Closed Bug 850741 Opened 10 years ago Closed 10 years ago

crash in js::AutoMaybeTouchDeadZones::AutoMaybeTouchDeadZones

(Core :: XPConnect, defect)

22 Branch
Not set

Tracking Status
firefox21 --- unaffected
firefox22 + fixed

(Reporter: scoobidiver, Assigned: billm)

(Keywords: crash, regression, topcrash)

Crash Data

It first showed up in 22.0a1/20130313. The regression range is:

Signature 	js::AutoMaybeTouchDeadZones::AutoMaybeTouchDeadZones(JSObject*)
UUID	6ee26d13-1a08-4f84-a97b-a31002130313
Date Processed	2013-03-13 16:37:35
Uptime	1390
Last Crash	2.8 hours before submission
Install Age	2.5 hours since version was first installed.
Install Time	2013-03-13 14:06:59
Product	Firefox
Version	22.0a1
Build ID	20130313031041
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	AuthenticAMD family 16 model 6 stepping 3
Crash Address	0x0
App Notes 	
AdapterVendorID: 0x1002, AdapterDeviceID: 0x9553, AdapterSubsysID: 10731462, AdapterDriverVersion: 8.930.0.0
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
Processor Notes 	sp-processor10.phx1.mozilla.com_25440:2008
EMCheckCompatibility	True
Adapter Vendor ID	0x1002
Adapter Device ID	0x9553
Total Virtual Memory	4294836224
Available Virtual Memory	3254460416
System Memory Use Percentage	76
Available Page File	660520960
Available Physical Memory	1023672320

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::AutoMaybeTouchDeadZones::AutoMaybeTouchDeadZones 	js/src/jsgc.cpp:4951
1 	xul.dll 	XPCWrappedNative::GetNewOrUsed 	js/xpconnect/src/XPCWrappedNative.cpp:514
2 	xul.dll 	XPCWrappedNative::GetNewOrUsed 	js/xpconnect/src/XPCWrappedNative.cpp:534
3 	xul.dll 	XPCConvert::NativeInterface2JSObject 	js/xpconnect/src/XPCConvert.cpp:925
4 	xul.dll 	XPCConvert::NativeData2JS 	js/xpconnect/src/XPCConvert.cpp:323
5 	xul.dll 	XPC_WN_GetterSetter 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1465
6 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:383
7 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:430
8 	mozjs.dll 	js::BaseProxyHandler::get 	js/src/jsproxy.cpp:163
9 	xul.dll 	xpc::XrayWrapper<js::CrossCompartmentWrapper,xpc::XPCWrappedNativeXrayTraits>::g 	js/xpconnect/wrappers/XrayWrapper.cpp:1720
10 	mozjs.dll 	js::Proxy::get 	js/src/jsproxy.cpp:2476
11 	mozjs.dll 	proxy_GetGeneric 	js/src/jsproxy.cpp:2806
12 	mozjs.dll 	js::GetPropertyOperation 	js/src/jsinterpinlines.h:292
13 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2211
14 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:332
15 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:397
16 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:430
17 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5714
18 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/xpconnect/src/XPCWrappedJSClass.cpp:1433
19 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/xpconnect/src/XPCWrappedJS.cpp:578
20 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:85
21 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:112
22 	xul.dll 	nsObserverService::NotifyObservers 	xpcom/ds/nsObserverService.cpp:161

OS: Windows 7 → All
Blocks: 749655
Crash Signature: [@ js::AutoMaybeTouchDeadZones::AutoMaybeTouchDeadZones(JSObject*)] → [@ js::AutoMaybeTouchDeadZones::AutoMaybeTouchDeadZones(JSObject*)] [@ XPCWrappedNative::GetNewOrUsed(XPCCallContext&, xpcObjectHelper&, XPCWrappedNativeScope*, XPCNativeInterface*, XPCWrappedNative**) ]
It's #2 top browser crasher in today's build.
Keywords: topcrash
Assignee: general → nobody
Component: JavaScript Engine → XPConnect
Bill added AutoMaybeTouchDeadZones, maybe he can make at least an initial analysis here.
Looks like a null deref. The parent argument we're passing in from XPCWrappedNative::GetNewOrUsed appears to be null. That's a little weird. The parent comes directly from a WN scope's global object, which I wouldn't expect to be null.

Bobby, can you take a look? It looks like you landed some stuff in the regression range, and you understand this code much better.
He just landed some tests. ;)
So. I would guess that the _initial_ XPCWrappedNativeScope is valid, because it comes from here:

We pull it off the object's compartment's private _and_ null-check to boot. And XPCWrappedNativeScope is never deleted until the global is finalized, which means that we wouldn't even have the object in the first place. So I would posit that the scope and its global are alive modulo memory corruption or GC hazards.

However, in XPCWrappedNative::GetNewOrUsed, we invoke PreCreate, and then appear to run into the |parent != plannedParent| code. This means that the PreCreate hook decided to use a different parent, so we reinvoke XPCWrappedNative::GetNewOrUsed with the scope pulled off that parent object.

But this is weird, because we have a presumably non-null object returned from precreate, which has a scope, but whose scope has no global. This would imply that the PreCreate hook here is returning something nasty. Bill, what's the deal with this stuff about PreCreate touching dead compartments? That sounds...suspicious.
Flags: needinfo?(wmccloskey)
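A constructed C++ model of the flow described in the comment above, added here as an illustration; it is not Mozilla's code, and the types, the PreCreate hook signature and the result names are my own. It shows the one check that would have refused the bad parent instead of handing a null global to the dead-zone guard: validate the object a PreCreate hook substitutes before re-entering with its scope.

```cpp
// Constructed model for this example; these are not Mozilla's types or code.
// A scope owns one global object; every object points back at its scope.
struct Scope;
struct JSObj { Scope* scope; };
struct Scope { JSObj* global; };

// Outcome of the model's GetNewOrUsed-style wrapping step.
enum class WrapResult { Wrapped, NullParent, ScopeWithoutGlobal };

// Hypothetical PreCreate hook: returns the planned parent or a substitute.
using PreCreateHook = JSObj* (*)(JSObj* plannedParent);

// The invariant the analysis relies on: the parent exists and its scope still
// owns a live global. The crashing flow passed a null global on to the guard.
WrapResult validateParent(const JSObj* parent) {
    if (parent == nullptr || parent->scope == nullptr) return WrapResult::NullParent;
    if (parent->scope->global == nullptr) return WrapResult::ScopeWithoutGlobal;
    return WrapResult::Wrapped;
}

// PreCreate may pick a different parent; if so, re-enter with that parent's
// scope, but only after validating it (the |parent != plannedParent| path).
// A single re-entry is allowed so a misbehaving hook cannot recurse forever.
WrapResult getNewOrUsed(Scope* scope, PreCreateHook preCreate, int depth = 0) {
    JSObj* plannedParent = scope ? scope->global : nullptr;
    WrapResult r = validateParent(plannedParent);
    if (r != WrapResult::Wrapped) return r;
    JSObj* parent = preCreate(plannedParent);
    if (parent != plannedParent && depth == 0) {
        r = validateParent(parent);
        if (r != WrapResult::Wrapped) return r;  // refuse instead of dereferencing null
        return getNewOrUsed(parent->scope, preCreate, depth + 1);
    }
    return WrapResult::Wrapped;  // a dead-zone guard built here sees a live parent
}

// Constructed sample objects: a live scope with a global, and a scope whose
// global has already been finalized (the "scope with no global" case).
static Scope gLiveScope{nullptr};
static JSObj gLiveGlobal{&gLiveScope};
static Scope gDeadScope{nullptr};
static JSObj gOrphan{&gDeadScope};
static JSObj* hookKeepParent(JSObj* p) { return p; }
static JSObj* hookReturnOrphan(JSObj*) { return &gOrphan; }
static JSObj* hookReturnNull(JSObj*) { return nullptr; }

WrapResult runScenario(PreCreateHook hook) { gLiveScope.global = &gLiveGlobal; return getNewOrUsed(&gLiveScope, hook); }
WrapResult scenarioHealthy()    { return runScenario(hookKeepParent); }    // Wrapped
WrapResult scenarioOrphan()     { return runScenario(hookReturnOrphan); }  // ScopeWithoutGlobal
WrapResult scenarioNullParent() { return runScenario(hookReturnNull); }    // NullParent
```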
Assignee: nobody → wmccloskey
We like to have tracked bugs assigned, although it's unclear whether this will end up falling on Bill or Bobby.
Crash Signature: [@ js::AutoMaybeTouchDeadZones::AutoMaybeTouchDeadZones(JSObject*)] [@ XPCWrappedNative::GetNewOrUsed(XPCCallContext&, xpcObjectHelper&, XPCWrappedNativeScope*, XPCNativeInterface*, XPCWrappedNative**) ] → [@ js::AutoMaybeTouchDeadZones::AutoMaybeTouchDeadZones(JSObject*)] [@ js::AutoMaybeTouchDeadZones::AutoMaybeTouchDeadZones ] [@ XPCWrappedNative::GetNewOrUsed(XPCCallContext&, xpcObjectHelper&, XPCWrappedNativeScope*, XPCNativeInterface*, XPCWrappedNat…
Crashes have stopped since 22.0a1/20130318.
Flags: needinfo?(wmccloskey)
I hit this 100% of the time trying to go into as a "shooter" on Google Nexus 4 with today's nightly (3-28) -- adding QA to see if they can also repro this.
I'm hoping this is a dupe of bug 852436. That fix should be in tomorrow's nightly. Could you please re-test after that?
Flags: needinfo?(lsblakk)
No longer crashing - resolving.
Closed: 10 years ago
Flags: needinfo?(lsblakk)
Resolution: --- → WORKSFORME
I'm assuming QAWANTED can be dropped given comment 11. Please re-add if there's some QA help needed here.
Keywords: qawanted