Last Comment Bug 694009 - crash mozilla::dom::binding::instanceIsProxy
: crash mozilla::dom::binding::instanceIsProxy
: crash
Product: Core
Classification: Components
Component: DOM (show other bugs)
: 10 Branch
: All All
-- critical (vote)
: mozilla10
Assigned To: Peter Van der Beken [:peterv]
: Andrew Overholt [:overholt]
Depends on:
Blocks: 648801
  Show dependency treegraph
Reported: 2011-10-12 07:39 PDT by Robert Kaiser
Modified: 2012-01-05 13:25 PST (History)
6 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

v1 (3.93 KB, patch)
2011-10-13 04:02 PDT, Peter Van der Beken [:peterv]
mrbkap: review+
Details | Diff | Splinter Review

Description User image Robert Kaiser 2011-10-12 07:39:00 PDT
This bug was filed from the Socorro interface and is 
report bp-caa90875-fd1b-4f7b-8221-2f2432111012 .

Top frames:
0 	xul.dll 	mozilla::dom::binding::instanceIsProxy 	js/src/xpconnect/src/xpcpublic.h:274
1 	xul.dll 	nsWrapperCache::GetExpandoObjectPreserveColor 	dom/base/nsWrapperCacheInlines.h:92
2 	xul.dll 	nsWrapperCache::RemoveExpandoObject 	content/base/src/nsGenericElement.cpp:168
3 	xul.dll 	nsGlobalWindow::~nsGlobalWindow 	dom/base/nsGlobalWindow.cpp:1049
4 	xul.dll 	nsGlobalWindow::`vector deleting destructor' 	
5 	xul.dll 	nsGlobalChromeWindow::Release 	dom/base/nsGlobalWindow.cpp:1375
6 	xul.dll 	nsRefPtr<nsPresContext>::~nsRefPtr<nsPresContext> 	obj-firefox/dist/include/nsAutoPtr.h:907
7 	xul.dll 	nsPIDOMWindow::~nsPIDOMWindow 	dom/base/nsGlobalWindow.cpp:771
8 	xul.dll 	nsGlobalWindow::~nsGlobalWindow 	dom/base/nsGlobalWindow.cpp:1049
9 	xul.dll 	nsGlobalWindow::`vector deleting destructor' 	
10 	xul.dll 	nsGlobalChromeWindow::Release 	dom/base/nsGlobalWindow.cpp:1375
11 	xul.dll 	nsRefPtr<nsPresContext>::~nsRefPtr<nsPresContext> 	obj-firefox/dist/include/nsAutoPtr.h:907
12 	xul.dll 	nsTHashtable<nsBaseHashtableET<nsCharPtrHashKey,nsCOMPtr<nsISupports> > >::s_ClearEntry 	xpcom/glue/nsTHashtable.h:397

(Win64 builds are missing the entry that's frame 0 here and therefore end up with the signature being what frame 1 is in this stack.)

This is a new crash happening since the 20111011031000 Nightly. The signatures are #11 and #14 in yesterday's Nightly crash data and would sum up to be #5.
Comment 1 User image Marcia Knous [:marcia - use ni] 2011-10-12 09:55:57 PDT
Adding Mac signatures as the regression range maps to Comment 0.
Comment 2 User image Peter Van der Beken [:peterv] 2011-10-13 04:02:10 PDT
Created attachment 566778 [details] [diff] [review]

Not sure how to reproduce this, but pretty sure we should clear the outer window's wrapper cache when the outer window proxy is finalized. I ended up storing the window in the first proxy extra slot for the outer window proxy, so we have direct access from the finalizer. Ideally we'd be able to store a pointer to the cache itself, but we need to pass this through nsIScriptContext::CreateOuter and I'd rather not change that signature :-/. We should at some point just move the CreateOuter code into nsGlobalWindow IMO.
Comment 3 User image Ed Morley [:emorley] 2011-10-15 05:38:10 PDT

Note You need to log in before you can comment on or make changes to this bug.