Closed
Bug 595208
Opened 14 years ago
Closed 14 years ago
Crash [@ js::PropertyCache::fullTest(JSContext*, unsigned char*, JSObject**, JSObject**, js::PropertyCacheEntry*) ] with Firebug, eventbug
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | betaN+ |
People
(Reporter: scoobidiver, Assigned: dmandelin)
References
Details
(Keywords: crash, regression, Whiteboard: [firebug-p1][hardblocker][fixed-in-tracemonkey])
Crash Data
Attachments (1 file)

Attachment | Size | Review
---|---|---
patch | 828 bytes | smaug: review+
Build : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b6pre) Gecko/20100909 Firefox/4.0b6pre

This is a new crash signature which has been introduced by this build. It is the #1 top crasher for the b6pre/20100910 build. It is mainly a start-up crash.

* Start-up crash signature:

```
Signature      js::PropertyCache::fullTest(JSContext*, unsigned char*, JSObject**, JSObject**, js::PropertyCacheEntry*)
UUID           02bf07a9-f981-4183-8c88-f9d2a2100910
Time           2010-09-10 08:35:29.116052
Uptime         1
Last Crash     5 seconds before submission
Install Age    59 seconds since version was first installed.
Product        Firefox
Version        4.0b6pre
Build ID       20100910041829
Branch         2.0
OS             Windows NT
OS Version     6.1.7600
CPU            x86
CPU Info       GenuineIntel family 6 model 23 stepping 10
Crash Reason   EXCEPTION_ACCESS_VIOLATION
Crash Address  0x0
App Notes      AdapterVendorID: 10de, AdapterDeviceID: 0393

Crashing Thread
Frame  Module        Signature                                          Source
0      xul.dll       js::PropertyCache::fullTest                        js/src/jspropertycache.cpp:345
1      xul.dll       js::Interpret                                      js/src/jsinterp.cpp:4742
2      xul.dll       js::InvokeCommon<int >                             js/src/jsinterp.cpp:577
3      xul.dll       js::Invoke                                         js/src/jsinterp.cpp:696
4      xul.dll       js::InternalInvoke                                 js/src/jsinterp.cpp:736
5      xul.dll       nsJSContext::CallEventHandler                      dom/base/nsJSEnvironment.cpp:2174
6      xul.dll       nsJSEventListener::HandleEvent                     dom/src/events/nsJSEventListener.cpp:228
7      xul.dll       nsEventListenerManager::HandleEventSubType         content/events/src/nsEventListenerManager.cpp:1112
8      xul.dll       nsEventListenerManager::HandleEventInternal        content/events/src/nsEventListenerManager.cpp:1208
9      xul.dll       nsEventTargetChainItem::HandleEventTargetChain     content/events/src/nsEventDispatcher.cpp:341
10     mozcrt19.dll  arena_dalloc_small                                 obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4153
```

* Other signature example:

```
Signature      js::PropertyCache::fullTest(JSContext*, unsigned char*, JSObject**, JSObject**, js::PropertyCacheEntry*)
UUID           d5821551-9040-4443-b573-a44de2100910
Time           2010-09-10 08:17:19.726106
Uptime         197
Last Crash     222 seconds (3.7 minutes) before submission
Install Age    378 seconds (6.3 minutes) since version was first installed.
Product        Firefox
Version        4.0b6pre
Build ID       20100910041829
Branch         2.0
OS             Windows NT
OS Version     6.1.7600
CPU            x86
CPU Info       GenuineIntel family 6 model 23 stepping 6
Crash Reason   EXCEPTION_ACCESS_VIOLATION
Crash Address  0x0
App Notes      AdapterVendorID: 10de, AdapterDeviceID: 06ec

Crashing Thread
Frame  Module   Signature                                    Source
0      xul.dll  js::PropertyCache::fullTest                  js/src/jspropertycache.cpp:345
1      xul.dll  js::Interpret                                js/src/jsinterp.cpp:3985
2      xul.dll  js::InvokeCommon<int >                       js/src/jsinterp.cpp:577
3      xul.dll  js::Invoke                                   js/src/jsinterp.cpp:696
4      xul.dll  js::InternalInvoke                           js/src/jsinterp.cpp:736
5      xul.dll  JS_CallFunctionValue                         js/src/jsapi.cpp:4874
6      xul.dll  nsXBLProtoImplAnonymousMethod::Execute       content/xbl/src/nsXBLProtoImplMethod.cpp:331
7      xul.dll  nsXBLBinding::ExecuteAttachedHandler         content/xbl/src/nsXBLBinding.cpp:979
8      xul.dll  nsBindingManager::ProcessAttachedQueue       content/xbl/src/nsBindingManager.cpp:1019
9      xul.dll  nsDocument::MaybeEndOutermostXBLUpdate       content/base/src/nsDocument.cpp:3961
10     xul.dll  nsDocument::EndUpdate                        content/base/src/nsDocument.cpp:4003
11     xul.dll  nsXULDocument::EndUpdate                     content/xul/document/src/nsXULDocument.cpp:3318
12     xul.dll  mozAutoDocUpdate::~mozAutoDocUpdate          content/base/src/mozAutoDocUpdate.h:66
13     xul.dll  nsINode::doInsertChildAt                     content/base/src/nsGenericElement.cpp:3630
14     xul.dll  nsGenericElement::InsertChildAt              content/base/src/nsGenericElement.cpp:3541
15     xul.dll  nsINode::ReplaceOrInsertBefore               content/base/src/nsGenericElement.cpp:4301
16     xul.dll  nsIDOMNode_AppendChild                       obj-firefox/js/src/xpconnect/src/dom_quickstubs.cpp:5452
17     xul.dll  js::Interpret                                js/src/jsinterp.cpp:4696
18     xul.dll  nsTArray_base::ShiftData                     obj-firefox/xpcom/build/nsTArray.cpp:164
19     xul.dll  CallMethodHelper::~CallMethodHelper          js/src/xpconnect/src/xpcwrappednative.cpp:2424
20     xul.dll  XPC_WN_GetterSetter                          js/src/xpconnect/src/xpcwrappednativejsops.cpp:1783
```

More reports at: http://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A4.0b6pre&query_search=signature&query_type=exact&query=js%3A%3APropertyCache%3A%3AfullTest%28JSContext*%2C%20unsigned%20char*%2C%20JSObject**%2C%20JSObject**%2C%20js%3A%3APropertyCacheEntry*%29&date=09%2F10%2F2010%2009%3A08%3A00&range_value=1&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=js%3A%3APropertyCache%3A%3AfullTest%28JSContext*%2C%20unsigned%20char*%2C%20JSObject**%2C%20JSObject**%2C%20js%3A%3APropertyCacheEntry*%29

The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=36f5cf6b2d42&tochange=8e0fce7d5b49
Comment 1•14 years ago
Also reported by a Firebug user, http://code.google.com/p/fbug/issues/detail?id=3922
Comment 2•14 years ago
Steps to reproduce:

1) Install Firebug 1.7a8, http://getfirebug.com/releases/firebug/1.7X
2) Install eventbug, http://getfirebug.com/releases/eventbug
3) Open http://getfirebug.com
4) Open Firebug (F12), enable all panels (right click on statusbar icon), reload page
5) Firebug > Events > click on the [+] in the main panel.
Whiteboard: [firebug-p1]
Comment 3•14 years ago
What does "enable all panels" mean? What am I supposed to select from the statusbar icon menu?
Comment 4•14 years ago
Ok, never mind, I reproduced it (or at least something).

```
JavaScript error: chrome://firebug/content/lib.js, line 2139: context is null
JavaScript error: chrome://firebug/content/lib.js, line 2139: context is null
JavaScript error: chrome://firebug/content/lib.js, line 2139: context is null
JavaScript error: chrome://firebug/content/lib.js, line 2139: context is null
Assertion failure: regs && regs->fp, at ../../../js/src/jscntxt.h:1699
```
Comment 5•14 years ago
We call apply (which is a native, js_fun_apply) with an empty stack, and it does internally Invoke() and runs a script, but cx->regs is not set along this path. I am not sure how this is supposed to work. This is deep in luke territory. But this is definitely a bad bug (probably easy to fix though). For the STR, statusbar icon is the icon on the very left bottom, not the firebug icon in the firebug window.
Updated•14 years ago
blocking2.0: --- → betaN+
Updated•14 years ago
Assignee: general → lw
Comment 6•14 years ago
Andreas: if you already have it on hand, could you past the backtrace of that assert?
Comment 7•14 years ago
```
Assertion failure: regs && regs->fp, at ../../../js/src/jscntxt.h:1699

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
0x0000000101a7ad2a in JS_Assert (s=0x101f5d810 "regs && regs->fp", file=0x101f5fce8 "../../../js/src/jscntxt.h", ln=1699) at ../../../js/src/jsutil.cpp:80
80          *((int *) NULL) = 0;  /* To continue from here in GDB: "return" then "continue". */
(gdb) bt 10
#0  0x0000000101a7ad2a in JS_Assert (s=0x101f5d810 "regs && regs->fp", file=0x101f5fce8 "../../../js/src/jscntxt.h", ln=1699) at ../../../js/src/jsutil.cpp:80
#1  0x0000000101a68bf2 in JSContext::fp (this=0x1274f6d00) at jscntxt.h:1699
#2  0x0000000101a2268b in js::PropertyCache::fullTest (this=0x105dcc098, cx=0x1274f6d00, pc=0x1274ee276 ";", objp=0x7fff5fbf1f70, pobjp=0x7fff5fbf1d78, entry=0x105dd9458) at ../../../js/src/jspropertycache.cpp:327
#3  0x0000000101b855da in js::PropertyCache::test (this=0x105dcc098, cx=0x1274f6d00, pc=0x1274ee276 ";", obj=@0x7fff5fbf1f70, pobj=@0x7fff5fbf1d78, entry=@0x7fff5fbf1f58, atom=@0x7fff5fbf1c70) at jspropertycacheinlines.h:99
#4  0x000000010199c88e in js::Interpret () at ../../../js/src/jsinterp.cpp:4848
#5  0x00000001019aeb60 in js::RunScript (cx=0x1274f6d00, script=0x1281e2170, fp=0x1183088c8) at jsinterp.cpp:657
#6  0x00000001019af97a in js::Invoke (cx=0x1274f6d00, argsRef=@0x7fff5fbf2960, flags=0) at jsinterp.cpp:737
#7  0x000000010195ffc8 in js_fun_apply (cx=0x1274f6d00, argc=2, vp=0x118308878) at ../../../js/src/jsfun.cpp:2182
#8  0x00000001019b1927 in js::CallJSNative (cx=0x1274f6d00, native=0x10195fca6 <js_fun_apply(JSContext*, unsigned int, js::Value*)>, argc=2, vp=0x118308878) at jscntxtinlines.h:692
#9  0x000000010199c2af in js::Interpret () at ../../../js/src/jsinterp.cpp:4782
(More stack frames follow...)
```
Comment 8•14 years ago
Thanks. cx->regs definitely gets set on entry to js::Interpret, so I don't think the js_fun_apply-on-empty-stack is the culprit. I'll investigate though.
Comment 9•14 years ago
(In reply to comment #3)
> What does "enable all panels" mean? What am I supposed to select from the
> statusbar icon menu?

Maybe FF4.0 calls the bar across the bottom something else? Or maybe you missed the "right click" in: enable all panels (right click on statusbar icon). Anyway, sounds like you're set.
Comment 10•14 years ago
The problem seems to be an unmatched call to JS_SaveFrameChain (which nulls cx->regs). The JS_SaveFrameChain happens here:

```
#0  JSContext::setCurrentRegs at jscntxt.h:1724
#1  JSContext::saveActiveSegment at jscntxt.cpp:2087
#2  JS_SaveFrameChain at jsapi.cpp:5143
#3  XPCJSContextStack::Push at xpcthreadcontext.cpp:176
#4  in nsXPConnect::Push at nsXPConnect.cpp:2510
#5  in nsEventListenerInfo::GetDebugObject at nsEventListenerService.cpp:177
#6  NS_InvokeByIndex_P
#7  CallMethodHelper::Invoke (this=0xbfff6e74) at xpcwrappednative.cpp:3072
#8  CallMethodHelper::Call at xpcwrappednative.cpp:2334
#9  XPCWrappedNative::CallMethod at xpcwrappednative.cpp:2298
#10 0xb69273a3 in XPC_WN_CallMethod at xpcwrappednativejsops.cpp:1593
#11 0xb73ff992 in js::CallJSNative at jscntxtinlines.h:692
#12 0xb763301f in js::Interpret at jsinterp.cpp:4783
```

and the assert happens when control returns back to frame 12 without JS_RestoreFrameChain having been called. Looking at GetDebugObject from frame 5, I don't see any Pop() matching Push(). Since frame 12 is eventbug, I don't see how this is eventbug's fault either.

hg annotate for this code shows a recent change:

```
changeset:   58522:fc0384edf67b
user:        Igor Bukanov <igor@mir2.org>
date:        Fri Nov 26 15:11:14 2010 +0100
summary:     Bug 614578 - Removal of nsAutoGCRoot. r=mrbkap
```

The other change in nsEventListenerService.cpp listed in http://hg.mozilla.org/tracemonkey/diff/fc0384edf67b/content/events/src/nsEventListenerService.cpp has a matching Pop(), so I'm guessing it's simply missing from GetDebugObject?
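The failure mode comment 10 describes, a save-frame-chain call (which nulls `cx->regs`) left without its matching restore so that the interpreter later dereferences a null pointer, generalises to any push/pop discipline that relies on every exit path of a function remembering to pop. The following added example is not SpiderMonkey or XPConnect code; it is a small stand-alone model in which `Context`, `FrameRegs`, `saveFrameChain`, `restoreFrameChain` and `FrameChainGuard` are hypothetical stand-ins for the real API. It shows the unmatched-save defect beside the usual mitigation, an RAII guard whose destructor performs the restore, and a check a caller can run after a native returns to detect the inconsistent state instead of dereferencing it.

```cpp
#include <cassert>
#include <cstdio>
#include <vector>

// Hypothetical, simplified model of the save/restore frame-chain discipline.
// None of these names are SpiderMonkey's; they only mirror comment 10's description.
struct FrameRegs { int pc; };

struct Context {
    FrameRegs* regs = nullptr;            // active registers; the interpreter dereferences this
    std::vector<FrameRegs*> savedChain;   // regs stashed by outstanding (not yet restored) saves
};

// Stand-in for JS_SaveFrameChain: stash the active regs and clear the pointer.
void saveFrameChain(Context& cx) {
    cx.savedChain.push_back(cx.regs);
    cx.regs = nullptr;
}

// Stand-in for JS_RestoreFrameChain: put the most recently saved regs back.
void restoreFrameChain(Context& cx) {
    assert(!cx.savedChain.empty() && "restore without a matching save");
    cx.regs = cx.savedChain.back();
    cx.savedChain.pop_back();
}

// RAII guard: the restore runs on every exit path (normal return, early
// return, exception propagation), so a save can never be left unmatched.
class FrameChainGuard {
    Context& cx_;
public:
    explicit FrameChainGuard(Context& cx) : cx_(cx) { saveFrameChain(cx_); }
    ~FrameChainGuard() { restoreFrameChain(cx_); }
    FrameChainGuard(const FrameChainGuard&) = delete;
    FrameChainGuard& operator=(const FrameChainGuard&) = delete;
};

// The defect pattern: a native saves the chain and returns without restoring it.
void nativeWithUnmatchedSave(Context& cx) {
    saveFrameChain(cx);
    // ... work that runs with the chain saved ...
    // restoreFrameChain(cx) is missing here, so cx.regs stays null on return.
}

// The corrected pattern: the guard restores on scope exit, even on an early return.
void nativeWithGuard(Context& cx, bool earlyReturn) {
    FrameChainGuard guard(cx);
    if (earlyReturn) return;   // destructor still restores
    // ... work ...
}

// Invariant the interpreter needs when a native returns: regs is non-null and
// no saves are outstanding. Checking it here turns a null dereference into a
// detectable failure.
bool regsIntact(const Context& cx) {
    return cx.regs != nullptr && cx.savedChain.empty();
}

// Drive the buggy native; the invariant is violated afterwards.
bool runUnmatched() {
    FrameRegs r{0};
    Context cx;
    cx.regs = &r;
    nativeWithUnmatchedSave(cx);
    return regsIntact(cx);   // false
}

// Drive the guarded native; the invariant holds on both exit paths.
bool runGuarded(bool earlyReturn) {
    FrameRegs r{0};
    Context cx;
    cx.regs = &r;
    nativeWithGuard(cx, earlyReturn);
    return regsIntact(cx);   // true
}

int main() {
    std::printf("unmatched save leaves regs intact: %s\n", runUnmatched() ? "yes" : "no");
    std::printf("guarded, normal return, intact:    %s\n", runGuarded(false) ? "yes" : "no");
    std::printf("guarded, early return, intact:     %s\n", runGuarded(true) ? "yes" : "no");
    return 0;
}
```

The guard is the structural fix: once the restore lives in a destructor, adding an early return to the native (the kind of refactor that silently dropped the Pop() here) cannot reintroduce the imbalance. The `regsIntact` check is the detection side; in a real engine it is the role played by the `regs && regs->fp` assertion in comment 7, which is why the debug build asserted where the release build crashed at address 0x0.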
Updated•14 years ago
Assignee: lw → general
Comment 11•14 years ago
oops, midair collision knocked out my motivational cc
Updated•14 years ago
Group: core-security
Comment 12•14 years ago
If GetDebugObject is reachable from content, this might be exploitable. Hidden until I get a chance to talk to mrbkap.
Comment 13•14 years ago
(In reply to comment #12)
> If GetDebugObject is reachable from content

It is not.
Updated•14 years ago (Assignee)
Whiteboard: [firebug-p1] → [firebug-p1][hardblocker]
Comment 15•14 years ago (Assignee)
Trivial fix given Luke's analysis. At this point the comments have turned this bug into pretty much the Firebug version, so I'm going to morph to that. But for topcrashes, please file reproducible crashes with the same signature as a separate bug that blocks the topcrash. It helps us track these things better--keeping separate that case from the topcrash, in case they are not identical, but also reminding us to check on the topcrash after fixing the test case. (This time, we can just file a new bug on the topcrash if we need it.)
Assignee: general → dmandelin
Status: NEW → ASSIGNED
Attachment #505306 -
Flags: review?(Olli.Pettay)
Updated•14 years ago (Assignee)
Summary: Crash [@ js::PropertyCache::fullTest(JSContext*, unsigned char*, JSObject**, JSObject**, js::PropertyCacheEntry*) ] → Crash [@ js::PropertyCache::fullTest(JSContext*, unsigned char*, JSObject**, JSObject**, js::PropertyCacheEntry*) ] with Firebug, eventbug
Updated•14 years ago
Attachment #505306 -
Flags: review?(Olli.Pettay) → review+
Comment 16•14 years ago (Assignee)
http://hg.mozilla.org/tracemonkey/rev/5f815fe7434d
Whiteboard: [firebug-p1][hardblocker] → [firebug-p1][hardblocker][fixed-in-tracemonkey]
Comment 17•14 years ago
cdleary-bot mozilla-central merge info: http://hg.mozilla.org/mozilla-central/rev/5f815fe7434d
Updated•14 years ago
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•13 years ago
Crash Signature: [@ js::PropertyCache::fullTest(JSContext*, unsigned char*, JSObject**, JSObject**, js::PropertyCacheEntry*) ]