Closed Bug 965921 Opened 10 years ago Closed 10 years ago

crash in XPC_WN_DoubleWrappedGetter (with AVG toolbar)

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
29 Branch
Platform:
x86
Windows NT
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla30
Tracking Flags:
Tracking Status
firefox28 --- unaffected
firefox29 + verified
firefox30 + verified

People

(Reporter: jbecerra, Assigned: bholley)

References

Details

(4 keywords, Whiteboard: [Australis:P-])

Crash Data

Attachments

(1 file)

Handle addons that expose JS-implemented XPCOM components to content. v1
1.46 KB, patch
mrbkap
: review+
Sylvestre
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
This bug was filed from the Socorro interface and is 
report bp-7654b713-b1bd-4456-9a78-004592140130.
=============================================================

New signature in the top 10 on nightly. The first signature is from builds from 1/26. It also showed up at the top on the explosive reports. A lot of these seem to be dupes, however.

0 	xul.dll 	XPC_WN_DoubleWrappedGetter 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp
1 	mozjs.dll 	js::Invoke(JSContext *,JS::Value const &,JS::Value const &,unsigned int,JS::Value *,JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
2 	mozjs.dll 	GetPropertyOperation 	js/src/vm/Interpreter.cpp
3 	mozjs.dll 	Interpret 	js/src/vm/Interpreter.cpp
4 	mozjs.dll 	js::RunScript(JSContext *,js::RunState &) 	js/src/vm/Interpreter.cpp
5 	mozjs.dll 	js::ExecuteKernel(JSContext *,JS::Handle<JSScript *>,JSObject &,JS::Value const &,js::ExecuteType,js::AbstractFramePtr,JS::Value *) 	js/src/vm/Interpreter.cpp
6 	mozjs.dll 	js::Execute(JSContext *,JS::Handle<JSScript *>,JSObject &,JS::Value *) 	js/src/vm/Interpreter.cpp
7 	mozjs.dll 	JS::Evaluate(JSContext *,JS::Handle<JSObject *>,JS::ReadOnlyCompileOptions const &,wchar_t const *,unsigned int,JS::Value *) 	js/src/jsapi.cpp
8 	xul.dll 	nsJSUtils::EvaluateString(JSContext *,nsAString_internal const &,JS::Handle<JSObject *>,JS::CompileOptions &,nsJSUtils::EvaluateOptions &,JS::Value *,void * *) 	dom/base/nsJSUtils.cpp
9 	xul.dll 	nsJSContext::EvaluateString(nsAString_internal const &,JS::Handle<JSObject *>,JS::CompileOptions &,bool,JS::Value *,void * *) 	dom/base/nsJSEnvironment.cpp
10 	xul.dll 	nsScriptLoader::EvaluateScript(nsScriptLoadRequest *,nsString const &,void * *) 	content/base/src/nsScriptLoader.cpp
11 	xul.dll 	nsScriptLoader::ProcessRequest(nsScriptLoadRequest *,void * *) 	content/base/src/nsScriptLoader.cpp
12 	xul.dll 	nsScriptLoader::ProcessScriptElement(nsIScriptElement *) 	content/base/src/nsScriptLoader.cpp
13 	xul.dll 	nsScriptElement::MaybeProcessScript() 	content/base/src/nsScriptElement.cpp
14 	xul.dll 	nsIScriptElement::AttemptToExecute() 	obj-firefox/dist/include/nsIScriptElement.h
15 	xul.dll 	nsHtml5TreeOpExecutor::RunScript(nsIContent *) 	parser/html/nsHtml5TreeOpExecutor.cpp
16 	xul.dll 	nsHtml5TreeOpExecutor::RunFlushLoop() 	parser/html/nsHtml5TreeOpExecutor.cpp
17 	xul.dll 	nsHtml5ExecutorReflusher::Run() 	parser/html/nsHtml5TreeOpExecutor.cpp
18 	xul.dll 	nsThread::ProcessNextEvent(bool,bool *) 	xpcom/threads/nsThread.cpp
19 	xul.dll 	NS_ProcessNextEvent(nsIThread *,bool) 	xpcom/glue/nsThreadUtils.cpp
20 	xul.dll 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate *) 	ipc/glue/MessagePump.cpp
21 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc
22 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
23 	xul.dll 	nsBaseAppShell::Run() 	widget/xpwidgets/nsBaseAppShell.cpp
24 	xul.dll 	nsAppShell::Run() 	widget/windows/nsAppShell.cpp
25 	xul.dll 	nsAppStartup::Run() 	toolkit/components/startup/nsAppStartup.cpp
26 	xul.dll 	XREMain::XRE_mainRun() 	toolkit/xre/nsAppRunner.cpp
27 	xul.dll 	XREMain::XRE_main(int,char * * const,nsXREAppData const *) 	toolkit/xre/nsAppRunner.cpp
28 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp
29 	firefox.exe 	do_main 	browser/app/nsBrowserApp.cpp
30 	firefox.exe 	NS_internal_main(int,char * *) 	browser/app/nsBrowserApp.cpp
31 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp
32 	firefox.exe 	__tmainCRTStartup 	f:/dd/vctools/crt_bld/self_x86/crt/src/crtexe.c
33 	kernel32.dll 	BaseThreadInitThunk 	
34 	ntdll.dll 	__RtlUserThreadStart 	
35 	ntdll.dll 	_RtlUserThreadStart
Keywords: reproducible, topcrash
This is the failing line:

>    // It is a double wrapped object. This should never appear in content these
>    // days, but let's be safe here.
>    MOZ_RELEASE_ASSERT(nsContentUtils::IsCallerChrome());
I'd like to know whether the toolbar has binary components (XPCOM components or other DLLs loaded via ctypes) which call into JSAPI or xpconnect. If the addon is pure-JS, it seems like we should focus on fixing this on our side. Otherwise we should contact them to stop using JSAPI.
Flags: needinfo?(dmajor)
Sent a message to AVG about this, asking for a copy of the add-on.
(In reply to Jorge Villalobos [:jorgev] from comment #5)
> Sent a message to AVG about this, asking for a copy of the add-on.
The link from comment 1 worked for me.
Flags: needinfo?(dmajor)
(In reply to Benjamin Smedberg  [:bsmedberg] from comment #4)
> I'd like to know whether the toolbar has binary components (XPCOM components
> or other DLLs loaded via ctypes) which call into JSAPI or xpconnect. If the
> addon is pure-JS, it seems like we should focus on fixing this on our side.
> Otherwise we should contact them to stop using JSAPI.

Kind of both. Yes there are some DLLs loaded via ctypes, but they appear to be doing leaf-function-ish URL classification work, not calling back into xul or mozjs as far as I can see. The actual assertion happens during eval of:

   +0x000 mData            : 0x0b4a5658  "try { avgweb.utils.displaySetHomepageBtn("SetHPBtnHeaderNav");} catch (ex) { } if ($('#SetHPBtnHeaderNav').is(':visible') == false) { $('.nt-restore').find('.divider').hide();}."
Blocks: australis-addons
Summary: crash in XPC_WN_DoubleWrappedGetter → crash in XPC_WN_DoubleWrappedGetter (with AVG toolbar)
(In reply to David Major [:dmajor] from comment #7)
> avgweb.utils.displaySetHomepageBtn("SetHPBtnHeaderNav");

I wonder what does and how it is implemented. From what it sounds, it might do something to the UI and that could of course have an Australis impact.
Blocks: australis-addons
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #8)
> (In reply to David Major [:dmajor] from comment #7)
> > avgweb.utils.displaySetHomepageBtn("SetHPBtnHeaderNav");
> 
> I wonder what does and how it is implemented. From what it sounds, it might
> do something to the UI and that could of course have an Australis impact.

I can reproduce the assert and the graphics glitch with the 1/30 Holly build (non-Australis).
(In reply to David Major [:dmajor] from comment #9)
> I can reproduce the assert and the graphics glitch with the 1/30 Holly build
> (non-Australis).

OK, gtk, removing Australis dependency and requesting tracking for 28 independently.
No longer blocks: australis-addons
tracking-firefox28: --- → ?
bholley, can you suggest next steps?
Flags: needinfo?(bobbyholley)
Oh, this was a MOZ_RELEASE_ASSERT I landed a few weeks ago. The addon is certainly doing something bad here, but we can just handle it. Patch forthcoming.
Assignee: nobody → bobbyholley
Flags: needinfo?(bobbyholley)
This is a regression from bug 794943, which landed on 29.

Does this actually reproduce for 28? I would be very surprised.
tracking-firefox28: ? → ---
tracking-firefox29: --- → ?
tracking-firefox30: --- → ?
Depends on: 794943
Keywords: regression
(In reply to Bobby Holley (:bholley) from comment #14)
> This is a regression from bug 794943, which landed on 29.
> 
> Does this actually reproduce for 28? I would be very surprised.

Nope, only 29 and 30.
Attachment #8371180 - Flags: review?(mrbkap) → review+
https://hg.mozilla.org/mozilla-central/rev/ff7fd36c4a22
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox30: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
(just making sure this shows up on Australis tracking for Aurora approvals and landings)
Whiteboard: [Australis:P-]
Confirmed the crash in 30.0a1 (2014-02-11).
Verified fixed in 30.0a1 (2014-02-12), win 7 x64.
Status: RESOLVED → VERIFIED
status-firefox30: fixedverified
An uplift request should be nice. It is a top crash.
Comment on attachment 8371180 [details] [diff] [review]
Handle addons that expose JS-implemented XPCOM components to content. v1

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 794943
User impact if declined: Crashes
Testing completed (on m-c, etc.): Baked on m-c
Risk to taking this patch (and alternatives if risky): very low risk 
String or IDL/UUID changes made by this patch: None
Attachment #8371180 - Flags: approval-mozilla-aurora?
Comment on attachment 8371180 [details] [diff] [review]
Handle addons that expose JS-implemented XPCOM components to content. v1

Thanks for your quick reply!
Attachment #8371180 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
QA Contact: cornel.ionce
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Build ID:20140306004001

Issue is no longer reproducing using the AVG toolbar. Verified as fixed in latest Firefox Aurora.
status-firefox29: fixedverified
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: