Bug 715561 - Startup crash with some extensions
Status: RESOLVED FIXED
Whiteboard: startupcrash
Keywords: crash, regression, reproducible
Product: Core
Classification: Components
Component: JavaScript Engine
Version: 12 Branch
Platform: All All
Importance: -- critical with 1 vote
Target Milestone: mozilla12
Assigned To: Luke Wagner [:luke]
Duplicates: 717447 717703
Blocks: 692274
Reported: 2012-01-05 10:26 PST by Kyle Machulis [:kmachulis] [:qdot]
Modified: 2012-01-13 03:03 PST
CC List: 13 users

Attachments
tidy js_XDRStaticBlockObject in preparation for actual fix (4.45 KB, patch)
2012-01-09 10:25 PST, Luke Wagner [:luke]
jorendorff: review+
fix (4.77 KB, patch)
2012-01-09 10:51 PST, Luke Wagner [:luke]
jorendorff: review+

Description Kyle Machulis [:kmachulis] [:qdot] 2012-01-05 10:26:55 PST
Platform: Ubuntu 11.04, x86-64
Browser: Firefox 12 (built from trunk @ b0e65467c4c8)

Repro:

- Install Keysnail Extension (http://www.github.com/mooz/keysnail) in Firefox 12
- Restart firefox 12

Expected:

- Firefox loads with keysnail active

Current:

- Firefox crashes in js_XDRStaticBlockObject

Stack:

#0  0x00007f333174e5ad in nanosleep () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007f333174e43c in sleep () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007f332e2eee8f in ah_crap_handler (signum=6) at /home/kmachulis/code/mozbuild/mozilla-central/toolkit/xre/nsSigHandlers.cpp:121
#3  0x00007f332e2f495d in nsProfileLock::FatalSignalHandler (signo=6, info=0x7fff7cc600b0, context=0x7fff7cc5ff80)
    at /home/kmachulis/code/mozbuild/mozilla-central/obj-debug/toolkit/profile/nsProfileLock.cpp:226
#4  <signal handler called>
#5  0x00007f33323e9b3b in raise () from /lib/x86_64-linux-gnu/libpthread.so.0
#6  0x00007f332ffa8ff6 in CrashInJS () at /home/kmachulis/code/mozbuild/mozilla-central/js/src/jsutil.cpp:98
#7  0x00007f332ffa904e in JS_Assert (s=0x7f3330729565 "JSID_IS_ATOM(propid)", file=0x7f3330729328 "/home/kmachulis/code/mozbuild/mozilla-central/js/src/vm/ScopeObject.cpp", ln=719)
    at /home/kmachulis/code/mozbuild/mozilla-central/js/src/jsutil.cpp:115
#8  0x00007f332ffd6cf4 in js_XDRStaticBlockObject (xdr=0x7f330627f320, objp=0x7fff7cc607a8) at /home/kmachulis/code/mozbuild/mozilla-central/js/src/vm/ScopeObject.cpp:719
#9  0x00007f332ff6ede2 in js_XDRScript (xdr=0x7f330627f320, scriptp=0x7fff7cc60938) at /home/kmachulis/code/mozbuild/mozilla-central/js/src/jsscript.cpp:670
#10 0x00007f332fe7fc01 in js_XDRFunctionObject (xdr=0x7f330627f320, objp=0x7fff7cc60a48) at /home/kmachulis/code/mozbuild/mozilla-central/js/src/jsfun.cpp:1369
#11 0x00007f332ff6ed68 in js_XDRScript (xdr=0x7f330627f320, scriptp=0x7fff7cc60bb0) at /home/kmachulis/code/mozbuild/mozilla-central/js/src/jsscript.cpp:664
#12 0x00007f332ffb84df in JS_XDRScript (xdr=0x7f330627f320, scriptp=0x7fff7cc60bf0) at /home/kmachulis/code/mozbuild/mozilla-central/js/src/jsxdrapi.cpp:742
#13 0x00007f332f2f7471 in WriteScriptToStream (cx=0x7f330d01fac0, script=0x7f330739d180, stream=0x7f3306810e80)
    at /home/kmachulis/code/mozbuild/mozilla-central/js/xpconnect/loader/mozJSLoaderUtils.cpp:115
#14 0x00007f332f2f7846 in WriteCachedScript (cache=0x7f331fa847f0, uri=..., cx=0x7f330d01fac0, script=0x7f330739d180)
    at /home/kmachulis/code/mozbuild/mozilla-central/js/xpconnect/loader/mozJSLoaderUtils.cpp:180
#15 0x00007f332f2f7113 in mozJSSubScriptLoader::LoadSubScript (this=0x7f330f0e9a80, url=..., target=..., charset=..., cx=0x7f330d01fac0, retval=0x7fff7cc61460)
    at /home/kmachulis/code/mozbuild/mozilla-central/js/xpconnect/loader/mozJSSubScriptLoader.cpp:363
#16 0x00007f332f9c5d7c in NS_InvokeByIndex_P (that=0x7f330f0e9a80, methodIndex=3, paramCount=5, params=0x7fff7cc61400)
    at /home/kmachulis/code/mozbuild/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:195
#17 0x00007f332f230521 in CallMethodHelper::Invoke (this=0x7fff7cc613c0) at /home/kmachulis/code/mozbuild/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2899
#18 0x00007f332f22e349 in CallMethodHelper::Call (this=0x7fff7cc613c0) at /home/kmachulis/code/mozbuild/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2230
#19 0x00007f332f22e1e0 in XPCWrappedNative::CallMethod (ccx=..., mode=XPCWrappedNative::CALL_METHOD)
    at /home/kmachulis/code/mozbuild/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2196
#20 0x00007f332f23b6be in XPC_WN_CallMethod (cx=0x7f330d01fac0, argc=2, vp=0x7f331b6fe2f0)
    at /home/kmachulis/code/mozbuild/mozilla-central/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1541
#21 0x00007f332fee96e5 in js::CallJSNative (cx=0x7f330d01fac0, native=0x7f332f23b460 <XPC_WN_CallMethod(JSContext*, uintN, jsval*)>, args=...)
    at /home/kmachulis/code/mozbuild/mozilla-central/js/src/jscntxtinlines.h:311
#22 0x00007f332fecc060 in js::InvokeKernel (cx=0x7f330d01fac0, args=..., construct=js::NO_CONSTRUCT) at /home/kmachulis/code/mozbuild/mozilla-central/js/src/jsinterp.cpp:523
#23 0x00007f332fedaf34 in js::Interpret (cx=0x7f330d01fac0, entryFrame=0x7f331b6fe038, interpMode=js::JSINTERP_NORMAL)
    at /home/kmachulis/code/mozbuild/mozilla-central/js/src/jsinterp.cpp:3356
#24 0x00007f332fecbe14 in js::RunScript (cx=0x7f330d01fac0, script=0x7f330f592350, fp=0x7f331b6fe038) at /home/kmachulis/code/mozbuild/mozilla-central/js/src/jsinterp.cpp:478
#25 0x00007f332fecc151 in js::InvokeKernel (cx=0x7f330d01fac0, args=..., construct=js::NO_CONSTRUCT) at /home/kmachulis/code/mozbuild/mozilla-central/js/src/jsinterp.cpp:541
#26 0x00007f332fe34a35 in js::Invoke (cx=0x7f330d01fac0, args=..., construct=js::NO_CONSTRUCT) at /home/kmachulis/code/mozbuild/mozilla-central/js/src/jsinterp.h:157
#27 0x00007f332fecc33a in js::Invoke (cx=0x7f330d01fac0, thisv=..., fval=..., argc=1, argv=0x7fff7cc62f40, rval=0x7fff7cc62c00)
    at /home/kmachulis/code/mozbuild/mozilla-central/js/src/jsinterp.cpp:573
#28 0x00007f332fe11889 in JS_CallFunctionValue (cx=0x7f330d01fac0, obj=0x7f33152da8c0, fval=..., argc=1, argv=0x7fff7cc62f40, rval=0x7fff7cc62c00)
    at /home/kmachulis/code/mozbuild/mozilla-central/js/src/jsapi.cpp:5441
#29 0x00007f332f223fa9 in nsXPCWrappedJSClass::CallMethod (this=0x7f3316561ba0, wrapper=0x7f330a255400, methodIndex=3, info=0x7f331fcb3928, nativeParams=0x7fff7cc63070)
    at /home/kmachulis/code/mozbuild/mozilla-central/js/xpconnect/src/XPCWrappedJSClass.cpp:1528
#30 0x00007f332f21a889 in nsXPCWrappedJS::CallMethod (this=0x7f330a255400, methodIndex=3, info=0x7f331fcb3928, params=0x7fff7cc63070)
    at /home/kmachulis/code/mozbuild/mozilla-central/js/xpconnect/src/XPCWrappedJS.cpp:611
#31 0x00007f332f9c6c21 in PrepareAndDispatch (self=0x7f330a3b7b60, methodIndex=3, args=0x7fff7cc631f0, gpregs=0x7fff7cc63170, fpregs=0x7fff7cc631a0)
    at /home/kmachulis/code/mozbuild/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:153
#32 0x00007f332f9c5ddf in SharedStub () from /home/kmachulis/code/mozbuild/mozilla-central/obj-debug/dist/bin/libxul.so
#33 0x00007f332eadb934 in nsEventListenerManager::HandleEventSubType (this=0x7f330a371aa0, aListenerStruct=0x7f33067e3808, aListener=0x7f330a3b7b60, aDOMEvent=0x7f3306223510, 
    aCurrentTarget=0x7f330a36ac90, aPhaseFlags=6, aPusher=0x7fff7cc634e0) at /home/kmachulis/code/mozbuild/mozilla-central/content/events/src/nsEventListenerManager.cpp:734
#34 0x00007f332eadbbbd in nsEventListenerManager::HandleEventInternal (this=0x7f330a371aa0, aPresContext=0x7f330a2e0800, aEvent=0x7fff7cc635f0, aDOMEvent=0x7fff7cc634c0, 
    aCurrentTarget=0x7f330a36ac90, aFlags=6, aEventStatus=0x7fff7cc634c8, aPusher=0x7fff7cc634e0)
    at /home/kmachulis/code/mozbuild/mozilla-central/content/events/src/nsEventListenerManager.cpp:791
#35 0x00007f332eb05c6e in nsEventListenerManager::HandleEvent (this=0x7f330a371aa0, aPresContext=0x7f330a2e0800, aEvent=0x7fff7cc635f0, aDOMEvent=0x7fff7cc634c0, 
    aCurrentTarget=0x7f330a36ac90, aFlags=6, aEventStatus=0x7fff7cc634c8, aPusher=0x7fff7cc634e0)
    at /home/kmachulis/code/mozbuild/mozilla-central/content/events/src/nsEventListenerManager.h:168
#36 0x00007f332eb061a4 in nsEventTargetChainItem::HandleEvent (this=0x7f331a9a7038, aVisitor=..., aFlags=6, aMayHaveNewListenerManagers=false, aPusher=0x7fff7cc634e0)
    at /home/kmachulis/code/mozbuild/mozilla-central/content/events/src/nsEventDispatcher.cpp:215
#37 0x00007f332eb066a8 in nsEventTargetChainItem::HandleEventTargetChain (this=0x7f331a9a71f8, aVisitor=..., aFlags=6, aCallback=0x0, aMayHaveNewListenerManagers=false, 
    aPusher=0x7fff7cc634e0) at /home/kmachulis/code/mozbuild/mozilla-central/content/events/src/nsEventDispatcher.cpp:347
#38 0x00007f332eb078ba in nsEventDispatcher::Dispatch (aTarget=0x7f330a369c00, aPresContext=0x7f330a2e0800, aEvent=0x7fff7cc635f0, aDOMEvent=0x0, aEventStatus=0x7fff7cc63664, 
    aCallback=0x0, aTargets=0x0) at /home/kmachulis/code/mozbuild/mozilla-central/content/events/src/nsEventDispatcher.cpp:681
#39 0x00007f332e629317 in DocumentViewerImpl::LoadComplete (this=0x7f331a9ac5c0, aStatus=0) at /home/kmachulis/code/mozbuild/mozilla-central/layout/base/nsDocumentViewer.cpp:1049
#40 0x00007f332f31e04a in nsDocShell::EndPageLoad (this=0x7f330a369000, aProgress=0x7f330a369028, aChannel=0x7f331a9b26d0, aStatus=0)
    at /home/kmachulis/code/mozbuild/mozilla-central/docshell/base/nsDocShell.cpp:6139
#41 0x00007f332f31d705 in nsDocShell::OnStateChange (this=0x7f330a369000, aProgress=0x7f330a369028, aRequest=0x7f331a9b26d0, aStateFlags=131088, aStatus=0)
    at /home/kmachulis/code/mozbuild/mozilla-central/docshell/base/nsDocShell.cpp:5978
#42 0x00007f332f34babf in nsDocLoader::DoFireOnStateChange (this=0x7f330a369000, aProgress=0x7f330a369028, aRequest=0x7f331a9b26d0, aStateFlags=@0x7fff7cc63cc4, aStatus=0)
    at /home/kmachulis/code/mozbuild/mozilla-central/uriloader/base/nsDocLoader.cpp:1383
#43 0x00007f332f34a7ea in nsDocLoader::doStopDocumentLoad (this=0x7f330a369000, request=0x7f331a9b26d0, aStatus=0)
    at /home/kmachulis/code/mozbuild/mozilla-central/uriloader/base/nsDocLoader.cpp:963
#44 0x00007f332f34a35f in nsDocLoader::DocLoaderIsEmpty (this=0x7f330a369000, aFlushLayout=true) at /home/kmachulis/code/mozbuild/mozilla-central/uriloader/base/nsDocLoader.cpp:852
#45 0x00007f332f34818b in nsDocLoader::ChildDoneWithOnload (this=0x7f330a369000, aChild=0x7f33079e6800) at /home/kmachulis/code/mozbuild/mozilla-central/uriloader/base/nsDocLoader.h:225
#46 0x00007f332f34a390 in nsDocLoader::DocLoaderIsEmpty (this=0x7f33079e6800, aFlushLayout=true) at /home/kmachulis/code/mozbuild/mozilla-central/uriloader/base/nsDocLoader.cpp:855
#47 0x00007f332f34818b in nsDocLoader::ChildDoneWithOnload (this=0x7f33079e6800, aChild=0x7f3307869400) at /home/kmachulis/code/mozbuild/mozilla-central/uriloader/base/nsDocLoader.h:225
#48 0x00007f332f34a390 in nsDocLoader::DocLoaderIsEmpty (this=0x7f3307869400, aFlushLayout=true) at /home/kmachulis/code/mozbuild/mozilla-central/uriloader/base/nsDocLoader.cpp:855
#49 0x00007f332f349e65 in nsDocLoader::OnStopRequest (this=0x7f3307869400, aRequest=0x7f331923bb40, aCtxt=0x0, aStatus=0)
    at /home/kmachulis/code/mozbuild/mozilla-central/uriloader/base/nsDocLoader.cpp:736
#50 0x00007f332e341d5c in nsLoadGroup::RemoveRequest (this=0x7f33069e6b70, request=0x7f331923bb40, ctxt=0x0, aStatus=0)
    at /home/kmachulis/code/mozbuild/mozilla-central/netwerk/base/src/nsLoadGroup.cpp:731
#51 0x00007f332e9a1441 in nsDocument::DoUnblockOnload (this=0x7f33066df000) at /home/kmachulis/code/mozbuild/mozilla-central/content/base/src/nsDocument.cpp:7192
#52 0x00007f332e9a119f in nsDocument::UnblockOnload (this=0x7f33066df000, aFireSync=true) at /home/kmachulis/code/mozbuild/mozilla-central/content/base/src/nsDocument.cpp:7134
#53 0x00007f332e996c1c in nsDocument::DispatchContentLoadedEvents (this=0x7f33066df000) at /home/kmachulis/code/mozbuild/mozilla-central/content/base/src/nsDocument.cpp:4219
#54 0x00007f332e34fe1a in nsRunnableMethodImpl<void (nsPACMan::*)(), true>::Run (this=0x7f3306227400) at ../../../dist/include/nsThreadUtils.h:345
#55 0x00007f332f99ec31 in nsThread::ProcessNextEvent (this=0x7f3331554e20, mayWait=false, result=0x7fff7cc6443f)
    at /home/kmachulis/code/mozbuild/mozilla-central/xpcom/threads/nsThread.cpp:660
#56 0x00007f332f9330b9 in NS_ProcessNextEvent_P (thread=0x7f3331554e20, mayWait=false) at /home/kmachulis/code/mozbuild/mozilla-central/obj-debug/xpcom/build/nsThreadUtils.cpp:245
#57 0x00007f332f80ea40 in mozilla::ipc::MessagePump::Run (this=0x7f3324b59bc0, aDelegate=0x7f33315d08f0) at /home/kmachulis/code/mozbuild/mozilla-central/ipc/glue/MessagePump.cpp:110
#58 0x00007f332f9edabd in MessageLoop::RunInternal (this=0x7f33315d08f0) at /home/kmachulis/code/mozbuild/mozilla-central/ipc/chromium/src/base/message_loop.cc:208
#59 0x00007f332f9eda4e in MessageLoop::RunHandler (this=0x7f33315d08f0) at /home/kmachulis/code/mozbuild/mozilla-central/ipc/chromium/src/base/message_loop.cc:201
#60 0x00007f332f9eda27 in MessageLoop::Run (this=0x7f33315d08f0) at /home/kmachulis/code/mozbuild/mozilla-central/ipc/chromium/src/base/message_loop.cc:175
#61 0x00007f332f6ad414 in nsBaseAppShell::Run (this=0x7f331fb1eef0) at /home/kmachulis/code/mozbuild/mozilla-central/widget/xpwidgets/nsBaseAppShell.cpp:189
#62 0x00007f332f3fe054 in nsAppStartup::Run (this=0x7f331fb1b060) at /home/kmachulis/code/mozbuild/mozilla-central/toolkit/components/startup/nsAppStartup.cpp:220
#63 0x00007f332e2e1a5d in XRE_main (argc=2, argv=0x7fff7cc670d8, aAppData=0x422c20) at /home/kmachulis/code/mozbuild/mozilla-central/toolkit/xre/nsAppRunner.cpp:3537
#64 0x0000000000402413 in do_main (exePath=0x7fff7cc65fd0 "/home/kmachulis/code/mozbuild/mozilla-central/obj-debug/dist/bin/", argc=2, argv=0x7fff7cc670d8)
    at /home/kmachulis/code/mozbuild/mozilla-central/browser/app/nsBrowserApp.cpp:205
#65 0x000000000040267a in main (argc=2, argv=0x7fff7cc670d8) at /home/kmachulis/code/mozbuild/mozilla-central/browser/app/nsBrowserApp.cpp:295
Comment 1 Masafumi Oyamada 2012-01-05 19:03:46 PST
Seemingly, this is because of an assertion failure at http://hg.mozilla.org/mozilla-central/diff/f0d76403ae9c/js/src/vm/ScopeObject.cpp#l1.700, which was added for Bug #713311.

Maybe Bug #687398 is similar to this problem?
Comment 2 Scoobidiver (away) 2012-01-07 06:26:06 PST
This crash signature is applicable to more extensions.
It first appeared in 12.0a1/20111224. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c5b90ea7e475&tochange=f63a99195987

More reports at:
https://crash-stats.mozilla.com/report/list?signature=JS_XDRString
Comment 3 Alice0775 White 2012-01-08 08:40:16 PST
Regression window (m-i)
No crash:
http://hg.mozilla.org/integration/mozilla-inbound/rev/f75ee6fa2587
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0a1) Gecko/20111222 Firefox/12.0a1 ID:20111222033735
Crash:
http://hg.mozilla.org/integration/mozilla-inbound/rev/6707b2415598
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0a1) Gecko/20111222 Firefox/12.0a1 ID:20111222081210
Pushlog
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f75ee6fa2587&tochange=6707b2415598

In local build, first bad changeset:
38344f96b3e3	Luke Wagner — Bug 692274, part 4 - Rewrite parsing, emitting and decompiling of let to fix scoping properly (r=jorendorff)
Comment 4 Luke Wagner [:luke] 2012-01-08 15:51:40 PST
Ah!  Simple bug.  The XDR code needs to be updated to match block objects (which can now contain integer ids).
Comment 5 Luke Wagner [:luke] 2012-01-09 10:25:23 PST
Created attachment 587034
tidy js_XDRStaticBlockObject in preparation for actual fix
Comment 6 Luke Wagner [:luke] 2012-01-09 10:51:12 PST
Created attachment 587048
fix

Simple fix.  Also, update testLet.js so that this would have been caught.
Comment 7 Jason Orendorff [:jorendorff] 2012-01-12 12:32:08 PST
Comment on attachment 587034
tidy js_XDRStaticBlockObject in preparation for actual fix

In vm/ScopeObject.cpp:
>+        const Shape *shape = NULL;
>         for (Shape::Range r(obj->lastProperty()); !r.empty(); r.popFront()) {
>             shape = &r.front();
>             shapes[shape->shortid()] = shape;
>         }
> 
>         /*
>          * XDR the block object's properties. We know that there are 'count'
>          * properties to XDR, stored as id/shortid pairs.
>          */
>         for (uintN i = 0; i < count; i++) {
>             shape = shapes[i];
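
Review bot: `shapes[shape->shortid()] = shape;` in the first loop stores at an index taken from the shape with no visible check that it is below `count`, and the second loop then uses `shapes[i]` for every `i < count` as though each slot had been filled. The declaration of `shapes` is outside the quoted lines, so its size cannot be confirmed here; asserting `shape->shortid() < count` before the store, and that `shapes[i]` is non-null before use, would state the invariant the two loops depend on.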

Nit: maybe declare 'shape' on initialization inside each of the two loops.
Comment 8 Jason Orendorff [:jorendorff] 2012-01-12 12:53:24 PST
Comment on attachment 587048
fix

Don't forget to bump JSXDR_BYTECODE_VERSION!

You could send the empty string as code for NULL, I think.
Comment 9 Luke Wagner [:luke] 2012-01-12 13:28:24 PST
Nice
Comment 11 Luke Wagner [:luke] 2012-01-12 18:21:12 PST
*** Bug 717447 has been marked as a duplicate of this bug. ***
Comment 12 Scoobidiver (away) 2012-01-12 23:58:56 PST
*** Bug 717703 has been marked as a duplicate of this bug. ***
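
The mismatch described in Comment 4 and the version-bump reminder in Comment 8, shown as an added example that is not the patch from this bug and not SpiderMonkey code: a small serializer in which every property id carries an explicit kind tag, and a decoder that rejects data written under a different format version. `PropId`, `FORMAT_VERSION`, the tag values and the byte layout are assumptions made for the illustration.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical stand-ins for illustration; these are not SpiderMonkey types.
struct PropId { bool isInt; int32_t num; std::string atom; };
typedef std::vector<uint8_t> Bytes;
const uint32_t FORMAT_VERSION = 2;   // assumed: bumped when the integer-id tag was added
enum { TAG_ATOM = 0, TAG_INT = 1 };

static void put32(Bytes& b, uint32_t v) {
    for (int s = 0; s < 32; s += 8) b.push_back(uint8_t(v >> s));
}
static bool get32(const Bytes& b, size_t& p, uint32_t& v) {
    if (b.size() - p < 4) return false;          // callers keep p <= b.size()
    v = 0;
    for (int s = 0; s < 32; s += 8) v |= uint32_t(b[p++]) << s;
    return true;
}

// Encoder: each id kind has its own tag, so nothing is assumed to be an atom.
Bytes encodeBlock(const std::vector<PropId>& ids) {
    Bytes out;
    put32(out, FORMAT_VERSION);
    put32(out, uint32_t(ids.size()));
    for (size_t i = 0; i < ids.size(); i++) {
        out.push_back(ids[i].isInt ? TAG_INT : TAG_ATOM);
        if (ids[i].isInt) { put32(out, uint32_t(ids[i].num)); continue; }
        put32(out, uint32_t(ids[i].atom.size()));
        out.insert(out.end(), ids[i].atom.begin(), ids[i].atom.end());
    }
    return out;
}

// Decoder: rejects other versions, unknown tags, truncated or trailing data.
bool decodeBlock(const Bytes& in, std::vector<PropId>& ids) {
    size_t p = 0;
    uint32_t ver, count, v;
    if (!get32(in, p, ver) || ver != FORMAT_VERSION) return false;
    if (!get32(in, p, count)) return false;
    ids.clear();
    for (uint32_t i = 0; i < count; i++) {
        if (p >= in.size()) return false;
        uint8_t tag = in[p++];
        if (!get32(in, p, v)) return false;      // int value, or atom length
        PropId id = { tag == TAG_INT, 0, std::string() };
        if (tag == TAG_INT) id.num = int32_t(v);
        else if (tag == TAG_ATOM && in.size() - p >= v) {
            id.atom.assign(in.begin() + p, in.begin() + p + v);
            p += v;
        } else return false;
        ids.push_back(id);
    }
    return p == in.size();
}
```

A cache written by an older encoder fails the version check and is discarded, rather than being parsed under the new layout.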