1637886 - Crash in [@ JS::GetScriptPrivate]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Calixte Denizet (:calixte)]

This bug is for crash report bp-ab57428c-f6b9-4494-a439-24ecd0200513.

Top 10 frames of crashing thread:

0 xul.dll JS::GetScriptPrivate js/src/jsapi.cpp:3700
1 xul.dll mozilla::dom::ScriptLoader::EvaluateScript dom/script/ScriptLoader.cpp:2873
2 xul.dll mozilla::dom::ScriptLoader::ProcessRequest dom/script/ScriptLoader.cpp:2379
3 xul.dll mozilla::dom::ScriptLoader::ProcessOffThreadRequest dom/script/ScriptLoader.cpp:2066
4 xul.dll mozilla::dom::`anonymous namespace'::NotifyOffThreadScriptLoadCompletedRunnable::Run dom/script/ScriptLoader.cpp:2093
5 xul.dll mozilla::SchedulerGroup::Runnable::Run xpcom/threads/SchedulerGroup.cpp:146
6 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1211
7 xul.dll NS_ProcessNextEvent xpcom/threads/nsThreadUtils.cpp:501
8 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:87
9 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:308

There are 8 crashes (from 7 installations) in nightly 78 with buildid 20200513094918. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1501608.

[1] https://hg.mozilla.org/mozilla-central/rev?node=554b7637fe60

Comment 1

[Denis Palmeiro [:denispal]]

I believe this is due to a missing null check on the JSScript.

Comment 2

[Pulsebot]

Pushed by dpalmeiro@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/566430349999
Check for valid JSScript* before getting private value r=smaug

Comment 3

[Denis Palmeiro [:denispal]]

Attachment: Check for valid JSScript* before getting private value

Missing check to see if the JSScript coming from exec.GetScript() is valid.

Comment 4

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/566430349999