Closed Bug 762199 Opened 9 years ago Closed 9 years ago

IndexedDB: checking availability of IDBTransaction constants in a Greasemonkey userscript crashes Firefox

Categories

(Core :: JavaScript Engine, defect)

13 Branch
x86_64
Windows 7
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla16

People

(Reporter: Omar_Hawk, Assigned: billm)

Details

(Keywords: addon-compat, crash, dev-doc-complete, Whiteboard: [js:p1:fx16])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0
Build ID: 20120601045813

Steps to reproduce:

When putting the following code into any Greasemonkey userscript (or in any other real add-on; with userscripts, it is easier to test):

if (IDBTransaction.READ_WRITE) alert('true');

Firefox crashes when the code is executed.
The problem is that these constants have been removed as of Firefox 13.

Executing this code on a normal web page shows an alert containing 'true', which is also wrong.

Crash report: https://crash-stats.mozilla.com/report/index/6398a357-d5c6-455f-9be8-cb5ec2120606


Actual results:

Firefox crashed.


Expected results:

Firefox should not crash.
Blocks: IndexedDB
Assignee: nobody → general
Severity: normal → critical
Status: UNCONFIRMED → NEW
Crash Signature: [@ DefineProperty]
Component: Untriaged → JavaScript Engine
Ever confirmed: true
Keywords: crash
Product: Firefox → Core
QA Contact: untriaged → general
I found another add-on possibly affected by this: https://addons.mozilla.org/firefox/addon/web-highlighter-by-diigo/

I contacted the developers.
Whiteboard: [js:p1]
Whiteboard: [js:p1] → [js:p1:fx16]
Attached patch: patch
We have some indexeddb code that seems to try to keep these properties around for backwards compatibility. Bug 735094 seems to suggest that these will be removed in a few months. Nevertheless, I think the code functions as desired in content code.

From chrome, we seem to go through some proxies, and we get all screwed up and crash because these properties are implemented using the tiny ID mechanism, which is somewhat broken and should be deprecated. This patch changes the indexeddb code so it doesn't use tiny IDs. It stops us from crashing.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #635486 - Flags: review?(jwalden+bmo)
Attachment #635486 - Flags: review?(jwalden+bmo) → review+
Bill, I used tiny IDs in workers quite a bit... Should I be worried?
(In reply to ben turner [:bent] from comment #3)
> Bill, I used tiny IDs in workers quite a bit... Should I be worried?

Really? I didn't see any other uses, but maybe I didn't search for the right thing. Can you link to one or two places?
Those should be turned into JSNatives to make introspection show the right things (a getter function, no setter function, etc.), in which case the need for tinyids would coincidentally go away, I think. For the one case touched here, Bill said the code in question was going to die quickly enough that it probably wasn't worth the trouble to do anything like that.
https://hg.mozilla.org/mozilla-central/rev/ef0f6e8707ae
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED