Closed Bug 657292 Opened 14 years ago Closed 14 years ago

Firefox 6.0a1 Crash Report [@ xpc::XrayWrapper<JSCrossCompartmentWrapper>::createHolder(JSContext*, JSObject*, JSObject*) ][@ xpc::XrayWrapper<JSCrossCompartmentWrapper>::createHolder ]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
firefox5 + fixed
firefox6 + fixed

People

(Reporter: Honza, Assigned: mrbkap)

References

Details

(Keywords: crash, regression, Whiteboard: [firebug-p1] fixed-in-tracemonkey [tracking requirement in comment 28])

Crash Data

Attachments

(2 files)

Firebug test XPI
1.23 MB, application/x-xpinstall
Details
Proposed fix
2.49 KB, patch
gal
: review+
dmandelin
: approval-mozilla-aurora+
dmandelin
: approval-mozilla-beta+
Details | Diff | Splinter Review 
CRASH: http://hg.mozilla.org/mozilla-central/rev/8b6d6c128641
Report: https://crash-stats.mozilla.com/report/index/bp-bff87130-9724-4465-974e-d3b432110516

Last working build:
http://hg.mozilla.org/mozilla-central/rev/ad1fa68dcaf5

STR:

1) Install Firebug (attached XPI)
2) Restart and open Firebug UI (F12)
3) CRASH

Honza
Attached file Firebug test XPI β€” 

  

  



    
    

    
  
Marking as Firebug-p1 since this is blocking Firebug team from testing on nightlies.

Honza

  

  


Whiteboard: [firebug-p1]

    
    

    
  
Yet another way how to see the exact regression range:
http://getfirebug.com/testresults
(started crashing on Sat: 14 May 2011 01:19:01 GMT, App Changeset: c2bea9fde3b0)

Honza

  

  


Version: 1.9.1 Branch → Trunk

    
    

    
  
Regression range from comment 0: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ad1fa68dcaf5&tochange=8b6d6c128641

Nothing in there jumps out at me....

  

  



    
    

    
  
There's a tracemonkey merge in there...

Trying out hourly builds I got to this:

http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=7f1c22983222&tochange=5b6a2be34c55

  

  



    
    

    
  
As of yesterday, this is the #1 crash on trunk with roughly 10% of all trunk crashes!
All the 6.0a1 crashes I checked in https://crash-stats.mozilla.com/report/list?signature=xpc%3A%3AXrayWrapper%3CJSCrossCompartmentWrapper%3E%3A%3AcreateHolder%28JSContext%2A%2C%20JSObject%2A%2C%20JSObject%2A%29 do have Firebug installed - but there are a few 4.0.1 crashes with the same signature (probably some other cause) and those don't have Firebug installed.

Still, the Nightly+Firebug problem is the immediate one, we should get that fixed, ideally before this code goes into Aurora next week.

  

  



    
    

    
  
jorge: can you try Tracemonkey nightlies and/or hourlies?

  

  


Assignee: nobody → general
Severity: normal → critical

          tracking-firefox6:
          --- → ?
Component: XPConnect → JavaScript Engine
Keywords: regression
QA Contact: xpconnect → general

    
    

    
  
ccing some of the people in that range too.

  

  



    
    

    
  
Happens on Mac as well, 
[@ xpc::XrayWrapper<JSCrossCompartmentWrapper>::createHolder ]

  

  


OS: Windows Vista → All
Hardware: x86 → All

    
    

    
  
(In reply to comment #7)
> jorge: can you try Tracemonkey nightlies and/or hourlies?

Works (5e69cb4c544b):
http://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/tracemonkey-win32/1305224281/

Crashes (673f93bb84aa):
http://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/tracemonkey-win32/1305227465/

pushlog:
http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=5e69cb4c544b&tochange=673f93bb84aa

  

  



    
    

    
  
BTW, is there an easier way to browse and test these builds?
Doing it manually is a bit error-prone.

  

  



    
    

    
  
jorge, http://harthur.github.com/mozregression/ might work.

  

  



    
    

    
  
Blake, this looks like a regression from bug 641342.

All the crashes are at 0x10, which looks like a null deref somewhere here.

This code:


    2.15 +        JSObject *inner = obj;
    2.16 +        OBJ_TO_INNER_OBJECT(cx, inner);
    2.17 +        XPCWrappedNative *wn;
    2.18 +        if (IS_WN_WRAPPER(inner) &&
    2.19 +            (wn = static_cast<XPCWrappedNative *>(inner->getPrivate()))->HasProto() &&
    2.20 +            wn->GetProto()->ClassIsDOMObject()) {
    2.21 +            typedef XrayWrapper<JSCrossCompartmentWrapper> Xray;
    2.22 +            wrapper = &FilteringWrapper<Xray,
    2.23 +                                        CrossOriginAccessiblePropertiesOnly>::singleton;
    2.24 +            xrayHolder = Xray::createHolder(cx, obj, parent);

looks to me like a gc hazard if |inner| can go away while |obj| stays around, since nothing is using |inner| in this case after we get |wn|.  Can inner go away that way?

  

  


Assignee: general → mrbkap
Blocks: 641342

    
  
Summary: Firefox 6.0a1 Crash Report [@ xpc::XrayWrapper<JSCrossCompartmentWrapper>::createHolder(JSContext*, JSObject*, JSObject*) ] → Firefox 6.0a1 Crash Report [@ xpc::XrayWrapper<JSCrossCompartmentWrapper>::createHolder(JSContext*, JSObject*, JSObject*) ][@ xpc::XrayWrapper<JSCrossCompartmentWrapper>::createHolder ]

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Proposed fix
        β€” 
          β€” Splinter Review
      

    


  
In practice inner and outer are related, so there's no GC hazard there. That being said, I cleaned up the code a little bit. The actual fix is checking targetdata before trying to create the Xray wrapper.

Do note that I haven't actually been able to reproduce the crash. But based on crash stacks, this has to be the fix.

  

  



        Attachment #534029 -
        Flags: review?(gal)

    
  
Blocks: 657125

    
    

    
  
(In reply to comment #14)
Applying the patch to current mozilla-central fixes the problem on my end.

Latest nightly still crashes.

  

  



    
  

        Attachment #534029 -
        Flags: review?(gal) → review+

    
    

    
  
http://hg.mozilla.org/tracemonkey/rev/60d467ab6b69

  

  


Whiteboard: [firebug-p1] → [firebug-p1] fixed-in-tracemonkey

    
    

    
  
Still crashes in the latest Nightly channel. This bug blocks me to test Firebug on Nightlies and so, I have no idea whether there are any other problems raising.

Honza

  

  



    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/5b6059eff741

  

  


Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED

    
    

    
  
(In reply to comment #18)
> http://hg.mozilla.org/mozilla-central/rev/5b6059eff741

Nice! If this works out, we'll want it on aurora as well, I guess, as this crash should be on Aurora 6 now.

  

  



        Attachment #534029 -
        Flags: approval-mozilla-beta?

        Attachment #534029 -
        Flags: approval-mozilla-aurora?

    
  
Whiteboard: [firebug-p1] fixed-in-tracemonkey → [firebug-p1] fixed-in-tracemonkey nominated at comment 20

    
    

    
  
For me it is still not fixed yet. See https://crash-stats.mozilla.com/report/index/bp-d0481b69-d9a3-485f-8a92-86d332110526
Or didn't your fix make it into the latest nightly yet?

  

  



    
    

    
  
Yep.  Blake's push was at 2011-05-26 06:15 Pacific, while that crash report is from a nightly that was pulled at 2011-05-26 03:05 Pacific.

  

  



    
    

    
  
Thanks, now the nightlies are finally working again. Though it seems the error now leaked into Aurora: https://crash-stats.mozilla.com/report/index/bp-6e26da3c-aa80-402a-985a-2cb102110527
So hopefully there'll be an update soon.

  

  



        Attachment #534029 -
        Flags: approval-mozilla-beta?

        Attachment #534029 -
        Flags: approval-mozilla-beta+

        Attachment #534029 -
        Flags: approval-mozilla-aurora?

        Attachment #534029 -
        Flags: approval-mozilla-aurora+

    
    

    
  
(In reply to comment #24)
> Though it seems the
> error now leaked into Aurora

That's why approval‑mozilla‑aurora had been requested and now granted, the latter meaning that the fix will soon be pushed there (a comment here will be made about this) and then fixed Aurora builds will appear.

  

  



    
    

    
  
Blake, can you please land this on Aurora? The last builds on trunk that are seeing this crash are the nightlies from before you checked in on m-c, but Aurora is still hitting this significantly. This crash now takes the two top spots in 6.0a2 topcrashes...

  

  



    
    

    
  
http://hg.mozilla.org/releases/mozilla-aurora/rev/155dea3ad17f

  

  



          status-firefox6:
          --- → fixed

    
  
Whiteboard: [firebug-p1] fixed-in-tracemonkey nominated at comment 20 → [firebug-p1] fixed-in-tracemonkey [tracking requirement in comment 28]

    
    

    
  
http://hg.mozilla.org/releases/mozilla-beta/rev/9eb6a0741123

  

  



          status-firefox5:
          --- → fixed

    
    

    
  
Verified on Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 - 5b5 and also on Mac OS X 10.6, Ubuntu 10.10 x86 and Win7 using the steps from Description.

Issue no longer present - setting status to Verified Fixed.

  

  


Status: RESOLVED → VERIFIED
Crash Signature: [@ xpc::XrayWrapper<JSCrossCompartmentWrapper>::createHolder(JSContext*, JSObject*, JSObject*) ]
[@ xpc::XrayWrapper<JSCrossCompartmentWrapper>::createHolder ]

    
  
Keywords: crash

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: