Last Comment Bug 694009 - crash mozilla::dom::binding::instanceIsProxy
: crash mozilla::dom::binding::instanceIsProxy
Status: RESOLVED FIXED
: crash
Product: Core
Classification: Components
Component: DOM (show other bugs)
: 10 Branch
: All All
: -- critical (vote)
: mozilla10
Assigned To: Peter Van der Beken [:peterv]
:
Mentors:
Depends on:
Blocks: 648801
  Show dependency treegraph
 
Reported: 2011-10-12 07:39 PDT by Robert Kaiser (not working on stability any more)
Modified: 2012-01-05 13:25 PST (History)
6 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
-


Attachments
v1 (3.93 KB, patch)
2011-10-13 04:02 PDT, Peter Van der Beken [:peterv]
mrbkap: review+
Details | Diff | Review

Description Robert Kaiser (not working on stability any more) 2011-10-12 07:39:00 PDT
This bug was filed from the Socorro interface and is 
report bp-caa90875-fd1b-4f7b-8221-2f2432111012 .
============================================================= 

Top frames:
0 	xul.dll 	mozilla::dom::binding::instanceIsProxy 	js/src/xpconnect/src/xpcpublic.h:274
1 	xul.dll 	nsWrapperCache::GetExpandoObjectPreserveColor 	dom/base/nsWrapperCacheInlines.h:92
2 	xul.dll 	nsWrapperCache::RemoveExpandoObject 	content/base/src/nsGenericElement.cpp:168
3 	xul.dll 	nsGlobalWindow::~nsGlobalWindow 	dom/base/nsGlobalWindow.cpp:1049
4 	xul.dll 	nsGlobalWindow::`vector deleting destructor' 	
5 	xul.dll 	nsGlobalChromeWindow::Release 	dom/base/nsGlobalWindow.cpp:1375
6 	xul.dll 	nsRefPtr<nsPresContext>::~nsRefPtr<nsPresContext> 	obj-firefox/dist/include/nsAutoPtr.h:907
7 	xul.dll 	nsPIDOMWindow::~nsPIDOMWindow 	dom/base/nsGlobalWindow.cpp:771
8 	xul.dll 	nsGlobalWindow::~nsGlobalWindow 	dom/base/nsGlobalWindow.cpp:1049
9 	xul.dll 	nsGlobalWindow::`vector deleting destructor' 	
10 	xul.dll 	nsGlobalChromeWindow::Release 	dom/base/nsGlobalWindow.cpp:1375
11 	xul.dll 	nsRefPtr<nsPresContext>::~nsRefPtr<nsPresContext> 	obj-firefox/dist/include/nsAutoPtr.h:907
12 	xul.dll 	nsTHashtable<nsBaseHashtableET<nsCharPtrHashKey,nsCOMPtr<nsISupports> > >::s_ClearEntry 	xpcom/glue/nsTHashtable.h:397

(Win64 builds are missing the entry that's frame 0 here and therefore end up with the signature being what frame 1 is in this stack.)

This is a new crash happening since the 20111011031000 Nightly. The signatures are #11 and #14 in yesterday's Nightly crash data and would sum up to be #5.
Comment 1 Marcia Knous [:marcia - use ni] 2011-10-12 09:55:57 PDT
Adding Mac signatures as the regression range maps to Comment 0.
Comment 2 Peter Van der Beken [:peterv] 2011-10-13 04:02:10 PDT
Created attachment 566778 [details] [diff] [review]
v1

Not sure how to reproduce this, but pretty sure we should clear the outer window's wrapper cache when the outer window proxy is finalized. I ended up storing the window in the first proxy extra slot for the outer window proxy, so we have direct access from the finalizer. Ideally we'd be able to store a pointer to the cache itself, but we need to pass this through nsIScriptContext::CreateOuter and I'd rather not change that signature :-/. We should at some point just move the CreateOuter code into nsGlobalWindow IMO.
Comment 3 Ed Morley [:emorley] 2011-10-15 05:38:10 PDT
https://hg.mozilla.org/mozilla-central/rev/046e6eadb285

Note You need to log in before you can comment on or make changes to this bug.