Crash in [@ js_IsDensePrimitiveArray ]

RESOLVED FIXED

Core
JavaScript Engine
--
critical
People

(Reporter: marcia, Assigned: gal)

Tracking

({crash, regression})

Trunk
Details

(Whiteboard: fixed-in-tracemonkey, crash signature, URL)

Seen while running Mozilla/5.0 (Windows; Windows NT 5.1; rv:2.0b3pre) Gecko/20100727 Minefield/4.0b3pre

STR:
1. Load site in URL.
2. Crash 100%

Does not crash using FF 3.6.8.

https://crash-stats.mozilla.com/report/index/bp-c422e063-cd6f-4a55-a7ef-f29152100727

Frame  	Module  	Signature  	Source
0 	mozjs.dll 	js_IsDensePrimitiveArray 	js/src/jsarray.cpp:3328
1 	xul.dll 	nsContentUtils::ReparentClonedObjectToScope 	content/base/src/nsContentUtils.cpp:5878
2 	xul.dll 	nsDOMWorkerMessageEvent::GetData 	dom/src/threads/nsDOMWorkerEvents.cpp:299
3 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
4 	xul.dll 	XPC_WN_GetterSetter 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1840
5 	mozjs.dll 	Invoke<int > 	js/src/jsinterp.cpp:591
6 	mozjs.dll 	js_Invoke 	js/src/jsinterp.cpp:693
7 	mozjs.dll 	js_InternalInvoke 	js/src/jsinterp.cpp:739
8 	mozjs.dll 	js_GetPropertyHelper 	js/src/jsobj.cpp:4922
9 	mozjs.dll 	js_Interpret 	js/src/jsops.cpp:1491
10 	mozjs.dll 	Invoke<int > 	js/src/jsinterp.cpp:602
11 	mozjs.dll 	js_Invoke 	js/src/jsinterp.cpp:693
12 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1689
13 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:570
14 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114
15 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
16 	xul.dll 	nsDOMWorkerMessageHandler::DispatchEvent 	dom/src/threads/nsDOMWorkerMessageHandler.cpp:329
http://tinyurl.com/2ecxarh indicates there are a few Mac crashes as well, so changing to all.
OS: Windows XP → All
Hardware: x86 → All
Sounds like obj->dslots is null even though length is nonzero.  Gal has been in this code recently, I think.
(Assignee)

Comment 3

8 years ago
I don't think my code was merged yet, but yeah, I looked at this recently.
(Assignee)

Updated

8 years ago
Assignee: general → gal
(Assignee)

Comment 4

8 years ago
Wow, that code is totally wrong:

    jsuint length = obj->getArrayLength();
    for (jsuint i = 0; i < length; i++) {
        if (obj->dslots[i].isObject())
            return JS_FALSE;
    }
(Assignee)

Updated

8 years ago
Blocks: 559476
(Assignee)

Comment 5

8 years ago
Created attachment 460773: patch

Capacity is in fslots now, so it's safe to always read it and it's OK to ignore length; slots past length will be holes, which are primitive.
Attachment #460773 - Flags: review?(brendan)
Attachment #460773 - Flags: review?(brendan) → review+
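An added illustration, not the engine's code and not the patch in attachment 460773, contrasting the loop quoted in comment 4 with a capacity-bounded version on the null-dslots shape comment 2 describes; the struct layout, the getDenseArrayCapacity accessor and the sample arrays are assumptions.

```cpp
#include <stdint.h>
// Constructed model of a SpiderMonkey-style dense array (assumed layout, not the
// engine's): `length` is the user-visible length, `capacity` counts allocated
// dslots entries, and `dslots` stays null until element storage is allocated.
enum class Tag { Hole, Int, Object };
struct Value { Tag tag; bool isObject() const { return tag == Tag::Object; } };
struct DenseArray {
    uint32_t length;    // may exceed capacity, e.g. after `a.length = 5` on an empty array
    uint32_t capacity;  // 0 whenever dslots is null
    Value *dslots;
    uint32_t getArrayLength() const { return length; }
    uint32_t getDenseArrayCapacity() const { return capacity; }  // assumed accessor name
};
// The check as quoted in comment 4: walks `length` entries, so an array whose length was
// set before any storage existed (dslots null, length > 0) dereferences null. Here that
// case is reported through `wouldCrash` instead of faulting.
bool isDensePrimitiveArrayBuggy(const DenseArray *obj, bool *wouldCrash) {
    uint32_t length = obj->getArrayLength();
    *wouldCrash = (obj->dslots == nullptr && length > 0);
    if (*wouldCrash)
        return false;
    for (uint32_t i = 0; i < length; i++)
        if (obj->dslots[i].isObject())
            return false;
    return true;
}
// Comment 5's reasoning applied: iterate capacity, not length. Capacity is 0 when dslots
// is null, so nothing is dereferenced; slots past length are holes, which are primitive.
bool isDensePrimitiveArrayFixed(const DenseArray *obj) {
    uint32_t capacity = obj->getDenseArrayCapacity();
    for (uint32_t i = 0; i < capacity; i++)
        if (obj->dslots[i].isObject())
            return false;
    return true;
}

// Case A (constructed): the shape comment 2 describes, length 5 with null dslots.
bool caseABuggyWouldCrash() {
    DenseArray a{5, 0, nullptr};
    bool crash = false;
    isDensePrimitiveArrayBuggy(&a, &crash);
    return crash;  // true: the reported null dereference
}
bool caseAFixed() { DenseArray a{5, 0, nullptr}; return isDensePrimitiveArrayFixed(&a); }  // true
// Case B (constructed): storage allocated with one object element and holes past length.
bool caseBObjectElement() {
    Value slots[4] = {{Tag::Int}, {Tag::Object}, {Tag::Hole}, {Tag::Hole}};
    DenseArray b{2, 4, slots};
    return isDensePrimitiveArrayFixed(&b);  // false: an object element is present
}
```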
(Assignee)

Comment 6

8 years ago
Marcia, thanks for the report. Was really easy to identify and fix based on the stack you posted.

http://hg.mozilla.org/tracemonkey/rev/d7c7ba27b84e
Whiteboard: fixed-in-tracemonkey

Comment 7

8 years ago
http://hg.mozilla.org/mozilla-central/rev/d7c7ba27b84e
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Crash Signature: [@ js_IsDensePrimitiveArray ]
Issue is resolved - clearing old keywords - qa-wanted clean-up
Keywords: regressionwindow-wanted