The default bug view has changed. See this FAQ.

crash mozilla::dom::binding::instanceIsProxy

RESOLVED FIXED in mozilla10

Status

()

Core
DOM
--
critical
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: Robert Kaiser, Assigned: peterv)

Tracking

({crash})

10 Branch
mozilla10
crash
Points:
---

Firefox Tracking Flags

(firefox10-)

Details

(crash signature)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
This bug was filed from the Socorro interface and is 
report bp-caa90875-fd1b-4f7b-8221-2f2432111012 .
============================================================= 

Top frames:
0 	xul.dll 	mozilla::dom::binding::instanceIsProxy 	js/src/xpconnect/src/xpcpublic.h:274
1 	xul.dll 	nsWrapperCache::GetExpandoObjectPreserveColor 	dom/base/nsWrapperCacheInlines.h:92
2 	xul.dll 	nsWrapperCache::RemoveExpandoObject 	content/base/src/nsGenericElement.cpp:168
3 	xul.dll 	nsGlobalWindow::~nsGlobalWindow 	dom/base/nsGlobalWindow.cpp:1049
4 	xul.dll 	nsGlobalWindow::`vector deleting destructor' 	
5 	xul.dll 	nsGlobalChromeWindow::Release 	dom/base/nsGlobalWindow.cpp:1375
6 	xul.dll 	nsRefPtr<nsPresContext>::~nsRefPtr<nsPresContext> 	obj-firefox/dist/include/nsAutoPtr.h:907
7 	xul.dll 	nsPIDOMWindow::~nsPIDOMWindow 	dom/base/nsGlobalWindow.cpp:771
8 	xul.dll 	nsGlobalWindow::~nsGlobalWindow 	dom/base/nsGlobalWindow.cpp:1049
9 	xul.dll 	nsGlobalWindow::`vector deleting destructor' 	
10 	xul.dll 	nsGlobalChromeWindow::Release 	dom/base/nsGlobalWindow.cpp:1375
11 	xul.dll 	nsRefPtr<nsPresContext>::~nsRefPtr<nsPresContext> 	obj-firefox/dist/include/nsAutoPtr.h:907
12 	xul.dll 	nsTHashtable<nsBaseHashtableET<nsCharPtrHashKey,nsCOMPtr<nsISupports> > >::s_ClearEntry 	xpcom/glue/nsTHashtable.h:397

(Win64 builds are missing the entry that's frame 0 here and therefore end up with the signature being what frame 1 is in this stack.)

This is a new crash happening since the 20111011031000 Nightly. The signatures are #11 and #14 in yesterday's Nightly crash data and would sum up to be #5.
(Reporter)

Updated

6 years ago
Version: 9 Branch → 10 Branch

Updated

6 years ago
Blocks: 648801
Adding Mac signatures as the regression range maps to Comment 0.
Crash Signature: [@ mozilla::dom::binding::instanceIsProxy(JSObject*)] [@ nsWrapperCache::GetExpandoObjectPreserveColor()] → [@ mozilla::dom::binding::instanceIsProxy(JSObject*)] [@ nsWrapperCache::GetExpandoObjectPreserveColor()] [@ nsWrapperCache::RemoveExpandoObject ] [@ mozilla::dom::binding::ListBase<mozilla::dom::binding::ListClass<nsIHTMLCollection mozilla::dom&hellip;
OS: Windows 7 → All
Hardware: x86 → All
tracking-firefox10: --- → ?
(Assignee)

Comment 2

6 years ago
Created attachment 566778 [details] [diff] [review]
v1

Not sure how to reproduce this, but pretty sure we should clear the outer window's wrapper cache when the outer window proxy is finalized. I ended up storing the window in the first proxy extra slot for the outer window proxy, so we have direct access from the finalizer. Ideally we'd be able to store a pointer to the cache itself, but we need to pass this through nsIScriptContext::CreateOuter and I'd rather not change that signature :-/. We should at some point just move the CreateOuter code into nsGlobalWindow IMO.
Assignee: nobody → peterv
Status: NEW → ASSIGNED
Attachment #566778 - Flags: review?(mrbkap)

Updated

6 years ago
Attachment #566778 - Flags: review?(mrbkap) → review+
https://hg.mozilla.org/mozilla-central/rev/046e6eadb285
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla10

Updated

5 years ago
tracking-firefox10: ? → -
You need to log in before you can comment on or make changes to this bug.