Bug 723894 - Firefox 13.0a1 Crash @ JSAutoEnterCompartment::enter
Keywords: crash, regression, reproducible
Product: Core
Classification: Components
Component: XPConnect
Version: 12 Branch
Platform: All All
Importance: -- critical
Target Milestone: mozilla13
Assigned To: Masatoshi Kimura [:emk]
: Andrew Overholt [:overholt]
Blocks: 709569 721569
Reported: 2012-02-03 04:40 PST by Masatoshi Kimura [:emk]
Modified: 2012-03-30 09:08 PDT

patch (2.06 KB, patch)
2012-02-03 04:51 PST, Masatoshi Kimura [:emk]
mrbkap: review-
patch v2 (2.10 KB, patch)
2012-02-04 05:13 PST, Masatoshi Kimura [:emk]
mrbkap: review+
akeybl: approval‑mozilla‑aurora+

Description Masatoshi Kimura [:emk] 2012-02-03 04:40:32 PST

Steps to reproduce:
new MouseEvent("click", null);
Comment 1 Masatoshi Kimura [:emk] 2012-02-03 04:51:27 PST
Created attachment 594131

JSVAL_IS_OBJECT(v) is not equivalent to v.isObject(), but is equivalent to v.isObjectOrNull().
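
The distinction stated in comment 1, as an added illustration that is not code from this bug's patches or from Gecko: `Value`, `Tag`, `Obj`, `Status`, `initOld` and `initFixed` are hypothetical stand-ins that model only the tag checks, and the null dereference is reported as a status instead of being performed.

```cpp
// Added illustration: a simplified stand-in for a tagged JS value.
// All names here are hypothetical; this is not SpiderMonkey's JS::Value.
#include <cstdio>

struct Obj { int slots = 0; };
enum class Tag { Undefined, Null, Int32, Object };

class Value {
    Tag tag_;
    Obj* obj_;
public:
    explicit Value(Tag t, Obj* o = nullptr) : tag_(t), obj_(o) {}
    bool isNull() const { return tag_ == Tag::Null; }
    bool isObject() const { return tag_ == Tag::Object; }
    // The legacy JSVAL_IS_OBJECT test, per comment 1: null also passes.
    bool isObjectOrNull() const { return isObject() || isNull(); }
    Obj* toObjectOrNull() const { return isObject() ? obj_ : nullptr; }
};

enum class Status { Ok, Rejected, WouldDerefNull };

// Guard that assumes "is object" excludes null when it does not.
Status initOld(const Value* v) {
    if (!v) return Status::Ok;
    if (!v->isObjectOrNull()) return Status::Rejected;
    Obj* obj = v->toObjectOrNull();
    // Real code would use obj here; report the hazard instead of crashing.
    return obj ? Status::Ok : Status::WouldDerefNull;
}

// Guard using the strict isObject() check: null is rejected up front.
Status initFixed(const Value* v) {
    if (!v) return Status::Ok;
    if (!v->isObject()) return Status::Rejected;
    Obj* obj = v->toObjectOrNull();
    return obj ? Status::Ok : Status::WouldDerefNull;
}

int main() {
    Obj o;
    Value nul(Tag::Null), obj(Tag::Object, &o), num(Tag::Int32);
    std::printf("null:   old=%d fixed=%d\n", (int)initOld(&nul), (int)initFixed(&nul));
    std::printf("object: old=%d fixed=%d\n", (int)initOld(&obj), (int)initFixed(&obj));
    std::printf("int32:  old=%d fixed=%d\n", (int)initOld(&num), (int)initFixed(&num));
    return 0;
}
```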
Comment 2 Blake Kaplan (:mrbkap) 2012-02-04 03:17:10 PST
Comment on attachment 594131

Review of attachment 594131:

This looks pretty good -- can you add a crashtest for this as well as addressing the comment below? r- for now, but I'm sure r+ on the next patch.

::: js/xpconnect/src/
@@ +381,5 @@
>               "  if (!aCx || !aVal) {\n"
>               "    return NS_OK;\n"
>               "  }\n"
> +             "  NS_ENSURE_STATE(aVal->isObject());\n\n"
> +             "  JSObject& obj = aVal->toObject();\n"
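Review bot: At the NS_ENSURE_STATE(aVal->isObject()) line, any non-object value, including JS null, now produces a failure return (NS_ERROR_UNEXPECTED), while the !aVal early return just above yields NS_OK for a missing value. If a null dictionary argument should be treated like an absent one, add an explicit aVal->isNull() early return before the NS_ENSURE_STATE; if the failure is intended, a short comment in the generated code saying so would help. Either way the isObject() check has to stay ahead of toObject(), since toObject() is only valid on a value already known to hold an object.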

I'd rather see this as |JSObject *obj = &aValue->toObject();| that way you can reduce the changes later and to match other toObject() using code in the tree.
Comment 3 Masatoshi Kimura [:emk] 2012-02-04 05:13:55 PST
Created attachment 594432
patch v2

Resolved review comments.
Comment 4 Blake Kaplan (:mrbkap) 2012-02-04 08:41:51 PST
Comment on attachment 594432
patch v2

Perfect, thanks.
Comment 5 Mozilla RelEng Bot 2012-02-04 09:46:29 PST
Autoland Patchset:
	Patches: 594432
	Branch: mozilla-central => try
Try run started, revision d1e88e9e3e63. To cancel or monitor the job, see:
Comment 6 Mozilla RelEng Bot 2012-02-04 14:30:23 PST
Try run for d1e88e9e3e63 is complete.
Detailed breakdown of the results available here:
Results (out of 208 total builds):
    success: 190
    warnings: 18
Builds (or logs if builds failed) available at:
Comment 8 Marco Bonardo [::mak] 2012-02-06 00:49:25 PST
Comment 9 Alex Keybl [:akeybl] 2012-02-10 13:06:04 PST
Recent regression that will likely spike as our testing audience grows. If considered low risk, we'd definitely consider uplifting a fix if nominated.
Comment 10 Masatoshi Kimura [:emk] 2012-02-10 16:24:33 PST
Comment on attachment 594432
patch v2

[Approval Request Comment]
Regression caused by (bug #): 709569
User impact if declined: DoS attack can be made because this is a reproducible crash.
Testing completed (on m-c, etc.): Crashtest added on m-c.
Risk to taking this patch (and alternatives if risky): Low, trivial one line fix.
String changes made by this patch: No.
Comment 11 Alex Keybl [:akeybl] 2012-02-14 11:34:05 PST
Comment on attachment 594432
patch v2

[Triage Comment]
Approved for Aurora 12.
Comment 13 Virgil Dicu [:virgil] [QA] 2012-03-30 09:08:21 PDT
Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0

Verified in Firefox 12 beta3 on Windows XP, Mac OS 10.6, Ubuntu 11.10.

No crash when loading new MouseEvent("click", null); in Error Console. Could previously reproduce.