Closed
Bug 600304
Opened 14 years ago
Closed 13 years ago
Segfault [ @ scopeChain] (on galaxy s)
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
fennec | 2.0+ | --- |
People
(Reporter: cjones, Unassigned)
Attachments
(1 file)
STR
(1) Navigate to http://wikipedia.org
(2) Search for "Thurgood marshall", hit enter

Crash when loading the page.

Program received signal SIGSEGV, Segmentation fault.
0x81a3e00e in scopeChain (cx=0x419ebaf8, vp=0x419ebb00) at /home/cjones/mozilla/mozilla-central/js/src/jsinterp.h:461
(gdb) bt
#0 0x81a3e00e in scopeChain (cx=0x419ebaf8, vp=0x419ebb00) at /home/cjones/mozilla/mozilla-central/js/src/jsinterp.h:461
#1 NewBuiltinClassInstance (cx=0x419ebaf8, vp=0x419ebb00) at /home/cjones/mozilla/mozilla-central/js/src/jsobjinlines.h:916
#2 js_PrimitiveToObject (cx=0x419ebaf8, vp=0x419ebb00) at /home/cjones/mozilla/mozilla-central/js/src/jsobj.cpp:5895
#3 0x81a29e28 in js::ComputeThisFromArgv (cx=0x419ebaf8, argv=<value optimized out>) at /home/cjones/mozilla/mozilla-central/js/src/jsinterp.cpp:323
#4 0x81a1e360 in ComputeThisFromVp (cx=0x419ebaf8, argc=3, vp=0x419ebaf8) at /home/cjones/mozilla/mozilla-central/js/src/jsinterp.h:822
#5 js_fun_call (cx=0x419ebaf8, argc=3, vp=0x419ebaf8) at /home/cjones/mozilla/mozilla-central/js/src/jsfun.cpp:2218
#6 0x4017750c in ?? ()
Cannot access memory at address 0x3ffa
(gdb) p scopeChain_
Cannot access memory at address 0xc

I can reproduce this very easily.
Comment 1 (Reporter) • 14 years ago
This is with m-c 4d7110bb65ec, m-b 521d4a65ef9b. Sorry, can't get output from DumpJSStack() because this is android :(.
Updated (Reporter) • 14 years ago
tracking-fennec: --- → ?
Comment 2 (Reporter) • 14 years ago
Just got the exciting iloop-looking

Thread 1 (Thread 9200):
#0 0xfffefb4c in y0 () from /home/cjones/android/gdb/lib/libm.so
#1 0xffff0006 in j0f () from /home/cjones/android/gdb/lib/libm.so
#2 0xffff0006 in j0f () from /home/cjones/android/gdb/lib/libm.so
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

I patched xpconnect for a little DumpJSStack() love, but it doesn't appear to be working properly:

I/Gecko ( 9200): 0 anonymous() ["http://bits.wikimedia.org/skins-1.5/common/jquery.min.js?283u":2]
I/Gecko ( 9200): genFx = [function]
I/Gecko ( 9200): fxAttrs = undefined
I/Gecko ( 9200): timerId = undefined
I/Gecko ( 9200): elemdisplay = undefined
I/Gecko ( 9200): jsc = undefined
I/Gecko ( 9200): styleFloat = undefined
I/Gecko ( 9200): bindReady = [function]
I/Gecko ( 9200): readyBound = false
I/Gecko ( 9200): liveConvert = [function]
I/Gecko ( 9200): liveHandler = [function]
I/Gecko ( 9200): withinElement = [function]
I/Gecko ( 9200): returnTrue = [function]
I/Gecko ( 9200): returnFalse = [function]
I/Gecko ( 9200): windowData = [object Object]
I/Gecko ( 9200): uuid = 0
I/Gecko ( 9200): expando = "jQuery1285703527039"
I/Gecko ( 9200): num = [function]
I/Gecko ( 9200): userAgent = "mozilla/5.0 (android; linux armv7l; rv:2.0b7pre) gecko/ firefox/4.0b7pre fennec/2.0b1pre"
I/Gecko ( 9200): toString = [function]
I/Gecko ( 9200): defaultView = [object Window]
I/Gecko ( 9200): exclude = /z-?index|font-?weight|opacity|zoom|line-?height/i
I/Gecko ( 9200): now = [function]
I/Gecko ( 9200): evalScript = [function]
I/Gecko ( 9200): isSimple = /^.[^:#\[\.,]*$/
I/Gecko ( 9200): quickExpr = /^[^<]*(<(.|\s)+>)[^>]*$|^#([\w-]+)$/
I/Gecko ( 9200): jQuery = [function]
I/Gecko ( 9200): _$ = undefined
I/Gecko ( 9200): _jQuery = undefined
I/Gecko ( 9200): undefined = undefined
I/Gecko ( 9200): window = [object Window]
I/Gecko ( 9200): thi

At least now we know jquery looks to be involved, possibly.
Comment 3 (Reporter) • 14 years ago
I have a PrintJSStack() method now, but hit a crash on wikipedia with

Program received signal SIGSEGV, Segmentation fault.
js_PCToLineNumber (cx=0x410e5720, fp=0x41400270) at /home/cjones/mozilla/mozilla-central/js/src/jsscript.cpp:1476
(gdb) bt
#0 js_PCToLineNumber (cx=0x410e5720, fp=0x41400270) at /home/cjones/mozilla/mozilla-central/js/src/jsscript.cpp:1476
#1 js_FramePCToLineNumber (cx=0x410e5720, fp=0x41400270) at /home/cjones/mozilla/mozilla-central/js/src/jsscript.cpp:1439
#2 0x819fd3e4 in PopulateReportBlame (cx=0x410e5720, flags=<value optimized out>, callback=0x819fb585 <js_GetErrorMessage(void*, char const*, uintN const)>, userRef=0x0, errorNumber=1, charArgs=1, ap=...) at /home/cjones/mozilla/mozilla-central/js/src/jscntxt.cpp:1361
#3 js_ReportErrorNumberVA (cx=0x410e5720, flags=<value optimized out>, callback=0x819fb585 <js_GetErrorMessage(void*, char const*, uintN const)>, userRef=0x0, errorNumber=1, charArgs=1, ap=...) at /home/cjones/mozilla/mozilla-central/js/src/jscntxt.cpp:1685
#4 0x819eaa46 in JS_ReportErrorNumber (cx=0x3b, errorCallback=0x819fd324 <js_ReportErrorNumberVA(JSContext*, uintN, JSErrorCallback, void*, uintN const, JSBool, va_list)+16>, userRef=0x9aea0000, errorNumber=1091336930) at /home/cjones/mozilla/mozilla-central/js/src/jsapi.cpp:5312
#5 0x819fbaa0 in js_ReportIsNotDefined (cx=0x3b, name=<value optimized out>) at /home/cjones/mozilla/mozilla-central/js/src/jscntxt.cpp:1748
#6 0x81b42b4e in js::mjit::ReportAtomNotDefined (cx=0x410e5720, atom=<value optimized out>) at /home/cjones/mozilla/mozilla-central/js/src/methodjit/StubCalls-inl.h:74
#7 0x81b44f04 in NameOp (f=..., obj=0x42834c60, callname=<value optimized out>) at /home/cjones/mozilla/mozilla-central/js/src/methodjit/StubCalls.cpp:376
#8 0x81b44fa4 in js::mjit::stubs::Name (f=...) at /home/cjones/mozilla/mozilla-central/js/src/methodjit/StubCalls.cpp:418
#9 0x81ae7b4a in JaegerStubVeneer () from libxul.so
#10 0x81ae7b4a in JaegerStubVeneer () from libxul.so
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) p PrintJSStack()

Program received signal SIGSEGV, Segmentation fault.
js_PCToLineNumber (cx=0x410e5720, script=0xffff0005, pc=<value optimized out>) at /home/cjones/mozilla/mozilla-central/js/src/jsscript.cpp:1476

So ... no JS stack yet. Will keep trying.
Comment 4 (Reporter) • 14 years ago
Best so far ...

Program received signal SIGSEGV, Segmentation fault.
0x00000000 in ?? () from /home/cjones/android/gdb/lib/libm.so
(gdb) bt
#0 0x00000000 in ?? () from /home/cjones/android/gdb/lib/libm.so
#1 0x40180b04 in ?? ()
Cannot access memory at address 0x3ffa
(gdb) p PrintJSStack()
$1 = 0x42c7c800 "0 anonymous(args = undefined, callback = [function], object = [object Object]) [\"http://en.m.wikipedia.org/javascripts/jquery.js\":20]\n value = undefined\n length = undefined\n i = 0\n name = "...
(gdb) set print elements 0
(gdb) printf "%s", $1
0 anonymous(args = undefined, callback = [function], object = [object Object]) ["http://en.m.wikipedia.org/javascripts/jquery.js":20]
    value = undefined
    length = undefined
    i = 0
    name = "next"
    this = function (selector, context) { return new jQuery.fn.init(selector, context); }
1 anonymous() ["http://en.m.wikipedia.org/javascripts/jquery.js":25]
    queue = undefined
    jsc = undefined
    withinElement = undefined
    bindReady = [function]
    readyBound = undefined
    quickClass = undefined
    quickID = undefined
    quickChild = undefined
    chars = undefined
    num = [function]
    styleFloat = "cssFloat"
    userAgent = "mozilla/5.0 (android; linux armv7l; rv:2.0b7pre) gecko/ firefox/4.0b7pre fennec/2.0b1pre"
    defaultView = [object Window]
    exclude = /z-?index|font-?weight|opacity|zoom|line-?height/i
    windowData = [object Object]
    uuid = 0
    expando = "jQuery1285709276542"
    now = [function]
    evalScript = [function]
    undefined = undefined
    isSimple = /^.[^:#\[\.]*$/
    quickExpr = /^[^<]*(<(.|\s)+>)[^>]*$|^#(\w+)$/
    jQuery = [function]
    _$ = undefined
    _jQuery = undefined
    this = [object Window]
2 <TOP LEVEL> ["http://en.m.wikipedia.org/javascripts/jquery.js":11]
    this = [object Window]
Comment 5 (Reporter) • 14 years ago
Got the crash in comment 4 by loading fennec, navigating to bing.com, navigating to wikipedia.org, and searching for and opening "Thurgood marshall". Not 100% reproducible, and I get different crashes/iloops when repro'ing. Have also been able to trigger crashes on http://jqueryui.com/demos/.
Comment 6 (Reporter) • 14 years ago
This is very useful on android where we don't have stdout and would otherwise need some awkward gymnastics to log the JS stack. Android has an __android_log_print() function, but it limits the length of the printed string. However, I think this function is generally useful (if one doesn't care about leaking memory). It partially solves the old problem of "Where did my DumpJSStack() go?"
Attachment #479179 - Flags: review?
Updated (Reporter) • 14 years ago
Attachment #479179 - Flags: review? → review?(jorendorff)
Updated • 14 years ago
tracking-fennec: ? → 2.0b1+
Comment 7 • 14 years ago
(In reply to comment #4)
>
> 1 anonymous() ["http://en.m.wikipedia.org/javascripts/jquery.js":25]

Do the jquery/ajax tests pass on Fennec?
Comment 8 • 14 years ago
OK, I can reproduce this on my Nexus One, I think. Is the symptom of a hanging content process just a gray screen in the content area?
Comment 9 • 14 years ago
cjones, does this work now?
Comment 10 • 14 years ago
answer: no, it doesn't.
Comment 11 • 14 years ago
Comment on attachment 479179
Add a PrintJSStack() friend of DumpJSStack() that returns a newly-allocated string instead of printing to stdout

Absolutely!
Attachment #479179 - Flags: review?(jorendorff) → review+
Updated • 14 years ago
tracking-fennec: 2.0b1+ → 2.0b2+
Comment 12 (Reporter) • 14 years ago
http://hg.mozilla.org/tracemonkey/rev/cd6c7304c066
Updated • 14 years ago
tracking-fennec: 2.0b2+ → 2.0+
Comment 13 • 14 years ago
cjones, we can close right? tm should have landed a few times on mc already.
Comment 14 • 13 years ago
This was fixed by us disabling method jit on 2.1 Galaxy S phones
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 15 • 13 years ago
Anyone on a Galaxy able to verify this is resolved?
Comment 16 • 13 years ago
(In reply to comment #15)
> Anyone on a Galaxy able to verify this is resolved?

I haven't hit it in forever