Closed Bug 616762 Opened 10 years ago Closed 10 years ago

crash [@ js::GetFlatUpvar(JSContext*, JSObject*, int, js::Value*) ][@ js::GetFlatUpvar ]


(Core :: JavaScript Engine, defect)

Not set



Tracking Status
blocking2.0 --- beta8+


(Reporter: alice0775, Assigned: dvander)




(Keywords: crash, regression, Whiteboard: fixed-in-tracemonkey)

Crash Data


(2 files, 1 obsolete file)

Build Identifier: 
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101204 Firefox/4.0b8pre ID:20101204030328

See .
Browser crashes with crash reports.
On linux:
On Windows7:

Reproducible: Always

Steps to Reproduce:
1. Start Minefield with new profile
2. Open URL ( )

Regression window:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b6pre) Gecko/20100911 Firefox/4.0b6pre ID:20100911133215
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b6pre) Gecko/20100911 Firefox/4.0b6pre ID:20100911134652
blocking2.0: --- → ?
Severity: normal → critical
OS: Windows 7 → All
Hardware: x86 → All
Assignee: general → dvander
blocking2.0: ? → betaN+
Attached patch shell test case (obsolete) — Splinter Review
Some upvar operation is going wrong in jquery.em.compressed.js. Attached is a shell version that will break. It's not reduced yet, there's just enough shim DOM stuff to make the original file load.
Attached file reduced test case
Attachment #496058 - Attachment is obsolete: true
looks like this might have taken an extra spike yesterday, and has continuing high volume today.  this should probably block b8 since its the #5 top crash and moving up.

date     total    breakdown by build
         crashes  count build, count build, ...

20101201 4 4.0b8pre2010113003 
20101202 1 4.0b8pre2010120103 
20101204 11 4.0b8pre2010120403 	
20101205 17  	14 4.0b8pre2010120403, 
                 3 4.0b8pre2010120503, 
20101206 1 4.0b8pre2010120603 
20101207 1 4.0b8pre2010120603 	
20101208 2 4.0b8pre2010120703 	
20101209 2 4.0b8pre2010120903 
20101210 60 4.0b8pre2010121003
up one more position to #4 with 67 crashes yesterday.
and if you add in the linux version of the crash js::GetFlatUpvar which has spiked from 1-3 crashes per day to around 15 crashes per day that moves this to the #3 ranked crash.
Correlations show it is linked to Firebug (82% vs 3%).
bug 618549 is another crash in js with firebug related that rose over the weekend. is this also connected?
The call stack from Bug 618549 suggests it is not related.  
However both bugs seem to involve unusual code paths so this is what we should expect as JaegerMonkey settles in. Note that Firebug is essentially non-functional on FF4.0 still, see
This is not related to firebug. There's a shell test case in comment #2.
blocking2.0: betaN+ → beta8+
Attachment #496983 - Attachment is patch: false
Attached patch fixSplinter Review
Attachment #497466 - Flags: review?(brendan)
The bug is that the outermost function inside the eval'd text was marked as heavyweight, but as having one upvar ("$"). This caused an inner function to get the outer function on its scope chain, and resolve "$" on the outer call object dynamically. Since the function wasn't a flat closure, the callobj getter just crashed.

Like the analogous checks near the end of BindNameToSlot, after talking to Brendan I think all that's needed is to make sure we don't add upvars to heavyweight functions.
Confirm this bug. Crash report sending. Mozilla/5.0 (Windows NT 6.1; rv:2.0b8pre) Gecko/20101214 Firefox/4.0b8pre ID:20101214030322
Comment on attachment 497466 [details] [diff] [review]

Could you comment this new code with why eval making the eval'ed function code heavyweight poisons the well? Thanks,

Attachment #497466 - Flags: review?(brendan) → review+
Closed: 10 years ago
Resolution: --- → FIXED
The crash in this bug was fixed. If there are other crashes with this signature, please file a new bug. bug 592202 would be a likely dependency.
Filed bug 620099, please someone set dep to bug 592202 as I don't access to this bug
Duplicate of this bug: 620389
(In reply to comment #17)
> Not fixed, I guess

It's only "fixed" on the tracemonkey branch, not on Firefox nightly branch
did the fix make to to trunk yet?

Last crash I see post beta 8 is one on 4.0b9pre 2011 01 0603  , so maybe it has.

It should definitely go into beta9 since its the overall #6 topcrash on beta8 and maybe #2 or #3 if you just look at new regressions in beta8.
This bug is fixed on m-c now, right?

And see bug 592202 comment 58 -- bug 592202 is also fixed on m-c as of today.

Duplicate of this bug: 623957
Crash Signature: [@ js::GetFlatUpvar(JSContext*, JSObject*, int, js::Value*) ] [@ js::GetFlatUpvar ]
You need to log in before you can comment on or make changes to this bug.