Closed Bug 965921 Opened 6 years ago Closed 6 years ago

crash in XPC_WN_DoubleWrappedGetter (with AVG toolbar)

Product/Component: Core :: JavaScript Engine (defect, critical)
Version: 29 Branch
Platform: x86, Windows NT
Priority: Not set
Status: VERIFIED FIXED
Target Milestone: mozilla30

Tracking Status
firefox28 --- unaffected
firefox29 + verified
firefox30 + verified

Reporter: jbecerra, Assigned: bholley
4 keywords, Whiteboard: [Australis:P-]
Attachments: 1 file

This bug was filed from the Socorro interface and is report bp-7654b713-b1bd-4456-9a78-004592140130.
=============================================================

New signature in the top 10 on nightly. The first signature is from builds from 1/26. It also showed up at the top on the explosive reports. A lot of these seem to be dupes, however.

0 	xul.dll 	XPC_WN_DoubleWrappedGetter 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp
1 	mozjs.dll 	js::Invoke(JSContext *,JS::Value const &,JS::Value const &,unsigned int,JS::Value *,JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
2 	mozjs.dll 	GetPropertyOperation 	js/src/vm/Interpreter.cpp
3 	mozjs.dll 	Interpret 	js/src/vm/Interpreter.cpp
4 	mozjs.dll 	js::RunScript(JSContext *,js::RunState &) 	js/src/vm/Interpreter.cpp
5 	mozjs.dll 	js::ExecuteKernel(JSContext *,JS::Handle<JSScript *>,JSObject &,JS::Value const &,js::ExecuteType,js::AbstractFramePtr,JS::Value *) 	js/src/vm/Interpreter.cpp
6 	mozjs.dll 	js::Execute(JSContext *,JS::Handle<JSScript *>,JSObject &,JS::Value *) 	js/src/vm/Interpreter.cpp
7 	mozjs.dll 	JS::Evaluate(JSContext *,JS::Handle<JSObject *>,JS::ReadOnlyCompileOptions const &,wchar_t const *,unsigned int,JS::Value *) 	js/src/jsapi.cpp
8 	xul.dll 	nsJSUtils::EvaluateString(JSContext *,nsAString_internal const &,JS::Handle<JSObject *>,JS::CompileOptions &,nsJSUtils::EvaluateOptions &,JS::Value *,void * *) 	dom/base/nsJSUtils.cpp
9 	xul.dll 	nsJSContext::EvaluateString(nsAString_internal const &,JS::Handle<JSObject *>,JS::CompileOptions &,bool,JS::Value *,void * *) 	dom/base/nsJSEnvironment.cpp
10 	xul.dll 	nsScriptLoader::EvaluateScript(nsScriptLoadRequest *,nsString const &,void * *) 	content/base/src/nsScriptLoader.cpp
11 	xul.dll 	nsScriptLoader::ProcessRequest(nsScriptLoadRequest *,void * *) 	content/base/src/nsScriptLoader.cpp
12 	xul.dll 	nsScriptLoader::ProcessScriptElement(nsIScriptElement *) 	content/base/src/nsScriptLoader.cpp
13 	xul.dll 	nsScriptElement::MaybeProcessScript() 	content/base/src/nsScriptElement.cpp
14 	xul.dll 	nsIScriptElement::AttemptToExecute() 	obj-firefox/dist/include/nsIScriptElement.h
15 	xul.dll 	nsHtml5TreeOpExecutor::RunScript(nsIContent *) 	parser/html/nsHtml5TreeOpExecutor.cpp
16 	xul.dll 	nsHtml5TreeOpExecutor::RunFlushLoop() 	parser/html/nsHtml5TreeOpExecutor.cpp
17 	xul.dll 	nsHtml5ExecutorReflusher::Run() 	parser/html/nsHtml5TreeOpExecutor.cpp
18 	xul.dll 	nsThread::ProcessNextEvent(bool,bool *) 	xpcom/threads/nsThread.cpp
19 	xul.dll 	NS_ProcessNextEvent(nsIThread *,bool) 	xpcom/glue/nsThreadUtils.cpp
20 	xul.dll 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate *) 	ipc/glue/MessagePump.cpp
21 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc
22 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
23 	xul.dll 	nsBaseAppShell::Run() 	widget/xpwidgets/nsBaseAppShell.cpp
24 	xul.dll 	nsAppShell::Run() 	widget/windows/nsAppShell.cpp
25 	xul.dll 	nsAppStartup::Run() 	toolkit/components/startup/nsAppStartup.cpp
26 	xul.dll 	XREMain::XRE_mainRun() 	toolkit/xre/nsAppRunner.cpp
27 	xul.dll 	XREMain::XRE_main(int,char * * const,nsXREAppData const *) 	toolkit/xre/nsAppRunner.cpp
28 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp
29 	firefox.exe 	do_main 	browser/app/nsBrowserApp.cpp
30 	firefox.exe 	NS_internal_main(int,char * *) 	browser/app/nsBrowserApp.cpp
31 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp
32 	firefox.exe 	__tmainCRTStartup 	f:/dd/vctools/crt_bld/self_x86/crt/src/crtexe.c
33 	kernel32.dll 	BaseThreadInitThunk 	
34 	ntdll.dll 	__RtlUserThreadStart 	
35 	ntdll.dll 	_RtlUserThreadStart

This is the failing line:

>    // It is a double wrapped object. This should never appear in content these
>    // days, but let's be safe here.
>    MOZ_RELEASE_ASSERT(nsContentUtils::IsCallerChrome());

I'd like to know whether the toolbar has binary components (XPCOM components or other DLLs loaded via ctypes) which call into JSAPI or xpconnect. If the addon is pure-JS, it seems like we should focus on fixing this on our side. Otherwise we should contact them to stop using JSAPI.
Flags: needinfo?(dmajor)

Sent a message to AVG about this, asking for a copy of the add-on.

(In reply to Jorge Villalobos [:jorgev] from comment #5)
> Sent a message to AVG about this, asking for a copy of the add-on.

The link from comment 1 worked for me.
Flags: needinfo?(dmajor)

(In reply to Benjamin Smedberg  [:bsmedberg] from comment #4)
> I'd like to know whether the toolbar has binary components (XPCOM components
> or other DLLs loaded via ctypes) which call into JSAPI or xpconnect. If the
> addon is pure-JS, it seems like we should focus on fixing this on our side.
> Otherwise we should contact them to stop using JSAPI.

Kind of both. Yes there are some DLLs loaded via ctypes, but they appear to be doing leaf-function-ish URL classification work, not calling back into xul or mozjs as far as I can see. The actual assertion happens during eval of:

   +0x000 mData            : 0x0b4a5658  "try { avgweb.utils.displaySetHomepageBtn("SetHPBtnHeaderNav");} catch (ex) { } if ($('#SetHPBtnHeaderNav').is(':visible') == false) { $('.nt-restore').find('.divider').hide();}."
Summary: crash in XPC_WN_DoubleWrappedGetter → crash in XPC_WN_DoubleWrappedGetter (with AVG toolbar)

(In reply to David Major [:dmajor] from comment #7)
> avgweb.utils.displaySetHomepageBtn("SetHPBtnHeaderNav");

I wonder what it does and how it is implemented. From what it sounds, it might do something to the UI and that could of course have an Australis impact.

(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #8)
> (In reply to David Major [:dmajor] from comment #7)
> > avgweb.utils.displaySetHomepageBtn("SetHPBtnHeaderNav");
> 
> I wonder what it does and how it is implemented. From what it sounds, it might
> do something to the UI and that could of course have an Australis impact.

I can reproduce the assert and the graphics glitch with the 1/30 Holly build (non-Australis).

(In reply to David Major [:dmajor] from comment #9)
> I can reproduce the assert and the graphics glitch with the 1/30 Holly build
> (non-Australis).

OK, gtk, removing Australis dependency and requesting tracking for 28 independently.
No longer blocks: australis-addons

bholley, can you suggest next steps?
Flags: needinfo?(bobbyholley)

Oh, this was a MOZ_RELEASE_ASSERT I landed a few weeks ago. The addon is certainly doing something bad here, but we can just handle it. Patch forthcoming.
Assignee: nobody → bobbyholley
Flags: needinfo?(bobbyholley)

This is a regression from bug 794943, which landed on 29.

Does this actually reproduce for 28? I would be very surprised.
Depends on: 794943
Keywords: regression

(In reply to Bobby Holley (:bholley) from comment #14)
> This is a regression from bug 794943, which landed on 29.
> 
> Does this actually reproduce for 28? I would be very surprised.

Nope, only 29 and 30.

Attachment #8371180 - Flags: review?(mrbkap) → review+

https://hg.mozilla.org/mozilla-central/rev/ff7fd36c4a22
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30

(just making sure this shows up on Australis tracking for Aurora approvals and landings)
Whiteboard: [Australis:P-]

Confirmed the crash in 30.0a1 (2014-02-11).
Verified fixed in 30.0a1 (2014-02-12), win 7 x64.
Status: RESOLVED → VERIFIED

An uplift request would be nice. It is a top crash.

Comment on attachment 8371180 [details] [diff] [review]
Handle addons that expose JS-implemented XPCOM components to content. v1

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 794943
User impact if declined: Crashes
Testing completed (on m-c, etc.): Baked on m-c
Risk to taking this patch (and alternatives if risky): very low risk 
String or IDL/UUID changes made by this patch: None
Attachment #8371180 - Flags: approval-mozilla-aurora?

Comment on attachment 8371180 [details] [diff] [review]
Handle addons that expose JS-implemented XPCOM components to content. v1

Thanks for your quick reply!
Attachment #8371180 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

QA Contact: cornel.ionce

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Build ID:20140306004001

Issue is no longer reproducing using the AVG toolbar. Verified as fixed in latest Firefox Aurora.