Closed
Bug 965921
Opened 11 years ago
Closed 11 years ago
crash in XPC_WN_DoubleWrappedGetter (with AVG toolbar)
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla30
Tracking | Status | |
---|---|---|
firefox28 | --- | unaffected |
firefox29 | + | verified |
firefox30 | + | verified |
People
(Reporter: jbecerra, Assigned: bholley)
References
Details
(4 keywords, Whiteboard: [Australis:P-])
Crash Data
Attachments
(1 file)
(deleted),
patch
|
mrbkap
:
review+
Sylvestre
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is
report bp-7654b713-b1bd-4456-9a78-004592140130.
=============================================================
New signature in the top 10 on nightly. The first signature is from builds from 1/26. It also showed up at the top on the explosive reports. A lot of these seem to be dupes, however.
0 xul.dll XPC_WN_DoubleWrappedGetter js/xpconnect/src/XPCWrappedNativeJSOps.cpp
1 mozjs.dll js::Invoke(JSContext *,JS::Value const &,JS::Value const &,unsigned int,JS::Value *,JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp
2 mozjs.dll GetPropertyOperation js/src/vm/Interpreter.cpp
3 mozjs.dll Interpret js/src/vm/Interpreter.cpp
4 mozjs.dll js::RunScript(JSContext *,js::RunState &) js/src/vm/Interpreter.cpp
5 mozjs.dll js::ExecuteKernel(JSContext *,JS::Handle<JSScript *>,JSObject &,JS::Value const &,js::ExecuteType,js::AbstractFramePtr,JS::Value *) js/src/vm/Interpreter.cpp
6 mozjs.dll js::Execute(JSContext *,JS::Handle<JSScript *>,JSObject &,JS::Value *) js/src/vm/Interpreter.cpp
7 mozjs.dll JS::Evaluate(JSContext *,JS::Handle<JSObject *>,JS::ReadOnlyCompileOptions const &,wchar_t const *,unsigned int,JS::Value *) js/src/jsapi.cpp
8 xul.dll nsJSUtils::EvaluateString(JSContext *,nsAString_internal const &,JS::Handle<JSObject *>,JS::CompileOptions &,nsJSUtils::EvaluateOptions &,JS::Value *,void * *) dom/base/nsJSUtils.cpp
9 xul.dll nsJSContext::EvaluateString(nsAString_internal const &,JS::Handle<JSObject *>,JS::CompileOptions &,bool,JS::Value *,void * *) dom/base/nsJSEnvironment.cpp
10 xul.dll nsScriptLoader::EvaluateScript(nsScriptLoadRequest *,nsString const &,void * *) content/base/src/nsScriptLoader.cpp
11 xul.dll nsScriptLoader::ProcessRequest(nsScriptLoadRequest *,void * *) content/base/src/nsScriptLoader.cpp
12 xul.dll nsScriptLoader::ProcessScriptElement(nsIScriptElement *) content/base/src/nsScriptLoader.cpp
13 xul.dll nsScriptElement::MaybeProcessScript() content/base/src/nsScriptElement.cpp
14 xul.dll nsIScriptElement::AttemptToExecute() obj-firefox/dist/include/nsIScriptElement.h
15 xul.dll nsHtml5TreeOpExecutor::RunScript(nsIContent *) parser/html/nsHtml5TreeOpExecutor.cpp
16 xul.dll nsHtml5TreeOpExecutor::RunFlushLoop() parser/html/nsHtml5TreeOpExecutor.cpp
17 xul.dll nsHtml5ExecutorReflusher::Run() parser/html/nsHtml5TreeOpExecutor.cpp
18 xul.dll nsThread::ProcessNextEvent(bool,bool *) xpcom/threads/nsThread.cpp
19 xul.dll NS_ProcessNextEvent(nsIThread *,bool) xpcom/glue/nsThreadUtils.cpp
20 xul.dll mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate *) ipc/glue/MessagePump.cpp
21 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc
22 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc
23 xul.dll nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp
24 xul.dll nsAppShell::Run() widget/windows/nsAppShell.cpp
25 xul.dll nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp
26 xul.dll XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp
27 xul.dll XREMain::XRE_main(int,char * * const,nsXREAppData const *) toolkit/xre/nsAppRunner.cpp
28 xul.dll XRE_main toolkit/xre/nsAppRunner.cpp
29 firefox.exe do_main browser/app/nsBrowserApp.cpp
30 firefox.exe NS_internal_main(int,char * *) browser/app/nsBrowserApp.cpp
31 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp
32 firefox.exe __tmainCRTStartup f:/dd/vctools/crt_bld/self_x86/crt/src/crtexe.c
33 kernel32.dll BaseThreadInitThunk
34 ntdll.dll __RtlUserThreadStart
35 ntdll.dll _RtlUserThreadStart
Comment 1•11 years ago
|
||
FF crashes continuously after the AVG toolbar installation http://www.softpedia.com/progDownload/AVG-Security-Toolbar-Download-220682.html
https://crash-stats.mozilla.com/report/index/ff4710c6-de00-46be-9709-95cd92140131
29.0a1 (2014-01-30), win 7 x64
Reporter | ||
Updated•11 years ago
|
Keywords: reproducible,
topcrash
Comment 2•11 years ago
|
||
see bug 956766
This is the failing line:
> // It is a double wrapped object. This should never appear in content these
> // days, but let's be safe here.
> MOZ_RELEASE_ASSERT(nsContentUtils::IsCallerChrome());
Comment 4•11 years ago
|
||
I'd like to know whether the toolbar has binary components (XPCOM components or other DLLs loaded via ctypes) which call into JSAPI or xpconnect. If the addon is pure-JS, it seems like we should focus on fixing this on our side. Otherwise we should contact them to stop using JSAPI.
Flags: needinfo?(dmajor)
Comment 5•11 years ago
|
||
Sent a message to AVG about this, asking for a copy of the add-on.
(In reply to Jorge Villalobos [:jorgev] from comment #5)
> Sent a message to AVG about this, asking for a copy of the add-on.
The link from comment 1 worked for me.
Flags: needinfo?(dmajor)
(In reply to Benjamin Smedberg [:bsmedberg] from comment #4)
> I'd like to know whether the toolbar has binary components (XPCOM components
> or other DLLs loaded via ctypes) which call into JSAPI or xpconnect. If the
> addon is pure-JS, it seems like we should focus on fixing this on our side.
> Otherwise we should contact them to stop using JSAPI.
Kind of both. Yes there are some DLLs loaded via ctypes, but they appear to be doing leaf-function-ish URL classification work, not calling back into xul or mozjs as far as I can see. The actual assertion happens during eval of:
+0x000 mData : 0x0b4a5658 "try { avgweb.utils.displaySetHomepageBtn("SetHPBtnHeaderNav");} catch (ex) { } if ($('#SetHPBtnHeaderNav').is(':visible') == false) { $('.nt-restore').find('.divider').hide();}."
Updated•11 years ago
|
Blocks: australis-addons
Updated•11 years ago
|
Summary: crash in XPC_WN_DoubleWrappedGetter → crash in XPC_WN_DoubleWrappedGetter (with AVG toolbar)
Updated•11 years ago
|
No longer blocks: australis-addons
Comment 8•11 years ago
|
||
(In reply to David Major [:dmajor] from comment #7)
> avgweb.utils.displaySetHomepageBtn("SetHPBtnHeaderNav");
I wonder what does and how it is implemented. From what it sounds, it might do something to the UI and that could of course have an Australis impact.
Updated•11 years ago
|
Blocks: australis-addons
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #8)
> (In reply to David Major [:dmajor] from comment #7)
> > avgweb.utils.displaySetHomepageBtn("SetHPBtnHeaderNav");
>
> I wonder what does and how it is implemented. From what it sounds, it might
> do something to the UI and that could of course have an Australis impact.
I can reproduce the assert and the graphics glitch with the 1/30 Holly build (non-Australis).
Comment 10•11 years ago
|
||
(In reply to David Major [:dmajor] from comment #9)
> I can reproduce the assert and the graphics glitch with the 1/30 Holly build
> (non-Australis).
OK, gtk, removing Australis dependency and requesting tracking for 28 independently.
No longer blocks: australis-addons
tracking-firefox28:
--- → ?
Assignee | ||
Comment 12•11 years ago
|
||
Oh, this was a MOZ_RELEASE_ASSERT I landed a few weeks ago. The addon is certainly doing something bad here, but we can just handle it. Patch forthcoming.
Assignee: nobody → bobbyholley
Flags: needinfo?(bobbyholley)
Assignee | ||
Comment 13•11 years ago
|
||
Attachment #8371180 -
Flags: review?(mrbkap)
Assignee | ||
Comment 14•11 years ago
|
||
This is a regression from bug 794943, which landed on 29.
Does this actually reproduce for 28? I would be very surprised.
tracking-firefox28:
? → ---
tracking-firefox29:
--- → ?
tracking-firefox30:
--- → ?
Depends on: 794943
Keywords: regression
Comment 15•11 years ago
|
||
(In reply to Bobby Holley (:bholley) from comment #14)
> This is a regression from bug 794943, which landed on 29.
>
> Does this actually reproduce for 28? I would be very surprised.
Nope, only 29 and 30.
Updated•11 years ago
|
status-firefox28:
--- → unaffected
status-firefox29:
--- → affected
status-firefox30:
--- → affected
Updated•11 years ago
|
Attachment #8371180 -
Flags: review?(mrbkap) → review+
Assignee | ||
Comment 16•11 years ago
|
||
Comment 17•11 years ago
|
||
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Comment 18•11 years ago
|
||
(just making sure this shows up on Australis tracking for Aurora approvals and landings)
Whiteboard: [Australis:P-]
Comment 19•11 years ago
|
||
Confirmed the crash in 30.0a1 (2014-02-11).
Verified fixed in 30.0a1 (2014-02-12), win 7 x64.
Status: RESOLVED → VERIFIED
Comment 20•11 years ago
|
||
An uplift request should be nice. It is a top crash.
Assignee | ||
Comment 21•11 years ago
|
||
Comment on attachment 8371180 [details] [diff] [review]
Handle addons that expose JS-implemented XPCOM components to content. v1
[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 794943
User impact if declined: Crashes
Testing completed (on m-c, etc.): Baked on m-c
Risk to taking this patch (and alternatives if risky): very low risk
String or IDL/UUID changes made by this patch: None
Attachment #8371180 -
Flags: approval-mozilla-aurora?
Comment 22•11 years ago
|
||
Comment on attachment 8371180 [details] [diff] [review]
Handle addons that expose JS-implemented XPCOM components to content. v1
Thanks for your quick reply!
Attachment #8371180 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 23•11 years ago
|
||
Updated•11 years ago
|
QA Contact: cornel.ionce
Comment 24•11 years ago
|
||
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Build ID:20140306004001
Issue is no longer reproducing using the AVG toolbar. Verified as fixed in latest Firefox Aurora.
You need to log in
before you can comment on or make changes to this bug.
Description
•