Closed Bug 810520 Opened 13 years ago Closed 13 years ago

crash in mozilla::dom::XrayResolveProperty due to Xrays on window.URL

Categories: Core :: DOM: Core & HTML, defect
Version: 19 Branch
Type: defect
Priority: Not set
Severity: critical

Tracking: RESOLVED FIXED, target mozilla19
Tracking Status:
firefox18 --- unaffected
firefox19 - verified

People: Reporter: scoobidiver, Assigned: bzbarsky

Details: Keywords: crash, regression, topcrash

Attachments: 1 file

It first showed up in 19.0a1/20121109 and is currently #1 top crasher in this build with about 35 crashes an hour.

The regression window is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=36e99ea02c05&tochange=90cea19e27e2

Here are a few comments:
"I changed the theme from Windows Classic to Aero with Mozzarella Foxfire open. It wasn't me, I swear."
"Posting on /g/-Technology. Will try without my fancy dancy userscripts. Sorry to keep clogging the pipes. As an aside, I am unable to view the details, though the button visibly accepts my input."
"Submitting a post causes Nightly to crash"

Signature: mozilla::dom::XrayResolveProperty
UUID: 5d5cdcc9-581e-4767-9bcf-9862b2121109
Date Processed: 2012-11-09 16:51:13
Uptime: 2378
Install Age: 42.2 minutes since version was first installed.
Install Time: 2012-11-09 16:08:45
Product: Firefox
Version: 19.0a1
Build ID: 20121109030635
Release Channel: nightly
OS: Windows NT
OS Version: 6.1.7601 Service Pack 1
Build Architecture: x86
Build Architecture Info: GenuineIntel family 6 model 26 stepping 5
Crash Reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash Address: 0x0
App Notes: AdapterVendorID: 0x10de, AdapterDeviceID: 0x05e2, AdapterSubsysID: 212019da, AdapterDriverVersion: 9.18.13.697 D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+
EMCheckCompatibility: True
Adapter Vendor ID: 0x10de
Adapter Device ID: 0x05e2
Total Virtual Memory: 4294836224
Available Virtual Memory: 3697786880
System Memory Use Percentage: 34
Available Page File: 20459446272
Available Physical Memory: 8488300544

Frame  Module      Signature                                                                          Source
0      xul.dll     mozilla::dom::XrayResolveProperty                                                  dom/bindings/BindingUtils.cpp:684
1      xul.dll     mozilla::dom::XrayResolveNativeProperty                                            dom/bindings/BindingUtils.cpp:816
2      xul.dll     mozilla::dom::XrayResolveNativeProperty                                            dom/bindings/BindingUtils.cpp:861
3      xul.dll     xpc::XrayWrapper<js::CrossCompartmentWrapper,xpc::DOMXrayTraits>::getPropertyDes  js/xpconnect/wrappers/XrayWrapper.cpp:1410
4      mozjs.dll   js::BaseProxyHandler::get                                                          js/src/jsproxy.cpp:89
5      xul.dll     xpc::XrayWrapper<js::CrossCompartmentWrapper,xpc::DOMXrayTraits>::get             js/xpconnect/wrappers/XrayWrapper.cpp:1643
6      mozjs.dll   proxy_GetGeneric                                                                   js/src/jsproxy.cpp:2646
7      mozjs.dll   JSObject::getGeneric                                                               js/src/jsobjinlines.h:169
8      mozjs.dll   js::GetPropertyOperation                                                           js/src/jsinterpinlines.h:286
9      mozjs.dll   js::Interpret                                                                      js/src/jsinterp.cpp:2206
10     mozjs.dll   js::RunScript                                                                      js/src/jsinterp.cpp:318
11     mozjs.dll   js::InvokeKernel                                                                   js/src/jsinterp.cpp:381
12     mozjs.dll   js::Invoke                                                                         js/src/jsinterp.cpp:414
13     mozjs.dll   js::CrossCompartmentWrapper::call                                                  js/src/jswrapper.cpp:626
14     mozjs.dll   proxy_Call                                                                         js/src/jsproxy.cpp:3021
15     mozjs.dll   js::InvokeKernel                                                                   js/src/jsinterp.cpp:362
16     mozjs.dll   js::Invoke                                                                         js/src/jsinterp.cpp:414
17     mozjs.dll   JS_CallFunctionValue                                                               js/src/jsapi.cpp:5790
18     xul.dll     nsJSContext::CallEventHandler                                                      dom/base/nsJSEnvironment.cpp:1935
19     xul.dll     nsJSEventListener::HandleEvent                                                     dom/src/events/nsJSEventListener.cpp:213
20     xul.dll     nsEventListenerManager::HandleEventInternal                                        content/events/src/nsEventListenerManager.cpp:957
21     xul.dll     nsEventTargetChainItem::HandleEventTargetChain                                     content/events/src/nsEventDispatcher.cpp:316
...

More reports at: https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Adom%3A%3AXrayResolveProperty
Line 684 of BindingUtils.cpp is:

    for ( ; methodIds[i] != JSID_VOID; ++i) {

and the crash is a null-deref. The callstack indicates we're coming through XrayResolveNativeProperty and the DOMObjectType is neither eInstance nor eInterfacePrototype. So we're looking at an interface object. Furthermore, we're looking at the .regular field of a NativePropertiesHolder.
I poked through our generated code, and in URLBinding.cpp we have:

    static const NativeProperties sNativeProperties = {
      sStaticMethods, nullptr, sStaticMethods_specs,

so if we're hitting Xrays with that NativeProperties instance, we'd get a crash like this! In our test codegen, we also have:

    static const NativeProperties sNativeProperties = {
      sStaticMethods, nullptr, sStaticMethods_specs,
      sStaticAttributes, nullptr, sStaticAttributes_specs,

for TestInterfaceBinding.
I have no idea why this first showed up today. The underlying issue has been in place since bug 763643 and bug 778152 (some combination of the two) as far as I can tell.
Blocks: 763643, 778152
Oh, I know why. Because bug 792675 is what added static stuff to URL.
Blocks: 792675
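The null dereference described in the comments above, modelled as an added C++ example (constructed here, not Gecko's code): a generated property table whose methods list is present but whose ids array is nullptr, the resolve loop that indexes the ids array unconditionally, and a guarded variant that treats the missing array as "nothing to resolve". The struct layout, names and the guard are assumptions for illustration; the attached patch instead changed what usedForXrays returns so that the generated tables are consistent.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>

// Constructed model of the generated binding tables (not Gecko's real types).
struct FunctionSpec { const char* name; };
struct Prefable { bool enabled; const FunctionSpec* specs; };
struct NativeProperties {
  const Prefable* methods;        // groups of methods, each pointing into methodSpecs
  const char* const* methodIds;   // one id per spec, nullptr-terminated; may be absent
  const FunctionSpec* methodSpecs;
  size_t methodsCount;
};

// Mirrors the loop at BindingUtils.cpp:684: methodIds is indexed without first
// checking that this table carries an ids array at all. With a table shaped like
// the URL binding (methods set, methodIds == nullptr) the first read hits address 0.
static bool ResolveUnchecked(const NativeProperties& p, const char* id) {
  for (size_t pref = 0; pref < p.methodsCount; ++pref) {
    if (!p.methods[pref].enabled) continue;
    // Index into the full ids/specs list for this prefable group.
    size_t i = static_cast<size_t>(p.methods[pref].specs - p.methodSpecs);
    for (; p.methodIds[i] != nullptr; ++i)       // null-deref when methodIds == nullptr
      if (std::strcmp(p.methodIds[i], id) == 0) return true;
  }
  return false;
}

// Guarded variant: a table with no ids array has nothing for Xrays to resolve.
static bool ResolveChecked(const NativeProperties& p, const char* id) {
  if (!p.methods || !p.methodIds) return false;
  return ResolveUnchecked(p, id);  // both arrays present, so the loop is safe
}

// Constructed sample tables; the ids are URL's static method names, used as sample data.
static const FunctionSpec kSpecs[] = {{"createObjectURL"}, {"revokeObjectURL"}, {nullptr}};
static const char* const kIds[]   = {"createObjectURL", "revokeObjectURL", nullptr};
static const Prefable kMethods[]  = {{true, kSpecs}};
static const NativeProperties kComplete = {kMethods, kIds,    kSpecs, 1};
static const NativeProperties kUrlShape = {kMethods, nullptr, kSpecs, 1};  // shape seen in URLBinding.cpp

int main() {
  std::printf("complete table resolves createObjectURL: %d\n",
              ResolveChecked(kComplete, "createObjectURL"));   // 1
  std::printf("URL-shaped table resolves createObjectURL: %d\n",
              ResolveChecked(kUrlShape, "createObjectURL"));   // 0, instead of a crash
  return 0;
}
```

Calling ResolveUnchecked on kUrlShape reproduces the EXCEPTION_ACCESS_VIOLATION_READ at address 0 from the report; the guarded version returns false for that table.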
property types, except in worker code. The real substantive change here is the change to what usedForXrays returns. The rest is minor cleanup.
Attachment #680328 - Flags: review?(peterv)
Assignee: nobody → bzbarsky
Whiteboard: [need review]
Summary: crash in mozilla::dom::XrayResolveProperty → crash in mozilla::dom::XrayResolveProperty due to Xrays on window.URL
Attachment #680328 - Flags: review?(peterv) → review+
Flags: in-testsuite+
Whiteboard: [need review]
Target Milestone: --- → mozilla19
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
No crashes found on crash stats report for FF > 18.0.1. Based on this, I am moving this to verified.
Component: DOM → DOM: Core & HTML