Closed
Bug 1258535
Opened 8 years ago
Closed 8 years ago
Segmentation fault in js::SavedStacks::saveCurrentStack
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla48
Tracking | Status | |
---|---|---|
firefox48 | --- | fixed |
People
(Reporter: abacabadabacaba, Assigned: fitzgen)
Attachments
(2 files, 1 obsolete file)
11.64 KB, patch | jandem: review+
978 bytes, patch | jandem: review+
I'm using Firefox 45.0.1 on Debian x86_64 (package firefox-esr version 45.0.1esr-1). I found that Firefox segfaults after following a specific sequence of actions.

How to reproduce:
0. Start with a clean Firefox profile.
1. Install NoScript extension (I used version 2.9.0.4).
2. Configure NoScript to enable scripts globally.
3. Open a new Private Browsing window (Ctrl-Shift-P).
4. Inside it, open Developer Tools Network tab (Ctrl-Shift-Q).
5. Type http://codeforces.com/enter into the address bar and press Enter.
6. Browser crashes.

Backtrace:
#0 0x00007ffff451bc65 in js::SavedStacks::saveCurrentStack(JSContext*, JS::MutableHandle<js::SavedFrame*>, unsigned int) (this=0xb8, cx=cx@entry=0x7fffe7151c00, frame=frame@entry=..., maxFrameCount=maxFrameCount@entry=0) at /tmp/buildd/firefox-esr-45.0.1esr/js/src/vm/SavedStacks.cpp:1009
#1 0x00007ffff43924a8 in JS::CaptureCurrentStack(JSContext*, JS::MutableHandle<JSObject*>, unsigned int) (cx=cx@entry=0x7fffe7151c00, stackp=..., stackp@entry=..., maxFrameCount=maxFrameCount@entry=0) at /tmp/buildd/firefox-esr-45.0.1esr/js/src/jsapi.cpp:6216
#2 0x00007ffff3bdb90f in mozilla::TimelineMarker::CaptureStack() (this=0x7fffbc1912c0) at /tmp/buildd/firefox-esr-45.0.1esr/docshell/base/timeline/TimelineMarker.cpp:52
#3 0x00007ffff336b15f in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) (aTracingType=mozilla::MarkerTracingType::START, aPhase=2, aType=..., this=0x7fffbc1912c0) at ../../dist/include/mozilla/EventTimelineMarker.h:23
#4 0x00007ffff336b15f in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) () at ../../dist/include/mozilla/UniquePtr.h:634
#5 0x00007ffff336b15f in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) (this=0x7fffe1d6dee0, aPresContext=<optimized out>, aEvent=0x7fffc1f150f0, aDOMEvent=0x7fffffffbee8, aCurrentTarget=0x7fffcf0b0400, aEventStatus=<optimized out>) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventListenerManager.cpp:1148
#6 0x00007ffff3355d5a in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) (aChain=..., aVisitor=..., aCallback=aCallback@entry=0x0, aCd=...) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:315
#7 0x00007ffff335a5a9 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) (aTarget=aTarget@entry=0x7fffcf0b0420, aPresContext=aPresContext@entry=0x7fffce14c000, aEvent=0x7fffc1f150f0, aDOMEvent=<optimized out>, aEventStatus=<optimized out>, aCallback=<optimized out>, aTargets=0x0) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:654
#8 0x00007ffff335a8d9 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) (aTarget=0x7fffcf0b0420, aEvent=aEvent@entry=0x0, aDOMEvent=<optimized out>, aPresContext=0x7fffce14c000, aEventStatus=aEventStatus@entry=0x7fffffffc094) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:723
#9 0x00007ffff2d84e5d in NS_HandleScriptError(nsIScriptGlobalObject*, mozilla::dom::ErrorEventInit const&, nsEventStatus*) (aScriptGlobal=<optimized out>, aErrorEventInit=..., aStatus=0x7fffffffc094) at /tmp/buildd/firefox-esr-45.0.1esr/dom/base/nsJSEnvironment.cpp:351
#10 0x00007ffff2ca253c in nsIScriptGlobalObject::HandleScriptError(mozilla::dom::ErrorEventInit const&, nsEventStatus*) (this=<optimized out>, aErrorEventInit=..., aEventStatus=<optimized out>) at /tmp/buildd/firefox-esr-45.0.1esr/dom/base/nsIScriptGlobalObject.h:76
#11 0x00007ffff363104c in mozilla::dom::indexedDB::IndexedDatabaseManager::CommonPostHandleEvent(mozilla::EventChainPostVisitor&, mozilla::dom::indexedDB::IDBFactory*) (aVisitor=..., aFactory=0x7fffc1b58be0) at /tmp/buildd/firefox-esr-45.0.1esr/dom/indexedDB/IndexedDatabaseManager.cpp:500
#12 0x00007ffff3617ead in mozilla::dom::indexedDB::IDBOpenDBRequest::PostHandleEvent(mozilla::EventChainPostVisitor&) (this=<optimized out>, aVisitor=...) at /tmp/buildd/firefox-esr-45.0.1esr/dom/indexedDB/IDBRequest.cpp:619
#13 0x00007ffff3355c0a in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) (aChain=..., aVisitor=..., aCallback=aCallback@entry=0x0, aCd=...) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:318
#14 0x00007ffff3355d02 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) (aChain=..., aVisitor=..., aCallback=aCallback@entry=0x0, aCd=...) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:367
#15 0x00007ffff335a5a9 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) (aTarget=aTarget@entry=0x7fffc1bdc0c0, aPresContext=aPresContext@entry=0x0, aEvent=0x7fffc1f15080, aDOMEvent=<optimized out>, aEventStatus=<optimized out>, aCallback=<optimized out>, aTargets=0x0) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:654
#16 0x00007ffff335a8d9 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) (aTarget=0x7fffc1bdc0c0, aEvent=<optimized out>, aDOMEvent=<optimized out>, aPresContext=0x0, aEventStatus=0x7fffffffc4f4) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:723
#17 0x00007ffff335a92f in mozilla::DOMEventTargetHelper::DispatchEvent(nsIDOMEvent*, bool*) (this=<optimized out>, aEvent=<optimized out>, aRetVal=0x7fffffffc578) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/DOMEventTargetHelper.cpp:256
#18 0x00007ffff3625200 in mozilla::dom::indexedDB::(anonymous namespace)::DispatchErrorEvent(mozilla::dom::indexedDB::IDBRequest*, nsresult, mozilla::dom::indexedDB::IDBTransaction*, nsIDOMEvent*) (aRequest=<optimized out>, aErrorCode=aErrorCode@entry=-2140798970, aTransaction=aTransaction@entry=0x0, aEvent=0x7fffbc1f8100) at /tmp/buildd/firefox-esr-45.0.1esr/dom/indexedDB/ActorsChild.cpp:738
#19 0x00007ffff3625a6e in mozilla::dom::indexedDB::BackgroundFactoryRequestChild::HandleResponse(nsresult) (this=this@entry=0x7fffc203b820, aResponse=-2140798970) at /tmp/buildd/firefox-esr-45.0.1esr/dom/indexedDB/ActorsChild.cpp:1281
#20 0x00007ffff362d976 in mozilla::dom::indexedDB::BackgroundFactoryRequestChild::Recv__delete__(mozilla::dom::indexedDB::FactoryRequestResponse const&) (this=0x7fffc203b820, aResponse=...) at /tmp/buildd/firefox-esr-45.0.1esr/dom/indexedDB/ActorsChild.cpp:1371
#21 0x00007ffff2897aed in mozilla::dom::indexedDB::PBackgroundIDBFactoryRequestChild::OnMessageReceived(IPC::Message const&) (this=0x7fffc203b830, msg__=...) at /tmp/buildd/firefox-esr-45.0.1esr/build-browser/ipc/ipdl/PBackgroundIDBFactoryRequestChild.cpp:183
#22 0x00007ffff27e9b6e in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) (this=0x7fffd47b6000, msg__=...) at /tmp/buildd/firefox-esr-45.0.1esr/build-browser/ipc/ipdl/PBackgroundChild.cpp:1721
#23 0x00007ffff27bf353 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) (this=this@entry=0x7fffd47b6068, aMsg=...) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/glue/MessageChannel.cpp:1479
#24 0x00007ffff27c6411 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) (this=this@entry=0x7fffd47b6068, aMsg=...) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/glue/MessageChannel.cpp:1414
#25 0x00007ffff27c7086 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() (this=0x7fffd47b6068) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/glue/MessageChannel.cpp:1383
#26 0x00007ffff27acde1 in MessageLoop::RunTask(Task*) (this=0x7ffff6b914e0, task=0x7fffbbf4d4f0) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/chromium/src/base/message_loop.cc:364
#27 0x00007ffff27b1423 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) (this=<optimized out>, pending_task=...) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/chromium/src/base/message_loop.cc:372
#28 0x00007ffff27b1558 in MessageLoop::DoWork() (this=0x7ffff6b914e0) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/chromium/src/base/message_loop.cc:459
#29 0x00007ffff27bc714 in mozilla::ipc::DoWorkRunnable::Run() (this=<optimized out>) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/glue/MessagePump.cpp:220
#30 0x00007ffff25c1988 in nsThread::ProcessNextEvent(bool, bool*) (this=0x7ffff6b66ae0, aMayWait=<optimized out>, aResult=0x7fffffffcaf7) at /tmp/buildd/firefox-esr-45.0.1esr/xpcom/threads/nsThread.cpp:972
#31 0x00007ffff25dd337 in NS_ProcessNextEvent(nsIThread*, bool) (aThread=<optimized out>, aMayWait=aMayWait@entry=false) at /tmp/buildd/firefox-esr-45.0.1esr/xpcom/glue/nsThreadUtils.cpp:297
#32 0x00007ffff27bce1b in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (this=0x7fffe7119680, aDelegate=0x7ffff6b914e0) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/glue/MessagePump.cpp:95
#33 0x00007ffff27ace4e in MessageLoop::Run() (this=<optimized out>) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/chromium/src/base/message_loop.cc:227
#34 0x00007ffff27ace4e in MessageLoop::Run() (this=<optimized out>) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/chromium/src/base/message_loop.cc:201
#35 0x00007ffff3789f55 in nsBaseAppShell::Run() (this=0x7fffe060f200) at /tmp/buildd/firefox-esr-45.0.1esr/widget/nsBaseAppShell.cpp:156
#36 0x00007ffff3d5db99 in nsAppStartup::Run() (this=0x7fffe0605150) at /tmp/buildd/firefox-esr-45.0.1esr/toolkit/components/startup/nsAppStartup.cpp:281
#37 0x00007ffff3d924f3 in XREMain::XRE_mainRun() (this=this@entry=0x7fffffffcd98) at /tmp/buildd/firefox-esr-45.0.1esr/toolkit/xre/nsAppRunner.cpp:4285
#38 0x00007ffff3d9279d in XREMain::XRE_main(int, char**, nsXREAppData const*) (this=this@entry=0x7fffffffcd98, argc=argc@entry=4, argv=argv@entry=0x7fffffffe2b8, aAppData=aAppData@entry=0x7fffffffcfa8) at /tmp/buildd/firefox-esr-45.0.1esr/toolkit/xre/nsAppRunner.cpp:4382
#39 0x00007ffff3d929c0 in XRE_main(int, char**, nsXREAppData const*, uint32_t) (argc=4, argv=0x7fffffffe2b8, aAppData=0x7fffffffcfa8, aFlags=<optimized out>) at /tmp/buildd/firefox-esr-45.0.1esr/toolkit/xre/nsAppRunner.cpp:4484
#40 0x0000555555559321 in do_main(int, char**, nsIFile*) (argc=4, argv=0x7fffffffe2b8, xreDirectory=0x7ffff6b68840) at /tmp/buildd/firefox-esr-45.0.1esr/browser/app/nsBrowserApp.cpp:212
#41 0x0000555555558a12 in main(int, char**) (argc=4, argv=0x7fffffffe2b8) at /tmp/buildd/firefox-esr-45.0.1esr/browser/app/nsBrowserApp.cpp:352

This signal is caught and re-raised with the following backtrace:
#0 0x00007ffff7bcec09 in raise (sig=sig@entry=11) at ../sysdeps/unix/sysv/linux/pt-raise.c:36
#1 0x00007ffff3d8b74f in nsProfileLock::FatalSignalHandler(int, siginfo_t*, void*) (signo=11, info=0x7fffffffb430, context=0x7fffffffb300) at /tmp/buildd/firefox-esr-45.0.1esr/toolkit/profile/nsProfileLock.cpp:185
#2 0x00007ffff468a911 in AsmJSFaultHandler(int, siginfo_t*, void*) (signum=<optimized out>, info=0x7fffffffb430, context=0x7fffffffb300) at /tmp/buildd/firefox-esr-45.0.1esr/js/src/asmjs/AsmJSSignalHandlers.cpp:1159
#3 0x00007ffff7bced30 in <signal handler called> () at /lib/x86_64-linux-gnu/libpthread.so.0
#4 0x00007ffff451bc65 in js::SavedStacks::saveCurrentStack(JSContext*, JS::MutableHandle<js::SavedFrame*>, unsigned int) (this=0xb8, cx=cx@entry=0x7fffe7151c00, frame=frame@entry=..., maxFrameCount=maxFrameCount@entry=0) at /tmp/buildd/firefox-esr-45.0.1esr/js/src/vm/SavedStacks.cpp:1009
#5 0x00007ffff43924a8 in JS::CaptureCurrentStack(JSContext*, JS::MutableHandle<JSObject*>, unsigned int) (cx=cx@entry=0x7fffe7151c00, stackp=..., stackp@entry=..., maxFrameCount=maxFrameCount@entry=0) at /tmp/buildd/firefox-esr-45.0.1esr/js/src/jsapi.cpp:6216
#6 0x00007ffff3bdb90f in mozilla::TimelineMarker::CaptureStack() (this=0x7fffbc1912c0) at /tmp/buildd/firefox-esr-45.0.1esr/docshell/base/timeline/TimelineMarker.cpp:52
#7 0x00007ffff336b15f in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) (aTracingType=mozilla::MarkerTracingType::START, aPhase=2, aType=..., this=0x7fffbc1912c0) at ../../dist/include/mozilla/EventTimelineMarker.h:23
#8 0x00007ffff336b15f in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) () at ../../dist/include/mozilla/UniquePtr.h:634
#9 0x00007ffff336b15f in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) (this=0x7fffe1d6dee0, aPresContext=<optimized out>, aEvent=0x7fffc1f150f0, aDOMEvent=0x7fffffffbee8, aCurrentTarget=0x7fffcf0b0400, aEventStatus=<optimized out>) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventListenerManager.cpp:1148
#10 0x00007ffff3355d5a in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) (aChain=..., aVisitor=..., aCallback=aCallback@entry=0x0, aCd=...) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:315
#11 0x00007ffff335a5a9 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) (aTarget=aTarget@entry=0x7fffcf0b0420, aPresContext=aPresContext@entry=0x7fffce14c000, aEvent=0x7fffc1f150f0, aDOMEvent=<optimized out>, aEventStatus=<optimized out>, aCallback=<optimized out>, aTargets=0x0) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:654
#12 0x00007ffff335a8d9 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) (aTarget=0x7fffcf0b0420, aEvent=aEvent@entry=0x0, aDOMEvent=<optimized out>, aPresContext=0x7fffce14c000, aEventStatus=aEventStatus@entry=0x7fffffffc094) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:723
#13 0x00007ffff2d84e5d in NS_HandleScriptError(nsIScriptGlobalObject*, mozilla::dom::ErrorEventInit const&, nsEventStatus*) (aScriptGlobal=<optimized out>, aErrorEventInit=..., aStatus=0x7fffffffc094) at /tmp/buildd/firefox-esr-45.0.1esr/dom/base/nsJSEnvironment.cpp:351
#14 0x00007ffff2ca253c in nsIScriptGlobalObject::HandleScriptError(mozilla::dom::ErrorEventInit const&, nsEventStatus*) (this=<optimized out>, aErrorEventInit=..., aEventStatus=<optimized out>) at /tmp/buildd/firefox-esr-45.0.1esr/dom/base/nsIScriptGlobalObject.h:76
#15 0x00007ffff363104c in mozilla::dom::indexedDB::IndexedDatabaseManager::CommonPostHandleEvent(mozilla::EventChainPostVisitor&, mozilla::dom::indexedDB::IDBFactory*) (aVisitor=..., aFactory=0x7fffc1b58be0) at /tmp/buildd/firefox-esr-45.0.1esr/dom/indexedDB/IndexedDatabaseManager.cpp:500
#16 0x00007ffff3617ead in mozilla::dom::indexedDB::IDBOpenDBRequest::PostHandleEvent(mozilla::EventChainPostVisitor&) (this=<optimized out>, aVisitor=...) at /tmp/buildd/firefox-esr-45.0.1esr/dom/indexedDB/IDBRequest.cpp:619
#17 0x00007ffff3355c0a in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) (aChain=..., aVisitor=..., aCallback=aCallback@entry=0x0, aCd=...) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:318
#18 0x00007ffff3355d02 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) (aChain=..., aVisitor=..., aCallback=aCallback@entry=0x0, aCd=...) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:367
#19 0x00007ffff335a5a9 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) (aTarget=aTarget@entry=0x7fffc1bdc0c0, aPresContext=aPresContext@entry=0x0, aEvent=0x7fffc1f15080, aDOMEvent=<optimized out>, aEventStatus=<optimized out>, aCallback=<optimized out>, aTargets=0x0) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:654
#20 0x00007ffff335a8d9 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) (aTarget=0x7fffc1bdc0c0, aEvent=<optimized out>, aDOMEvent=<optimized out>, aPresContext=0x0, aEventStatus=0x7fffffffc4f4) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:723
#21 0x00007ffff335a92f in mozilla::DOMEventTargetHelper::DispatchEvent(nsIDOMEvent*, bool*) (this=<optimized out>, aEvent=<optimized out>, aRetVal=0x7fffffffc578) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/DOMEventTargetHelper.cpp:256
#22 0x00007ffff3625200 in mozilla::dom::indexedDB::(anonymous namespace)::DispatchErrorEvent(mozilla::dom::indexedDB::IDBRequest*, nsresult, mozilla::dom::indexedDB::IDBTransaction*, nsIDOMEvent*) (aRequest=<optimized out>, aErrorCode=aErrorCode@entry=-2140798970, aTransaction=aTransaction@entry=0x0, aEvent=0x7fffbc1f8100) at /tmp/buildd/firefox-esr-45.0.1esr/dom/indexedDB/ActorsChild.cpp:738
#23 0x00007ffff3625a6e in mozilla::dom::indexedDB::BackgroundFactoryRequestChild::HandleResponse(nsresult) (this=this@entry=0x7fffc203b820, aResponse=-2140798970) at /tmp/buildd/firefox-esr-45.0.1esr/dom/indexedDB/ActorsChild.cpp:1281
#24 0x00007ffff362d976 in mozilla::dom::indexedDB::BackgroundFactoryRequestChild::Recv__delete__(mozilla::dom::indexedDB::FactoryRequestResponse const&) (this=0x7fffc203b820, aResponse=...) at /tmp/buildd/firefox-esr-45.0.1esr/dom/indexedDB/ActorsChild.cpp:1371
#25 0x00007ffff2897aed in mozilla::dom::indexedDB::PBackgroundIDBFactoryRequestChild::OnMessageReceived(IPC::Message const&) (this=0x7fffc203b830, msg__=...) at /tmp/buildd/firefox-esr-45.0.1esr/build-browser/ipc/ipdl/PBackgroundIDBFactoryRequestChild.cpp:183
#26 0x00007ffff27e9b6e in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) (this=0x7fffd47b6000, msg__=...) at /tmp/buildd/firefox-esr-45.0.1esr/build-browser/ipc/ipdl/PBackgroundChild.cpp:1721
#27 0x00007ffff27bf353 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) (this=this@entry=0x7fffd47b6068, aMsg=...) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/glue/MessageChannel.cpp:1479
#28 0x00007ffff27c6411 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) (this=this@entry=0x7fffd47b6068, aMsg=...) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/glue/MessageChannel.cpp:1414
#29 0x00007ffff27c7086 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() (this=0x7fffd47b6068) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/glue/MessageChannel.cpp:1383
#30 0x00007ffff27acde1 in MessageLoop::RunTask(Task*) (this=0x7ffff6b914e0, task=0x7fffbbf4d4f0) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/chromium/src/base/message_loop.cc:364
#31 0x00007ffff27b1423 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) (this=<optimized out>, pending_task=...) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/chromium/src/base/message_loop.cc:372
#32 0x00007ffff27b1558 in MessageLoop::DoWork() (this=0x7ffff6b914e0) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/chromium/src/base/message_loop.cc:459
#33 0x00007ffff27bc714 in mozilla::ipc::DoWorkRunnable::Run() (this=<optimized out>) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/glue/MessagePump.cpp:220
#34 0x00007ffff25c1988 in nsThread::ProcessNextEvent(bool, bool*) (this=0x7ffff6b66ae0, aMayWait=<optimized out>, aResult=0x7fffffffcaf7) at /tmp/buildd/firefox-esr-45.0.1esr/xpcom/threads/nsThread.cpp:972
#35 0x00007ffff25dd337 in NS_ProcessNextEvent(nsIThread*, bool) (aThread=<optimized out>, aMayWait=aMayWait@entry=false) at /tmp/buildd/firefox-esr-45.0.1esr/xpcom/glue/nsThreadUtils.cpp:297
#36 0x00007ffff27bce1b in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (this=0x7fffe7119680, aDelegate=0x7ffff6b914e0) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/glue/MessagePump.cpp:95
#37 0x00007ffff27ace4e in MessageLoop::Run() (this=<optimized out>) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/chromium/src/base/message_loop.cc:227
#38 0x00007ffff27ace4e in MessageLoop::Run() (this=<optimized out>) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/chromium/src/base/message_loop.cc:201
#39 0x00007ffff3789f55 in nsBaseAppShell::Run() (this=0x7fffe060f200) at /tmp/buildd/firefox-esr-45.0.1esr/widget/nsBaseAppShell.cpp:156
#40 0x00007ffff3d5db99 in nsAppStartup::Run() (this=0x7fffe0605150) at /tmp/buildd/firefox-esr-45.0.1esr/toolkit/components/startup/nsAppStartup.cpp:281
#41 0x00007ffff3d924f3 in XREMain::XRE_mainRun() (this=this@entry=0x7fffffffcd98) at /tmp/buildd/firefox-esr-45.0.1esr/toolkit/xre/nsAppRunner.cpp:4285
#42 0x00007ffff3d9279d in XREMain::XRE_main(int, char**, nsXREAppData const*) (this=this@entry=0x7fffffffcd98, argc=argc@entry=4, argv=argv@entry=0x7fffffffe2b8, aAppData=aAppData@entry=0x7fffffffcfa8) at /tmp/buildd/firefox-esr-45.0.1esr/toolkit/xre/nsAppRunner.cpp:4382
#43 0x00007ffff3d929c0 in XRE_main(int, char**, nsXREAppData const*, uint32_t) (argc=4, argv=0x7fffffffe2b8, aAppData=0x7fffffffcfa8, aFlags=<optimized out>) at /tmp/buildd/firefox-esr-45.0.1esr/toolkit/xre/nsAppRunner.cpp:4484
#44 0x0000555555559321 in do_main(int, char**, nsIFile*) (argc=4, argv=0x7fffffffe2b8, xreDirectory=0x7ffff6b68840) at /tmp/buildd/firefox-esr-45.0.1esr/browser/app/nsBrowserApp.cpp:212
#45 0x0000555555558a12 in main(int, char**) (argc=4, argv=0x7fffffffe2b8) at /tmp/buildd/firefox-esr-45.0.1esr/browser/app/nsBrowserApp.cpp:352
Comment 1•8 years ago
Does this reproduce with an official copy from mozilla.org?
Component: General → JavaScript Engine
Flags: needinfo?(abacabadabacaba)
Product: Firefox → Core
Reporter | ||
Comment 2•8 years ago
Yes, I reproduced it with the official build of Firefox 45.0.1 for Linux x86_64. Crash ID: bp-d8202795-683a-4acd-b8f0-623d22160322.
Flags: needinfo?(abacabadabacaba)
Comment 3•8 years ago
Jan or Nick, looks like you last touched the method in question, and this is apparently straightforward to reproduce. With about 200 crashes in the last week, not the most frequent, but still annoying... any chance you could look at this?
Flags: needinfo?(nfitzgerald)
Flags: needinfo?(jdemooij)
Comment 4•8 years ago
The crash address is 0xf8. Based on the stack, my guess is we call CaptureCurrentStack without having entered a compartment first, so cx->compartment() is nullptr. I'll leave this to fitzgen.
Flags: needinfo?(jdemooij)
Assignee | ||
Comment 5•8 years ago
Another SavedStacks crash that I can't reproduce locally :( Adding more assertions to see if I can find out anything more.

(In reply to Jan de Mooij [:jandem] from comment #4)
> The crash address is 0xf8. Based on the stack, my guess is we call
> CaptureCurrentStack without having entered a compartment first, so
> cx->compartment() is nullptr.

We assert that there is a compartment before we capture the stack: https://dxr.mozilla.org/mozilla-central/source/js/src/jsapi.cpp?from=CaptureCurrentStack#6284
Flags: needinfo?(nfitzgerald)
Assignee | ||
Comment 6•8 years ago
Also this assertion that we are in the SavedStacks' owning JSCompartment when saving a stack: https://dxr.mozilla.org/mozilla-central/source/js/src/vm/SavedStacks.cpp?from=saveCurrentStack#1010
Comment 7•8 years ago
(In reply to Nick Fitzgerald [:fitzgen] [⏰PDT; UTC-7] from comment #5)
> We assert that there is a compartment before we capture the stack:
> https://dxr.mozilla.org/mozilla-central/source/js/src/jsapi.cpp?from=CaptureCurrentStack#6284

Well that assert doesn't do much in an opt build right? We could upgrade it to a MOZ_RELEASE_ASSERT, or ask the reporter to try with a debug build.
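The two points raised in comments 4 and 7, as an added example that is not part of the bug report or of SpiderMonkey's code: a member reached through a null owner pointer gives the callee a `this` equal to the member's offset (compare `this=0xb8` in frame #0), and a debug-only assertion is compiled out of an optimized build while a release assertion still stops the call. The type names, the 0xb8 layout, the `TOY_*` macros and the first-page threshold are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>

// Toy stand-ins with a constructed layout; these are not SpiderMonkey's classes.
struct SavedStacks { uint32_t frameCount = 0; };
struct Compartment {
    unsigned char otherState[0xb8];  // padding chosen so the member sits at offset 0xb8
    SavedStacks savedStacks;
};
struct Context { Compartment* compartment = nullptr; };  // nullptr: no compartment entered

struct ContractViolation : std::logic_error {
    using std::logic_error::logic_error;
};

// Always-on check. MOZ_RELEASE_ASSERT crashes on purpose; this toy version throws
// so the caller can observe that the check stopped execution.
#define TOY_RELEASE_ASSERT(cond) \
    do { if (!(cond)) throw ContractViolation(#cond); } while (0)

// Debug-only check: expands to nothing unless TOY_DEBUG is defined, which is how a
// debug assertion behaves in an optimized build.
#ifdef TOY_DEBUG
#  define TOY_ASSERT(cond) TOY_RELEASE_ASSERT(cond)
#else
#  define TOY_ASSERT(cond) ((void)0)
#endif

enum class Outcome { Captured, StoppedAtCheck, FaultNearNull };
struct Result { Outcome outcome; uintptr_t thisAddress; };

// Address the callee receives as `this` for cx.compartment->savedStacks:
// owner base plus member offset, so a null owner yields the bare offset.
uintptr_t thisSeenByCallee(const Context& cx) {
    return reinterpret_cast<uintptr_t>(cx.compartment) + offsetof(Compartment, savedStacks);
}

// Triage heuristic: a fault address inside the first page usually means a field
// was accessed through a null (or near-null) object pointer.
bool looksLikeNullBaseAccess(uintptr_t faultAddress) { return faultAddress < 0x1000; }

// Models the member access. Real code has no branch here and simply faults; the
// toy reports the address instead of dereferencing it.
Result touchSavedStacks(const Context& cx) {
    uintptr_t self = thisSeenByCallee(cx);
    if (cx.compartment == nullptr) return {Outcome::FaultNearNull, self};
    cx.compartment->savedStacks.frameCount++;
    return {Outcome::Captured, self};
}

Result captureWithDebugAssert(const Context& cx) {
    try {
        TOY_ASSERT(cx.compartment != nullptr);  // compiled out in this build
    } catch (const ContractViolation&) {
        return {Outcome::StoppedAtCheck, 0};
    }
    return touchSavedStacks(cx);
}

Result captureWithReleaseAssert(const Context& cx) {
    try {
        TOY_RELEASE_ASSERT(cx.compartment != nullptr);  // checked in every build
    } catch (const ContractViolation&) {
        return {Outcome::StoppedAtCheck, 0};
    }
    return touchSavedStacks(cx);
}

int main() {
    Context noCompartment;
    Result weak = captureWithDebugAssert(noCompartment);
    Result strong = captureWithReleaseAssert(noCompartment);
    std::printf("debug-only assert: this=0x%llx near-null=%d\n",
                static_cast<unsigned long long>(weak.thisAddress),
                looksLikeNullBaseAccess(weak.thisAddress));
    std::printf("release assert stopped the call: %d\n",
                strong.outcome == Outcome::StoppedAtCheck);
    return 0;
}
```

Building the same file with `-DTOY_DEBUG` makes the debug-only path stop at the check as well, which is the difference between a debug and an opt build that comment 7 points out.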
Assignee | ||
Comment 8•8 years ago
Try push: https://treeherder.mozilla.org/#/jobs?repo=try&revision=061fb5b58d1e
Attachment #8734067 -
Flags: review?(jdemooij)
Assignee | ||
Updated•8 years ago
Keywords: leave-open
Assignee | ||
Comment 9•8 years ago
Some more asserts. Sorry for review request churn. https://treeherder.mozilla.org/#/jobs?repo=try&revision=0f3db0e1a238
Attachment #8734073 -
Flags: review?(jdemooij)
Assignee | ||
Updated•8 years ago
Attachment #8734067 -
Attachment is obsolete: true
Attachment #8734067 -
Flags: review?(jdemooij)
Comment 10•8 years ago
Comment on attachment 8734073
Part 0: Add more and stronger asserts that SavedStacks-related JSAPI methods are called correctly

Review of attachment 8734073:

Thanks. We should check crash-stats a few days after this lands :)
Attachment #8734073 -
Flags: review?(jdemooij) → review+
Assignee | ||
Updated•8 years ago
Assignee: nobody → nfitzgerald
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Keywords: checkin-needed
Assignee | ||
Comment 11•8 years ago
Thanks, jandem! ni myself to check crash stats in a couple days
Flags: needinfo?(nfitzgerald)
Comment 12•8 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/cd0123e0a09d
Keywords: checkin-needed
Comment 13•8 years ago
bugherder |
https://hg.mozilla.org/mozilla-central/rev/cd0123e0a09d
Assignee | ||
Comment 14•8 years ago
Looking through crash-stats, I don't find much, but this possibility jumped out at me.
Attachment #8738270 -
Flags: review?(jdemooij)
Assignee | ||
Comment 15•8 years ago
Try push: https://treeherder.mozilla.org/#/jobs?repo=try&revision=e5255aa91d4c
Flags: needinfo?(nfitzgerald)
Comment 16•8 years ago
Comment on attachment 8738270
Check for the existence of a global before checking if its standard classes are resolved

Review of attachment 8738270:

Based on the crash address (0xb8 etc) of some Aurora crashes on crash-stats this makes sense I think.
Attachment #8738270 -
Flags: review?(jdemooij) → review+
Comment 18•8 years ago
bugherder landing |
https://hg.mozilla.org/integration/mozilla-inbound/rev/029c36687f2f
Keywords: checkin-needed
Comment 19•8 years ago
bugherder |
https://hg.mozilla.org/mozilla-central/rev/029c36687f2f
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox48:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48