Closed Bug 965921 Opened 11 years ago Closed 11 years ago

crash in XPC_WN_DoubleWrappedGetter (with AVG toolbar)

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
29 Branch
Platform:
x86
Windows NT
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla30
Tracking Flags:
Tracking Status
firefox28 --- unaffected
firefox29 + verified
firefox30 + verified

People

(Reporter: jbecerra, Assigned: bholley)

References

Details

(4 keywords, Whiteboard: [Australis:P-])

Crash Data

Attachments

(1 file)

Handle addons that expose JS-implemented XPCOM components to content. v1
1.46 KB, patch
mrbkap
: review+
Sylvestre
: approval-mozilla-aurora+
Details | Diff | Splinter Review
This bug was filed from the Socorro interface and is report bp-7654b713-b1bd-4456-9a78-004592140130. ============================================================= New signature in the top 10 on nightly. The first signature is from builds from 1/26. It also showed up at the top on the explosive reports. A lot of these seem to be dupes, however. 0 xul.dll XPC_WN_DoubleWrappedGetter js/xpconnect/src/XPCWrappedNativeJSOps.cpp 1 mozjs.dll js::Invoke(JSContext *,JS::Value const &,JS::Value const &,unsigned int,JS::Value *,JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp 2 mozjs.dll GetPropertyOperation js/src/vm/Interpreter.cpp 3 mozjs.dll Interpret js/src/vm/Interpreter.cpp 4 mozjs.dll js::RunScript(JSContext *,js::RunState &) js/src/vm/Interpreter.cpp 5 mozjs.dll js::ExecuteKernel(JSContext *,JS::Handle<JSScript *>,JSObject &,JS::Value const &,js::ExecuteType,js::AbstractFramePtr,JS::Value *) js/src/vm/Interpreter.cpp 6 mozjs.dll js::Execute(JSContext *,JS::Handle<JSScript *>,JSObject &,JS::Value *) js/src/vm/Interpreter.cpp 7 mozjs.dll JS::Evaluate(JSContext *,JS::Handle<JSObject *>,JS::ReadOnlyCompileOptions const &,wchar_t const *,unsigned int,JS::Value *) js/src/jsapi.cpp 8 xul.dll nsJSUtils::EvaluateString(JSContext *,nsAString_internal const &,JS::Handle<JSObject *>,JS::CompileOptions &,nsJSUtils::EvaluateOptions &,JS::Value *,void * *) dom/base/nsJSUtils.cpp 9 xul.dll nsJSContext::EvaluateString(nsAString_internal const &,JS::Handle<JSObject *>,JS::CompileOptions &,bool,JS::Value *,void * *) dom/base/nsJSEnvironment.cpp 10 xul.dll nsScriptLoader::EvaluateScript(nsScriptLoadRequest *,nsString const &,void * *) content/base/src/nsScriptLoader.cpp 11 xul.dll nsScriptLoader::ProcessRequest(nsScriptLoadRequest *,void * *) content/base/src/nsScriptLoader.cpp 12 xul.dll nsScriptLoader::ProcessScriptElement(nsIScriptElement *) content/base/src/nsScriptLoader.cpp 13 xul.dll nsScriptElement::MaybeProcessScript() content/base/src/nsScriptElement.cpp 14 xul.dll nsIScriptElement::AttemptToExecute() obj-firefox/dist/include/nsIScriptElement.h 15 xul.dll nsHtml5TreeOpExecutor::RunScript(nsIContent *) parser/html/nsHtml5TreeOpExecutor.cpp 16 xul.dll nsHtml5TreeOpExecutor::RunFlushLoop() parser/html/nsHtml5TreeOpExecutor.cpp 17 xul.dll nsHtml5ExecutorReflusher::Run() parser/html/nsHtml5TreeOpExecutor.cpp 18 xul.dll nsThread::ProcessNextEvent(bool,bool *) xpcom/threads/nsThread.cpp 19 xul.dll NS_ProcessNextEvent(nsIThread *,bool) xpcom/glue/nsThreadUtils.cpp 20 xul.dll mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate *) ipc/glue/MessagePump.cpp 21 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc 22 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc 23 xul.dll nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp 24 xul.dll nsAppShell::Run() widget/windows/nsAppShell.cpp 25 xul.dll nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp 26 xul.dll XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp 27 xul.dll XREMain::XRE_main(int,char * * const,nsXREAppData const *) toolkit/xre/nsAppRunner.cpp 28 xul.dll XRE_main toolkit/xre/nsAppRunner.cpp 29 firefox.exe do_main browser/app/nsBrowserApp.cpp 30 firefox.exe NS_internal_main(int,char * *) browser/app/nsBrowserApp.cpp 31 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp 32 firefox.exe __tmainCRTStartup f:/dd/vctools/crt_bld/self_x86/crt/src/crtexe.c 33 kernel32.dll BaseThreadInitThunk 34 ntdll.dll __RtlUserThreadStart 35 ntdll.dll _RtlUserThreadStart
Keywords: reproducible, topcrash
This is the failing line: > // It is a double wrapped object. This should never appear in content these > // days, but let's be safe here. > MOZ_RELEASE_ASSERT(nsContentUtils::IsCallerChrome());
I'd like to know whether the toolbar has binary components (XPCOM components or other DLLs loaded via ctypes) which call into JSAPI or xpconnect. If the addon is pure-JS, it seems like we should focus on fixing this on our side. Otherwise we should contact them to stop using JSAPI.
Flags: needinfo?(dmajor)
Sent a message to AVG about this, asking for a copy of the add-on.
(In reply to Jorge Villalobos [:jorgev] from comment #5) > Sent a message to AVG about this, asking for a copy of the add-on. The link from comment 1 worked for me.
Flags: needinfo?(dmajor)
(In reply to Benjamin Smedberg [:bsmedberg] from comment #4) > I'd like to know whether the toolbar has binary components (XPCOM components > or other DLLs loaded via ctypes) which call into JSAPI or xpconnect. If the > addon is pure-JS, it seems like we should focus on fixing this on our side. > Otherwise we should contact them to stop using JSAPI. Kind of both. Yes there are some DLLs loaded via ctypes, but they appear to be doing leaf-function-ish URL classification work, not calling back into xul or mozjs as far as I can see. The actual assertion happens during eval of: +0x000 mData : 0x0b4a5658 "try { avgweb.utils.displaySetHomepageBtn("SetHPBtnHeaderNav");} catch (ex) { } if ($('#SetHPBtnHeaderNav').is(':visible') == false) { $('.nt-restore').find('.divider').hide();}."
Blocks: australis-addons
Summary: crash in XPC_WN_DoubleWrappedGetter → crash in XPC_WN_DoubleWrappedGetter (with AVG toolbar)
(In reply to David Major [:dmajor] from comment #7) > avgweb.utils.displaySetHomepageBtn("SetHPBtnHeaderNav"); I wonder what does and how it is implemented. From what it sounds, it might do something to the UI and that could of course have an Australis impact.
Blocks: australis-addons
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #8) > (In reply to David Major [:dmajor] from comment #7) > > avgweb.utils.displaySetHomepageBtn("SetHPBtnHeaderNav"); > > I wonder what does and how it is implemented. From what it sounds, it might > do something to the UI and that could of course have an Australis impact. I can reproduce the assert and the graphics glitch with the 1/30 Holly build (non-Australis).
(In reply to David Major [:dmajor] from comment #9) > I can reproduce the assert and the graphics glitch with the 1/30 Holly build > (non-Australis). OK, gtk, removing Australis dependency and requesting tracking for 28 independently.
No longer blocks: australis-addons
tracking-firefox28: --- → ?
bholley, can you suggest next steps?
Flags: needinfo?(bobbyholley)
Oh, this was a MOZ_RELEASE_ASSERT I landed a few weeks ago. The addon is certainly doing something bad here, but we can just handle it. Patch forthcoming.
Assignee: nobody → bobbyholley
Flags: needinfo?(bobbyholley)
This is a regression from bug 794943, which landed on 29. Does this actually reproduce for 28? I would be very surprised.
tracking-firefox28: ? → ---
tracking-firefox29: --- → ?
tracking-firefox30: --- → ?
Depends on: 794943
Keywords: regression
(In reply to Bobby Holley (:bholley) from comment #14) > This is a regression from bug 794943, which landed on 29. > > Does this actually reproduce for 28? I would be very surprised. Nope, only 29 and 30.
Attachment #8371180 - Flags: review?(mrbkap) → review+
https://hg.mozilla.org/mozilla-central/rev/ff7fd36c4a22
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox30: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
(just making sure this shows up on Australis tracking for Aurora approvals and landings)
Whiteboard: [Australis:P-]
Confirmed the crash in 30.0a1 (2014-02-11). Verified fixed in 30.0a1 (2014-02-12), win 7 x64.
Status: RESOLVED → VERIFIED
status-firefox30: fixedverified
An uplift request should be nice. It is a top crash.
Comment on attachment 8371180 [details] [diff] [review] Handle addons that expose JS-implemented XPCOM components to content. v1 [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 794943 User impact if declined: Crashes Testing completed (on m-c, etc.): Baked on m-c Risk to taking this patch (and alternatives if risky): very low risk String or IDL/UUID changes made by this patch: None
Attachment #8371180 - Flags: approval-mozilla-aurora?
Comment on attachment 8371180 [details] [diff] [review] Handle addons that expose JS-implemented XPCOM components to content. v1 Thanks for your quick reply!
Attachment #8371180 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
QA Contact: cornel.ionce
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Build ID:20140306004001 Issue is no longer reproducing using the AVG toolbar. Verified as fixed in latest Firefox Aurora.
status-firefox29: fixedverified
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: