Closed Bug 470758 Opened 16 years ago Closed 16 years ago

Crash [@ JS_GetMethodById ] and [@ libmozjs.dylib@0x4e48 ]


(Core :: JavaScript Engine, defect, P1)






(Reporter: jmjjeffery, Assigned: mrbkap)




(5 keywords, Whiteboard: fixed-in-tracemonkey)

Crash Data


(1 file)

Visit the URL and latest Minefield crashes.

Also reported in the builds forum:

Disabling JIT.content does not make any difference, nor does a clean profile, still crashes.
Regression on 7 or 8 November 2008.
Severity: normal → critical
Keywords: regression
Currently ranked #12 in 3.1 beta2 topcrash reports.
Flags: blocking1.9.1?
Keywords: topcrash
on mac  Build identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081220 Shiretoko/3.1b3pre

I just tested and produced

the stack signature there appears to be  [@ libmozjs.dylib@0x4e48 ]

0  	libmozjs.dylib  	libmozjs.dylib@0x4e48  	
1 	libmozjs.dylib 	libmozjs.dylib@0x463f8 	
2 	libmozjs.dylib 	libmozjs.dylib@0x3893b 	
3 	libmozjs.dylib 	libmozjs.dylib@0x43e44 	
4 	libmozjs.dylib 	libmozjs.dylib@0x50c0d 	
5 	libmozjs.dylib 	libmozjs.dylib@0x44a22 	
6 	libmozjs.dylib 	libmozjs.dylib@0x36f35 	
7 	libmozjs.dylib 	libmozjs.dylib@0x44a86 	
8 	libmozjs.dylib 	libmozjs.dylib@0x44c3a 	
9 	libmozjs.dylib 	libmozjs.dylib@0x32f9 	
10 	XUL 	XUL@0x52a24a 	
11 	XUL 	XUL@0x5633ef 	
12 	XUL 	XUL@0x3faf1a 	
13 	XUL 	XUL@0x3fb4fd 	
14 	XUL 	XUL@0x41a24b 	
15 	XUL 	XUL@0x41a480 	
16 	XUL 	XUL@0x41b1c2 	
17 	XUL 	XUL@0x1fc2ae 	
18 	XUL 	XUL@0x749bd5
Summary: Crash [@ JS_GetMethodById ] → Crash [@ JS_GetMethodById ] and [@ libmozjs.dylib@0x4e48 ]
windows stack from some of the 3.1b2 data is better.

0  	js3250.dll  	JS_GetMethodById  	js/src/jsapi.cpp:3641
1 	js3250.dll 	js_CallIteratorNext 	js/src/jsiter.cpp:611
2 	js3250.dll 	js_Interpret 	js/src/jsinterp.cpp:3241
3 	js3250.dll 	js_Execute 	js/src/jsinterp.cpp:1559
4 	js3250.dll 	obj_eval 	js/src/jsobj.cpp:1345
5 	js3250.dll 	js_Invoke 	js/src/jsinterp.cpp:1313
6 	js3250.dll 	js_Interpret 	js/src/jsinterp.cpp:5135
7 	js3250.dll 	js_Invoke 	js/src/jsinterp.cpp:1331
8 	js3250.dll 	js_InternalInvoke 	js/src/jsinterp.cpp:1388
9 	js3250.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5242
10 	xul.dll 	nsJSContext::CallEventHandler 	dom/src/base/nsJSEnvironment.cpp:1979
11 	xul.dll 	nsGlobalWindow::RunTimeout 	dom/src/base/nsGlobalWindow.cpp:7661
12 	xul.dll 	nsGlobalWindow::TimerCallback 	dom/src/base/nsGlobalWindow.cpp:7993
13 	xul.dll 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:420
14 	xul.dll 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:512
15 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
16 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
17 	nspr4.dll 	PR_GetEnv 	
18 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:87
19 	firefox.exe 	firefox.exe@0x2197 	
20 	kernel32.dll 	kernel32.dll@0x17066
this crash also seen by several users on and
Reduced testcase: (function() { var k; eval("for (var k in {});") })()

This is upvar related.
Assignee: general → mrbkap
OS: Windows Vista → All
Attached patch Spot fixSplinter Review
One casualty of this patch is in:
  (function(){var x;eval("for (x = 0; x < 5; x++);")})()
the |x| in the initializer won't get turned into an upvar. I don't know how important that is, though.
Attachment #354344 - Flags: review?(brendan)
Comment on attachment 354344 [details] [diff] [review]
Spot fix

Cite the bug# for convenience? Thanks for patching.

Better closures including upvars where the closure is called only, not passed as a funarg (up, down, or through the heap), coming soon in bug 452498.

Attachment #354344 - Flags: review?(brendan) → review+
Priority: -- → P1
Hardware: x86 → All
Target Milestone: --- → mozilla1.9.1b3
Depends on: 471044
No crash using the latest TM build:

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2a1pre) Gecko/20081224 Minefield/3.2a1pre Firefox/3.0.4 ID:20081224021447
merged to mc
Closed: 16 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Resolution: --- → FIXED
Verified on today's nightly following merge:

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2a1pre) Gecko/20081226 Minefield/3.2a1pre Firefox/3.0.4 ID:20081226033733
Keywords: testcase
Checking in js1_5/Regress/regress-470758-01.js;
Checking in js1_5/Regress/regress-470758-02.js;
Flags: in-testsuite+
Flags: in-litmus-
v 1.9.1, 1.9.2
Crash Signature: [@ JS_GetMethodById ] [@ libmozjs.dylib@0x4e48 ]
You need to log in before you can comment on or make changes to this bug.