Closed Bug 1258535 Opened 4 years ago Closed 4 years ago

Segmentation fault in js::SavedStacks::saveCurrentStack

Categories

(Core :: JavaScript Engine, defect)

45 Branch
x86_64
Linux

RESOLVED FIXED
mozilla48
Tracking Status
firefox48 --- fixed

People

(Reporter: abacabadabacaba, Assigned: fitzgen)

Attachments

(2 files, 1 obsolete file)

I'm using Firefox 45.0.1 on Debian x86_64 (package firefox-esr version 45.0.1esr-1). I found that Firefox segfaults after following a specific sequence of actions.

How to reproduce:
0. Start with a clean Firefox profile.
1. Install NoScript extension (I used version 2.9.0.4).
2. Configure NoScript to enable scripts globally.
3. Open a new Private Browsing window (Ctrl-Shift-P).
4. Inside it, open Developer Tools Network tab (Ctrl-Shift-Q).
5. Type http://codeforces.com/enter into the address bar and press Enter.
6. Browser crashes.

Backtrace:
#0  0x00007ffff451bc65 in js::SavedStacks::saveCurrentStack(JSContext*, JS::MutableHandle<js::SavedFrame*>, unsigned int) (this=0xb8, cx=cx@entry=0x7fffe7151c00, frame=frame@entry=..., maxFrameCount=maxFrameCount@entry=0) at /tmp/buildd/firefox-esr-45.0.1esr/js/src/vm/SavedStacks.cpp:1009
#1  0x00007ffff43924a8 in JS::CaptureCurrentStack(JSContext*, JS::MutableHandle<JSObject*>, unsigned int) (cx=cx@entry=0x7fffe7151c00, stackp=..., stackp@entry=..., maxFrameCount=maxFrameCount@entry=0) at /tmp/buildd/firefox-esr-45.0.1esr/js/src/jsapi.cpp:6216
#2  0x00007ffff3bdb90f in mozilla::TimelineMarker::CaptureStack() (this=0x7fffbc1912c0) at /tmp/buildd/firefox-esr-45.0.1esr/docshell/base/timeline/TimelineMarker.cpp:52
#3  0x00007ffff336b15f in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) (aTracingType=mozilla::MarkerTracingType::START, aPhase=2, aType=..., this=0x7fffbc1912c0) at ../../dist/include/mozilla/EventTimelineMarker.h:23
#4  0x00007ffff336b15f in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) () at ../../dist/include/mozilla/UniquePtr.h:634
#5  0x00007ffff336b15f in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) (this=0x7fffe1d6dee0, aPresContext=<optimized out>, aEvent=0x7fffc1f150f0, aDOMEvent=0x7fffffffbee8, aCurrentTarget=0x7fffcf0b0400, aEventStatus=<optimized out>) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventListenerManager.cpp:1148
#6  0x00007ffff3355d5a in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) (aChain=..., aVisitor=..., aCallback=aCallback@entry=0x0, aCd=...) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:315
#7  0x00007ffff335a5a9 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) (aTarget=aTarget@entry=0x7fffcf0b0420, aPresContext=aPresContext@entry=0x7fffce14c000, aEvent=0x7fffc1f150f0, aDOMEvent=<optimized out>, aEventStatus=<optimized out>, aCallback=<optimized out>, aTargets=0x0) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:654
#8  0x00007ffff335a8d9 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) (aTarget=0x7fffcf0b0420, aEvent=aEvent@entry=0x0, aDOMEvent=<optimized out>, aPresContext=0x7fffce14c000, aEventStatus=aEventStatus@entry=0x7fffffffc094) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:723
#9  0x00007ffff2d84e5d in NS_HandleScriptError(nsIScriptGlobalObject*, mozilla::dom::ErrorEventInit const&, nsEventStatus*) (aScriptGlobal=<optimized out>, aErrorEventInit=..., aStatus=0x7fffffffc094) at /tmp/buildd/firefox-esr-45.0.1esr/dom/base/nsJSEnvironment.cpp:351
#10 0x00007ffff2ca253c in nsIScriptGlobalObject::HandleScriptError(mozilla::dom::ErrorEventInit const&, nsEventStatus*) (this=<optimized out>, aErrorEventInit=..., aEventStatus=<optimized out>) at /tmp/buildd/firefox-esr-45.0.1esr/dom/base/nsIScriptGlobalObject.h:76
#11 0x00007ffff363104c in mozilla::dom::indexedDB::IndexedDatabaseManager::CommonPostHandleEvent(mozilla::EventChainPostVisitor&, mozilla::dom::indexedDB::IDBFactory*) (aVisitor=..., aFactory=0x7fffc1b58be0) at /tmp/buildd/firefox-esr-45.0.1esr/dom/indexedDB/IndexedDatabaseManager.cpp:500
#12 0x00007ffff3617ead in mozilla::dom::indexedDB::IDBOpenDBRequest::PostHandleEvent(mozilla::EventChainPostVisitor&) (this=<optimized out>, aVisitor=...) at /tmp/buildd/firefox-esr-45.0.1esr/dom/indexedDB/IDBRequest.cpp:619
#13 0x00007ffff3355c0a in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) (aChain=..., aVisitor=..., aCallback=aCallback@entry=0x0, aCd=...) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:318
#14 0x00007ffff3355d02 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) (aChain=..., aVisitor=..., aCallback=aCallback@entry=0x0, aCd=...) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:367
#15 0x00007ffff335a5a9 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) (aTarget=aTarget@entry=0x7fffc1bdc0c0, aPresContext=aPresContext@entry=0x0, aEvent=0x7fffc1f15080, aDOMEvent=<optimized out>, aEventStatus=<optimized out>, aCallback=<optimized out>, aTargets=0x0) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:654
#16 0x00007ffff335a8d9 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) (aTarget=0x7fffc1bdc0c0, aEvent=<optimized out>, aDOMEvent=<optimized out>, aPresContext=0x0, aEventStatus=0x7fffffffc4f4) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:723
#17 0x00007ffff335a92f in mozilla::DOMEventTargetHelper::DispatchEvent(nsIDOMEvent*, bool*) (this=<optimized out>, aEvent=<optimized out>, aRetVal=0x7fffffffc578) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/DOMEventTargetHelper.cpp:256
#18 0x00007ffff3625200 in mozilla::dom::indexedDB::(anonymous namespace)::DispatchErrorEvent(mozilla::dom::indexedDB::IDBRequest*, nsresult, mozilla::dom::indexedDB::IDBTransaction*, nsIDOMEvent*) (aRequest=<optimized out>, aErrorCode=aErrorCode@entry=-2140798970, aTransaction=aTransaction@entry=0x0, aEvent=0x7fffbc1f8100) at /tmp/buildd/firefox-esr-45.0.1esr/dom/indexedDB/ActorsChild.cpp:738
#19 0x00007ffff3625a6e in mozilla::dom::indexedDB::BackgroundFactoryRequestChild::HandleResponse(nsresult) (this=this@entry=0x7fffc203b820, aResponse=-2140798970) at /tmp/buildd/firefox-esr-45.0.1esr/dom/indexedDB/ActorsChild.cpp:1281
#20 0x00007ffff362d976 in mozilla::dom::indexedDB::BackgroundFactoryRequestChild::Recv__delete__(mozilla::dom::indexedDB::FactoryRequestResponse const&) (this=0x7fffc203b820, aResponse=...) at /tmp/buildd/firefox-esr-45.0.1esr/dom/indexedDB/ActorsChild.cpp:1371
#21 0x00007ffff2897aed in mozilla::dom::indexedDB::PBackgroundIDBFactoryRequestChild::OnMessageReceived(IPC::Message const&) (this=0x7fffc203b830, msg__=...) at /tmp/buildd/firefox-esr-45.0.1esr/build-browser/ipc/ipdl/PBackgroundIDBFactoryRequestChild.cpp:183
#22 0x00007ffff27e9b6e in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) (this=0x7fffd47b6000, msg__=...) at /tmp/buildd/firefox-esr-45.0.1esr/build-browser/ipc/ipdl/PBackgroundChild.cpp:1721
#23 0x00007ffff27bf353 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) (this=this@entry=0x7fffd47b6068, aMsg=...) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/glue/MessageChannel.cpp:1479
#24 0x00007ffff27c6411 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) (this=this@entry=0x7fffd47b6068, aMsg=...) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/glue/MessageChannel.cpp:1414
#25 0x00007ffff27c7086 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() (this=0x7fffd47b6068) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/glue/MessageChannel.cpp:1383
#26 0x00007ffff27acde1 in MessageLoop::RunTask(Task*) (this=0x7ffff6b914e0, task=0x7fffbbf4d4f0) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/chromium/src/base/message_loop.cc:364
#27 0x00007ffff27b1423 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) (this=<optimized out>, pending_task=...) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/chromium/src/base/message_loop.cc:372
#28 0x00007ffff27b1558 in MessageLoop::DoWork() (this=0x7ffff6b914e0) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/chromium/src/base/message_loop.cc:459
#29 0x00007ffff27bc714 in mozilla::ipc::DoWorkRunnable::Run() (this=<optimized out>) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/glue/MessagePump.cpp:220
#30 0x00007ffff25c1988 in nsThread::ProcessNextEvent(bool, bool*) (this=0x7ffff6b66ae0, aMayWait=<optimized out>, aResult=0x7fffffffcaf7) at /tmp/buildd/firefox-esr-45.0.1esr/xpcom/threads/nsThread.cpp:972
#31 0x00007ffff25dd337 in NS_ProcessNextEvent(nsIThread*, bool) (aThread=<optimized out>, aMayWait=aMayWait@entry=false) at /tmp/buildd/firefox-esr-45.0.1esr/xpcom/glue/nsThreadUtils.cpp:297
#32 0x00007ffff27bce1b in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (this=0x7fffe7119680, aDelegate=0x7ffff6b914e0) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/glue/MessagePump.cpp:95
#33 0x00007ffff27ace4e in MessageLoop::Run() (this=<optimized out>) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/chromium/src/base/message_loop.cc:227
#34 0x00007ffff27ace4e in MessageLoop::Run() (this=<optimized out>) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/chromium/src/base/message_loop.cc:201
#35 0x00007ffff3789f55 in nsBaseAppShell::Run() (this=0x7fffe060f200) at /tmp/buildd/firefox-esr-45.0.1esr/widget/nsBaseAppShell.cpp:156
#36 0x00007ffff3d5db99 in nsAppStartup::Run() (this=0x7fffe0605150) at /tmp/buildd/firefox-esr-45.0.1esr/toolkit/components/startup/nsAppStartup.cpp:281
#37 0x00007ffff3d924f3 in XREMain::XRE_mainRun() (this=this@entry=0x7fffffffcd98) at /tmp/buildd/firefox-esr-45.0.1esr/toolkit/xre/nsAppRunner.cpp:4285
#38 0x00007ffff3d9279d in XREMain::XRE_main(int, char**, nsXREAppData const*) (this=this@entry=0x7fffffffcd98, argc=argc@entry=4, argv=argv@entry=0x7fffffffe2b8, aAppData=aAppData@entry=0x7fffffffcfa8) at /tmp/buildd/firefox-esr-45.0.1esr/toolkit/xre/nsAppRunner.cpp:4382
#39 0x00007ffff3d929c0 in XRE_main(int, char**, nsXREAppData const*, uint32_t) (argc=4, argv=0x7fffffffe2b8, aAppData=0x7fffffffcfa8, aFlags=<optimized out>) at /tmp/buildd/firefox-esr-45.0.1esr/toolkit/xre/nsAppRunner.cpp:4484
#40 0x0000555555559321 in do_main(int, char**, nsIFile*) (argc=4, argv=0x7fffffffe2b8, xreDirectory=0x7ffff6b68840) at /tmp/buildd/firefox-esr-45.0.1esr/browser/app/nsBrowserApp.cpp:212
#41 0x0000555555558a12 in main(int, char**) (argc=4, argv=0x7fffffffe2b8) at /tmp/buildd/firefox-esr-45.0.1esr/browser/app/nsBrowserApp.cpp:352

This signal is caught and re-raised with the following backtrace:
#0  0x00007ffff7bcec09 in raise (sig=sig@entry=11) at ../sysdeps/unix/sysv/linux/pt-raise.c:36
#1  0x00007ffff3d8b74f in nsProfileLock::FatalSignalHandler(int, siginfo_t*, void*) (signo=11, info=0x7fffffffb430, context=0x7fffffffb300) at /tmp/buildd/firefox-esr-45.0.1esr/toolkit/profile/nsProfileLock.cpp:185
#2  0x00007ffff468a911 in AsmJSFaultHandler(int, siginfo_t*, void*) (signum=<optimized out>, info=0x7fffffffb430, context=0x7fffffffb300) at /tmp/buildd/firefox-esr-45.0.1esr/js/src/asmjs/AsmJSSignalHandlers.cpp:1159
#3  0x00007ffff7bced30 in <signal handler called> () at /lib/x86_64-linux-gnu/libpthread.so.0
#4  0x00007ffff451bc65 in js::SavedStacks::saveCurrentStack(JSContext*, JS::MutableHandle<js::SavedFrame*>, unsigned int) (this=0xb8, cx=cx@entry=0x7fffe7151c00, frame=frame@entry=..., maxFrameCount=maxFrameCount@entry=0) at /tmp/buildd/firefox-esr-45.0.1esr/js/src/vm/SavedStacks.cpp:1009
#5  0x00007ffff43924a8 in JS::CaptureCurrentStack(JSContext*, JS::MutableHandle<JSObject*>, unsigned int) (cx=cx@entry=0x7fffe7151c00, stackp=..., stackp@entry=..., maxFrameCount=maxFrameCount@entry=0) at /tmp/buildd/firefox-esr-45.0.1esr/js/src/jsapi.cpp:6216
#6  0x00007ffff3bdb90f in mozilla::TimelineMarker::CaptureStack() (this=0x7fffbc1912c0) at /tmp/buildd/firefox-esr-45.0.1esr/docshell/base/timeline/TimelineMarker.cpp:52
#7  0x00007ffff336b15f in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) (aTracingType=mozilla::MarkerTracingType::START, aPhase=2, aType=..., this=0x7fffbc1912c0) at ../../dist/include/mozilla/EventTimelineMarker.h:23
#8  0x00007ffff336b15f in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) () at ../../dist/include/mozilla/UniquePtr.h:634
#9  0x00007ffff336b15f in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) (this=0x7fffe1d6dee0, aPresContext=<optimized out>, aEvent=0x7fffc1f150f0, aDOMEvent=0x7fffffffbee8, aCurrentTarget=0x7fffcf0b0400, aEventStatus=<optimized out>) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventListenerManager.cpp:1148
#10 0x00007ffff3355d5a in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) (aChain=..., aVisitor=..., aCallback=aCallback@entry=0x0, aCd=...) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:315
#11 0x00007ffff335a5a9 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) (aTarget=aTarget@entry=0x7fffcf0b0420, aPresContext=aPresContext@entry=0x7fffce14c000, aEvent=0x7fffc1f150f0, aDOMEvent=<optimized out>, aEventStatus=<optimized out>, aCallback=<optimized out>, aTargets=0x0) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:654
#12 0x00007ffff335a8d9 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) (aTarget=0x7fffcf0b0420, aEvent=aEvent@entry=0x0, aDOMEvent=<optimized out>, aPresContext=0x7fffce14c000, aEventStatus=aEventStatus@entry=0x7fffffffc094) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:723
#13 0x00007ffff2d84e5d in NS_HandleScriptError(nsIScriptGlobalObject*, mozilla::dom::ErrorEventInit const&, nsEventStatus*) (aScriptGlobal=<optimized out>, aErrorEventInit=..., aStatus=0x7fffffffc094) at /tmp/buildd/firefox-esr-45.0.1esr/dom/base/nsJSEnvironment.cpp:351
#14 0x00007ffff2ca253c in nsIScriptGlobalObject::HandleScriptError(mozilla::dom::ErrorEventInit const&, nsEventStatus*) (this=<optimized out>, aErrorEventInit=..., aEventStatus=<optimized out>) at /tmp/buildd/firefox-esr-45.0.1esr/dom/base/nsIScriptGlobalObject.h:76
#15 0x00007ffff363104c in mozilla::dom::indexedDB::IndexedDatabaseManager::CommonPostHandleEvent(mozilla::EventChainPostVisitor&, mozilla::dom::indexedDB::IDBFactory*) (aVisitor=..., aFactory=0x7fffc1b58be0) at /tmp/buildd/firefox-esr-45.0.1esr/dom/indexedDB/IndexedDatabaseManager.cpp:500
#16 0x00007ffff3617ead in mozilla::dom::indexedDB::IDBOpenDBRequest::PostHandleEvent(mozilla::EventChainPostVisitor&) (this=<optimized out>, aVisitor=...) at /tmp/buildd/firefox-esr-45.0.1esr/dom/indexedDB/IDBRequest.cpp:619
#17 0x00007ffff3355c0a in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) (aChain=..., aVisitor=..., aCallback=aCallback@entry=0x0, aCd=...) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:318
#18 0x00007ffff3355d02 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) (aChain=..., aVisitor=..., aCallback=aCallback@entry=0x0, aCd=...) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:367
#19 0x00007ffff335a5a9 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) (aTarget=aTarget@entry=0x7fffc1bdc0c0, aPresContext=aPresContext@entry=0x0, aEvent=0x7fffc1f15080, aDOMEvent=<optimized out>, aEventStatus=<optimized out>, aCallback=<optimized out>, aTargets=0x0) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:654
#20 0x00007ffff335a8d9 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) (aTarget=0x7fffc1bdc0c0, aEvent=<optimized out>, aDOMEvent=<optimized out>, aPresContext=0x0, aEventStatus=0x7fffffffc4f4) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/EventDispatcher.cpp:723
#21 0x00007ffff335a92f in mozilla::DOMEventTargetHelper::DispatchEvent(nsIDOMEvent*, bool*) (this=<optimized out>, aEvent=<optimized out>, aRetVal=0x7fffffffc578) at /tmp/buildd/firefox-esr-45.0.1esr/dom/events/DOMEventTargetHelper.cpp:256
#22 0x00007ffff3625200 in mozilla::dom::indexedDB::(anonymous namespace)::DispatchErrorEvent(mozilla::dom::indexedDB::IDBRequest*, nsresult, mozilla::dom::indexedDB::IDBTransaction*, nsIDOMEvent*) (aRequest=<optimized out>, aErrorCode=aErrorCode@entry=-2140798970, aTransaction=aTransaction@entry=0x0, aEvent=0x7fffbc1f8100) at /tmp/buildd/firefox-esr-45.0.1esr/dom/indexedDB/ActorsChild.cpp:738
#23 0x00007ffff3625a6e in mozilla::dom::indexedDB::BackgroundFactoryRequestChild::HandleResponse(nsresult) (this=this@entry=0x7fffc203b820, aResponse=-2140798970) at /tmp/buildd/firefox-esr-45.0.1esr/dom/indexedDB/ActorsChild.cpp:1281
#24 0x00007ffff362d976 in mozilla::dom::indexedDB::BackgroundFactoryRequestChild::Recv__delete__(mozilla::dom::indexedDB::FactoryRequestResponse const&) (this=0x7fffc203b820, aResponse=...) at /tmp/buildd/firefox-esr-45.0.1esr/dom/indexedDB/ActorsChild.cpp:1371
#25 0x00007ffff2897aed in mozilla::dom::indexedDB::PBackgroundIDBFactoryRequestChild::OnMessageReceived(IPC::Message const&) (this=0x7fffc203b830, msg__=...) at /tmp/buildd/firefox-esr-45.0.1esr/build-browser/ipc/ipdl/PBackgroundIDBFactoryRequestChild.cpp:183
#26 0x00007ffff27e9b6e in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) (this=0x7fffd47b6000, msg__=...) at /tmp/buildd/firefox-esr-45.0.1esr/build-browser/ipc/ipdl/PBackgroundChild.cpp:1721
#27 0x00007ffff27bf353 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) (this=this@entry=0x7fffd47b6068, aMsg=...) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/glue/MessageChannel.cpp:1479
#28 0x00007ffff27c6411 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) (this=this@entry=0x7fffd47b6068, aMsg=...) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/glue/MessageChannel.cpp:1414
#29 0x00007ffff27c7086 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() (this=0x7fffd47b6068) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/glue/MessageChannel.cpp:1383
#30 0x00007ffff27acde1 in MessageLoop::RunTask(Task*) (this=0x7ffff6b914e0, task=0x7fffbbf4d4f0) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/chromium/src/base/message_loop.cc:364
#31 0x00007ffff27b1423 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) (this=<optimized out>, pending_task=...) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/chromium/src/base/message_loop.cc:372
#32 0x00007ffff27b1558 in MessageLoop::DoWork() (this=0x7ffff6b914e0) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/chromium/src/base/message_loop.cc:459
#33 0x00007ffff27bc714 in mozilla::ipc::DoWorkRunnable::Run() (this=<optimized out>) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/glue/MessagePump.cpp:220
#34 0x00007ffff25c1988 in nsThread::ProcessNextEvent(bool, bool*) (this=0x7ffff6b66ae0, aMayWait=<optimized out>, aResult=0x7fffffffcaf7) at /tmp/buildd/firefox-esr-45.0.1esr/xpcom/threads/nsThread.cpp:972
#35 0x00007ffff25dd337 in NS_ProcessNextEvent(nsIThread*, bool) (aThread=<optimized out>, aMayWait=aMayWait@entry=false) at /tmp/buildd/firefox-esr-45.0.1esr/xpcom/glue/nsThreadUtils.cpp:297
#36 0x00007ffff27bce1b in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (this=0x7fffe7119680, aDelegate=0x7ffff6b914e0) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/glue/MessagePump.cpp:95
#37 0x00007ffff27ace4e in MessageLoop::Run() (this=<optimized out>) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/chromium/src/base/message_loop.cc:227
#38 0x00007ffff27ace4e in MessageLoop::Run() (this=<optimized out>) at /tmp/buildd/firefox-esr-45.0.1esr/ipc/chromium/src/base/message_loop.cc:201
#39 0x00007ffff3789f55 in nsBaseAppShell::Run() (this=0x7fffe060f200) at /tmp/buildd/firefox-esr-45.0.1esr/widget/nsBaseAppShell.cpp:156
#40 0x00007ffff3d5db99 in nsAppStartup::Run() (this=0x7fffe0605150) at /tmp/buildd/firefox-esr-45.0.1esr/toolkit/components/startup/nsAppStartup.cpp:281
#41 0x00007ffff3d924f3 in XREMain::XRE_mainRun() (this=this@entry=0x7fffffffcd98) at /tmp/buildd/firefox-esr-45.0.1esr/toolkit/xre/nsAppRunner.cpp:4285
#42 0x00007ffff3d9279d in XREMain::XRE_main(int, char**, nsXREAppData const*) (this=this@entry=0x7fffffffcd98, argc=argc@entry=4, argv=argv@entry=0x7fffffffe2b8, aAppData=aAppData@entry=0x7fffffffcfa8) at /tmp/buildd/firefox-esr-45.0.1esr/toolkit/xre/nsAppRunner.cpp:4382
#43 0x00007ffff3d929c0 in XRE_main(int, char**, nsXREAppData const*, uint32_t) (argc=4, argv=0x7fffffffe2b8, aAppData=0x7fffffffcfa8, aFlags=<optimized out>) at /tmp/buildd/firefox-esr-45.0.1esr/toolkit/xre/nsAppRunner.cpp:4484
#44 0x0000555555559321 in do_main(int, char**, nsIFile*) (argc=4, argv=0x7fffffffe2b8, xreDirectory=0x7ffff6b68840) at /tmp/buildd/firefox-esr-45.0.1esr/browser/app/nsBrowserApp.cpp:212
#45 0x0000555555558a12 in main(int, char**) (argc=4, argv=0x7fffffffe2b8) at /tmp/buildd/firefox-esr-45.0.1esr/browser/app/nsBrowserApp.cpp:352
Does this reproduce with an official copy from mozilla.org?
Component: General → JavaScript Engine
Flags: needinfo?(abacabadabacaba)
Product: Firefox → Core
Yes, I reproduced it with the official build of Firefox 45.0.1 for Linux x86_64.
Crash ID: bp-d8202795-683a-4acd-b8f0-623d22160322.
Flags: needinfo?(abacabadabacaba)
Jan or Nick, looks like you last touched the method in question, and this is apparently straightforward to reproduce. With about 200 crashes in the last week, not the most frequent, but still annoying... any chance you could look at this?
Flags: needinfo?(nfitzgerald)
Flags: needinfo?(jdemooij)
The crash address is 0xf8. Based on the stack, my guess is we call CaptureCurrentStack without having entered a compartment first, so cx->compartment() is nullptr.

I'll leave this to fitzgen.
Flags: needinfo?(jdemooij)
Another SavedStacks crash that I can't reproduce locally :(

Adding more assertions to see if I can find out anything more.

(In reply to Jan de Mooij [:jandem] from comment #4)
> The crash address is 0xf8. Based on the stack, my guess is we call
> CaptureCurrentStack without having entered a compartment first, so
> cx->compartment() is nullptr.

We assert that there is a compartment before we capture the stack: https://dxr.mozilla.org/mozilla-central/source/js/src/jsapi.cpp?from=CaptureCurrentStack#6284
Flags: needinfo?(nfitzgerald)
Also this assertion that we are in the SavedStacks' owning JSCompartment when saving a stack: https://dxr.mozilla.org/mozilla-central/source/js/src/vm/SavedStacks.cpp?from=saveCurrentStack#1010
(In reply to Nick Fitzgerald [:fitzgen] [⏰PDT; UTC-7] from comment #5)
> We assert that there is a compartment before we capture the stack:
> https://dxr.mozilla.org/mozilla-central/source/js/src/jsapi.cpp?from=CaptureCurrentStack#6284

Well that assert doesn't do much in an opt build right? We could upgrade it to a MOZ_RELEASE_ASSERT, or ask the reporter to try with a debug build.
Attachment #8734067 - Attachment is obsolete: true
Attachment #8734067 - Flags: review?(jdemooij)
See Also: → 1248948
Comment on attachment 8734073 [details] [diff] [review]
Part 0: Add more and stronger asserts that SavedStacks-related JSAPI methods are called correctly

Review of attachment 8734073 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks. We should check crash-stats a few days after this lands :)
Attachment #8734073 - Flags: review?(jdemooij) → review+
Assignee: nobody → nfitzgerald
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Keywords: checkin-needed
Thanks, jandem! ni myself to check crash stats in a couple days
Flags: needinfo?(nfitzgerald)
Looking through crash-stats, I don't find much, but this possibility jumped out
at me.
Attachment #8738270 - Flags: review?(jdemooij)
Comment on attachment 8738270 [details] [diff] [review]
Check for the existence of a global before checking if its standard classes are resolved

Review of attachment 8738270 [details] [diff] [review]:
-----------------------------------------------------------------

Based on the crash address (0xb8 etc) of some Aurora crashes on crash-stats this makes sense I think.
Attachment #8738270 - Flags: review?(jdemooij) → review+
Thanks for the review!
https://hg.mozilla.org/mozilla-central/rev/029c36687f2f
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
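
The diagnosis reached in the comments above (a tiny `this` such as 0xb8 is a member reached through a null compartment pointer, and a debug-only assert does not stop that in an opt build), as an added example that is not Mozilla code. The `Compartment`, `SavedStacks` and `Context` types, their layout and the helper names are constructed stand-ins; only the values 0xb8 and 0xf8 come from this bug.

```cpp
// Added illustration, not Mozilla source: types, layout and names are constructed.
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical stand-in for the object whose method faulted in frame #0.
struct SavedStacks {
    unsigned framesSaved = 0;
    bool saveCurrentStack() { ++framesSaved; return true; }
};

struct Compartment {
    // Constructed padding so savedStacks sits at offset 0xb8, the `this`
    // value in the backtrace. The real JSCompartment layout is not on the page.
    unsigned char otherState[0xb8];
    SavedStacks savedStacks;
};

struct Context {
    Compartment* compartment = nullptr;  // stays null until a compartment is entered
};

// An address below the first page cannot be a live heap object; it is what
// "null base pointer + member offset" evaluates to.
constexpr std::uintptr_t kFirstPage = 0x1000;

enum class Diagnosis { PlausibleObject, NullPointer, MemberOfNull };

Diagnosis classifyThis(std::uintptr_t thisValue) {
    if (thisValue == 0) return Diagnosis::NullPointer;
    if (thisValue < kFirstPage) return Diagnosis::MemberOfNull;
    return Diagnosis::PlausibleObject;
}

// The address the callee would receive as `this` for cx.compartment->savedStacks,
// computed arithmetically so nothing is dereferenced.
std::uintptr_t savedStacksAddressFor(const Context& cx) {
    return reinterpret_cast<std::uintptr_t>(cx.compartment) +
           offsetof(Compartment, savedStacks);
}

enum class CaptureResult { Captured, NoCompartment };

// The check here is an ordinary branch, so it exists in every build type.
// A debug-only assert in its place is compiled out of an opt build and the
// null compartment flows on to the member call, faulting near 0xb8. A release
// assert would abort at this point; the example returns a status instead so
// the behaviour can be exercised.
CaptureResult captureCurrentStack(Context& cx) {
    if (cx.compartment == nullptr) {
        return CaptureResult::NoCompartment;
    }
    cx.compartment->savedStacks.saveCurrentStack();
    return CaptureResult::Captured;
}

int main() {
    Context cx;  // no compartment entered, as suspected in the comments
    std::printf("this for savedStacks with null compartment: %#lx\n",
                static_cast<unsigned long>(savedStacksAddressFor(cx)));
    std::printf("0xb8 is member-of-null: %d\n",
                classifyThis(0xb8) == Diagnosis::MemberOfNull);
    std::printf("capture without compartment rejected: %d\n",
                captureCurrentStack(cx) == CaptureResult::NoCompartment);

    Compartment comp{};
    cx.compartment = &comp;
    std::printf("capture with compartment succeeded: %d\n",
                captureCurrentStack(cx) == CaptureResult::Captured);
    return 0;
}
```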