Closed Bug 465808 Opened 16 years ago Closed 16 years ago

crashes [@ js_GetLocalNameArray] inside decompilation triggered by JSD

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
All
Type:
defect

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: dbaron, Assigned: crowderbt)

References

(
URL
)

Details

(Keywords: crash, fixed1.9.1, topcrash, Whiteboard: [firebug-p1])

Crash Data

Attachments

(1 file, 1 obsolete file)

use FUN_OBJECT(callerFrame->fun) instead of potentially cloned callerFrame->callee
904 bytes, patch
brendan
: review+
Details | Diff | Splinter Review 
I noticed there are a bunch of crashes showing up at http://crash-stats.mozilla.org/ for Firefox 3.1b2pre with stacks like this:

0  	libmozjs.dylib  	js_GetLocalNameArray  	 js/src/jsfun.cpp:2612
1 	libmozjs.dylib 	Decompile 	js/src/jsopcode.cpp:2753
2 	libmozjs.dylib 	DecompileCode 	js/src/jsopcode.cpp:4748
3 	libmozjs.dylib 	JS_DecompileScript 	js/src/jsapi.cpp:5024
4 	XUL 	jsdScript::GetFunctionSource 	js/jsd/jsd_xpc.cpp:1285
...

See, e.g.,
bp-010f6d0f-542e-4c61-b434-285c20081119
bp-2873f99d-c610-466c-9af5-6a3720081119
bp-4b008a36-96c7-4209-83e3-155b20081119

It's not clear when it started; crash-stats seems to slow to do queries going back more than 2 days right now.
Flags: blocking1.9.1?
I've been running the js tests locally with firebug installed but it doesn't activate the same way that venkman does, I think. I'll kick off a round with venkman and see if any js tests fail with it installed.
Flags: blocking1.9.1? → blocking1.9.1+
I've been able to consistently reproduce this with firebug 1.4.0a6 enabled by visiting http://store.apple.com/us/browse/home/shop_mac/family/macbook?mco=MTE3MjA
my firefox always crash here, same bug
http://www.adobe.com/products/flashplayer/ 

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081128 Minefield/3.1b3pre

firebug@software.joehewitt.com:1.2.1

crash id
http://crash-stats.mozilla.com/report/index/d6756969-1658-44e4-acf9-6fc832081128

like it's crash on my mac, you should change to "all plateform"
I get the same crash in www.youtube.com after a few videos.
Firebug (1.3b4) is disabled but FF is still crashing.

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b3pre) Gecko/20081130 Minefield/3.1b3pre
Priority: -- → P1
Assignee: general → crowder
Attached file test extension to crash FF (obsolete) — 
This test case was developed by firebug extender Manoj.
Regarding comment 4, depending on how you disabled firebug, the jsd layer may still be active.
OS: Linux → All
Whiteboard: [firebug p1]
Attachment #353339 - Attachment is obsolete: true
Comment on attachment 353339 [details]
test extension to crash FF

wrong stack
Sorry I got mixed up. Manoj's test case is a different crasher.
Marking critical per duped bug...

Bug 469824 comment #0 says that they get this crash when navigating to cnn.com on both Linux and Windows Fx 3.1b2, when having an onScriptCreated hook that wants to have jsdScript.functionSource - in case that helps anyone to reproduce...
Severity: normal → critical
@John: I disabled Firebug from the add-ons menu, restarted FF and so on..
Is this issue still occurring?
Whiteboard: [firebug p1] → [firebug-p1]
any news? because the last shiretoko nigtly still crash on http://www.adobe.com/go/getflashplayer/
In debug, the crash looks like this:

#1  0x0025d896 in Decompile (ss=0xbfffa0b4, pc=0x1d31dcbc "?", nb=29, nextop=JSOP_NOP) at /Users/crowder/mozilla/js/src/jsopcode.cpp:2757
#2  0x002679ae in DecompileCode (jp=0x1d332ac0, script=0x1d31dc50, pc=0x1d31dcbc "?", len=29, pcdepth=0) at /Users/crowder/mozilla/js/src/jsopcode.cpp:4755
#3  0x00267c4b in js_DecompileScript (jp=0x1d332ac0, script=0x1d31dc50) at /Users/crowder/mozilla/js/src/jsopcode.cpp:4780
#4  0x001c588b in JS_DecompileScript (cx=0xc70a00, script=0x1d31dc50, name=0x1bd649be "ppscript", indent=4) at /Users/crowder/mozilla/js/src/jsapi.cpp:5029
#5  0x1bd58dcc in jsdScript::GetFunctionSource (this=0x1d31dd10, aFunctionSource=@0xbfffa330) at /Users/crowder/mozilla/js/jsd/jsd_xpc.cpp:1265
#6  0x00490ba1 in NS_InvokeByIndex_P (that=0x1d31dd10, methodIndex=14, paramCount=1, params=0xbfffa3c4) at /Users/crowder/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179
#7  0x111eae27 in XPCWrappedNative::CallMethod (ccx=@0xbfffa63c, mode=XPCWrappedNative::CALL_GETTER) at /Users/crowder/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2424
#8  0x111f9bd5 in XPCWrappedNative::GetAttribute (ccx=@0xbfffa63c) at xpcprivate.h:2298
#9  0x111f58c6 in XPC_WN_GetterSetter (cx=0xb43400, obj=0x1793e700, argc=0, argv=0xe2bb74, vp=0xbfffa76c) at /Users/crowder/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1511
#10 0x00237a3b in js_Invoke (cx=0xb43400, argc=0, vp=0xe2bb6c, flags=2) at jsinterp.cpp:1318
#11 0x00237d82 in js_InternalInvoke (cx=0xb43400, obj=0x1793e700, fval=411960448, flags=0, argc=0, argv=0x0, rval=0xbfffad98) at jsinterp.cpp:1393
#12 0x00237fe3 in js_InternalGetOrSet (cx=0xb43400, obj=0x1793e700, id=442130668, fval=411960448, mode=JSACC_READ, argc=0, argv=0x0, rval=0xbfffad98) at jsinterp.cpp:1454
#13 0x0024d5d9 in js_NativeGet (cx=0xb43400, obj=0x1793e700, pobj=0x1793e700, sprop=0x20a20410, vp=0xbfffad98) at /Users/crowder/mozilla/js/src/jsobj.cpp:3739
#14 0x0024e46e in js_GetPropertyHelper (cx=0xb43400, obj=0x1793e700, id=442130668, vp=0xbfffad98, entryp=0xbfffaccc) at /Users/crowder/mozilla/js/src/jsobj.cpp:3890
#15 0x002216e1 in js_Interpret (cx=0xb43400) at /Users/crowder/mozilla/js/src/jsinterp.cpp:4285
#16 0x00237acc in js_Invoke (cx=0xb43400, argc=3, vp=0xe2b944, flags=0) at jsinterp.cpp:1336
#17 0x00204f28 in js_fun_apply (cx=0xb43400, argc=3, vp=0xe2b910) at /Users/crowder/mozilla/js/src/jsfun.cpp:1732
#18 0x0022648c in js_Interpret (cx=0xb43400) at /Users/crowder/mozilla/js/src/jsinterp.cpp:4994
#19 0x00237acc in js_Invoke (cx=0xb43400, argc=3, vp=0xe2b8f4, flags=0) at jsinterp.cpp:1336


More to come...
Attachment #358515 - Flags: review?(brendan)
Comment on attachment 358515 [details] [diff] [review]
use FUN_OBJECT(callerFrame->fun) instead of potentially cloned callerFrame->callee

Thanks to Brendan and mrbkap for lots of help.
Comment on attachment 358515 [details] [diff] [review]
use FUN_OBJECT(callerFrame->fun) instead of potentially cloned callerFrame->callee

Why oh why did I advise graydon against this? Dunno, it's clearly right.

/be
Attachment #358515 - Flags: review?(brendan) → review+
This deserves to land tonight, but I have daddy-detail.  I'll hit it much later, if no one else does.
Keywords: checkin-needed
I can check this in if you don't mind and will do do tinderbox watch
Ergo: FIXED.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
still crash, is it normal?
(In reply to comment #24)
> still crash, is it normal?

What is your build id?
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090128 Shiretoko/3.1b3pre

http://crash-stats.mozilla.com/report/index/8cae72d4-cc71-4848-b6a9-696572090128
(In reply to comment #26)
> rv:1.9.1b3pre

You're on the 1.9.1 branch. You'll still crash until someone checks this patch into that branch and adds the fixed1.9.1 keyword.
ok, thanks :)
I figured that we should get this in sooner rather than later, since it's biting people, so: http://hg.mozilla.org/releases/mozilla-1.9.1/rev/ea2bc0ce0361
Keywords: fixed1.9.1
Thanks!
Keywords: checkin-needed
Flags: in-testsuite-
Crash Signature: [@ js_GetLocalNameArray]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: