Created attachment 529010 [details]
testcase (crashes Firefox when loaded)
Related to bug 652401?
Created attachment 529012 [details]
> Related to bug 652401?
So we crash because cx->hasfp() is true, cx->fp()->isDummyFrame() is true, and cx->fp->prev() is null. So js::CurrentScriptFileAndLineSlow called from js::CurrentScriptFileAndLine called from Function() ends up crashing with a null-deref.
We push dummy frames on AutoCompartment::enter. In this case that happens with this stack:
#0 js::AutoCompartment::enter (this=0x1da0cfe0) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/jswrapper.cpp:379
#1 0x04649d19 in JS_EnterCrossCompartmentCall (cx=0x5131620, target=0x217f0410) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/jsapi.cpp:1210
#2 0x04649dc3 in JSAutoEnterCompartment::enter (this=0xbfffc324, cx=0x5131620, target=0x217f0410) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/jsapi.cpp:1260
#3 0x00fa2d2c in GetContextFromObject (obj=0x217f0410) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:569
#4 0x00fa39c7 in nsXPCWrappedJSClass::CallMethod (this=0x1da3a090, wrapper=0x1da2b8e0, methodIndex=3, info=0x58b97c8, nativeParams=0xbfffc7e0) at /Users/bzbarsky/mozilla/vanilla/mozil a/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1294
#5 0x00f9ba59 in nsXPCWrappedJS::CallMethod (this=0x1da2b8e0, methodIndex=3, info=0x58b97c8, params=0xbfffc7e0) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/xpconnect/src/xpcwrap edjs.cpp:586
GetContextFromObject only starts entering compartments and the like if the JS context stack is empty. So that's where bug 652401 comes in.
However this seems like a general bug in Function. It seems to assume that if hasfp() then there is a non-dummy frame on the stack... but that's just not true. Luke added this code a few days ago in bug 602994.
Created attachment 529130 [details] [diff] [review]
Argh, this is a failed specialization of js_GetScriptedCaller (missing "fp &&" conjunct). I think I initially did this since sometimes eval is on the hot path and js_GetScriptedCaller is a call + LeaveTrace on every eval. I don't think it really matters, though, so I'll just put js_GetScriptedCaller back.
cdleary-bot mozilla-central merge info:
Done, made the merge, not likely to back out, don't need to track for ff6