Bug 595208 (Closed)
Opened 15 years ago, closed 14 years ago
Crash [@ js::PropertyCache::fullTest(JSContext*, unsigned char*, JSObject**, JSObject**, js::PropertyCacheEntry*) ] with Firebug, eventbug
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED

Tracking | Status | |
---|---|---|
blocking2.0 | --- | betaN+

Reporter: scoobidiver, Assigned: dmandelin
Keywords: crash, regression
Whiteboard: [firebug-p1][hardblocker][fixed-in-tracemonkey]
Attachments (1 file): patch, 828 bytes, smaug: review+
Build : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b6pre) Gecko/20100909 Firefox/4.0b6pre
This is a new crash signature which has been introduced by this build.
It is #1 TOP crasher for b6pre/20100910 build.
It is mainly a start-up crash.
* Start-up crash signature :
Signature js::PropertyCache::fullTest(JSContext*, unsigned char*, JSObject**, JSObject**, js::PropertyCacheEntry*)
UUID 02bf07a9-f981-4183-8c88-f9d2a2100910
Time 2010-09-10 08:35:29.116052
Uptime 1
Last Crash 5 seconds before submission
Install Age 59 seconds since version was first installed.
Product Firefox
Version 4.0b6pre
Build ID 20100910041829
Branch 2.0
OS Windows NT
OS Version 6.1.7600
CPU x86
CPU Info GenuineIntel family 6 model 23 stepping 10
Crash Reason EXCEPTION_ACCESS_VIOLATION
Crash Address 0x0
App Notes AdapterVendorID: 10de, AdapterDeviceID: 0393
Crashing Thread
Frame Module Signature [Expand] Source
0 xul.dll js::PropertyCache::fullTest js/src/jspropertycache.cpp:345
1 xul.dll js::Interpret js/src/jsinterp.cpp:4742
2 xul.dll js::InvokeCommon<int > js/src/jsinterp.cpp:577
3 xul.dll js::Invoke js/src/jsinterp.cpp:696
4 xul.dll js::InternalInvoke js/src/jsinterp.cpp:736
5 xul.dll nsJSContext::CallEventHandler dom/base/nsJSEnvironment.cpp:2174
6 xul.dll nsJSEventListener::HandleEvent dom/src/events/nsJSEventListener.cpp:228
7 xul.dll nsEventListenerManager::HandleEventSubType content/events/src/nsEventListenerManager.cpp:1112
8 xul.dll nsEventListenerManager::HandleEventInternal content/events/src/nsEventListenerManager.cpp:1208
9 xul.dll nsEventTargetChainItem::HandleEventTargetChain content/events/src/nsEventDispatcher.cpp:341
10 mozcrt19.dll arena_dalloc_small obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4153
* Other signature example :
Signature js::PropertyCache::fullTest(JSContext*, unsigned char*, JSObject**, JSObject**, js::PropertyCacheEntry*)
UUID d5821551-9040-4443-b573-a44de2100910
Time 2010-09-10 08:17:19.726106
Uptime 197
Last Crash 222 seconds (3.7 minutes) before submission
Install Age 378 seconds (6.3 minutes) since version was first installed.
Product Firefox
Version 4.0b6pre
Build ID 20100910041829
Branch 2.0
OS Windows NT
OS Version 6.1.7600
CPU x86
CPU Info GenuineIntel family 6 model 23 stepping 6
Crash Reason EXCEPTION_ACCESS_VIOLATION
Crash Address 0x0
App Notes AdapterVendorID: 10de, AdapterDeviceID: 06ec
Crashing Thread
Frame Module Signature [Expand] Source
0 xul.dll js::PropertyCache::fullTest js/src/jspropertycache.cpp:345
1 xul.dll js::Interpret js/src/jsinterp.cpp:3985
2 xul.dll js::InvokeCommon<int > js/src/jsinterp.cpp:577
3 xul.dll js::Invoke js/src/jsinterp.cpp:696
4 xul.dll js::InternalInvoke js/src/jsinterp.cpp:736
5 xul.dll JS_CallFunctionValue js/src/jsapi.cpp:4874
6 xul.dll nsXBLProtoImplAnonymousMethod::Execute content/xbl/src/nsXBLProtoImplMethod.cpp:331
7 xul.dll nsXBLBinding::ExecuteAttachedHandler content/xbl/src/nsXBLBinding.cpp:979
8 xul.dll nsBindingManager::ProcessAttachedQueue content/xbl/src/nsBindingManager.cpp:1019
9 xul.dll nsDocument::MaybeEndOutermostXBLUpdate content/base/src/nsDocument.cpp:3961
10 xul.dll nsDocument::EndUpdate content/base/src/nsDocument.cpp:4003
11 xul.dll nsXULDocument::EndUpdate content/xul/document/src/nsXULDocument.cpp:3318
12 xul.dll mozAutoDocUpdate::~mozAutoDocUpdate content/base/src/mozAutoDocUpdate.h:66
13 xul.dll nsINode::doInsertChildAt content/base/src/nsGenericElement.cpp:3630
14 xul.dll nsGenericElement::InsertChildAt content/base/src/nsGenericElement.cpp:3541
15 xul.dll nsINode::ReplaceOrInsertBefore content/base/src/nsGenericElement.cpp:4301
16 xul.dll nsIDOMNode_AppendChild obj-firefox/js/src/xpconnect/src/dom_quickstubs.cpp:5452
17 xul.dll js::Interpret js/src/jsinterp.cpp:4696
18 xul.dll nsTArray_base::ShiftData obj-firefox/xpcom/build/nsTArray.cpp:164
19 xul.dll CallMethodHelper::~CallMethodHelper js/src/xpconnect/src/xpcwrappednative.cpp:2424
20 xul.dll XPC_WN_GetterSetter js/src/xpconnect/src/xpcwrappednativejsops.cpp:1783
More reports at :
http://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A4.0b6pre&query_search=signature&query_type=exact&query=js%3A%3APropertyCache%3A%3AfullTest%28JSContext*%2C%20unsigned%20char*%2C%20JSObject**%2C%20JSObject**%2C%20js%3A%3APropertyCacheEntry*%29&date=09%2F10%2F2010%2009%3A08%3A00&range_value=1&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=js%3A%3APropertyCache%3A%3AfullTest%28JSContext*%2C%20unsigned%20char*%2C%20JSObject**%2C%20JSObject**%2C%20js%3A%3APropertyCacheEntry*%29
The regression range is :
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=36f5cf6b2d42&tochange=8e0fce7d5b49
Comment 1•15 years ago
Also reported by a Firebug user,
http://code.google.com/p/fbug/issues/detail?id=3922
Comment 2•15 years ago
Steps to reproduce:
1) Install Firebug 1.7a8, http://getfirebug.com/releases/firebug/1.7X
2) Install eventbug http://getfirebug.com/releases/eventbug
3) Open http://getfirebug.com
4) Open firebug F12, enable all panels (right click on statusbar icon), reload page
5) Firebug > Events > click on the [+] in the main panel.
Whiteboard: [firebug-p1]
Comment 3•15 years ago
What does "enable all panels" mean? What am I supposed to select from the statusbar icon menu?
Comment 4•15 years ago
Ok, never mind, I reproduced it (or at least something).
JavaScript error: chrome://firebug/content/lib.js, line 2139: context is null
JavaScript error: chrome://firebug/content/lib.js, line 2139: context is null
JavaScript error: chrome://firebug/content/lib.js, line 2139: context is null
JavaScript error: chrome://firebug/content/lib.js, line 2139: context is null
Assertion failure: regs && regs->fp, at ../../../js/src/jscntxt.h:1699
Comment 5•15 years ago
We call apply (which is a native, js_fun_apply) with an empty stack, and it does internally Invoke() and runs a script, but cx->regs is not set along this path. I am not sure how this is supposed to work. This is deep in luke territory. But this is definitely a bad bug (probably easy to fix though).
For the STR, statusbar icon is the icon on the very left bottom, not the firebug icon in the firebug window.
Updated•15 years ago
blocking2.0: --- → betaN+
Updated•15 years ago
Assignee: general → lw
Comment 6•15 years ago
Andreas: if you already have it on hand, could you paste the backtrace of that assert?
Comment 7•15 years ago
Assertion failure: regs && regs->fp, at ../../../js/src/jscntxt.h:1699
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
0x0000000101a7ad2a in JS_Assert (s=0x101f5d810 "regs && regs->fp", file=0x101f5fce8 "../../../js/src/jscntxt.h", ln=1699) at ../../../js/src/jsutil.cpp:80
80 *((int *) NULL) = 0; /* To continue from here in GDB: "return" then "continue". */
(gdb) bt 10
#0 0x0000000101a7ad2a in JS_Assert (s=0x101f5d810 "regs && regs->fp", file=0x101f5fce8 "../../../js/src/jscntxt.h", ln=1699) at ../../../js/src/jsutil.cpp:80
#1 0x0000000101a68bf2 in JSContext::fp (this=0x1274f6d00) at jscntxt.h:1699
#2 0x0000000101a2268b in js::PropertyCache::fullTest (this=0x105dcc098, cx=0x1274f6d00, pc=0x1274ee276 ";", objp=0x7fff5fbf1f70, pobjp=0x7fff5fbf1d78, entry=0x105dd9458) at ../../../js/src/jspropertycache.cpp:327
#3 0x0000000101b855da in js::PropertyCache::test (this=0x105dcc098, cx=0x1274f6d00, pc=0x1274ee276 ";", obj=@0x7fff5fbf1f70, pobj=@0x7fff5fbf1d78, entry=@0x7fff5fbf1f58, atom=@0x7fff5fbf1c70) at jspropertycacheinlines.h:99
#4 0x000000010199c88e in js::Interpret () at ../../../js/src/jsinterp.cpp:4848
#5 0x00000001019aeb60 in js::RunScript (cx=0x1274f6d00, script=0x1281e2170, fp=0x1183088c8) at jsinterp.cpp:657
#6 0x00000001019af97a in js::Invoke (cx=0x1274f6d00, argsRef=@0x7fff5fbf2960, flags=0) at jsinterp.cpp:737
#7 0x000000010195ffc8 in js_fun_apply (cx=0x1274f6d00, argc=2, vp=0x118308878) at ../../../js/src/jsfun.cpp:2182
#8 0x00000001019b1927 in js::CallJSNative (cx=0x1274f6d00, native=0x10195fca6 <js_fun_apply(JSContext*, unsigned int, js::Value*)>, argc=2, vp=0x118308878) at jscntxtinlines.h:692
#9 0x000000010199c2af in js::Interpret () at ../../../js/src/jsinterp.cpp:4782
(More stack frames follow...)
Comment 8•15 years ago
Thanks. cx->regs definitely gets set on entry to js::Interpret, so I don't think the js_fun_apply-on-empty-stack is the culprit. I'll investigate though.
Comment 9•15 years ago
(In reply to comment #3)
> What does "enable all panels" mean? What am I supposed to select from the
> statusbar icon menu?
Maybe FF4.0 calls the bar across the bottom something else? Or maybe you missed the "right click" in:
enable all panels (right click on statusbar icon),
Anyway sounds like you're set.
Comment 10•15 years ago
The problem seems to be an unmatched call to JS_SaveFrameChain (which nulls cx->regs). The JS_SaveFrameChain happens here:
#0 JSContext::setCurrentRegs at jscntxt.h:1724
#1 JSContext::saveActiveSegment at jscntxt.cpp:2087
#2 JS_SaveFrameChain at jsapi.cpp:5143
#3 XPCJSContextStack::Push at xpcthreadcontext.cpp:176
#4 in nsXPConnect::Push at nsXPConnect.cpp:2510
#5 in nsEventListenerInfo::GetDebugObject at nsEventListenerService.cpp:177
#6 NS_InvokeByIndex_P
#7 CallMethodHelper::Invoke (this=0xbfff6e74) at xpcwrappednative.cpp:3072
#8 CallMethodHelper::Call at xpcwrappednative.cpp:2334
#9 XPCWrappedNative::CallMethod at xpcwrappednative.cpp:2298
#10 0xb69273a3 in XPC_WN_CallMethod at xpcwrappednativejsops.cpp:1593
#11 0xb73ff992 in js::CallJSNative at jscntxtinlines.h:692
#12 0xb763301f in js::Interpret at jsinterp.cpp:4783
and the assert happens when control returns back to frame 12 without JS_RestoreFrameChain having been called.
Looking at GetDebugObject from frame 5, I don't see any Pop() matching Push(). Since frame 12 is eventbug, I don't see how this is eventbug's fault either. hg annotate for this code shows a recent change:
changeset: 58522:fc0384edf67b
user: Igor Bukanov <igor@mir2.org>
date: Fri Nov 26 15:11:14 2010 +0100
summary: Bug 614578 - Removal of nsAutoGCRoot. r=mrbkap
The other change in nsEventListenerService.cpp listed in http://hg.mozilla.org/tracemonkey/diff/fc0384edf67b/content/events/src/nsEventListenerService.cpp has a matching Pop(), so I'm guessing it's simply missing from GetDebugObject?
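The save/restore imbalance diagnosed in this comment, as an added C++ model (constructed for this page; not Mozilla code and not the attached patch). Context, ContextStack, FrameChainGuard and the two GetDebugObject stand-ins are hypothetical; the RAII guard is one way to keep Push and Pop balanced on every return path, and regsIntactAfter is the invariant check a regression test would make.

```cpp
// Constructed model of comment 10: Push saves and nulls cx->regs, and a
// missing Pop leaves them null for the interpreter that resumes afterwards.
// Hypothetical names; not Mozilla's XPCJSContextStack or JSContext.
#include <cstddef>
#include <vector>

struct Regs { int fp; };                    // stands in for the interpreter frame regs
struct Context { Regs* regs = nullptr; };  // stands in for JSContext (cx->regs)

// Push saves the caller's regs and nulls them (the JS_SaveFrameChain effect);
// Pop restores them (the JS_RestoreFrameChain effect).
class ContextStack {
    std::vector<Regs*> saved_;
public:
    void Push(Context& cx) { saved_.push_back(cx.regs); cx.regs = nullptr; }
    void Pop(Context& cx)  { cx.regs = saved_.back(); saved_.pop_back(); }
    std::size_t depth() const { return saved_.size(); }
};

// RAII guard: Pop runs when the scope ends, so no return path can skip it.
class FrameChainGuard {
    ContextStack& stack_;
    Context& cx_;
public:
    FrameChainGuard(ContextStack& s, Context& cx) : stack_(s), cx_(cx) { stack_.Push(cx_); }
    ~FrameChainGuard() { stack_.Pop(cx_); }
};

// Buggy shape: Push with no matching Pop. cx.regs is still null on return,
// and the next interpreter access to cx->regs (the fullTest frame above) faults.
bool buggyGetDebugObject(ContextStack& stack, Context& cx) {
    stack.Push(cx);
    return true;                 // no Pop on this path
}

// Balanced shape: the guard restores regs when the function returns.
bool fixedGetDebugObject(ContextStack& stack, Context& cx) {
    FrameChainGuard guard(stack, cx);
    return true;
}

// Invariant the interpreter relies on: after a native call returns, the
// caller's regs are back and the context stack is at its previous depth.
bool regsIntactAfter(bool (*native)(ContextStack&, Context&)) {
    Regs callerRegs{1};
    Context cx; cx.regs = &callerRegs;
    ContextStack stack;
    native(stack, cx);
    return cx.regs == &callerRegs && stack.depth() == 0;
}
```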
Updated•15 years ago
Assignee: lw → general
Comment 11•15 years ago
oops, midair collision knocked out my motivational cc
Updated•15 years ago
Group: core-security
Comment 12•15 years ago
If GetDebugObject is reachable from content, this might be exploitable. Hidden until I get a chance to talk to mrbkap.
Comment 13•15 years ago
(In reply to comment #12)
> If GetDebugObject is reachable from content
It is not.
Updated•14 years ago
Whiteboard: [firebug-p1] → [firebug-p1][hardblocker]
Comment 15•14 years ago
Trivial fix given Luke's analysis.
At this point the comments have turned this bug into pretty much the Firebug version, so I'm going to morph to that. But for topcrashes, please file reproducible crashes with the same signature as a separate bug that blocks the topcrash. It helps us track these things better--keeping separate that case from the topcrash, in case they are not identical, but also reminding us to check on the topcrash after fixing the test case. (This time, we can just file a new bug on the topcrash if we need it.)
Assignee: general → dmandelin
Status: NEW → ASSIGNED
Attachment #505306 -
Flags: review?(Olli.Pettay)
Updated•14 years ago
Summary: Crash [@ js::PropertyCache::fullTest(JSContext*, unsigned char*, JSObject**, JSObject**, js::PropertyCacheEntry*) ] → Crash [@ js::PropertyCache::fullTest(JSContext*, unsigned char*, JSObject**, JSObject**, js::PropertyCacheEntry*) ] with Firebug, eventbug
Updated•14 years ago
Attachment #505306 -
Flags: review?(Olli.Pettay) → review+
Comment 16•14 years ago
Whiteboard: [firebug-p1][hardblocker] → [firebug-p1][hardblocker][fixed-in-tracemonkey]
Comment 17•14 years ago
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/5f815fe7434d
Updated•14 years ago
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•14 years ago
Crash Signature: [@ js::PropertyCache::fullTest(JSContext*, unsigned char*, JSObject**, JSObject**, js::PropertyCacheEntry*) ]