Closed
Bug 701299
Opened 13 years ago
Closed 12 years ago
crash nsGlobalWindow::LeaveModalState
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
VERIFIED
FIXED
mozilla18
People
(Reporter: martijn.martijn, Assigned: drexler)
References
Details
(Keywords: crash, testcase, topcrash, Whiteboard: [native-crash])
Crash Data
Attachments
(2 files)
|
517 bytes,
text/html
|
Details | |
|
1.05 KB,
patch
|
smaug
:
review+
khuey
:
review+
akeybl
:
approval-mozilla-aurora+
akeybl
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is report bp-9cfe03ea-8c52-4281-a7b3-275402111109 . ============================================================= 0 xul.dll nsGlobalWindow::LeaveModalState dom/base/nsGlobalWindow.cpp:6795 1 xul.dll nsDOMWindowUtils::LeaveModalStateWithWindow dom/base/nsDOMWindowUtils.cpp:1530 2 xul.dll NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102 3 xul.dll XPC_WN_CallMethod js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1553 4 mozjs.dll CallCompiler::generateNativeStub js/src/methodjit/MonoIC.cpp:939 5 mozjs.dll js::mjit::ic::NativeCall js/src/methodjit/MonoIC.cpp:1173 6 mozjs.dll js::mjit::EnterMethodJIT js/src/methodjit/MethodJIT.cpp:1064 7 mozjs.dll js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:1142 8 mozjs.dll js::RunScript js/src/jsinterp.cpp:581 9 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:647 10 mozjs.dll js::Invoke js/src/jsinterp.cpp:679 11 mozjs.dll js::ProxyHandler::call js/src/jsproxy.cpp:275 12 mozjs.dll js::Wrapper::call js/src/jswrapper.cpp:262 13 mozjs.dll js::CrossCompartmentWrapper::call js/src/jswrapper.cpp:718 14 mozjs.dll js::Proxy::call js/src/jsproxy.cpp:841 15 mozjs.dll proxy_Call js/src/jsproxy.cpp:1345 16 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:622 17 mozjs.dll js::Interpret js/src/jsinterp.cpp:3948 18 mozjs.dll js::types::TypeSet::addType js/src/jsinferinlines.h:1034 19 mozjs.dll js::types::TypeScript::SetThis js/src/jsinferinlines.h:628 20 mozjs.dll js::ExecuteKernel js/src/jsinterp.cpp:783
|
||
Comment 1•13 years ago
|
||
Most of these are from FF 4.0b11. Several from 10.0a1.
|
Reporter | |
Comment 2•12 years ago
|
||
|
|
Reporter | |
Updated•12 years ago
|
Component: General → DOM
Keywords: testcase
OS: Windows 7 → All
Product: Firefox → Core
QA Contact: general → general
Hardware: x86 → All
|
Assignee | |
Comment 3•12 years ago
|
||
Looks like null deref. It might indicate further problems afield but this nips it in the bud.
Attachment #623450 -
Flags: review?(dolske)
|
||
Comment 4•12 years ago
|
||
Comment on attachment 623450 [details] [diff] [review] patch Bouncing to jst; I've no idea if |scx| being null here is a problem or not.
Attachment #623450 -
Flags: review?(dolske) → review?(jst)
|
|
||
Comment 5•12 years ago
|
||
See also bug 632833 :)
|
||
Comment 6•12 years ago
|
||
Comment on attachment 623450 [details] [diff] [review] patch Unfortunately I don't see how this could possibly fix anything here. aCallerWin is an nsPIDOMWindow, meaning it's an nsGlobalWindow. nsGlobalWindow directly inherits nsIScriptGlobalObject and a QI call on a valid nsPIDOMWindow pointer to nsIScriptGlobalObject will always succeed, so the null pointer check addition here is not fixing the root cause here. Something went wrong before we got to this point :(
Attachment #623450 -
Flags: review?(jst) → review-
Also occurs on Native Fennec: https://crash-stats.mozilla.com/report/list?signature=nsGlobalWindow%3A%3ALeaveModalState
Crash Signature: [@ nsGlobalWindow::LeaveModalState(nsIDOMWindow*)] → [@ nsGlobalWindow::LeaveModalState(nsIDOMWindow*)]
[@ nsGlobalWindow::LeaveModalState]
Whiteboard: [native-crash]
|
||
Comment 8•12 years ago
|
||
It's #39 top browser crasher in 15.0a2. It first appeared in 15.0a1/20120426. The regression window is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=75c7378c87b6&tochange=cc5254f9825f According to comments, it's related to email spell checking.
|
|
||
Comment 9•12 years ago
|
||
It's #36 top browser crasher and #4 on Mac OS X in 15.0b5.
Keywords: topcrash
|
|
||
Comment 10•12 years ago
|
||
It's #14 top browser crasher in 15.0 and #2 on Mac OS X. It's still related to the spell checker.
tracking-firefox15:
--- → ?
tracking-firefox16:
--- → ?
|
||
Comment 11•12 years ago
|
||
Adding qawanted, steps-wanted, and needURLs so that we can try to reproduce.
|
|
||
Comment 12•12 years ago
|
||
(In reply to Alex Keybl [:akeybl] from comment #11) > Adding qawanted, steps-wanted, and needURLs so that we can try to reproduce. There's already a testcase!
|
||
Comment 13•12 years ago
|
||
Comment on attachment 623450 [details] [diff] [review] patch I believe this is the right fix. nsIDOMWindow is not a builtinclass, so we may end up calling LeaveModalStateWithWindow with random JSObject. And if I've understood correctly how hueyfix works, after closing the window, pointers to it are transplanted to point to some other JSObject than the original DOMWindow wrapper. Per GDB aCallerWin doesn't look like a dead object, and QI certainly fails, so I don't know what other could cause this problem.
Attachment #623450 -
Flags: review?(khuey)
Attachment #623450 -
Flags: review-
Attachment #623450 -
Flags: review+
|
|
||
Comment 14•12 years ago
|
||
(In reply to Scoobidiver from comment #12) > (In reply to Alex Keybl [:akeybl] from comment #11) > > Adding qawanted, steps-wanted, and needURLs so that we can try to reproduce. > There's already a testcase! Woops
Keywords: needURLs,
qawanted,
steps-wanted
Attachment #623450 -
Flags: review?(khuey) → review+
|
|
||
Updated•12 years ago
|
Assignee: nobody → andrew.quartey
|
|
||
Comment 15•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/bcc2d5b5b351
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
|
||
Comment 16•12 years ago
|
||
Comment on attachment 623450 [details] [diff] [review] patch [Approval Request Comment] Bug caused by (feature/regressing bug #): hueyfix? User impact if declined: crashes Testing completed (on m-c, etc.): just landed m-c. Simple null check Risk to taking this patch (and alternatives if risky): should be very low risk String or UUID changes made by this patch: NA
Attachment #623450 -
Flags: approval-mozilla-beta?
Attachment #623450 -
Flags: approval-mozilla-aurora?
|
|
||
Comment 17•12 years ago
|
||
Comment on attachment 623450 [details] [diff] [review] patch [Triage Comment] Null check for a top crash - let's get this into Aurora 17 and Beta 16.
Attachment #623450 -
Flags: approval-mozilla-beta?
Attachment #623450 -
Flags: approval-mozilla-beta+
Attachment #623450 -
Flags: approval-mozilla-aurora?
Attachment #623450 -
Flags: approval-mozilla-aurora+
|
|
||
Updated•12 years ago
|
Target Milestone: --- → mozilla18
|
|
||
Comment 18•12 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/440aa0d7c3d3 https://hg.mozilla.org/releases/mozilla-beta/rev/b1ec5d08e466
status-firefox16:
--- → fixed
status-firefox17:
--- → fixed
|
||
Comment 20•12 years ago
|
||
Able to see the issue loading the testcase on Nightly 2012-07-19. Verified fixed on FF 16b3 on Win 7 x64, Ubuntu 12.04 and Mac OS X 10.6.8
|
|
||
Comment 21•12 years ago
|
||
Verified fixed on FF 17b2 on Win 7 x64, Ubuntu 12.04 and Mac OS X 10.7.5
Status: RESOLVED → VERIFIED
|
||
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•