Closed
Bug 465808
Opened 16 years ago
Closed 16 years ago
crashes [@ js_GetLocalNameArray] inside decompilation triggered by JSD
Categories
(Core :: JavaScript Engine, defect, P1)
RESOLVED
FIXED
People
(Reporter: dbaron, Assigned: crowderbt)
Details
(Keywords: crash, fixed1.9.1, topcrash, Whiteboard: [firebug-p1])
Attachments
(1 file, 1 obsolete file)
904 bytes, patch | brendan: review+
I noticed there are a bunch of crashes showing up at http://crash-stats.mozilla.org/ for Firefox 3.1b2pre with stacks like this:

0 libmozjs.dylib js_GetLocalNameArray js/src/jsfun.cpp:2612
1 libmozjs.dylib Decompile js/src/jsopcode.cpp:2753
2 libmozjs.dylib DecompileCode js/src/jsopcode.cpp:4748
3 libmozjs.dylib JS_DecompileScript js/src/jsapi.cpp:5024
4 XUL jsdScript::GetFunctionSource js/jsd/jsd_xpc.cpp:1285
...

See, e.g.,
bp-010f6d0f-542e-4c61-b434-285c20081119
bp-2873f99d-c610-466c-9af5-6a3720081119
bp-4b008a36-96c7-4209-83e3-155b20081119

It's not clear when it started; crash-stats seems too slow to do queries going back more than 2 days right now.
Flags: blocking1.9.1?
Comment 1•16 years ago
I've been running the js tests locally with firebug installed but it doesn't activate the same way that venkman does, I think. I'll kick off a round with venkman and see if any js tests fail with it installed.
Updated•16 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Comment 2•16 years ago
I've been able to consistently reproduce this with firebug 1.4.0a6 enabled by visiting http://store.apple.com/us/browse/home/shop_mac/family/macbook?mco=MTE3MjA
My Firefox always crashes here, same bug: http://www.adobe.com/products/flashplayer/
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081128 Minefield/3.1b3pre
firebug@software.joehewitt.com:1.2.1
crash id http://crash-stats.mozilla.com/report/index/d6756969-1658-44e4-acf9-6fc832081128
Since it's crashing on my Mac, you should change to "all platforms".
I get the same crash in www.youtube.com after a few videos. Firebug (1.3b4) is disabled but FF is still crashing. Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b3pre) Gecko/20081130 Minefield/3.1b3pre
Updated•16 years ago
Priority: -- → P1
Updated•16 years ago (Assignee)
Assignee: general → crowder
Comment 6•16 years ago
This test case was developed by firebug extender Manoj.
Comment 7•16 years ago
Regarding comment 4, depending on how you disabled firebug, the jsd layer may still be active.
OS: Linux → All
Whiteboard: [firebug p1]
Updated•16 years ago
Attachment #353339 - Attachment is obsolete: true
Comment 8•16 years ago
Comment on attachment 353339 [details]
test extension to crash FF
wrong stack
Comment 9•16 years ago
Sorry I got mixed up. Manoj's test case is a different crasher.
Comment 10•16 years ago
Marking critical per duped bug... Bug 469824 comment #0 says that they get this crash when navigating to cnn.com on both Linux and Windows Fx 3.1b2, when having an onScriptCreated hook that wants to have jsdScript.functionSource - in case that helps anyone to reproduce...
Severity: normal → critical
Comment 11•16 years ago
@John: I disabled Firebug from the add-ons menu, restarted FF and so on..
Comment 12•16 years ago (Assignee)
Is this issue still occurring?
Comment 13•16 years ago
http://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox:3.1b3pre&version=Firefox:3.2a1pre&query_search=signature&query_type=contains&query=js_GetLocalNameArray&date=&range_value=1&range_unit=weeks&do_query=1&signature=js_GetLocalNameArray 3.2a1pre 20081230033616 please practice using crash-stats.
Updated•16 years ago
Whiteboard: [firebug p1] → [firebug-p1]
Comment 14•16 years ago
Any news? Because the last Shiretoko nightly still crashes on http://www.adobe.com/go/getflashplayer/
Comment 15•16 years ago
http://www.tvn24.pl too
Comment 16•16 years ago (Assignee)
In debug, the crash looks like this:

#1 0x0025d896 in Decompile (ss=0xbfffa0b4, pc=0x1d31dcbc "?", nb=29, nextop=JSOP_NOP) at /Users/crowder/mozilla/js/src/jsopcode.cpp:2757
#2 0x002679ae in DecompileCode (jp=0x1d332ac0, script=0x1d31dc50, pc=0x1d31dcbc "?", len=29, pcdepth=0) at /Users/crowder/mozilla/js/src/jsopcode.cpp:4755
#3 0x00267c4b in js_DecompileScript (jp=0x1d332ac0, script=0x1d31dc50) at /Users/crowder/mozilla/js/src/jsopcode.cpp:4780
#4 0x001c588b in JS_DecompileScript (cx=0xc70a00, script=0x1d31dc50, name=0x1bd649be "ppscript", indent=4) at /Users/crowder/mozilla/js/src/jsapi.cpp:5029
#5 0x1bd58dcc in jsdScript::GetFunctionSource (this=0x1d31dd10, aFunctionSource=@0xbfffa330) at /Users/crowder/mozilla/js/jsd/jsd_xpc.cpp:1265
#6 0x00490ba1 in NS_InvokeByIndex_P (that=0x1d31dd10, methodIndex=14, paramCount=1, params=0xbfffa3c4) at /Users/crowder/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179
#7 0x111eae27 in XPCWrappedNative::CallMethod (ccx=@0xbfffa63c, mode=XPCWrappedNative::CALL_GETTER) at /Users/crowder/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2424
#8 0x111f9bd5 in XPCWrappedNative::GetAttribute (ccx=@0xbfffa63c) at xpcprivate.h:2298
#9 0x111f58c6 in XPC_WN_GetterSetter (cx=0xb43400, obj=0x1793e700, argc=0, argv=0xe2bb74, vp=0xbfffa76c) at /Users/crowder/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1511
#10 0x00237a3b in js_Invoke (cx=0xb43400, argc=0, vp=0xe2bb6c, flags=2) at jsinterp.cpp:1318
#11 0x00237d82 in js_InternalInvoke (cx=0xb43400, obj=0x1793e700, fval=411960448, flags=0, argc=0, argv=0x0, rval=0xbfffad98) at jsinterp.cpp:1393
#12 0x00237fe3 in js_InternalGetOrSet (cx=0xb43400, obj=0x1793e700, id=442130668, fval=411960448, mode=JSACC_READ, argc=0, argv=0x0, rval=0xbfffad98) at jsinterp.cpp:1454
#13 0x0024d5d9 in js_NativeGet (cx=0xb43400, obj=0x1793e700, pobj=0x1793e700, sprop=0x20a20410, vp=0xbfffad98) at /Users/crowder/mozilla/js/src/jsobj.cpp:3739
#14 0x0024e46e in js_GetPropertyHelper (cx=0xb43400, obj=0x1793e700, id=442130668, vp=0xbfffad98, entryp=0xbfffaccc) at /Users/crowder/mozilla/js/src/jsobj.cpp:3890
#15 0x002216e1 in js_Interpret (cx=0xb43400) at /Users/crowder/mozilla/js/src/jsinterp.cpp:4285
#16 0x00237acc in js_Invoke (cx=0xb43400, argc=3, vp=0xe2b944, flags=0) at jsinterp.cpp:1336
#17 0x00204f28 in js_fun_apply (cx=0xb43400, argc=3, vp=0xe2b910) at /Users/crowder/mozilla/js/src/jsfun.cpp:1732
#18 0x0022648c in js_Interpret (cx=0xb43400) at /Users/crowder/mozilla/js/src/jsinterp.cpp:4994
#19 0x00237acc in js_Invoke (cx=0xb43400, argc=3, vp=0xe2b8f4, flags=0) at jsinterp.cpp:1336

More to come...
Comment 17•16 years ago (Assignee)
Updated•16 years ago (Assignee)
Attachment #358515 - Flags: review?(brendan)
Comment 18•16 years ago (Assignee)
Comment on attachment 358515 [details] [diff] [review]
use FUN_OBJECT(callerFrame->fun) instead of potentially cloned callerFrame->callee

Thanks to Brendan and mrbkap for lots of help.
Comment 19•16 years ago
Comment on attachment 358515 [details] [diff] [review]
use FUN_OBJECT(callerFrame->fun) instead of potentially cloned callerFrame->callee

Why oh why did I advise graydon against this? Dunno, it's clearly right.

/be
Attachment #358515 - Flags: review?(brendan) → review+
Comment 20•16 years ago (Assignee)
This deserves to land tonight, but I have daddy-detail. I'll hit it much later, if no one else does.
Keywords: checkin-needed
Comment 21•16 years ago
I can check this in if you don't mind and will do tinderbox watch
Comment 22•16 years ago
checked in as https://hg.mozilla.org/mozilla-central/rev/e6693f9fb089
Ergo: FIXED.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 24•15 years ago
still crash, is it normal?
Comment 25•15 years ago
(In reply to comment #24)
> still crash, is it normal?

What is your build id?
Comment 26•15 years ago
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090128 Shiretoko/3.1b3pre http://crash-stats.mozilla.com/report/index/8cae72d4-cc71-4848-b6a9-696572090128
Comment 27•15 years ago
(In reply to comment #26)
> rv:1.9.1b3pre

You're on the 1.9.1 branch. You'll still crash until someone checks this patch into that branch and adds the fixed1.9.1 keyword.
Comment 28•15 years ago
ok, thanks :)
Comment 29•15 years ago
I figured that we should get this in sooner rather than later, since it's biting people, so: http://hg.mozilla.org/releases/mozilla-1.9.1/rev/ea2bc0ce0361
Keywords: fixed1.9.1
Comment 30•15 years ago (Assignee)
Thanks!
Updated•15 years ago
Keywords: checkin-needed
Updated•15 years ago
Flags: in-testsuite-
Updated•13 years ago
Crash Signature: [@ js_GetLocalNameArray]