Note: There are a few cases of duplicates in user autocompletion which are being worked on.

crash in js::NukeCrossCompartmentWrapper

VERIFIED FIXED in Firefox 16

Status

()

Core
JavaScript Engine
--
critical
VERIFIED FIXED
5 years ago
5 years ago

People

(Reporter: Scoobidiver (away), Assigned: bholley)

Tracking

({crash, regression, topcrash})

16 Branch
mozilla18
crash, regression, topcrash
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox16+ fixed, firefox17+ verified, firefox18 verified)

Details

(Whiteboard: [js:t], crash signature)

(Reporter)

Description

5 years ago
It's #20 top browser crasher in 16.0b1, #26 in 17.0a2, and #34 in 18.0a1.
It first appeared in 17.0a1/20120818 and 16.0a2/20120822. The regression windows are:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a79132ac2f05&tochange=812ea773f166
http://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?fromchange=d7b344615437&tochange=5e6da3c55e7c
It's a regression from bug 781476.

Signature 	js::NukeCrossCompartmentWrapper(JSObject*) More Reports Search
UUID	dd961717-aafe-41b8-a2ac-a6e252120831
Date Processed	2012-08-31 12:06:21
Uptime	106
Last Crash	23.5 hours before submission
Install Age	1.8 minutes since version was first installed.
Install Time	2012-08-31 12:04:19
Product	Firefox
Version	18.0a1
Build ID	20120830030531
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 23 stepping 6
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x4
App Notes 	
AdapterVendorID: 0x1002, AdapterDeviceID: 0x68b8, AdapterSubsysID: 25431002, AdapterDriverVersion: 8.850.0.0
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
EMCheckCompatibility	False
Adapter Vendor ID	0x1002
Adapter Device ID	0x68b8
Total Virtual Memory	4294836224
Available Virtual Memory	3618304000
System Memory Use Percentage	12
Available Page File	39380279296
Available Physical Memory	18852683776

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::NukeCrossCompartmentWrapper 	js/src/jswrapper.cpp:978
1 	mozjs.dll 	js::RemapWrapper 	js/src/jswrapper.cpp:1058
2 	mozjs.dll 	js::RecomputeWrappers 	js/src/jswrapper.cpp:1148
3 	xul.dll 	nsPrincipal::SetDomain 	caps/src/nsPrincipal.cpp:998
4 	xul.dll 	nsHTMLDocument::SetDomain 	content/html/document/src/nsHTMLDocument.cpp:1012
5 	xul.dll 	nsIDOMHTMLDocument_SetDomain 	obj-firefox/js/xpconnect/src/dom_quickstubs.cpp:13793
6 	mozjs.dll 	js::Shape::set 	js/src/jsscopeinlines.h:334
7 	mozjs.dll 	js_NativeSet 	js/src/jsobj.cpp:4509
8 	mozjs.dll 	js::SetPropertyOperation 	js/src/jsinterpinlines.h:331
9 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2315
10 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:355
11 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:388
12 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5854
13 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/xpconnect/src/XPCWrappedJSClass.cpp:1430
14 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/xpconnect/src/XPCWrappedJS.cpp:580
15 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:85
16 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:112
17 	xul.dll 	nsEventListenerManager::HandleEventInternal 	content/events/src/nsEventListenerManager.cpp:875
18 	xul.dll 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventDispatcher.cpp:317
19 	xul.dll 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:640
20 	xul.dll 	DocumentViewerImpl::LoadComplete 	layout/base/nsDocumentViewer.cpp:1025
21 	xul.dll 	nsDocShell::EndPageLoad 	docshell/base/nsDocShell.cpp:6414
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3ANukeCrossCompartmentWrapper%28JSObject*%29
https://crash-stats.mozilla.com/report/list?signature=js%3A%3ANukeCrossCompartmentWrapper
Beta volume is still pretty low, but as it increased we can get addon and module correlations, as well as URLs. Right now here is what the addon correlation looks like:

js::NukeCrossCompartmentWrapper(JSObject*)|EXCEPTION_ACCESS_VIOLATION_READ (78 crashes)
     35% (27/78) vs.   5% (766/16616) plugin@yontoo.com
     10% (8/78) vs.   1% (164/16616) OneClickDownloader@OneClickDownloader.com
     10% (8/78) vs.   3% (453/16616) {EEE6C361-6118-11DC-9C72-001320C79847}
     83% (65/78) vs.  78% (12959/16616) testpilot@labs.mozilla.com (Mozilla Labs - Test Pilot, https://addons.mozilla.org/addon/13661)
      6% (5/78) vs.   1% (212/16616) {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} (FlashGot, https://addons.mozilla.org/addon/220)

Updated

5 years ago
tracking-firefox16: ? → +
tracking-firefox17: ? → +
Latest correlations for one signature show:

32% (96/302) vs.   5% (2415/47409) plugin@yontoo.com

Trying that as a possible reproducible scenario.
QA Contact: mozillamarcia.knous
I'm seeing this crash, apparently while setting document.domain in some combination with document.write calls.
https://crash-stats.mozilla.com/report/index/bp-a26d87df-4f98-483c-819d-683d42120905
(In reply to Martijn Wargers [:mw22] (QA - IRC nick: mw22) from comment #3)
> I'm seeing this crash, apparently while setting document.domain in some
> combination with document.write calls.

That makes total sense given the code here. If you can narrow down STR, I'll gladly take a look.
I'll add it on my things to do, but don't hold your breath on it.
Whiteboard: [js:t]
I think this is bug 789713. Working up a patch now.
Depends on: 789713

Updated

5 years ago
Assignee: general → bobbyholley+bmo
(Reporter)

Comment 7

5 years ago
There are no crashes after 18.0a1/20120911 matching the fix of bug 789713.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox18: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla18

Comment 8

5 years ago
(In reply to Scoobidiver from comment #7)
> There are no crashes after 18.0a1/20120911 matching the fix of bug 789713.

That's fantastic news, thanks Scoobidiver - we'll be able to verify in 16b4 as well in that case.
(Reporter)

Comment 9

5 years ago
There are no crashes after 17.0a2/20120714 for the same reason.
I guess the same thing in 16.0b4.
Status: RESOLVED → VERIFIED
status-firefox16: --- → fixed
status-firefox17: --- → verified
status-firefox18: fixed → verified
You need to log in before you can comment on or make changes to this bug.