Closed Bug 674568 Opened 14 years ago Closed 9 years ago

crash in XPCConvert::NativeInterface2JSObject @ JSCompartment::wrap

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
fennec - ---

People

(Reporter: nhirata, Unassigned)

References

Details

(Keywords: crash, Whiteboard: js-triage-needed, [mobile-crash])

Crash Data

Attachments

(1 file)

Not the problem
1.97 KB, patch
Details | Diff | Splinter Review
This bug was filed from the Socorro interface and is report bp-0b5603e0-9ab1-470b-bb9d-f46512110725 . ============================================================= Frame Module Signature [Expand] Source 0 @0x410e4564 1 libxul.so JSCompartment::wrap js/src/jscompartment.cpp:363 2 @0x418dffff 3 libxul.so js::mjit::JaegerShot js/src/vm/Stack.h:1256 4 libxul.so js::ExternalInvoke js/src/jsinterp.cpp:610 5 libxul.so JS_CallFunctionValue js/src/jsapi.cpp:5055 6 libxul.so nsXPCWrappedJSClass::CallMethod js/src/xpconnect/src/xpcwrappedjsclass.cpp:1659 7 libxul.so nsXPCWrappedJS::CallMethod js/src/xpconnect/src/xpcwrappedjs.cpp:586 8 libxul.so PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_arm.cpp:134 9 libxul.so libxul.so@0x8eb098 10 libxul.so nsEventListenerManager::HandleEventSubType content/events/src/nsEventListenerManager.cpp:1080 11 @0x435d3caf 12 libxul.so nsEventListenerManager::HandleEventInternal content/events/src/nsEventListenerManager.cpp:1177 13 libxul.so nsEventTargetChainItem::HandleEvent content/events/src/nsEventListenerManager.h:155 14 libxul.so nsEventTargetChainItem::HandleEventTargetChain content/events/src/nsEventDispatcher.cpp:346 15 libxul.so nsEventDispatcher::Dispatch content/events/src/nsEventDispatcher.cpp:674 16 libxul.so nsEventDispatcher::DispatchDOMEvent content/events/src/nsEventDispatcher.cpp:735 17 libxul.so nsINode::DispatchEvent content/base/src/nsGenericElement.cpp:1109 18 libxul.so nsContentUtils::DispatchTrustedEvent content/base/src/nsContentUtils.cpp:3034 19 libxul.so nsHTMLMediaElement::DispatchEvent content/html/content/src/nsHTMLMediaElement.cpp:2282 20 libxul.so nsAsyncEventRunner::Run content/html/content/src/nsHTMLMediaElement.cpp:211 21 libxul.so nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:617 22 libxul.so NS_ProcessNextEvent_P obj-firefox/xpcom/build/nsThreadUtils.cpp:245 23 libxul.so mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:111 24 libxul.so mozilla::ipc::MessagePumpForChildProcess::Run ipc/glue/MessagePump.cpp:230 25 libxul.so MessageLoop::RunInternal ipc/chromium/src/base/message_loop.cc:219 26 libxul.so MessageLoop::Run ipc/chromium/src/base/message_loop.cc:511 27 libxul.so nsBaseAppShell::Run widget/src/xpwidgets/nsBaseAppShell.cpp:191 28 libxul.so XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp:671 29 libxul.so mozilla::ipc::MessagePumpForChildProcess::Run ipc/glue/MessagePump.cpp:222 30 libxul.so MessageLoop::RunInternal ipc/chromium/src/base/message_loop.cc:219 31 libxul.so MessageLoop::Run ipc/chromium/src/base/message_loop.cc:511 32 libxul.so XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp:514 33 libmozutils.so ChildProcessInit other-licenses/android/APKOpen.cpp:801 34 plugin-container main ipc/app/MozillaRuntimeMainAndroid.cpp:69 35 libc.so libc.so@0xd67a Different crash from bug 673835 - crash wrapping object returned from JS_NewArrayObject ?
Assignee: nobody → general
tracking-fennec: --- → ?
Component: General → JavaScript Engine
Product: Fennec → Core
QA Contact: general → general
Whiteboard: js-triage-needed
not tracking without STR
tracking-fennec: ? → -
It is now #94 top crasher in 8.0b1 after the fix of bug 605290 (#26 in 7.0.1).
Crash Signature: [@ JSCompartment::wrap] → [@ JSCompartment::wrap ] [@ JSCompartment::wrap(JSContext*, js::Value*) ]
OS: Linux → All
Summary: crash [@ JSCompartment::wrap] → crash [@ JSCompartment::wrap ] [@ JSCompartment::wrap(JSContext*, js::Value*) ]
STR: 1) install Firebug 1.9b1 2) open www.andrethierry.com 3) open firebug, enable all panels (drop down on firebug icon) 4) reload Crash. 9.0 http://crash-stats.mozilla.com/report/index/bp-9efa40cb-4127-45f4-8b63-5c3662111118
Whiteboard: js-triage-needed → js-triage-needed, [mobile-crash]
Printing a page to cups-pdf printer via the 'Print' button on the page. Unfortunately the page is https and requires a member login, so I can't supply a URL for testing. Note: printing from File|Print|cups-pdf works fine. I tried that before using the 'Print' button on the page to replicate the crash. <https://crash-stats.mozilla.com/report/index/bp-aa70df3b-d05d-49d1-907f-5f4172111208> Subsequent crashes (repeatable) resulted in [@ nsGlobalWindow::GetContextInternal ] crashes. See: <https://bugzilla.mozilla.org/show_bug.cgi?id=605018#c6> for crash details.
This signature is #25 on 8.* in yesterday's data.
Crash Signature: [@ JSCompartment::wrap ] [@ JSCompartment::wrap(JSContext*, js::Value*) ] → [@ JSCompartment::wrap ] [@ JSCompartment::wrap(JSContext*, js::Value*) ] [@ JSCompartment::wrap(JSContext*, JS::Value*) ]
Summary: crash [@ JSCompartment::wrap ] [@ JSCompartment::wrap(JSContext*, js::Value*) ] → crash in JSCompartment::wrap
i just ran into this in my development process. i have firebug 1.9 installed in this profile. crash was caused by submitting a form, after an ajax request inserts a <script>some_non_existent_function('foo');</script> line that calls a function that i had removed from my somefile.js. after i removed the offending line in the backend that spits out that <script> line into DOM, crashing stopped.
Comment 3 and comment 8 are two crashes related to firebug, but aren't related to comment 0. I looked into those stacks, since they finger a particular piece of code pretty specifically, but I can't find the bug. I'll attach my attempt, though.
Attached patch Not the problemSplinter Review
It turns out that the conservative stack scanner keeps the scope properties alive.
I am consistently getting this crash on my system. Most recent: https://crash-stats.mozilla.com/report/index/bp-bdf21d9d-74f5-4e0d-b3d2-31d452120112 Have tried on FF 9, FF 10, and nightly. The one above is a fresh install of nightly. I have tried disabling all plugins but firebug. I have tried removing all plugins but firebug. I have removed firebug and re-installed it. I have removed Firefox and reinstalled. I have tried a number of different versions. It's fairly reliable, but appears to occur more often on sites with jQuery.
Josh, it's the same comment as in comment 9: you are hitting bug 715907 because your stack differs from the one in comment 0.
Here is a fresh stack: Frame Module Signature [Expand] Source 0 mozjs.dll JSCompartment::wrap js/src/jscompartment.cpp:250 1 mozjs.dll JSCompartment::wrap js/src/jscompartment.cpp:367 2 mozjs.dll JSCompartment::wrap js/src/jscompartment.cpp:327 3 mozjs.dll JSCompartment::wrap js/src/jscompartment.cpp:367 4 mozjs.dll JS_WrapObject js/src/jsapi.cpp:1302 5 xul.dll XPCConvert::NativeInterface2JSObject js/src/xpconnect/src/xpcconvert.cpp:1172 6 xul.dll XPCConvert::NativeData2JS js/src/xpconnect/src/xpcconvert.cpp:495 7 xul.dll XPCConvert::NativeData2JS js/src/xpconnect/src/xpcprivate.h:3232 8 xul.dll XPC_WN_GetterSetter js/src/xpconnect/src/xpcwrappednativejsops.cpp:1679 9 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:660 10 mozjs.dll js::Invoke js/src/jsinterp.cpp:710 ...
Summary: crash in JSCompartment::wrap → crash in XPCConvert::NativeInterface2JSObject @ JSCompartment::wrap
Assignee: general → nobody
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: