crashes [@ js_GetLocalNameArray] inside decompilation triggered by JSD




JavaScript Engine
9 years ago
7 years ago


(Reporter: dbaron, Assigned: Brian Crowder)


({crash, fixed1.9.1, topcrash})

Bug Flags:
blocking1.9.1 +
in-testsuite -

Firefox Tracking Flags

(Not tracked)


(Whiteboard: [firebug-p1], crash signature, URL)


(1 attachment, 1 obsolete attachment)

I noticed there are a bunch of crashes showing up at for Firefox 3.1b2pre with stacks like this:

0  	libmozjs.dylib  	js_GetLocalNameArray  	 js/src/jsfun.cpp:2612
1 	libmozjs.dylib 	Decompile 	js/src/jsopcode.cpp:2753
2 	libmozjs.dylib 	DecompileCode 	js/src/jsopcode.cpp:4748
3 	libmozjs.dylib 	JS_DecompileScript 	js/src/jsapi.cpp:5024
4 	XUL 	jsdScript::GetFunctionSource 	js/jsd/jsd_xpc.cpp:1285

See, e.g.,

It's not clear when it started; crash-stats seems too slow to do queries going back more than 2 days right now.
Flags: blocking1.9.1?

Comment 1

9 years ago
I've been running the js tests locally with firebug installed but it doesn't activate the same way that venkman does, I think. I'll kick off a round with venkman and see if any js tests fail with it installed.


9 years ago
Flags: blocking1.9.1? → blocking1.9.1+
I've been able to consistently reproduce this with firebug 1.4.0a6 enabled by visiting

Comment 3

9 years ago
my Firefox always crashes here, same bug

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081128 Minefield/3.1b3pre

crash id

like it crashes on my mac, you should change to "all platforms"

Comment 4

9 years ago
I get the same crash in after a few videos.
Firebug (1.3b4) is disabled but FF is still crashing.

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b3pre) Gecko/20081130 Minefield/3.1b3pre


9 years ago
Priority: -- → P1


9 years ago
Assignee: general → crowder


9 years ago
Duplicate of this bug: 469824

Comment 6

9 years ago
Created attachment 353339 [details]
test extension to crash FF

This test case was developed by firebug extender Manoj.

Comment 7

9 years ago
Regarding comment 4, depending on how you disabled firebug, the jsd layer may still be active.
OS: Linux → All
Whiteboard: [firebug p1]


9 years ago
Attachment #353339 - Attachment is obsolete: true

Comment 8

9 years ago
Comment on attachment 353339 [details]
test extension to crash FF

wrong stack

Comment 9

9 years ago
Sorry I got mixed up. Manoj's test case is a different crasher.

Comment 10

9 years ago
Marking critical per duped bug...

Bug 469824 comment #0 says that they get this crash when navigating to on both Linux and Windows Fx 3.1b2, when having an onScriptCreated hook that wants to have jsdScript.functionSource - in case that helps anyone to reproduce...
Severity: normal → critical

Comment 11

9 years ago
@John: I disabled Firebug from the add-ons menu, restarted FF and so on..

Comment 12

9 years ago
Is this issue still occurring?

Comment 13

9 years ago

3.2a1pre	20081230033616	

please practice using crash-stats.


9 years ago
Whiteboard: [firebug p1] → [firebug-p1]

Comment 14

9 years ago
any news? because the last shiretoko nightly still crashes on too

Comment 16

9 years ago
In debug, the crash looks like this:

#1  0x0025d896 in Decompile (ss=0xbfffa0b4, pc=0x1d31dcbc "?", nb=29, nextop=JSOP_NOP) at /Users/crowder/mozilla/js/src/jsopcode.cpp:2757
#2  0x002679ae in DecompileCode (jp=0x1d332ac0, script=0x1d31dc50, pc=0x1d31dcbc "?", len=29, pcdepth=0) at /Users/crowder/mozilla/js/src/jsopcode.cpp:4755
#3  0x00267c4b in js_DecompileScript (jp=0x1d332ac0, script=0x1d31dc50) at /Users/crowder/mozilla/js/src/jsopcode.cpp:4780
#4  0x001c588b in JS_DecompileScript (cx=0xc70a00, script=0x1d31dc50, name=0x1bd649be "ppscript", indent=4) at /Users/crowder/mozilla/js/src/jsapi.cpp:5029
#5  0x1bd58dcc in jsdScript::GetFunctionSource (this=0x1d31dd10, aFunctionSource=@0xbfffa330) at /Users/crowder/mozilla/js/jsd/jsd_xpc.cpp:1265
#6  0x00490ba1 in NS_InvokeByIndex_P (that=0x1d31dd10, methodIndex=14, paramCount=1, params=0xbfffa3c4) at /Users/crowder/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179
#7  0x111eae27 in XPCWrappedNative::CallMethod (ccx=@0xbfffa63c, mode=XPCWrappedNative::CALL_GETTER) at /Users/crowder/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2424
#8  0x111f9bd5 in XPCWrappedNative::GetAttribute (ccx=@0xbfffa63c) at xpcprivate.h:2298
#9  0x111f58c6 in XPC_WN_GetterSetter (cx=0xb43400, obj=0x1793e700, argc=0, argv=0xe2bb74, vp=0xbfffa76c) at /Users/crowder/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1511
#10 0x00237a3b in js_Invoke (cx=0xb43400, argc=0, vp=0xe2bb6c, flags=2) at jsinterp.cpp:1318
#11 0x00237d82 in js_InternalInvoke (cx=0xb43400, obj=0x1793e700, fval=411960448, flags=0, argc=0, argv=0x0, rval=0xbfffad98) at jsinterp.cpp:1393
#12 0x00237fe3 in js_InternalGetOrSet (cx=0xb43400, obj=0x1793e700, id=442130668, fval=411960448, mode=JSACC_READ, argc=0, argv=0x0, rval=0xbfffad98) at jsinterp.cpp:1454
#13 0x0024d5d9 in js_NativeGet (cx=0xb43400, obj=0x1793e700, pobj=0x1793e700, sprop=0x20a20410, vp=0xbfffad98) at /Users/crowder/mozilla/js/src/jsobj.cpp:3739
#14 0x0024e46e in js_GetPropertyHelper (cx=0xb43400, obj=0x1793e700, id=442130668, vp=0xbfffad98, entryp=0xbfffaccc) at /Users/crowder/mozilla/js/src/jsobj.cpp:3890
#15 0x002216e1 in js_Interpret (cx=0xb43400) at /Users/crowder/mozilla/js/src/jsinterp.cpp:4285
#16 0x00237acc in js_Invoke (cx=0xb43400, argc=3, vp=0xe2b944, flags=0) at jsinterp.cpp:1336
#17 0x00204f28 in js_fun_apply (cx=0xb43400, argc=3, vp=0xe2b910) at /Users/crowder/mozilla/js/src/jsfun.cpp:1732
#18 0x0022648c in js_Interpret (cx=0xb43400) at /Users/crowder/mozilla/js/src/jsinterp.cpp:4994
#19 0x00237acc in js_Invoke (cx=0xb43400, argc=3, vp=0xe2b8f4, flags=0) at jsinterp.cpp:1336

More to come...

Comment 17

9 years ago
Created attachment 358515 [details] [diff] [review]
use FUN_OBJECT(callerFrame->fun) instead of potentially cloned callerFrame->callee


9 years ago
Attachment #358515 - Flags: review?(brendan)

Comment 18

9 years ago
Comment on attachment 358515 [details] [diff] [review]
use FUN_OBJECT(callerFrame->fun) instead of potentially cloned callerFrame->callee

Thanks to Brendan and mrbkap for lots of help.
Comment on attachment 358515 [details] [diff] [review]
use FUN_OBJECT(callerFrame->fun) instead of potentially cloned callerFrame->callee

Why oh why did I advise graydon against this? Dunno, it's clearly right.

Attachment #358515 - Flags: review?(brendan) → review+

Comment 20

9 years ago
This deserves to land tonight, but I have daddy-detail.  I'll hit it much later, if no one else does.
Keywords: checkin-needed
I can check this in if you don't mind and will do tinderbox watch
checked in as
Ergo: FIXED.
Last Resolved: 9 years ago
Resolution: --- → FIXED

Comment 24

9 years ago
still crash, is it normal?
(In reply to comment #24)
> still crash, is it normal?

What is your build id?

Comment 26

9 years ago
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090128 Shiretoko/3.1b3pre
(In reply to comment #26)
> rv:1.9.1b3pre

You're on the 1.9.1 branch. You'll still crash until someone checks this patch into that branch and adds the fixed1.9.1 keyword.

Comment 28

9 years ago
ok, thanks :)
I figured that we should get this in sooner rather than later, since it's biting people, so:
Keywords: fixed1.9.1

Comment 30

9 years ago


9 years ago
Keywords: checkin-needed


9 years ago
Duplicate of this bug: 480286


9 years ago
Flags: in-testsuite-
Crash Signature: [@ js_GetLocalNameArray]