Closed Bug 516203 Opened 15 years ago Closed 15 years ago

Crash [@TraceRecorder::scopeChainProp(JSObject*, int*&, nanojit::LIns*&, TraceRecorder::NameResult&) ]

Categories

(Core :: JavaScript Engine, defect)

x86
Windows 7
defect
Not set
critical

RESOLVED DUPLICATE of bug 505591

People

(Reporter: david.maza.AU, Assigned: dmandelin)

Details

(Keywords: crash, Whiteboard: fixed-in-tracemonkey)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2a2pre) Gecko/20090912 Firefox/3.1b3pre GTB5 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2a2pre) Gecko/20090912 Firefox/3.1b3pre GTB5 (.NET CLR 3.5.30729)

Firefox crashes after trying to perform a flight search at http://www.qantas.com.au/travel/airlines/home/au/en

Reproducible: Always

Steps to Reproduce:
1. Visit http://www.qantas.com.au/travel/airlines/home/au/en
2. Try to search for a flight
3. After submitting the form you'll be taken to http://www.qantas.com.au/regions/do/dyn/bookingNotification where Firefox will crash once it tries to redirect you after completing the flight search.
Actual Results:  
Firefox Crashes.

Expected Results:  
User is redirected to flight search results.
Version: unspecified → 3.6 Branch
How did you manage to get a signature without a stack trace or incident id?
Assignee: nobody → general
Severity: normal → critical
Component: General → JavaScript Engine
Keywords: crash
Product: Firefox → Core
QA Contact: general → general
Version: 3.6 Branch → 1.9.2 Branch
Signature	TraceRecorder::scopeChainProp(JSObject*, int*&, nanojit::LIns*&, TraceRecorder::NameResult&)
UUID	e114fc7d-d700-4ca9-bc69-bd0c72090912
Time 	2009-09-12 21:03:11.66095
Uptime	115
Last Crash	142 seconds before submission
Product	Firefox
Version	3.6a2pre
Build ID	20090912053026
Branch	1.9.2
OS	Windows NT
OS Version	6.1.7600
CPU	x86
CPU Info	GenuineIntel family 6 model 15 stepping 13
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0xc
Crashing Thread
Frame 	Module 	Signature 	Source
0 	js3250.dll 	TraceRecorder::scopeChainProp 	js/src/jstracer.cpp:6907
1 	js3250.dll 	TraceRecorder::name 	js/src/jstracer.cpp:10804
2 	js3250.dll 	TraceRecorder::record_JSOP_FORNAME 	js/src/jstracer.cpp:11445
3 	js3250.dll 	TraceRecorder::monitorRecording 	js/src/jsopcode.tbl:268
4 	js3250.dll 	js_Interpret 	js/src/jsops.cpp:79
5 	js3250.dll 	js_Execute 	js/src/jsinterp.cpp:1610
6 	js3250.dll 	obj_eval 	js/src/jsobj.cpp:1499
7 	js3250.dll 	js_Invoke 	js/src/jsinterp.cpp:1371
8 	js3250.dll 	js_Interpret 	js/src/jsops.cpp:2199
9 	js3250.dll 	js_Execute 	js/src/jsinterp.cpp:1610
10 	js3250.dll 	JS_EvaluateUCScriptForPrincipals 	js/src/jsapi.cpp:5082
11 	xul.dll 	nsJSContext::EvaluateString 	dom/base/nsJSEnvironment.cpp:1682
12 	xul.dll 	nsScriptLoader::EvaluateScript 	content/base/src/nsScriptLoader.cpp:686
13 	xul.dll 	nsScriptLoader::ProcessRequest 	content/base/src/nsScriptLoader.cpp:600
14 	xul.dll 	xul.dll@0x3e504c
Yep, see a crash. bp-9f28134f-3c60-4c41-abbf-754e72090913
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.3a1pre) Gecko/20090912 Minefield/3.7a1pre (.NET CLR 3.5.30729) ID:20090912042051
Status: UNCONFIRMED → NEW
Ever confirmed: true
Version: 1.9.2 Branch → Trunk
I can't duplicate this. I did:

- load the URL http://www.qantas.com.au/travel/airlines/home/au/en
- enter "SFO" under destination, click on "San Francisco"
- click "Go"

I got to the "bookingNotification" page and was then forwarded to the results page without crashing.

But I may have some idea what's going on. The crash report in comment 4 shows the point of the crash as jstracer.cpp:6996 (from http://hg.mozilla.org/mozilla-central/file/7df4c375164f/js/src/jstracer.cpp#l6992):

  6992             // Compute number of scope chain links to result.
  6993             jsint scopeIndex = 0;
  6994             JSObject* tmp = JSVAL_TO_OBJECT(cx->fp->argv[-2]);
  6995             while (tmp != obj) {
  6996                 tmp = OBJ_GET_PARENT(cx, tmp);
  6997                 scopeIndex++;
  6998             }

My first guess would be that |tmp| becomes NULL before reaching |obj|. (This is backed up by the fact that the crash is for accessing address 0xc.) This would mean that js_FindProperty, for the |objp| and |pobjp| outparams, returns a call object that is not reachable by following parent links from the callee of the current frame. (Another possibility is that cx->fp->argv[-2] is NULL, but I'm told that doesn't happen.) This would seem to indicate that the scope chain contains a call object that is not reachable that way but can be the result of a name lookup. I don't have any idea how that would happen.

Next steps:

- David, could you try out my steps above, see if that crashes for you, and if not, provide some more detailed directions or other duplication help?

- If I can't duplicate it, I could still add the null check to that loop and it should fix the problem, but it would be unfortunate not to know the full cause.
Assignee: general → dmandelin
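The hypothesis in the comment above is that the parent-link walk runs off the end of the scope chain: once |tmp| becomes NULL the next OBJ_GET_PARENT dereferences a null object, which matches a fault at a small address such as 0xc. The following is an added illustration, not code from this bug or from SpiderMonkey: a constructed ToyObject with only a parent pointer stands in for JSObject, scope_index_unchecked mirrors the shape of the quoted loop, and scope_index_checked is the null-checked variant the comment proposes, returning -1 when the target object is not reachable by parent links so the caller can abort instead of crashing.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the engine's JSObject; only the parent link
 * matters for the loop quoted in the comment above. */
typedef struct ToyObject {
    const char *name;
    struct ToyObject *parent;   /* plays the role of OBJ_GET_PARENT(cx, tmp) */
} ToyObject;

/* Same shape as the quoted loop: walk parent links from the callee until obj
 * is reached. If obj is not on the chain, tmp becomes NULL and the next
 * tmp->parent read faults at a small offset from address 0. Shown only to
 * make the defect concrete; nothing below calls it. */
int scope_index_unchecked(ToyObject *callee, ToyObject *obj)
{
    int scopeIndex = 0;
    ToyObject *tmp = callee;
    while (tmp != obj) {
        tmp = tmp->parent;      /* faults once tmp is NULL */
        scopeIndex++;
    }
    return scopeIndex;
}

/* Hardened form of the same walk, as proposed in the comment: stop when the
 * chain ends and report that obj is unreachable (-1) instead of faulting.
 * A recorder would abort tracing at that point rather than continue. */
int scope_index_checked(ToyObject *callee, ToyObject *obj)
{
    int scopeIndex = 0;
    ToyObject *tmp = callee;
    if (obj == NULL)
        return -1;              /* no target to look for */
    while (tmp != obj) {
        if (tmp == NULL)
            return -1;          /* ran off the end of the scope chain */
        tmp = tmp->parent;
        scopeIndex++;
    }
    return scopeIndex;
}

/* Builds a constructed chain  callee -> call -> global -> NULL  plus one
 * "stray" call object that is not on the chain (the situation the comment
 * suspects js_FindProperty produced), and returns the scope index of the
 * object named by target, or -1 if it is not reachable. */
int demo_scope_index(const char *target)
{
    ToyObject global = { "global", NULL };
    ToyObject call   = { "call",   &global };
    ToyObject callee = { "callee", &call };
    ToyObject stray  = { "stray",  NULL };
    ToyObject *objs[] = { &callee, &call, &global, &stray };
    ToyObject *obj = NULL;
    size_t i;

    for (i = 0; i < sizeof objs / sizeof objs[0]; i++)
        if (strcmp(objs[i]->name, target) == 0)
            obj = objs[i];

    return scope_index_checked(&callee, obj);
}

int main(void)
{
    const char *names[] = { "callee", "call", "global", "stray" };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-7s -> scope index %d\n", names[i], demo_scope_index(names[i]));
    return 0;
}
```

With the checked walk, "stray" yields -1 where the unchecked loop would have faulted; the remaining objects give the same indices either way, so the check changes nothing on the well-formed path.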
I tried entering 'SFO' in the destination box, selected San Francisco, selected the departure date as the 17th of September, return date as the 21st, clicked 'Go', redirected to the pending search results page and then it crashed after trying to redirect me to the search results.
I just discovered that this version is OK:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.3a1pre) Gecko/20090917 Minefield/3.7a1pre

But in this version I can duplicate the problem:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a2pre) Gecko/20090917 Namoroka/3.6a2pre

I guess I just need to find out what changeset fixed it and get that ported over to 1.9.2.
The patch for bug 505591 fixes this.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Whiteboard: fixed-in-tracemonkey
Crash Signature: [@TraceRecorder::scopeChainProp(JSObject*, int*&, nanojit::LIns*&, TraceRecorder::NameResult&) ]