Closed Bug 896900 Opened 6 years ago Closed 6 years ago

crash in nsXBLBinding::DoInitJSClass @ js::CompartmentChecker::fail

Categories: Core :: XBL, defect, critical
Version: 25 Branch
Priority: Not set

Status: RESOLVED WORKSFORME
Tracking Status:
firefox24 --- unaffected
firefox25 + unaffected

People: Reporter: scoobidiver, Assignee: Unassigned

Details: 5 keywords, Whiteboard: [firebug-p1]

With the stack trace below, it first showed up in 25.0a1/20130715100109 and spiked in 25.0a1/20130720. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=18467a85acf6&tochange=5e191a26d909

Signature 	js::CompartmentChecker::fail(JSCompartment*, JSCompartment*)
UUID 	3c5051b7-80e4-45a5-9ba8-d4dd92130722
Date Processed	2013-07-22 23:53:21.118831
Uptime	7545
Last Crash	27335820 seconds before submission
Install Age 	16679 since version was first installed.
Install Time 	2013-07-22 19:15:23
Product 	Firefox
Version 	25.0a1
Build ID 	20130722030226
Release Channel 	nightly
OS 	Windows NT
OS Version 	6.1.7601 Service Pack 1
Build Architecture 	x86
Build Architecture Info 	GenuineIntel family 6 model 42 stepping 7 | 4
Crash Reason 	EXCEPTION_BREAKPOINT
Crash Address 	0x611b8c19
App Notes 	
AdapterVendorID: 0x1002, AdapterDeviceID: 0x6779, AdapterSubsysID: 00000000, AdapterDriverVersion: 8.812.0.0
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::CompartmentChecker::fail(JSCompartment *,JSCompartment *) 	js/src/jscntxtinlines.h
1 	mozjs.dll 	JS_GetObjectId(JSContext *,JSObject *,int *) 	js/src/jsapi.cpp
2 	xul.dll 	nsXBLBinding::DoInitJSClass(JSContext *,JS::Handle<JSObject *>,JS::Handle<JSObject *>,nsCString const &,nsXBLPrototypeBinding *,JS::MutableHandle<JSObject *>,bool *) 	content/xbl/src/nsXBLBinding.cpp
3 	xul.dll 	nsXBLProtoImpl::InitTargetObjects(nsXBLPrototypeBinding *,nsIScriptContext *,nsIContent *,nsIXPConnectJSObjectHolder * *,JS::MutableHandle<JSObject *>,bool *) 	content/xbl/src/nsXBLProtoImpl.cpp
4 	xul.dll 	nsXBLProtoImpl::InstallImplementation(nsXBLPrototypeBinding *,nsXBLBinding *) 	content/xbl/src/nsXBLProtoImpl.cpp
5 	xul.dll 	nsXBLBinding::InstallImplementation() 	content/xbl/src/nsXBLBinding.cpp
6 	xul.dll 	nsXBLService::LoadBindings(nsIContent *,nsIURI *,nsIPrincipal *,nsXBLBinding * *,bool *) 	content/xbl/src/nsXBLService.cpp
7 	xul.dll 	nsCSSFrameConstructor::AddFrameConstructionItemsInternal(nsFrameConstructorState &,nsIContent *,nsIFrame *,nsIAtom *,int,bool,nsStyleContext *,unsigned int,nsCSSFrameConstructor::FrameConstructionItemList &) 	layout/base/nsCSSFrameConstructor.cpp
8 	xul.dll 	nsCSSFrameConstructor::AddFrameConstructionItems(nsFrameConstructorState &,nsIContent *,bool,nsIFrame *,nsCSSFrameConstructor::FrameConstructionItemList &) 	layout/base/nsCSSFrameConstructor.cpp
9 	xul.dll 	nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState &,nsIContent *,nsStyleContext *,nsIFrame *,bool,nsFrameItems &,bool,PendingBinding *,nsIFrame *) 	layout/base/nsCSSFrameConstructor.cpp
10 	xul.dll 	nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem &,nsFrameConstructorState &,nsIFrame *,nsFrameItems &) 	layout/base/nsCSSFrameConstructor.cpp
11 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState &,nsCSSFrameConstructor::FrameConstructionItemList::Iterator &,nsIFrame *,nsFrameItems &) 	layout/base/nsCSSFrameConstructor.cpp
12 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState &,nsCSSFrameConstructor::FrameConstructionItemList &,nsIFrame *,nsFrameItems &) 	layout/base/nsCSSFrameConstructor.cpp
13 	xul.dll 	nsCSSFrameConstructor::ContentRangeInserted(nsIContent *,nsIContent *,nsIContent *,nsILayoutHistoryState *,bool) 	layout/base/nsCSSFrameConstructor.cpp
14 	xul.dll 	nsCSSFrameConstructor::ContentInserted(nsIContent *,nsIContent *,nsILayoutHistoryState *,bool) 	layout/base/nsCSSFrameConstructor.cpp
15 	xul.dll 	nsCSSFrameConstructor::IssueSingleInsertNofications(nsIContent *,nsIContent *,nsIContent *,bool) 	layout/base/nsCSSFrameConstructor.cpp
16 	xul.dll 	nsCSSFrameConstructor::GetRangeInsertionPoint(nsIContent *,nsIContent *,nsIContent *,bool) 	layout/base/nsCSSFrameConstructor.cpp
17 	xul.dll 	nsCSSFrameConstructor::ContentAppended(nsIContent *,nsIContent *,bool) 	layout/base/nsCSSFrameConstructor.cpp
18 	xul.dll 	PresShell::ContentAppended(nsIDocument *,nsIContent *,nsIContent *,int) 	layout/base/nsPresShell.cpp
19 	xul.dll 	nsNodeUtils::ContentAppended(nsIContent *,nsIContent *,int) 	content/base/src/nsNodeUtils.cpp
20 	xul.dll 	nsINode::doInsertChildAt(nsIContent *,unsigned int,bool,nsAttrAndChildArray &) 	content/base/src/nsINode.cpp
21 	xul.dll 	mozilla::dom::FragmentOrElement::InsertChildAt(nsIContent *,unsigned int,bool) 	content/base/src/FragmentOrElement.cpp
22 	xul.dll 	nsINode::ReplaceOrInsertBefore(bool,nsINode *,nsINode *,mozilla::ErrorResult &) 	content/base/src/nsINode.cpp
...

More reports at:
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=js%3A%3ACompartmentChecker%3A%3Afail%28JSCompartment*%2C+JSCompartment*%29
STR in bug 821733 comment 28.
Keywords: reproducible
Depends on: 897043
Whiteboard: [firebug-p1]

Scoobidiver, how many of these crashes are for people with Firebug installed?  The one comment I see mentions Firebug.

(In reply to Andrew McCreight [:mccr8] from comment #2)
> Scoobidiver, how many of these crashes are for people with Firebug
> installed?  The one comment I see mentions Firebug.
Here are correlations from July 23:
    100% (17/17) vs.   7% (124/1798) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843)

== Bug 821733 comment 28 from Jan Honza Odvarko ==

Here is another STR I found yesterday:

1) Install Firebug 1.12 beta 4 + Firefox Nightly
https://getfirebug.com/releases/firebug/1.12/firebug-1.12.0b4.xpi
2) Open any page e.g. www.google.com
3) Open Firebug UI (F12)
4) Click the Firebug (menu) icon available at the Firebug toolbar (the first toolbar button) -> CRASH

https://crash-stats.mozilla.com/report/index/01dbc791-168c-4d54-8e74-ea1fb2130723

(In reply to Jesse Ruderman from comment #4)
> == Bug 821733 comment 28 from Jan Honza Odvarko ==
Yeah, I filed that as bug 897043.

Marking sec-high because it requires an addon, but it seems to happen a lot.
Keywords: sec-high

I haven't investigated this yet but it's very likely that this is going to be fixed by the fix for bug 897386.
Depends on: 897386

I think this got fixed in one of the other bugs blocking this one, so I'm going to close this.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME

Group: core-security → core-security-release
Group: core-security-release