Closed Bug 611401 Opened 9 years ago Closed 9 years ago

crash in [@ xpc_CreateSandboxObject]

Categories

(Core :: XPConnect, defect, critical)


Tracking


RESOLVED FIXED
mozilla2.0b9
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: ddahl, Assigned: mrbkap)

Details

(Keywords: crash)

Attachments

(3 files, 1 obsolete file)

Attached file backtrace
Attaching full backtrace.

Here is the gist of it:

mozjs.dll!JS_Assert(const char * s=0x60dcceb4, const char * file=0x60dcce84, int ln=211)  Line 73	C++
xul.dll!JSVAL_TO_OBJECT(jsval_layout v={...})  Line 211 + 0x2b bytes	C++
xul.dll!xpc_CreateSandboxObject(JSContext * cx=0x0400ab90, jsval_layout * vp=0x03b60dc8, nsISupports * prinOrSop=0x109598c0, JSObject * proto=0x0aece168, bool wantXrays=false)  Line 3247 + 0xd bytes	C++
Probably unrelated, but I had the patches from bug 568629 and bug 610714 applied, with the ConsoleAPI.manifest uncommented.
Attachment #489865 - Attachment mime type: application/octet-stream → text/plain
Severity: normal → critical
blocking2.0: --- → ?
Keywords: crash
Assignee: general → nobody
Component: JavaScript Engine → XPConnect
OS: Windows 7 → All
QA Contact: general → xpconnect
Hardware: x86 → All
I just tried to reproduce this again and failed.
3242             if (xpc::WrapperFactory::IsXrayWrapper(proto) && !wantXrays) {
3243                 jsval v;
3244                 if (!JS_GetProperty(cx, proto, "wrappedJSObject", &v))
3245                     return NS_ERROR_XPC_UNEXPECTED;
3246 
3247                 proto = JSVAL_TO_OBJECT(v);

Someone presumably set wrappedJSObject to a number or something :).
Attached patch proposal (obsolete) — Splinter Review
Assignee: nobody → timeless
Status: NEW → ASSIGNED
Attachment #490042 - Flags: review?(mrbkap)
Attached file Another backtrace
I was able to reproduce this crash. I opened the web console and typed document and inspected it by clicking on it. I loaded another page and, as it was loading, the debugger in MSVC popped up.
Comment on attachment 490042 [details] [diff] [review]
proposal

proto is an Xray wrapper, wrappedJSObject can't be replaced.
Attachment #490042 - Flags: review?(mrbkap) → review-
Attached patch Proposed fix — Splinter Review
This avoids the potential problem here by doing the unwrapping manually.

However, ddahl, I realized after our discussion on IRC that the reason this is failing is that we've decided that this window is cross-origin to the sandbox. Do you know why that would happen? Once this bug is fixed, I think that we'll see a bunch of stuff not work from the sandbox since the window is cross-origin and the sandbox won't be able to access most of the properties on it. You might want to open a separate bug on that.
Assignee: timeless → mrbkap
Attachment #490042 - Attachment is obsolete: true
Attachment #490614 - Flags: review?(peterv)
Blocks: 612342
Attachment #490614 - Flags: review?(peterv) → review+
Summary: crash in xpc_CreateSandboxObject → crash in [@ xpc_CreateSandboxObject]
blocking2.0: ? → betaN+
This looks like it has all the pieces to make it ready to land.

I tested the console with this patch applied and we pass all our tests.

Some informal testing revealed some weirdness with the results being returned from some types of DOM queries, though. They don't appear to be related to this patch.
http://hg.mozilla.org/mozilla-central/rev/3e97742e029a
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
This got backed out.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Whiteboard: fixed-in-tracemonkey
... but for reasons that had nothing to do with this bug. This patch needs to re-land.
Summary: crash in [@ xpc_CreateSandboxObject] → [ready to land] crash in [@ xpc_CreateSandboxObject]
Whiteboard: fixed-in-tracemonkey
Pushed:
https://hg.mozilla.org/mozilla-central/rev/09103345873c
Status: REOPENED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Summary: [ready to land] crash in [@ xpc_CreateSandboxObject] → crash in [@ xpc_CreateSandboxObject]
Whiteboard: fixed-in-tracemonkey
Target Milestone: --- → mozilla2.0b9
Crash Signature: [@ xpc_CreateSandboxObject]