crash when typing javascript:this in the Web Console [@ js::PropertyTable::search(int, bool) ]

RESOLVED FIXED

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
7 years ago
6 years ago

People

(Reporter: Scoobidiver (away), Assigned: mrbkap)

Tracking

(4 keywords)

Trunk
x86
Windows XP
crash, regression, reproducible, topcrash
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(blocking2.0 beta7+)

Details

(Whiteboard: see comment 28 for javascript:this bug, crash signature)

Attachments

(1 attachment)

(Reporter)

Description

7 years ago
Build: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b7pre) Gecko/20101006 Firefox/4.0b7pre

It is a new crash signature that exist in trunk builds.
It is #38 top crasher in 4.0b7pre build for the last week.

Signature	js::PropertyTable::search(int, bool)
UUID	3edaf174-b804-4eff-9651-6688c2101006
Time 	2010-10-06 06:58:42.715751
Uptime	0
Last Crash	93 seconds before submission
Install Age	320131 seconds (3.7 days) since version was first installed.
Product	Firefox
Version	4.0b7pre
Build ID	20101002041357
Branch	2.0
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
CPU	x86
CPU Info	GenuineIntel family 15 model 6 stepping 5
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x6c

Frame 	Module 	Signature [Expand] 	Source
0 	mozjs.dll 	js::PropertyTable::search 	js/src/jsscope.cpp:363
1 	mozjs.dll 	js_LookupPropertyWithFlags 	js/src/jsobj.cpp:4620
2 	mozjs.dll 	js_SetPropertyHelper 	js/src/jsobj.cpp:5171
3 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:4324
4 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:638
5 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:746
6 	mozjs.dll 	js::ExternalInvoke 	js/src/jsinterp.cpp:776
7 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:4836
8 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1694
9 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:571
10 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114
11 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
12 	xul.dll 	nsComponentManagerImpl::CreateInstance 	xpcom/components/nsComponentManager.cpp:1216
13 	xul.dll 	nsComponentManagerImpl::GetService 	xpcom/components/nsComponentManager.cpp:1468
14 	xul.dll 	nsJSCID::GetService 	js/src/xpconnect/src/xpcjsid.cpp:845
15 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
16 	xul.dll 	XPC_WN_CallMethod 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1752
17 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:4625
18 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:638
19 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:746
20 	mozjs.dll 	js::ExternalInvoke 	js/src/jsinterp.cpp:776
21 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:4836
22 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1694
23 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:571
24 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114
25 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
26 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102

More reports at:
http://crash-stats.mozilla.com/report/list?range_value=4&range_unit=weeks&signature=js%3A%3APropertyTable%3A%3Asearch%28int%2C%20bool%29&version=Firefox%3A4.0b7pre

Updated

7 years ago
Summary: crash → crash [@ js::PropertyTable::search(int, bool) ]
Confirmed, just happened to me when i tried to sync.
Got this one:

http://crash-stats.mozilla.com/report/index/bp-2eb8299b-9f7c-46c6-8d1f-e69362101019

Related? Can reproduce it always. Offending line in my crash report seems to be "hash1 = HASH1(hash0, hashShift);"
Just got this myself: bp-c13be4c4-b84e-4a2b-9f7d-494b72101101

STR:

1) Type javascript:this in the Web Console on the about:home page.
2) Click on the resulting [object Window]
3) BOOM!
blocking2.0: --- → ?
Somewhat of a better query for this:

http://crash-stats.mozilla.com/report/list?product=Firefox&branch=2.0&query_search=signature&query_type=exact&range_value=4&range_unit=weeks&signature=js%3A%3APropertyTable%3A%3Asearch%28int%2C%20bool%29

(just takes away the 4.0b7pre because this happens on b8pre as well).
Currently top crasher number 43 for beta8pre.
Keywords: topcrash
Keywords: reproducible
Comment 3 suggests this-wrapping or something related to wrappers. Thoughts?

/be
(Assignee)

Comment 7

7 years ago
Created attachment 487473 [details] [diff] [review]
Fix

obj->getParent() can return null for global objects so we should use obj->getGlobal() which will always return non-null.
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #487473 - Flags: review?(gal)
(Assignee)

Updated

7 years ago
Blocks: 608862

Updated

7 years ago
Attachment #487473 - Flags: review?(gal) → review+
Trivial and safe fix, we should get this in for beta7.
blocking2.0: ? → beta7+
(Assignee)

Comment 9

7 years ago
http://hg.mozilla.org/mozilla-central/rev/addeb77512a8
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
(Reporter)

Comment 10

7 years ago
It is not fixed as it happens in the latest build.

See some reports at:
http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&range_value=4&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=js%3A%3APropertyTable%3A%3Asearch%28int%2C%20bool%29
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
No crash here using the STR from comment #3 on today's nightly m-c build win32 running on Win7 x64

Comment 12

7 years ago
(In reply to comment #10)
> It is not fixed as it happens in the latest build.
> 

are you sure, Scoobidiver?  because I'm not getting any crashes so far with the latest trunk build of FF 4.0b8pre (20101104) on my WinXP x86 computer.

and Jim before me is not getting any crashes either with the latest mozilla-central FF4b8pre nightly build.

gonna try out the latest t-m (tracemonkey) build to also make sure shortly.

Comment 13

7 years ago
so far, no crashes with the latest t-m FF4.0b8pre nightly build of Nov. 4 that I've just tested.  I just can't get the darn thing to blow up, no matter what.

I'm still scratching my head as to why you are still experiencing crashes, Scoobidiver.  do the crashes still happen randomly on your computer even with the latest nightlies?
show us here (aka. steps to reproduce) on how the crash occurs on your machine with the recent b8pre nightlies.

Comment 14

7 years ago
on ubuntu, using comment3 STR
crash with latest tm nightly:
http://crash-stats.mozilla.com/report/index/5f930ce8-400e-4a98-867d-ac65d2101104
no crash in latest m-c nightly
(Reporter)

Comment 15

7 years ago
> I'm still scratching my head as to why you are still experiencing crashes,
> Scoobidiver.  do the crashes still happen randomly on your computer even with
> the latest nightlies?
It does not happen on my computer. The reopening is only based on crash stats.
Go to Graph tab of crash reports I gave in comment 10.
For the moment, there has been no crash in 4.0b8pre/20101104 build, but this build was released 2 hours ago.

Comment 16

7 years ago
Why not finally create the long overdue b7 builds, test the bug on them, and if the bug is really still there (as does not seem to be the case based on Comment 14) and it is required, do a respin?

Comment 17

7 years ago
(In reply to comment #14)
> on ubuntu, using comment3 STR
> crash with latest tm nightly:
> http://crash-stats.mozilla.com/report/index/5f930ce8-400e-4a98-867d-ac65d2101104
> no crash in latest m-c nightly

no crash in latest m-c linux hourly build (1288864761), either
Are crash-reports a valid indicator that something is not fixed ?

Not knowing the end-users config/addons etc when he crashed is a huge unknown, and may not, in my mind, be the same exact crasher as this bug.

Comment 19

7 years ago
ok.  can anyone with a Mac OS X reproduce the crash with the latest m-c and t-m nightlies?

Comment 20

7 years ago
RE: Comment 16, sounds like a good idea. That will accomplish two tasks, one to have a b7 build and second to test this bug!

Comment 21

7 years ago
(In reply to comment #18)
> Are crash-reports a valid indicator that something is not fixed ?
> 
> Not knowing the end-users config/addons etc when he crashed is a huge unknown,
> and may not, in my mind, be the same exact crasher as this bug.

let's see if Scoobidiver can answer your question, Jim.  after all, he was the one who reported this bug about a month ago.
tried to reproduce this on latest nightly on xp and didn't get a crash on about:home but with the link from comment 14 i got bug 609626...

Comment 23

7 years ago
(In reply to comment #20)
> RE: Comment 16, sounds like a good idea. That will accomplish two tasks, one to
> have a b7 build and second to test this bug!

Task #3: it's not very unlikely that other issues will show up that will force
respins, once the b7 builds are there. But there is no way of finding out about
those as long as there are no b7 builds.

Everything should be much easier if there is a "real thing" to test on.
The nightlies are as suitable for test as beta7, for purposes of checking this bug.  Please keep comments in this bug focused on the topic of the bug; you can post to mozilla.dev.planning if you want to discuss scheduling, or attend the development/product calls.
(In reply to comment #22)
> tried to reproduce this on latest nightly on xp and didn't get a crash on
> about:home but with the link from comment 14 i got bug 609626...

With the javascript:this Web Console instructions I get 609626 also. Windows Server 2003 R2 Standard Edition on VMWare, happens with latest nightly.
(Reporter)

Comment 26

7 years ago
> Are crash-reports a valid indicator that something is not fixed ?
One crash signature can be caused by several reasons.
For this particular case, crash reason is EXCEPTION_ACCESS_VIOLATION_READ. But if you analyze a lot of stack traces, the first three threads are various, so it can be considered as a meta bug.
Feel free to open a new bug for each different stack trace if you have a fix for each one.

Here are some examples of stack traces:
0 	mozjs.dll 	js::PropertyTable::search 	js/src/jsscope.cpp:316
1 	mozjs.dll 	JSObject::nativeLookup 	js/src/jsscope.h:645
2 	mozjs.dll 	js_DefineNativeProperty 	js/src/jsobj.cpp:4420

0 	mozjs.dll 	js::PropertyTable::search 	js/src/jsscope.cpp:316
1 	mozjs.dll 	JSObject::nativeLookup 	js/src/jsscope.h:645
2 	mozjs.dll 	js_GetPropertyHelper 	js/src/jsobj.cpp:5064

0 	mozjs.dll 	js::PropertyTable::search 	js/src/jsscope.cpp:325
1 	mozjs.dll 	js_AtomizeString 	js/src/jsatom.cpp:478
2 	mozjs.dll 	js_DefineProperty 	js/src/jsobj.cpp:4294

0 	mozjs.dll 	js::PropertyTable::search 	js/src/jsscope.cpp:312
1 	mozjs.dll 	js_LookupPropertyWithFlags 	js/src/jsobj.cpp:4650
2 	mozjs.dll 	js_FindPropertyHelper 	js/src/jsobj.cpp:4676

0 	mozjs.dll 	js::PropertyTable::search 	js/src/jsscope.cpp:312
1 	mozjs.dll 	js_LookupPropertyWithFlags 	js/src/jsobj.cpp:4650
2 	mozjs.dll 	js_FindClassObject 	js/src/jsobj.cpp:3988

0 	mozjs.dll 	js::PropertyTable::search 	js/src/jsscope.cpp:325
1 	mozjs.dll 	js_LookupProperty 	js/src/jsobj.cpp:4640
2 	mozjs.dll 	js_HasOwnProperty 	js/src/jsobj.cpp:1416

0 	mozjs.dll 	js::PropertyTable::search 	js/src/jsscope.cpp:366
1 	mozjs.dll 	js_LookupProperty 	js/src/jsobj.cpp:4640
2 	mozjs.dll 	JSObject::lookupProperty 	js/src/jsobj.h:1062

0 	mozjs.dll 	js::PropertyTable::search 	js/src/jsscope.cpp:312
1 	mozjs.dll 	js_GetProperty 	js/src/jsobj.cpp:5071
2 	mozjs.dll 	js::mjit::ic::GetProp 	js/src/methodjit/PolyIC.cpp:1656

0 	mozjs.dll 	js::PropertyTable::search 	js/src/jsscope.cpp:366
1 	mozjs.dll 	js::PropertyTable::change 	js/src/jsscope.cpp:427
2 	mozjs.dll 	JSObject::addPropertyInternal 	js/src/jsscope.cpp:763

0 	mozjs.dll 	js::PropertyTable::search 	js/src/jsscope.cpp:312
1 	mozjs.dll 	js::proxy_Call 	js/src/jsproxy.cpp:1027
2 	mozjs.dll 	JSCompartment::wrap 	js/src/jscompartment.cpp:120

0 	mozjs.dll 	js::PropertyTable::search 	js/src/jsscope.cpp:312
1 	mozjs.dll 	JSContext::realloc 	js/src/jscntxt.h:2262
2 	mozjs.dll 	JSObject::allocSlot 	js/src/jsobj.cpp:4098

Comment 27

7 years ago
@Jim Jeffery and others: I got the recent nightlies to crash & burn.
my earlier comments were not clear enough to determine the whole picture so you can disregard them.

You're supposed to type "javascript:this" in the Web Console window, NOT the Address Bar.

CLEAR Steps to Reproduce:
1.  From the Menu bar, click on Tools and select Web Console
2.  From the Web Console prompt (NOT the Address bar) ">" type in javascript:this
3.  Click on the underlined [object window] link.

Actual Result: Crash
Expected Result: No crash

If you type javascript:this in the Address bar only, you won't get the crash.
The javascript:this bug has been moved to bug 608862.
Whiteboard: see comment 28 for javascript:this bug

Comment 29

7 years ago
Drat!  I forgot to mention that you have to go to a web site before opening the Web Console window.  The Web Console window will NOT show up on a blank browser tab.

Even CLEARER steps to reproduce:
1.  Type in any web site in the Address bar (ex. www.google.com, www.yahoo.com, etc.) and hit Enter to go to that site
2.  Click Tools and choose Web Console
3.  On the Web Console prompt only, type in javascript:this
3.  Click the [object window] link

the actual result should be a crash.

I was able to reproduce this in both the recent m-c and t-m FF4.0b8pre builds on my XP computer.
this is bug 609626 ...

Comment 31

7 years ago
Moving off to beta8 as we think that one of if the issues is solved, and bug 609626 is blocking beta8
blocking2.0: beta7+ → beta8+

Comment 32

7 years ago
I cannot reproduce this on: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b8pre) Gecko/20101103 Firefox/4.0b8pre
(Assignee)

Comment 33

7 years ago
Can we please file a new bug on the remaining crash? The patch in this bug definitely *did* fix *a* crash at PropertyTable::search and bugzilla + multiple patches make for long, sad bugs.

Comment 34

7 years ago
If you are coming here from crash stats, please file other bugs on remaining issues. The patch in this bug fixed one instance of a crash with this signature, but there may be more that map back to js::PropertyTable::search(int, bool) as well.

Closing this out as a b7 blocker, because that's what it was when we took the fix.
Status: REOPENED → RESOLVED
blocking2.0: beta8+ → beta7+
Last Resolved: 7 years ago7 years ago
Resolution: --- → FIXED
(Reporter)

Updated

7 years ago
Summary: crash [@ js::PropertyTable::search(int, bool) ] → crash when typing javascript:this in the Web Console [@ js::PropertyTable::search(int, bool) ]

Comment 35

7 years ago
Now I have a new crash: http://crash-stats.mozilla.com/report/index/bp-14637a4f-e6d1-440d-81b9-2f3fc2101108
(Reporter)

Comment 36

7 years ago
> Now I have a new crash:
> http://crash-stats.mozilla.com/report/index/bp-14637a4f-e6d1-440d-81b9-2f3fc2101108
Yakove, did you get this crash with the STR in comment 3? If not, please file a new bug.

Comment 37

7 years ago
No, there are no crash with the STR in comment 3
Depends on: 612836

Updated

7 years ago
Group: core-security

Comment 38

7 years ago
hiding until we are sure this is unrelated to bug 626631 or have a fix there.
Crash Signature: [@ js::PropertyTable::search(int, bool) ]
Group: core-security
You need to log in before you can comment on or make changes to this bug.