Closed Bug 766624 Opened 12 years ago Closed 12 years ago

crash dereferencing null wrapper with <video></video> [@ nsXPConnectParticipant::TraverseImpl ] [@ WrapperIsNotMainThreadOnly ] [@ GetProto ]

Tracking

()

Status:

RESOLVED DUPLICATE of bug 752764

People

(Reporter: dbaron, Assigned: mccr8)

References

(
URL
)

Details

(Keywords: crash)

David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)

Reporter

Description

•

12 years ago

Steps to reproduce:
 1. load http://software.hixie.ch/utilities/js/live-dom-viewer/
 2. click in the top text field
 3. delete the "..."
 4. type "<video></video>" in its place
 5. close the window and wait a bit, or exit the browser

Actual results:
 crash during cycle collection

Expected results:
 no crash

Reproduced in today's Linux 64 mozilla-central nightly:
https://crash-stats.mozilla.com/report/index/15b4d3d3-0ba1-4e92-944d-311912120620

and in a debug build from within the past few days:

#4  <signal handler called>
#5  GetProto (this=0x0)
    at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/xpconnect/src/nsXPConnect.cpp:2910
#6  WrapperIsNotMainThreadOnly (wrapper=0x0)
    at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/xpconnect/src/nsXPConnect.cpp:748
#7  nsXPConnect::Traverse (this=0x7ff44425e490, p=0x7ff42ae1bcd0, cb=...)
    at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/xpconnect/src/nsXPConnect.cpp:784
#8  0x00007ff458949f2a in GCGraphBuilder::Traverse (this=<optimized out>, 
    aPtrInfo=0x3282fa8)
    at /home/dbaron/builds/ssd/mozilla-central/mozilla/xpcom/base/nsCycleCollector.cpp:1743
#9  0x00007ff45894c4ec in nsCycleCollector::MarkRoots (this=0x7ff4440218a0, 
    builder=...)
    at /home/dbaron/builds/ssd/mozilla-central/mozilla/xpcom/base/nsCycleCollector.cpp:2054
#10 0x00007ff45894fb0f in nsCycleCollector::BeginCollection (
    this=0x7ff4440218a0, aListener=0x0)
    at /home/dbaron/builds/ssd/mozilla-central/mozilla/xpcom/base/nsCycleCollector.cpp:2758
#11 0x00007ff45894fedb in BeginCollection (aListener=0x0, this=0x7ff4440218a0)
    at /home/dbaron/builds/ssd/mozilla-central/mozilla/xpcom/base/nsCycleCollector.cpp:2716
#12 nsCycleCollector::Collect (this=0x7ff4440218a0, aResults=<optimized out>, 
    aTryCollections=5, aListener=0x0)
    at /home/dbaron/builds/ssd/mozilla-central/mozilla/xpcom/base/nsCycleCollector.cpp:2700

Andrew McCreight [:mccr8]

Assignee

Updated

•

12 years ago

Assignee: nobody → continuation

Andrew McCreight [:mccr8]

Assignee

Updated

•

12 years ago

Group: core-security

Andrew McCreight [:mccr8]

Assignee

Comment 1

•

12 years ago

could be a dupe of bug 752764

Andrew McCreight [:mccr8]

Assignee

Comment 2

•

12 years ago

Looks like it is fixed by my patch in bug 752764, so I'm calling this a dupe.  Interesting to see that it is something that happens in the wild, though!

Status: NEW → RESOLVED

Closed: 12 years ago

Resolution: --- → DUPLICATE

David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)

Reporter

Comment 3

•

12 years ago

Yep, I typed this into live-dom-viewer this morning to figure out what happened to the contents of a video element, and crashed my main browser session.

Daniel Veditz [:dveditz]

Updated

•

10 years ago

Group: core-security

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

crash dereferencing null wrapper with <video></video> [@ nsXPConnectParticipant::TraverseImpl ] [@ WrapperIsNotMainThreadOnly ] [@ GetProto ]

Categories

(Core :: XPConnect, defect)

Tracking

()

People

(Reporter: dbaron, Assigned: mccr8)

References

(
URL
)

Details

(Keywords: crash)

Crash Data

Security

(public)

User Story

Description

Updated

Updated

Comment 1

Comment 2

Comment 3

Updated