Last Comment Bug 787637 - crash in js::NukeCrossCompartmentWrapper
: crash in js::NukeCrossCompartmentWrapper
Status: VERIFIED FIXED
[js:t]
: crash, regression, topcrash
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: 16 Branch
: All All
: -- critical (vote)
: mozilla18
Assigned To: Bobby Holley (:bholley) (busy with Stylo)
: Marcia Knous [:marcia - use ni]
Mentors:
Depends on: 789713
Blocks: 781476
  Show dependency treegraph
 
Reported: 2012-09-01 02:10 PDT by Scoobidiver (away)
Modified: 2012-09-17 09:41 PDT (History)
8 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
+
fixed
+
verified
verified


Attachments

Description Scoobidiver (away) 2012-09-01 02:10:24 PDT
It's #20 top browser crasher in 16.0b1, #26 in 17.0a2, and #34 in 18.0a1.
It first appeared in 17.0a1/20120818 and 16.0a2/20120822. The regression windows are:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a79132ac2f05&tochange=812ea773f166
http://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?fromchange=d7b344615437&tochange=5e6da3c55e7c
It's a regression from bug 781476.

Signature 	js::NukeCrossCompartmentWrapper(JSObject*) More Reports Search
UUID	dd961717-aafe-41b8-a2ac-a6e252120831
Date Processed	2012-08-31 12:06:21
Uptime	106
Last Crash	23.5 hours before submission
Install Age	1.8 minutes since version was first installed.
Install Time	2012-08-31 12:04:19
Product	Firefox
Version	18.0a1
Build ID	20120830030531
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 23 stepping 6
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x4
App Notes 	
AdapterVendorID: 0x1002, AdapterDeviceID: 0x68b8, AdapterSubsysID: 25431002, AdapterDriverVersion: 8.850.0.0
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
EMCheckCompatibility	False
Adapter Vendor ID	0x1002
Adapter Device ID	0x68b8
Total Virtual Memory	4294836224
Available Virtual Memory	3618304000
System Memory Use Percentage	12
Available Page File	39380279296
Available Physical Memory	18852683776

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::NukeCrossCompartmentWrapper 	js/src/jswrapper.cpp:978
1 	mozjs.dll 	js::RemapWrapper 	js/src/jswrapper.cpp:1058
2 	mozjs.dll 	js::RecomputeWrappers 	js/src/jswrapper.cpp:1148
3 	xul.dll 	nsPrincipal::SetDomain 	caps/src/nsPrincipal.cpp:998
4 	xul.dll 	nsHTMLDocument::SetDomain 	content/html/document/src/nsHTMLDocument.cpp:1012
5 	xul.dll 	nsIDOMHTMLDocument_SetDomain 	obj-firefox/js/xpconnect/src/dom_quickstubs.cpp:13793
6 	mozjs.dll 	js::Shape::set 	js/src/jsscopeinlines.h:334
7 	mozjs.dll 	js_NativeSet 	js/src/jsobj.cpp:4509
8 	mozjs.dll 	js::SetPropertyOperation 	js/src/jsinterpinlines.h:331
9 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2315
10 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:355
11 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:388
12 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5854
13 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/xpconnect/src/XPCWrappedJSClass.cpp:1430
14 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/xpconnect/src/XPCWrappedJS.cpp:580
15 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:85
16 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:112
17 	xul.dll 	nsEventListenerManager::HandleEventInternal 	content/events/src/nsEventListenerManager.cpp:875
18 	xul.dll 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventDispatcher.cpp:317
19 	xul.dll 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:640
20 	xul.dll 	DocumentViewerImpl::LoadComplete 	layout/base/nsDocumentViewer.cpp:1025
21 	xul.dll 	nsDocShell::EndPageLoad 	docshell/base/nsDocShell.cpp:6414
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3ANukeCrossCompartmentWrapper%28JSObject*%29
https://crash-stats.mozilla.com/report/list?signature=js%3A%3ANukeCrossCompartmentWrapper
Comment 1 Marcia Knous [:marcia - use ni] 2012-09-01 09:26:38 PDT
Beta volume is still pretty low, but as it increased we can get addon and module correlations, as well as URLs. Right now here is what the addon correlation looks like:

js::NukeCrossCompartmentWrapper(JSObject*)|EXCEPTION_ACCESS_VIOLATION_READ (78 crashes)
     35% (27/78) vs.   5% (766/16616) plugin@yontoo.com
     10% (8/78) vs.   1% (164/16616) OneClickDownloader@OneClickDownloader.com
     10% (8/78) vs.   3% (453/16616) {EEE6C361-6118-11DC-9C72-001320C79847}
     83% (65/78) vs.  78% (12959/16616) testpilot@labs.mozilla.com (Mozilla Labs - Test Pilot, https://addons.mozilla.org/addon/13661)
      6% (5/78) vs.   1% (212/16616) {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} (FlashGot, https://addons.mozilla.org/addon/220)
Comment 2 Marcia Knous [:marcia - use ni] 2012-09-05 10:56:47 PDT
Latest correlations for one signature show:

32% (96/302) vs.   5% (2415/47409) plugin@yontoo.com

Trying that as a possible reproducible scenario.
Comment 3 Martijn Wargers [:mwargers] (not working for Mozilla) 2012-09-05 15:51:49 PDT
I'm seeing this crash, apparently while setting document.domain in some combination with document.write calls.
https://crash-stats.mozilla.com/report/index/bp-a26d87df-4f98-483c-819d-683d42120905
Comment 4 Bobby Holley (:bholley) (busy with Stylo) 2012-09-05 18:28:45 PDT
(In reply to Martijn Wargers [:mw22] (QA - IRC nick: mw22) from comment #3)
> I'm seeing this crash, apparently while setting document.domain in some
> combination with document.write calls.

That makes total sense given the code here. If you can narrow down STR, I'll gladly take a look.
Comment 5 Martijn Wargers [:mwargers] (not working for Mozilla) 2012-09-07 10:08:56 PDT
I'll add it on my things to do, but don't hold your breath on it.
Comment 6 Bobby Holley (:bholley) (busy with Stylo) 2012-09-10 12:47:01 PDT
I think this is bug 789713. Working up a patch now.
Comment 7 Scoobidiver (away) 2012-09-16 09:46:11 PDT
There are no crashes after 18.0a1/20120911 matching the fix of bug 789713.
Comment 8 Alex Keybl [:akeybl] 2012-09-17 09:32:31 PDT
(In reply to Scoobidiver from comment #7)
> There are no crashes after 18.0a1/20120911 matching the fix of bug 789713.

That's fantastic news, thanks Scoobidiver - we'll be able to verify in 16b4 as well in that case.
Comment 9 Scoobidiver (away) 2012-09-17 09:41:59 PDT
There are no crashes after 17.0a2/20120714 for the same reason.
I guess the same thing in 16.0b4.

Note You need to log in before you can comment on or make changes to this bug.