Closed Bug 653631 Opened 13 years ago Closed 13 years ago

Crash [@ JSStackFrame::isDummyFrame] with mozRequestAnimationFrame

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox5 --- unaffected
firefox6 - ---

People

(Reporter: jruderman, Assigned: luke)

References

Details

(Keywords: crash, testcase, Whiteboard: fixed-in-tracemonkey)

Crash Data

Attachments

(3 files)

testcase (crashes Firefox when loaded)
342 bytes, text/html
Details
stack trace
7.60 KB, text/plain
Details
fix
832 bytes, patch
mrbkap
: review+
Details | Diff | Splinter Review 
Related to bug 652401?
Attached file stack trace 

    
    

    
  
> Related to bug 652401?

Sorta.

So we crash because cx->hasfp() is true, cx->fp()->isDummyFrame() is true, and cx->fp->prev() is null.  So js::CurrentScriptFileAndLineSlow called from js::CurrentScriptFileAndLine called from Function() ends up crashing with a null-deref.

We push dummy frames on AutoCompartment::enter.  In this case that happens with this stack:

#0  js::AutoCompartment::enter (this=0x1da0cfe0) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/jswrapper.cpp:379
#1  0x04649d19 in JS_EnterCrossCompartmentCall (cx=0x5131620, target=0x217f0410) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/jsapi.cpp:1210
#2  0x04649dc3 in JSAutoEnterCompartment::enter (this=0xbfffc324, cx=0x5131620, target=0x217f0410) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/jsapi.cpp:1260
#3  0x00fa2d2c in GetContextFromObject (obj=0x217f0410) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:569
#4  0x00fa39c7 in nsXPCWrappedJSClass::CallMethod (this=0x1da3a090, wrapper=0x1da2b8e0, methodIndex=3, info=0x58b97c8, nativeParams=0xbfffc7e0) at /Users/bzbarsky/mozilla/vanilla/mozil a/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1294
#5  0x00f9ba59 in nsXPCWrappedJS::CallMethod (this=0x1da2b8e0, methodIndex=3, info=0x58b97c8, params=0xbfffc7e0) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/xpconnect/src/xpcwrap edjs.cpp:586

GetContextFromObject only starts entering compartments and the like if the JS context stack is empty.  So that's where bug 652401 comes in.

However this seems like a general bug in Function.  It seems to assume that if hasfp() then there is a non-dummy frame on the stack... but that's just not true.  Luke added this code a few days ago in bug 602994.
Blocks: 602994

          status-firefox5:
          --- → unaffected

          tracking-firefox6:
          --- → ?

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fixSplinter Review
      

    


  
Argh, this is a failed specialization of js_GetScriptedCaller (missing "fp &&" conjunct).  I think I initially did this since sometimes eval is on the hot path and js_GetScriptedCaller is a call + LeaveTrace on every eval.  I don't think it really matters, though, so I'll just put js_GetScriptedCaller back.
Assignee: general → luke
Status: NEW → ASSIGNED

        Attachment #529130 -
        Flags: review?(mrbkap)

        Attachment #529130 -
        Flags: review?(mrbkap) → review+

    
    

    
  
http://hg.mozilla.org/tracemonkey/rev/e4861593d134
Whiteboard: fixed-in-tracemonkey
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED

    
    

    
  
Done, made the merge, not likely to back out, don't need to track for ff6

          tracking-firefox6:
          ?-
Crash Signature: [@ JSStackFrame::isDummyFrame]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: