crashes [@ js_GetLocalNameArray] inside decompilation triggered by JSD

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: P1
Severity: critical
Reported: 9 years ago
Modified: 7 years ago

People

Reporter: dbaron
Assignee: Brian Crowder

Tracking

Keywords: crash, fixed1.9.1, topcrash
Version: Trunk
Hardware: x86
OS: All
Points: ---
Bug Flags: blocking1.9.1 +, in-testsuite -
Firefox Tracking Flags: (Not tracked)

Details

Whiteboard: [firebug-p1]

Attachments

1 attachment, 1 obsolete attachment

I noticed there are a bunch of crashes showing up at http://crash-stats.mozilla.org/ for Firefox 3.1b2pre with stacks like this:

0  libmozjs.dylib  js_GetLocalNameArray          js/src/jsfun.cpp:2612
1  libmozjs.dylib  Decompile                     js/src/jsopcode.cpp:2753
2  libmozjs.dylib  DecompileCode                 js/src/jsopcode.cpp:4748
3  libmozjs.dylib  JS_DecompileScript            js/src/jsapi.cpp:5024
4  XUL             jsdScript::GetFunctionSource  js/jsd/jsd_xpc.cpp:1285
...

See, e.g.,
bp-010f6d0f-542e-4c61-b434-285c20081119
bp-2873f99d-c610-466c-9af5-6a3720081119
bp-4b008a36-96c7-4209-83e3-155b20081119

It's not clear when it started; crash-stats seems too slow to do queries going back more than 2 days right now.
Flags: blocking1.9.1?

Comment 1

9 years ago
I've been running the js tests locally with firebug installed but it doesn't activate the same way that venkman does, I think. I'll kick off a round with venkman and see if any js tests fail with it installed.

Updated

9 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Comment 2

I've been able to consistently reproduce this with firebug 1.4.0a6 enabled by visiting http://store.apple.com/us/browse/home/shop_mac/family/macbook?mco=MTE3MjA

Comment 3

9 years ago
My Firefox always crashes here, same bug:
http://www.adobe.com/products/flashplayer/ 

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081128 Minefield/3.1b3pre

firebug@software.joehewitt.com:1.2.1

crash id
http://crash-stats.mozilla.com/report/index/d6756969-1658-44e4-acf9-6fc832081128

Since it crashes on my Mac, you should change to "all platforms".

Comment 4

9 years ago
I get the same crash in www.youtube.com after a few videos.
Firebug (1.3b4) is disabled but FF is still crashing.

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b3pre) Gecko/20081130 Minefield/3.1b3pre

Updated

9 years ago
Priority: -- → P1
(Assignee)

Updated

9 years ago
Assignee: general → crowder

Updated

9 years ago
Duplicate of this bug: 469824

Comment 6

9 years ago
Created attachment 353339 [details]
test extension to crash FF

This test case was developed by firebug extender Manoj.

Comment 7

9 years ago
Regarding comment 4, depending on how you disabled firebug, the jsd layer may still be active.
OS: Linux → All
Whiteboard: [firebug p1]

Updated

9 years ago
Attachment #353339 - Attachment is obsolete: true

Comment 8

9 years ago
Comment on attachment 353339 [details]
test extension to crash FF

wrong stack

Comment 9

9 years ago
Sorry I got mixed up. Manoj's test case is a different crasher.

Comment 10

9 years ago
Marking critical per duped bug...

Bug 469824 comment #0 says that they get this crash when navigating to cnn.com on both Linux and Windows Fx 3.1b2, when having an onScriptCreated hook that wants to have jsdScript.functionSource - in case that helps anyone to reproduce...
Severity: normal → critical

Comment 11

9 years ago
@John: I disabled Firebug from the add-ons menu, restarted FF and so on...
(Assignee)

Comment 12

9 years ago
Is this issue still occurring?

Comment 13

9 years ago
http://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox:3.1b3pre&version=Firefox:3.2a1pre&query_search=signature&query_type=contains&query=js_GetLocalNameArray&date=&range_value=1&range_unit=weeks&do_query=1&signature=js_GetLocalNameArray

3.2a1pre	20081230033616	

please practice using crash-stats.

Updated

9 years ago
Whiteboard: [firebug p1] → [firebug-p1]

Comment 14

9 years ago
Any news? Because the last Shiretoko nightly still crashes on http://www.adobe.com/go/getflashplayer/
http://www.tvn24.pl too
(Assignee)

Comment 16

9 years ago
In debug, the crash looks like this:

#1  0x0025d896 in Decompile (ss=0xbfffa0b4, pc=0x1d31dcbc "?", nb=29, nextop=JSOP_NOP) at /Users/crowder/mozilla/js/src/jsopcode.cpp:2757
#2  0x002679ae in DecompileCode (jp=0x1d332ac0, script=0x1d31dc50, pc=0x1d31dcbc "?", len=29, pcdepth=0) at /Users/crowder/mozilla/js/src/jsopcode.cpp:4755
#3  0x00267c4b in js_DecompileScript (jp=0x1d332ac0, script=0x1d31dc50) at /Users/crowder/mozilla/js/src/jsopcode.cpp:4780
#4  0x001c588b in JS_DecompileScript (cx=0xc70a00, script=0x1d31dc50, name=0x1bd649be "ppscript", indent=4) at /Users/crowder/mozilla/js/src/jsapi.cpp:5029
#5  0x1bd58dcc in jsdScript::GetFunctionSource (this=0x1d31dd10, aFunctionSource=@0xbfffa330) at /Users/crowder/mozilla/js/jsd/jsd_xpc.cpp:1265
#6  0x00490ba1 in NS_InvokeByIndex_P (that=0x1d31dd10, methodIndex=14, paramCount=1, params=0xbfffa3c4) at /Users/crowder/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179
#7  0x111eae27 in XPCWrappedNative::CallMethod (ccx=@0xbfffa63c, mode=XPCWrappedNative::CALL_GETTER) at /Users/crowder/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2424
#8  0x111f9bd5 in XPCWrappedNative::GetAttribute (ccx=@0xbfffa63c) at xpcprivate.h:2298
#9  0x111f58c6 in XPC_WN_GetterSetter (cx=0xb43400, obj=0x1793e700, argc=0, argv=0xe2bb74, vp=0xbfffa76c) at /Users/crowder/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1511
#10 0x00237a3b in js_Invoke (cx=0xb43400, argc=0, vp=0xe2bb6c, flags=2) at jsinterp.cpp:1318
#11 0x00237d82 in js_InternalInvoke (cx=0xb43400, obj=0x1793e700, fval=411960448, flags=0, argc=0, argv=0x0, rval=0xbfffad98) at jsinterp.cpp:1393
#12 0x00237fe3 in js_InternalGetOrSet (cx=0xb43400, obj=0x1793e700, id=442130668, fval=411960448, mode=JSACC_READ, argc=0, argv=0x0, rval=0xbfffad98) at jsinterp.cpp:1454
#13 0x0024d5d9 in js_NativeGet (cx=0xb43400, obj=0x1793e700, pobj=0x1793e700, sprop=0x20a20410, vp=0xbfffad98) at /Users/crowder/mozilla/js/src/jsobj.cpp:3739
#14 0x0024e46e in js_GetPropertyHelper (cx=0xb43400, obj=0x1793e700, id=442130668, vp=0xbfffad98, entryp=0xbfffaccc) at /Users/crowder/mozilla/js/src/jsobj.cpp:3890
#15 0x002216e1 in js_Interpret (cx=0xb43400) at /Users/crowder/mozilla/js/src/jsinterp.cpp:4285
#16 0x00237acc in js_Invoke (cx=0xb43400, argc=3, vp=0xe2b944, flags=0) at jsinterp.cpp:1336
#17 0x00204f28 in js_fun_apply (cx=0xb43400, argc=3, vp=0xe2b910) at /Users/crowder/mozilla/js/src/jsfun.cpp:1732
#18 0x0022648c in js_Interpret (cx=0xb43400) at /Users/crowder/mozilla/js/src/jsinterp.cpp:4994
#19 0x00237acc in js_Invoke (cx=0xb43400, argc=3, vp=0xe2b8f4, flags=0) at jsinterp.cpp:1336


More to come...
(Assignee)

Comment 17

9 years ago
Created attachment 358515 [details] [diff] [review]
use FUN_OBJECT(callerFrame->fun) instead of potentially cloned callerFrame->callee
(Assignee)

Updated

9 years ago
Attachment #358515 - Flags: review?(brendan)
(Assignee)

Comment 18

9 years ago
Comment on attachment 358515 [details] [diff] [review]
use FUN_OBJECT(callerFrame->fun) instead of potentially cloned callerFrame->callee

Thanks to Brendan and mrbkap for lots of help.
Comment 19

Comment on attachment 358515 [details] [diff] [review]
use FUN_OBJECT(callerFrame->fun) instead of potentially cloned callerFrame->callee

Why oh why did I advise graydon against this? Dunno, it's clearly right.

/be
Attachment #358515 - Flags: review?(brendan) → review+
(Assignee)

Comment 20

9 years ago
This deserves to land tonight, but I have daddy-detail.  I'll hit it much later, if no one else does.
Keywords: checkin-needed
I can check this in if you don't mind and will do tinderbox watch
checked in as https://hg.mozilla.org/mozilla-central/rev/e6693f9fb089
Ergo: FIXED.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED

Comment 24

9 years ago
Still crashes, is it normal?

Comment 25

(In reply to comment #24)
> Still crashes, is it normal?

What is your build id?

Comment 26

9 years ago
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090128 Shiretoko/3.1b3pre

http://crash-stats.mozilla.com/report/index/8cae72d4-cc71-4848-b6a9-696572090128
Comment 27

(In reply to comment #26)
> rv:1.9.1b3pre

You're on the 1.9.1 branch. You'll still crash until someone checks this patch into that branch and adds the fixed1.9.1 keyword.

Comment 28

9 years ago
ok, thanks :)
Comment 29

I figured that we should get this in sooner rather than later, since it's biting people, so: http://hg.mozilla.org/releases/mozilla-1.9.1/rev/ea2bc0ce0361
Keywords: fixed1.9.1
(Assignee)

Comment 30

9 years ago
Thanks!

Updated

9 years ago
Keywords: checkin-needed

Updated

9 years ago
Duplicate of this bug: 480286

Updated

9 years ago
Flags: in-testsuite-
Crash Signature: [@ js_GetLocalNameArray]