Closed Bug 996077 Opened 6 years ago Closed 6 years ago

crash in JSAutoCompartment::JSAutoCompartment(JSContext*, JSObject*) | nsXBLBinding::DoInitJSClass(JSContext*, JS::Handle<JSObject*>, nsCString const&, nsXBLPrototypeBinding*, JS::MutableHandle<JSObject*>, bool*) starting on 2014-04-12

Categories

(Core :: JavaScript Engine, defect, critical)

31 Branch
x86
All
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla31
Tracking Status
firefox30 --- unaffected
firefox31 --- verified

People

(Reporter: ashughes, Assigned: bholley)

References

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

This bug was filed from the Socorro interface and is report bp-ceec5d28-3168-4566-832e-c968d2140412.
=============================================================
0 	mozjs.dll 	JSAutoCompartment::JSAutoCompartment(JSContext *,JSObject *) 	js/src/jsapi.cpp
1 	xul.dll 	nsXBLBinding::DoInitJSClass(JSContext *,JS::Handle<JSObject *>,nsCString const &,nsXBLPrototypeBinding *,JS::MutableHandle<JSObject *>,bool *) 	dom/xbl/nsXBLBinding.cpp
2 	xul.dll 	nsXBLProtoImpl::InitTargetObjects(nsXBLPrototypeBinding *,nsIContent *,JS::MutableHandle<JSObject *>,bool *) 	dom/xbl/nsXBLProtoImpl.cpp
3 	xul.dll 	nsXBLProtoImpl::InstallImplementation(nsXBLPrototypeBinding *,nsXBLBinding *) 	dom/xbl/nsXBLProtoImpl.cpp
4 	xul.dll 	nsXBLBinding::InstallImplementation() 	dom/xbl/nsXBLBinding.cpp
5 	xul.dll 	nsXBLService::LoadBindings(nsIContent *,nsIURI *,nsIPrincipal *,nsXBLBinding * *,bool *) 	dom/xbl/nsXBLService.cpp
6 	xul.dll 	nsCSSFrameConstructor::AddFrameConstructionItemsInternal(nsFrameConstructorState &,nsIContent *,nsIFrame *,nsIAtom *,int,bool,nsStyleContext *,unsigned int,nsTArray<nsIAnonymousContentCreator::ContentInfo> *,nsCSSFrameConstructor::FrameConstructionItemList &) 	layout/base/nsCSSFrameConstructor.cpp
7 	xul.dll 	nsCSSFrameConstructor::AddFrameConstructionItems(nsFrameConstructorState &,nsIContent *,bool,nsIFrame *,nsCSSFrameConstructor::FrameConstructionItemList &) 	layout/base/nsCSSFrameConstructor.cpp
8 	xul.dll 	nsCSSFrameConstructor::CreateAnonymousFrames(nsFrameConstructorState &,nsIContent *,nsIFrame *,PendingBinding *,nsFrameItems &) 	layout/base/nsCSSFrameConstructor.cpp
9 	xul.dll 	nsCSSFrameConstructor::BeginBuildingScrollFrame(nsFrameConstructorState &,nsIContent *,nsStyleContext *,nsIFrame *,nsIAtom *,bool,nsIFrame * &) 	layout/base/nsCSSFrameConstructor.cpp
10 	xul.dll 	nsCSSFrameConstructor::SetUpDocElementContainingBlock(nsIContent *) 	layout/base/nsCSSFrameConstructor.cpp
11 	xul.dll 	nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element *,nsILayoutHistoryState *) 	layout/base/nsCSSFrameConstructor.cpp
12 	xul.dll 	nsCSSFrameConstructor::ContentRangeInserted(nsIContent *,nsIContent *,nsIContent *,nsILayoutHistoryState *,bool) 	layout/base/nsCSSFrameConstructor.cpp
13 	xul.dll 	PresShell::Initialize(int,int) 	layout/base/nsPresShell.cpp
14 	xul.dll 	nsContentSink::StartLayout(bool) 	content/base/src/nsContentSink.cpp
15 	xul.dll 	nsContentSink::StyleSheetLoaded(nsCSSStyleSheet *,bool,tag_nsresult) 	content/base/src/nsContentSink.cpp
16 	xul.dll 	mozilla::css::Loader::SheetComplete(mozilla::css::SheetLoadData *,tag_nsresult) 	layout/style/Loader.cpp
17 	xul.dll 	mozilla::css::SheetLoadData::OnStreamComplete(nsIUnicharStreamLoader *,nsISupports *,tag_nsresult,nsAString_internal const &) 	layout/style/Loader.cpp
18 	xul.dll 	nsUnicharStreamLoader::OnStopRequest(nsIRequest *,nsISupports *,tag_nsresult) 	netwerk/base/src/nsUnicharStreamLoader.cpp
19 	xul.dll 	mozilla::net::HttpBaseChannel::DoNotifyListener() 	netwerk/protocol/http/HttpBaseChannel.cpp
20 	xul.dll 	mozilla::net::HttpAsyncAborter<mozilla::net::nsHttpChannel>::HandleAsyncAbort() 	netwerk/protocol/http/HttpBaseChannel.h
21 	xul.dll 	nsRunnableMethodImpl<void ( nsDocument::*)(void),void,0>::Run() 	obj-firefox/dist/include/nsThreadUtils.h
22 	xul.dll 	nsThread::ProcessNextEvent(bool,bool *) 	xpcom/threads/nsThread.cpp
23 	xul.dll 	NS_ProcessNextEvent(nsIThread *,bool) 	xpcom/glue/nsThreadUtils.cpp
24 	xul.dll 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate *) 	ipc/glue/MessagePump.cpp
25 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc
26 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
27 	xul.dll 	nsBaseAppShell::Run() 	widget/xpwidgets/nsBaseAppShell.cpp
28 	xul.dll 	nsAppShell::Run() 	widget/windows/nsAppShell.cpp
29 	xul.dll 	nsAppStartup::Run() 	toolkit/components/startup/nsAppStartup.cpp
30 	xul.dll 	XREMain::XRE_mainRun() 	toolkit/xre/nsAppRunner.cpp
31 	xul.dll 	XREMain::XRE_main(int,char * * const,nsXREAppData const *) 	toolkit/xre/nsAppRunner.cpp
32 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp
33 	firefox.exe 	do_main 	browser/app/nsBrowserApp.cpp
34 	firefox.exe 	NS_internal_main(int,char * *) 	browser/app/nsBrowserApp.cpp
35 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp
36 	firefox.exe 	__tmainCRTStartup 	f:/dd/vctools/crt_bld/self_x86/crt/src/crtexe.c
37 	kernel32.dll 	kernel32.dll@0x1919f 	
38 	ntdll.dll 	ntdll.dll@0x4a8cb 	
39 	ntdll.dll 	ntdll.dll@0x4a8a1 	
=============================================================

More Reports:
https://crash-stats.mozilla.com/report/list?signature=JSAutoCompartment%3A%3AJSAutoCompartment%28JSContext*%2C%20JSObject*%29%20|%20nsXBLBinding%3A%3ADoInitJSClass%28JSContext*%2C%20JS%3A%3AHandle%3CJSObject*%3E%2C%20nsCString%20const%26%2C%20nsXBLPrototypeBinding*%2C%20JS%3A%3AMutableHandle%3CJSObject*%3E%2C%20bool*%29

This crash first showed up in Firefox 31.0a1 on 2014-04-12. It's pretty low volume right now but there are reports across all platforms. Unfortunately, nothing stands out to me in the pushlog.

Pushlog:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d8c1b10c3a3d&tochange=6149db60c6cb
Flags: needinfo?(bobbyholley)
This is a regression from bug 990290.
Assignee: nobody → bobbyholley
Blocks: 990290
So. We're failing to null-check |holder|, which is an easy fix. Given that those crash reports don't look like OOM, I'm guessing we're getting null because SetWeakMapEntry is failing. And the most likely non-oom way for that to fail is trying to use an object as a WeakMap key whose |preserve| callback fails. At present, the preserve callback in XPConnect does this:

return mozilla::dom::IsDOMObject(obj) && mozilla::dom::TryPreserveWrapper(obj);

So, absent any failures in TryPreserveWrapper, this is most likely the result of a WN being on a prototype chain of a bound object. I'm not sure why someone would do that, but it could certainly happen. I'll attach a patch.
Flags: needinfo?(bobbyholley)
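A reduced model of the failure chain described in the comment above, added here as an example and not Mozilla's code: a non-DOM key fails the preserve callback, SetWeakMapEntry returns false, the holder comes back null, and the fix is the null-check before use. Every type and function below is a constructed stand-in for the SpiderMonkey/XPConnect original of the same name.

```cpp
#include <cstdio>
#include <map>

// Constructed stand-ins, not SpiderMonkey/XPConnect types: an object knows
// whether it is a DOM object and whether preserving its wrapper succeeds.
struct Obj {
    bool isDOMObject;
    bool preserveOk;
};
struct Holder { bool initialized = false; };

// Model of the XPConnect preserve callback quoted in the bug comment.
static bool PreserveWrapperCallback(const Obj* obj) {
    return obj->isDOMObject && obj->preserveOk;
}

// Model of SetWeakMapEntry: the key's preserve callback runs first, so a
// wrapped native (non-DOM object) as key makes the call fail without OOM.
static std::map<const Obj*, Holder*> gClassObjectMap;
static bool SetWeakMapEntry(const Obj* key, Holder* value) {
    if (!PreserveWrapperCallback(key)) return false;
    gClassObjectMap[key] = value;
    return true;
}

// The holder is whatever the weak map stores for the key; a failed
// SetWeakMapEntry therefore yields a null holder, plus the warning the fix adds.
static Holder* GetOrCreateHolder(const Obj* key, Holder* fresh) {
    auto it = gClassObjectMap.find(key);
    if (it != gClassObjectMap.end()) return it->second;
    if (!SetWeakMapEntry(key, fresh)) {
        std::fprintf(stderr, "warning: SetWeakMapEntry failed for key\n");
        return nullptr;
    }
    return fresh;
}

// Fixed shape of DoInitJSClass: null-check the holder and report failure to
// the caller instead of dereferencing it (the unchecked original crashed here).
static bool InitJSClassChecked(const Obj* key, Holder* fresh) {
    Holder* holder = GetOrCreateHolder(key, fresh);
    if (!holder) return false;
    holder->initialized = true;
    return true;
}
```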
Comment on attachment 8406284 [details] [diff] [review]
Null-check |holder|, and warn if SetWeakMapEntry fails. v1

r=me
Attachment #8406284 - Flags: review?(bzbarsky) → review+
https://hg.mozilla.org/mozilla-central/rev/fb250395c0b1
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla31