Closed Bug 541832 Opened 15 years ago Closed 14 years ago

Firefox 3.6 crashes in Balloc in JS_strtod in JSCompiler::compileScript

Categories: Firefox :: General, defect
Platform: x86 Linux
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED WORKSFORME
People: Reporter: mg, Unassigned
Whiteboard: [CLOSEME 2011-1-30]

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/532.8 (KHTML, like Gecko) Chrome/4.0.295.0 Safari/532.8
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2) Gecko/20100124 Gentoo Firefox/3.6

Firefox 3.6 crashes on many .js files, full backtrace below.

Reproducible: Sometimes

Program received signal SIGSEGV, Segmentation fault.
0xb785af3d in Balloc (s00=0xbfff7dac "1", '0' <repeats 16 times>, se=0xbfff7dd0, err=0xbfff7dcc) at /usr/include/bits/string3.h:52
52        return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
(gdb) bt
#0  0xb785af3d in Balloc (s00=0xbfff7dac "1", '0' <repeats 16 times>, se=0xbfff7dd0, err=0xbfff7dcc) at /usr/include/bits/string3.h:52
#1  _strtod (s00=0xbfff7dac "1", '0' <repeats 16 times>, se=0xbfff7dd0, err=0xbfff7dcc) at dtoa.c:1959
#2  JS_strtod (s00=0xbfff7dac "1", '0' <repeats 16 times>, se=0xbfff7dd0, err=0xbfff7dcc) at jsdtoa.cpp:136
#3  0xb78946eb in js_strtod (cx=0x9a811e00, s=0xbfff8790, send=0xbfff87b4, ep=0xbfff829c, dp=0xbfff8294) at jsnum.cpp:1192
#4  0xb78e5ff9 in js_GetToken (cx=0x9a811e00, ts=0xbfff86b0) at jsscan.cpp:1204
#5  0xb78c5943 in UnaryExpr (cx=<value optimized out>, ts=0xbfff86b0, tc=0xbfff87f4) at jsparse.cpp:6097
#6  0xb78c5da1 in MulExpr (cx=0x9a811e00, ts=0xbfff86b0, tc=0xbfff87f4) at jsparse.cpp:6009
#7  AddExpr (cx=0x9a811e00, ts=0xbfff86b0, tc=0xbfff87f4) at jsparse.cpp:5985
#8  0xb78c5f4b in ShiftExpr (cx=<value optimized out>, ts=0xbfff86b0, tc=0xbfff87f4) at jsparse.cpp:5970
#9  RelExpr (cx=<value optimized out>, ts=0xbfff86b0, tc=0xbfff87f4) at jsparse.cpp:5945
#10 0xb78c6105 in EqExpr (cx=<value optimized out>, ts=0x10, tc=0xbfff87f4) at jsparse.cpp:5923
#11 BitAndExpr (cx=<value optimized out>, ts=0x10, tc=0xbfff87f4) at jsparse.cpp:5911
#12 BitXorExpr (cx=<value optimized out>, ts=0x10, tc=0xbfff87f4) at jsparse.cpp:5898
#13 0xb78c6470 in BitOrExpr (cx=0x9a811e00, ts=0xbfff86b0, tc=0xbfff87f4) at jsparse.cpp:5885
#14 AndExpr (cx=0x9a811e00, ts=0xbfff86b0, tc=0xbfff87f4) at jsparse.cpp:5874
#15 OrExpr (cx=0x9a811e00, ts=0xbfff86b0, tc=0xbfff87f4) at jsparse.cpp:5863
#16 CondExpr (cx=0x9a811e00, ts=0xbfff86b0, tc=0xbfff87f4) at jsparse.cpp:5827
#17 AssignExpr (cx=0x9a811e00, ts=0xbfff86b0, tc=0xbfff87f4) at jsparse.cpp:5739
#18 0xb78c6902 in AssignExpr (cx=0x9a811e00, ts=0xbfff86b0, tc=0xbfff87f4) at jsparse.cpp:5801
#19 0xb78c6adf in Expr (cx=0x9a811e00, ts=0xbfff86b0, tc=0xbfff87f4) at jsparse.cpp:5693
#20 0xb78bfe82 in Statement (cx=<value optimized out>, ts=<value optimized out>, tc=0xbfff87f4) at jsparse.cpp:5440
#21 0xb78c919c in JSCompiler::compileScript (cx=0x9a811e00, scopeChain=0xafd88280, callerFrame=0x0, principals=0x9bb34d34, tcflags=24576, chars=0x9ae62008, length=928, file=0x0, filename=0x9df58608 "http://youtube.com/results?search_query=freebsd&search_type=&aq=f", lineno=3181, source=0x0) at jsparse.cpp:897
#22 0xb7835bc0 in JS_EvaluateUCScriptForPrincipals (cx=0x9a811e00, obj=0xafd88280, principals=0x9bb34d34, chars=0x9ae62008, length=928, filename=0x9df58608 "http://youtube.com/results?search_query=freebsd&search_type=&aq=f", lineno=3181, rval=0x0) at jsapi.cpp:5065
#23 0xb6e07c47 in nsJSContext::EvaluateString (this=0x99244d40, aScript=..., aScopeObject=0xafd88280, aPrincipal=0x9bb34d30, aURL=0x9df58608 "http://youtube.com/results?search_query=freebsd&search_type=&aq=f", aLineNo=3181, aVersion=0, aRetValue=0x0, aIsUndefined=0xbfff8b10) at nsJSEnvironment.cpp:1713
#24 0xb6cf7a64 in nsScriptLoader::EvaluateScript (this=0x9e1a5dc0, aRequest=0xa83330d0, aScript=...) at nsScriptLoader.cpp:711
#25 0xb6cf7ba0 in nsScriptLoader::ProcessRequest (this=0x9e1a5dc0, aRequest=0xa83330d0) at nsScriptLoader.cpp:625
#26 0xb6cf8b71 in nsScriptLoader::ProcessScriptElement (this=0x9e1a5dc0, aElement=0x9d393d64) at nsScriptLoader.cpp:577
#27 0xb6cf691f in nsScriptElement::MaybeProcessScript (this=0x9d393d64) at nsScriptElement.cpp:193
#28 0xb6d6612a in nsHTMLScriptElement::MaybeProcessScript (this=0x9d393d40) at nsHTMLScriptElement.cpp:564
#29 0xb6d65078 in nsHTMLScriptElement::DoneAddingChildren (this=0x9d393d40, aHaveNotified=1) at nsHTMLScriptElement.cpp:489
#30 0xb6d81921 in HTMLContentSink::ProcessSCRIPTEndTag (this=0x99872400, content=0x9d393d40, aMalformed=0) at nsHTMLContentSink.cpp:3094
#31 0xb6d82373 in SinkContext::CloseContainer (this=0x9e1a5e50, aTag=eHTMLTag_script, aMalformed=0) at nsHTMLContentSink.cpp:1013
#32 0xb6d82577 in HTMLContentSink::CloseContainer (this=0xb79800c4, aTag=eHTMLTag_body) at nsHTMLContentSink.cpp:2374
#33 0xb6b18645 in CNavDTD::CloseContainer (this=0x9d3c5cc0, aTag=eHTMLTag_script, aMalformed=0) at CNavDTD.cpp:2762
#34 0xb6b1b425 in CNavDTD::HandleEndToken (this=0x9d3c5cc0, aToken=0x9d7493f8) at CNavDTD.cpp:1641
#35 0xb6b1a71a in CNavDTD::HandleToken (this=0x9d3c5cc0, aToken=0x9d7493f8) at CNavDTD.cpp:721
#36 0xb6b1b788 in CNavDTD::BuildModel (this=0x9d3c5cc0, aTokenizer=0x9bbbdfb0, aCanInterrupt=1, aCountLines=1) at CNavDTD.cpp:304
#37 0xb6b21464 in nsParser::BuildModel (this=0x9e10d700) at nsParser.cpp:2456
#38 0xb6b251ea in nsParser::ResumeParse (this=0x9e10d700, allowIteration=1, aIsFinalChunk=0, aCanInterrupt=1) at nsParser.cpp:2337
#39 0xb6b24d70 in nsParser::OnDataAvailable (this=0x9e10d700, request=0xa290c5dc, aContext=0x0, pIStream=0x9aa7cf80, sourceOffset=12288, aLength=11623) at nsParser.cpp:2985
#40 0xb702e4d3 in nsDocumentOpenInfo::OnDataAvailable (this=0x9e1093d0, request=0xa290c5dc, aCtxt=0x0, inStr=0x9aa7cf80, sourceOffset=12288, count=11623) at nsURILoader.cpp:306
#41 0xb6accf0b in nsStreamListenerWrapper::OnDataAvailable (this=0x9d52c360, aRequest=0xa290c5dc, aContext=0x0, aInputStream=0x9aa7cf80, aOffset=12288, aCount=11623) at nsHttpChannel.cpp:5929
#42 0xb6a7760c in nsStreamListenerTee::OnDataAvailable (this=0x9aa60ca0, request=0xa290c5dc, context=0x0, input=0x9aa7cf60, offset=12288, count=11623) at nsStreamListenerTee.cpp:108
#43 0xb6a87de9 in nsHTTPCompressConv::do_OnDataAvailable (this=0x9e10e500, request=0xa290c5dc, context=0x0, offset=12288, buffer=0x9963c000 "ig%3DAGiWqtwHtV9iHJWBpogHoibg6ckiw50JmQ%26q%3Dhttp%3A%2F%2Fwww.vServerCenter.com%2Ffreebsd.html&amp;adtype=afs&amp;event=ad&amp;usg=K-S8Pk6TOyk73nLw5G2mFLH5wvI=\" dir=\"ltr\" class=\"afs-title\"><b>FreeBSD"..., count=11623) at nsHTTPCompressConv.cpp:375
#44 0xb6a880fc in nsHTTPCompressConv::OnDataAvailable (this=0x9e10e500, request=0xa290c5dc, aContext=0x0, iStr=0x9aa7cf40, aSourceOffset=12288, aCount=2848) at nsHTTPCompressConv.cpp:306
#45 0xb6a7760c in nsStreamListenerTee::OnDataAvailable (this=0x9aa7cee0, request=0xa290c5dc, context=0x0, input=0x9a676a28, offset=12288, count=2848) at nsStreamListenerTee.cpp:108
#46 0xb6ac11d2 in nsHttpChannel::OnDataAvailable (this=0xa290c5b0, request=0x9bb34560, ctxt=0x0, input=0x9a676a28, offset=12288, count=2848) at nsHttpChannel.cpp:5358
#47 0xb6a6207f in nsInputStreamPump::OnStateTransfer (this=0x9bb34560) at nsInputStreamPump.cpp:508
#48 0xb6a62194 in nsInputStreamPump::OnInputStreamReady (this=0x9bb34560, stream=0x9a676a28) at nsInputStreamPump.cpp:398
#49 0xb7250641 in nsInputStreamReadyEvent::Run (this=0x9aac7140) at nsStreamUtils.cpp:112
#50 0xb72646f5 in nsThread::ProcessNextEvent (this=0xb7a944c0, mayWait=1, result=0xbfff9780) at nsThread.cpp:527
#51 0xb7234774 in NS_ProcessNextEvent_P (thread=0xb79800c4, mayWait=1) at nsThreadUtils.cpp:250
#52 0xb7264a2c in nsThread::Shutdown (this=0x9bbfa970) at nsThread.cpp:468
#53 0xb727116b in NS_InvokeByIndex_P () from /usr/lib/xulrunner-1.9.2/libxul.so
#54 0xb72690d0 in nsProxyObjectCallInfo::Run (this=0x9e506af0) at nsProxyEvent.cpp:181
#55 0xb72646f5 in nsThread::ProcessNextEvent (this=0xb7a944c0, mayWait=1, result=0xbfff989c) at nsThread.cpp:527
#56 0xb7234774 in NS_ProcessNextEvent_P (thread=0xb79800c4, mayWait=1) at nsThreadUtils.cpp:250
#57 0xb71b758c in nsBaseAppShell::Run (this=0xb319d100) at nsBaseAppShell.cpp:170
#58 0xb70835ac in nsAppStartup::Run (this=0xb2f08820) at nsAppStartup.cpp:182
#59 0xb69ed19f in XRE_main (argc=1, argv=0xbfffef94, aAppData=0xb7a23940) at nsAppRunner.cpp:3506
#60 0x0804a1c7 in main (argc=1, argv=0xbfffef94) at nsXULStub.cpp:583

Some details:

#1  _strtod (s00=0xbfff7dac "1", '0' <repeats 16 times>, se=0xbfff7dd0, err=0xbfff7dcc) at dtoa.c:1959
1959      bd = Balloc(bd0->k);
#2  JS_strtod (s00=0xbfff7dac "1", '0' <repeats 16 times>, se=0xbfff7dd0, err=0xbfff7dcc) at jsdtoa.cpp:136
136       retval = _strtod(s00, se);
(gdb) p s00
$4 = 0xbfff7dac "1", '0' <repeats 16 times>
(gdb) p *se
$6 = 0xbfff8200 "\364\257\227\267p;\346\232\364\207\377\277\\\202\377\277\245\245\213\267\364\207\377\277\020H\346\232\354\202\377\277p;暰\206\377\277\260\206\377\277L\202\377\277"
#3  0xb78946eb in js_strtod (cx=0x9a811e00, s=0xbfff8790, send=0xbfff87b4, ep=0xbfff829c, dp=0xbfff8294) at jsnum.cpp:1192
1192      d = JS_strtod(cstr, &estr, &err);
(gdb) p *cx
$10 = {operationCallbackFlag = 0, link = {next = 0x9ace0204, prev = 0xb1393a04}, xmlSettingFlags = 0 '\000', padding = 0 '\000', display = {0x0 <repeats 16 times>}, version = 8192, options = 3081, localeCallbacks = 0xb77c5568, resolvingTable = 0x99033b60, rval2 = 0, rval2set = 0 '\000', generatingError = 0 '\000', insideGCMarkCallback = 0 '\000', throwing = 0 '\000', exception = 22, stackLimit = 3220673164, scriptStackQuota = 104832948, runtime = 0xb7a0f800, stackPool = {first = { next = 0x996f7000, base = 2592153224, limit = 2592153224, avail = 2592153224}, current = 0x996f7000, arenasize = 8192, mask = 3, quotap = 0x9a811e70}, fp = 0x0, tempPool = {first = {next = 0x9ae63800, base = 2592153264, limit = 2592153264, avail = 2592153264}, current = 0x9ae64800, arenasize = 1024, mask = 7, quotap = 0x9a811e70}, globalObject = 0xb239c620, weakRoots = {newborn = {0xada8cd00, 0x0, 0xb19853b8, 0x0, 0x0, 0xb1944878, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, lastAtom = -1292572604, lastInternalResult = 0}, regExpStatics = {input = 0xb23fa450, multiline = 0, parenCount = 0, moreLength = 0, parens = {{length = 5, chars = 0x9dd7de4e}, {length = 1, chars = 0x9dd7de58}, {length = 0, chars = 0x0}, {length = 0, chars = 0x0}, {length = 0, chars = 0x0}, {length = 0, chars = 0x0}, {length = 0, chars = 0x0}, { length = 0, chars = 0x0}, {length = 0, chars = 0x0}}, moreParens = 0x0, lastMatch = {length = 1, chars = 0x9a8d5510}, lastParen = {length = 0, chars = 0xb79809e0}, leftContext = {length = 0, chars = 0x9a8d5510}, rightContext = {length = 0, chars = 0x9a8d5512}}, sharpObjectMap = {depth = 0, sharpgen = 0, table = 0x0}, busyArrayTable = 0x99033aa0, argumentFormatMap = 0x99242200, lastMessage = 0x9946b9d0 "reference to undefined property c[d]", errorReporter = 0xb6e09699 <NS_ScriptErrorReporter(JSContext*, char const*, JSErrorReport*)>, operationCallback = 0xb6e08ab6 <nsJSContext::DOMOperationCallback(JSContext*)>, interpLevel = 0, data = 0x99244d40, data2 = 0x99411a90, dormantFrameChain = 0x0, thread = 0xb5719000, requestDepth = 1, outstandingRequests = 1, lockedSealedTitle = 0x0, threadLinks = {next = 0x9ace03b0, prev = 0xb1393bb0}, stackHeaders = 0x0, localRootStack = 0x0, tempValueRooters = 0xbfff87e8, doubleFreeList = 0xafbcc1a0, debugHooks = 0xb7a0f95c, securityCallbacks = 0x0, regexpPool = {first = { next = 0x9ae98000, base = 2592153568, limit = 2592153568, avail = 2592153568}, current = 0x9ae98000, arenasize = 12248, mask = 3, quotap = 0x9a811e70}, resolveFlags = 0, interpState = 0x0, bailExit = 0x0, jitEnabled = false}
(gdb) p *s
$11 = 49
(gdb) p *send
$12 = 107
(gdb) p *ep
$14 = (const jschar *) 0x1d
(gdb) p *dp
$15 = 1.2806937895421016e-314
Reporter, are you still seeing this issue with Firefox 3.6.13 or later in safe mode? If not, please close. These links can help you in your testing:
http://support.mozilla.com/kb/Safe+Mode
http://support.mozilla.com/kb/Managing+profiles
You can also try to reproduce in Firefox 4 Beta 8 or later; there are many improvements in the new version:
http://www.mozilla.com/en-US/firefox/all-beta.html
Whiteboard: [CLOSEME 2011-1-30]
3.6 branch doesn't crash anymore (though I don't run debug builds anymore). Closing.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Resolution: FIXED → WORKSFORME