The default bug view has changed. See this FAQ.

Firefox Crash [@ nsJSPrincipalsSubsume ]

VERIFIED FIXED

Status

()

Core
JavaScript Engine
--
critical
VERIFIED FIXED
6 years ago
2 years ago

People

(Reporter: marcia, Unassigned)

Tracking

({crash, regression})

Trunk
crash, regression
Points:
---

Firefox Tracking Flags

(firefox6+ fixed)

Details

(crash signature)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
Seen while reviewing trunk new crashes, but spans 3.6.x and 4.0.x as well. https://crash-stats.mozilla.com/report/list?signature=nsJSPrincipalsSubsume to the crashes across all versions.

Crashes on the trunk started showing using the 2011051300 build. Possible pushlog regression range: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2a0fbd6eedbd&tochange=ad1fa68dcaf5

https://crash-stats.mozilla.com/report/index/09c84d00-7caf-4ac8-944a-314522110514

Frame 	Module 	Signature [Expand] 	Source
0 	xul.dll 	nsJSPrincipalsSubsume 	caps/src/nsJSPrincipals.cpp:73
1 	mozjs.dll 	EvalKernel 	
2 	mozjs.dll 	js::PropertyCache::fill 	js/src/jspropertycache.cpp:154
3 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:4673
4 		@0x0
Line 154 in jspropertycache.cpp there is:

if (!pobj->generic() && shape->hasDefaultGetter() && pobj->containsSlot(shape->slot)) {

which means that frames 0 and 1 are bogus-ish (as in, we jumped into lala-land in fill()).

Comment 2

6 years ago
Hmm, of those report I looked into from https://crash-stats.mozilla.com/report/list?signature=nsJSPrincipalsSubsume there seem to be a number of different stacks that lead to a crash in nsJSPrincipalsSubsume. The 3.6 and 4 ones are very different, but the ones from 6.0a1 for Windows have the top frames from comment #0 mostly (with js::PropertyCache::fill in there), but most from Mac and Linux as well as bp-b2394f9b-40a3-4402-ae5b-832f42110516 have those top frames (Mac and Linux are missing the one being #3 here but all have #0, #1, #2 the same, the #4 here is #3 for the others, I also found cases of #2 "missing"):

0 	xul.dll 	nsJSPrincipalsSubsume 	caps/src/nsJSPrincipals.cpp:73
1 	mozjs.dll 	EvalKernel 	
2 	mozjs.dll 	js::DirectEval 	js/src/jsobj.cpp:1303
3 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:4673
4 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:4580

Here a Mac example from bp-7a0aa18d-6f43-4a13-a531-e4bc72110515

0 	XUL 	nsJSPrincipalsSubsume 	caps/src/nsJSPrincipals.cpp:73
1 	XUL 	EvalKernel 	js/src/jsobj.cpp:990
2 	XUL 	js::DirectEval 	js/src/jsobj.cpp:1303
3 	XUL 	js::Interpret 	js/src/jsinterp.cpp:4580

And a Linux one from bp-e53f9a90-0886-465a-a47d-a183e2110515

0 	libxul.so 	nsJSPrincipalsSubsume 	caps/src/nsJSPrincipals.cpp:73
1 	libxul.so 	EvalKernel 	js/src/jsobj.cpp:995
2 	libxul.so 	js::DirectEval 	js/src/jsobj.cpp:1303
3 	libxul.so 	js::Interpret 	js/src/jsinterp.cpp:4580

All are coming from EvalKernel to nsJSPrincipalsSubsume, all are going through the same line in js::Interpret before, but the way there seems different.
See the linked list for more examples.

We had zero crashes with that signature for a week on 6 until this came up on 2011-05-14 with ~30 crashes daily since then. All those seem to be on startup, so due to retries there are a number of those marked as "duplicates".
The first nightly I can consistently reproduce this in is 05-13 from the Tracemonkey branch (5ff15fe83e16). I saw a crash once testing 05-12 nightly, but didn't get a signature and can't reproduce it. As quite a lot of my users are reporting this, I can probably provide a method to reproduce it consistently.
To reproduce this crash with a nighly build simply use the example extension attached to bug 644856 (attachment 521690 [details]).
Keywords: regression, regressionwindow-wanted
Crash Signature: [@ nsJSPrincipalsSubsume ]

Comment 5

6 years ago
It is #3 top crasher in 6.0 and happens almost exclusively at startup.
Maybe related to incompatible add-ons.
tracking-firefox6: --- → ?
I don't think it's an issue with incompatible add-ons. In my case, it happens when evalInSandbox is called while a JSM is loading. I suspect it's only becoming more common in 6.0 because more people are using it with a wider variety of add-ons now that it's in beta.

Comment 7

6 years ago
Crashes are at 0x18 on 32-bit and 0x30 64-bit.  In both cases, this is offsetof(nsJPrincipals, nsIPrincipalPtr) so I think this is simply null 'jsprin'.  The only way to call 'subsume' from EvalKernel is through EvalCacheLookup, so hopefully this is just a simple fix.

Comment 8

6 years ago
Created attachment 545194 [details] [diff] [review]
test null

(Ideally, we'd just do bug 668558, but this is beta, so quickfix/safe for now.)
Attachment #545194 - Flags: review?(mrbkap)

Comment 9

6 years ago
For some reason this signature has risen in FF6 but appeared in FF5. We are going to track this with the assumption we will approve the null check for beta. We can verify the crashes go down.
tracking-firefox6: ? → +

Updated

6 years ago
Attachment #545194 - Flags: review?(mrbkap) → review+

Updated

6 years ago
Attachment #545194 - Flags: approval-mozilla-beta?
Attachment #545194 - Flags: approval-mozilla-aurora?

Updated

6 years ago
Attachment #545194 - Flags: approval-mozilla-beta?
Attachment #545194 - Flags: approval-mozilla-beta+
Attachment #545194 - Flags: approval-mozilla-aurora?
Attachment #545194 - Flags: approval-mozilla-aurora+

Comment 10

6 years ago
http://hg.mozilla.org/mozilla-central/rev/d6fa77966e7c
http://hg.mozilla.org/releases/mozilla-aurora/rev/32b68884f5c5
http://hg.mozilla.org/releases/mozilla-beta/rev/3615026f5272

Updated

6 years ago
status-firefox6: --- → fixed

Comment 11

6 years ago
The latest crashes on 7.0a2 (resp. 8.0a1) were with the build ID 20110712042004 (resp. 20110712030758), so it's verified that it's fixed.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED

Updated

6 years ago
Status: RESOLVED → VERIFIED
I think this caused a massive, presumably shell-only regression on ss-date-format-tofte (visible on the awfy-regress page on TI, as the TM branch doesn't have this cset yet).  The principals are (I think?) always NULL in the shell, so we never use the eval cache when eval'ing the same scripts several hundred times.  Is there a way to modify the tests so that shell performance reflects browser performance better?

Comment 13

6 years ago
Ah, thanks.  File bug 672283.

Updated

6 years ago
Keywords: regressionwindow-wanted
You need to log in before you can comment on or make changes to this bug.