Last Comment Bug 760118 - crash in JSCompartment::wrap @ xpc::WrapperFactory::PrepareForWrapping
: crash in JSCompartment::wrap @ xpc::WrapperFactory::PrepareForWrapping
Status: VERIFIED FIXED
[native-crash]
: crash, regression, reproducible, topcrash
Product: Core
Classification: Components
Component: XPConnect (show other bugs)
: 15 Branch
: All All
: -- critical (vote)
: mozilla16
Assigned To: Nobody; OK to take it and work on it
:
Mentors:
: 760768 761498 (view as bug list)
Depends on: 758415
Blocks: 739796
  Show dependency treegraph
 
Reported: 2012-05-31 07:51 PDT by Scoobidiver (away)
Modified: 2012-08-07 06:41 PDT (History)
13 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
verified


Attachments

Description Scoobidiver (away) 2012-05-31 07:51:34 PDT
It first appeared in 15.0a1/20120530144327 and is currently #1 top crasher in one of today's nightlies. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=79262a88881d&tochange=e89ed404ebe5
It's likely a regression from bug 752038.

Signature 	xpc::WrapperFactory::PrepareForWrapping(JSContext*, JSObject*, JSObject*, unsigned int) More Reports Search
UUID	aacace80-c87e-431c-89f1-cbfe72120531
Date Processed	2012-05-31 11:58:18
Uptime	1012
Last Crash	26.1 minutes before submission
Install Age	2.2 hours since version was first installed.
Install Time	2012-05-31 09:39:41
Product	Firefox
Version	15.0a1
Build ID	20120530144327
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 42 stepping 7
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x0
App Notes 	
AdapterVendorID: 0x8086, AdapterDeviceID: 0x0116, AdapterSubsysID: 1671103c, AdapterDriverVersion: 8.15.10.2372
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
EMCheckCompatibility	True
Total Virtual Memory	4294836224
Available Virtual Memory	3571265536
System Memory Use Percentage	81
Available Page File	3174137856
Available Physical Memory	790507520

Frame 	Module 	Signature 	Source
0 	xul.dll 	xpc::WrapperFactory::PrepareForWrapping 	js/xpconnect/wrappers/WrapperFactory.cpp:170
1 	mozjs.dll 	JSCompartment::wrap 	js/src/jscompartment.cpp:176
2 	mozjs.dll 	JS_CopyPropertiesFrom 	js/src/jsobj.cpp:3153
3 	xul.dll 	XPCWrappedNative::ReparentWrapperIfFound 	js/xpconnect/src/XPCWrappedNative.cpp:1614
4 	xul.dll 	MoveWrapper 	js/xpconnect/src/nsXPConnect.cpp:1610
5 	xul.dll 	nsXPConnect::MoveWrappers 	js/xpconnect/src/nsXPConnect.cpp:1670
6 	xul.dll 	nsContentUtils::ReparentContentWrappersInScope 	content/base/src/nsContentUtils.cpp:1639
7 	xul.dll 	nsHTMLDocument::Open 	content/html/document/src/nsHTMLDocument.cpp:1501
8 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:70
9 	xul.dll 	XPCWrappedNative::CallMethod 	js/xpconnect/src/XPCWrappedNative.cpp:2356
10 	xul.dll 	XPC_WN_CallMethod 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1500
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=xpc%3A%3AWrapperFactory%3A%3APrepareForWrapping%28JSContext*%2C+JSObject*%2C+JSObject*%2C+unsigned+int%29
https://crash-stats.mozilla.com/report/list?signature=xpc%3A%3AWrapperFactory%3A%3APrepareForWrapping
Comment 1 Bobby Holley (:bholley) (busy with Stylo) 2012-05-31 08:18:16 PDT
Hm, looks like the private is null, which means that the object was transplanted but that we haven't forgotten about it like we should. Maybe bug 752764, maybe something else.

Some STR would be helpful if they're easy to get.
Comment 2 Scoobidiver (away) 2012-06-01 01:45:39 PDT
One comment says: "Crash every time I play Farmville, very frustrating I will probably canel the app if you can not fix it."
Comment 3 Lukas Blakk [:lsblakk] use ?needinfo 2012-06-01 15:59:07 PDT
[Triage Comment]
Adding qawanted to see if we can get some STR with Farmville here, will re-visit tracking nom once we have a better sense of the origin.
Comment 4 Marcia Knous [:marcia - use ni] 2012-06-01 16:11:04 PDT
Here are some addon correlations I got manually:

Windows NT
  xpc::WrapperFactory::PrepareForWrapping(JSContext*, JSObject*, JSObject*, unsigned int)|EXCEPTION_ACCESS_VIOLATION_READ (136 crashes)
     10% (14/136) vs.   1% (25/2092) crossriderapp2258@crossrider.com
     99% (135/136) vs.  93% (1943/2092) {972ce4c6-7e08-4474-a285-3208198ce6fd} (Default, https://addons.mozilla.org/addon/8150)
      7% (10/136) vs.   1% (21/2092) ffxtlbr@incredibar.com
      8% (11/136) vs.   2% (40/2092) {635abd67-4fe9-1b23-4f01-e679fa7484c1} (Yahoo! Toolbar, https://addons.mozilla.org/addon/2032)
     33% (45/136) vs.  27% (563/2092) uriloader@pdf.js
      6% (8/136) vs.   0% (8/2092) 39ffxtbr@MapsGalaxy_39.com
      6% (8/136) vs.   0% (8/2092) {7affbfae-c4e2-4915-8c0f-00fa3ec610a1} (AOL Toolbar, https://addons.mozilla.org/addon/2114)
      6% (8/136) vs.   1% (11/2092) 64ffxtbr@TelevisionFanatic.com
      7% (9/136) vs.   2% (33/2092) netvideohunter@netvideohunter.com (NetVideoHunter Video Downloader, https://addons.mozilla.org/addon/7447)
Comment 5 Marcia Knous [:marcia - use ni] 2012-06-01 16:40:45 PDT
I was just able to reproduce this on a Windows 7 machine, https://crash-stats.mozilla.com/report/index/bp-65017bad-de85-4178-9be8-d86bb2120601 using the latest nightly.

I did add a few of the extensions above and left Farmville playing in a open tab. I will see if those steps are reproducible.
Comment 6 Marcia Knous [:marcia - use ni] 2012-06-01 17:25:35 PDT
This is reproducible for me, with the following set of extensions installed:

        Ad Muncher Browser Extensions
        2.0
        true
        {3ED591BC-7CC7-495B-A526-B2431356EDC1}

        Ant Video Downloader
        2.4.7
        true
        anttoolbar@ant.com

        avast! WebRep
        7.0.1426
        true
        wrc@avast.com

        Browser Button
        0.81.3
        true
        crossriderapp5179@crossrider.com

        Crossbrowser
        1.03
        true
        crossbrowser@kolibri-italia.com

        Google+Facebook
        0.81.80
        true
        crossriderapp519@crossrider.com

        PDF Viewer
        0.2.536
        true
        uriloader@pdf.js

        Test Pilot
        1.2.1
        true
        testpilot@labs.mozilla.com

        Yahoo! Toolbar
        2.4.8.20120412011105
        true
        {635abd67-4fe9-1b23-4f01-e679fa7484c1}

        Roboform Toolbar for Firefox
        7.6.0
        false
        {22119944-ED35-4ab1-910B-E619EA06A115}

The person who crashed in Comment 2 had one of the CrossRider addons installed, but not the exact ones I have.

STR:
1. Load Farmville.
2. Leave game sitting idle for a while
3. Eventually crash.
Comment 7 Patrick McManus [:mcmanus] PTO until Sep 6 2012-06-03 12:08:51 PDT
I get this easily using evernote.. just trying to edit and move notes through the web interface
Comment 8 Bobby Holley (:bholley) (busy with Stylo) 2012-06-04 03:09:58 PDT
Looks like this also might be reproducible with the patches from bug 745025. I'll try to look at this soon.
Comment 9 Bobby Holley (:bholley) (busy with Stylo) 2012-06-04 03:52:01 PDT
(In reply to Patrick McManus [:mcmanus] from comment #7)
> I get this easily using evernote.. just trying to edit and move notes
> through the web interface

Huzzah, I can reproduce! Thanks patrick. Looking at it now.
Comment 10 Julian Viereck 2012-06-04 03:58:42 PDT
(In reply to Bobby Holley (:bholley) from comment #8)
> Looks like this also might be reproducible with the patches from bug 745025.
> I'll try to look at this soon.

Running the tests locally, I get some assertions that might indicate it's not related to this bug. Looking into it.
Comment 11 Bobby Holley (:bholley) (busy with Stylo) 2012-06-04 04:04:14 PDT
Ok, this seems to be the same issue as bug 752764. It appears to be fixed with my patches from bug 758415, which is what I expected given my analysis of the issue.

Marking the dep.
Comment 12 Jason Smith [:jsmith] 2012-06-04 21:46:50 PDT
*** Bug 761498 has been marked as a duplicate of this bug. ***
Comment 13 Jason Smith [:jsmith] 2012-06-04 21:48:05 PDT
FYI - I've got a consistent reproduction of this bug with the following reproduction steps:

1. Go to http://evernote.com/
2. Login with an existing evernote account with notes already created
3. Read a few of the notes

Result - Crash occurs

https://crash-stats.mozilla.com/report/index/bp-7fd86967-215d-47ea-af24-5d80c2120605
Comment 14 Alice0775 White 2012-06-05 05:59:06 PDT
Regression window(m-c) with STR in comment #13
Good:
http://hg.mozilla.org/mozilla-central/rev/f6d082275253
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/15.0 Firefox/15.0a1 ID:20120530012752
Bad:
http://hg.mozilla.org/mozilla-central/rev/b5af439f1717
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/15.0 Firefox/15.0a1 ID:20120530042453
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f6d082275253&tochange=b5af439f1717

Regression window(m-c)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/98410387837c
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/15.0 Firefox/15.0a1 ID:20120529094953
Bad:
http://hg.mozilla.org/integration/mozilla-inbound/rev/8ffcc3efc77e
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/15.0 Firefox/15.0a1 ID:20120529150154
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=98410387837c&tochange=8ffcc3efc77e

In local build:
Last good: d88590f8a245
First bad: 3bfee91d5f09

Suspected : 3bfee91d5f09	Bobby Holley — Bug 752038 - Avoid getting confused by PreCreate giving a different answer when we wrap objects cross-compartment during reparenting. r=mrbkap
Comment 15 Bobby Holley (:bholley) (busy with Stylo) 2012-06-05 06:06:38 PDT
The actual regression is bug 739796. Bug 758415 fixes it, but is waiting on a dependent bug. Hopefully that will be sorted out soon.
Comment 16 Robert Kaiser 2012-06-06 12:06:33 PDT
(In reply to Bobby Holley (:bholley) from comment #15)
> The actual regression is bug 739796. Bug 758415 fixes it, but is waiting on
> a dependent bug. Hopefully that will be sorted out soon.

This crash is on 15, bug 758415 has now landed on 16 (will see in the next days if it helps, I surely hope so), what's the plan here for 15 (currently on aurora)?
Comment 17 Bobby Holley (:bholley) (busy with Stylo) 2012-06-06 16:08:44 PDT
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #16)

> This crash is on 15, bug 758415 has now landed on 16 (will see in the next
> days if it helps, I surely hope so), what's the plan here for 15 (currently
> on aurora)?

It is currently waiting on aurora approval. I expect to land it in the next day or two.
Comment 18 Scoobidiver (away) 2012-06-12 23:48:10 PDT
I am closing as fixed per comment 15 and crash stats (latest crash in 16.0a1/20120607025755).
Comment 19 Scoobidiver (away) 2012-06-12 23:50:33 PDT
*** Bug 760768 has been marked as a duplicate of this bug. ***
Comment 20 Lukas Blakk [:lsblakk] use ?needinfo 2012-06-15 17:34:20 PDT
Bug 758415 is approved for aurora and also tracked for 15 so I'm removing the tracking request here.
Comment 21 Paul Silaghi, QA [:pauly] 2012-08-07 06:41:29 PDT
Able to see the crash on Nightly 2012-06-01 using the STR in comment 13.
Verified fixed on FF 15b3 on Win 7/64, Ubuntu 12.04 and Mac OS X 10.6

Note You need to log in before you can comment on or make changes to this bug.