Closed
Bug 854604
Opened 12 years ago
Closed 12 years ago
Typing 'Components' in the Web Console crashes the browser
Categories
(Core :: XPConnect, defect)
Tracking
()
RESOLVED
FIXED
mozilla22
| Tracking | Status | |
|---|---|---|
| firefox21 | --- | unaffected |
| firefox22 | --- | fixed |
People
(Reporter: reuben, Assigned: bholley)
References
Details
(Keywords: crash, regression)
Crash Data
Attachments
(1 file)
|
(deleted),
patch
|
mrbkap
:
review+
|
Details | Diff | Splinter Review |
I don't know how the autocompletion works, but it looks like it's trying to evaluate the string to inspect the resulting object and crashing in XPConnect when trying to unwrap Components.
bp-afa935a8-ab92-4cce-b8ad-3e05d2130325
bp-a17c7cd8-5822-4659-a9b5-dc29d2130325
|
||
Updated•12 years ago
|
Severity: major → critical
Crash Signature: [@ js::UnwrapObject(JSObject*, bool, unsigned int*) ]
Keywords: crash
|
||
Updated•12 years ago
|
Component: Developer Tools: Console → XPConnect
Product: Firefox → Core
|
||
Comment 1•12 years ago
|
||
Bobby, might this be a regression from something you landed?
|
|
||
Updated•12 years ago
|
Keywords: regressionwindow-wanted
|
Assignee | |
Comment 2•12 years ago
|
||
I believe this is a GWNOJO regression. Investigating more.
|
|
||
Updated•12 years ago
|
|
|
||
Updated•12 years ago
|
Version: Trunk → 22 Branch
|
|
Assignee | |
Comment 3•12 years ago
|
||
I've audited all the places where we instantiate an XPCCallContext with more
than just (cx, {NATIVE,JS}_CALLER), and the toString hook is the only place
where we don't check IsValid() or something that depends on it.
Attachment #729893 -
Flags: review?(mrbkap)
|
||
Updated•12 years ago
|
Attachment #729893 -
Flags: review?(mrbkap) → review+
|
|
Assignee | |
Comment 4•12 years ago
|
||
|
||
Comment 5•12 years ago
|
||
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
|
|
||
Updated•12 years ago
|
|
|
||
Comment 6•12 years ago
|
||
There are almost as many crashes after the fix as before. See https://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A23.0a1&version=Firefox%3A22.0a1&range_value=4&range_unit=weeks&signature=js%3A%3AUnwrapObject%28JSObject*%2C%20bool%2C%20unsigned%20int*%29
|
|
||
Comment 7•12 years ago
|
||
That's not surprising. It seems unlikely that many people were typing "Components" in the web console. The remaining crashes look all like null derefs. Maybe that deserves an extra bug, if it is easy to fix by looking at the crash stacks.
|
|
Assignee | |
Comment 8•12 years ago
|
||
js::UnwrapObject is a very common function, so if that's the only point of similarity they're unlikely to be related.
A lot of those crashes have no stack, but one of them does, and points to an obvious bug. I'll file.
|
|
Assignee | |
Comment 9•12 years ago
|
||
Filed bug 858642 for this.
|
|
Assignee | |
Comment 10•12 years ago
|
||
Note that js::UnwrapObject is going to be renamed to js::UncheckedUnwrap in bug 854503.
You need to log in
before you can comment on or make changes to this bug.
Description
•