TM: Going to NEW Facebook profile page causes crash. [@ FlushNativeStackFrame]

RESOLVED FIXED in mozilla1.9.1b1

Product: Core
Component: JavaScript Engine
Priority: P1
Severity: critical
Status: RESOLVED FIXED
Reported: 10 years ago
Last modified: 7 years ago

Reporter: Nick
Assignee: brendan

Keywords: crash
Version: unspecified
Target Milestone: mozilla1.9.1b1
Flags: in-testsuite -, in-litmus -
Crash Signature: [@ FlushNativeStackFrame]

Attachments: 2 attachments, 4 obsolete attachments

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080913064101 Minefield/3.1b1pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080913064101 Minefield/3.1b1pre

Enabling the NEW version of Facebook, and then opening your own profile page, causes a crash with the Tracemoney build.

Reproducible: Always

Steps to Reproduce:
1. Log into Facebook
2. Enable the NEW layout.
3. Surf to Profile page.
Actual Results:
The browser crashed, every time.

Expected Results:
Loaded the page, and not crashed.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080913064101 Minefield/3.1b1pre ID:20080913064101

Adblock Plus 0.7.5.5
Better Gmail 2 0.6.1
Locationbar² 1.0.3
Menu Editor 1.2.6
Nightly Tester Tools 2.0.2
NoScript 1.8
Tabs Open Relative 0.3.3
Topper 0.2
TwitterFox 1.7

Is my browser configuration.

Comment 2

10 years ago
http://crash-stats.mozilla.com/report/index/f9f1dbe1-81a9-11dd-a966-001cc45a2c28

Crashed for me with
  Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b1pre) Gecko/20080912031847 Minefield/3.1b1pre 
and
  Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b1pre) Gecko/20080913031911 Minefield/3.1b1pre

Couldn't get it to crash with a debug build.
Have you enabled TM ?
Please test with and without TM if you report a bug.

0  	js3250.dll  	FlushNativeStackFrame  	 js/src/jstracer.cpp:1249
1 	js3250.dll 	js_ExecuteTree 	js/src/jstracer.cpp:2454
2 	js3250.dll 	js_MonitorLoopEdge 	js/src/jstracer.cpp:2502
3 	js3250.dll 	js3250.dll@0x6963a 	
4 	js3250.dll 	js_Invoke 	js/src/jsinterp.cpp:1324
5 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1523
6 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:565
7 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114
8 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
9 	xul.dll 	nsEventListenerManager::HandleEventSubType 	content/events/src/nsEventListenerManager.cpp:1080
Assignee: nobody → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
Summary: Going to NEW Facebook profile page causes crash. → Going to NEW Facebook profile page causes crash. [ @FlushNativeStackFrame]
(Assignee)

Comment 4

10 years ago
I'll try to confirm once I get power enough to rebuild my Minefield. Feel free to beat me to it. (Walkabout in NYC atm.)

/be
Summary: Going to NEW Facebook profile page causes crash. [ @FlushNativeStackFrame] → TM: Going to NEW Facebook profile page causes crash. [ @FlushNativeStackFrame]
(Assignee)

Comment 5

10 years ago
Also if anyone can capture the script (call js_Disassemble(cx, cx->fp->script, 0, stdout) (on Mac use __stdoutp; not sure about Windows) and pc (cx->fp->regs->pc) or line number (call js_PCToLineNumber(cx, cx->fp->script, cx->fp->regs->pc)) that would be great.

/be

Comment 6

10 years ago
I'll give it a try.

Comment 7

10 years ago
I can confirm the crash. I have to build a DEBUG version to catch it in gdb.
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Reporter)

Comment 8

10 years ago
With my current build, with JIT:Content enabled (JIT:Chrome has no effect), it will crash every time, even in safe mode.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080913205356 Minefield/3.1b1pre ID:20080913205356


http://crash-stats.mozilla.com/report/index/c1c90028-8222-11dd-81fa-001a4bd43ef6
http://crash-stats.mozilla.com/report/index/1e8aedd9-8223-11dd-a0c3-001a4bd43e5c?p=1
(Assignee)

Comment 9

10 years ago
Need an assignee -- I'm getting set up to debug, but probably some folks not on the road could grab and diagnose this faster. Andreas, did you get anywhere with it? No worries if not -- just want to keep after unassigned bugs.

/be

Comment 10

10 years ago
This happens on OS X too.
Assignee: general → danderson
FlushNativeStackFrame is clobbering cx->fp->regs to 0x16 (undefined).  We're filling in missing arguments at calldepth=1.  vpname=missing, vpnum=0, nargs=3, args=2.
Created attachment 340020 [details] [diff] [review]
brendan's patch (not working, posting for reference)

Brendan tried digging into this for me today.  Looks like stack space is not being reserved correctly in synthesizing frames, something somewhere might not be compensating for the missing argument in the inner frame.
Assignee: danderson → brendan
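A toy model of the failure mode the two comments above describe, added here as an illustration and not SpiderMonkey's code: the slot layout, the names, and the "reserve max(argc, nargs) slots" correction are assumptions; the argc=2, nargs=3 case and the 0x16 "undefined" value come from the comments.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative model (not SpiderMonkey code): the tracer synthesises an inner
 * call frame for a function with nargs formals that was called with argc actuals
 * and fills the missing formals with the tagged "undefined" value. The bug report
 * saw cx->fp->regs overwritten with 0x16, i.e. that value: the fill ran past the
 * slots reserved for arguments into the frame field that followed them. */
#define MODEL_JSVAL_VOID 0x16u
#define MODEL_SLOTS 16

typedef uint32_t model_jsval;

typedef struct {
    model_jsval slots[MODEL_SLOTS]; /* modelled stack: argv first, frame fields after */
    size_t regs_slot;               /* index of the synthesised frame's regs field */
} model_stack;

/* Lay out a synthesised frame: copy the argc actuals, then place the regs field
 * immediately after the `reserved` argument slots (hypothetical layout). */
static void synthesize_frame(model_stack *st, const model_jsval *actuals,
                             size_t argc, size_t reserved) {
    memset(st->slots, 0, sizeof st->slots);
    for (size_t i = 0; i < argc; i++)
        st->slots[i] = actuals[i];
    st->regs_slot = reserved;
    st->slots[reserved] = 0xC0DEu; /* stand-in for a valid regs pointer */
}

/* Fill formals argc..nargs-1 with undefined; report whether regs was clobbered. */
static int fill_missing_args(model_stack *st, size_t argc, size_t nargs) {
    for (size_t i = argc; i < nargs && i < MODEL_SLOTS; i++)
        st->slots[i] = MODEL_JSVAL_VOID;
    return st->slots[st->regs_slot] == MODEL_JSVAL_VOID;
}

/* Drive both reservation policies. The buggy one reserves only argc slots; the
 * corrected one (assumed) reserves max(argc, nargs) so the fill stays in argv.
 * Returns 1 if regs ended up overwritten with 0x16, 0 if intact, -1 if the
 * request is outside what the model can represent. */
int regs_clobbered(size_t argc, size_t nargs, int compensate_missing) {
    const model_jsval actuals[4] = {0x1u, 0x2u, 0x3u, 0x4u}; /* constructed values */
    model_stack st;
    size_t reserved = (compensate_missing && nargs > argc) ? nargs : argc;
    if (argc > 4 || reserved >= MODEL_SLOTS)
        return -1;
    synthesize_frame(&st, actuals, argc, reserved);
    return fill_missing_args(&st, argc, nargs);
}
```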
(Assignee)

Updated

10 years ago
Status: NEW → ASSIGNED
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9.1b1
(Assignee)

Comment 13

10 years ago
Created attachment 340031 [details] [diff] [review]
proposed fix
Attachment #340020 - Attachment is obsolete: true
Attachment #340031 - Flags: review?(danderson)
(Assignee)

Comment 14

10 years ago
Created attachment 340045 [details] [diff] [review]
better fix
Attachment #340031 - Attachment is obsolete: true
Attachment #340045 - Flags: review?(danderson)
Attachment #340031 - Flags: review?(danderson)
(Assignee)

Updated

10 years ago
Attachment #340045 - Flags: review?(mrbkap)
(Assignee)

Updated

10 years ago
Depends on: 453024
(Assignee)

Comment 16

10 years ago
Created attachment 340109 [details] [diff] [review]
spot-fix, still duplicating a lot of inline_call: code from js_Interpret

May do a followup bug and patch to share code with a jsinterp.h static inline helper, if it can be done without too many params.

/be
Attachment #340045 - Attachment is obsolete: true
Attachment #340109 - Flags: review?(danderson)
Attachment #340045 - Flags: review?(mrbkap)
Attachment #340045 - Flags: review?(danderson)
(Assignee)

Comment 18

10 years ago
Created attachment 340223 [details] [diff] [review]
fixed spot-fix, exposes unrelated bug

The unrelated bug is the assertion in js_GetScopeChain:

    if (!obj) {
        /*
         * Don't force a call object for a lightweight function call, but do
         * insist that there is a call object for a heavyweight function call.
         */
        JS_ASSERT(!fp->fun ||
                  !(fp->fun->flags & JSFUN_HEAVYWEIGHT) ||
                  fp->callobj);

botching because we do not js_GetCallObject when reconstructing a frame for a heavyweight function call that the JIT inlined. Filing that now as bug 456875.

/be
Attachment #340109 - Attachment is obsolete: true
Attachment #340223 - Flags: review?(mrbkap)
Attachment #340109 - Flags: review?(danderson)
(Assignee)

Comment 19

10 years ago
Comment on attachment 340223 [details] [diff] [review]
fixed spot-fix, exposes unrelated bug

Bugzilla interdiff works. David, if you could verify that this is the patch I wrote on your thinkpad, that would be good for a second r+ -- thanks,

/be
Attachment #340223 - Flags: review?(danderson)
Attachment #340223 - Flags: review?(danderson) → review+

Updated

10 years ago
Attachment #340223 - Flags: review?(mrbkap) → review+
(Assignee)

Comment 21

10 years ago
Fixed on m-c:

http://hg.mozilla.org/mozilla-central/rev/966828ea2d4d

/be
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED

Comment 22

10 years ago
Brendan, did you ever create a reduced testcase?  Would be nice not only for automated regression testing, but also to inform fuzzing efforts.

Comment 23

9 years ago
Firefox 3.1b1pre crashes every time I log in to new facebook.com.
The build id:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080929033431 Minefield/3.1b1pre

If I use a proxy like Proxomitron, it doesn't crash. But it crashes every time without the proxy.
(Assignee)

Comment 24

9 years ago
(In reply to comment #23)
> Firefox 3.1b1pre crashes every time I log in to new facebook.com.
> The build id:
> Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre)
> Gecko/20080929033431 Minefield/3.1b1pre
> 
> If I use a proxy like Proxomitron, it doesn't crash. But it crashes every time
> without the proxy.

Please file a new bug and cite breakpad crash report ids if you can. Thanks,

/be

Updated

9 years ago
Flags: in-testsuite-
Flags: in-litmus-

Updated

8 years ago
Keywords: crash
Summary: TM: Going to NEW Facebook profile page causes crash. [ @FlushNativeStackFrame] → TM: Going to NEW Facebook profile page causes crash. [@ FlushNativeStackFrame]
Crash Signature: [@ FlushNativeStackFrame]