Closed Bug 899687 Opened 6 years ago Closed 6 years ago

crash in (anonymous namespace)::Worker::Trace(JSTracer*, JSObject*)

Categories

Product/Component: Core :: DOM: Workers
Type: defect
Hardware: x86_64
OS: All
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla25
Tracking Status: firefox24 --- affected

People

(Reporter: till, Assigned: jonco)

Details

(Keywords: crash, Whiteboard: [js:t])

Attachments

(1 file)

Looks like this is x64 only. From crashstats.m.o, it seems to also happen under other circumstances, but these STR work reliably for me on OS X 10.8 and a reporter (:Pereba in #shumway) on Win.

STR:

- install the Shumway extension from http://www.areweflashyet.com/shumway/
- install the Custom Buttons extension from https://addons.mozilla.org/en-US/firefox/addon/custom-buttons/
- disable the Flash plugin
- restart the browser
- visit http://geocities.ws/___/troll.swf

A stack trace for these STR can be found at https://crash-stats.mozilla.com/report/index/15b1ec1a-cc5b-470f-bc04-2bbd32130730
Severity: normal → critical
Crash Signature: [@ (anonymous namespace)::Worker::Trace(JSTracer*, JSObject*)] `anonymous namespace''::Worker::Trace(JSTracer*, JSObject*) → [@ (anonymous namespace)::Worker::Trace(JSTracer*, JSObject*)] [@ `anonymous namespace''::Worker::Trace(JSTracer*, JSObject*)]
Would you mind taking a look at this, Jon? It looks like a fun bug.
Flags: needinfo?(jcoppeard)
(In reply to Bill McCloskey (:billm) from comment #1)
> Would you mind taking a look at this, Jon? It looks like a fun bug.

Fun? :)

Sure, no problem.
Assignee: general → jcoppeard
Status: NEW → ASSIGNED
Flags: needinfo?(jcoppeard)
Attached patch worker-crash
The DOM_OBJECT_SLOT of the JSObject is always assumed to hold a private value.  However, it can be accessed by the Trace() method before it is initialised as such if WorkerPrivate::Create() triggers a GC.

The solution is just to always set it to a null private value as soon as it is created.
Attachment #784424 - Flags: review?(jonas)
Component: JavaScript Engine → DOM: Workers
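The ordering problem described in the comment above, as an added model written for this page; it is not Gecko or SpiderMonkey code, and the names MockObject, Heap, ConstructWorkerBuggy, ConstructWorkerFixed and BadReadsFor are assumptions for the example. The real Trace() hands whatever bits are in DOM_OBJECT_SLOT to the GC as a WorkerPrivate pointer; the model counts such a read instead of dereferencing it, so the "crash" shows up as a non-zero return value. The buggy path fills the slot only after WorkerPrivate::Create() returns, so a GC triggered inside Create() traces the wrapper while the slot is still undefined; the fixed path stores a null private value the moment the wrapper exists, and Trace() treats a null private as "nothing to trace yet".

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Constructed model of the DOM_OBJECT_SLOT race; none of this is Gecko code.
// A slot in this model is either Undefined (fresh object contents) or a
// private pointer, which is the only thing Trace() is written to expect.
struct Value {
    enum Tag { Undefined, Private };
    Tag tag = Undefined;
    void* priv = nullptr;
};

static Value PrivateValue(void* p) {
    Value v;
    v.tag = Value::Private;
    v.priv = p;
    return v;
}

constexpr std::size_t DOM_OBJECT_SLOT = 0;

struct MockObject {
    Value slots[1];  // starts Undefined, as a freshly allocated object's slot would
};

struct WorkerPrivate {
    bool traced = false;
};

// A minimal collector: every GC traces every live wrapper object.
struct Heap {
    std::vector<std::unique_ptr<MockObject>> objects;   // doubles as the root set
    std::vector<std::unique_ptr<WorkerPrivate>> workers;
    int badSlotReads = 0;       // Trace() found a non-private slot (the crash)
    int nullPrivateSkips = 0;   // Trace() saw a null private and skipped it

    // Models Worker::Trace(): assumes the slot holds a private value.
    void TraceWorker(MockObject& obj) {
        const Value& v = obj.slots[DOM_OBJECT_SLOT];
        if (v.tag != Value::Private) {  // the real code would reinterpret these bits
            ++badSlotReads;
            return;
        }
        auto* wp = static_cast<WorkerPrivate*>(v.priv);
        if (!wp) {                      // slot reserved but not yet populated
            ++nullPrivateSkips;
            return;
        }
        wp->traced = true;
    }

    void Gc() {
        for (auto& o : objects) TraceWorker(*o);
    }

    // Models WorkerPrivate::Create(), which may allocate and so trigger a GC
    // before it returns to the caller.
    WorkerPrivate* CreateWorkerPrivate(bool triggerGc) {
        if (triggerGc) Gc();
        workers.push_back(std::make_unique<WorkerPrivate>());
        return workers.back().get();
    }
};

// Original ordering: wrapper first, then Create(), then fill the slot.
int ConstructWorkerBuggy(Heap& heap, bool gcDuringCreate) {
    heap.objects.push_back(std::make_unique<MockObject>());
    MockObject& obj = *heap.objects.back();
    WorkerPrivate* wp = heap.CreateWorkerPrivate(gcDuringCreate);  // GC may run here
    obj.slots[DOM_OBJECT_SLOT] = PrivateValue(wp);
    return heap.badSlotReads;
}

// Patched ordering: the slot holds a null private value as soon as the
// wrapper exists, so a GC during Create() never sees an Undefined slot.
int ConstructWorkerFixed(Heap& heap, bool gcDuringCreate) {
    heap.objects.push_back(std::make_unique<MockObject>());
    MockObject& obj = *heap.objects.back();
    obj.slots[DOM_OBJECT_SLOT] = PrivateValue(nullptr);
    WorkerPrivate* wp = heap.CreateWorkerPrivate(gcDuringCreate);
    obj.slots[DOM_OBJECT_SLOT] = PrivateValue(wp);
    return heap.badSlotReads;
}

// Runs one construction plus a later GC; returns the number of bad slot
// reads, i.e. how many times the original code would have crashed.
int BadReadsFor(bool useFix, bool gcDuringCreate) {
    Heap heap;
    if (useFix) ConstructWorkerFixed(heap, gcDuringCreate);
    else        ConstructWorkerBuggy(heap, gcDuringCreate);
    heap.Gc();  // once the slot is populated, tracing is fine either way
    return heap.badSlotReads;
}

// Confirms that the fix does not stop a later GC from reaching the worker.
bool LaterGcTracesWorker(bool useFix) {
    Heap heap;
    if (useFix) ConstructWorkerFixed(heap, false);
    else        ConstructWorkerBuggy(heap, false);
    heap.Gc();
    return heap.workers.front()->traced;
}
```

BadReadsFor(false, true) reports one bad read, the GC inside Create() tracing the half-built wrapper; BadReadsFor(true, true) reports none, because Trace() sees a null private and skips it. The general point is the same as the patch's: any slot that a tracer will read as a pointer must hold a valid (possibly null) pointer value before the first allocation that could trigger a GC, not merely before the constructor returns.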
https://hg.mozilla.org/mozilla-central/rev/284946982e36
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25