Crash [@ JS_GetMethodById ] and [@ libmozjs.dylib@0x4e48 ]

VERIFIED FIXED in mozilla1.9.1b3

Status

()

P1
critical
VERIFIED FIXED
10 years ago
7 years ago

People

(Reporter: jmjeffery, Assigned: mrbkap)

Tracking

(5 keywords)

Trunk
mozilla1.9.1b3
crash, regression, testcase, topcrash, verified1.9.1
Points:
---
Bug Flags:
blocking1.9.1 +
in-testsuite +
in-litmus -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: fixed-in-tracemonkey, crash signature, URL)

Attachments

(1 attachment)

Visit the URL and latest Minefield crashes.

http://crash-stats.mozilla.com/report/index/34d475fd-a965-41dd-88df-b13872081222?p=1

Also reported in the builds forum:
http://forums.mozillazine.org/viewtopic.php?p=5291695#p5291695

Disabling JIT.content does not make any difference, nor does a clean profile, still crashes.
Regression on 7 or 8 November 2008.
Severity: normal → critical
Keywords: regression

Updated

10 years ago
Duplicate of this bug: 470935

Comment 3

10 years ago
Currently ranked #12 in 3.1 beta2 topcrash reports.
Flags: blocking1.9.1?

Updated

10 years ago
Keywords: topcrash

Comment 4

10 years ago
on mac  Build identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081220 Shiretoko/3.1b3pre

I just tested and produced

http://crash-stats.mozilla.com/report/index/dc8a825b-221e-47ef-8a41-7bfc42081223?p=1

the stack signature there appears to be  [@ libmozjs.dylib@0x4e48 ]

0  	libmozjs.dylib  	libmozjs.dylib@0x4e48  	
1 	libmozjs.dylib 	libmozjs.dylib@0x463f8 	
2 	libmozjs.dylib 	libmozjs.dylib@0x3893b 	
3 	libmozjs.dylib 	libmozjs.dylib@0x43e44 	
4 	libmozjs.dylib 	libmozjs.dylib@0x50c0d 	
5 	libmozjs.dylib 	libmozjs.dylib@0x44a22 	
6 	libmozjs.dylib 	libmozjs.dylib@0x36f35 	
7 	libmozjs.dylib 	libmozjs.dylib@0x44a86 	
8 	libmozjs.dylib 	libmozjs.dylib@0x44c3a 	
9 	libmozjs.dylib 	libmozjs.dylib@0x32f9 	
10 	XUL 	XUL@0x52a24a 	
11 	XUL 	XUL@0x5633ef 	
12 	XUL 	XUL@0x3faf1a 	
13 	XUL 	XUL@0x3fb4fd 	
14 	XUL 	XUL@0x41a24b 	
15 	XUL 	XUL@0x41a480 	
16 	XUL 	XUL@0x41b1c2 	
17 	XUL 	XUL@0x1fc2ae 	
18 	XUL 	XUL@0x749bd5
...
...
...
Summary: Crash [@ JS_GetMethodById ] → Crash [@ JS_GetMethodById ] and [@ libmozjs.dylib@0x4e48 ]

Comment 5

10 years ago
windows stack from some of the 3.1b2 data is better.

0  	js3250.dll  	JS_GetMethodById  	js/src/jsapi.cpp:3641
1 	js3250.dll 	js_CallIteratorNext 	js/src/jsiter.cpp:611
2 	js3250.dll 	js_Interpret 	js/src/jsinterp.cpp:3241
3 	js3250.dll 	js_Execute 	js/src/jsinterp.cpp:1559
4 	js3250.dll 	obj_eval 	js/src/jsobj.cpp:1345
5 	js3250.dll 	js_Invoke 	js/src/jsinterp.cpp:1313
6 	js3250.dll 	js_Interpret 	js/src/jsinterp.cpp:5135
7 	js3250.dll 	js_Invoke 	js/src/jsinterp.cpp:1331
8 	js3250.dll 	js_InternalInvoke 	js/src/jsinterp.cpp:1388
9 	js3250.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5242
10 	xul.dll 	nsJSContext::CallEventHandler 	dom/src/base/nsJSEnvironment.cpp:1979
11 	xul.dll 	nsGlobalWindow::RunTimeout 	dom/src/base/nsGlobalWindow.cpp:7661
12 	xul.dll 	nsGlobalWindow::TimerCallback 	dom/src/base/nsGlobalWindow.cpp:7993
13 	xul.dll 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:420
14 	xul.dll 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:512
15 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
16 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
17 	nspr4.dll 	PR_GetEnv 	
18 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:87
19 	firefox.exe 	firefox.exe@0x2197 	
20 	kernel32.dll 	kernel32.dll@0x17066

Comment 6

10 years ago
this crash also seen by several users on http://facebook.com and http://www.plaxo.com/
Reduced testcase: (function() { var k; eval("for (var k in {});") })()

This is upvar related.
Assignee: general → mrbkap
OS: Windows Vista → All
Created attachment 354344 [details] [diff] [review]
Spot fix

One casualty of this patch is in:
  (function(){var x;eval("for (x = 0; x < 5; x++);")})()
the |x| in the initializer won't get turned into an upvar. I don't know how important that is, though.
Attachment #354344 - Flags: review?(brendan)
Comment on attachment 354344 [details] [diff] [review]
Spot fix

Cite the bug# for convenience? Thanks for patching.

Better closures including upvars where the closure is called only, not passed as a funarg (up, down, or through the heap), coming soon in bug 452498.

/be
Attachment #354344 - Flags: review?(brendan) → review+

Updated

10 years ago
Status: NEW → ASSIGNED
Priority: -- → P1
Hardware: x86 → All
Target Milestone: --- → mozilla1.9.1b3

Updated

10 years ago
Depends on: 471044
No crash using the latest TM build:

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2a1pre) Gecko/20081224 Minefield/3.2a1pre Firefox/3.0.4 ID:20081224021447

Comment 12

10 years ago
merged to mc
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Resolution: --- → FIXED
Verified on today's nightly following merge:

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2a1pre) Gecko/20081226 Minefield/3.2a1pre Firefox/3.0.4 ID:20081226033733
Status: RESOLVED → VERIFIED

Updated

10 years ago
Keywords: testcase

Comment 15

10 years ago
Checking in js1_5/Regress/regress-470758-01.js;
Checking in js1_5/Regress/regress-470758-02.js;
http://hg.mozilla.org/mozilla-central/rev/2b3f17d46773
Flags: in-testsuite+
Flags: in-litmus-

Comment 16

10 years ago
v 1.9.1, 1.9.2
Keywords: fixed1.9.1 → verified1.9.1
Crash Signature: [@ JS_GetMethodById ] [@ libmozjs.dylib@0x4e48 ]
You need to log in before you can comment on or make changes to this bug.