Closed Bug 701299 Opened 11 years ago Closed 10 years ago

crash nsGlobalWindow::LeaveModalState


(Core :: DOM: Core & HTML, defect)

Not set



Tracking Status
firefox15 + ---
firefox16 + verified
firefox17 --- verified


(Reporter: martijn.martijn, Assigned: drexler)



(Keywords: crash, testcase, topcrash, Whiteboard: [native-crash])

Crash Data


(2 files)

This bug was filed from the Socorro interface and is 
report bp-9cfe03ea-8c52-4281-a7b3-275402111109 .
0 	xul.dll 	nsGlobalWindow::LeaveModalState 	dom/base/nsGlobalWindow.cpp:6795
1 	xul.dll 	nsDOMWindowUtils::LeaveModalStateWithWindow 	dom/base/nsDOMWindowUtils.cpp:1530
2 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
3 	xul.dll 	XPC_WN_CallMethod 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1553
4 	mozjs.dll 	CallCompiler::generateNativeStub 	js/src/methodjit/MonoIC.cpp:939
5 	mozjs.dll 	js::mjit::ic::NativeCall 	js/src/methodjit/MonoIC.cpp:1173
6 	mozjs.dll 	js::mjit::EnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:1064
7 	mozjs.dll 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:1142
8 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:581
9 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:647
10 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:679
11 	mozjs.dll 	js::ProxyHandler::call 	js/src/jsproxy.cpp:275
12 	mozjs.dll 	js::Wrapper::call 	js/src/jswrapper.cpp:262
13 	mozjs.dll 	js::CrossCompartmentWrapper::call 	js/src/jswrapper.cpp:718
14 	mozjs.dll 	js::Proxy::call 	js/src/jsproxy.cpp:841
15 	mozjs.dll 	proxy_Call 	js/src/jsproxy.cpp:1345
16 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:622
17 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:3948
18 	mozjs.dll 	js::types::TypeSet::addType 	js/src/jsinferinlines.h:1034
19 	mozjs.dll 	js::types::TypeScript::SetThis 	js/src/jsinferinlines.h:628
20 	mozjs.dll 	js::ExecuteKernel 	js/src/jsinterp.cpp:783
Most of these are from FF 4.0b11. Several from 10.0a1.
Attached file testcase
Component: General → DOM
Keywords: testcase
OS: Windows 7 → All
Product: Firefox → Core
QA Contact: general → general
Hardware: x86 → All
Attached patch patchSplinter Review
Looks like null deref. It might indicate further problems afield but this nips it in the bud.
Attachment #623450 - Flags: review?(dolske)
Comment on attachment 623450 [details] [diff] [review]

Bouncing to jst; I've no idea if |scx| being null here is a problem or not.
Attachment #623450 - Flags: review?(dolske) → review?(jst)
See also bug 632833 :)
Comment on attachment 623450 [details] [diff] [review]

Unfortunately I don't see how this could possibly fix anything here. aCallerWin is an nsPIDOMWindow, meaning it's an nsGlobalWindow. nsGlobalWindow directly inherits nsIScriptGlobalObject and a QI call on a valid nsPIDOMWindow pointer to nsIScriptGlobalObject will always succeed, so the null pointer check addition here is not fixing the root cause here. Something went wrong before we got to this point :(
Attachment #623450 - Flags: review?(jst) → review-
Also occurs on Native Fennec:
Crash Signature: [@ nsGlobalWindow::LeaveModalState(nsIDOMWindow*)] → [@ nsGlobalWindow::LeaveModalState(nsIDOMWindow*)] [@ nsGlobalWindow::LeaveModalState]
Whiteboard: [native-crash]
It's #39 top browser crasher in 15.0a2. It first appeared in 15.0a1/20120426. The regression window is:

According to comments, it's related to email spell checking.
It's #36 top browser crasher and #4 on Mac OS X in 15.0b5.
Keywords: topcrash
It's #14 top browser crasher in 15.0 and #2 on Mac OS X.

It's still related to the spell checker.
Adding qawanted, steps-wanted, and needURLs so that we can try to reproduce.
(In reply to Alex Keybl [:akeybl] from comment #11)
> Adding qawanted, steps-wanted, and needURLs so that we can try to reproduce.
There's already a testcase!
Comment on attachment 623450 [details] [diff] [review]

I believe this is the right fix.
nsIDOMWindow is not a builtinclass, so we may end up calling
LeaveModalStateWithWindow with random JSObject. And if I've
understood correctly how hueyfix works, after closing the window, pointers
to it are transplanted to point to some other JSObject than the original
DOMWindow wrapper.

Per GDB aCallerWin doesn't look like a dead object, and QI certainly fails,
so I don't know what other could cause this problem.
Attachment #623450 - Flags: review?(khuey)
Attachment #623450 - Flags: review-
Attachment #623450 - Flags: review+
(In reply to Scoobidiver from comment #12)
> (In reply to Alex Keybl [:akeybl] from comment #11)
> > Adding qawanted, steps-wanted, and needURLs so that we can try to reproduce.
> There's already a testcase!

Assignee: nobody → andrew.quartey
Closed: 10 years ago
Resolution: --- → FIXED
Comment on attachment 623450 [details] [diff] [review]

[Approval Request Comment]
Bug caused by (feature/regressing bug #): hueyfix?
User impact if declined: crashes
Testing completed (on m-c, etc.): just landed m-c. Simple null check 
Risk to taking this patch (and alternatives if risky): should be very low risk
String or UUID changes made by this patch: NA
Attachment #623450 - Flags: approval-mozilla-beta?
Attachment #623450 - Flags: approval-mozilla-aurora?
Comment on attachment 623450 [details] [diff] [review]

[Triage Comment]
Null check for a top crash - let's get this into Aurora 17 and Beta 16.
Attachment #623450 - Flags: approval-mozilla-beta?
Attachment #623450 - Flags: approval-mozilla-beta+
Attachment #623450 - Flags: approval-mozilla-aurora?
Attachment #623450 - Flags: approval-mozilla-aurora+
Target Milestone: --- → mozilla18
Duplicate of this bug: 791285
Able to see the issue loading the testcase on Nightly 2012-07-19.
Verified fixed on FF 16b3 on Win 7 x64, Ubuntu 12.04 and Mac OS X 10.6.8
Verified fixed on FF 17b2 on Win 7 x64, Ubuntu 12.04 and Mac OS X 10.7.5
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.