Crash combining JavaScript "Harmony" forwarding proxy with DOMParser-generated document

Status: RESOLVED FIXED
Priority: --
Severity: critical
Reported: 8 years ago
Last Modified: 3 years ago

People: Reporter: WeirdAl; Assigned: automation

Tracking: Keywords: crash, testcase; Version: Trunk; Hardware: x86_64; OS: All; Points: ---

Firefox Tracking Flags: blocking2.0 final+

Whiteboard: [hardblocker] fixed-in-tracemonkey

Attachments: 4 attachments, 1 obsolete attachment

Description (Reporter, 8 years ago)

Created attachment 501682: crash testcase

I was tinkering around with JavaScript proxies, first trying it with a pure JavaScript object. Then I tried it with an nsIDOMDocument on FF4 beta 8, Fedora 14, and my CPU started spinning endlessly. I tried to reproduce it on Windows 7 x64 with FF4 trunk, and crashed.
Comment 1 (Reporter, 8 years ago)

Created attachment 501683: stack trace when RunTest() is fired from onload

Without the onload call, I crash on Windows x64, but MSVC 2008 Express is not able to trap the assertion failure, and FF4 simply crashes on the same line:

Assertion failure: wrapper->isWrapper(), at c:/trunk/base/mozilla/js/src/xpconnect/wrappers/AccessCheck.cpp:370
Updated (Reporter, 8 years ago)

blocking2.0: --- → ?
Updated (Reporter, 8 years ago)

Hardware: x86 → x86_64
Comment 2 (Reporter, 8 years ago)

gal, mrbkap:  can one of you please explain what the assertion failure means?
JS_ASSERT(wrapper->isWrapper());

I'm just looking for a little insight, to see if there's anything I can do or learn from this.
Comment 3 (Reporter, 8 years ago)

jst: I nominated this for blocking FF4 7 days ago.  What do you think: hardblocker, softblocker, notablocker?

Comment 4 (8 years ago)

It's at least a crash so we should look at it. Probably an easy fix.

Updated (8 years ago)

blocking2.0: ? → betaN+

Updated (8 years ago)

QA Contact: xpconnect → gal

Updated (8 years ago)

Assignee: nobody → gal
blocking2.0: betaN+ → final+
QA Contact: gal → xpconnect
Whiteboard: [hardblocker]

Comment 5 (8 years ago)

This WFM with TM debug. I think bug 626290 fixed this.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → WORKSFORME
Comment 6 (Reporter, 8 years ago)

(In reply to comment #5)
> This WFM with TM debug. I think bug 626290 fixed this.

I'd appreciate a cc on that bug, please.

When you said "WFM", did you mean it wasn't crashing, or that it was generating useful results?  (I realize the data variable's contents didn't end up in the "output" textarea afterwards... I guess I over-minimized the testcase in that respect.)

Updated (8 years ago)

Group: core-security

Comment 7 (8 years ago)

I shouldn't have linked a hidden bug from an open bug with a test case. I will hide this one. Alex, I added you to the other one as well. I only checked that we no longer crash.

Updated (8 years ago)

Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---

Updated (8 years ago)

Attachment #505631 - Flags: review?(mrbkap)

Comment 9 (8 years ago)

Actually we need another spot fix for this after all. Alex, I will land this patch shortly. After that please try your test case with the tracemonkey nightly if you can.

Updated (8 years ago)

Attachment #505631 - Flags: review?(mrbkap) → review+

Comment 11 (8 years ago)

Created attachment 505652: testcase for this bug and bug 627302

cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/b03242ce2fce
Note: not marking as fixed because fixed-in-tracemonkey is not present on the whiteboard.
Comment 13 (Reporter, 8 years ago)

Created attachment 505694 (patch): further testcase

Further testing shows this isn't enough.  Sure, we fixed the crash, and it's not hanging... but it throws NS_ERROR_XPC_BAD_CONVERT_JS calling doc.getElementById("test").

I'm not sure this should still be a hardblocker based on that (it's a bug in a very new feature)... but I can't say this is fixed to my satisfaction.

(I am aware that in this testcase, several values will come up false, because proxies don't support equality comparisons directly.  That's fine - I have other JS proxy code I've written to take care of that.)
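
As an added example (not code from the bug report, from the attached testcases, or from Mozilla's tree), the block below models the two behaviours this bug describes with a plain ES2015 Proxy in place of the Harmony-era forwarding handler. Node has no DOMParser, so a Map stands in for the parsed document: like a DOM node reached through XPConnect, its methods and its size accessor check that `this` is the genuine native object and throw a TypeError when handed the proxy instead. That is an analogue of the NS_ERROR_XPC_BAD_CONVERT_JS seen in comment 13, not the XPConnect code path itself; the constructed DOC_SAMPLE, the helper names and the "unwrapping" variant are assumptions for illustration.

```javascript
// Added example, not from the bug report or Mozilla's sources.
// A Map stands in for the DOMParser-generated document (Node has no
// DOMParser): its methods and the `size` accessor check that `this` is a
// genuine Map, much as XPConnect expects a real wrapped native. Analogy only.

// Constructed sample "document": id -> markup.
const DOC_SAMPLE = new Map([["test", '<div id="test">']]);

// Naive forwarding proxy in the spirit of the Harmony-era handler: every
// trap delegates to the target, passing the caller's receiver through.
function naiveForwardingProxy(target) {
  return new Proxy(target, {
    get: (t, prop, receiver) => Reflect.get(t, prop, receiver),
    set: (t, prop, value, receiver) => Reflect.set(t, prop, value, receiver),
    has: (t, prop) => Reflect.has(t, prop),
    deleteProperty: (t, prop) => Reflect.deleteProperty(t, prop),
    ownKeys: (t) => Reflect.ownKeys(t),
    getOwnPropertyDescriptor: (t, prop) =>
      Reflect.getOwnPropertyDescriptor(t, prop),
  });
}

// Unwrapping forwarding proxy: accessors run with the target as receiver and
// functions are bound to the target, so native code never sees the proxy as
// `this`. Hypothetical fix for the analogue, not Mozilla's patch.
function unwrappingForwardingProxy(target) {
  return new Proxy(target, {
    get(t, prop) {
      const value = Reflect.get(t, prop, t);
      return typeof value === "function" ? value.bind(t) : value;
    },
    set: (t, prop, value) => Reflect.set(t, prop, value, t),
    has: (t, prop) => Reflect.has(t, prop),
    deleteProperty: (t, prop) => Reflect.deleteProperty(t, prop),
    ownKeys: (t) => Reflect.ownKeys(t),
    getOwnPropertyDescriptor: (t, prop) =>
      Reflect.getOwnPropertyDescriptor(t, prop),
  });
}

// Looks an id up through the proxy (the analogue of doc.getElementById) and
// reports success or the thrown error class instead of propagating it.
function lookupThrough(proxy, id) {
  try {
    return { ok: true, value: proxy.get(id), size: proxy.size };
  } catch (err) {
    return { ok: false, error: err.constructor.name, message: err.message };
  }
}

// Comment 13's equality point: a proxy is a distinct object, so identity
// comparisons with the wrapped target are false however faithfully it forwards.
function identityChecks(target) {
  const proxy = naiveForwardingProxy(target);
  return {
    strictEqual: proxy === target,
    looseEqual: proxy == target,
    sameObject: Object.is(proxy, target),
    forwardsHas: "get" in proxy, // the `has` trap still reaches the target
  };
}

function demo() {
  return {
    naive: lookupThrough(naiveForwardingProxy(DOC_SAMPLE), "test"),
    unwrapping: lookupThrough(unwrappingForwardingProxy(DOC_SAMPLE), "test"),
    identity: identityChecks(DOC_SAMPLE),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The naive proxy fails because `proxy.get("test")` invokes Map.prototype.get with the proxy as `this`, and the native method refuses a receiver that is not a real Map; the same shape of failure is what a wrapper layer reports when it cannot convert a proxy back to the native it expects. The unwrapping variant reruns accessors against the target and binds functions to it, so the call succeeds, but no amount of forwarding makes the proxy identical to the target, which is why the equality checks stay false.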

Comment 14 (8 years ago)

Alex, can you file a new bug with the new test case? We will fix it there. Please cc me.
Comment 15 (Reporter, 8 years ago)

Filed as bug 627634.

Updated (8 years ago)

Status: REOPENED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Whiteboard: [hardblocker] → [hardblocker] fixed-in-tracemonkey
Comment 16 (Reporter, 8 years ago)

OK, 627634 was invalid.  However, I discovered further proxy oddities in bug 627648.
Updated (Reporter, 8 years ago)

Attachment #505694 - Attachment is obsolete: true
Updated (Assignee, 3 years ago)

Assignee: gal → automation
Updated (Assignee, 3 years ago)

Group: core-security → core-security-release