Closed Bug 611401 Opened 14 years ago Closed 14 years ago

crash in [@ xpc_CreateSandboxObject]

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla2.0b9
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: ddahl, Assigned: mrbkap)

References

Details

(Keywords: crash)

Crash Data

Attachments

(3 files, 1 obsolete file)

backtrace
25.96 KB, text/plain
Details
Another backtrace
19.60 KB, text/plain
Details
Proposed fix
1.12 KB, patch
gal
: review+
Details | Diff | Splinter Review
Attached file backtrace 
attaching full backtrace.

here is the gist of it:

	mozjs.dll!JS_Assert(const char * s=0x60dcceb4, const char * file=0x60dcce84, int ln=211)  Line 73	C++
 	xul.dll!JSVAL_TO_OBJECT(jsval_layout v={...})  Line 211 + 0x2b bytes	C++
 	xul.dll!xpc_CreateSandboxObject(JSContext * cx=0x0400ab90, jsval_layout * vp=0x03b60dc8, nsISupports * prinOrSop=0x109598c0, JSObject * proto=0x0aece168, bool wantXrays=false)  Line 3247 + 0xd bytes	C++
probably unrelated, but I had the patches from bug 568629 and bug 610714 applied, with the ConsoleAPI.manifest uncommented
Attachment #489865 - Attachment mime type: application/octet-stream → text/plain
Severity: normal → critical
blocking2.0: --- → ?
Keywords: crash
Assignee: general → nobody
Component: JavaScript Engine → XPConnect
OS: Windows 7 → All
QA Contact: general → xpconnect
Hardware: x86 → All
I just tried to reproduce this again and failed.
3242             if (xpc::WrapperFactory::IsXrayWrapper(proto) && !wantXrays) {
3243                 jsval v;
3244                 if (!JS_GetProperty(cx, proto, "wrappedJSObject", &v))
3245                     return NS_ERROR_XPC_UNEXPECTED;
3246 
3247                 proto = JSVAL_TO_OBJECT(v);

someone presumably set wrappedJSObject to a number or something :).
Attached patch proposal (obsolete) — Splinter Review 
Assignee: nobody → timeless
Status: NEW → ASSIGNED

        Attachment #490042 -
        Flags: review?(mrbkap)

    
    

    
  

      
      
      
      

        Attached file
          
        Another backtrace
      

    


  
I was able to reproduce this crash. I opened the web console and typed document and inspected it by clicking on it. i loaded another page and as it was loading the debug in MSVC popped up.

    
    

    
  
Comment on attachment 490042 [details] [diff] [review]
proposal

proto is an Xray wrapper, wrappedJSObject can't be replaced.

        Attachment #490042 -
        Flags: review?(mrbkap) → review-

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Proposed fixSplinter Review
      

    


  
This avoids the potential problem here by doing the unwrapping manually.

However, ddahl, I realized after our discussion on IRC that the reason this is failing is that we've decided that this window is cross-origin to the sandbox. Do you know why that would happen? Once this bug is fixed, I think that we'll see a bunch of stuff not work from the sandbox since the window is cross-origin and the sandbox won't be able to access most of the properties on it. You might want to open a separate bug on that.
Assignee: timeless → mrbkap

        Attachment #490042 -
        Attachment is obsolete: true

        Attachment #490614 -
        Flags: review?(peterv)

    
  
Blocks: 612342

    
  

        Attachment #490614 -
        Flags: review?(peterv) → review+

    
  
Summary: crash in xpc_CreateSandboxObject → crash in [@ xpc_CreateSandboxObject]
blocking2.0: ? → betaN+

    
    

    
  
this looks like it has all the pieces to make it ready to land.

I tested the console with this patch applied and we pass all our tests.

Some informal testing revealed some weirdness with the results being returned from some types of dom queries though. They don't appear to be related to this patch.

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/3e97742e029a
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED

    
    

    
  
This got backed out.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Whiteboard: fixed-in-tracemonkey

    
    

    
  
... but for reasons that had nothing to do with this bug. This patch needs to re-land.
Summary: crash in [@ xpc_CreateSandboxObject] → [ready to land] crash in [@ xpc_CreateSandboxObject]
Whiteboard: fixed-in-tracemonkey

    
    

    
  
Pushed:
https://hg.mozilla.org/mozilla-central/rev/09103345873c
Status: REOPENED → RESOLVED
Closed: 14 years ago14 years ago
Resolution: --- → FIXED
Summary: [ready to land] crash in [@ xpc_CreateSandboxObject] → crash in [@ xpc_CreateSandboxObject]
Whiteboard: fixed-in-tracemonkey
Target Milestone: --- → mozilla2.0b9
Crash Signature: [@ xpc_CreateSandboxObject]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: