Closed Bug 506567 Opened 10 years ago Closed 10 years ago

Crash in 3.0.12 using watched variables [@ call_resolve]

Categories

(Core :: JavaScript Engine, defect, critical)

1.9.0 Branch
defect
Not set
critical

VERIFIED FIXED

People

(Reporter: calin, Assigned: mrbkap)

Attachments

(2 files)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.0.12) Gecko/2009070610 Firefox/3.0.12

The URL testcase crashes Firefox 3.0.12 when the 'Do It!' button is clicked, on both Linux and Windows.
It does not crash 3.0.11 or 3.5.1.

Reproducible: Always

Steps to Reproduce:
1. browse to http://www.splitreflection.com/~calin/firefox3.0.12-crash-testcase.html
2. Click the 'Do It!' button

Actual Results:  
Browser crash

Expected Results:  
alert box showing 'undefined'
Signature	call_resolve
UUID	cfd68503-af68-47be-96e0-057e32090726
Time 	2009-07-26 12:11:38.359307
Uptime	343223
Product	Camino
Version	2.0b4pre
Build ID	2009071000
Branch	1.9.0
OS	Mac OS X
OS Version	10.5.7 9J61
CPU	x86
CPU Info	GenuineIntel family 6 model 7 stepping 6
Crash Reason	EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE
Crash Address	0x1034e87
User Comments	
Processor Notes 	
Related Bugs

DUPLICATE

        * Bug 394544 RESOLVED [@ call_resolve] Assertion failure: fp->scopeChain == parent, at /home/ajvincent/trunk/mozilla/js/src/jsfun.c:610

Crashing Thread
Frame 	Module 	Signature 	Source
0 	libmozjs.dylib 	call_resolve 	mozilla/js/src/jsfun.c:866
1 	libmozjs.dylib 	js_LookupPropertyWithFlags 	mozilla/js/src/jsobj.c:3350
2 	libmozjs.dylib 	js_FindProperty 	mozilla/js/src/jsobj.c:3250
3 	libmozjs.dylib 	call_enumerate 	mozilla/js/src/jsfun.c:708
4 	libmozjs.dylib 	js_PutCallObject 	mozilla/js/src/jsfun.c:637
5 	libmozjs.dylib 	js_watch_set 	mozilla/js/src/jsdbgapi.c:666
6 	libmozjs.dylib 	js_NativeSet 	mozilla/js/src/jsobj.c:3634
7 	libmozjs.dylib 	js_SetPropertyHelper 	mozilla/js/src/jsobj.c:3942
8 	libmozjs.dylib 	js_Interpret 	mozilla/js/src/jsinterp.c:4538
9 	libmozjs.dylib 	js_Invoke 	mozilla/js/src/jsinterp.c:1322
10 	libmozjs.dylib 	js_InternalInvoke 	mozilla/js/src/jsinterp.c:1378
11 	libmozjs.dylib 	JS_CallFunctionValue 	mozilla/js/src/jsapi.c:5052
12 	Camino 	nsJSContext::CallEventHandler 	mozilla/dom/src/base/nsJSEnvironment.cpp:1962
Assignee: nobody → general
Component: General → JavaScript Engine
Keywords: crash
Product: Firefox → Core
QA Contact: general → general
Summary: Crash in 3.0.12 using watched variables → Crash in 3.0.12 using watched variables [@ call_resolve]
Version: unspecified → 1.9.0 Branch
I'm hoping bug 469492 will fix this, could someone figure out if that's true? :)
Well, it does not crash in Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2a1pre) Gecko/20090727 Minefield/3.6a1pre (.NET CLR 3.5.30729) ID:20090727044731, so maybe :)
John, can you upgrade to Firefox 3.5.1 and see if it crashes?
My original crash report says it does not crash 3.0.11 or 3.5.1
Confirming that this crashes 3.0.12 and does NOT crash 3.0.11.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.9.0.13?
good: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.12pre) Gecko/2009070105 GranParadiso/3.0.12pre
bad: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.12pre) Gecko/2009070205 GranParadiso/3.0.12pre

bug 501270?
This crash is still present in 3.0.13.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 469492
Would be good to attach the URL testcase to the bug (or better, to the bug this is a duplicate of).
Depends on: 469492
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.14?
Flags: blocking1.9.0.14+
Keywords: testcase-wanted
Keywords: qawanted
bclary: could you please turn the URL above into a reduced testcase for our regression suite? This appears to be a branch regression from bug 501270 that was pre-mitigated by 469492 on 1.9.1.
crashes 3.0.12 @ call_resolve
asserts js shell with Assertion failure: fun->u.i.nvars == fp->nvars, at jsfun.c:857
Flags: in-testsuite?
Assignee: general → mrbkap
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Whiteboard: [fixed by 469492]
Whiteboard: [fixed by 469492]
Attached patch: Fix
This is analogous to bug 502449, except with frame.vars/nvars instead of frame.slots. That's also why I missed this on the 1.9.0 branch. I think it's Late (TM) where Igor is, and the freeze is tomorrow, so I'm requesting review from brendan in case he gets to it first.
Attachment #393607 - Flags: review?(igor)
Attachment #393607 - Flags: review?(brendan)
Comment on attachment 393607 (Fix)

>@@ -593,26 +593,31 @@ js_watch_set(JSContext *cx, JSObject *ob
JSFUN_FAST_NATIVE);
>+                        varsStart = nslots;
>+                    } else {
>+                        varsStart = nslots;
>+                        nslots += fun->u.i.nvars;
>                     }
>                 }
> 
>+
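Review bot: `varsStart = nslots;` is assigned identically in both the if branch and the else branch shown here, and nothing in the visible lines changes `nslots` before the else branch's `nslots += fun->u.i.nvars;`, so the assignment can be hoisted above the `if` and only the `nslots += fun->u.i.nvars;` kept in the else; that also makes it explicit that the vars region is recorded before nvars is added to the slot count.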

Nit: extra blank line
Attachment #393607 - Flags: review?(igor) → review+
Attachment #393607 - Flags: review?(brendan) → approval1.9.0.14?
Comment on attachment 393607 (Fix)

Approved for 1.9.0.14. a=ss for release-drivers
Attachment #393607 - Flags: approval1.9.0.14? → approval1.9.0.14+
Checking in js/src/jsdbgapi.c;
/cvsroot/mozilla/js/src/jsdbgapi.c,v  <--  jsdbgapi.c
new revision: 3.154; previous revision: 3.153
done
Keywords: fixed1.9.0.14
Status: REOPENED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
No longer depends on: 469492
http://hg.mozilla.org/tracemonkey/rev/496fddacf274
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-506567.js,v  <--  regress-506567.js
initial revision: 1.1
Flags: in-testsuite? → in-testsuite+
Verified fixed in 1.9.0.14 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.14pre) Gecko/2009081305 GranParadiso/3.0.14pre (.NET CLR 3.5.30729).
Status: RESOLVED → VERIFIED
Crash Signature: [@ call_resolve]