487563 - Crash [@ js_Interpret]

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: backtrace, full

try {
  !(Iterator((
    eval("\
      (function(){\
        (function a() { \
          new function(){\
            __iterator__ = a\
          }\
        }\
      )(); \
      return this\
      })")
  )()))
} catch(e) {}


crashes both opt and debug TM tip js shell without -j at js_Interpret near null.

autoBisect shows this is probably related to bug 452498 or http://hg.mozilla.org/tracemonkey/rev/2cf0bbe3772a :

The first bad revision is:
changeset:   26784:2cf0bbe3772a
user:        Brendan Eich
date:        Sun Apr 05 21:17:22 2009 -0700
summary:     upvar2, aka the big one take 2 (452598, r=mrbkap).


The attached stack looks similar to the one in bug 487417, and it may also be related to bug 487445. (Both real world scenarios)

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(In reply to comment #0)
> The attached stack looks similar to the one in bug 487417, and it may also be
> related to bug 487445. (Both real world scenarios)

My bad, bug 487417 seems unrelated, not sure about the second one.

Comment 2

[Benjamin Smedberg]

I think I'm crashing consistently on every page of washingtonpost.com with a stack that looks marvelously like this one: http://crash-stats.moz,illa.com/report/index/b1832a00-75b1-4a64-a026-205592090409

Comment 3

[Mike Shaver (:shaver -- probably not reading bugmail closely)]

(Fixed crash report URL: http://crash-stats.mozilla.com/report/index/b1832a00-75b1-4a64-a026-205592090409 )

Comment 4

[Bob Clary [:bc] (inactive)]

http://news.cnet.com/8301-1009_3-10215678-83.html reliably reproduces the first three frames as well.

Comment 5

[Ed Lee :Mardak]

Query to see more stacks/comments:
http://crash-stats.mozilla.com/report/list?version=Firefox%3A3.6a1pre&signature=js_Interpret

Comment 6

[Blake Kaplan (:mrbkap) (inactive)]

Slightly reduced testcase:

  (function a() { (function b() { print(a) })() })()

Comment 7

[Daniel Holbert [:dholbert]]

I'm hitting what looks like the same crash at this URL:
http://www.techcrunch.com/2009/04/08/ap-exec-doesnt-know-it-has-a-youtube-channel-threatens-affiliate-for-embedding-videos/

Comment 9

[Jim Jeffery not reading bug-mail 1/2/11]

(In reply to comment #8)
> *** Bug 487637 has been marked as a duplicate of this bug. ***

I was working on regression range when 487637 was duped here: 

Regression range: 

No crash in changeset: http://hg.mozilla.org/mozilla-central/rev/ad109d30c05e
Crashes in changeset: http://hg.mozilla.org/mozilla-central/rev/92ec42507769

This puts the crash with the merge from TM

Comment 10

[Brendan Eich [:brendan]]

Attachment: fix

Comment 11

[Brendan Eich [:brendan]]

Reduced testcase in comment 6.

/be

Comment 12

[Brendan Eich [:brendan]]

Comment on attachment 371967 [details] [diff] [review]
fix

Alterna-patch coming that is more righteous.

/be

Comment 13

[Brendan Eich [:brendan]]

Attachment: better fix

Thanks to mrbkap for pushing for it.

/be

Comment 14

[Brendan Eich [:brendan]]

Attachment: better fix, with off-by-one in assertion fixed

Comment 15

[Brendan Eich [:brendan]]

Attachment: refreshed to tm tip

Comment 16

[Brendan Eich [:brendan]]

Fixed in tm:

http://hg.mozilla.org/tracemonkey/rev/ad1270a07a31

/be

Comment 17

[Brendan Eich [:brendan]]

Followup fix for windows bustage:

http://hg.mozilla.org/tracemonkey/rev/83c32829c57e

/be

Comment 18

[Robert Sayre]

http://hg.mozilla.org/mozilla-central/rev/ad1270a07a31

Comment 19

[Michael Lefevre]

There's a new topcrash making branch builds pretty unusable, which looks to me like a dupe of this - bug 489004.  If so, can this fix be landed on branch soon?

Comment 20

[Robert Sayre]

http://hg.mozilla.org/releases/mozilla-1.9.1/rev/403504f74d3e

Comment 22

[Henrik Skupin [:whimboo][⌚️UTC+1]]

Verified fixed on trunk and 1.9.1 with builds on OS X and Windows:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090420 Minefield/3.6a1pre ID:20090420031158

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4pre) Gecko/20090420 Shiretoko/3.5b4pre ID:20090420031111

Since we don't have any testcase yet, I used the given URL's from the duped bug 489004.

Comment 23

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(In reply to comment #22)
> Since we don't have any testcase yet, I used the given URL's from the duped bug
> 489004.

Comment #0 or comment #6 _is_ the testcase, unless you mean for testing in Fx, for which the conversion has 2 methods:

One, change the testcase into a one-liner and add "javascript:" in front, like this (for comment #6):

javascript:(function a() { (function b() { print(a) })() })()

or

javascript:{(function a() { (function b() { print(a) })() })()}

and copy and paste this into the location bar, then press enter, wait for crash and burn.

On the other hand, for cases like comment #0 where a one-liner's not obvious, add a <script> tag before and </script> tag after the testcase, then save as some arbitrary file, say test.html, then view the testcase in Fx. If it crashes, it's not fixed, but if it doesn't, then it is fixed, etc.

e.g. Save the following in a file, then open in Fx:

<script>
try {
  !(Iterator((
    eval("\
      (function(){\
        (function a() { \
          new function(){\
            __iterator__ = a\
          }\
        }\
      )(); \
      return this\
      })")
  )()))
} catch(e) {}
</script>

Comment 24

[Christian Holler (:decoder)]

Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929