Assert !isInterpretedLazy() in JSFunction::isHeavyWeight

RESOLVED DUPLICATE of bug 1122833

Status

()

RESOLVED DUPLICATE of bug 1122833
4 years ago
2 years ago

People

(Reporter: jya, Unassigned)

Tracking

(Blocks: 1 bug, {sec-critical})

Trunk
sec-critical
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

4 years ago
This causes constant crash in YouTube in m-c.

in JSFunction::isHeavyWeight
        MOZ_ASSERT(!isInterpretedLazy());

To reproduce:
Go to YouTube, plays any videos, seek a few times. Boom.


(lldb) bt
* thread #1: tid = 0x8268b6, 0x00000001093b665b XUL`JSFunction::isHeavyweight(this=0x0000000149866ec0) const + 91 at jsfun.h:94, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001093b665b XUL`JSFunction::isHeavyweight(this=0x0000000149866ec0) const + 91 at jsfun.h:94
    frame #1: 0x00000001094349c5 XUL`js::StaticScopeIter<(this=0x00007fff5fbf78e8)0>::hasDynamicScopeObject() const + 197 at ScopeObject-inl.h:106
    frame #2: 0x00000001093e2499 XUL`AssertDynamicScopeMatchesStaticScope(cx=0x000000012c5f9770, script=0x00000001498adcc0, scope=0x00000001498e11c0) + 153 at Stack.cpp:148
    frame #3: 0x00000001093e21d5 XUL`js::InterpreterFrame::prologue(this=0x000000011b42a050, cx=0x000000012c5f9770) + 741 at Stack.cpp:213
    frame #4: 0x00000001092f50b0 XUL`Interpret(cx=0x000000012c5f9770, state=0x00007fff5fbfa678) + 1424 at Interpreter.cpp:1508
    frame #5: 0x00000001092f4a3a XUL`js::RunScript(cx=0x000000012c5f9770, state=0x00007fff5fbfa678) + 666 at Interpreter.cpp:448
    frame #6: 0x00000001092e6c8e XUL`js::Invoke(cx=0x000000012c5f9770, args=CallArgs at 0x00007fff5fbfab70, construct=NO_CONSTRUCT) + 1582 at Interpreter.cpp:517
    frame #7: 0x000000010930c6f4 XUL`js::Invoke(cx=0x000000012c5f9770, thisv=0x00007fff5fbfaf70, fval=0x00007fff5fbfafa0, argc=1, argv=0x00007fff5fbfb0f8, rval=JS::MutableHandleValue at 0x00007fff5fbfac70) + 900 at Interpreter.cpp:554
    frame #8: 0x0000000108cf9271 XUL`js::jit::DoCallFallback(cx=0x000000012c5f9770, frame=0x00007fff5fbfb148, stub_=0x000000011ce25bb8, argc=1, vp=0x00007fff5fbfb0e8, res=JS::MutableHandleValue at 0x00007fff5fbfb058) + 1921 at BaselineIC.cpp:9294
    frame #9: 0x00000001001decbb
(lldb)
(Reporter)

Comment 1

4 years ago
I can reproduce it consistently doing this:

Go to https://www.youtube.com/watch?v=XqLTe8h0-jo

Seek to 1 minute, wait until seek completes, and seek back to 25s.
Blocks: 778617
(Reporter)

Comment 2

4 years ago
another bt:
Assertion failure: hasScript(), at /Users/jyavenard/Work/Mozilla/mozilla-central/js/src/jsfun.h:316

(lldb) bt
* thread #1: tid = 0x83b884, 0x0000000109339c49 XUL`JSFunction::nonLazyScript(this=0x000000014b637ac0) const + 89 at jsfun.h:316, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000109339c49 XUL`JSFunction::nonLazyScript(this=0x000000014b637ac0) const + 89 at jsfun.h:316
    frame #1: 0x00000001091f5f6e XUL`js::StaticScopeIter<(this=0x00007fff5fbf3f90)0>::funScript() const + 142 at ScopeObject-inl.h:164
    frame #2: 0x0000000109186a41 XUL`js::LazyScript::staticLevel(this=0x0000000143b94600, cx=0x000000012be1c330) const + 97 at jsscript.cpp:3866
    frame #3: 0x0000000108b9447e XUL`js::frontend::CompileLazyFunction(cx=0x000000012be1c330, lazy=Handle<js::LazyScript *> at 0x00007fff5fbf4368, chars=0x0000000122674ed0, length=34) + 942 at BytecodeCompiler.cpp:487
    frame #4: 0x0000000109078ad0 XUL`JSFunction::createScriptForLazilyInterpretedFunction(cx=0x000000012be1c330, fun=JS::HandleFunction at 0x00007fff5fbf4f60) + 1920 at jsfun.cpp:1478
    frame #5: 0x00000001093408b5 XUL`JSFunction::getOrCreateScript(this=0x000000014b63ed80, cx=0x000000012be1c330) + 309 at jsfun.h:285
    frame #6: 0x0000000109301131 XUL`Interpret(cx=0x000000012be1c330, state=0x00007fff5fbf7bf8) + 50705 at Interpreter.cpp:2544
    frame #7: 0x00000001092f4a3a XUL`js::RunScript(cx=0x000000012be1c330, state=0x00007fff5fbf7bf8) + 666 at Interpreter.cpp:448
    frame #8: 0x00000001092e6c8e XUL`js::Invoke(cx=0x000000012be1c330, args=CallArgs at 0x00007fff5fbf80f0, construct=NO_CONSTRUCT) + 1582 at Interpreter.cpp:517
    frame #9: 0x00000001090796d6 XUL`js::CallOrConstructBoundFunction(cx=0x000000012be1c330, argc=1, vp=0x000000011bc2a0c0) + 1142 at jsfun.cpp:1592
    frame #10: 0x00000001093405c4 XUL`js::CallJSNative(cx=0x000000012be1c330, native=0x0000000109079260, args=0x00007fff5fbf88e0)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 164 at jscntxtinlines.h:226
    frame #11: 0x00000001092e6b4d XUL`js::Invoke(cx=0x000000012be1c330, args=CallArgs at 0x00007fff5fbf88e0, construct=NO_CONSTRUCT) + 1261 at Interpreter.cpp:498
    frame #12: 0x0000000109301364 XUL`Interpret(cx=0x000000012be1c330, state=0x00007fff5fbfb4d8) + 51268 at Interpreter.cpp:2561
    frame #13: 0x00000001092f4a3a XUL`js::RunScript(cx=0x000000012be1c330, state=0x00007fff5fbfb4d8) + 666 at Interpreter.cpp:448
    frame #14: 0x00000001092e6c8e XUL`js::Invoke(cx=0x000000012be1c330, args=CallArgs at 0x00007fff5fbfb9d0, construct=NO_CONSTRUCT) + 1582 at Interpreter.cpp:517
    frame #15: 0x00000001090796d6 XUL`js::CallOrConstructBoundFunction(cx=0x000000012be1c330, argc=0, vp=0x00007fff5fbfc328) + 1142 at jsfun.cpp:1592
    frame #16: 0x00000001093405c4 XUL`js::CallJSNative(cx=0x000000012be1c330, native=0x0000000109079260, args=0x00007fff5fbfc1c0)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 164 at jscntxtinlines.h:226
    frame #17: 0x00000001092e6b4d XUL`js::Invoke(cx=0x000000012be1c330, args=CallArgs at 0x00007fff5fbfc1c0, construct=NO_CONSTRUCT) + 1261 at Interpreter.cpp:498
    frame #18: 0x000000010930c6f4 XUL`js::Invoke(cx=0x000000012be1c330, thisv=0x00007fff5fbfc6b8, fval=0x00007fff5fbfc518, argc=0, argv=0x00007fff5fbfc5f8, rval=JS::MutableHandleValue at 0x00007fff5fbfc2c0) + 900 at Interpreter.cpp:554
    frame #19: 0x0000000109051b04 XUL`JS::Call(cx=0x000000012be1c330, thisv=JS::HandleValue at 0x00007fff5fbfc418, fval=JS::HandleValue at 0x00007fff5fbfc410, args=0x00007fff5fbfc4d8, rval=JS::MutableHandleValue at 0x00007fff5fbfc408) + 228 at jsapi.cpp:4587
    frame #20: 0x00000001054386c2 XUL`mozilla::dom::Function::Call(this=0x000000012bd0a370, cx=0x000000012be1c330, aThisVal=Handle<JS::Value> at 0x00007fff5fbfc5b0, arguments=0x000000011cbab720, aRetVal=MutableHandle<JS::Value> at 0x00007fff5fbfc5a8, aRv=0x00007fff5fbfc970) + 946 at FunctionBinding.cpp:36
    frame #21: 0x0000000104cfb311 XUL`void mozilla::dom::Function::Call<nsCOMPtr<nsISupports> >(this=0x000000012bd0a370, thisObjPtr=0x00007fff5fbfc988, arguments=0x000000011cbab720, aRetVal=MutableHandle<JS::Value> at 0x00007fff5fbfc728, aRv=0x00007fff5fbfc970, aExceptionHandling=eReportExceptions, aCompartment=0x0000000000000000) + 577 at FunctionBinding.h:58
    frame #22: 0x0000000104ce6e30 XUL`nsGlobalWindow::RunTimeoutHandler(this=0x000000011f72d400, aTimeout=0x000000012aee0200, aScx=0x000000012c8bc6a0) + 1296 at nsGlobalWindow.cpp:12260
    frame #23: 0x0000000104cd6a2c XUL`nsGlobalWindow::RunTimeout(this=0x000000011f72d400, aTimeout=0x000000012ab7e900) + 1228 at nsGlobalWindow.cpp:12484
    frame #24: 0x0000000104ce6710 XUL`nsGlobalWindow::TimerCallback(aTimer=0x0000000140cfeec0, aClosure=0x000000012ab7e900) + 80 at nsGlobalWindow.cpp:12731
    frame #25: 0x00000001037077e2 XUL`nsTimerImpl::Fire(this=0x0000000140cfeec0) + 994 at nsTimerImpl.cpp:631
    frame #26: 0x0000000103707bf1 XUL`nsTimerEvent::Run(this=0x000000011e12d5f0) + 209 at nsTimerImpl.cpp:724
    frame #27: 0x0000000103702688 XUL`nsThread::ProcessNextEvent(this=0x0000000100437310, aMayWait=false, aResult=0x00007fff5fbfd063) + 2088 at nsThread.cpp:855
    frame #28: 0x000000010375c22a XUL`NS_ProcessPendingEvents(aThread=0x0000000100437310, aTimeout=20) + 154 at nsThreadUtils.cpp:207
    frame #29: 0x0000000106ae3099 XUL`nsBaseAppShell::NativeEventCallback(this=0x000000011bcb2de0) + 201 at nsBaseAppShell.cpp:98
    frame #30: 0x0000000106b5bd1d XUL`nsAppShell::ProcessGeckoEvents(aInfo=0x000000011bcb2de0) + 445 at nsAppShell.mm:373
    frame #31: 0x00007fff91044661 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
    frame #32: 0x00007fff910367ed CoreFoundation`__CFRunLoopDoSources0 + 269
    frame #33: 0x00007fff91035e1f CoreFoundation`__CFRunLoopRun + 927
    frame #34: 0x00007fff91035838 CoreFoundation`CFRunLoopRunSpecific + 296
    frame #35: 0x00007fff8958043f HIToolbox`RunCurrentEventLoopInMode + 235
    frame #36: 0x00007fff895801ba HIToolbox`ReceiveNextEventCommon + 431
    frame #37: 0x00007fff8957fffb HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 71
    frame #38: 0x00007fff838636d1 AppKit`_DPSNextEvent + 964
    frame #39: 0x00007fff83862e80 AppKit`-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 194
    frame #40: 0x0000000106b5a867 XUL`-[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:](self=0x00000001181373a0, _cmd=0x00007fff841b6b88, mask=18446744073709551615, expiration=0x422d63c37f00000d, mode=0x00007fff757a8f60, flag='\x01') + 119 at nsAppShell.mm:118
    frame #41: 0x00007fff83856e23 AppKit`-[NSApplication run] + 594
    frame #42: 0x0000000106b5c6d7 XUL`nsAppShell::Run(this=0x000000011bcb2de0) + 167 at nsAppShell.mm:647
    frame #43: 0x0000000107a50cbc XUL`nsAppStartup::Run(this=0x000000011bc1bd80) + 156 at nsAppStartup.cpp:281
    frame #44: 0x0000000107b00520 XUL`XREMain::XRE_mainRun(this=0x00007fff5fbfefe8) + 6208 at nsAppRunner.cpp:4145
    frame #45: 0x0000000107b00dce XUL`XREMain::XRE_main(this=0x00007fff5fbfefe8, argc=5, argv=0x00007fff5fbff918, aAppData=0x00007fff5fbff298) + 798 at nsAppRunner.cpp:4221
    frame #46: 0x0000000107b01292 XUL`XRE_main(argc=5, argv=0x00007fff5fbff918, aAppData=0x00007fff5fbff298, aFlags=0) + 98 at nsAppRunner.cpp:4441
    frame #47: 0x0000000100002d0e firefox`do_main(argc=5, argv=0x00007fff5fbff918, xreDirectory=0x000000010040dd40) + 1950 at nsBrowserApp.cpp:294
    frame #48: 0x0000000100002073 firefox`main(argc=5, argv=0x00007fff5fbff918) + 323 at nsBrowserApp.cpp:663
    frame #49: 0x0000000100001ad4 firefox`start + 52
(lldb)

Updated

4 years ago
Group: javascript-core-security

Updated

4 years ago
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1122833
Group: javascript-core-security → core-security

Updated

3 years ago
Group: core-security → core-security-release
Group: core-security-release
Keywords: sec-critical
You need to log in before you can comment on or make changes to this bug.