Closed Bug 762197 Opened 12 years ago Closed 12 years ago

crash in JSObject::getGeneric

Categories

(Core :: JavaScript Engine, defect)

16 Branch
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla16
Tracking Status
firefox14 --- unaffected
firefox15 --- unaffected
firefox16 + fixed
firefox-esr10 --- unaffected

People

(Reporter: scoobidiver, Unassigned)

References

Details

(Keywords: crash, regression, sec-critical, Whiteboard: [js:inv:p1])

Crash Data

With combined signatures, it's #5 top crasher in today's build.
It first appeared in 16.0a1/20120606. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a7a905fd70d5&tochange=6338a8988917

Signature	JSObject::getGeneric(JSContext*, JS::Handle<int>, JS::Value*)
UUID	6f6984e3-1ca2-4dec-9a85-c48932120606
Date Processed	2012-06-06 18:45:30
Uptime	156
Last Crash	more than 3 months before submission
Install Age	19.1 minutes since version was first installed.
Install Time	2012-06-06 18:25:56
Product	Firefox
Version	16.0a1
Build ID	20120606030528
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 37 stepping 5
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x69727453
App Notes 	
AdapterVendorID: 0x8086, AdapterDeviceID: 0x0046, AdapterSubsysID: 043f1028, AdapterDriverVersion: 8.15.10.2622
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
EMCheckCompatibility	True
Adapter Device ID	
Total Virtual Memory	2147352576
Available Virtual Memory	1530040320
System Memory Use Percentage	40
Available Page File	4256292864
Available Physical Memory	1836113920

Frame 	Module 	Signature 	Source
0 		@0x69727453 	
1 	mozjs.dll 	JSObject::getGeneric 	js/src/jsobjinlines.h:177
2 	mozjs.dll 	JSObject::getProperty 	js/src/jsobjinlines.h:183
3 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:1489
4 	mozjs.dll 	js::types::TypeSet::addType 	js/src/jsinferinlines.h:1116
5 	mozjs.dll 	js::types::TypeScript::SetThis 	js/src/jsinferinlines.h:690
6 	mozjs.dll 	js::Execute 	js/src/jsinterp.cpp:493

More reports at:
https://crash-stats.mozilla.com/report/list?signature=JSObject%3A%3AgetGeneric%28JSContext*%2C+JS%3A%3AHandle%3Cint%3E%2C+JS%3A%3AValue*%29
https://crash-stats.mozilla.com/report/list?signature=JSObject%3A%3AgetGeneric%28JSContext*%2C+JS%3A%3AHandle%3CJSObject*%3E%2C+JS%3A%3AHandle%3Cint%3E%2C+JS%3A%3AValue*%29
https://crash-stats.mozilla.com/report/list?signature=JSObject%3A%3AgetProperty%28JSContext*%2C+js%3A%3APropertyName*%2C+JS%3A%3AValue*%29
This shows as highly exploitable on Windows in crash automation. I'll see about reproducing.
Debug pseudo-stack:

JSObject::getGeneric(JSContext*, JS::Handle<jsid>, JS::Value*)
JSObject::getProperty(JSContext*, js::PropertyName*, JS::Value*)
js::GetObjectElementOperation
js::GetElementOperation
js::Interpret(JSContext*, js::StackFrame*, js::InterpMode)
Group: core-security
Keywords: sec-critical
The url is:

http://www.google.com.vn/imgres?q=TravelMate%2B4750&hl=vi&biw=1366&bih=567&tbm=isch&tbnid=crk98WCtEsQ8IM:&imgrefurl=http://www.dienmay.com/laptop/acer-travelmate-4750-2332g50-%28039%29&docid=RyoM3kcMDg0D9M&imgurl=http://cdn.thegioididong.com/Products/Images/44/

I haven't been able to reproduce locally, however. Note that Mac has a different stack/assertion:

Assertion failure: (ptrBits & 0x7) == 0
JSVAL_TO_OBJECT_IMPL
JS::Value::toObject
js::CompartmentChecker::check
js::assertSameCompartment<JS::Value>
js::Interpret

Windows XP once gave the following stack:
js::EncapsulatedPtr<js::types::TypeObject, unsigned int>::operator->()
js::ObjectImpl::hasSingletonType()
js::types::Type::ObjectType(JSObject*)
js::types::GetValueType(JSContext*, JS::Value const&)
js::types::TypeMonitorResult(JSContext*, JSScript*, unsigned char*, JS::Value const&)

Note the crash reason for the exploitable Windows crashes was EXCEPTION_ACCESS_VIOLATION_EXEC.
I was able to repro the crash with one of the URLs (http://www.factorydirect.ca/), but I get a slightly different stack:

https://crash-stats.mozilla.com/report/index/bp-8ca67003-fb21-4766-914e-b6ca12120607
I wasn't able to reproduce this crash; it is too random. I've tried to keep my attention on the Error Console without luck. Anyway, this crash happens for me on one very popular Polish IT forum, only during navigation between sub-forums and Forum -> Portal page, never on the Portal. The forum is based on phpBB with their own mods.

Since I'm completely new on Bugzilla I will not post the link now; if someone needs it, please let me know in a comment.
Crash Signature: [@ JSObject::getGeneric(JSContext*, JS::Handle<int>, JS::Value*)] [@ JSObject::getGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<int>, JS::Value*)] [@ JSObject::getProperty(JSContext*, js::PropertyName*, JS::Value*)] → [@ JSObject::getGeneric(JSContext*, JS::Handle<int>, JS::Value*)] [@ JSObject::getGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<int>, JS::Value*)] [@ JSObject::getProperty(JSContext*, js::PropertyName*, JS::Value*)] [@ JSObject::getGeneric]
OS: Windows 7 → All
This is odd: almost the whole day without a single crash, now I got 3 in 15 minutes, the last two at almost the same time:
https://crash-stats.mozilla.com/report/index/bp-4381c12e-b49a-4948-b881-f9d662120609
https://crash-stats.mozilla.com/report/index/bp-c0375f18-0388-49da-ba55-d42d32120609

Some steps to reproduce:
1. Go to this forum: http://forum.dobreprogramy.pl/
2. Navigate a bit on the site, sub-forums etc.
3. At the top of the page you can find a header with "Forum Dobreprogramy".
4. "Dobreprogramy" leads to the Portal page; use it, 99% of the time the crash happens for me on this link.

This is very irregular: you can browse there for a few hours without a single crash, and suddenly when you use this link the browser crashes.
Hope this can help a bit.
Whiteboard: js-triage-needed → [js:inv:p1]
Given the regression range, could this be bug 659577?
Yes, there was definitely a big spike in this crash caused by bug 659577.  However, the fix landed a few days later and the crashes practically all went away.  If I look at crash-stats now, this is #42 and dropping; there is only one crash after 20120608, so I think we can resolve fixed here?
(In reply to Luke Wagner [:luke] from comment #8)
> If I look at crash-stats now, this is #42 and dropping; there is
> only one crash after 20120608, so I think we can resolve fixed here?
There are still crashes in 15.0a2 and 16.0a1 at a very low volume.
Keywords: topcrash
Can we make the bug public?
OK, news is this appears fixed on 16 via bug 659577! Thanks Naveed, Luke, and Brian for checking :)
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla16
Group: core-security
Flags: in-testsuite-