Closed Bug 1315592 Opened 8 years ago Closed 8 years ago

Crash in JSScript::module

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
Unspecified
Windows 10
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla53
Tracking Flags:
Tracking Status
firefox51 --- unaffected
firefox52 --- fixed
firefox53 --- fixed

People

(Reporter: n.nethercote, Unassigned)

References

Details

(Keywords: crash)

Crash Data

Attachments

(2 files, 1 obsolete file)

Handle JS compilation errors in the async subscript loader.
21.83 KB, patch
bholley
: review+
Details | Diff | Splinter Review
Uplift patch
21.79 KB, patch
jcristau
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
This bug was filed from the Socorro interface and is 
report bp-58124a69-d297-4eb1-96b1-6ddd42161104.
=============================================================

New crash, first showed up in Nightly 20161104030212, and has occurred 25 times across 6 installations. It's the #13 topcrash in Nightly 20161104030212.

The crash address is always 0x4 (32-bit) or 0x8 (64-bit). Looks like we call script->module() with a null |this|, and we call bodyScope() which ends up in scopes() which accesses |data| which is one word into the JSScript.

Shu, any ideas about the cause of this one?
Flags: needinfo?(shu)
(In reply to Nicholas Nethercote [:njn] from comment #0)
> This bug was filed from the Socorro interface and is 
> report bp-58124a69-d297-4eb1-96b1-6ddd42161104.
> =============================================================
> 
> New crash, first showed up in Nightly 20161104030212, and has occurred 25
> times across 6 installations. It's the #13 topcrash in Nightly
> 20161104030212.
> 
> The crash address is always 0x4 (32-bit) or 0x8 (64-bit). Looks like we call
> script->module() with a null |this|, and we call bodyScope() which ends up
> in scopes() which accesses |data| which is one word into the JSScript.
> 
> Shu, any ideas about the cause of this one?

Not really. I agree with your diagnosis that it looks like a nullptr script. Looking at the stack in that crash report though, it seems like it's getting a nullptr script when trying to execute some global script. That script was supposed to be compiled by PrepareScript [1]. But that function looks very suspect, since it doesn't even check if JS::Compile fails or not, as those XXXbz comments point out. I don't understand how this can work right now at all -- if the script isn't successfully compiled, how can we just go ahead and try to execute it?

Who owns the subscript loader?

[1] http://searchfox.org/mozilla-central/source/js/xpconnect/loader/mozJSSubScriptLoader.cpp#170
Flags: needinfo?(shu)
Okay, I mean... I have tested with an xpcshell test that if you try to loadSubScriptWithOptions(pathToFile, { async: true }), and the file at the pathToFile has an early error, the process just crashes, because what do you know, we don't check the return value of JS::Compile.
Comment on attachment 8808856 [details] [diff] [review]
Handle JS compilation errors in the async subscript loader.

Review of attachment 8808856 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/xpconnect/loader/mozJSSubScriptLoader.cpp
@@ +374,5 @@
>  
>      rv = PrepareScript(uri, cx, target_obj, spec.get(), mCharset,
>                         reinterpret_cast<const char*>(aBuf), aLength,
>                         mReuseGlobal, &script, &function);
> +    if (NS_FAILED(rv) || (!script && !function)) {

I think it would be better to change the return value of PrepareScript to be a bool (a la standard JSAPI), propagated false in the normal way, and check that here.

::: js/xpconnect/tests/unit/test_asyncLoadSubScriptError.js
@@ +12,5 @@
> +  do_test_finished();
> +}
> +
> +function error() {
> +  ok(true, "loading script with early error asynchronously resulted in error.");

Can you pass the error and regexp it to make sure it's the right one?
Attachment #8808856 - Flags: review?(bobbyholley) → review-
Comment on attachment 8808856 [details] [diff] [review]
Handle JS compilation errors in the async subscript loader.

Review of attachment 8808856 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/xpconnect/loader/mozJSSubScriptLoader.cpp
@@ +374,5 @@
>  
>      rv = PrepareScript(uri, cx, target_obj, spec.get(), mCharset,
>                         reinterpret_cast<const char*>(aBuf), aLength,
>                         mReuseGlobal, &script, &function);
> +    if (NS_FAILED(rv) || (!script && !function)) {

This kind of error checking is in line with what's currently done for the non-async subscript loader [1]. Would you prefer I change both sites?

[1] http://searchfox.org/mozilla-central/source/js/xpconnect/loader/mozJSSubScriptLoader.cpp#681
Comment on attachment 8808856 [details] [diff] [review]
Handle JS compilation errors in the async subscript loader.

Review of attachment 8808856 [details] [diff] [review]:
-----------------------------------------------------------------

(In reply to Shu-yu Guo [:shu] from comment #5)
> This kind of error checking is in line with what's currently done for the
> non-async subscript loader [1]. Would you prefer I change both sites?

Ideally yes. My general view is that anything that takes a cx (and therefore has an AutoJSAPI or AutoEntryScript upstack) should use the JSAPI calling convention and report errors on the cx. But that's a fair amount of scope creep, so if you don't want to do it I'm ok with the original patch modulo the test change.
Attachment #8808856 - Flags: review- → review+
Also:
 - Convert error handling of JSContext-taking functions to signal error by bool.
 - Pass the pending exception, if any, to the rejection handler of the async
   subscript loader promise.
Attachment #8808856 - Attachment is obsolete: true
Attachment #8811093 - Flags: review?(bobbyholley)
Comment on attachment 8811093 [details] [diff] [review]
Handle JS compilation errors in the async subscript loader.

Review of attachment 8811093 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/xpconnect/loader/mozJSSubScriptLoader.cpp
@@ +180,3 @@
>          }
>      }
> +    return true;

Looks like all the control paths return a value - do we need this?

@@ +198,4 @@
>      if (function) {
> +        if (!JS_CallFunction(cx, target_obj, function, JS::HandleValueArray::empty(),
> +                             retval))
> +        {

- I think the brace should go on the previous line given the "visual separation" heuristic?

@@ +320,5 @@
> +        if (mPromise) {
> +            JSContext* cx = mAutoEntryScript.cx();
> +            RootedValue rejectionValue(cx, JS::UndefinedValue());
> +            if (mAutoEntryScript.HasException()) {
> +                (void) mAutoEntryScript.PeekException(&rejectionValue);

nit: should probably use mozilla::unused here.

@@ +698,5 @@
>      } else {
>          cache = nullptr;
>      }
>  
> +    (void) EvalScript(cx, targetObj, retval, uri, !!cache, script, function);

mozilla::unused here as well.

Also, can we MOZ_ASSERT script || function now, given that we don't appear to check that case anymore?
Attachment #8811093 - Flags: review?(bobbyholley) → review+
Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d2c5b6581d6a
Handle JS compilation errors in the async subscript loader. (r=bholley)
https://hg.mozilla.org/mozilla-central/rev/d2c5b6581d6a
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox53: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
According to comment 0, this first showed up on 52. Shu, could you put this up for Aurora approval? I do see some crashes with this signature there. Thanks.
status-firefox51: --- → unaffected
status-firefox52: --- → affected
Flags: needinfo?(shu)
Attached patch Uplift patchSplinter Review 

    
    

    
  
Comment on attachment 8818983 [details] [diff] [review]
Uplift patch

Approval Request Comment
[Feature/Bug causing the regression]: Dunno, the async loader has had this bug since it first landed. Unsure why crashes started recently.
[User impact if declined]: Crashes
[Is this code covered by automated tests?]: Yes
[Has the fix been verified in Nightly?]: Yes
[Needs manual test from QE? If yes, steps to reproduce]: From what?
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: No, bug fix only.
[Why is the change risky/not risky?]: Bug fix only.
[String changes made/needed]: None.
Flags: needinfo?(shu)

        Attachment #8818983 -
        Flags: approval-mozilla-aurora?

    
    

    
  
Comment on attachment 8818983 [details] [diff] [review]
Uplift patch

crash fix for aurora52

        Attachment #8818983 -
        Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

    
    

    
  
the uplift patch needs rebasing
Flags: needinfo?(shu)
Flags: needinfo?(shu)

    
    

    
  
Wait, did someone else rebase it?

    
    

    
  
It was an xpcshell.ini conflict, so yes, I did.

    
    

    
  
(In reply to Ryan VanderMeulen [:RyanVM] from comment #20)
> It was an xpcshell.ini conflict, so yes, I did.

Thank you!
Depends on: 1347523

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: