Closed Bug 616762 Opened 9 years ago Closed 9 years ago
crash [@ js::GetFlatUpvar(JSContext*, JSObject*, int, js::Value*) ][@ js::GetFlatUpvar ]
Build Identifier: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101204 Firefox/4.0b8pre ID:20101204030328

See http://forums.mozillazine.org/viewtopic.php?p=10190153#p10190153 . Browser crashes with crash reports.
On linux: bp-a4c72c43-9606-4cca-9d03-9be8f2101204
On Windows7: bp-a7438a1d-e543-4548-80ea-8c9712101204

Reproducible: Always

Steps to Reproduce:
1. Start Minefield with new profile
2. Open URL ( http://www.deklomp.se/ )

Regression window:
Works: http://hg.mozilla.org/mozilla-central/rev/16eac4b8b8e0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b6pre) Gecko/20100911 Firefox/4.0b6pre ID:20100911133215
Fails: http://hg.mozilla.org/mozilla-central/rev/f1bd314e64ac
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b6pre) Gecko/20100911 Firefox/4.0b6pre ID:20100911134652
Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=16eac4b8b8e0&tochange=f1bd314e64ac
Severity: normal → critical
OS: Windows 7 → All
Hardware: x86 → All
9 years ago
Assignee: general → dvander
blocking2.0: ? → betaN+
9 years ago
Status: NEW → ASSIGNED
Some upvar operation is going wrong in jquery.em.compressed.js. Attached is a shell version that will break. It's not reduced yet, there's just enough shim DOM stuff to make the original file load.
Looks like this might have taken an extra spike yesterday, and has continuing high volume today. This should probably block b8 since it's the #5 top crash and moving up.

js::GetFlatUpvar(JSContext*, JSObject*, int, js::Value*)

date      total  breakdown by build (count build, count build, ...)
20101201      4  4.0b8pre2010113003
20101202      1  4.0b8pre2010120103
20101203
20101204     11  4.0b8pre2010120403
20101205     17  14 4.0b8pre2010120403, 3 4.0b8pre2010120503
20101206      1  4.0b8pre2010120603
20101207      1  4.0b8pre2010120603
20101208      2  4.0b8pre2010120703
20101209      2  4.0b8pre2010120903
20101210     60  4.0b8pre2010121003
up one more position to #4 with 67 crashes yesterday.
and if you add in the linux version of the crash js::GetFlatUpvar which has spiked from 1-3 crashes per day to around 15 crashes per day that moves this to the #3 ranked crash.
Another reproducible case, http://code.google.com/p/fbug/issues/detail?id=3798
Correlations show it is linked to Firebug (82% vs 3%).
bug 618549 is another crash in js with firebug related that rose over the weekend. is this also connected?
The call stack from Bug 618549 suggests it is not related. However both bugs seem to involve unusual code paths so this is what we should expect as JaegerMonkey settles in. Note that Firebug is essentially non-functional on FF4.0 still, see http://getfirebug.com/testresults.
This is not related to firebug. There's a shell test case in comment #2.
The bug is that the outermost function inside the eval'd text was marked as heavyweight, but as having one upvar ("$"). This caused an inner function to get the outer function on its scope chain, and resolve "$" on the outer call object dynamically. Since the function wasn't a flat closure, the callobj getter just crashed. Like the analogous checks near the end of BindNameToSlot, after talking to Brendan I think all that's needed is to make sure we don't add upvars to heavyweight functions.
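The scope shape described in that comment, written out as an added regression-style check that runs in any JS engine. This is constructed here, not the attached shell test case and not code from the mozilla tree; `$`, `outer`, `inner` and `compressedSrc` are stand-ins for the jQuery globals in the crashing page.

```javascript
// Added illustration (constructed, not the bug's attachment). The shape:
// text compiled by eval() defines an outermost function ("outer"), which is
// heavyweight because it lives in eval code. It references one name from the
// enclosing scope ("$"), and an inner function reaches "$" through outer's
// scope. In the affected builds the compiler recorded "$" as a flat-closure
// upvar of outer while also marking outer heavyweight; inner then asked
// outer's call object for "$" via the flat-upvar getter, which crashed.
// A correct engine resolves "$" through the scope chain to the global binding.

var $ = function (selector) {
  // Constructed stand-in for the jQuery global the page's code closes over.
  return { selector: selector, tag: "constructed-jquery-stand-in" };
};

// Constructed stand-in for the eval'd library text (jquery.em.compressed.js
// in the report); only the closure structure matters.
var compressedSrc =
  "(function outer() {" +
  "  var cache = {};" +                                // state local to outer
  "  function inner(sel) {" +
  "    return cache[sel] || (cache[sel] = $(sel));" +  // '$' is the upvar
  "  }" +
  "  return inner;" +
  "})()";

function buildWrapped() {
  // Direct eval: the compiled text sees the caller's scope, matching the
  // original situation where the library was evaluated inside page script.
  return eval(compressedSrc);
}

function exerciseUpvar() {
  var wrapped = buildWrapped();
  var a = wrapped("#main");
  var b = wrapped("#main"); // second call takes the cache path through outer's locals
  return { same: a === b, selector: a.selector, tag: a.tag };
}
```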
Confirm this bug. Crash report sending. Mozilla/5.0 (Windows NT 6.1; rv:2.0b8pre) Gecko/20101214 Firefox/4.0b8pre ID:20101214030322
Comment on attachment 497466 (fix):

Could you comment this new code with why eval making the eval'ed function code heavyweight poisons the well? Thanks,

/be
Attachment #497466 - Flags: review?(brendan) → review+
http://hg.mozilla.org/tracemonkey/rev/364ca8970499 with comment
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
The crash in this bug was fixed. If there are other crashes with this signature, please file a new bug. bug 592202 would be a likely dependency.
(In reply to comment #17)
> Not fixed, I guess
>
> http://crash-stats.mozilla.com/report/index/5b521399-2853-4e13-b2ca-c011f2101217

It's only "fixed" on the tracemonkey branch, not on the Firefox nightly branch.
Did the fix make it to trunk yet? Last crash I see post beta 8 is one on 4.0b9pre 2011 01 0603, so maybe it has. It should definitely go into beta9 since it's the overall #6 topcrash on beta8 and maybe #2 or #3 if you just look at new regressions in beta8.
This bug is fixed on m-c now, right? http://hg.mozilla.org/mozilla-central/log?rev=616762 And see bug 592202 comment 58 -- bug 592202 is also fixed on m-c as of today. /be
Crash Signature: [@ js::GetFlatUpvar(JSContext*, JSObject*, int, js::Value*) ] [@ js::GetFlatUpvar ]