Closed Bug 904147 Opened 12 years ago Closed 12 years ago

crash in mozilla::dom::WindowNamedPropertiesHandler::getOwnPropertyDescriptor

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Version:
26 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla26
Tracking Flags:
Tracking Status
firefox25 --- unaffected
firefox26 + fixed

People

(Reporter: scoobidiver, Assigned: peterv)

References

Details

(Keywords: crash, regression, topcrash)

Crash Data

Attachments

(1 file)

904147.patch
1.14 KB, patch
bzbarsky
: review+
Details | Diff | Splinter Review
It first showed up in 26.0a1/20130812 and is currently #1 crasher in this build. The regression window is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3d20597e0a07&tochange=87c1796bc46c It's likely a regression from bug 895758. Signature mozilla::dom::WindowNamedPropertiesHandler::getOwnPropertyDescriptor(JSContext*, JS::Handle<JSObject*>, JS::Handle<int>, JS::MutableHandle<JSPropertyDescriptor>, unsigned int) More Reports Search UUID 95633af1-2010-4a3a-aa9b-cb88b2130812 Date Processed 2013-08-12 17:37:04.824391 Uptime 89 Last Crash 7617632 seconds before submission Install Age 89 since version was first installed. Install Time 2013-08-12 17:35:16 Product Firefox Version 26.0a1 Build ID 20130812030209 Release Channel nightly OS Windows NT OS Version 6.1.7601 Service Pack 1 Build Architecture x86 Build Architecture Info GenuineIntel family 6 model 42 stepping 7 | 4 Crash Reason EXCEPTION_ACCESS_VIOLATION_READ Crash Address 0x0 App Notes AdapterVendorID: 0x8086, AdapterDeviceID: 0x0116, AdapterSubsysID: 3672103c, AdapterDriverVersion: 9.17.10.2867 D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ Frame Module Signature Source 0 xul.dll mozilla::dom::WindowNamedPropertiesHandler::getOwnPropertyDescriptor(JSContext *,JS::Handle<JSObject *>,JS::Handle<int>,JS::MutableHandle<JSPropertyDescriptor>,unsigned int) dom/base/WindowNamedPropertiesHandler.cpp 1 xul.dll mozilla::AutoPushJSContext::AutoPushJSContext(JSContext *) js/xpconnect/src/nsCxPusher.cpp 2 mozjs.dll js::Proxy::has(JSContext *,JS::Handle<JSObject *>,JS::Handle<int>,bool *) js/src/jsproxy.cpp 3 mozjs.dll proxy_LookupGeneric js/src/jsproxy.cpp 4 mozjs.dll js::ObjectImpl::nativeLookup(js::ExclusiveContext *,int) js/src/vm/ObjectImpl.cpp 5 xul.dll xul.dll@0x1ce280 6 @0x5 7 mozjs.dll Interpret js/src/vm/Interpreter.cpp 8 mozjs.dll js::RunScript(JSContext *,js::RunState &) js/src/vm/Interpreter.cpp 9 mozjs.dll js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) js/src/vm/Interpreter.cpp 10 mozjs.dll js_fun_call(JSContext *,unsigned int,JS::Value *) js/src/jsfun.cpp 11 mozjs.dll js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) js/src/vm/Interpreter.cpp 12 mozjs.dll Interpret js/src/vm/Interpreter.cpp 13 kernel32.dll GetLastError More reports at: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=mozilla%3A%3Adom%3A%3AWindowNamedPropertiesHandler%3A%3AgetOwnPropertyDescriptor%28JSContext*%2C+JS%3A%3AHandle%3CJSObject*%3E%2C+JS%3A%3AHandle%3Cint%3E%2C+JS%3A%3AMutableHandle%3CJSPropertyDescriptor%3E%2C+unsigned+int%29 https://crash-stats.mozilla.com/report/list?product=Firefox&signature=mozilla%3A%3Adom%3A%3AWindowNamedPropertiesHandler%3A%3AgetOwnPropertyDescriptor%28JSContext*%2C+JS%3A%3AHandle%3CJSObject*%3E%2C+JS%3A%3AHandle%3Clong%3E%2C+JS%3A%3AMutableHandle%3CJSPropertyDescriptor%3E%2C+unsigned+int%29 https://crash-stats.mozilla.com/report/list?product=Firefox&signature=mozilla%3A%3Adom%3A%3AWindowNamedPropertiesHandler%3A%3AgetOwnPropertyDescriptor%28JSContext*%2C+JS%3A%3AHandle%3CJSObject*%3E%2C+JS%3A%3AHandle%3C__int64%3E%2C+JS%3A%3AMutableHandle%3CJSPropertyDescriptor%3E%2C+unsigned+int%29
Some of the stacks don't look very useful, but some of them seem to be happening during shutdown, at which point nsDOMClassInfo::ScriptSecurityManager() could be null.
tracking-firefox26: --- → ?
Keywords: topcrash
I confirm it happens every time during shutdown for me.
At a guess this is always a shutdown crash, the secman is null, and we used to not hit this because we unhooked the GSP when doing SetNewDocument stuff but now we never unhook it... Peter, thoughts on what we should do when there is no secman here?
Flags: needinfo?(peterv)
I can reproduce this with the YSlow addon.
Assignee: nobody → peterv
Attached patch 904147.patchSplinter Review
We shut down nsDOMClassInfo's pointer to the security manager early from nsDOMScriptObjectFactory::Observe for XPCOM shutdown, instead of just letting nsLayoutStatics do it (it already calls nsDOMClassInfo::Shutdown).
Flags: needinfo?(peterv)
Attachment #792283 - Flags: review?(bzbarsky)
Comment on attachment 792283 [details] [diff] [review] 904147.patch r=me
Attachment #792283 - Flags: review?(bzbarsky) → review+
https://hg.mozilla.org/mozilla-central/rev/497a75a9a15f
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
Tracking so we get confirmation this is truly fixed by the crash data.
tracking-firefox26: ?+
Flags: needinfo?(kairo)
No crashes after it landed, from all I can see.
status-firefox26: affectedfixed
Flags: needinfo?(kairo)
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: