Closed Bug 1705762 Opened 3 years ago Closed 3 years ago

Crash in [@ TraverseInnerLazyScriptsForLazyScript]

Categories: Core :: JavaScript Engine, defect, P3

Status: RESOLVED FIXED
Target Milestone: 90 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox87 --- wontfix
firefox88 --- fixed
firefox89 --- fixed
firefox90 --- fixed

People: Reporter: sefeng, Assigned: arai

Keywords: crash

Attachments: 1 file

Crash report: https://crash-stats.mozilla.org/report/index/9f5949de-4b59-426a-a071-2e20d0210414

Reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS

Top 10 frames of crashing thread:

0 XUL TraverseInnerLazyScriptsForLazyScript js/src/gc/PublicIterators.cpp:101
1 XUL TraverseInnerLazyScriptsForLazyScript js/src/gc/PublicIterators.cpp:111
2 XUL js::IterateScripts js/src/gc/PublicIterators.cpp:159
3 XUL js::Debugger::ScriptQuery::findScripts js/src/debugger/Debugger.cpp:5134
4 XUL js::Debugger::CallData::findScripts js/src/debugger/Debugger.cpp:5524
5 XUL bool js::Debugger::CallData::ToNative<&js::Debugger::CallData::findScripts js/src/debugger/Debugger.cpp:4109
6 XUL js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:520
7 XUL Interpret js/src/vm/Interpreter.cpp:3244
8 XUL js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:552
9 XUL js::jit::DoCallFallback js/src/jit/BaselineIC.cpp:1843

Ted would it make sense for you to look at this bug?

Flags: needinfo?(tcampbell)

This seems to be an issue with the debugger iterating over scripts; marking P3/S3 because it should only occur when the devtools are active.

Severity: -- → S3
Priority: -- → P3

This is showing a pretty noticeable volume in the early Fx88 release crashes, fwiw.

Looks like our patch for Bug 1697952 just kicked the crash down the line. This does reinforce our theory that the debugger is to blame. We can revisit our investigation.

See Also: → 1697952
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/b39fdd9aabab
Check null script when iterating and traversing lazy script in debugger. r=tcampbell
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 90 Branch

Comment on attachment 9217224 [details]
Bug 1705762 - Check null script when iterating and traversing lazy script in debugger. r?tcampbell!

Beta/Release Uplift Approval Request

  • User impact if declined: Yet another attempt to mitigate a null-deref crash, for the same issue as bug 1697952.
    The previous 2 patches fix the immediate crash at the end of script instantiation,
    and this patch fixes the crash when using the debugger after that point.

This doesn't have a testcase, or manual test steps.
We'll monitor the crash stats for the effect.

  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This skips yet another possibly unexpected null-deref.
    This is still an unexpected dereference, and can be skipped.
  • String changes made/needed: None
Attachment #9217224 - Flags: approval-mozilla-beta?

Comment on attachment 9217224 [details]
Bug 1705762 - Check null script when iterating and traversing lazy script in debugger. r?tcampbell!

Crash fix, low risk and we are early in the beta cycle, uplift approved for 89 Beta 3, thanks.

Attachment #9217224 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

The spot-fix seems to have removed crashes from beta.

Flags: needinfo?(tcampbell)

Please nominate this for release approval. Looks like it'd be a good ride-along given the crash volume and simplicity of the fix.

Flags: needinfo?(arai.unmht)

Comment on attachment 9217224 [details]
Bug 1705762 - Check null script when iterating and traversing lazy script in debugger. r?tcampbell!

Beta/Release Uplift Approval Request

  • User impact if declined: Yet another attempt to mitigate a null-deref crash, for the same issue as bug 1697952.
    The mitigation is confirmed to work on the beta channel.
    This doesn't have a testcase, or manual test steps.
    We'll continue monitoring the crash stats.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This skips yet another possibly unexpected null-deref.
    This is still an unexpected dereference, and can be skipped.
  • String changes made/needed: None
Flags: needinfo?(arai.unmht)
Attachment #9217224 - Flags: approval-mozilla-release?

Comment on attachment 9217224 [details]
Bug 1705762 - Check null script when iterating and traversing lazy script in debugger. r?tcampbell!

Approved for 88.0.1.

Attachment #9217224 - Flags: approval-mozilla-release? → approval-mozilla-release+