Bug 715907 - crash in jsd_NewValue @ JSCompartment::wrap with Firebug
Status: RESOLVED FIXED
Product: Core
Classification: Components
Component: JavaScript Engine
Version: 9 Branch
Platform: x86 Linux
Importance: -- critical with 2 votes
Target Milestone: mozilla12
Assigned To: general
Duplicates: 717550
Depends on: 712289
Reported: 2012-01-06 08:04 PST by Reuben Morais [:reuben]
Modified: 2012-04-03 12:36 PDT (History)
Description Reuben Morais [:reuben] 2012-01-06 08:04:34 PST
This bug was filed from the Socorro interface and is report bp-f3d791f8-6814-4e22-b2ee-0a8282120106.
=============================================================

A friend of mine reported constant crashes with Firebug 1.8.4 or 1.9b5 on Linux.
He said introducing an error in the page can trigger the crash, but it's not 100% reliable.

Frame  Module        Signature  Source
0      libxul.so     JSCompartment::wrap  jscompartment.cpp:210
1      libxul.so     JS_WrapValue  jsapi.cpp:1309
2      libxul.so     jsd_NewValue  jsd_val.c:331
3      libxul.so     _newProperty  jsd_val.c:412
4      libxul.so     _buildProps  jsd_val.c:476
5      libxul.so     jsd_IterateProperties  jsd_val.c:557
6      libxul.so     jsd_GetValueProperty  jsd_val.c:592
7      libxul.so     jsdValue::GetProperty  jsd_xpc.cpp:2425
8      libxul.so     libxul.so@0xd546b3
9      libxul.so     XPCWrappedNative::CallMethod  xpcwrappednative.cpp:3147
10     libxul.so     XPC_WN_CallMethod  xpcwrappednativejsops.cpp:1629
11     libxul.so     js::mjit::stubs::UncachedCallHelper  jscntxtinlines.h:296
12     libxul.so     js::mjit::stubs::UncachedCall  InvokeHelpers.cpp:434
13                   @0xabbe66a5
14     libxul.so     libxul.so@0x146a0c7
15     libxul.so     js::mjit::EnterMethodJIT  MethodJIT.cpp:884
16     libxul.so     js::mjit::JaegerShot  MethodJIT.cpp:945
17     libxul.so     js::RunScript  jsinterp.cpp:611
18     libxul.so     js::InvokeKernel  jsinterp.cpp:678
19     libxul.so     js_fun_apply  jsinterp.h:167
20     libxul.so     js::mjit::stubs::UncachedCallHelper  jscntxtinlines.h:296
21     libxul.so     js::mjit::stubs::UncachedCall  InvokeHelpers.cpp:434
22                   @0xac734605
23     libxul.so     libxul.so@0x146a0c7
24     libxul.so     js::mjit::EnterMethodJIT  MethodJIT.cpp:884
25     libxul.so     js::mjit::JaegerShot  MethodJIT.cpp:945
26     libxul.so     js::RunScript  jsinterp.cpp:611
27     libxul.so     js::InvokeKernel  jsinterp.cpp:678
28     libxul.so     js::Invoke  jsinterp.h:167
29     libxul.so     JS_CallFunctionValue  jsapi.cpp:5039
30     libxul.so     nsXPCWrappedJSClass::CallMethod  xpcwrappedjsclass.cpp:1660
31     libxul.so     nsXPCWrappedJS::CallMethod  xpcwrappedjs.cpp:585
32     libxul.so     PrepareAndDispatch  xptcstubs_gcc_x86_unix.cpp:92
33     libxul.so     jsds_ExecutionHookProc  jsd_xpc.cpp:694
34     libxul.so     jsd_CallExecutionHook  jsd_hook.c:177
35     libxul.so     jsd_DebugErrorHook  jsd_high.c:401
36     libxul.so     ReportError  jscntxt.cpp:664
37     libxul.so     js_ReportErrorNumberVA  jscntxt.cpp:1007
38     libxul.so     JS_ReportErrorFlagsAndNumber  jsapi.cpp:5759
39     libxul.so     js_ReportValueErrorFlags  jscntxt.cpp:1137
40     libxul.so     js_ReportIsNotFunction  jsfun.cpp:2665
41     libxul.so     js::InvokeKernel  jsinterp.cpp:650
42     libxul.so     js::Interpret  jsinterp.cpp:4036
43     libxul.so     js::InvokeKernel  jsinterp.cpp:678
44     libxul.so     js::Invoke  jsinterp.h:167
45     libxul.so     JS_CallFunctionValue  jsapi.cpp:5039
46     libxul.so     nsXPCWrappedJSClass::CallMethod  xpcwrappedjsclass.cpp:1660
47     libxul.so     nsXPCWrappedJS::CallMethod  xpcwrappedjs.cpp:585
48     libxul.so     PrepareAndDispatch  xptcstubs_gcc_x86_unix.cpp:92
49     libxul.so     nsDOMEventListenerWrapper::HandleEvent  nsDOMEventTargetHelper.cpp:65
50     libxul.so     nsEventListenerManager::HandleEventSubType  nsEventListenerManager.cpp:722
51     libxul.so     nsEventListenerManager::HandleEventInternal  nsEventListenerManager.cpp:776
52     libxul.so     nsEventTargetChainItem::HandleEvent  nsEventDispatcher.cpp:215
53     libxul.so     nsEventTargetChainItem::HandleEventTargetChain  nsEventDispatcher.cpp:344
54     libxul.so     nsEventDispatcher::Dispatch  nsEventDispatcher.cpp:672
55     libxul.so     nsEventDispatcher::DispatchDOMEvent  nsEventDispatcher.cpp:735
56     libxul.so     nsXMLHttpRequest::ChangeState  nsXMLHttpRequest.cpp:2852
57     libxul.so     nsXMLHttpRequest::OnStopRequest  nsXMLHttpRequest.cpp:2055
58     libxul.so     nsCORSListenerProxy::OnStopRequest  nsCrossSiteListenerProxy.cpp:622
59     libxul.so     mozilla::net::nsStreamListenerWrapper::OnStopRequest  HttpBaseChannel.cpp:1391
60     libxul.so     nsStreamListenerTee::OnStopRequest  nsStreamListenerTee.cpp:71
61     libxul.so     nsHttpChannel::OnStopRequest  nsHttpChannel.cpp:4253
62     libxul.so     nsInputStreamPump::OnStateStop  nsInputStreamPump.cpp:578
63     libxul.so     nsInputStreamPump::OnInputStreamReady  nsInputStreamPump.cpp:403
64     libxul.so     nsInputStreamReadyEvent::Run  nsStreamUtils.cpp:114
65     libxul.so     nsThread::ProcessNextEvent  nsThread.cpp:631
66     libxul.so     NS_ProcessNextEvent_P  nsThreadUtils.cpp:245
67     libxul.so     mozilla::ipc::MessagePump::Run  MessagePump.cpp:110
68     libxul.so     MessageLoop::RunInternal  message_loop.cc:208
69     libxul.so     MessageLoop::Run  message_loop.cc:201
70     libxul.so     nsBaseAppShell::Run  nsBaseAppShell.cpp:189
71     libxul.so     nsAppStartup::Run  nsAppStartup.cpp:228
72     libxul.so     XRE_main  nsAppRunner.cpp:3557
73     firefox       main  nsBrowserApp.cpp:198
74     libc-2.13.so  libc-2.13.so@0x16e36
75     firefox       firefox@0x1550
76     firefox       nsGetterAddRefs<nsILocalFile>::operator nsILocalFile**  nsCOMPtr.h:874
77                   @0x0
78     ld-2.13.so    ld-2.13.so@0xea4f
79     ld-2.13.so    ld-2.13.so@0x1d917
Comment 1 Scoobidiver (away) 2012-01-08 05:46:20 PST
*** Bug 716268 has been marked as a duplicate of this bug. ***
Comment 2 JP Rosevear [:jpr] 2012-01-12 04:24:50 PST
It looks like I can pretty reliably get this crash in Zimbra on the Jan 11 nightly.
Comment 3 Scoobidiver (away) 2012-01-13 00:51:27 PST
*** Bug 717550 has been marked as a duplicate of this bug. ***
Comment 4 Wesley W. Garland 2012-01-16 07:57:08 PST
This looks pretty much like my stack, https://crash-stats.mozilla.com/report/index/bp-81c3defb-f358-4ebf-b794-278f82120116

It's crashing in code introduced here, where the jsd wrapping code tries to flatten the string:
http://hg.mozilla.org/releases/mozilla-release/diff/87dc60c12d24/js/jsd/jsd_val.c

The new code looks okay to me; I wonder if that jsval has been "bad" for a long time, and just never de-referenced until now?
Comment 5 Wesley W. Garland 2012-01-16 07:59:46 PST
Oh, I should mention, I'm on release Firefox 9 and release Firebug. No beta stuff. I have triggered this at least twice in the last 30 hours of work.  I use both the dev console and firebug extensively.  Firebug mostly for examining CSS.
Comment 6 Wesley W. Garland 2012-01-16 10:50:03 PST
...and I just crashed again.  This is going to bite any working web developer regularly, and is bad enough that we're going to need to ship Firefox 9.0.1 IMO.

Wes
Comment 7 Scoobidiver (away) 2012-01-16 10:57:20 PST
It's fixed by bug 712289 that will land in 12.0a1/20120117 and maybe Aurora and Beta.
Comment 8 Wesley W. Garland 2012-01-16 11:07:56 PST
Ouch. So web developers on release browsers will have to tolerate regular crashes for 18 weeks?
Comment 9 Reuben Morais [:reuben] 2012-01-16 11:16:25 PST
(In reply to Wesley W. Garland from comment #8)
> Ouch. So web developers on release browsers will have to tolerate regular
> crashes for 18 weeks?

Approval for landing on Beta and Aurora has been requested, so possibly less than that.
Comment 10 Boris Zbarsky [:bz] (TPAC) 2012-01-16 11:52:21 PST
Firefox 10 ships in two weeks (well, 15 days).  I'm aiming to land the fix for bug 712289 in Firefox 10.
Comment 11 Reuben Morais [:reuben] 2012-04-03 11:43:00 PDT
Fixed by bug 712289.
