Closed Bug 694009 Opened 14 years ago Closed 14 years ago

crash mozilla::dom::binding::instanceIsProxy

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Version:
10 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla10
Tracking Flags:
Tracking Status
firefox10 - ---

People

(Reporter: kairo, Assigned: peterv)

References

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

v1
3.93 KB, patch
mrbkap
: review+
Details | Diff | Splinter Review
This bug was filed from the Socorro interface and is report bp-caa90875-fd1b-4f7b-8221-2f2432111012 . ============================================================= Top frames: 0 xul.dll mozilla::dom::binding::instanceIsProxy js/src/xpconnect/src/xpcpublic.h:274 1 xul.dll nsWrapperCache::GetExpandoObjectPreserveColor dom/base/nsWrapperCacheInlines.h:92 2 xul.dll nsWrapperCache::RemoveExpandoObject content/base/src/nsGenericElement.cpp:168 3 xul.dll nsGlobalWindow::~nsGlobalWindow dom/base/nsGlobalWindow.cpp:1049 4 xul.dll nsGlobalWindow::`vector deleting destructor' 5 xul.dll nsGlobalChromeWindow::Release dom/base/nsGlobalWindow.cpp:1375 6 xul.dll nsRefPtr<nsPresContext>::~nsRefPtr<nsPresContext> obj-firefox/dist/include/nsAutoPtr.h:907 7 xul.dll nsPIDOMWindow::~nsPIDOMWindow dom/base/nsGlobalWindow.cpp:771 8 xul.dll nsGlobalWindow::~nsGlobalWindow dom/base/nsGlobalWindow.cpp:1049 9 xul.dll nsGlobalWindow::`vector deleting destructor' 10 xul.dll nsGlobalChromeWindow::Release dom/base/nsGlobalWindow.cpp:1375 11 xul.dll nsRefPtr<nsPresContext>::~nsRefPtr<nsPresContext> obj-firefox/dist/include/nsAutoPtr.h:907 12 xul.dll nsTHashtable<nsBaseHashtableET<nsCharPtrHashKey,nsCOMPtr<nsISupports> > >::s_ClearEntry xpcom/glue/nsTHashtable.h:397 (Win64 builds are missing the entry that's frame 0 here and therefore end up with the signature being what frame 1 is in this stack.) This is a new crash happening since the 20111011031000 Nightly. The signatures are #11 and #14 in yesterday's Nightly crash data and would sum up to be #5.
Version: 9 Branch → 10 Branch
Adding Mac signatures as the regression range maps to Comment 0.
Crash Signature: [@ mozilla::dom::binding::instanceIsProxy(JSObject*)] [@ nsWrapperCache::GetExpandoObjectPreserveColor()] → [@ mozilla::dom::binding::instanceIsProxy(JSObject*)] [@ nsWrapperCache::GetExpandoObjectPreserveColor()] [@ nsWrapperCache::RemoveExpandoObject ] [@ mozilla::dom::binding::ListBase<mozilla::dom::binding::ListClass<nsIHTMLCollection mozilla::dom::bindi…
OS: Windows 7 → All
Hardware: x86 → All
Attached patch v1Splinter Review
Not sure how to reproduce this, but pretty sure we should clear the outer window's wrapper cache when the outer window proxy is finalized. I ended up storing the window in the first proxy extra slot for the outer window proxy, so we have direct access from the finalizer. Ideally we'd be able to store a pointer to the cache itself, but we need to pass this through nsIScriptContext::CreateOuter and I'd rather not change that signature :-/. We should at some point just move the CreateOuter code into nsGlobalWindow IMO.
Assignee: nobody → peterv
Status: NEW → ASSIGNED
Attachment #566778 - Flags: review?(mrbkap)
Attachment #566778 - Flags: review?(mrbkap) → review+
https://hg.mozilla.org/mozilla-central/rev/046e6eadb285
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla10
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: