595208 - Crash [@ js::PropertyCache::fullTest(JSContext*, unsigned char*, JSObject**, JSObject**, js::PropertyCacheEntry*) ] with Firebug, eventbug

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Scoobidiver (away)]

Build : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b6pre) Gecko/20100909 Firefox/4.0b6pre

This is a new crash signature which has been introduced by this build.
It is #1 TOP crasher for b6pre/20100910 build.
It is mainly a start-up crash.

* Start-up crash signature :
Signature	js::PropertyCache::fullTest(JSContext*, unsigned char*, JSObject**, JSObject**, js::PropertyCacheEntry*)
UUID	02bf07a9-f981-4183-8c88-f9d2a2100910
Time 	2010-09-10 08:35:29.116052
Uptime	1
Last Crash	5 seconds before submission
Install Age	59 seconds since version was first installed.
Product	Firefox
Version	4.0b6pre
Build ID	20100910041829
Branch	2.0
OS	Windows NT
OS Version	6.1.7600
CPU	x86
CPU Info	GenuineIntel family 6 model 23 stepping 10
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x0
App Notes 	AdapterVendorID: 10de, AdapterDeviceID: 0393

Crashing Thread
Frame 	Module 	Signature [Expand] 	Source
0 	xul.dll 	js::PropertyCache::fullTest 	js/src/jspropertycache.cpp:345
1 	xul.dll 	js::Interpret 	js/src/jsinterp.cpp:4742
2 	xul.dll 	js::InvokeCommon<int > 	js/src/jsinterp.cpp:577
3 	xul.dll 	js::Invoke 	js/src/jsinterp.cpp:696
4 	xul.dll 	js::InternalInvoke 	js/src/jsinterp.cpp:736
5 	xul.dll 	nsJSContext::CallEventHandler 	dom/base/nsJSEnvironment.cpp:2174
6 	xul.dll 	nsJSEventListener::HandleEvent 	dom/src/events/nsJSEventListener.cpp:228
7 	xul.dll 	nsEventListenerManager::HandleEventSubType 	content/events/src/nsEventListenerManager.cpp:1112
8 	xul.dll 	nsEventListenerManager::HandleEventInternal 	content/events/src/nsEventListenerManager.cpp:1208
9 	xul.dll 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventDispatcher.cpp:341
10 	mozcrt19.dll 	arena_dalloc_small 	obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4153

* Other signature example :
Signature	js::PropertyCache::fullTest(JSContext*, unsigned char*, JSObject**, JSObject**, js::PropertyCacheEntry*)
UUID	d5821551-9040-4443-b573-a44de2100910
Time 	2010-09-10 08:17:19.726106
Uptime	197
Last Crash	222 seconds (3.7 minutes) before submission
Install Age	378 seconds (6.3 minutes) since version was first installed.
Product	Firefox
Version	4.0b6pre
Build ID	20100910041829
Branch	2.0
OS	Windows NT
OS Version	6.1.7600
CPU	x86
CPU Info	GenuineIntel family 6 model 23 stepping 6
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x0
App Notes 	AdapterVendorID: 10de, AdapterDeviceID: 06ec

Crashing Thread
Frame 	Module 	Signature [Expand] 	Source
0 	xul.dll 	js::PropertyCache::fullTest 	js/src/jspropertycache.cpp:345
1 	xul.dll 	js::Interpret 	js/src/jsinterp.cpp:3985
2 	xul.dll 	js::InvokeCommon<int > 	js/src/jsinterp.cpp:577
3 	xul.dll 	js::Invoke 	js/src/jsinterp.cpp:696
4 	xul.dll 	js::InternalInvoke 	js/src/jsinterp.cpp:736
5 	xul.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:4874
6 	xul.dll 	nsXBLProtoImplAnonymousMethod::Execute 	content/xbl/src/nsXBLProtoImplMethod.cpp:331
7 	xul.dll 	nsXBLBinding::ExecuteAttachedHandler 	content/xbl/src/nsXBLBinding.cpp:979
8 	xul.dll 	nsBindingManager::ProcessAttachedQueue 	content/xbl/src/nsBindingManager.cpp:1019
9 	xul.dll 	nsDocument::MaybeEndOutermostXBLUpdate 	content/base/src/nsDocument.cpp:3961
10 	xul.dll 	nsDocument::EndUpdate 	content/base/src/nsDocument.cpp:4003
11 	xul.dll 	nsXULDocument::EndUpdate 	content/xul/document/src/nsXULDocument.cpp:3318
12 	xul.dll 	mozAutoDocUpdate::~mozAutoDocUpdate 	content/base/src/mozAutoDocUpdate.h:66
13 	xul.dll 	nsINode::doInsertChildAt 	content/base/src/nsGenericElement.cpp:3630
14 	xul.dll 	nsGenericElement::InsertChildAt 	content/base/src/nsGenericElement.cpp:3541
15 	xul.dll 	nsINode::ReplaceOrInsertBefore 	content/base/src/nsGenericElement.cpp:4301
16 	xul.dll 	nsIDOMNode_AppendChild 	obj-firefox/js/src/xpconnect/src/dom_quickstubs.cpp:5452
17 	xul.dll 	js::Interpret 	js/src/jsinterp.cpp:4696
18 	xul.dll 	nsTArray_base::ShiftData 	obj-firefox/xpcom/build/nsTArray.cpp:164
19 	xul.dll 	CallMethodHelper::~CallMethodHelper 	js/src/xpconnect/src/xpcwrappednative.cpp:2424
20 	xul.dll 	XPC_WN_GetterSetter 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1783

More reports at :
http://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A4.0b6pre&query_search=signature&query_type=exact&query=js%3A%3APropertyCache%3A%3AfullTest%28JSContext*%2C%20unsigned%20char*%2C%20JSObject**%2C%20JSObject**%2C%20js%3A%3APropertyCacheEntry*%29&date=09%2F10%2F2010%2009%3A08%3A00&range_value=1&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=js%3A%3APropertyCache%3A%3AfullTest%28JSContext*%2C%20unsigned%20char*%2C%20JSObject**%2C%20JSObject**%2C%20js%3A%3APropertyCacheEntry*%29

The regression range is :
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=36f5cf6b2d42&tochange=8e0fce7d5b49

Comment 1

[John J. Barton]

Also reported by a Firebug user,
http://code.google.com/p/fbug/issues/detail?id=3922

Comment 2

[John J. Barton]

Steps to reproduce:
1) install Firebug 1.7a8, http://getfirebug.com/releases/firebug/1.7X
2) Install eventbug http://getfirebug.com/releases/eventbug
3) Open http://getfirebug.com
4) Open firebug F12, enable all panels (right click on statusbar icon), reload page
5) Firebug > Events > click on the [+] in the main panel.

Comment 3

[Andreas Gal :gal]

What does "enable all panels" mean? What am I supposed to select from the statusbar icon menu?

Comment 4

[Andreas Gal :gal]

Ok, never mind, I reproduced it (or at least something).

JavaScript error: chrome://firebug/content/lib.js, line 2139: context is null
JavaScript error: chrome://firebug/content/lib.js, line 2139: context is null
JavaScript error: chrome://firebug/content/lib.js, line 2139: context is null
JavaScript error: chrome://firebug/content/lib.js, line 2139: context is null
Assertion failure: regs && regs->fp, at ../../../js/src/jscntxt.h:1699

Comment 5

[Andreas Gal :gal]

We call apply (which is a native, js_fun_apply) with an empty stack, and it does internally Invoke() and runs a script, but cx->regs is not set along this path. I am not sure how this is supposed to work. This is deep in luke territory. But this is definitely a bad bug (probably easy to fix though).

For the STR, statusbar icon is the icon on the very left bottom, not the firebug icon in the firebug window.

Comment 6

[Luke Wagner [:luke]]

Andreas: if you already have it on hand, could you past the backtrace of that assert?

Comment 7

[Andreas Gal :gal]

Assertion failure: regs && regs->fp, at ../../../js/src/jscntxt.h:1699

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
0x0000000101a7ad2a in JS_Assert (s=0x101f5d810 "regs && regs->fp", file=0x101f5fce8 "../../../js/src/jscntxt.h", ln=1699) at ../../../js/src/jsutil.cpp:80
80	    *((int *) NULL) = 0;  /* To continue from here in GDB: "return" then "continue". */
(gdb) bt 10
#0  0x0000000101a7ad2a in JS_Assert (s=0x101f5d810 "regs && regs->fp", file=0x101f5fce8 "../../../js/src/jscntxt.h", ln=1699) at ../../../js/src/jsutil.cpp:80
#1  0x0000000101a68bf2 in JSContext::fp (this=0x1274f6d00) at jscntxt.h:1699
#2  0x0000000101a2268b in js::PropertyCache::fullTest (this=0x105dcc098, cx=0x1274f6d00, pc=0x1274ee276 ";", objp=0x7fff5fbf1f70, pobjp=0x7fff5fbf1d78, entry=0x105dd9458) at ../../../js/src/jspropertycache.cpp:327
#3  0x0000000101b855da in js::PropertyCache::test (this=0x105dcc098, cx=0x1274f6d00, pc=0x1274ee276 ";", obj=@0x7fff5fbf1f70, pobj=@0x7fff5fbf1d78, entry=@0x7fff5fbf1f58, atom=@0x7fff5fbf1c70) at jspropertycacheinlines.h:99
#4  0x000000010199c88e in js::Interpret () at ../../../js/src/jsinterp.cpp:4848
#5  0x00000001019aeb60 in js::RunScript (cx=0x1274f6d00, script=0x1281e2170, fp=0x1183088c8) at jsinterp.cpp:657
#6  0x00000001019af97a in js::Invoke (cx=0x1274f6d00, argsRef=@0x7fff5fbf2960, flags=0) at jsinterp.cpp:737
#7  0x000000010195ffc8 in js_fun_apply (cx=0x1274f6d00, argc=2, vp=0x118308878) at ../../../js/src/jsfun.cpp:2182
#8  0x00000001019b1927 in js::CallJSNative (cx=0x1274f6d00, native=0x10195fca6 <js_fun_apply(JSContext*, unsigned int, js::Value*)>, argc=2, vp=0x118308878) at jscntxtinlines.h:692
#9  0x000000010199c2af in js::Interpret () at ../../../js/src/jsinterp.cpp:4782
(More stack frames follow...)

Comment 8

[Luke Wagner [:luke]]

Thanks.  cx->regs definitely gets set on entry to js::Interpret, so I don't think the js_fun_apply-on-empty-stack is the culprit.  I'll investigate though.

Comment 9

[John J. Barton]

(In reply to comment #3)
> What does "enable all panels" mean? What am I supposed to select from the
> statusbar icon menu?

Maybe FF4.0 calls the bar across the bottom something else?  Or maybe you missed the "right click" in:
enable all panels (right click on statusbar icon),
Anyway sounds like you're set.

Comment 10

[Luke Wagner [:luke]]

The problem seems to be an unmatched call to JS_SaveFrameChain (which nulls cx->regs).  The JS_SaveFrameChain happens here:

#0  JSContext::setCurrentRegs at jscntxt.h:1724
#1  JSContext::saveActiveSegment at jscntxt.cpp:2087
#2  JS_SaveFrameChain at jsapi.cpp:5143
#3  XPCJSContextStack::Push at xpcthreadcontext.cpp:176
#4  in nsXPConnect::Push at nsXPConnect.cpp:2510
#5  in nsEventListenerInfo::GetDebugObject at nsEventListenerService.cpp:177
#6  NS_InvokeByIndex_P
#7  CallMethodHelper::Invokethis=0xbfff6e74) at xpcwrappednative.cpp:3072
#8  CallMethodHelper::Call at xpcwrappednative.cpp:2334
#9  XPCWrappedNative::CallMethod at xpcwrappednative.cpp:2298
#10 0xb69273a3 in XPC_WN_CallMethod at xpcwrappednativejsops.cpp:1593
#11 0xb73ff992 in js::CallJSNative at jscntxtinlines.h:692
#12 0xb763301f in js::Interpret at jsinterp.cpp:4783

and the assert happens when control returns back to frame 12 without JS_RestoreFrameChain having been called.

Looking at GetDebugObject from frame 5, I don't see any Pop() matching Push().  Since frame 12 is eventbug, I don't see how this is eventbug's fault either.  hg annotate for this code shows a recent change:

changeset:   58522:fc0384edf67b
user:        Igor Bukanov <igor@mir2.org>
date:        Fri Nov 26 15:11:14 2010 +0100
summary:     Bug 614578 - Removal of nsAutoGCRoot. r=mrbkap

The other change in nsEventListenerService.cpp listed in http://hg.mozilla.org/tracemonkey/diff/fc0384edf67b/content/events/src/nsEventListenerService.cpp has a matching Pop(), so I'm guessing its simply missing from GetDebugObject?

Comment 11

[Luke Wagner [:luke]]

oops, midair collision knocked out my motivational cc

Comment 12

[Andreas Gal :gal]

If GetDebugObject is reachable from content, this might be exploitable. Hidden until I get a chance to talk to mrbkap.

Comment 13

[Olli Pettay [:smaug]]

(In reply to comment #12)
> If GetDebugObject is reachable from content
It is not.

Comment 14

[David Mandelin [:dmandelin]]

Unhiding per comment 13.

Comment 15

[David Mandelin [:dmandelin]]

Attachment: Patch

Trivial fix given Luke's analysis.

At this point the comments have turned this bug into pretty much the Firebug version, so I'm going to morph to that. But for topcrashes, please file reproducible crashes with the same signature as a separate bug that blocks the topcrash. It helps us track these things better--keeping separate that case from the topcrash, in case they are not identical, but also reminding us to check on the topcrash after fixing the test case. (This time, we can just file a new bug on the topcrash if we need it.)

Comment 16

[David Mandelin [:dmandelin]]

http://hg.mozilla.org/tracemonkey/rev/5f815fe7434d

Comment 17

[Chris Leary [:cdleary] (not checking bugmail)]

cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/5f815fe7434d