Closed Bug 390083 Opened 17 years ago Closed 17 years ago

Frequent crashes [@ XPCContext::GetRuntime] during GC after closing a tab

Categories

(Core :: XPConnect, defect)

x86
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla1.9alpha7

People

(Reporter: jruderman, Assigned: mrbkap)

Details

(Keywords: crash, dogfood, regression)

Attachments

(1 file, 1 obsolete file)

I got this crash twice in the last hour, both times after closing a tab to return to a bug list.

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0 libxpconnect.dylib 0x02a6f187 XPCContext::GetRuntime() const + 9 (xpcprivate.h:757)
1 libxpconnect.dylib 0x02a6f6cf XPCCallContext::GetRuntime() const + 39 (xpcprivate.h:85)
2 libxpconnect.dylib 0x02a51e3c XPCWrappedNativeScope::FindInJSObjectScope(XPCCallContext&, JSObject*, int) + 128 (xpcwrappednativescope.cpp:676)
3 libxpconnect.dylib 0x02a57be7 XPC_XOW_Finalize(JSContext*, JSObject*) + 139 (XPCCrossOriginWrapper.cpp:711)
4 libmozjs.dylib 0x0108aea5 js_FinalizeObject + 136 (jsobj.c:2788)
5 libmozjs.dylib 0x0105b51e js_GC + 2316 (jsgc.c:2448)
6 libmozjs.dylib 0x010288fc js_DestroyContext + 600 (jscntxt.c:432)
7 libmozjs.dylib 0x01015383 JS_DestroyContext + 25 (jsapi.c:986)
8 libxpconnect.dylib 0x02a094e5 nsXPConnect::ReleaseJSContext(JSContext*, int) + 349 (nsXPConnect.cpp:1857)
9 libgklayout.dylib 0x17d4df08 nsJSContext::~nsJSContext [in-charge deleting]() + 344 (nsJSEnvironment.cpp:1024)
10 libgklayout.dylib 0x17d4e5c9 nsJSContext::Release() + 285 (nsJSEnvironment.cpp:1091)
11 libgklayout.dylib 0x18068b7e nsCOMPtr<nsIScriptContext>::assign_assuming_AddRef(nsIScriptContext*) + 94 (nsContentUtils.cpp:568)
12 libgklayout.dylib 0x18068bb0 nsCOMPtr<nsIScriptContext>::assign_with_AddRef(nsISupports*) + 48 (nsContentUtils.cpp:1236)
13 libgklayout.dylib 0x18069d74 nsCOMPtr<nsIScriptContext>::operator=(nsIScriptContext*) + 24 (nsCOMPtr.h:714)
14 libgklayout.dylib 0x17d0beee nsXBLDocGlobalObject::SetContext(nsIScriptContext*) + 40 (nsXBLDocumentInfo.cpp:256)
15 libgklayout.dylib 0x17d0c036 nsXBLDocGlobalObject::SetScriptContext(unsigned, nsIScriptContext*) + 86 (nsXBLDocumentInfo.cpp:278)
16 libgklayout.dylib 0x17d0bc29 nsXBLDocumentInfo::~nsXBLDocumentInfo [in-charge deleting]() + 123 (nsXBLDocumentInfo.cpp:501)
17 libgklayout.dylib 0x17d0b76f nsXBLDocumentInfo::Release() + 283 (nsXBLDocumentInfo.cpp:472)
18 libgklayout.dylib 0x180d9462 nsCOMPtr<nsIXBLDocumentInfo>::~nsCOMPtr [in-charge]() + 66 (nsCOMPtr.h:583)
19 libgklayout.dylib 0x180dd890 nsBaseHashtableET<nsURIHashKey, nsCOMPtr<nsIXBLDocumentInfo> >::~nsBaseHashtableET [in-charge]() + 20 (nsBaseHashtable.h:312)
20 libgklayout.dylib 0x180dd8b1 nsTHashtable<nsBaseHashtableET<nsURIHashKey, nsCOMPtr<nsIXBLDocumentInfo> > >::s_ClearEntry(PLDHashTable*, PLDHashEntryHdr*) + 17 (nsTHashtable.h:391)
21 libxpcom_core.dylib 0x012f7af5 PL_DHashTableFinish + 166 (pldhash.c:375)
22 libgklayout.dylib 0x180dbffb nsTHashtable<nsBaseHashtableET<nsURIHashKey, nsCOMPtr<nsIXBLDocumentInfo> > >::~nsTHashtable [not-in-charge]() + 27 (nsTHashtable.h:312)
23 libgklayout.dylib 0x180dc025 nsBaseHashtable<nsURIHashKey, nsCOMPtr<nsIXBLDocumentInfo>, nsIXBLDocumentInfo*>::~nsBaseHashtable [not-in-charge]() + 17 (nsBaseHashtable.h:84)
24 libgklayout.dylib 0x180dc04d nsInterfaceHashtable<nsURIHashKey, nsIXBLDocumentInfo>::~nsInterfaceHashtable [in-charge]() + 17 (nsInterfaceHashtable.h:56)
25 libgklayout.dylib 0x17d1f017 nsBindingManager::~nsBindingManager [in-charge]() + 207 (nsBindingManager.cpp:406)
26 libgklayout.dylib 0x17d1f140 nsBindingManager::Release() + 276 (nsBindingManager.cpp:383)
27 libgklayout.dylib 0x17ba3021 nsDocument::~nsDocument [not-in-charge]() + 1507 (nsDocument.cpp:875)
28 libgklayout.dylib 0x17c8c8ca nsHTMLDocument::~nsHTMLDocument [in-charge deleting]() + 678 (nsHTMLDocument.cpp:343)
29 libgklayout.dylib 0x17bd5d84 nsNodeUtils::LastRelease(nsINode*) + 710 (nsNodeUtils.cpp:229)
30 libgklayout.dylib 0x17b9df41 nsDocument::Release() + 279 (nsDocument.cpp:927)
31 libgklayout.dylib 0x17c8a435 nsHTMLDocument::Release() + 23 (nsHTMLDocument.cpp:382)
32 libxpcom_core.dylib 0x012fa69d nsCOMPtr_base::~nsCOMPtr_base [not-in-charge]() + 69 (nsCOMPtr.cpp:82)
33 libgklayout.dylib 0x17ff744a nsCOMPtr<nsISupports>::~nsCOMPtr [in-charge]() + 14 (nsCSSFrameConstructor.cpp:929)
34 libgklayout.dylib 0x1800774c nsEvent::~nsEvent [in-charge]() + 48 (nsGUIEvent.h:375)
35 libgklayout.dylib 0x17c1d77a nsDOMEvent::~nsDOMEvent [not-in-charge]() + 190 (nsDOMEvent.cpp:141)
36 libgklayout.dylib 0x1808ca21 nsDOMPageTransitionEvent::~nsDOMPageTransitionEvent [in-charge deleting]() + 93 (nsDOMPageTransitionEvent.h:47)
37 libgklayout.dylib 0x17c1ddcd nsDOMEvent::Release() + 283 (nsDOMEvent.cpp:156)
38 libgklayout.dylib 0x17c26ece nsDOMPageTransitionEvent::Release() + 26 (nsDOMPageTransitionEvent.cpp:63)
39 libxpconnect.dylib 0x02a2dc2f XPCJSRuntime::GCCallback(JSContext*, JSGCStatus) + 2139 (xpcjsruntime.cpp:603)
40 libgklayout.dylib 0x17d4f1c9 DOMGCCallback(JSContext*, JSGCStatus) + 47 (nsJSEnvironment.cpp:3337)
41 libxpconnect.dylib 0x02a0a9bf XPCCycleGCCallback(JSContext*, JSGCStatus) + 47 (nsXPConnect.cpp:523)
42 libmozjs.dylib 0x0105b92d js_GC + 3355 (jsgc.c:2589)
43 libmozjs.dylib 0x01017b0f JS_GC + 85 (jsapi.c:2360)
44 libxpconnect.dylib 0x02a0a179 nsXPConnect::BeginCycleCollection() + 409 (nsXPConnect.cpp:573)
45 libxpcom_core.dylib 0x01368d67 nsCycleCollector::Collect(unsigned) + 215 (nsCycleCollector.cpp:2037)
46 libxpcom_core.dylib 0x01368ec4 nsCycleCollector_collect() + 48 (nsCycleCollector.cpp:2555)
47 libgklayout.dylib 0x17d510d9 nsJSContext::Notify(nsITimer*) + 165 (nsJSEnvironment.cpp:3239)
48 libxpcom_core.dylib 0x0135c79f nsTimerImpl::Fire() + 925 (nsTimerImpl.cpp:387)
49 libxpcom_core.dylib 0x0135c92b nsTimerEvent::Run() + 191 (nsTimerImpl.cpp:458)
50 libxpcom_core.dylib 0x01358d97 nsThread::ProcessNextEvent(int, int*) + 627 (nsThread.cpp:491)
51 libxpcom_core.dylib 0x01302256 NS_ProcessNextEvent_P(nsIThread*, int) + 76 (nsThreadUtils.cpp:227)
52 libwidget_mac.dylib 0x05034ae2 nsBaseAppShell::Run() + 70 (nsBaseAppShell.cpp:153)
53 libwidget_mac.dylib 0x05017054 nsAppShell::Run() + 190 (nsAppShell.mm:355)
54 libwidget_mac.dylib 0x050173d0 -[AppShellDelegate runAppShell] + 36 (nsAppShell.mm:459)
55 com.apple.Foundation 0x9280a03b __NSFireDelayedPerform + 403
56 com.apple.CoreFoundation 0x9082d7e2 CFRunLoopRunSpecific + 3341
57 com.apple.CoreFoundation 0x9082cace CFRunLoopRunInMode + 61
58 com.apple.HIToolbox 0x92dec8d8 RunCurrentEventLoopInMode + 285
59 com.apple.HIToolbox 0x92debfe2 ReceiveNextEventCommon + 385
60 com.apple.HIToolbox 0x92debe39 BlockUntilNextEventMatchingListInMode + 81
61 com.apple.AppKit 0x93292465 _DPSNextEvent + 572
62 com.apple.AppKit 0x93292056 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 137
63 com.apple.AppKit 0x9328bddb -[NSApplication run] + 512
64 libwidget_mac.dylib 0x05017028 nsAppShell::Run() + 146 (nsAppShell.mm:352)
65 libtoolkitcomps.dylib 0x1669773f nsAppStartup::Run() + 147 (nsAppStartup.cpp:170)
66 XUL 0x0020fbbc XRE_main + 11592 (nsAppRunner.cpp:3057)
67 org.mozilla.firefox 0x00002798 main + 708 (nsBrowserApp.cpp:153)
68 org.mozilla.firefox 0x00001dca _start + 216
69 org.mozilla.firefox 0x00001cf1 start + 41
(I'm using a debug build of Firefox trunk on Mac.)
Attached patch Proposed fix (obsolete) (deleted)
This should fix this by:
a) Making sure we only use valid XPCCallContexts -- valid means that we, at the very least, have a context (which is what this bug is about).
b) Using the safe context in the finalizer so we don't run into the problem of a weird context causing us to leave XOWs in the map.
Assignee: general → mrbkap
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #274426 - Flags: superreview?(jst)
Attachment #274426 - Flags: review?(jst)
Assignee: mrbkap → nobody
Status: ASSIGNED → NEW
Component: JavaScript Engine → XPConnect
QA Contact: general → xpconnect
Assignee: nobody → mrbkap
Comment on attachment 274426 [details] [diff] [review] Proposed fix GetSecurityManager(JSContext *cx) { XPCCallContext ccx(JS_CALLER, cx); + NS_ENSURE_TRUE(ccx.IsValid(), nsnull); Seems getting at a security manager would be rather important. Is there other code that guarantees that we do the right thing if we hit an invalid ccx here?
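Review bot: the added early return in GetSecurityManager, NS_ENSURE_TRUE(ccx.IsValid(), nsnull), makes a null security manager a possible result, and the quoted lines do not show how any caller handles it. Each caller should check for null and return a failure rather than continue as if no security check were required, and a short comment above the early return stating that null means "call context invalid, treat as failure" would keep later callers from dereferencing the result or failing open.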
Flags: blocking1.9+
Target Milestone: --- → mozilla1.9 M7
Attached patch Updated (deleted)
Good point. I went through the callers of GetSecurityManager, and made them return failure if we can't get a security manager for whatever reason.
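Added example (not part of this bug or of either attached patch): a simplified C++ model of the two points in the fix description and of the follow-up about callers of GetSecurityManager. All types and function bodies are constructed stand-ins; only the names IsValid, GetRuntime and GetSecurityManager echo identifiers quoted in this bug.

```cpp
// Simplified model, constructed for illustration; not Mozilla source.
#include <map>
#include <string>

struct Runtime { std::map<int, std::string> wrapperMap; };  // object id -> wrapper
struct Context { Runtime* rt; };  // rt == nullptr models a context with no runtime data

struct CallContext {              // hypothetical stand-in for XPCCallContext
    Context* cx;
    explicit CallContext(Context* c) : cx(c) {}
    bool IsValid() const { return cx && cx->rt; }
    Runtime* GetRuntime() const { return cx->rt; }  // call only after IsValid()
};

struct SecurityManager { bool CanAccess(int) const { return true; } };
static SecurityManager gManager;

// (a) Validate before use: an invalid call context yields no manager.
SecurityManager* GetSecurityManager(Context* cx) {
    CallContext ccx(cx);
    if (!ccx.IsValid()) return nullptr;
    return &gManager;
}

// Caller fails closed: no security manager means the access is refused.
bool CheckAccess(Context* cx, int objId) {
    SecurityManager* sm = GetSecurityManager(cx);
    return sm ? sm->CanAccess(objId) : false;
}

// (b) The finalizer does not trust the context the GC hands it; it looks the
// wrapper up through a known-good context so the map entry is always removed.
bool FinalizeWrapper(Context* gcCx, Context* safeCx, int objId) {
    (void)gcCx;  // may be mid-destruction, as in the reported stack
    CallContext ccx(safeCx);
    if (!ccx.IsValid()) return false;
    return ccx.GetRuntime()->wrapperMap.erase(objId) == 1;
}

int main() {
    Runtime rt;
    rt.wrapperMap[7] = "xow";
    Context good{&rt}, dying{nullptr};
    bool ok = !CheckAccess(&dying, 7) && CheckAccess(&good, 7) &&
              FinalizeWrapper(&dying, &good, 7) && rt.wrapperMap.empty();
    return ok ? 0 : 1;
}
```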
Attachment #274426 - Attachment is obsolete: true
Attachment #274479 - Flags: superreview?(jst)
Attachment #274479 - Flags: review?(jst)
Attachment #274426 - Flags: superreview?(jst)
Attachment #274426 - Flags: review?(jst)
Attachment #274479 - Flags: superreview?(jst)
Attachment #274479 - Flags: superreview+
Attachment #274479 - Flags: review?(jst)
Attachment #274479 - Flags: review+
Fix checked into trunk.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Blocks: 389753
Crash Signature: [@ XPCContext::GetRuntime]