Closed Bug 612329 Opened 9 years ago Closed 9 years ago

[Mac] Firefox 4.0b7 crash in [@ ReplaceCallback ]

(Core :: JavaScript Engine, defect, critical)

Windows 7
Not set

(Reporter: marcia, Assigned: luke)

(Keywords: crash)

(1 file, 1 obsolete file)

Mac only crash seen while reviewing Beta 7 data. to the reports which are all x64.

One comment indicates: "Loading TinyMCE in my CMS"

Frame 	Module 	Signature 	Source
0 		@0x7fffffe00800 	
1 	XUL 	ReplaceCallback 	js/src/jsstr.cpp:2238
2 	XUL 	DoMatch 	js/src/jsstr.cpp:1842
3 	XUL 	js::str_replace 	js/src/jsstr.cpp:2408
4 		@0x12edd1385 	
5 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:739
6 	XUL 	js::Invoke 	js/src/jsinterp.cpp:662
7 	XUL 	js_fun_apply 	js/src/jsfun.cpp:2341
8 		@0x13bdac1b0 	
9 	XUL 	XUL@0xefa30f 	
10 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:739
11 	XUL 	js::Invoke 	js/src/jsinterp.cpp:662
12 	XUL 	js_fun_apply 	js/src/jsfun.cpp:2341
13 		@0x13bdac1b0 	
14 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:739
15 	XUL 	js::Invoke 	js/src/jsinterp.cpp:662
16 	XUL 	js::ExternalInvoke 	js/src/jsinterp.cpp:881
17 	XUL 	JS_CallFunctionValue 	js/src/jsinterp.h:954
18 	XUL 	nsJSContext::CallEventHandler 	dom/base/nsJSEnvironment.cpp:2171
19 	XUL 	nsJSEventListener::HandleEvent 	dom/src/events/nsJSEventListener.cpp:228
20 	XUL 	nsEventListenerManager::HandleEventSubType 	content/events/src/nsEventListenerManager.cpp:1112
21 	XUL 	nsEventListenerManager::HandleEventInternal 	content/events/src/nsEventListenerManager.cpp:1208
22 	XUL 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventListenerManager.h:146
23 	XUL 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:628
24 	XUL 	PresShell::HandleEventInternal 	layout/base/nsPresShell.cpp:6938
25 	XUL 	PresShell::HandleEventWithTarget 	layout/base/nsPresShell.cpp:6787
26 	XUL 	nsEventStateManager::CheckForAndDispatchClick 	content/events/src/nsEventStateManager.cpp:4051
27 	XUL 	nsEventStateManager::PostHandleEvent 	content/events/src/nsEventStateManager.cpp:2959
28 	XUL 	PresShell::HandleEventInternal 	layout/base/nsPresShell.cpp:6961
29 	XUL 	PresShell::HandlePositionedEvent 	layout/base/nsPresShell.cpp:6772
30 	XUL 	PresShell::HandleEvent 	layout/base/nsPresShell.cpp:6625
31 	XUL 	PresShell::HandleEvent 	layout/base/nsPresShell.cpp:6382
32 	XUL 	nsViewManager::DispatchEvent 	view/src/nsViewManager.cpp:1092
33 	XUL 	HandleEvent 	view/src/nsView.cpp:161
34 	XUL 	nsChildView::DispatchEvent 	widget/src/cocoa/
35 	XUL 	nsChildView::DispatchWindowEvent 	widget/src/cocoa/
36 	XUL 	-[ChildView mouseUp:] 	widget/src/cocoa/
37 	AppKit 	AppKit@0x13d3d8 	
38 	CoreFoundation 	CoreFoundation@0x2232a 	
39 	CoreFoundation 	CoreFoundation@0x1052b 	
40 	libSystem.B.dylib 	libSystem.B.dylib@0x66b3 	
41 	CoreFoundation 	CoreFoundation@0x65f1 	
42 	CoreFoundation 	CoreFoundation@0xfcd6 	
43 	CoreFoundation 	CoreFoundation@0x1052b 	
44 	CoreFoundation 	CoreFoundation@0xfb2e 	
45 	CoreFoundation 	CoreFoundation@0xfcd6 	
46 	CoreFoundation 	CoreFoundation@0xfb2e 	
47 	libSystem.B.dylib 	libSystem.B.dylib@0x6bf9 	
48 	Foundation 	Foundation@0x61df 	
49 	libobjc.A.dylib 	libobjc.A.dylib@0x619f 	
50 	XUL 	-[ToolbarWindow sendEvent:] 	widget/src/cocoa/
51 	AppKit 	AppKit@0x72a85 	
52 	CoreFoundation 	CoreFoundation@0x24688 	
53 	AppKit 	AppKit@0x714a8 	
54 	AppKit 	AppKit@0x749ec7 	
55 	AppKit 	AppKit@0x749ec7 	
56 	AppKit 	AppKit@0x43ac5 	
57 	CoreFoundation 	CoreFoundation@0x1052b 	
58 	XUL 	NewBuiltinClassInstanceXML 	js/src/jsobjinlines.h:222
59 		@0x4093a7ffffffffff 	
60 	CoreFoundation 	CoreFoundation@0x24814 	
61 	AppKit 	AppKit@0x77e03f 	
62 	AppKit 	AppKit@0x94d9 	
63 	XUL 	nsAppShell::Run 	widget/src/cocoa/
64 	XUL 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:191
65 	XUL 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3682
66 	firefox-bin 	main 	browser/app/nsBrowserApp.cpp:158
67 	firefox-bin 	firefox-bin@0x1953

This crash happens at a random address called by ReplaceCallback.  The only indirect call I can find in an inlinable call below ReplaceCallback is the one to InvokeSessionGuard::invoke.  This could crash if code_ becomes invalid.  Checking with dvander, this can actually happen (script recompilation in debug mode), but it's not likely to be the cause of this crash (none of the crash signatures show a debugger like Firebug loaded).  This patch fixes the bug (by not using the optimized Gatling-gun path if debug mode is on) and inserts a characteristic release-build assert to catch any other ways that somehow invokeEntry is changing.
Assignee: general → lw
Attachment #490716 - Flags: review?(dmandelin)
Attachment #490716 - Flags: approval2.0?
Attachment #490716 - Flags: review?(dmandelin)
Attachment #490716 - Flags: review+
Attachment #490716 - Flags: approval2.0?
Attachment #490716 - Flags: approval2.0+
I landed on tracemonkey, which should be merged to m-c pretty soon.  Then we can see if these crashes decrease and/or the release-mode assert is hitting.
Closed: 9 years ago
Resolution: --- → FIXED
The patch landed was a diagnostic and does not fix this crash.
Resolution: FIXED → ---
b8pre shows two crashes at the magic 0x101 address, so it seems that invokeEntry is still somehow changing.  In light of this and upcoming changes in bug 617656 the Gatling gun should not cache the code pointer.
Fortunately, this doesn't seem to hurt the overall speedup of the Gatling gun over normal Invoke (still around 30%).
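The two comments above describe the hazard and its fix in prose: InvokeSessionGuard snapshots the JIT's invokeEntry once per session, recompilation (debug mode, a debugger attaching) discards that code, and the next invoke jumps through a stale pointer. The toy model below is an added illustration, not SpiderMonkey code; the struct names, the slot pool standing in for the JIT code allocator, and the STALE_ENTRY sentinel (which stands in for the release-build assert, since real stale code would simply crash) are all assumptions for the example. It shows the cached guard detecting the stale pointer after a recompile, and the fixed guard re-reading invokeEntry on every call and falling back to Invoke when there is no JIT code at all.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model of the bug, not SpiderMonkey code.  JIT code lives in a slot that
 * recompilation discards and replaces, which is what turns a cached
 * invokeEntry into a dangling pointer. */
typedef int (*InvokeEntry)(int);

typedef struct JITScript {
    int generation;
    InvokeEntry invokeEntry;   /* NULL once this code has been discarded */
} JITScript;

typedef struct JSScript {
    JITScript *jit;            /* NULL when there is no JIT code */
    int debugMode;             /* debug mode: no JIT code is handed out */
} JSScript;

/* A fixed pool instead of malloc/free, so a discarded slot can still be
 * inspected without undefined behaviour (hypothetical allocator). */
#define POOL_SIZE 8
static JITScript pool[POOL_SIZE];
static int poolNext;

static int jit_double(int x) { return 2 * x; }   /* the "compiled" body   */
static int Invoke(int x)     { return 2 * x; }   /* slow interpreter path */

static JITScript *getJIT(JSScript *s) { return s->debugMode ? NULL : s->jit; }

static void compile(JSScript *s) {
    JITScript *j = &pool[poolNext % POOL_SIZE];
    j->generation = ++poolNext;
    j->invokeEntry = jit_double;
    s->jit = j;
}

/* Debugger attach / debug-mode toggle: throw the old code away, rebuild. */
static void recompile(JSScript *s) {
    if (s->jit) s->jit->invokeEntry = NULL;   /* models the freed code region */
    compile(s);
}

#define STALE_ENTRY (-1)   /* where real code would jump to garbage */

/* Original guard: snapshot the JIT and its invokeEntry once per session. */
typedef struct { JSScript *script; JITScript *jit; InvokeEntry code; } CachedGuard;

static void cached_begin(CachedGuard *g, JSScript *s) {
    g->script = s;
    g->jit = getJIT(s);
    g->code = g->jit ? g->jit->invokeEntry : NULL;
}

/* The comparison plays the role of the release-build assert: the cached
 * pointer no longer matches what the script currently owns. */
static int cached_invoke(CachedGuard *g, int x) {
    JITScript *j = getJIT(g->script);
    if (!g->code) return Invoke(x);
    if (j != g->jit || j->invokeEntry != g->code) return STALE_ENTRY;
    return g->code(x);
}

/* Fixed guard: re-read invokeEntry on every call, fall back to Invoke when
 * there is no JIT code (debug mode, or a build without the method JIT). */
typedef struct { JSScript *script; } UncachedGuard;

static int uncached_invoke(UncachedGuard *g, int x) {
    JITScript *j = getJIT(g->script);
    if (!j || !j->invokeEntry) return Invoke(x);
    return j->invokeEntry(x);
}

/* Session starts, recompilation happens mid-session, next call.
 * Returns the second call's result so a caller can see the stale hit. */
static int run_cached_scenario(void) {
    JSScript s = { NULL, 0 };
    compile(&s);
    CachedGuard g;
    cached_begin(&g, &s);
    int first = cached_invoke(&g, 21);    /* 42 */
    recompile(&s);
    int second = cached_invoke(&g, 21);   /* STALE_ENTRY */
    return first == 42 ? second : -2;
}

/* Same sequence with the fixed guard, plus a debug-mode call with no JIT. */
static int run_uncached_scenario(void) {
    JSScript s = { NULL, 0 };
    compile(&s);
    UncachedGuard g = { &s };
    int first = uncached_invoke(&g, 21);
    recompile(&s);
    int second = uncached_invoke(&g, 21);
    s.debugMode = 1;
    int third = uncached_invoke(&g, 21);
    return (first == 42 && second == 42 && third == 42) ? 42 : -2;
}

int main(void) {
    printf("cached guard after recompile:   %d (stale = %d)\n", run_cached_scenario(), STALE_ENTRY);
    printf("uncached guard after recompile: %d\n", run_uncached_scenario());
    return 0;
}
```

The uncached variant costs one extra load per call, which is the trade-off the comment above measures as still leaving the fast path well ahead of a normal Invoke.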
Attachment #490716 - Attachment is obsolete: true
Attachment #498357 - Flags: review?(jwalden+bmo)
Attachment #498357 - Flags: review?(jwalden+bmo) → review+

I won't mark this fixed-in-tracemonkey yet.
It breaks builds with disable-methodjit.

+    if (!optimized() || !(code = script_->getJIT(false /* !constructing */)->invokeEntry))
         return Invoke(cx, args_, 0);
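Review bot: the condition calls script_->getJIT(...) unconditionally, but JSScript only has that member when the method JIT is compiled in, so this line fails to build with --disable-methodjit (the getJIT "is not a member of JSScript" error reported in this comment). Either keep the whole fast path under the method-JIT build conditional or make optimized() return false in such builds, so that only the `return Invoke(cx, args_, 0);` path is compiled there.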

Error: getJIT is not a member of JSScript.
OS: Mac OS X → Windows 7
Depends on: 623277
(In reply to comment #8)
> It breaks builds with disable-methodjit.

Bug 623277 is fixing this.
This looks fixed; no b9pre crashes since the magic 0x101 went away.
Closed: 9 years ago
Resolution: --- → FIXED
Crash Signature: [@ ReplaceCallback ]