Firefox 13.0a1 Crash @ JSAutoEnterCompartment::enter

RESOLVED FIXED in Firefox 12

Status


Core
XPConnect
--
critical
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: emk, Assigned: emk)

Tracking

({crash, regression, reproducible})

12 Branch
mozilla13
crash, regression, reproducible

Firefox Tracking Flags

(firefox11 unaffected, firefox12+ verified)

Details

(Whiteboard: [qa+], crash signature)

Attachments

(1 attachment, 1 obsolete attachment)

(Assignee)

Description

6 years ago
https://crash-stats.mozilla.com/report/index/bp-6caad3d3-e728-4b93-b549-82fa52120203

Steps to reproduce:
new MouseEvent("click", null);
(Assignee)

Comment 1

6 years ago
Created attachment 594131 [details] [diff] [review]
patch

JSVAL_IS_OBJECT(v) is not equivalent to v.isObject(), but is equivalent to v.isObjectOrNull().
Assignee: nobody → VYV03354
Status: NEW → ASSIGNED
Attachment #594131 - Flags: review?(mrbkap)
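
The distinction drawn in Comment 1, as an added example that is not part of the original bug or the Mozilla tree: a small C++ model showing why a check equivalent to isObjectOrNull() lets null reach code that dereferences the object pointer, while isObject() stops it. `Value`, `Object`, `enterCompartment`, `initLoose` and `initStrict` are simplified stand-ins, and the pre-fix shape is an assumption inferred from the comment, not copied from the patch.

```cpp
#include <cstdio>

// Simplified stand-ins for illustration; these are not the SpiderMonkey types.
struct Object { int id; };

class Value {
  enum Tag { Undefined, Null, Obj } tag_;
  Object* obj_;
  Value(Tag t, Object* o) : tag_(t), obj_(o) {}
 public:
  static Value undefined() { return Value(Undefined, nullptr); }
  static Value null() { return Value(Null, nullptr); }
  static Value object(Object* o) { return Value(Obj, o); }
  bool isObject() const { return tag_ == Obj; }  // a real object only
  bool isObjectOrNull() const { return tag_ == Obj || tag_ == Null; }  // what JSVAL_IS_OBJECT tests
  Object* toObjectOrNull() const { return obj_; }  // nullptr for null
};

enum Result { OK, REJECTED, WOULD_CRASH };

// Models a callee that dereferences the object pointer unconditionally.
// The null case is reported here rather than actually faulting.
static Result enterCompartment(Object* o) {
  return o ? OK : WOULD_CRASH;
}

// Assumed pre-fix shape: a JSVAL_IS_OBJECT-style test, which null passes.
Result initLoose(const Value& v) {
  if (!v.isObjectOrNull()) return REJECTED;
  return enterCompartment(v.toObjectOrNull());
}

// Shape of the fix: only a real object gets past the guard.
Result initStrict(const Value& v) {
  if (!v.isObject()) return REJECTED;
  return enterCompartment(v.toObjectOrNull());
}

int main() {
  Object dict{1};
  const Value inputs[] = {Value::undefined(), Value::null(), Value::object(&dict)};
  const char* names[] = {"undefined", "null", "object"};
  const char* text[] = {"ok", "rejected", "would crash"};
  for (int i = 0; i < 3; i++)
    std::printf("%-9s loose=%-11s strict=%s\n", names[i],
                text[initLoose(inputs[i])], text[initStrict(inputs[i])]);
  return 0;
}
```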
(Assignee)

Updated

6 years ago
status-firefox11: --- → unaffected
status-firefox12: --- → affected
tracking-firefox12: --- → ?

Updated

6 years ago
Severity: normal → critical
Crash Signature: [@ JSAutoEnterCompartment::enter(JSContext*, JSObject*)] [@ JSAutoEnterCompartment::enter]
Keywords: crash, regression, reproducible
Summary: Firefox 13.0a1 Crash Report [@ JSAutoEnterCompartment::enter(JSContext*, JSObject*) ] → Firefox 13.0a1 Crash @ JSAutoEnterCompartment::enter
Version: unspecified → 12 Branch
Comment on attachment 594131 [details] [diff] [review]
patch

Review of attachment 594131 [details] [diff] [review]:
-----------------------------------------------------------------

This looks pretty good -- can you add a crashtest for this as well as addressing the comment below? r- for now, but I'm sure r+ on the next patch.

::: js/xpconnect/src/dictionary_helper_gen.py
@@ +381,5 @@
>               "  if (!aCx || !aVal) {\n"
>               "    return NS_OK;\n"
>               "  }\n"
> +             "  NS_ENSURE_STATE(aVal->isObject());\n\n"
> +             "  JSObject& obj = aVal->toObject();\n"
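
Review bot: The new NS_ENSURE_STATE(aVal->isObject()) line treats a null value differently from the null pointer handled just above it: `!aVal` returns NS_OK, while a null or other non-object value now returns a failure. If a null init value is meant to behave like an omitted dictionary, give it the same NS_OK path before this check and keep the failure for other non-objects. The toObject() call on the following line is only safe because it comes after the isObject() check, so keep the two lines together.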

I'd rather see this as |JSObject *obj = &aValue->toObject();|; that way you can reduce the changes later and match other toObject()-using code in the tree.
Attachment #594131 - Flags: review?(mrbkap) → review-
(Assignee)

Comment 3

6 years ago
Created attachment 594432 [details] [diff] [review]
patch v2

Resolved review comments.
Attachment #594131 - Attachment is obsolete: true
Attachment #594432 - Flags: review?(mrbkap)
(Assignee)

Updated

6 years ago
Blocks: 721569
Comment on attachment 594432 [details] [diff] [review]
patch v2

Perfect, thanks.
Attachment #594432 - Flags: review?(mrbkap) → review+
(Assignee)

Updated

6 years ago
Keywords: checkin-needed

Updated

6 years ago
Whiteboard: [autoland-try]

Updated

6 years ago
Whiteboard: [autoland-try] → [autoland-in-queue]

Comment 5

6 years ago
Autoland Patchset:
	Patches: 594432
	Branch: mozilla-central => try
	Destination: http://hg.mozilla.org/try/rev/d1e88e9e3e63
Try run started, revision d1e88e9e3e63. To cancel or monitor the job, see: https://tbpl.mozilla.org/?tree=Try&rev=d1e88e9e3e63

Comment 6

6 years ago
Try run for d1e88e9e3e63 is complete.
Detailed breakdown of the results available here:
    https://tbpl.mozilla.org/?tree=Try&rev=d1e88e9e3e63
Results (out of 208 total builds):
    success: 190
    warnings: 18
Builds (or logs if builds failed) available at:
http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/autolanduser@mozilla.com-d1e88e9e3e63

Updated

6 years ago
Whiteboard: [autoland-in-queue]

Comment 7

6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/4dcd64ada95c
Keywords: checkin-needed
Target Milestone: --- → mozilla13
https://hg.mozilla.org/mozilla-central/rev/4dcd64ada95c
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED

Comment 9

6 years ago
Recent regression that will likely spike as our testing audience grows. If considered low risk, we'd definitely consider uplifting a fix if nominated.
tracking-firefox12: ? → +
(Assignee)

Comment 10

6 years ago
Comment on attachment 594432 [details] [diff] [review]
patch v2

[Approval Request Comment]
Regression caused by (bug #): 709569
User impact if declined: DoS attack can be made because this is a reproducible crash.
Testing completed (on m-c, etc.): Crashtest added on m-c.
Risk to taking this patch (and alternatives if risky): Low, trivial one line fix.
String changes made by this patch: No.
Attachment #594432 - Flags: approval-mozilla-aurora?
Comment on attachment 594432 [details] [diff] [review]
patch v2

[Triage Comment]
Approved for Aurora 12.
Attachment #594432 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(Assignee)

Updated

6 years ago
Keywords: checkin-needed
Whiteboard: [land to aurora]
http://hg.mozilla.org/releases/mozilla-aurora/rev/4af6218cce89
status-firefox12: affected → fixed
Keywords: checkin-needed
Whiteboard: [land to aurora]
Whiteboard: [qa+]
Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0

Verified in Firefox 12 beta3 on Windows XP, Mac OS 10.6, Ubuntu 11.10.

No crash when loading new MouseEvent("click", null); in Error Console. Could previously reproduce.
status-firefox12: fixed → verified