on attachment 545467 [details] [diff] [review]
Patch

Review of attachment 545467 [details] [diff] [review]:
-----------------------------------------------------------------

I think you'll want to report an error before returning false in both these cases.  As for the particular error to report, you could copy what GetGlobalForScopeChain does.
Comment 40 David Mandelin [:dmandelin] 2011-07-12 18:25:07 PDT
Created attachment 545565 [details] [diff] [review]
Patch v2

Decided to kill off the redundancy while I'm at it.
Comment 41 Luke Wagner [:luke] 2011-07-12 21:09:14 PDT
Comment on attachment 545565 [details] [diff] [review]
Patch v2

Review of attachment 545565 [details] [diff] [review]:
-----------------------------------------------------------------

Good idea.  One suggestion is to use the name NULLABLE_OBJ_TO_INNER_OBJECT since this gives a more direct indication as to the extra checking being performed vs. the generic adjective "safe".
Comment 42 Kyle Huey [:khuey] (khuey@mozilla.com) 2011-07-13 18:26:58 PDT
Backed out for breaking opt builds on m-i.
Comment 43 David Mandelin [:dmandelin] 2011-07-14 15:47:46 PDT
Created attachment 546022 [details] [diff] [review]
Patch v3

v2 bounced off m-i because of linker errors in gcc.
Comment 44 :Ehsan Akhgari (busy, don't ask for review please) 2011-07-15 07:09:46 PDT
http://hg.mozilla.org/mozilla-central/rev/ecb74109d719
Comment 45 Scoobidiver (away) 2011-08-09 03:30:09 PDT
It is #20 top browser crasher in 7.0a2.
Comment 47 Brendan Eich [:brendan] 2011-10-24 22:08:09 PDT
(In reply to Scoobidiver from comment #45)
> It is #20 top browser crasher in 7.0a2.

If the patch proves to be a good fix, should we consider escalating it into a nearer release? Pinging Asa.

/be
Comment 48 Asa Dotzler [:asa] 2011-10-25 00:16:07 PDT
Comment on attachment 546022 [details] [diff] [review]
Patch v3

nominating for Aurora and Beta to see if we can get this to users a bit sooner considering that it's a topcrash with high-profile add-ons.
Comment 49 Johnny Stenback (:jst, jst@mozilla.com) 2011-10-25 14:59:57 PDT
Comment on attachment 546022 [details] [diff] [review]
Patch v3

Approved for beta and aurora per today's meeting, please land asap (especially on beta).
Comment 50 christian 2011-10-26 09:52:15 PDT
This is actually already in beta8 and aurora9 as it landed on mozilla-central when Firefox 8 was in development (and hg transplanting says it is already applied).

Clearing approvals as they aren't needed.
Comment 51 Wayne Mery (:wsmwk, NI for questions) 2013-02-25 08:54:35 PST
*** Bug 676703 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.