Closed Bug 854604 Opened 8 years ago Closed 8 years ago

Typing 'Components' in the Web Console crashes the browser

Categories

(Core :: XPConnect, defect)

22 Branch
defect
Not set
critical

RESOLVED FIXED
mozilla22
Tracking Status
firefox21 --- unaffected
firefox22 --- fixed

People

(Reporter: reuben, Assigned: bholley)

Details

(Keywords: crash, regression)

Attachments

(1 file)

I don't know how the autocompletion works, but it looks like it's trying to evaluate the string to inspect the resulting object and crashing in XPConnect when trying to unwrap Components.

bp-afa935a8-ab92-4cce-b8ad-3e05d2130325
bp-a17c7cd8-5822-4659-a9b5-dc29d2130325
Severity: major → critical
Crash Signature: [@ js::UnwrapObject(JSObject*, bool, unsigned int*) ]
Keywords: crash
Component: Developer Tools: Console → XPConnect
Product: Firefox → Core
Bobby, might this be a regression from something you landed?
I believe this is a GWNOJO regression. Investigating more.
Assignee: nobody → bobbyholley+bmo
Blocks: 658909
Version: Trunk → 22 Branch
I've audited all the places where we instantiate an XPCCallContext with more
than just (cx, {NATIVE,JS}_CALLER), and the toString hook is the only place
where we don't check IsValid() or something that depends on it.
Attachment #729893 - Flags: review?(mrbkap)
Attachment #729893 - Flags: review?(mrbkap) → review+
https://hg.mozilla.org/mozilla-central/rev/eb3e5d23f987
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
That's not surprising.  It seems unlikely that many people were typing "Components" in the web console.  The remaining crashes all look like null derefs.  Maybe that deserves an extra bug, if it is easy to fix by looking at the crash stacks.
js::UnwrapObject is a very common function, so if that's the only point of similarity they're unlikely to be related.

A lot of those crashes have no stack, but one of them does, and points to an obvious bug. I'll file.
Filed bug 858642 for this.
Blocks: 858648
Note that js::UnwrapObject is going to be renamed to js::UncheckedUnwrap in bug 854503.