
Crash [@ JSStackFrame::isDummyFrame] with mozRequestAnimationFrame

RESOLVED FIXED

Status


Core
JavaScript Engine
--
critical
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: Jesse Ruderman, Assigned: luke)

Tracking

(Blocks: 2 bugs, {crash, testcase})

Trunk
x86_64
Mac OS X
crash, testcase

Firefox Tracking Flags

(firefox5 unaffected, firefox6-)

Details

(Whiteboard: fixed-in-tracemonkey, crash signature)

Attachments

(3 attachments)

(Reporter)

Description

6 years ago
Created attachment 529010 [details]
testcase (crashes Firefox when loaded)

Related to bug 652401?
(Reporter)

Comment 1

6 years ago
Created attachment 529012 [details]
stack trace

Comment 2

6 years ago
> Related to bug 652401?

Sorta.

So we crash because cx->hasfp() is true, cx->fp()->isDummyFrame() is true, and cx->fp->prev() is null.  So js::CurrentScriptFileAndLineSlow called from js::CurrentScriptFileAndLine called from Function() ends up crashing with a null-deref.

We push dummy frames on AutoCompartment::enter.  In this case that happens with this stack:

#0  js::AutoCompartment::enter (this=0x1da0cfe0) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/jswrapper.cpp:379
#1  0x04649d19 in JS_EnterCrossCompartmentCall (cx=0x5131620, target=0x217f0410) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/jsapi.cpp:1210
#2  0x04649dc3 in JSAutoEnterCompartment::enter (this=0xbfffc324, cx=0x5131620, target=0x217f0410) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/jsapi.cpp:1260
#3  0x00fa2d2c in GetContextFromObject (obj=0x217f0410) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:569
#4  0x00fa39c7 in nsXPCWrappedJSClass::CallMethod (this=0x1da3a090, wrapper=0x1da2b8e0, methodIndex=3, info=0x58b97c8, nativeParams=0xbfffc7e0) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1294
#5  0x00f9ba59 in nsXPCWrappedJS::CallMethod (this=0x1da2b8e0, methodIndex=3, info=0x58b97c8, params=0xbfffc7e0) at /Users/bzbarsky/mozilla/vanilla/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp:586

GetContextFromObject only starts entering compartments and the like if the JS context stack is empty.  So that's where bug 652401 comes in.

However this seems like a general bug in Function.  It seems to assume that if hasfp() then there is a non-dummy frame on the stack... but that's just not true.  Luke added this code a few days ago in bug 602994.
Blocks: 602994
status-firefox5: --- → unaffected
tracking-firefox6: --- → ?
(Assignee)

Comment 3

6 years ago
Created attachment 529130 [details] [diff] [review]
fix

Argh, this is a failed specialization of js_GetScriptedCaller (missing "fp &&" conjunct).  I think I initially did this since sometimes eval is on the hot path and js_GetScriptedCaller is a call + LeaveTrace on every eval.  I don't think it really matters, though, so I'll just put js_GetScriptedCaller back.
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #529130 - Flags: review?(mrbkap)
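The failure mode from comment 2 (a dummy frame pushed by a compartment enter with no scripted frame beneath it) and the missing "fp &&" conjunct from comment 3, as an added C++ model that is not SpiderMonkey code: Frame, Context and both walkers are hypothetical stand-ins, shown buggy and hardened side by side.

```cpp
#include <cassert>
#include <cstddef>

// Hypothetical miniature of a JS frame stack (not SpiderMonkey's real types).
struct Script { const char *filename; unsigned line; };

struct Frame {
    bool dummy;      // pushed on a cross-compartment enter; carries no script
    Script *script;  // null for dummy frames
    Frame *prev;     // caller frame; null at the bottom of the stack
};

struct Context {
    Frame *fp;
    bool hasfp() const { return fp != nullptr; }
};

// Mirrors the failed specialization in comment 3: it treats hasfp() as a
// promise that a non-dummy frame exists somewhere below, so the loop never
// re-checks the pointer while skipping dummy frames. With a lone dummy frame
// on the stack this dereferences null (the crash in the stack trace above).
static Frame *scriptedCallerBuggy(Context *cx) {
    if (!cx->hasfp()) return nullptr;
    Frame *fp = cx->fp;
    while (fp->dummy)        // no null check: prev() of the last frame is null
        fp = fp->prev;
    return fp;
}

// Hardened walk: the "fp &&" conjunct stops the loop at the bottom of the
// stack, so a dummy frame with no scripted caller yields null, not a crash.
static Frame *scriptedCallerFixed(Context *cx) {
    Frame *fp = cx->fp;
    while (fp && fp->dummy)
        fp = fp->prev;
    return fp;   // null means "no scripted caller"; callers must handle it
}

// What a CurrentScriptFileAndLine-style helper should do with that null:
// report "unknown" instead of reading through it.
static bool currentFileAndLine(Context *cx, const char **file, unsigned *line) {
    Frame *fp = scriptedCallerFixed(cx);
    if (!fp) { *file = nullptr; *line = 0; return false; }
    *file = fp->script->filename;
    *line = fp->script->line;
    return true;
}
```

Only the hardened walker is exercised on the dummy-only stack; the buggy one is shown to document the assumption, since running it on that input is undefined behaviour.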

Updated

6 years ago
Attachment #529130 - Flags: review?(mrbkap) → review+
(Assignee)

Comment 4

6 years ago
http://hg.mozilla.org/tracemonkey/rev/e4861593d134
Whiteboard: fixed-in-tracemonkey
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/e4861593d134
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Done, made the merge, not likely to back out, don't need to track for ff6
tracking-firefox6: ? → -
Crash Signature: [@ JSStackFrame::isDummyFrame]