Bug 1122802 - Assert !isInterpretedLazy() in JSFunction::isHeavyWeight
Opened 10 years ago
Closed 10 years ago
Status: RESOLVED DUPLICATE of bug 1122833
Product / Component: Core :: JavaScript Engine (defect)
Reporter: jya
Assignee: Unassigned
References: Blocks 1 open bug
Keywords: sec-critical
This causes a constant crash in YouTube on m-c,
in JSFunction::isHeavyWeight:
MOZ_ASSERT(!isInterpretedLazy());
To reproduce:
Go to YouTube, play any video, seek a few times. Boom.
(lldb) bt
* thread #1: tid = 0x8268b6, 0x00000001093b665b XUL`JSFunction::isHeavyweight(this=0x0000000149866ec0) const + 91 at jsfun.h:94, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x00000001093b665b XUL`JSFunction::isHeavyweight(this=0x0000000149866ec0) const + 91 at jsfun.h:94
frame #1: 0x00000001094349c5 XUL`js::StaticScopeIter<(this=0x00007fff5fbf78e8)0>::hasDynamicScopeObject() const + 197 at ScopeObject-inl.h:106
frame #2: 0x00000001093e2499 XUL`AssertDynamicScopeMatchesStaticScope(cx=0x000000012c5f9770, script=0x00000001498adcc0, scope=0x00000001498e11c0) + 153 at Stack.cpp:148
frame #3: 0x00000001093e21d5 XUL`js::InterpreterFrame::prologue(this=0x000000011b42a050, cx=0x000000012c5f9770) + 741 at Stack.cpp:213
frame #4: 0x00000001092f50b0 XUL`Interpret(cx=0x000000012c5f9770, state=0x00007fff5fbfa678) + 1424 at Interpreter.cpp:1508
frame #5: 0x00000001092f4a3a XUL`js::RunScript(cx=0x000000012c5f9770, state=0x00007fff5fbfa678) + 666 at Interpreter.cpp:448
frame #6: 0x00000001092e6c8e XUL`js::Invoke(cx=0x000000012c5f9770, args=CallArgs at 0x00007fff5fbfab70, construct=NO_CONSTRUCT) + 1582 at Interpreter.cpp:517
frame #7: 0x000000010930c6f4 XUL`js::Invoke(cx=0x000000012c5f9770, thisv=0x00007fff5fbfaf70, fval=0x00007fff5fbfafa0, argc=1, argv=0x00007fff5fbfb0f8, rval=JS::MutableHandleValue at 0x00007fff5fbfac70) + 900 at Interpreter.cpp:554
frame #8: 0x0000000108cf9271 XUL`js::jit::DoCallFallback(cx=0x000000012c5f9770, frame=0x00007fff5fbfb148, stub_=0x000000011ce25bb8, argc=1, vp=0x00007fff5fbfb0e8, res=JS::MutableHandleValue at 0x00007fff5fbfb058) + 1921 at BaselineIC.cpp:9294
frame #9: 0x00000001001decbb
(lldb)
Comment 1 • Reporter • 10 years ago
I can reproduce it consistently doing this:
Go to https://www.youtube.com/watch?v=XqLTe8h0-jo
Seek to 1 minute, wait until seek completes, and seek back to 25s.
Blocks: MSE
Comment 2 • Reporter • 10 years ago
Another bt:
Assertion failure: hasScript(), at /Users/jyavenard/Work/Mozilla/mozilla-central/js/src/jsfun.h:316
(lldb) bt
* thread #1: tid = 0x83b884, 0x0000000109339c49 XUL`JSFunction::nonLazyScript(this=0x000000014b637ac0) const + 89 at jsfun.h:316, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x0000000109339c49 XUL`JSFunction::nonLazyScript(this=0x000000014b637ac0) const + 89 at jsfun.h:316
frame #1: 0x00000001091f5f6e XUL`js::StaticScopeIter<(this=0x00007fff5fbf3f90)0>::funScript() const + 142 at ScopeObject-inl.h:164
frame #2: 0x0000000109186a41 XUL`js::LazyScript::staticLevel(this=0x0000000143b94600, cx=0x000000012be1c330) const + 97 at jsscript.cpp:3866
frame #3: 0x0000000108b9447e XUL`js::frontend::CompileLazyFunction(cx=0x000000012be1c330, lazy=Handle<js::LazyScript *> at 0x00007fff5fbf4368, chars=0x0000000122674ed0, length=34) + 942 at BytecodeCompiler.cpp:487
frame #4: 0x0000000109078ad0 XUL`JSFunction::createScriptForLazilyInterpretedFunction(cx=0x000000012be1c330, fun=JS::HandleFunction at 0x00007fff5fbf4f60) + 1920 at jsfun.cpp:1478
frame #5: 0x00000001093408b5 XUL`JSFunction::getOrCreateScript(this=0x000000014b63ed80, cx=0x000000012be1c330) + 309 at jsfun.h:285
frame #6: 0x0000000109301131 XUL`Interpret(cx=0x000000012be1c330, state=0x00007fff5fbf7bf8) + 50705 at Interpreter.cpp:2544
frame #7: 0x00000001092f4a3a XUL`js::RunScript(cx=0x000000012be1c330, state=0x00007fff5fbf7bf8) + 666 at Interpreter.cpp:448
frame #8: 0x00000001092e6c8e XUL`js::Invoke(cx=0x000000012be1c330, args=CallArgs at 0x00007fff5fbf80f0, construct=NO_CONSTRUCT) + 1582 at Interpreter.cpp:517
frame #9: 0x00000001090796d6 XUL`js::CallOrConstructBoundFunction(cx=0x000000012be1c330, argc=1, vp=0x000000011bc2a0c0) + 1142 at jsfun.cpp:1592
frame #10: 0x00000001093405c4 XUL`js::CallJSNative(cx=0x000000012be1c330, native=0x0000000109079260, args=0x00007fff5fbf88e0)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 164 at jscntxtinlines.h:226
frame #11: 0x00000001092e6b4d XUL`js::Invoke(cx=0x000000012be1c330, args=CallArgs at 0x00007fff5fbf88e0, construct=NO_CONSTRUCT) + 1261 at Interpreter.cpp:498
frame #12: 0x0000000109301364 XUL`Interpret(cx=0x000000012be1c330, state=0x00007fff5fbfb4d8) + 51268 at Interpreter.cpp:2561
frame #13: 0x00000001092f4a3a XUL`js::RunScript(cx=0x000000012be1c330, state=0x00007fff5fbfb4d8) + 666 at Interpreter.cpp:448
frame #14: 0x00000001092e6c8e XUL`js::Invoke(cx=0x000000012be1c330, args=CallArgs at 0x00007fff5fbfb9d0, construct=NO_CONSTRUCT) + 1582 at Interpreter.cpp:517
frame #15: 0x00000001090796d6 XUL`js::CallOrConstructBoundFunction(cx=0x000000012be1c330, argc=0, vp=0x00007fff5fbfc328) + 1142 at jsfun.cpp:1592
frame #16: 0x00000001093405c4 XUL`js::CallJSNative(cx=0x000000012be1c330, native=0x0000000109079260, args=0x00007fff5fbfc1c0)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 164 at jscntxtinlines.h:226
frame #17: 0x00000001092e6b4d XUL`js::Invoke(cx=0x000000012be1c330, args=CallArgs at 0x00007fff5fbfc1c0, construct=NO_CONSTRUCT) + 1261 at Interpreter.cpp:498
frame #18: 0x000000010930c6f4 XUL`js::Invoke(cx=0x000000012be1c330, thisv=0x00007fff5fbfc6b8, fval=0x00007fff5fbfc518, argc=0, argv=0x00007fff5fbfc5f8, rval=JS::MutableHandleValue at 0x00007fff5fbfc2c0) + 900 at Interpreter.cpp:554
frame #19: 0x0000000109051b04 XUL`JS::Call(cx=0x000000012be1c330, thisv=JS::HandleValue at 0x00007fff5fbfc418, fval=JS::HandleValue at 0x00007fff5fbfc410, args=0x00007fff5fbfc4d8, rval=JS::MutableHandleValue at 0x00007fff5fbfc408) + 228 at jsapi.cpp:4587
frame #20: 0x00000001054386c2 XUL`mozilla::dom::Function::Call(this=0x000000012bd0a370, cx=0x000000012be1c330, aThisVal=Handle<JS::Value> at 0x00007fff5fbfc5b0, arguments=0x000000011cbab720, aRetVal=MutableHandle<JS::Value> at 0x00007fff5fbfc5a8, aRv=0x00007fff5fbfc970) + 946 at FunctionBinding.cpp:36
frame #21: 0x0000000104cfb311 XUL`void mozilla::dom::Function::Call<nsCOMPtr<nsISupports> >(this=0x000000012bd0a370, thisObjPtr=0x00007fff5fbfc988, arguments=0x000000011cbab720, aRetVal=MutableHandle<JS::Value> at 0x00007fff5fbfc728, aRv=0x00007fff5fbfc970, aExceptionHandling=eReportExceptions, aCompartment=0x0000000000000000) + 577 at FunctionBinding.h:58
frame #22: 0x0000000104ce6e30 XUL`nsGlobalWindow::RunTimeoutHandler(this=0x000000011f72d400, aTimeout=0x000000012aee0200, aScx=0x000000012c8bc6a0) + 1296 at nsGlobalWindow.cpp:12260
frame #23: 0x0000000104cd6a2c XUL`nsGlobalWindow::RunTimeout(this=0x000000011f72d400, aTimeout=0x000000012ab7e900) + 1228 at nsGlobalWindow.cpp:12484
frame #24: 0x0000000104ce6710 XUL`nsGlobalWindow::TimerCallback(aTimer=0x0000000140cfeec0, aClosure=0x000000012ab7e900) + 80 at nsGlobalWindow.cpp:12731
frame #25: 0x00000001037077e2 XUL`nsTimerImpl::Fire(this=0x0000000140cfeec0) + 994 at nsTimerImpl.cpp:631
frame #26: 0x0000000103707bf1 XUL`nsTimerEvent::Run(this=0x000000011e12d5f0) + 209 at nsTimerImpl.cpp:724
frame #27: 0x0000000103702688 XUL`nsThread::ProcessNextEvent(this=0x0000000100437310, aMayWait=false, aResult=0x00007fff5fbfd063) + 2088 at nsThread.cpp:855
frame #28: 0x000000010375c22a XUL`NS_ProcessPendingEvents(aThread=0x0000000100437310, aTimeout=20) + 154 at nsThreadUtils.cpp:207
frame #29: 0x0000000106ae3099 XUL`nsBaseAppShell::NativeEventCallback(this=0x000000011bcb2de0) + 201 at nsBaseAppShell.cpp:98
frame #30: 0x0000000106b5bd1d XUL`nsAppShell::ProcessGeckoEvents(aInfo=0x000000011bcb2de0) + 445 at nsAppShell.mm:373
frame #31: 0x00007fff91044661 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
frame #32: 0x00007fff910367ed CoreFoundation`__CFRunLoopDoSources0 + 269
frame #33: 0x00007fff91035e1f CoreFoundation`__CFRunLoopRun + 927
frame #34: 0x00007fff91035838 CoreFoundation`CFRunLoopRunSpecific + 296
frame #35: 0x00007fff8958043f HIToolbox`RunCurrentEventLoopInMode + 235
frame #36: 0x00007fff895801ba HIToolbox`ReceiveNextEventCommon + 431
frame #37: 0x00007fff8957fffb HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 71
frame #38: 0x00007fff838636d1 AppKit`_DPSNextEvent + 964
frame #39: 0x00007fff83862e80 AppKit`-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 194
frame #40: 0x0000000106b5a867 XUL`-[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:](self=0x00000001181373a0, _cmd=0x00007fff841b6b88, mask=18446744073709551615, expiration=0x422d63c37f00000d, mode=0x00007fff757a8f60, flag='\x01') + 119 at nsAppShell.mm:118
frame #41: 0x00007fff83856e23 AppKit`-[NSApplication run] + 594
frame #42: 0x0000000106b5c6d7 XUL`nsAppShell::Run(this=0x000000011bcb2de0) + 167 at nsAppShell.mm:647
frame #43: 0x0000000107a50cbc XUL`nsAppStartup::Run(this=0x000000011bc1bd80) + 156 at nsAppStartup.cpp:281
frame #44: 0x0000000107b00520 XUL`XREMain::XRE_mainRun(this=0x00007fff5fbfefe8) + 6208 at nsAppRunner.cpp:4145
frame #45: 0x0000000107b00dce XUL`XREMain::XRE_main(this=0x00007fff5fbfefe8, argc=5, argv=0x00007fff5fbff918, aAppData=0x00007fff5fbff298) + 798 at nsAppRunner.cpp:4221
frame #46: 0x0000000107b01292 XUL`XRE_main(argc=5, argv=0x00007fff5fbff918, aAppData=0x00007fff5fbff298, aFlags=0) + 98 at nsAppRunner.cpp:4441
frame #47: 0x0000000100002d0e firefox`do_main(argc=5, argv=0x00007fff5fbff918, xreDirectory=0x000000010040dd40) + 1950 at nsBrowserApp.cpp:294
frame #48: 0x0000000100002073 firefox`main(argc=5, argv=0x00007fff5fbff918) + 323 at nsBrowserApp.cpp:663
frame #49: 0x0000000100001ad4 firefox`start + 52
(lldb)
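Why a failed MOZ_ASSERT in a lazy-function accessor is filed as sec-critical rather than as a plain crash, as an added illustration in C that is not part of the bug report and is not SpiderMonkey's code: a hypothetical function object keeps a compiled script and a lazy placeholder in one union slot, with a flag saying which one is live, the way the `hasScript()` / `isInterpretedLazy()` checks in the traces above distinguish the two states. A debug build aborts at the assert (the EXC_BAD_ACCESS at address 0 shown above is the assert firing); a release build compiles the assert away and hands the placeholder back as if it were a script, so the caller reads the wrong type. All type and field names, the layout and the sample offsets are assumptions constructed for this note.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical analogue of a lazy/non-lazy function object (assumption,
 * not SpiderMonkey's JSFunction). */
typedef struct {
    uint32_t bytecode_len;      /* what a caller of nonLazyScript() expects */
    const uint8_t *bytecode;
} Script;

typedef struct {
    uint32_t source_begin;      /* what is actually stored while lazy */
    uint32_t source_end;
} LazyScript;

enum { FLAG_LAZY = 1u << 0 };

typedef struct {
    uint32_t flags;
    union {                     /* one slot; flags decide its meaning */
        Script *script;
        LazyScript *lazy;
    } u;
} Function;

static bool is_interpreted_lazy(const Function *f) {
    return (f->flags & FLAG_LAZY) != 0;
}

static bool has_script(const Function *f) {
    return !is_interpreted_lazy(f);
}

/* Debug-only guard, like MOZ_ASSERT(hasScript()) in the report: a debug
 * build aborts here, a release build compiles the check away and returns
 * whatever the union holds, mistyped. */
static Script *non_lazy_script_asserting(const Function *f) {
    assert(has_script(f));
    return f->u.script;
}

/* Fail-closed accessor: returns NULL instead of a mistyped pointer. */
static Script *non_lazy_script_checked(const Function *f) {
    return has_script(f) ? f->u.script : NULL;
}

/* What a release build would read through the mistyped pointer: the first
 * bytes of the LazyScript, interpreted as Script::bytecode_len. memcpy keeps
 * the demonstration itself well-defined. */
static uint32_t release_build_bytecode_len(const Function *f) {
    uint32_t len;
    memcpy(&len, f->u.lazy, sizeof len);
    return len;
}

static Function make_lazy(LazyScript *placeholder, uint32_t begin, uint32_t end) {
    placeholder->source_begin = begin;
    placeholder->source_end = end;
    Function f = { FLAG_LAZY, { .lazy = placeholder } };
    return f;
}

static Function make_compiled(Script *s, const uint8_t *code, uint32_t len) {
    s->bytecode_len = len;
    s->bytecode = code;
    Function f = { 0, { .script = s } };
    return f;
}

/* Constructed scenario: a lazy function whose source starts at offset 4660.
 * The release-build read turns that source offset into a "bytecode length". */
static uint32_t demo_release_read(void) {
    static LazyScript placeholder;
    Function f = make_lazy(&placeholder, 4660u, 4700u);
    return release_build_bytecode_len(&f);
}

static bool demo_checked_refuses(void) {
    static LazyScript placeholder;
    Function f = make_lazy(&placeholder, 4660u, 4700u);
    return non_lazy_script_checked(&f) == NULL;
}

/* On a compiled function both accessors agree and return the real script. */
static uint32_t demo_compiled_ok(void) {
    static Script s;
    static const uint8_t code[3] = { 0x01, 0x02, 0x03 };
    Function f = make_compiled(&s, code, 3u);
    return non_lazy_script_asserting(&f)->bytecode_len
         + non_lazy_script_checked(&f)->bytecode_len;
}

int main(void) {
    printf("release-build bytecode_len read from a lazy function: %u\n",
           (unsigned)demo_release_read());
    printf("checked accessor refuses the lazy function: %s\n",
           demo_checked_refuses() ? "yes" : "no");
    printf("compiled function, both accessors summed: %u\n",
           (unsigned)demo_compiled_ok());
    return 0;
}
```

The point for triage: the assert is the only thing standing between "a lazy function reached a path that expects a compiled script" and a release build dereferencing a pointer of the wrong type, which is why the bug carries a security group and a sec-critical keyword even though the visible symptom is a debug-build abort.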
Updated • 10 years ago
Group: javascript-core-security
Updated • 10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Updated • 10 years ago
Group: javascript-core-security → core-security
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 8 years ago
Group: core-security-release
Keywords: sec-critical