Closed Bug 882164 Opened 6 years ago Closed 6 years ago

startup crash in nsHTMLDocument::GetAll @ js::CompartmentChecker::fail with Client-Side Adaptations Tool or McAfee Site Advisor

Categories

(Core :: DOM: Core & HTML, defect, critical)

24 Branch
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla24
Tracking Status
firefox23 --- unaffected
firefox24 + verified
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: scoobidiver, Assigned: Ms2ger)

References

Details

(5 keywords, Whiteboard: [startupcrash])

Crash Data

Attachments

(1 file)

It seems to be a regression in 24.0a1/20130612 according to startup crashes in crash stats. There are many startup crashes with McAfee Site Advisor.

STR:
1. Install https://www.dropbox.com/s/c36to2gyoo4ulbo/cs-adaptation@lifia.xpi
2. Restart -> Patatra

The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=86413e921d5d&tochange=0414d6d0f60d
It's likely a regression from bug 877277.

Signature 	js::CompartmentChecker::fail(JSCompartment*, JSCompartment*) More Reports Search
UUID	e82462cb-4075-4748-a0e7-be1602130612
Date Processed	2013-06-12 15:18:20
Uptime	4
Last Crash	1.7 days before submission
Install Age	11.8 minutes since version was first installed.
Install Time	2013-06-12 15:06:54
Product	Firefox
Version	24.0a1
Build ID	20130612031138
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 23 stepping 10
Crash Reason	EXCEPTION_BREAKPOINT
Crash Address	0x69b01b33
App Notes 	
AdapterVendorID: 0x8086, AdapterDeviceID: 0x2a42, AdapterSubsysID: 02961025, AdapterDriverVersion: 8.15.10.2869
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
Processor Notes 	sp-processor05_phx1_mozilla_com_3890:2012
EMCheckCompatibility	True
Adapter Vendor ID	0x8086
Adapter Device ID	0x2a42
Total Virtual Memory	4294836224
Available Virtual Memory	3937624064
System Memory Use Percentage	61
Available Page File	5804310528
Available Physical Memory	1612771328

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::CompartmentChecker::fail 	js/src/jscntxtinlines.h:165
1 	mozjs.dll 	JS_GetGlobalForObject 	js/src/jsapi.cpp:2244
2 	xul.dll 	nsHTMLDocument::GetAll 	content/html/document/src/nsHTMLDocument.cpp:2728
3 	xul.dll 	mozilla::dom::HTMLDocumentBinding::get_all 	obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:1297
4 	xul.dll 	mozilla::dom::HTMLDocumentBinding::genericGetter 	obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:1443
5 	mozjs.dll 	js::Invoke 	js/src/vm/Interpreter.cpp:434
6 	mozjs.dll 	js::BaseProxyHandler::get 	js/src/jsproxy.cpp:159
7 	xul.dll 	xpc::XrayWrapper<js::CrossCompartmentWrapper,xpc::DOMXrayTraits>::get 	js/xpconnect/wrappers/XrayWrapper.cpp:1821
8 	mozjs.dll 	js::Proxy::get 	js/src/jsproxy.cpp:2478
9 	mozjs.dll 	proxy_GetGeneric 	js/src/jsproxy.cpp:2816
10 	mozjs.dll 	JSObject::getGeneric 	js/src/jsobjinlines.h:158
11 	mozjs.dll 	JSObject::getProperty 	js/src/jsobjinlines.h:182
12 	mozjs.dll 	js::ion::TryAttachScopeNameStub 	js/src/ion/BaselineIC.cpp:4894
13 		@0x9063be4 	
14 		@0xffffff82 	

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3ACompartmentChecker%3A%3Afail%28JSCompartment*%2C+JSCompartment*%29
Blocks: 877277
Does this need anything else than a JSAutoCompartment?
Assignee: nobody → Ms2ger
Keywords: sec-high
Attached patch Patch v1Splinter Review
Sounds like I can do it, then.
Attachment #761607 - Flags: review?(bugs)
Comment on attachment 761607 [details] [diff] [review]
Patch v1

r=me
Attachment #761607 - Flags: review?(bugs) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/f850d84e4bb5

This should probably have a test, but I guess it needs to be something with frames or something... I'll look later.
Status: NEW → ASSIGNED
Flags: in-testsuite?
OS: Windows 7 → All
Hardware: x86 → All
Doing document.all on an Xray is the right way to trigger this.
Tough actually, getting the document.all getter from one window and doing a .call() on a document from another window will in fact work too.
There are 341 crashes in today's build.
https://hg.mozilla.org/mozilla-central/rev/f850d84e4bb5

(In reply to :Ms2ger from comment #5)
> This should probably have a test, but I guess it needs to be something with
> frames or something... I'll look later.
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(Ms2ger)
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Group: core-security
Reproduced on nightly 2013-06-12.
Verified fixed FF 24b8, 26.0a1 (2013-09-02) Win 7.
Status: RESOLVED → VERIFIED
Flags: needinfo?(Ms2ger)
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.