crash in jsd_NewValue @ JSCompartment::wrap with Firebug

RESOLVED FIXED in Firefox 11

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: reuben, Unassigned)

Tracking

({crash})

9 Branch
mozilla12
x86
Linux
crash
Points:
---

Firefox Tracking Flags

(firefox11 fixed)

Details

(crash signature)

(Reporter)

Description

5 years ago
This bug was filed from the Socorro interface and is 
report bp-f3d791f8-6814-4e22-b2ee-0a8282120106 .
============================================================= 

A friend of mine reported constant crashes with Firebug 1.8.4 or 1.9b5 on Linux.
He said introducing an error in the page can trigger the crash, but it's not 100% reliable.

Frame 	Module 	Signature 	Source
0 	libxul.so 	JSCompartment::wrap 	jscompartment.cpp:210
1 	libxul.so 	JS_WrapValue 	jsapi.cpp:1309
2 	libxul.so 	jsd_NewValue 	jsd_val.c:331
3 	libxul.so 	_newProperty 	jsd_val.c:412
4 	libxul.so 	_buildProps 	jsd_val.c:476
5 	libxul.so 	jsd_IterateProperties 	jsd_val.c:557
6 	libxul.so 	jsd_GetValueProperty 	jsd_val.c:592
7 	libxul.so 	jsdValue::GetProperty 	jsd_xpc.cpp:2425
8 	libxul.so 	libxul.so@0xd546b3 	
9 	libxul.so 	XPCWrappedNative::CallMethod 	xpcwrappednative.cpp:3147
10 	libxul.so 	XPC_WN_CallMethod 	xpcwrappednativejsops.cpp:1629
11 	libxul.so 	js::mjit::stubs::UncachedCallHelper 	jscntxtinlines.h:296
12 	libxul.so 	js::mjit::stubs::UncachedCall 	InvokeHelpers.cpp:434
13 		@0xabbe66a5 	
14 	libxul.so 	libxul.so@0x146a0c7 	
15 	libxul.so 	js::mjit::EnterMethodJIT 	MethodJIT.cpp:884
16 	libxul.so 	js::mjit::JaegerShot 	MethodJIT.cpp:945
17 	libxul.so 	js::RunScript 	jsinterp.cpp:611
18 	libxul.so 	js::InvokeKernel 	jsinterp.cpp:678
19 	libxul.so 	js_fun_apply 	jsinterp.h:167
20 	libxul.so 	js::mjit::stubs::UncachedCallHelper 	jscntxtinlines.h:296
21 	libxul.so 	js::mjit::stubs::UncachedCall 	InvokeHelpers.cpp:434
22 		@0xac734605 	
23 	libxul.so 	libxul.so@0x146a0c7 	
24 	libxul.so 	js::mjit::EnterMethodJIT 	MethodJIT.cpp:884
25 	libxul.so 	js::mjit::JaegerShot 	MethodJIT.cpp:945
26 	libxul.so 	js::RunScript 	jsinterp.cpp:611
27 	libxul.so 	js::InvokeKernel 	jsinterp.cpp:678
28 	libxul.so 	js::Invoke 	jsinterp.h:167
29 	libxul.so 	JS_CallFunctionValue 	jsapi.cpp:5039
30 	libxul.so 	nsXPCWrappedJSClass::CallMethod 	xpcwrappedjsclass.cpp:1660
31 	libxul.so 	nsXPCWrappedJS::CallMethod 	xpcwrappedjs.cpp:585
32 	libxul.so 	PrepareAndDispatch 	xptcstubs_gcc_x86_unix.cpp:92
33 	libxul.so 	jsds_ExecutionHookProc 	jsd_xpc.cpp:694
34 	libxul.so 	jsd_CallExecutionHook 	jsd_hook.c:177
35 	libxul.so 	jsd_DebugErrorHook 	jsd_high.c:401
36 	libxul.so 	ReportError 	jscntxt.cpp:664
37 	libxul.so 	js_ReportErrorNumberVA 	jscntxt.cpp:1007
38 	libxul.so 	JS_ReportErrorFlagsAndNumber 	jsapi.cpp:5759
39 	libxul.so 	js_ReportValueErrorFlags 	jscntxt.cpp:1137
40 	libxul.so 	js_ReportIsNotFunction 	jsfun.cpp:2665
41 	libxul.so 	js::InvokeKernel 	jsinterp.cpp:650
42 	libxul.so 	js::Interpret 	jsinterp.cpp:4036
43 	libxul.so 	js::InvokeKernel 	jsinterp.cpp:678
44 	libxul.so 	js::Invoke 	jsinterp.h:167
45 	libxul.so 	JS_CallFunctionValue 	jsapi.cpp:5039
46 	libxul.so 	nsXPCWrappedJSClass::CallMethod 	xpcwrappedjsclass.cpp:1660
47 	libxul.so 	nsXPCWrappedJS::CallMethod 	xpcwrappedjs.cpp:585
48 	libxul.so 	PrepareAndDispatch 	xptcstubs_gcc_x86_unix.cpp:92
49 	libxul.so 	nsDOMEventListenerWrapper::HandleEvent 	nsDOMEventTargetHelper.cpp:65
50 	libxul.so 	nsEventListenerManager::HandleEventSubType 	nsEventListenerManager.cpp:722
51 	libxul.so 	nsEventListenerManager::HandleEventInternal 	nsEventListenerManager.cpp:776
52 	libxul.so 	nsEventTargetChainItem::HandleEvent 	nsEventDispatcher.cpp:215
53 	libxul.so 	nsEventTargetChainItem::HandleEventTargetChain 	nsEventDispatcher.cpp:344
54 	libxul.so 	nsEventDispatcher::Dispatch 	nsEventDispatcher.cpp:672
55 	libxul.so 	nsEventDispatcher::DispatchDOMEvent 	nsEventDispatcher.cpp:735
56 	libxul.so 	nsXMLHttpRequest::ChangeState 	nsXMLHttpRequest.cpp:2852
57 	libxul.so 	nsXMLHttpRequest::OnStopRequest 	nsXMLHttpRequest.cpp:2055
58 	libxul.so 	nsCORSListenerProxy::OnStopRequest 	nsCrossSiteListenerProxy.cpp:622
59 	libxul.so 	mozilla::net::nsStreamListenerWrapper::OnStopRequest 	HttpBaseChannel.cpp:1391
60 	libxul.so 	nsStreamListenerTee::OnStopRequest 	nsStreamListenerTee.cpp:71
61 	libxul.so 	nsHttpChannel::OnStopRequest 	nsHttpChannel.cpp:4253
62 	libxul.so 	nsInputStreamPump::OnStateStop 	nsInputStreamPump.cpp:578
63 	libxul.so 	nsInputStreamPump::OnInputStreamReady 	nsInputStreamPump.cpp:403
64 	libxul.so 	nsInputStreamReadyEvent::Run 	nsStreamUtils.cpp:114
65 	libxul.so 	nsThread::ProcessNextEvent 	nsThread.cpp:631
66 	libxul.so 	NS_ProcessNextEvent_P 	nsThreadUtils.cpp:245
67 	libxul.so 	mozilla::ipc::MessagePump::Run 	MessagePump.cpp:110
68 	libxul.so 	MessageLoop::RunInternal 	message_loop.cc:208
69 	libxul.so 	MessageLoop::Run 	message_loop.cc:201
70 	libxul.so 	nsBaseAppShell::Run 	nsBaseAppShell.cpp:189
71 	libxul.so 	nsAppStartup::Run 	nsAppStartup.cpp:228
72 	libxul.so 	XRE_main 	nsAppRunner.cpp:3557
73 	firefox 	main 	nsBrowserApp.cpp:198
74 	libc-2.13.so 	libc-2.13.so@0x16e36 	
75 	firefox 	firefox@0x1550 	
76 	firefox 	nsGetterAddRefs<nsILocalFile>::operator nsILocalFile** 	nsCOMPtr.h:874
77 		@0x0 	
78 	ld-2.13.so 	ld-2.13.so@0xea4f 	
79 	ld-2.13.so 	ld-2.13.so@0x1d917

Updated

5 years ago
Summary: crash @ JSCompartment::wrap → crash in JS_WrapValue @ JSCompartment::wrap

Updated

5 years ago
Duplicate of this bug: 716268

Comment 2

5 years ago
It looks like I can pretty reliably get this crash in Zimbra on the Jan 11 nightly.

Updated

5 years ago
Crash Signature: [@ JSCompartment::wrap] → [@ JSCompartment::wrap] [@ JSRope::flatten]
Summary: crash in JS_WrapValue @ JSCompartment::wrap → crash in JS_WrapValue @ JSCompartment::wrap with Firebug

Updated

5 years ago
Duplicate of this bug: 717550

Updated

5 years ago
Summary: crash in JS_WrapValue @ JSCompartment::wrap with Firebug → crash in jsd_NewValue @ JSCompartment::wrap with Firebug

Updated

5 years ago
Depends on: 712289

Comment 4

5 years ago
This looks pretty much like my stack, https://crash-stats.mozilla.com/report/index/bp-81c3defb-f358-4ebf-b794-278f82120116

It's crashing in code introduced here, where the jsd wrapping code tries to flatten the string:
http://hg.mozilla.org/releases/mozilla-release/diff/87dc60c12d24/js/jsd/jsd_val.c

The new code looks okay to me; I wonder if that jsval has been "bad" for a long time, and just never de-referenced until now?

Comment 5

5 years ago
Oh, I should mention, I'm on release Firefox 9 and release Firebug. No beta stuff. I have triggered this at least twice in the last 30 hours of work.  I use both the dev console and firebug extensively.  Firebug mostly for examining CSS.

Comment 6

5 years ago
...and I just crashed again.  This is going to bite any working web developer regularly, and is bad enough that we're going to need ship Firefox 9.0.1 IMO.

Wes

Comment 7

5 years ago
It's fixed by bug 712289 that will land in 12.0a1/20120117 and maybe Aurora and Beta.

Comment 8

5 years ago
Ouch. So web developers on release browsers will have to tolerate regular crashes for 18 weeks?
(Reporter)

Comment 9

5 years ago
(In reply to Wesley W. Garland from comment #8)
> Ouch. So web developers on release browsers will have to tolerate regular
> crashes for 18 weeks?

Approval for landing on Beta and Aurora has been requested, so possibly less than that.
Firefox 10 ships in two weeks (well, 15 days).  I'm aiming to land the fix for bug 712289 in Firefox 10.
(Reporter)

Comment 11

5 years ago
Fixed by bug 712289.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED

Updated

5 years ago
status-firefox11: --- → fixed
Target Milestone: --- → mozilla12
You need to log in before you can comment on or make changes to this bug.