Bug 1496805. Add some more instrumentation to try to pin down why ClearDocumentDependentSlots crashes. r=mccr8
authorBoris Zbarsky <bzbarsky@mit.edu>
Fri, 05 Oct 2018 15:59:43 -0400
changeset 495631 a994947dd760f44b168c870c0c243e284bda4b55
parent 495630 1522c7633aa80632a261704ed02c457f4413425d
child 495632 78f6d666ce6e3726fe8998a44de1387bf4543575
push id9984
push userffxbld-merge
push dateMon, 15 Oct 2018 21:07:35 +0000
reviewersmccr8
bugs1496805
milestone64.0a1
Bug 1496805. Add some more instrumentation to try to pin down why ClearDocumentDependentSlots crashes. r=mccr8
dom/base/nsGlobalWindowInner.cpp
dom/bindings/BindingUtils.cpp
--- a/dom/base/nsGlobalWindowInner.cpp
+++ b/dom/base/nsGlobalWindowInner.cpp
@@ -7515,16 +7515,20 @@ nsGlobalWindowInner::GetSidebar(OwningEx
 #else
   aRv.Throw(NS_ERROR_NOT_IMPLEMENTED);
 #endif
 }
 
 void
 nsGlobalWindowInner::ClearDocumentDependentSlots(JSContext* aCx)
 {
+  if (js::GetContextCompartment(aCx) != js::GetObjectCompartment(GetWrapperPreserveColor())) {
+    MOZ_CRASH("Looks like bug 1488480/1405521, with ClearDocumentDependentSlots in a bogus compartment");
+  }
+
   // If JSAPI OOMs here, there is basically nothing we can do to recover safely.
   if (!Window_Binding::ClearCachedDocumentValue(aCx, this) ||
       !Window_Binding::ClearCachedPerformanceValue(aCx, this)) {
     MOZ_CRASH("Unhandlable OOM while clearing document dependent slots.");
   }
 }
 
 /* static */
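Review bot: The added compartment check on the first new line passes GetWrapperPreserveColor() straight into js::GetObjectCompartment without a null check; if the wrapper can be null when ClearDocumentDependentSlots runs (not visible from this hunk), the instrumentation would die on a null dereference instead of the MOZ_CRASH message it is meant to produce, which defeats the purpose of adding it. Binding the wrapper first and treating null as its own diagnostic keeps the signal unambiguous: `JSObject* wrapper = GetWrapperPreserveColor();` followed by `if (!wrapper || js::GetContextCompartment(aCx) != js::GetObjectCompartment(wrapper)) {`, ideally with a distinct crash string for the null case. Since the commit describes this as temporary instrumentation, a leading comment such as `// Temporary diagnostic for bug 1488480/1405521; remove once the root cause is found.` would tell a later reader it is not a permanent invariant.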
--- a/dom/bindings/BindingUtils.cpp
+++ b/dom/bindings/BindingUtils.cpp
@@ -4181,16 +4181,20 @@ JS::Handle<JSObject*>
 GetPerInterfaceObjectHandle(JSContext* aCx,
                             size_t aSlotId,
                             CreateInterfaceObjectsMethod aCreator,
                             bool aDefineOnGlobal)
 {
   /* Make sure our global is sane.  Hopefully we can remove this sometime */
   JSObject* global = JS::CurrentGlobalOrNull(aCx);
   if (!(js::GetObjectClass(global)->flags & JSCLASS_DOM_GLOBAL)) {
+    if (aSlotId == prototypes::id::HTMLDocument ||
+        aSlotId == prototypes::id::Document) {
+      MOZ_CRASH("Looks like bug 1488480/1405521, with a non-DOM global in GetPerInterfaceObjectHandle");
+    }
     return nullptr;
   }
 
   /* Check to see whether the interface objects are already installed */
   ProtoAndIfaceCache& protoAndIfaceCache = *GetProtoAndIfaceCache(global);
   if (!protoAndIfaceCache.HasEntryInSlot(aSlotId)) {
     JS::Rooted<JSObject*> rootedGlobal(aCx, global);
     aCreator(aCx, rootedGlobal, protoAndIfaceCache, aDefineOnGlobal);
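Review bot: The predicate `aSlotId == prototypes::id::HTMLDocument || aSlotId == prototypes::id::Document` is written out verbatim here and again in the second hunk of this file (the null-entrySlot check), so the two diagnostics can drift apart if one is later widened to more interfaces. A small file-local helper would keep them in sync, e.g. `static bool IsDocumentSlot(size_t aSlotId) { return aSlotId == prototypes::id::HTMLDocument || aSlotId == prototypes::id::Document; }`, with both sites reduced to `if (IsDocumentSlot(aSlotId)) {`. Each MOZ_CRASH string already names the bug, but a one-line comment above the helper marking it as temporary instrumentation would make its intended lifetime explicit. The enclosing function GetPerInterfaceObjectHandle continues past the end of this hunk.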
@@ -4205,16 +4209,24 @@ GetPerInterfaceObjectHandle(JSContext* a
    *
    * Calling address() avoids the read barrier that does gray unmarking, but
    * it's not possible for the object to be gray here.
    */
 
   const JS::Heap<JSObject*>& entrySlot =
     protoAndIfaceCache.EntrySlotMustExist(aSlotId);
   MOZ_ASSERT(JS::ObjectIsNotGray(entrySlot));
+
+  if (!entrySlot) {
+    if (aSlotId == prototypes::id::HTMLDocument ||
+        aSlotId == prototypes::id::Document) {
+      MOZ_CRASH("Looks like bug 1488480/1405521, with aCreator failing to create the per-interface object");
+    }
+  }
+
   return JS::Handle<JSObject*>::fromMarkedLocation(entrySlot.address());
 }
 
 namespace binding_detail {
 bool
 IsGetterEnabled(JSContext* aCx, JS::Handle<JSObject*> aObj,
                 JSJitGetterOp aGetter,
                 const Prefable<const JSPropertySpec>* aAttributes)
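Review bot: The new `if (!entrySlot)` test reads the JS::Heap slot through its normal accessor, whereas the comment a few lines above this hunk explains that `address()` is used on the return line precisely to avoid the read barrier; if JS::Heap's boolean conversion goes through that barrier (I cannot confirm from the hunk), the diagnostic quietly reintroduces the access the comment says is avoided. Testing the raw pointer instead keeps the existing reasoning intact: `if (!*entrySlot.address()) {`. It is also worth noting in a comment that for non-Document slots a null entry still falls through to the `fromMarkedLocation` return below, so the new check changes nothing for them and callers remain responsible for handling a null handle. The enclosing function GetPerInterfaceObjectHandle starts before this hunk.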