Closed Bug 660905 Opened 14 years ago Closed 8 years ago

Crash in js_XDRFunctionObject mainly with Load Tabs Progressively 1.6

Categories

(Core :: JavaScript Engine, defect)

x86
All
defect
Not set
critical

RESOLVED WORKSFORME
Tracking Status
firefox6 + ---

People

(Reporter: marcia, Unassigned)

Details

(Keywords: crash, Whiteboard: [strong correlation w/ add-on "Load Tabs Progressively" 1.6])

Seen while reviewing crash stats. Seen across all versions. https://crash-stats.mozilla.com/report/list?signature=js_XDRFunctionObject%28JSXDRState*,%20JSObject**%29 to the reports.

https://crash-stats.mozilla.com/report/index/8223cda0-d6a1-4d0a-b44a-1f1a52110531

No correlations showing and very few comments.

Frame  Module  Signature  Source
0 mozjs.dll js_XDRFunctionObject js/src/jsfun.cpp:1864
1 mozjs.dll js_XDRScript js/src/jsscript.cpp:673
2 mozjs.dll js_CloneScript js/src/jsscript.cpp:1841
3 mozjs.dll js_CloneFunctionObject js/src/jsfun.cpp:2788
4 mozjs.dll JSObject::methodReadBarrier js/src/jsobjinlines.h:223
5 mozjs.dll js::StackFrame::getValidCalleeObject js/src/jsfun.cpp:1488
6 mozjs.dll fun_getProperty js/src/jsfun.cpp:1629
7 mozjs.dll js::Shape::get js/src/jsscopeinlines.h:283
8 mozjs.dll js_GetPropertyHelper js/src/jsobj.cpp:5411
9 mozjs.dll InlineGetProp js/src/methodjit/StubCalls.cpp:1883
10 mozjs.dll js::mjit::stubs::GetProp js/src/methodjit/StubCalls.cpp:1895
11 mozjs.dll JSCompartment::wrap js/src/jscompartment.cpp:358
12 mozjs.dll js::mjit::EnterMethodJIT js/src/methodjit/MethodJIT.cpp:685
13 mozjs.dll js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:732
14 mozjs.dll js::RunScript js/src/jsinterp.cpp:610
15 mozjs.dll js::Invoke js/src/jsinterp.cpp:694
16 mozjs.dll js::ExternalInvoke js/src/jsinterp.cpp:816
17 mozjs.dll JS_CallFunctionValue js/src/jsapi.cpp:5080
18 xul.dll nsXPCWrappedJSClass::CallMethod js/src/xpconnect/src/xpcwrappedjsclass.cpp:1662
19 xul.dll nsXPCWrappedJS::CallMethod js/src/xpconnect/src/xpcwrappedjs.cpp:586
20 xul.dll PrepareAndDispatch xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114
21 xul.dll SharedStub xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
22 xul.dll nsBrowserStatusFilter::OnStateChange toolkit/components/statusfilter/nsBrowserStatusFilter.cpp:183
23 xul.dll nsDocLoader::FireOnStateChange uriloader/base/nsDocLoader.cpp:1339
24 xul.dll nsDocLoader::OnStartRequest uriloader/base/nsDocLoader.cpp:565
25 xul.dll nsLoadGroup::AddRequest netwerk/base/src/nsLoadGroup.cpp:595
26 xul.dll imgLoader::LoadImage modules/libpr0n/src/imgLoader.cpp:1723
27 xul.dll NS_CheckContentLoadPolicy obj-firefox/dist/include/nsContentPolicyUtils.h:221
28 xul.dll xul.dll@0xe0d3fb
29 xul.dll nsCSSValue::Image::Image layout/style/nsCSSValue.cpp:1324
30 xul.dll nsCSSValue::StartImageLoad layout/style/nsCSSValue.cpp:551
31 xul.dll TryToStartImageLoad layout/style/nsCSSDataBlock.cpp:148
32 xul.dll TryToStartImageLoad layout/style/nsCSSDataBlock.cpp:140
33 xul.dll nsCSSCompressedDataBlock::MapRuleInfoInto layout/style/nsCSSDataBlock.cpp:190
34 xul.dll nsCSSFrameConstructor::ConstructBlock layout/base/nsCSSFrameConstructor.cpp:10675
35 xul.dll nsRuleNode::WalkRuleTree layout/style/nsRuleNode.cpp:1811
36 xul.dll nsCSSFrameConstructor::ConstructFramesFromItem layout/base/nsCSSFrameConstructor.cpp:5453
37 xul.dll nsCSSFrameConstructor::ConstructFramesFromItemList layout/base/nsCSSFrameConstructor.cpp:9486
38 xul.dll nsCSSFrameConstructor::ProcessChildren layout/base/nsCSSFrameConstructor.cpp:9626
39 xul.dll nsCSSFrameConstructor::ConstructBlock layout/base/nsCSSFrameConstructor.cpp:10672
40 xul.dll nsCSSFrameConstructor::ConstructFrameFromItemInternal layout/base/nsCSSFrameConstructor.cpp:3708
41 xul.dll nsCSSFrameConstructor::ConstructFramesFromItem layout/base/nsCSSFrameConstructor.cpp:5476
42 xul.dll nsCSSFrameConstructor::ConstructFramesFromItemList layout/base/nsCSSFrameConstructor.cpp:9486
43 xul.dll nsCSSFrameConstructor::ContentAppended layout/base/nsCSSFrameConstructor.cpp:6673
44 xul.dll nsCSSFrameConstructor::CreateNeededFrames layout/base/nsCSSFrameConstructor.cpp:6328
45 xul.dll nsCSSFrameConstructor::CreateNeededFrames layout/base/nsCSSFrameConstructor.cpp:6338
46 xul.dll nsCSSFrameConstructor::CreateNeededFrames layout/base/nsCSSFrameConstructor.cpp:6338
47 xul.dll nsCSSFrameConstructor::CreateNeededFrames layout/base/nsCSSFrameConstructor.cpp:6338
48 xul.dll nsCSSFrameConstructor::CreateNeededFrames layout/base/nsCSSFrameConstructor.cpp:6338
49 xul.dll nsCSSFrameConstructor::CreateNeededFrames layout/base/nsCSSFrameConstructor.cpp:6338
50 xul.dll nsCSSFrameConstructor::CreateNeededFrames layout/base/nsCSSFrameConstructor.cpp:6338
51 xul.dll nsCSSFrameConstructor::CreateNeededFrames layout/base/nsCSSFrameConstructor.cpp:6338
52 xul.dll nsCSSFrameConstructor::CreateNeededFrames layout/base/nsCSSFrameConstructor.cpp:6338
53 xul.dll nsCSSFrameConstructor::CreateNeededFrames layout/base/nsCSSFrameConstructor.cpp:6338
54 xul.dll nsCSSFrameConstructor::CreateNeededFrames layout/base/nsCSSFrameConstructor.cpp:6338
55 xul.dll PresShell::FlushPendingNotifications layout/base/nsPresShell.cpp:4822
56 xul.dll nsDocument::FlushPendingNotifications content/base/src/nsDocument.cpp:6376
57 xul.dll nsDocument::FlushPendingNotifications content/base/src/nsDocument.cpp:6371
58 xul.dll nsGenericElement::GetPrimaryFrame content/base/src/nsGenericElement.cpp:3777
59 xul.dll nsGenericElement::GetStyledFrame content/base/src/nsGenericElement.cpp:1569
60 xul.dll nsGenericHTMLElement::GetOffsetRect content/html/content/src/nsGenericHTMLElement.cpp:511
61 xul.dll nsGenericHTMLElement::GetOffsetHeight content/html/content/src/nsGenericHTMLElement.cpp:654
62 xul.dll nsIDOMNSHTMLElement_GetOffsetHeight obj-firefox/js/src/xpconnect/src/dom_quickstubs.cpp:21918
63 mozjs.dll js::Shape::get js/src/jsscopeinlines.h:283
64 mozjs.dll js_GetPropertyHelper js/src/jsobj.cpp:5411
65 mozjs.dll js::Interpret js/src/jsinterp.cpp:4095
66 mozjs.dll js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:732
67 mozjs.dll js::RunScript js/src/jsinterp.cpp:613
68 mozjs.dll js::Invoke js/src/jsinterp.cpp:694
69 mozjs.dll js_fun_apply js/src/jsfun.cpp:2205
70 mozjs.dll js::Interpret js/src/jsinterp.cpp:4685
71 xul.dll nsHttpChannel::QueryInterface netwerk/protocol/http/nsHttpChannel.cpp:3552
72 mozjs.dll js::RunScript js/src/jsinterp.cpp:613
73 mozjs.dll js::Invoke js/src/jsinterp.cpp:694
74 mozjs.dll js::ExternalInvoke js/src/jsinterp.cpp:816
75 mozjs.dll JS_CallFunctionValue js/src/jsapi.cpp:5080
76 xul.dll nsJSContext::CallEventHandler dom/base/nsJSEnvironment.cpp:1900
77 xul.dll nsGlobalWindow::RunTimeout dom/base/nsGlobalWindow.cpp:9211
78 xul.dll nsGlobalWindow::TimerCallback dom/base/nsGlobalWindow.cpp:9556
79 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:424
80 xul.dll nsTimerEvent::Run xpcom/threads/nsTimerImpl.cpp:520
81 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:618
82 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:134
83 xul.dll xul.dll@0xb625d7
84 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:202
85 xul.dll xul.dll@0x36e58f
86 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:176
87 xul.dll nsCSSExpandedDataBlock::nsCSSExpandedDataBlock layout/style/nsCSSDataBlock.cpp:324
88 xul.dll nsBaseAppShell::Run widget/src/xpwidgets/nsBaseAppShell.cpp:189
89 xul.dll nsAppShell::Run widget/src/windows/nsAppShell.cpp:249
OS: All → Windows XP
Hardware: All → x86
Crash Signature: [@ js_XDRFunctionObject(JSXDRState*, JSObject**) ]
It is #7 top crasher in 6.0.
This seems to have risen in volume for FF6. We had about 85 of these yesterday for 6.0b1 as compared to 32 in one week for FF5. Probably worth some investigation since there might be a regression.
Igor, any idea?
(In reply to comment #4)
> Igor, any idea?

No, I will look into it next week.
There's a strong correlation with Load Tabs Progressively 1.6: 98% (58/59) vs. 0% (109/23789) loadTabsProgressively@ithinc.cn
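How a figure of this shape can be derived from raw crash reports, as an added example that is not part of the original bug thread or of Mozilla's crash-stats code. It assumes the first pair counts crashes with this signature and the second pair counts all crashes in the sample; only the four counts 58, 59, 109 and 23789 come from the comment above, and the second add-on ID and every other count are constructed.

```python
from collections import Counter


def addon_correlations(reports, signature):
    """Rank add-ons by over-representation in crashes with `signature`.

    reports: iterable of (crash_signature, set_of_addon_ids).
    Returns rows (addon, sig_hits, sig_total, all_hits, all_total),
    strongest correlation first.
    """
    sig_hits, all_hits = Counter(), Counter()
    sig_total = all_total = 0
    for sig, addons in reports:
        all_total += 1
        all_hits.update(addons)
        if sig == signature:
            sig_total += 1
            sig_hits.update(addons)
    if sig_total == 0:
        return []  # signature absent from this sample: nothing to rank
    rows = [(a, sig_hits[a], sig_total, all_hits[a], all_total) for a in sig_hits]
    # A popular add-on shows up in most crashes of any kind, so rank by the
    # gap between the two rates rather than by the first rate alone.
    rows.sort(key=lambda r: r[1] / r[2] - r[3] / r[4], reverse=True)
    return rows


def format_row(row):
    addon, sh, st, ah, at = row
    return f"{round(100 * sh / st)}% ({sh}/{st}) vs. {round(100 * ah / at)}% ({ah}/{at}) {addon}"


def constructed_sample():
    """Constructed data: 23789 reports, 59 with the signature, 109 with LTP."""
    sig = "js_XDRFunctionObject"
    ltp = "loadTabsProgressively@ithinc.cn"
    common = "common-addon@example.invalid"  # hypothetical widely installed add-on
    reports = [(sig, {ltp, common})] * 30
    reports += [(sig, {ltp})] * 28
    reports += [(sig, {common})] * 1
    reports += [("other_signature", {ltp})] * 51
    reports += [("other_signature", {common})] * 12000
    reports += [("other_signature", set())] * 11679
    return sig, reports


if __name__ == "__main__":
    sig, reports = constructed_sample()
    for row in addon_correlations(reports, sig):
        print(format_row(row))
```

The constructed second add-on appears in about half of the signature crashes but also in about half of all crashes, so it ranks far below the add-on named in the comment.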
Crash Signature: [@ js_XDRFunctionObject(JSXDRState*, JSObject**) ] → [@ js_XDRFunctionObject(JSXDRState*, JSObject**) ] [@ js_XDRFunctionObject ]
Summary: Firefox Crash [@ js_XDRFunctionObject(JSXDRState*, JSObject**) ] → Crash in js_XDRFunctionObject
OS: Windows XP → All
Whiteboard: [strong correlation w/ add-on "Load Tabs Progressively" 1.6]
Crash Signature: [@ js_XDRFunctionObject(JSXDRState*, JSObject**) ] [@ js_XDRFunctionObject ] → [@ js_XDRFunctionObject(JSXDRState*, JSObject**) ] [@ js_XDRFunctionObject ]
Does this mean we should be blocking something? Igor, have you had time to look into this yet?
(In reply to comment #8)
> Does this mean we should be blocking something? Igor, have you had time to
> look into this yet?

I am back from vacation and will look at it today.
It's now only #15 top browser crasher in 6.0b2.
Summary: Crash in js_XDRFunctionObject → Crash in js_XDRFunctionObject mainly with Load Tabs Progressively
I installed https://addons.mozilla.org/en-US/firefox/addon/load-tabs-progressively/ and was able to reproduce this on FF 5.0.1 running on 10.7.
Igor, is it their problem or our problem? Can we work with them to get an update for this top crasher?
(In reply to comment #12)
> Igor, is it their problem or our problem? Can we work with them to get an
> update for this top crasher?

Comment 1 is right on that is a null dereference with null coming from JSObject::private in a function object that represents a compiled function stored in a script. This must be a bug that triggered JSObject::setPrivate(null) on the function object. But we never do that intentionally and those function objects should not be manipulated or accessed by scripts.

So I suppose there is a bug in the addon that triggered that.
https://addons.mozilla.org/en-US/firefox/addon/load-tabs-progressively/developers doesn't have any contact information for the developer - who can help us get that?
Adding the add-on developer to the CC list.
I reverted the compatibility information for version 1.6 to maxVersion = 5.*. It was us who automatically bumped the add-on compatibility to 6.* and 7.*. The add-on does lots of monkey patching in the tab loading code; it's likely that something changed there that broke the add-on badly. I also noticed versions 1.6.1pre and 1.6.1pre2 on AMO that have higher compatibility by default and have beta status. Is there any data about these versions crashing as well?
(In reply to Marcia Knous [:marcia] from comment #11)
> I installed
> https://addons.mozilla.org/en-US/firefox/addon/load-tabs-progressively/ and
> was able to reproduce this on FF 5.0.1 running on 10.7.

Could you please provide the steps to reproduce it? Thanks.
(In reply to Igor Bukanov from comment #13)
> (In reply to comment #12)
> > Igor, is it their problem or our problem? Can we work with them to get an
> > update for this top crasher?
>
> Comment 1 is right on that is a null dereference with null coming from
> JSObject::private in a function object that represents a compiled function
> stored in a script. This must be a bug that triggered
> JSObject::setPrivate(null) on the function object. But we never do that
> intentionally and those function objects should not be manipulated or
> accessed by scripts.
>
> So I suppose there is a bug in the addon that triggered that.

Thank you for your insights. LTP changes little with Firefox upgrading from 3.6 to 4.0+. Could arguments.callee.caller trigger that? Otherwise I suppose it's some Firefox change that leads to that. I'm using LTP mainly with Firefox 5.0 and I've never encountered this crash.

LTP 1.6.1pre2 removed the call to arguments.callee.caller. I'm also interested in any data about this version.
I was just testing Firefox 6.0 and noticed I could install the Load Tabs Progressively Addon (version 1.6). Although it notes that it will be disabled, after restart it is not shown as disabled. The same thing happens with Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:7.0) Gecko/20100101 Firefox/7. I noticed that this signature is in the #9 top crash in the early 6.0 data, that is why I was testing it.
I just hit this deleting emails in Gmail using Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:6.0) Gecko/20100101 Firefox/6.0. I did have the Load Tabs extension installed in my profile. The crash comments do mention crashing while deleting emails and performing other Gmail operations.
Never had a crash with this extension, on any version of Firefox.
I can reproduce this crash every time (100% occurrence) on Facebook.com when attempting to play a YouTube video from the homepage News Feed. With Load Tabs Progressively the crash does not occur, but happens again when I re-enable the Add-on. This happens with LTP as the only Add-on installed. Firefox 6, Win7 32-bit.
It's probably caused by that old version you're using; 1.6 was never meant to be used on anything over Firefox 4.

1.61 is the latest. I've been using the pre2 version up till today but am updating to the final now: https://addons.mozilla.org/en-US/firefox/addon/load-tabs-progressively/versions/1.6.1
Summary: Crash in js_XDRFunctionObject mainly with Load Tabs Progressively → Crash in js_XDRFunctionObject mainly with Load Tabs Progressively 1.6
Alright, done that, tested a YouTube video in the Facebook news feed. No crash. I do recall crashes in 5.0b, however, which were resolved by updating all my extensions to the at-the-time latest dev versions; LTP was at 1.61pre1 at the time.
(In reply to Danial Horton from comment #23)
> Its probably caused by that old version you're using, 1.6 was never meant to
> be used on anything over firefox 4,
>
> 1.61 is the latest, i've been using the pre2 version up till today but am
> updating to the final now

1.6.1pre2 or 1.6.1 doesn't include a fix against this, but I'm interested to know if it plays differently than 1.6.
Well, I haven't had a crash since 5.0b that I could blame on extensions.
(In reply to Martin Poirier from comment #22)
> I can reproduce this crash every time (100% occurrence) on Facebook.com when
> attempting to play a YouTube video from the homepage News Feed. With Load
> Tabs Progressively the crash does not occur, but happens again when I
> re-enable the Add-on. This happens with LTP as the only Add-on installed.
>
> Firefox 6, Win7 32-bit.

Can you post the direct url of the video if a sign-in is not needed? You may also update LTP to 1.6.1 to have another test. Thanks.
Obviously I meant "Without Load Tabs Progressively the crash does not occur..." and not "With Load Tabs Progressively...". The links I tested all seem to require login, but I'll try to hunt one down that does not require it. However, oddly enough I am not getting the crash with v1.6.1 when performing the exact same steps.
Thanks, then 1.6.1 should have solved the problem. Can you have a test with Version 1.6.1pre - https://addons.mozilla.org/firefox/addon/load-tabs-progressively/versions/1.6.1pre and Version 1.6.1pre2 - https://addons.mozilla.org/firefox/addon/load-tabs-progressively/versions/1.6.1pre2 respectively? It will help to identify the problem.
Crashes with 1.61.pre1 when trying to open a flash video in the Facebook news feed.
No crash with 1.61.pre2.
@Moz devs, can someone get a wire to one of the Add-on's reviewers and get 1.6.1 verified so everyone can get the update notification.
Jorge: I assume I need an addons login to be able to get the 1.6.1 version?
NM - found them at https://addons.mozilla.org/en-US/firefox/addon/load-tabs-progressively/versions/

(In reply to Marcia Knous [:marcia] from comment #32)
> Jorge: I assume I need an addons login to be able to get the 1.6.1 version?
Version 1.6.1 has been reviewed and approved for the public. It should take a couple of days for the stats to show the impact of the update.
Assignee: general → nobody
I'm marking this bug as WORKSFORME, as this bug's crash signature hasn't appeared for a long time (over half a year) in Firefox (except some obsolete Fx <11).
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME