Last Comment Bug 657125 - Venkman crash in XrayWrapper<JSCrossCompartmentWrapper>::createHolder
: Venkman crash in XrayWrapper<JSCrossCompartmentWrapper>::createHolder
Status: RESOLVED FIXED
: crash, regression
Product: Core
Classification: Components
Component: XPConnect (show other bugs)
: Trunk
: x86_64 Linux
: -- critical (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
:
Mentors:
Depends on: 657292
Blocks:
  Show dependency treegraph
 
Reported: 2011-05-14 06:42 PDT by Ian Neal
Modified: 2011-07-07 10:43 PDT (History)
5 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments

Description Ian Neal 2011-05-14 06:42:01 PDT
Steps to reproduce:
1/ Start Browser
2/ Start JS Debugger

Expected Result:
1/ JS Debugger starts and lets you debug JS

Actual Result:
1/ Segfault and crash

Program received signal SIGSEGV, Segmentation fault.
xpc::XrayWrapper<JSCrossCompartmentWrapper>::createHolder (cx=0x7fffd7db5c00, 
    wrappedNative=0x7fffe2cf6340, parent=<value optimized out>)
    at /home/gizmo/comm-central/mozilla/js/src/xpconnect/wrappers/XrayWrapper.cpp:914
914	    XPCWrappedNative *wn = GetWrappedNative(inner);

Start of backtrace:
#0  xpc::XrayWrapper<JSCrossCompartmentWrapper>::createHolder (cx=
    0x7fffd7db5c00, wrappedNative=0x7fffe2cf6340, parent=<value optimized out>)
    at /home/gizmo/comm-central/mozilla/js/src/xpconnect/wrappers/XrayWrapper.cpp:914
#1  0x00007ffff677d113 in xpc::WrapperFactory::Rewrap (cx=0x7fffd7db5c00, obj=
    0x7fffe2cf6340, wrappedProto=0x7fffd80d5208, parent=0x7fffe3a61048, flags=
    0)
    at /home/gizmo/comm-central/mozilla/js/src/xpconnect/wrappers/WrapperFactory.cpp:307
#2  0x00007ffff7127056 in JSCompartment::wrap (this=0x7fffd7d0b000, cx=
    0x7fffd7db5c00, vp=0x7fffffffbe58)
    at /home/gizmo/comm-central/mozilla/js/src/jscompartment.cpp:328
#3  0x00007ffff7126a63 in JSCompartment::wrap (this=<value optimized out>, 
    cx=<value optimized out>, objp=0x7fffffffbe80)
    at /home/gizmo/comm-central/mozilla/js/src/jscompartment.cpp:358
#4  0x00007ffff70feaf6 in JS_WrapObject (cx=<value optimized out>, 
    objp=<value optimized out>)
    at /home/gizmo/comm-central/mozilla/js/src/jsapi.cpp:1313
#5  0x00007ffff6306393 in nsWindowSH::OuterObject (this=<value optimized out>, 
    wrapper=<value optimized out>, cx=<value optimized out>, 
    obj=<value optimized out>, _retval=0x7fffffffbea0)
    at /home/gizmo/comm-central/mozilla/dom/base/nsDOMClassInfo.cpp:7241

I'll try on a full debug build rather than optimized with debugger-info-modules
Comment 1 Ian Neal 2011-05-14 07:40:18 PDT
With full debug build I get:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff510726a in xpc::CompartmentPrivate::LookupExpandoObjectPreserveColor
    (this=0x0, wn=0x2b23e00)
    at /home/gizmo/comm-central/mozilla/js/src/xpconnect/src/xpcprivate.h:4473
4473	        return expandoMap ? expandoMap->Get(wn) : nsnull;

but looking at the backtrace, just seems to be a couple of extra frames (frame #0 above seems similar to frame #2 below):
#0  0x00007ffff510726a in xpc::CompartmentPrivate::LookupExpandoObjectPreserveColor (this=0x0, wn=0x2b23e00)
    at /home/gizmo/comm-central/mozilla/js/src/xpconnect/src/xpcprivate.h:4473
#1  0x00007ffff51de9b1 in xpc::CompartmentPrivate::LookupExpandoObject (this=
    0x0, wn=0x2b23e00)
    at /home/gizmo/comm-central/mozilla/js/src/xpconnect/wrappers/../src/xpcprivate.h:4481
#2  0x00007ffff51e010d in xpc::XrayWrapper<JSCrossCompartmentWrapper>::createHolder (cx=0x2873110, wrappedNative=0x7fffc29a4c30, parent=0x7fffda244048)
    at /home/gizmo/comm-central/mozilla/js/src/xpconnect/wrappers/XrayWrapper.cpp:915
#3  0x00007ffff51e3606 in xpc::WrapperFactory::Rewrap (cx=0x2873110, obj=
    0x7fffc29a4c30, wrappedProto=0x7fff92fe8208, parent=0x7fffda244048, flags=
    0)
    at /home/gizmo/comm-central/mozilla/js/src/xpconnect/wrappers/WrapperFactory.cpp:307
#4  0x00007ffff61a230f in JSCompartment::wrap (this=0x2f33780, cx=0x2873110, 
    vp=0x7fffffff9ca8)
    at /home/gizmo/comm-central/mozilla/js/src/jscompartment.cpp:328
#5  0x00007ffff61a24fd in JSCompartment::wrap (this=0x2f33780, cx=0x2873110, 
    objp=0x7fffffff9d78)
    at /home/gizmo/comm-central/mozilla/js/src/jscompartment.cpp:358
Comment 2 Karsten Düsterloh 2011-05-16 13:47:05 PDT
Just ran into that. :-/
Crashes should have severity "critical".
Comment 3 Blake Kaplan (:mrbkap) 2011-05-20 11:01:25 PDT
The patch in bug 657292 should fix this bug as well.
Comment 4 Blake Kaplan (:mrbkap) 2011-07-07 10:43:52 PDT
Optimistically marking as fixed based on comment 3.

Note You need to log in before you can comment on or make changes to this bug.