Closed Bug 701299 Opened 14 years ago Closed 13 years ago

crash nsGlobalWindow::LeaveModalState

Categories: Core :: DOM: Core & HTML, defect
Priority: Not set
Severity: critical
Status: VERIFIED FIXED
Target Milestone: mozilla18
Tracking Status:
firefox15 + ---
firefox16 + verified
firefox17 --- verified
People: Reporter: martijn.martijn, Assigned: drexler
Keywords: crash, testcase, topcrash
Whiteboard: [native-crash]
Attachments: 2 files

This bug was filed from the Socorro interface and is report bp-9cfe03ea-8c52-4281-a7b3-275402111109.
=============================================================
0 xul.dll nsGlobalWindow::LeaveModalState dom/base/nsGlobalWindow.cpp:6795
1 xul.dll nsDOMWindowUtils::LeaveModalStateWithWindow dom/base/nsDOMWindowUtils.cpp:1530
2 xul.dll NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
3 xul.dll XPC_WN_CallMethod js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1553
4 mozjs.dll CallCompiler::generateNativeStub js/src/methodjit/MonoIC.cpp:939
5 mozjs.dll js::mjit::ic::NativeCall js/src/methodjit/MonoIC.cpp:1173
6 mozjs.dll js::mjit::EnterMethodJIT js/src/methodjit/MethodJIT.cpp:1064
7 mozjs.dll js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:1142
8 mozjs.dll js::RunScript js/src/jsinterp.cpp:581
9 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:647
10 mozjs.dll js::Invoke js/src/jsinterp.cpp:679
11 mozjs.dll js::ProxyHandler::call js/src/jsproxy.cpp:275
12 mozjs.dll js::Wrapper::call js/src/jswrapper.cpp:262
13 mozjs.dll js::CrossCompartmentWrapper::call js/src/jswrapper.cpp:718
14 mozjs.dll js::Proxy::call js/src/jsproxy.cpp:841
15 mozjs.dll proxy_Call js/src/jsproxy.cpp:1345
16 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:622
17 mozjs.dll js::Interpret js/src/jsinterp.cpp:3948
18 mozjs.dll js::types::TypeSet::addType js/src/jsinferinlines.h:1034
19 mozjs.dll js::types::TypeScript::SetThis js/src/jsinferinlines.h:628
20 mozjs.dll js::ExecuteKernel js/src/jsinterp.cpp:783
Most of these are from FF 4.0b11. Several from 10.0a1.
Attached file testcase
Component: General → DOM
Keywords: testcase
OS: Windows 7 → All
Product: Firefox → Core
QA Contact: general → general
Hardware: x86 → All
Attached patch patch
Looks like null deref. It might indicate further problems afield but this nips it in the bud.
Attachment #623450 - Flags: review?(dolske)
Comment on attachment 623450 patch
Bouncing to jst; I've no idea if |scx| being null here is a problem or not.
Attachment #623450 - Flags: review?(dolske) → review?(jst)
See also bug 632833 :)
Comment on attachment 623450 patch
Unfortunately I don't see how this could possibly fix anything here. aCallerWin is an nsPIDOMWindow, meaning it's an nsGlobalWindow. nsGlobalWindow directly inherits nsIScriptGlobalObject and a QI call on a valid nsPIDOMWindow pointer to nsIScriptGlobalObject will always succeed, so the null pointer check addition here is not fixing the root cause here. Something went wrong before we got to this point :(
Attachment #623450 - Flags: review?(jst) → review-
Crash Signature: [@ nsGlobalWindow::LeaveModalState(nsIDOMWindow*)] → [@ nsGlobalWindow::LeaveModalState(nsIDOMWindow*)] [@ nsGlobalWindow::LeaveModalState]
Whiteboard: [native-crash]
It's #39 top browser crasher in 15.0a2. It first appeared in 15.0a1/20120426.
The regression window is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=75c7378c87b6&tochange=cc5254f9825f
According to comments, it's related to email spell checking.
It's #36 top browser crasher and #4 on Mac OS X in 15.0b5.
Keywords: topcrash
It's #14 top browser crasher in 15.0 and #2 on Mac OS X. It's still related to the spell checker.
Adding qawanted, steps-wanted, and needURLs so that we can try to reproduce.
(In reply to Alex Keybl [:akeybl] from comment #11)
> Adding qawanted, steps-wanted, and needURLs so that we can try to reproduce.
There's already a testcase!
Comment on attachment 623450 patch
I believe this is the right fix. nsIDOMWindow is not a builtinclass, so we may end up calling LeaveModalStateWithWindow with a random JSObject. And if I've understood correctly how hueyfix works, after closing the window, pointers to it are transplanted to point to some other JSObject than the original DOMWindow wrapper. Per GDB aCallerWin doesn't look like a dead object, and QI certainly fails, so I don't know what else could cause this problem.
Attachment #623450 - Flags: review?(khuey)
Attachment #623450 - Flags: review-
Attachment #623450 - Flags: review+
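The disagreement in the two review comments above, as an added example that is not part of the bug thread and is not the Gecko patch: a simplified C++ model in which a native window always answers the interface query, while an object supplied from script (possible because the interface is not builtinclass) does not. All type and function names are hypothetical stand-ins for the XPCOM ones.

```cpp
#include <cstdio>

// Hypothetical stand-in for nsIScriptGlobalObject.
struct IScriptGlobal {
    virtual ~IScriptGlobal() = default;
    virtual int& ModalDepth() = 0;
};

// Hypothetical stand-in for nsIDOMWindow. QueryScriptGlobal() models a
// QueryInterface call: nullptr means "interface not implemented".
struct IDOMWindowLike {
    virtual ~IDOMWindowLike() = default;
    virtual IScriptGlobal* QueryScriptGlobal() = 0;
};

// Native window: implements both interfaces, so the query always succeeds.
struct NativeWindow : IDOMWindowLike, IScriptGlobal {
    int depth = 1;
    IScriptGlobal* QueryScriptGlobal() override { return this; }
    int& ModalDepth() override { return depth; }
};

// Object handed in from script that only satisfies the window interface.
struct ScriptedWindow : IDOMWindowLike {
    IScriptGlobal* QueryScriptGlobal() override { return nullptr; }
};

enum class Result { Ok, NotAWindow };

// Unchecked form: correct only if every caller is a NativeWindow.
void LeaveModalStateUnchecked(IDOMWindowLike* caller) {
    IScriptGlobal* sgo = caller->QueryScriptGlobal();
    --sgo->ModalDepth();  // null dereference when the query fails
}

// Checked form: a failed query is reported instead of dereferenced.
Result LeaveModalStateChecked(IDOMWindowLike* caller) {
    if (!caller) return Result::NotAWindow;
    IScriptGlobal* sgo = caller->QueryScriptGlobal();
    if (!sgo) return Result::NotAWindow;
    --sgo->ModalDepth();
    return Result::Ok;
}

int main() {
    NativeWindow n;
    ScriptedWindow s;
    std::printf("native=%d scripted=%d\n",
                static_cast<int>(LeaveModalStateChecked(&n)),
                static_cast<int>(LeaveModalStateChecked(&s)));
}
```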
(In reply to Scoobidiver from comment #12)
> (In reply to Alex Keybl [:akeybl] from comment #11)
> > Adding qawanted, steps-wanted, and needURLs so that we can try to reproduce.
> There's already a testcase!
Woops
Assignee: nobody → andrew.quartey
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment on attachment 623450 patch
[Approval Request Comment]
Bug caused by (feature/regressing bug #): hueyfix?
User impact if declined: crashes
Testing completed (on m-c, etc.): just landed m-c. Simple null check
Risk to taking this patch (and alternatives if risky): should be very low risk
String or UUID changes made by this patch: NA
Attachment #623450 - Flags: approval-mozilla-beta?
Attachment #623450 - Flags: approval-mozilla-aurora?
Comment on attachment 623450 patch
[Triage Comment]
Null check for a top crash - let's get this into Aurora 17 and Beta 16.
Attachment #623450 - Flags: approval-mozilla-beta?
Attachment #623450 - Flags: approval-mozilla-beta+
Attachment #623450 - Flags: approval-mozilla-aurora?
Attachment #623450 - Flags: approval-mozilla-aurora+
Target Milestone: --- → mozilla18
Able to see the issue loading the testcase on Nightly 2012-07-19. Verified fixed on FF 16b3 on Win 7 x64, Ubuntu 12.04 and Mac OS X 10.6.8
Verified fixed on FF 17b2 on Win 7 x64, Ubuntu 12.04 and Mac OS X 10.7.5
Status: RESOLVED → VERIFIED
Component: DOM → DOM: Core & HTML