Bug 1376090 - Crash in FindScopeIndex
Opened 7 years ago, closed 7 years ago
Categories: Core :: JavaScript Engine, defect, P3
Status: RESOLVED DUPLICATE of bug 1367896
People: Reporter: philipp, Unassigned
Keywords: crash
This bug was filed from the Socorro interface and is report bp-6740fa37-66ea-4c93-b978-ff6780170623.
=============================================================
Crashing Thread (0)
Frame  Module  Signature  Source
0  xul.dll  FindScopeIndex  js/src/jsscript.cpp:299
1  xul.dll  js::CloneScriptIntoFunction(JSContext*, JS::Handle<js::Scope*>, JS::Handle<JSFunction*>, JS::Handle<JSScript*>)  js/src/jsscript.cpp:3665
2  xul.dll  CloneInnerInterpretedFunction  js/src/jsscript.cpp:3373
3  xul.dll  JS::StructGCPolicy<JS::GCVector<js::IdValuePair, 0, js::TempAllocPolicy> >::trace(JSTracer*, JS::GCVector<js::IdValuePair, 0, js::TempAllocPolicy>*, char const*)  obj-firefox/dist/include/js/GCPolicyAPI.h:87
4  xul.dll  js::detail::CopyScript(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::GCVector<js::Scope*, 0, js::TempAllocPolicy> >)  js/src/jsscript.cpp:3463
5  xul.dll  js::detail::CopyScript(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::GCVector<js::Scope*, 0, js::TempAllocPolicy> >)  js/src/jsscript.cpp:3463
6  xul.dll  js::MallocProvider<JS::Zone>::pod_malloc<unsigned char>(unsigned int)  js/src/vm/MallocProvider.h:89
7  xul.dll  mozilla::Vector<char, 0, mozilla::MallocAllocPolicy>::convertToHeapStorage(unsigned int)  obj-firefox/dist/include/mozilla/Vector.h:938
8  xul.dll  js::CloneGlobalScript(JSContext*, js::ScopeKind, JS::Handle<JSScript*>)  js/src/jsscript.cpp:3622
9  xul.dll  js::CloneGlobalScript(JSContext*, js::ScopeKind, JS::Handle<JSScript*>)  js/src/jsscript.cpp:3622
10  xul.dll  JS::StructGCPolicy<JS::GCHashSet<jsid, js::DefaultHasher<jsid>, js::TempAllocPolicy> >::trace(JSTracer*, JS::GCHashSet<jsid, js::DefaultHasher<jsid>, js::TempAllocPolicy>*, char const*)  obj-firefox/dist/include/js/GCPolicyAPI.h:87
11  xul.dll  JS::CloneAndExecuteScript(JSContext*, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>)  js/src/jsapi.cpp:4616
12  xul.dll  mozJSComponentLoader::ObjectForLocation(ComponentLoaderInfo&, nsIFile*, JS::MutableHandle<JSObject*>, JS::MutableHandle<JSScript*>, char**, bool, JS::MutableHandle<JS::Value>)  js/xpconnect/loader/mozJSComponentLoader.cpp:741
13  dxgi.dll  _allmul
14  xul.dll  mozJSComponentLoader::ImportInto(nsACString const&, JS::Handle<JSObject*>, JSContext*, JS::MutableHandle<JSObject*>)  js/xpconnect/loader/mozJSComponentLoader.cpp:974
15  xul.dll  mozJSComponentLoader::Import(nsACString const&, JS::Handle<JS::Value>, JSContext*, unsigned char, JS::MutableHandle<JS::Value>)  js/xpconnect/loader/mozJSComponentLoader.cpp:820
16  xul.dll  nsXPCComponents_Utils::Import(nsACString const&, JS::Handle<JS::Value>, JSContext*, unsigned char, JS::MutableHandle<JS::Value>)  js/xpconnect/src/XPCComponents.cpp:2504
17  xul.dll  NS_InvokeByIndex  xpcom/reflect/xptcall/md/win32/xptcinvoke_asm_x86_msvc.asm:54
18  xul.dll  XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*)  js/xpconnect/src/XPCWrappedNativeJSOps.cpp:982
19  xul.dll  js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)  js/src/vm/Interpreter.cpp:470
20  xul.dll  InternalCall  js/src/vm/Interpreter.cpp:515
21  xul.dll  Interpret  js/src/vm/Interpreter.cpp:3064
22  xul.dll  js::RunScript(JSContext*, js::RunState&)  js/src/vm/Interpreter.cpp:410
23  xul.dll  js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*)  js/src/vm/Interpreter.cpp:699
24  xul.dll  js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*)  js/src/vm/Interpreter.cpp:731
25  xul.dll  mozJSComponentLoader::ObjectForLocation(ComponentLoaderInfo&, nsIFile*, JS::MutableHandle<JSObject*>, JS::MutableHandle<JSScript*>, char**, bool, JS::MutableHandle<JS::Value>)  js/xpconnect/loader/mozJSComponentLoader.cpp:741
26  dxgi.dll  _allmul

This is a (low volume) signature from users on Windows appearing since Firefox 51, with MOZ_CRASH("Scope not found").
Comment 1•7 years ago
Taking a glance at the code, it appears to me that the |GCPtrScope* vector| in CopyScript is a GC hazard. If we got hit by a compacting GC during Scope::clone, the vector would not point to the right place anymore. This would explain why FindScopeIndex might fail. Steve, what do you think? Am I missing something special about scopes or GCPtr<T>*? And if I'm not crazy, why did hazard analysis miss it?
https://searchfox.org/mozilla-central/rev/2ef8bd8a46a02c68ddbb1d5f25fa254dd7be1fbd/js/src/jsscript.cpp#3524
Also, https://searchfox.org/mozilla-central/rev/2ef8bd8a46a02c68ddbb1d5f25fa254dd7be1fbd/js/src/jsscript.cpp#718
Flags: needinfo?(sphink)
Priority: -- → P3
Comment 2•7 years ago
On IRC, :jonco explained that the vector itself is malloc'd memory and therefore doesn't move. Problem must be something else (or just random allocation problem due to an earlier corruption).
Flags: needinfo?(sphink)
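The distinction drawn in comments 1 and 2 (a raw pointer held across a compacting GC versus a pointer into malloc'd storage whose contents are traced) is easy to reproduce in miniature. The following is an added illustration written for this page, not SpiderMonkey code: Arena, addTracedSlot, ScriptScopes and runHazardDemo are toy stand-ins, and FindScopeIndex here returns -1 where the real function would hit MOZ_CRASH("Scope not found").

```cpp
// Toy model of the hazard discussed in comments 1 and 2. Added illustration;
// none of these types exist in SpiderMonkey under these names.
#include <cstddef>
#include <cstdint>
#include <vector>

namespace toy {

struct Scope {
    std::uint32_t id = 0;  // 0 means "free slot"
    bool marked = false;   // set by the mutator before a collection
};

// A movable GC heap: live Scopes slide down during compact(), so any raw
// Scope* taken before the collection may point at a vacated slot.
class Arena {
public:
    explicit Arena(std::size_t capacity) : slots_(capacity) {}

    Scope* allocate(std::uint32_t id) {
        for (Scope& s : slots_)
            if (s.id == 0) { s.id = id; s.marked = false; return &s; }
        return nullptr;
    }

    // Traced slots have their contents rewritten when the object they point
    // to moves: the toy equivalent of tracing a GCPtr<Scope*>.
    void addTracedSlot(Scope** slot) { traced_.push_back(slot); }

    // Sweep unmarked objects and compact the survivors; returns how many moved.
    std::size_t compact() {
        std::size_t moved = 0, dst = 0;
        for (std::size_t src = 0; src < slots_.size(); ++src) {
            Scope& s = slots_[src];
            if (s.id == 0) continue;
            if (!s.marked) { s.id = 0; continue; }
            s.marked = false;
            if (dst != src) {
                slots_[dst] = s;
                s.id = 0;
                for (Scope** p : traced_)
                    if (*p == &s) *p = &slots_[dst];
                ++moved;
            }
            ++dst;
        }
        return moved;
    }

private:
    std::vector<Scope> slots_;
    std::vector<Scope**> traced_;
};

// Stand-in for a script's scope table. The storage is malloc'd (std::vector
// here), so the table itself never moves; only the Scope* values inside it
// are rewritten by tracing. This is the point :jonco made in comment 2.
struct ScriptScopes {
    std::vector<Scope*> vector;
};

// Like the FindScopeIndex in the crashing frame: index of `scope` in the
// table, or -1 where the real code would MOZ_CRASH("Scope not found").
int FindScopeIndex(const ScriptScopes& scopes, const Scope* scope) {
    for (std::size_t i = 0; i < scopes.vector.size(); ++i)
        if (scopes.vector[i] == scope) return static_cast<int>(i);
    return -1;
}

struct HazardDemo { int viaRawPointer; int viaTracedSlot; };

// Three scopes, one of them garbage so compaction actually moves the others,
// then two lookups across the collection: one through an untraced local
// (the hazard), one through a pointer into the malloc'd table (safe).
HazardDemo runHazardDemo() {
    Arena arena(8);
    ScriptScopes scopes;
    Scope* garbage = arena.allocate(1);  // never marked, so it is swept
    Scope* a = arena.allocate(2);
    Scope* b = arena.allocate(3);
    scopes.vector = {a, b};
    for (Scope*& slot : scopes.vector) arena.addTracedSlot(&slot);

    Scope* rawB = b;                       // untraced local: stale after compact()
    Scope** slotB = &scopes.vector[1];     // points into malloc'd storage: does not move
    (void)garbage;

    a->marked = b->marked = true;
    arena.compact();                       // a and b each slide down one slot

    return HazardDemo{ FindScopeIndex(scopes, rawB), FindScopeIndex(scopes, *slotB) };
}

} // namespace toy
```

runHazardDemo() returns -1 for the lookup through the untraced local and 1 for the lookup through the table slot: the slot pointer stays valid because the table storage is malloc'd and its content is updated by tracing, which is why the vector in CopyScript is not by itself a moving-GC hazard.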
Comment 3•7 years ago
I believe this is a duplicate of Bug 1367896. We somehow corrupt the JSScript::data buffer through use of XDR, resulting in scopes()->vector having bogus data and the MOZ_CRASH firing.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE