Closed Bug 787637 Opened 13 years ago Closed 13 years ago

crash in js::NukeCrossCompartmentWrapper

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
16 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla18
Tracking Flags:
Tracking Status
firefox16 + fixed
firefox17 + verified
firefox18 --- verified

People

(Reporter: scoobidiver, Assigned: bholley)

References

Details

(Keywords: crash, regression, topcrash, Whiteboard: [js:t])

Crash Data

It's #20 top browser crasher in 16.0b1, #26 in 17.0a2, and #34 in 18.0a1. It first appeared in 17.0a1/20120818 and 16.0a2/20120822. The regression windows are: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a79132ac2f05&tochange=812ea773f166 http://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?fromchange=d7b344615437&tochange=5e6da3c55e7c It's a regression from bug 781476. Signature js::NukeCrossCompartmentWrapper(JSObject*) More Reports Search UUID dd961717-aafe-41b8-a2ac-a6e252120831 Date Processed 2012-08-31 12:06:21 Uptime 106 Last Crash 23.5 hours before submission Install Age 1.8 minutes since version was first installed. Install Time 2012-08-31 12:04:19 Product Firefox Version 18.0a1 Build ID 20120830030531 Release Channel nightly OS Windows NT OS Version 6.1.7601 Service Pack 1 Build Architecture x86 Build Architecture Info GenuineIntel family 6 model 23 stepping 6 Crash Reason EXCEPTION_ACCESS_VIOLATION_READ Crash Address 0x4 App Notes AdapterVendorID: 0x1002, AdapterDeviceID: 0x68b8, AdapterSubsysID: 25431002, AdapterDriverVersion: 8.850.0.0 D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ EMCheckCompatibility False Adapter Vendor ID 0x1002 Adapter Device ID 0x68b8 Total Virtual Memory 4294836224 Available Virtual Memory 3618304000 System Memory Use Percentage 12 Available Page File 39380279296 Available Physical Memory 18852683776 Frame Module Signature Source 0 mozjs.dll js::NukeCrossCompartmentWrapper js/src/jswrapper.cpp:978 1 mozjs.dll js::RemapWrapper js/src/jswrapper.cpp:1058 2 mozjs.dll js::RecomputeWrappers js/src/jswrapper.cpp:1148 3 xul.dll nsPrincipal::SetDomain caps/src/nsPrincipal.cpp:998 4 xul.dll nsHTMLDocument::SetDomain content/html/document/src/nsHTMLDocument.cpp:1012 5 xul.dll nsIDOMHTMLDocument_SetDomain obj-firefox/js/xpconnect/src/dom_quickstubs.cpp:13793 6 mozjs.dll js::Shape::set js/src/jsscopeinlines.h:334 7 mozjs.dll js_NativeSet js/src/jsobj.cpp:4509 8 mozjs.dll js::SetPropertyOperation js/src/jsinterpinlines.h:331 9 mozjs.dll js::Interpret js/src/jsinterp.cpp:2315 10 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:355 11 mozjs.dll js::Invoke js/src/jsinterp.cpp:388 12 mozjs.dll JS_CallFunctionValue js/src/jsapi.cpp:5854 13 xul.dll nsXPCWrappedJSClass::CallMethod js/xpconnect/src/XPCWrappedJSClass.cpp:1430 14 xul.dll nsXPCWrappedJS::CallMethod js/xpconnect/src/XPCWrappedJS.cpp:580 15 xul.dll PrepareAndDispatch xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:85 16 xul.dll SharedStub xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:112 17 xul.dll nsEventListenerManager::HandleEventInternal content/events/src/nsEventListenerManager.cpp:875 18 xul.dll nsEventTargetChainItem::HandleEventTargetChain content/events/src/nsEventDispatcher.cpp:317 19 xul.dll nsEventDispatcher::Dispatch content/events/src/nsEventDispatcher.cpp:640 20 xul.dll DocumentViewerImpl::LoadComplete layout/base/nsDocumentViewer.cpp:1025 21 xul.dll nsDocShell::EndPageLoad docshell/base/nsDocShell.cpp:6414 ... More reports at: https://crash-stats.mozilla.com/report/list?signature=js%3A%3ANukeCrossCompartmentWrapper%28JSObject*%29 https://crash-stats.mozilla.com/report/list?signature=js%3A%3ANukeCrossCompartmentWrapper
Beta volume is still pretty low, but as it increased we can get addon and module correlations, as well as URLs. Right now here is what the addon correlation looks like: js::NukeCrossCompartmentWrapper(JSObject*)|EXCEPTION_ACCESS_VIOLATION_READ (78 crashes) 35% (27/78) vs. 5% (766/16616) plugin@yontoo.com 10% (8/78) vs. 1% (164/16616) OneClickDownloader@OneClickDownloader.com 10% (8/78) vs. 3% (453/16616) {EEE6C361-6118-11DC-9C72-001320C79847} 83% (65/78) vs. 78% (12959/16616) testpilot@labs.mozilla.com (Mozilla Labs - Test Pilot, https://addons.mozilla.org/addon/13661) 6% (5/78) vs. 1% (212/16616) {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} (FlashGot, https://addons.mozilla.org/addon/220)
Latest correlations for one signature show: 32% (96/302) vs. 5% (2415/47409) plugin@yontoo.com Trying that as a possible reproducible scenario.
QA Contact: mozillamarcia.knous
I'm seeing this crash, apparently while setting document.domain in some combination with document.write calls. https://crash-stats.mozilla.com/report/index/bp-a26d87df-4f98-483c-819d-683d42120905
(In reply to Martijn Wargers [:mw22] (QA - IRC nick: mw22) from comment #3) > I'm seeing this crash, apparently while setting document.domain in some > combination with document.write calls. That makes total sense given the code here. If you can narrow down STR, I'll gladly take a look.
I'll add it on my things to do, but don't hold your breath on it.
Whiteboard: [js:t]
I think this is bug 789713. Working up a patch now.
Depends on: 789713
Assignee: general → bobbyholley+bmo
There are no crashes after 18.0a1/20120911 matching the fix of bug 789713.
Status: NEW → RESOLVED
Closed: 13 years ago
status-firefox18: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
(In reply to Scoobidiver from comment #7) > There are no crashes after 18.0a1/20120911 matching the fix of bug 789713. That's fantastic news, thanks Scoobidiver - we'll be able to verify in 16b4 as well in that case.
There are no crashes after 17.0a2/20120714 for the same reason. I guess the same thing in 16.0b4.
Status: RESOLVED → VERIFIED
status-firefox16: --- → fixed
status-firefox17: --- → verified
status-firefox18: fixedverified
You need to log in before you can comment on or make changes to this bug.