Closed Bug 760118 Opened 13 years ago Closed 13 years ago

crash in JSCompartment::wrap @ xpc::WrapperFactory::PrepareForWrapping

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Version:
15 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla16
Tracking Flags:
Tracking Status
firefox15 --- verified

People

(Reporter: scoobidiver, Unassigned)

References

Details

(4 keywords, Whiteboard: [native-crash])

Crash Data

It first appeared in 15.0a1/20120530144327 and is currently #1 top crasher in one of today's nightlies. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=79262a88881d&tochange=e89ed404ebe5 It's likely a regression from bug 752038. Signature xpc::WrapperFactory::PrepareForWrapping(JSContext*, JSObject*, JSObject*, unsigned int) More Reports Search UUID aacace80-c87e-431c-89f1-cbfe72120531 Date Processed 2012-05-31 11:58:18 Uptime 1012 Last Crash 26.1 minutes before submission Install Age 2.2 hours since version was first installed. Install Time 2012-05-31 09:39:41 Product Firefox Version 15.0a1 Build ID 20120530144327 Release Channel nightly OS Windows NT OS Version 6.1.7601 Service Pack 1 Build Architecture x86 Build Architecture Info GenuineIntel family 6 model 42 stepping 7 Crash Reason EXCEPTION_ACCESS_VIOLATION_READ Crash Address 0x0 App Notes AdapterVendorID: 0x8086, AdapterDeviceID: 0x0116, AdapterSubsysID: 1671103c, AdapterDriverVersion: 8.15.10.2372 D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ EMCheckCompatibility True Total Virtual Memory 4294836224 Available Virtual Memory 3571265536 System Memory Use Percentage 81 Available Page File 3174137856 Available Physical Memory 790507520 Frame Module Signature Source 0 xul.dll xpc::WrapperFactory::PrepareForWrapping js/xpconnect/wrappers/WrapperFactory.cpp:170 1 mozjs.dll JSCompartment::wrap js/src/jscompartment.cpp:176 2 mozjs.dll JS_CopyPropertiesFrom js/src/jsobj.cpp:3153 3 xul.dll XPCWrappedNative::ReparentWrapperIfFound js/xpconnect/src/XPCWrappedNative.cpp:1614 4 xul.dll MoveWrapper js/xpconnect/src/nsXPConnect.cpp:1610 5 xul.dll nsXPConnect::MoveWrappers js/xpconnect/src/nsXPConnect.cpp:1670 6 xul.dll nsContentUtils::ReparentContentWrappersInScope content/base/src/nsContentUtils.cpp:1639 7 xul.dll nsHTMLDocument::Open content/html/document/src/nsHTMLDocument.cpp:1501 8 xul.dll NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:70 9 xul.dll XPCWrappedNative::CallMethod js/xpconnect/src/XPCWrappedNative.cpp:2356 10 xul.dll XPC_WN_CallMethod js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1500 ... More reports at: https://crash-stats.mozilla.com/report/list?signature=xpc%3A%3AWrapperFactory%3A%3APrepareForWrapping%28JSContext*%2C+JSObject*%2C+JSObject*%2C+unsigned+int%29 https://crash-stats.mozilla.com/report/list?signature=xpc%3A%3AWrapperFactory%3A%3APrepareForWrapping
Hm, looks like the private is null, which means that the object was transplanted but that we haven't forgotten about it like we should. Maybe bug 752764, maybe something else. Some STR would be helpful if they're easy to get.
One comment says: "Crash every time I play Farmville, very frustrating I will probably canel the app if you can not fix it."
[Triage Comment] Adding qawanted to see if we can get some STR with Farmville here, will re-visit tracking nom once we have a better sense of the origin.
Keywords: qawanted
Here are some addon correlations I got manually: Windows NT xpc::WrapperFactory::PrepareForWrapping(JSContext*, JSObject*, JSObject*, unsigned int)|EXCEPTION_ACCESS_VIOLATION_READ (136 crashes) 10% (14/136) vs. 1% (25/2092) crossriderapp2258@crossrider.com 99% (135/136) vs. 93% (1943/2092) {972ce4c6-7e08-4474-a285-3208198ce6fd} (Default, https://addons.mozilla.org/addon/8150) 7% (10/136) vs. 1% (21/2092) ffxtlbr@incredibar.com 8% (11/136) vs. 2% (40/2092) {635abd67-4fe9-1b23-4f01-e679fa7484c1} (Yahoo! Toolbar, https://addons.mozilla.org/addon/2032) 33% (45/136) vs. 27% (563/2092) uriloader@pdf.js 6% (8/136) vs. 0% (8/2092) 39ffxtbr@MapsGalaxy_39.com 6% (8/136) vs. 0% (8/2092) {7affbfae-c4e2-4915-8c0f-00fa3ec610a1} (AOL Toolbar, https://addons.mozilla.org/addon/2114) 6% (8/136) vs. 1% (11/2092) 64ffxtbr@TelevisionFanatic.com 7% (9/136) vs. 2% (33/2092) netvideohunter@netvideohunter.com (NetVideoHunter Video Downloader, https://addons.mozilla.org/addon/7447)
I was just able to reproduce this on a Windows 7 machine, https://crash-stats.mozilla.com/report/index/bp-65017bad-de85-4178-9be8-d86bb2120601 using the latest nightly. I did add a few of the extensions above and left Farmville playing in a open tab. I will see if those steps are reproducible.
This is reproducible for me, with the following set of extensions installed: Ad Muncher Browser Extensions 2.0 true {3ED591BC-7CC7-495B-A526-B2431356EDC1} Ant Video Downloader 2.4.7 true anttoolbar@ant.com avast! WebRep 7.0.1426 true wrc@avast.com Browser Button 0.81.3 true crossriderapp5179@crossrider.com Crossbrowser 1.03 true crossbrowser@kolibri-italia.com Google+Facebook 0.81.80 true crossriderapp519@crossrider.com PDF Viewer 0.2.536 true uriloader@pdf.js Test Pilot 1.2.1 true testpilot@labs.mozilla.com Yahoo! Toolbar 2.4.8.20120412011105 true {635abd67-4fe9-1b23-4f01-e679fa7484c1} Roboform Toolbar for Firefox 7.6.0 false {22119944-ED35-4ab1-910B-E619EA06A115} The person who crashed in Comment 2 had one of the CrossRider addons installed, but not the exact ones I have. STR: 1. Load Farmville. 2. Leave game sitting idle for a while 3. Eventually crash.
Keywords: qawantedreproducible
I get this easily using evernote.. just trying to edit and move notes through the web interface
Looks like this also might be reproducible with the patches from bug 745025. I'll try to look at this soon.
(In reply to Patrick McManus [:mcmanus] from comment #7) > I get this easily using evernote.. just trying to edit and move notes > through the web interface Huzzah, I can reproduce! Thanks patrick. Looking at it now.
(In reply to Bobby Holley (:bholley) from comment #8) > Looks like this also might be reproducible with the patches from bug 745025. > I'll try to look at this soon. Running the tests locally, I get some assertions that might indicate it's not related to this bug. Looking into it.
Ok, this seems to be the same issue as bug 752764. It appears to be fixed with my patches from bug 758415, which is what I expected given my analysis of the issue. Marking the dep.
Depends on: 758415
FYI - I've got a consistent reproduction of this bug with the following reproduction steps: 1. Go to http://evernote.com/ 2. Login with an existing evernote account with notes already created 3. Read a few of the notes Result - Crash occurs https://crash-stats.mozilla.com/report/index/bp-7fd86967-215d-47ea-af24-5d80c2120605
Regression window(m-c) with STR in comment #13 Good: http://hg.mozilla.org/mozilla-central/rev/f6d082275253 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/15.0 Firefox/15.0a1 ID:20120530012752 Bad: http://hg.mozilla.org/mozilla-central/rev/b5af439f1717 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/15.0 Firefox/15.0a1 ID:20120530042453 Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f6d082275253&tochange=b5af439f1717 Regression window(m-c) Good: http://hg.mozilla.org/integration/mozilla-inbound/rev/98410387837c Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/15.0 Firefox/15.0a1 ID:20120529094953 Bad: http://hg.mozilla.org/integration/mozilla-inbound/rev/8ffcc3efc77e Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/15.0 Firefox/15.0a1 ID:20120529150154 Pushlog: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=98410387837c&tochange=8ffcc3efc77e In local build: Last good: d88590f8a245 First bad: 3bfee91d5f09 Suspected : 3bfee91d5f09 Bobby Holley — Bug 752038 - Avoid getting confused by PreCreate giving a different answer when we wrap objects cross-compartment during reparenting. r=mrbkap
The actual regression is bug 739796. Bug 758415 fixes it, but is waiting on a dependent bug. Hopefully that will be sorted out soon.
Blocks: 739796
(In reply to Bobby Holley (:bholley) from comment #15) > The actual regression is bug 739796. Bug 758415 fixes it, but is waiting on > a dependent bug. Hopefully that will be sorted out soon. This crash is on 15, bug 758415 has now landed on 16 (will see in the next days if it helps, I surely hope so), what's the plan here for 15 (currently on aurora)?
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #16) > This crash is on 15, bug 758415 has now landed on 16 (will see in the next > days if it helps, I surely hope so), what's the plan here for 15 (currently > on aurora)? It is currently waiting on aurora approval. I expect to land it in the next day or two.
I am closing as fixed per comment 15 and crash stats (latest crash in 16.0a1/20120607025755).
Status: NEW → RESOLVED
Closed: 13 years ago
status-firefox15: --- → affected
Resolution: --- → FIXED
Target Milestone: --- → mozilla16
Whiteboard: [native-crash]
Bug 758415 is approved for aurora and also tracked for 15 so I'm removing the tracking request here.
status-firefox15: affected → ---
tracking-firefox15: ? → ---
status-firefox15: --- → fixed
Able to see the crash on Nightly 2012-06-01 using the STR in comment 13. Verified fixed on FF 15b3 on Win 7/64, Ubuntu 12.04 and Mac OS X 10.6
Status: RESOLVED → VERIFIED
status-firefox15: fixedverified
You need to log in before you can comment on or make changes to this bug.