Closed Bug 600304 Opened 9 years ago Closed 9 years ago

Segfault [ @ scopeChain] (on galaxy s)

Categories

(Core :: JavaScript Engine, defect, critical)
Platform: ARM, Android


RESOLVED FIXED
Tracking Status
fennec 2.0+ ---

People

(Reporter: cjones, Unassigned)


Attachments

(1 file)

STR
 (1) Navigate to http://wikipedia.org
 (2) Search for "Thurgood marshall", hit enter

Crash when loading the page.

Program received signal SIGSEGV, Segmentation fault.
0x81a3e00e in scopeChain (cx=0x419ebaf8, vp=0x419ebb00) at /home/cjones/mozilla/mozilla-central/js/src/jsinterp.h:461
(gdb) bt
#0  0x81a3e00e in scopeChain (cx=0x419ebaf8, vp=0x419ebb00) at /home/cjones/mozilla/mozilla-central/js/src/jsinterp.h:461
#1  NewBuiltinClassInstance (cx=0x419ebaf8, vp=0x419ebb00) at /home/cjones/mozilla/mozilla-central/js/src/jsobjinlines.h:916
#2  js_PrimitiveToObject (cx=0x419ebaf8, vp=0x419ebb00) at /home/cjones/mozilla/mozilla-central/js/src/jsobj.cpp:5895
#3  0x81a29e28 in js::ComputeThisFromArgv (cx=0x419ebaf8, argv=<value optimized out>) at /home/cjones/mozilla/mozilla-central/js/src/jsinterp.cpp:323
#4  0x81a1e360 in ComputeThisFromVp (cx=0x419ebaf8, argc=3, vp=0x419ebaf8) at /home/cjones/mozilla/mozilla-central/js/src/jsinterp.h:822
#5  js_fun_call (cx=0x419ebaf8, argc=3, vp=0x419ebaf8) at /home/cjones/mozilla/mozilla-central/js/src/jsfun.cpp:2218
#6  0x4017750c in ?? ()
Cannot access memory at address 0x3ffa
(gdb) p scopeChain_
Cannot access memory at address 0xc

I can reproduce this very easily.
This is with m-c 4d7110bb65ec, m-b 521d4a65ef9b.  Sorry, can't get output from DumpJSStack() because this is android :(.
tracking-fennec: --- → ?
Just got the exciting iloop-looking

Thread 1 (Thread 9200):
#0  0xfffefb4c in y0 () from /home/cjones/android/gdb/lib/libm.so
#1  0xffff0006 in j0f () from /home/cjones/android/gdb/lib/libm.so
#2  0xffff0006 in j0f () from /home/cjones/android/gdb/lib/libm.so
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

I patched xpconnect for a little DumpJSStack() love, but it doesn't appear to be working properly:

I/Gecko   ( 9200): 0 anonymous() ["http://bits.wikimedia.org/skins-1.5/common/jquery.min.js?283u":2]
I/Gecko   ( 9200):     genFx = [function]
I/Gecko   ( 9200):     fxAttrs = undefined
I/Gecko   ( 9200):     timerId = undefined
I/Gecko   ( 9200):     elemdisplay = undefined
I/Gecko   ( 9200):     jsc = undefined
I/Gecko   ( 9200):     styleFloat = undefined
I/Gecko   ( 9200):     bindReady = [function]
I/Gecko   ( 9200):     readyBound = false
I/Gecko   ( 9200):     liveConvert = [function]
I/Gecko   ( 9200):     liveHandler = [function]
I/Gecko   ( 9200):     withinElement = [function]
I/Gecko   ( 9200):     returnTrue = [function]
I/Gecko   ( 9200):     returnFalse = [function]
I/Gecko   ( 9200):     windowData = [object Object]
I/Gecko   ( 9200):     uuid = 0
I/Gecko   ( 9200):     expando = "jQuery1285703527039"
I/Gecko   ( 9200):     num = [function]
I/Gecko   ( 9200):     userAgent = "mozilla/5.0 (android; linux armv7l; rv:2.0b7pre) gecko/ firefox/4.0b7pre fennec/2.0b1pre"
I/Gecko   ( 9200):     toString = [function]
I/Gecko   ( 9200):     defaultView = [object Window]
I/Gecko   ( 9200):     exclude = /z-?index|font-?weight|opacity|zoom|line-?height/i
I/Gecko   ( 9200):     now = [function]
I/Gecko   ( 9200):     evalScript = [function]
I/Gecko   ( 9200):     isSimple = /^.[^:#\[\.,]*$/
I/Gecko   ( 9200):     quickExpr = /^[^<]*(<(.|\s)+>)[^>]*$|^#([\w-]+)$/
I/Gecko   ( 9200):     jQuery = [function]
I/Gecko   ( 9200):     _$ = undefined
I/Gecko   ( 9200):     _jQuery = undefined
I/Gecko   ( 9200):     undefined = undefined
I/Gecko   ( 9200):     window = [object Window]
I/Gecko   ( 9200):     thi

At least now we know jquery looks to be involved, possibly.
I have a PrintJSStack() method now, but hit a crash on wikipedia with

Program received signal SIGSEGV, Segmentation fault.
js_PCToLineNumber (cx=0x410e5720, fp=0x41400270) at /home/cjones/mozilla/mozilla-central/js/src/jsscript.cpp:1476
(gdb) bt
#0  js_PCToLineNumber (cx=0x410e5720, fp=0x41400270) at /home/cjones/mozilla/mozilla-central/js/src/jsscript.cpp:1476
#1  js_FramePCToLineNumber (cx=0x410e5720, fp=0x41400270) at /home/cjones/mozilla/mozilla-central/js/src/jsscript.cpp:1439
#2  0x819fd3e4 in PopulateReportBlame (cx=0x410e5720, flags=<value optimized out>, callback=0x819fb585 <js_GetErrorMessage(void*, char const*, uintN const)>, userRef=0x0, errorNumber=1, charArgs=1, ap=...) at /home/cjones/mozilla/mozilla-central/js/src/jscntxt.cpp:1361
#3  js_ReportErrorNumberVA (cx=0x410e5720, flags=<value optimized out>, callback=0x819fb585 <js_GetErrorMessage(void*, char const*, uintN const)>, userRef=0x0, errorNumber=1, charArgs=1, ap=...) at /home/cjones/mozilla/mozilla-central/js/src/jscntxt.cpp:1685
#4  0x819eaa46 in JS_ReportErrorNumber (cx=0x3b, errorCallback=0x819fd324 <js_ReportErrorNumberVA(JSContext*, uintN, JSErrorCallback, void*, uintN const, JSBool, va_list)+16>, userRef=0x9aea0000, errorNumber=1091336930) at /home/cjones/mozilla/mozilla-central/js/src/jsapi.cpp:5312
#5  0x819fbaa0 in js_ReportIsNotDefined (cx=0x3b, name=<value optimized out>) at /home/cjones/mozilla/mozilla-central/js/src/jscntxt.cpp:1748
#6  0x81b42b4e in js::mjit::ReportAtomNotDefined (cx=0x410e5720, atom=<value optimized out>) at /home/cjones/mozilla/mozilla-central/js/src/methodjit/StubCalls-inl.h:74
#7  0x81b44f04 in NameOp (f=..., obj=0x42834c60, callname=<value optimized out>) at /home/cjones/mozilla/mozilla-central/js/src/methodjit/StubCalls.cpp:376
#8  0x81b44fa4 in js::mjit::stubs::Name (f=...) at /home/cjones/mozilla/mozilla-central/js/src/methodjit/StubCalls.cpp:418
#9  0x81ae7b4a in JaegerStubVeneer () from libxul.so
#10 0x81ae7b4a in JaegerStubVeneer () from libxul.so
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) p PrintJSStack()

Program received signal SIGSEGV, Segmentation fault.
js_PCToLineNumber (cx=0x410e5720, script=0xffff0005, pc=<value optimized out>) at /home/cjones/mozilla/mozilla-central/js/src/jsscript.cpp:1476


So ... no JS stack yet.  Will keep trying.
Best so far ...

Program received signal SIGSEGV, Segmentation fault.
0x00000000 in ?? () from /home/cjones/android/gdb/lib/libm.so
(gdb) bt
#0  0x00000000 in ?? () from /home/cjones/android/gdb/lib/libm.so
#1  0x40180b04 in ?? ()
Cannot access memory at address 0x3ffa
(gdb) p PrintJSStack()
$1 = 0x42c7c800 "0 anonymous(args = undefined, callback = [function], object = [object Object]) [\"http://en.m.wikipedia.org/javascripts/jquery.js\":20]\n    value = undefined\n    length = undefined\n    i = 0\n    name = "...
(gdb) set print elements 0
(gdb) printf "%s", $1
0 anonymous(args = undefined, callback = [function], object = [object Object]) ["http://en.m.wikipedia.org/javascripts/jquery.js":20]
    value = undefined
    length = undefined
    i = 0
    name = "next"
    this = function (selector, context) {
    return new jQuery.fn.init(selector, context);
}
1 anonymous() ["http://en.m.wikipedia.org/javascripts/jquery.js":25]
    queue = undefined
    jsc = undefined
    withinElement = undefined
    bindReady = [function]
    readyBound = undefined
    quickClass = undefined
    quickID = undefined
    quickChild = undefined
    chars = undefined
    num = [function]
    styleFloat = "cssFloat"
    userAgent = "mozilla/5.0 (android; linux armv7l; rv:2.0b7pre) gecko/ firefox/4.0b7pre fennec/2.0b1pre"
    defaultView = [object Window]
    exclude = /z-?index|font-?weight|opacity|zoom|line-?height/i
    windowData = [object Object]
    uuid = 0
    expando = "jQuery1285709276542"
    now = [function]
    evalScript = [function]
    undefined = undefined
    isSimple = /^.[^:#\[\.]*$/
    quickExpr = /^[^<]*(<(.|\s)+>)[^>]*$|^#(\w+)$/
    jQuery = [function]
    _$ = undefined
    _jQuery = undefined
    this = [object Window]
2 <TOP LEVEL> ["http://en.m.wikipedia.org/javascripts/jquery.js":11]
    this = [object Window]
Got the crash in comment 4 by loading fennec, navigating to bing.com, navigating to wikipedia.org, and searching for and opening "Thurgood marshall".  Not 100% reproducible, and I get different crashes/iloops when repro'ing.  Have also been able to trigger crashes on http://jqueryui.com/demos/.
This is very useful on Android where we don't have stdout and would otherwise need some awkward gymnastics to log the JS stack.  Android has an __android_log_print() function, but it limits the length of the printed string.

However, I think this function is generally useful (if one doesn't care about leaking memory).  It partially solves the old problem of "Where did my DumpJSStack() go?"
Attachment #479179 - Flags: review?
Attachment #479179 - Flags: review? → review?(jorendorff)
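As an added example (not the attachment on this bug and not SpiderMonkey or Fennec code): a small C helper that works around the per-call length limit mentioned above by feeding a long stack string to a logging sink in newline-aligned pieces, so no frame line is cut off the way the earlier logcat dump was. The sink callback, the 40-byte demo limit and the two-frame stack string are constructed for this example; on a device the sink would wrap __android_log_print().

```c
#include <stdio.h>
#include <string.h>
typedef void (*log_sink_fn)(const char *chunk, size_t len, void *ctx);

/* Push `s` through `sink` in pieces of at most `limit` bytes, cutting at the
 * last newline inside each window so a stack-frame line is only split when a
 * single line is itself longer than `limit`. Returns the number of chunks. */
size_t log_in_chunks(const char *s, size_t limit, log_sink_fn sink, void *ctx)
{
    size_t n = 0, remaining = strlen(s);
    if (limit == 0) return 0;              /* a zero window could never make progress */
    while (remaining > 0) {
        size_t take = remaining < limit ? remaining : limit;
        if (take < remaining) {            /* more follows: prefer a newline cut */
            size_t cut = take;
            while (cut > 0 && s[cut - 1] != '\n') cut--;
            if (cut > 0) take = cut;       /* keep the newline at the chunk end */
        }
        sink(s, take, ctx);
        s += take;
        remaining -= take;
        n++;
    }
    return n;
}
/* Sink that records how a string was split; `unterminated` counts chunks that
 * do not end in a newline, i.e. lines that had to be cut. */
struct chunk_stats { size_t count, unterminated; };
static void stats_sink(const char *chunk, size_t len, void *ctx)
{
    struct chunk_stats *st = ctx;
    st->count++;
    if (len == 0 || chunk[len - 1] != '\n') st->unterminated++;
}
struct chunk_stats split_stats(const char *s, size_t limit)
{
    struct chunk_stats st = {0, 0};
    log_in_chunks(s, limit, stats_sink, &st);
    return st;
}
/* Stand-alone demo: a constructed two-frame dump forced to split at 40 bytes.
 * On Android the sink would hand each chunk to __android_log_print() instead. */
static void stdout_sink(const char *c, size_t len, void *ctx) { (void)ctx; fwrite(c, 1, len, stdout); }
int main(void)
{
    const char *stack = "0 anonymous() [\"jquery.js\":20]\n    name = \"next\"\n1 <TOP LEVEL> [\"jquery.js\":11]\n";
    printf("\nchunks: %zu\n", log_in_chunks(stack, 40, stdout_sink, NULL));
    return 0;
}
```

The string returned by a PrintJSStack()-style function is freed by the caller once every chunk has been emitted; the helper never retains a pointer into it.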
tracking-fennec: ? → 2.0b1+
(In reply to comment #4)
> 
> 1 anonymous() ["http://en.m.wikipedia.org/javascripts/jquery.js":25]

Do the jquery/ajax tests pass on Fennec?
OK, I can reproduce this on my Nexus One, I think. Is the symptom of a hanging content process just a gray screen in the content area?
cjones, does this work now?
answer: no, it doesn't.
Comment on attachment 479179 [details] [diff] [review]
Add a PrintJSStack() friend of DumpJSStack() that returns a newly-allocated string instead of printing to stdout

Absolutely!
Attachment #479179 - Flags: review?(jorendorff) → review+
tracking-fennec: 2.0b1+ → 2.0b2+
tracking-fennec: 2.0b2+ → 2.0+
cjones, we can close right?  tm should have landed a few times on mc already.
This was fixed by us disabling method jit on 2.1 Galaxy S phones.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Anyone on a Galaxy able to verify this is resolved?
(In reply to comment #15)
> Anyone on a Galaxy able to verify this is resolved?
I haven't hit it in forever.