Closed Bug 787637 Opened 10 years ago Closed 10 years ago

crash in js::NukeCrossCompartmentWrapper


(Core :: JavaScript Engine, defect)

16 Branch
Not set



Tracking Status
firefox16 + fixed
firefox17 + verified
firefox18 --- verified


(Reporter: scoobidiver, Assigned: bholley)



(Keywords: crash, regression, topcrash, Whiteboard: [js:t])

Crash Data

It's #20 top browser crasher in 16.0b1, #26 in 17.0a2, and #34 in 18.0a1.
It first appeared in 17.0a1/20120818 and 16.0a2/20120822. The regression windows are:
It's a regression from bug 781476.

Signature 	js::NukeCrossCompartmentWrapper(JSObject*)
UUID	dd961717-aafe-41b8-a2ac-a6e252120831
Date Processed	2012-08-31 12:06:21
Uptime	106
Last Crash	23.5 hours before submission
Install Age	1.8 minutes since version was first installed.
Install Time	2012-08-31 12:04:19
Product	Firefox
Version	18.0a1
Build ID	20120830030531
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 23 stepping 6
Crash Address	0x4
App Notes 	
AdapterVendorID: 0x1002, AdapterDeviceID: 0x68b8, AdapterSubsysID: 25431002, AdapterDriverVersion: 8.850.0.0
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
EMCheckCompatibility	False
Adapter Vendor ID	0x1002
Adapter Device ID	0x68b8
Total Virtual Memory	4294836224
Available Virtual Memory	3618304000
System Memory Use Percentage	12
Available Page File	39380279296
Available Physical Memory	18852683776

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::NukeCrossCompartmentWrapper 	js/src/jswrapper.cpp:978
1 	mozjs.dll 	js::RemapWrapper 	js/src/jswrapper.cpp:1058
2 	mozjs.dll 	js::RecomputeWrappers 	js/src/jswrapper.cpp:1148
3 	xul.dll 	nsPrincipal::SetDomain 	caps/src/nsPrincipal.cpp:998
4 	xul.dll 	nsHTMLDocument::SetDomain 	content/html/document/src/nsHTMLDocument.cpp:1012
5 	xul.dll 	nsIDOMHTMLDocument_SetDomain 	obj-firefox/js/xpconnect/src/dom_quickstubs.cpp:13793
6 	mozjs.dll 	js::Shape::set 	js/src/jsscopeinlines.h:334
7 	mozjs.dll 	js_NativeSet 	js/src/jsobj.cpp:4509
8 	mozjs.dll 	js::SetPropertyOperation 	js/src/jsinterpinlines.h:331
9 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2315
10 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:355
11 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:388
12 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5854
13 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/xpconnect/src/XPCWrappedJSClass.cpp:1430
14 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/xpconnect/src/XPCWrappedJS.cpp:580
15 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:85
16 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:112
17 	xul.dll 	nsEventListenerManager::HandleEventInternal 	content/events/src/nsEventListenerManager.cpp:875
18 	xul.dll 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventDispatcher.cpp:317
19 	xul.dll 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:640
20 	xul.dll 	DocumentViewerImpl::LoadComplete 	layout/base/nsDocumentViewer.cpp:1025
21 	xul.dll 	nsDocShell::EndPageLoad 	docshell/base/nsDocShell.cpp:6414

Beta volume is still pretty low, but as it increased we can get addon and module correlations, as well as URLs. Right now here is what the addon correlation looks like:

js::NukeCrossCompartmentWrapper(JSObject*)|EXCEPTION_ACCESS_VIOLATION_READ (78 crashes)
     35% (27/78) vs.   5% (766/16616)
     10% (8/78) vs.   1% (164/16616)
     10% (8/78) vs.   3% (453/16616) {EEE6C361-6118-11DC-9C72-001320C79847}
     83% (65/78) vs.  78% (12959/16616) (Mozilla Labs - Test Pilot,
      6% (5/78) vs.   1% (212/16616) {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} (FlashGot,
Latest correlations for one signature show:

32% (96/302) vs.   5% (2415/47409)

Trying that as a possible reproducible scenario.
QA Contact: mozillamarcia.knous
I'm seeing this crash, apparently while setting document.domain in some combination with document.write calls.
(In reply to Martijn Wargers [:mw22] (QA - IRC nick: mw22) from comment #3)
> I'm seeing this crash, apparently while setting document.domain in some
> combination with document.write calls.

That makes total sense given the code here. If you can narrow down STR, I'll gladly take a look.
I'll add it on my things to do, but don't hold your breath on it.
Whiteboard: [js:t]
I think this is bug 789713. Working up a patch now.
Depends on: 789713
Assignee: general → bobbyholley+bmo
There are no crashes after 18.0a1/20120911 matching the fix of bug 789713.
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
(In reply to Scoobidiver from comment #7)
> There are no crashes after 18.0a1/20120911 matching the fix of bug 789713.

That's fantastic news, thanks Scoobidiver - we'll be able to verify in 16b4 as well in that case.
There are no crashes after 17.0a2/20120714 for the same reason.
I guess the same thing in 16.0b4.