Closed Bug 704460 Opened 8 years ago Closed 7 years ago

Crash in js_ValueToString with Firebug

Categories

(Core :: JavaScript Engine, defect, critical)

9 Branch
x86
macOS
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: scoobidiver, Unassigned)

Details

(Keywords: crash, regression, Whiteboard: [firebug-p1])

Crash Data

It's #15 top crasher on Mac OS X in 9.0b2, #59 in 10.0a2.

Signature	js_ValueToString
UUID	b3770d54-cf60-44f5-93bb-ef9b32111118
Date Processed	2011-11-18 16:26:28.876487
Uptime	22049
Last Crash	1.0 days before submission
Install Age	3.2 days since version was first installed.
Install Time	2011-11-15 18:36:29
Product	Firefox
Version	9.0
Build ID	20111109112850
Release Channel	beta
OS	Mac OS X
OS Version	10.5.8 9L30
Build Architecture	x86
Build Architecture Info	family 6 model 23 stepping 6
Crash Reason	EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash Address	0xffffffff8b000093
App Notes 	Renderers: 0x22600,0x20400

Frame 	Module 	Signature [Expand] 	Source
0 	XUL 	js_ValueToString 	js/src/jsobj.h:1501
1 	XUL 	JS_ValueToString 	js/src/jsapi.cpp:492
2 	XUL 	jsd_GetValueString 	js/jsd/jsd_val.c:239
3 	XUL 	jsd_GetValueProperty 	js/jsd/jsd_val.c:594
4 	XUL 	jsdValue::GetProperty 	js/jsd/jsd_xpc.cpp:2425
5 	XUL 	XUL@0xfea62f 	
6 	XUL 	XPCWrappedNative::CallMethod 	js/src/xpconnect/src/xpcwrappednative.cpp:3150
7 	XUL 	XPC_WN_CallMethod 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1629
8 	XUL 	js::mjit::stubs::UncachedCallHelper 	js/src/jscntxtinlines.h:296
9 	XUL 	js::mjit::stubs::UncachedCall 	js/src/methodjit/InvokeHelpers.cpp:434
10 		@0x56b6c7b5 	
11 	XUL 	js::mjit::EnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:866
12 		@0x249b77cf 	
13 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:945
14 	XUL 	js::RunScript 	js/src/jsinterp.cpp:611
15 	XUL 	js::InvokeKernel 	js/src/jsinterp.cpp:678
16 	XUL 	js_fun_apply 	js/src/jsinterp.h:167
17 	XUL 	js::mjit::stubs::UncachedCallHelper 	js/src/jscntxtinlines.h:296
18 	XUL 	js::mjit::stubs::UncachedCall 	js/src/methodjit/InvokeHelpers.cpp:434
19 		@0x35d0403d 	
20 	XUL 	js::mjit::EnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:866
21 		@0x249b7747 	
22 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:945
23 	XUL 	js::RunScript 	js/src/jsinterp.cpp:611
24 	XUL 	js::InvokeKernel 	js/src/jsinterp.cpp:678
25 	XUL 	js::Invoke 	js/src/jsinterp.h:167
26 	XUL 	JS_CallFunctionValue 	js/src/jsapi.cpp:5039
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js_ValueToString
This is inside JSD so presumably it's Firebug-related.
I believe, http://code.google.com/p/fbug/issues/detail?id=5075 is related to this.
It also describes a test case.

Sebastian
Whiteboard: [firebug-p1]
(In reply to David Mandelin from comment #1)
> This is inside JSD so presumably it's Firebug-related.
Confirmed by correlations in 9.0.1:
  js_ValueToString|EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE (28 crashes)
    100% (28/28) vs.  19% (456/2456) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843)
Summary: Crash in js_ValueToString → Crash in js_ValueToString with Firebug
Can anyone reproduce this with Nightly (12), Aurora (11), or Beta (10b5 or later -- not yet released, but should come out on Friday)? I'm suspecting bug 712289 (which you probably can't see, but the patch has landed on all branches now.)
I asked in the related Firebug issue, if someone can still reproduce this crash.

Sebastian
There have been no crashes for the last four weeks after 10.0.2.
Status: NEW → RESOLVED
Crash Signature: [@ js_ValueToString ] → [@ js_ValueToString ] [@ js_ValueToString(JSContext*, JS::Value const&) ]
Closed: 7 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.