Closed Bug 885668 Opened 11 years ago Closed 11 years ago

crash in nsScriptSecurityManager::GetFunctionObjectPrincipal @ JS_GetFunctionScript

Categories

(Core :: Security: CAPS, defect)

24 Branch
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla25
Tracking Status
firefox23 --- unaffected
firefox24 + verified
firefox25 + verified

People

(Reporter: scoobidiver, Assigned: bholley)

Details

(Keywords: crash, regression, topcrash)

Attachments

(1 file)

It first showed up in 24.0a1/20130615. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b197bed90a98&tochange=3d16d59c9317

Signature: JS_GetFunctionScript(JSContext*, JSFunction*)
UUID: 7afded64-b3b6-47bd-8181-fa34a2130619
Date Processed: 2013-06-19 19:27:12
Uptime: 59
Last Crash: 1.6 minutes before submission
Install Age: 11.8 minutes since version was first installed.
Install Time: 2013-06-19 19:14:59
Product: Firefox
Version: 24.0a1
Build ID: 20130619031048
Release Channel: nightly
OS: Windows NT
OS Version: 5.1.2600 Service Pack 2
Build Architecture: x86
Build Architecture Info: GenuineIntel family 15 model 3 stepping 4
Crash Reason: EXCEPTION_BREAKPOINT
Crash Address: 0x173f8de
App Notes: AdapterVendorID: 0x8086, AdapterDeviceID: 0x2572, AdapterSubsysID: 12bc103c, AdapterDriverVersion: 6.14.10.4396 D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers-
Processor Notes: sp-processor07_phx1_mozilla_com_26539:2012
EMCheckCompatibility: True
Adapter Vendor ID: 0x8086
Adapter Device ID: 0x2572
Total Virtual Memory: 2147352576
Available Virtual Memory: 1919021056
System Memory Use Percentage: 80
Available Page File: 132780032
Available Physical Memory: 103968768

Frame Module Signature Source
0 mozjs.dll JS_GetFunctionScript js/src/jsdbgapi.cpp:523
1 xul.dll nsScriptSecurityManager::GetFunctionObjectPrincipal caps/src/nsScriptSecurityManager.cpp:1973
2 xul.dll nsScriptSecurityManager::CheckFunctionAccess caps/src/nsScriptSecurityManager.cpp:1589
3 xul.dll mozilla::dom::CallbackObject::CallSetup::CallSetup dom/bindings/CallbackObject.cpp:113
4 xul.dll mozilla::dom::Function::Call<nsCOMPtr<nsISupports> > obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:52
5 xul.dll nsGlobalWindow::RunTimeoutHandler dom/base/nsGlobalWindow.cpp:10209
6 xul.dll nsGlobalWindow::RunTimeout dom/base/nsGlobalWindow.cpp:10447
7 xul.dll nsGlobalWindow::TimerCallback dom/base/nsGlobalWindow.cpp:10694
...

More reports at: https://crash-stats.mozilla.com/report/list?signature=JS_GetFunctionScript%28JSContext*%2C+JSFunction*%29
Whiteboard: [native-crash]
It's #18 crasher in 24.0a2 and #12 in 25.0a1.
Keywords: topcrash
Whiteboard: [native-crash]
Actually, #8 on 25.0a1 and #12 on 24.0a2 now, on both we have ~70 crashes from ~50 installations within a week.
Tracking as this is a topcrash. :kairo/:bsmedberg discussed that we'll find an owner for this in the platform meeting. Tracy mentioned we may have seen similar bugs in the past which could be related to data mgnr and would add more info on this bug which could help us move forward in some direction. Tracy any other URL's co-relations that we may have will be helpful.
Flags: needinfo?(twalker)
Keywords: needURLs
(In reply to bhavana bajaj [:bajaj] from comment #3)
> Tracy any other URL's co-relations that we may have will be helpful.
I am replying for Tracy. There are no correlations available because Socorro 52 containing bug 888219 hasn't been pushed to prod.
That request was crossed/confused with another signature I mentioned in the stability meeting. What's needed here is the culprit that caused the regression: I think Bug 880917 - "Move JS versioning from the cx to the compartment" is the most likely suspect in the regression range Scoobidiver initially gave. cc'd bholley
Flags: needinfo?(twalker)
Well, all this machinery can actually go away. That might result in us just crashing nearby, but we might as well do that. I'll upload a patch to remove this function.
Looks like Bobby is working on it, so assigning. :)
Assignee: nobody → bobbyholley+bmo
Comment on attachment 772341
Removed specialized function object principal machinery from CAPS. v1

r=me
Attachment #772341 - Flags: review?(bzbarsky) → review+
Blocks: 893513
(note - there was some roughness on the try push in comment 9, but it appears to be infra related, with zip files failing to extract and so on).
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
:bholley, is this ready for aurora uplift?
Flags: needinfo?(bobbyholley+bmo)
Comment on attachment 772341
Removed specialized function object principal machinery from CAPS. v1

[Approval Request Comment]
Bug caused by (feature/regressing bug #): unknown
User impact if declined: Crashes
Testing completed (on m-c, etc.): baked on m-c
Risk to taking this patch (and alternatives if risky): Low risk.
String or IDL/UUID changes made by this patch: None
Attachment #772341 - Flags: approval-mozilla-aurora?
Flags: needinfo?(bobbyholley+bmo)
Attachment #772341 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0

Unable to crash Firefox 24 beta 8 and latest Nightly. Only 6 crashes in Socorro in the last 2 weeks so I think it's safe to call this verified fixed.
(In reply to Bogdan Maris [QA] [:bogdan_maris] from comment #19)
> Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0
> Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0
> Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101
> Firefox/24.0
>
> Unable to crash Firefox 24 beta 8 and latest Nightly.
Can you please also check Firefox 25?
Keywords: verifyme
Mozilla/5.0 (Windows NT 5.1; rv:25.0) Gecko/20100101 Firefox/25.0
Mozilla/5.0 (X11; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:25.0) Gecko/20100101 Firefox/25.0

Also verified on Aurora 25.0a2, there is only one crash in the last week in Socorro.
Status: RESOLVED → VERIFIED
Keywords: verifyme