Closed Bug 723445 Opened 13 years ago Closed 13 years ago

Crash in js::StackIter::settleOnNewState @ CrashIfInvalidSlot

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
critical

RESOLVED FIXED
mozilla14

People

(Reporter: scoobidiver, Assigned: luke)

Details

(Keywords: crash)

Attachments

(1 file)

It's #34 top crasher in the first days of 10.0.

Signature: CrashIfInvalidSlot
UUID: d3d85865-dd7a-4a22-a337-efbb72120202
Date Processed: 2012-02-02 00:34:41
Uptime: 1663
Last Crash: 1.7 hours before submission
Install Age: 27.7 minutes since version was first installed.
Install Time: 2012-02-01 23:49:25
Product: Firefox
Version: 13.0a1
Build ID: 20120201031146
Release Channel: nightly
OS: Mac OS X
OS Version: 10.7.2 11C74
Build Architecture: amd64
Build Architecture Info: family 6 model 23 stepping 10
Crash Reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash Address: 0xbad
App Notes: AdapterVendorID: 0x10de, AdapterDeviceID: 0x 8a3
GL Context? GL Context+ GL Layers? GL Layers+
EMCheckCompatibility: True

Frame Module Signature Source
0 XUL CrashIfInvalidSlot js/src/vm/Stack.cpp:934
1 XUL js::StackIter::settleOnNewState js/src/vm/Stack.cpp:1022
2 XUL js::StackIter::operator++ js/src/vm/Stack.cpp:1084
3 XUL InitExnPrivate js/src/vm/Stack.h:1851
4 XUL js_ErrorToException js/src/jsexn.cpp:1171
5 XUL ReportError js/src/jscntxt.cpp:363
6 XUL js_ReportErrorNumberVA js/src/jscntxt.cpp:719
7 XUL JS_ReportErrorFlagsAndNumber js/src/jsapi.cpp:6227
8 XUL js_ReportIsNullOrUndefined js/src/jscntxt.cpp:805
9 XUL js::mjit::stubs::GetProp js/src/jsobjinlines.h:658
10 @0x110e7a89c
11 XUL js::mjit::EnterMethodJIT js/src/methodjit/MethodJIT.cpp:1052
12 XUL js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:1111
13 XUL js::RunScript js/src/jsinterp.cpp:471
14 XUL js::InvokeKernel js/src/jsinterp.cpp:537
15 XUL js_fun_apply js/src/jsinterp.h:157
16 XUL js::mjit::stubs::UncachedCallHelper js/src/jscntxtinlines.h:311
17 XUL js::mjit::stubs::UncachedCall js/src/methodjit/InvokeHelpers.cpp:429
....

There's a strong correlation with Firebug:
CrashIfInvalidSlot|EXCEPTION_ACCESS_VIOLATION_WRITE (39 crashes)
87% (34/39) vs. 3% (368/13378) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843)

Here are some useful comments:
"Problem arrived when in firebug looking at added prototype function: String.prototype.namespace = function (separator) { this.split(separator || '.').inject(window, function (parent, child) { return parent[child] = parent[child] || { }; }); };"
"simple jquery post call to server: $.post('http://192.168.23.2/timekeeper/save.php', timesJSON, function(resp) { $('#status').html(resp); }); "
"Debugging the following code with firebug: if ($(id).val().toLower() === 'true') { return $.validator.methods.required.call(this, value, element); }"
"I was debugging JavaScript with Firebug 1.8.4. Using jQuery. Single stepping over this line crashed the browser: $("#" + this._leftValueFieldID).on("click", function (event) { alert("test"); });"

More reports at: https://crash-stats.mozilla.com/report/list?signature=CrashIfInvalidSlot
The comments mention stepping through code. There are a lot of Google+ URLs in the crashes. CC'ing Honza to see if he has heard anything. STR here would probably let us knock out the problem quickly.
I can run a URL report and ferret out some of the URLs - it might help us get closer to a site where we can repro.
Keywords: needURLs
I opened maybe 30 today, but many are session-specific so I can't view them. A list of popular non-private URLs would be great.
I also have this crash when firebug is enabled.
https://crash-stats.mozilla.com/report/index/bp-08e980e6-d010-424d-ae7c-8c8b62120202

PluralForm.jsm: Index #2 of 'Firebug's log limit has been reached. 0 entry not shown.;Firebug's log limit has been reached. 0 entries not shown.' for value 0 is invalid -- plural rule #9; called by
*** nss-shared-helper: Shared database disabled (set NSS_USE_SHARED_DB to enable).
PluralForm.jsm: Index #2 of '0 Total Firebug;0 Total Firebugs' for value 0 is invalid -- plural rule #9; called by
PluralForm.jsm: Index #2 of '0 Total Firebug;0 Total Firebugs' for value 0 is invalid -- plural rule #9; called by
PluralForm.jsm: Index #2 of '0 Total Firebug;0 Total Firebugs' for value 0 is invalid -- plural rule #9; called by
PluralForm.jsm: Index #2 of '0 Total Firebug;0 Total Firebugs' for value 0 is invalid -- plural rule #9; called by
PluralForm.jsm: Index #2 of '0 Total Firebug;0 Total Firebugs' for value 0 is invalid -- plural rule #9; called by
PluralForm.jsm: Index #2 of '0 Total Firebug;0 Total Firebugs' for value 0 is invalid -- plural rule #9; called by
PluralForm.jsm: Index #2 of '0 Total Firebug;0 Total Firebugs' for value 0 is invalid -- plural rule #9; called by
PluralForm.jsm: Index #2 of '0 Total Firebug;0 Total Firebugs' for value 0 is invalid -- plural rule #9; called by
Assertion failure: rt->onOwnerThread(), at /home/abuild/rpmbuild/BUILD/mozilla/js/src/jsapi.cpp:6316

After install FF10 worked for a few hours, then I deleted message from Thunderbird(?) and both crashed. Firefox was opened with one blank tab. I couldn't start FF anymore with Firebug enabled. So to test behaviour, I created new profile and got the same. Couple hours, blank tab, no other tabs opened, FF crashed, can't start.
(In reply to Marek from comment #4)
> I also have this crash when firebug is enabled.
Related Firebug issue report http://code.google.com/p/fbug/issues/detail?id=5202
Honza
Some new reports that could be related to this crash available here: http://code.google.com/p/fbug/issues/detail?id=5202#c9
Honza
Possible related thread: https://groups.google.com/d/topic/firebug/CbPVBH31FM4/discussion
Any progress on this issue? I am getting a lot of complaints.
Honza
Since this code is a funnel for misbehavior in many parts of the code, it is difficult to find the problem without STR.
Could this be related: Bug 725619? (there are also some STR)
Honza
I don't think this is only related to firebug. Clicking on Firebug's DOM tab is a sure crasher. Even with firebug disabled, for e.g. other addons such as Awesome Screenshot from Diigo. Take a screenshot -> click Done -> Close Tab and the browser crashes. Simply close the browser and it crashes.
http://crash-stats.mozilla.com/report/index/bp-6ff8f906-cb26-4864-82ed-31db72120213
http://crash-stats.mozilla.com/report/index/bp-5a9ac084-5c83-42e9-9295-923132120213
The two linked crashes don't seem to be in settleOnNewState. A new bug seems appropriate.
See also bug 732496 which might be related and has a shell test.
(In reply to Christian Holler (:decoder) from comment #13) Unfortunately the call stacks in the crash reports don't look like it.
$ gunzip --stdout /data/security_group/crash_urls/20120307-crashdata.csv.gz | awk -W compat -F\t '$1 ~ /CrashIfInvalidSlot/ {print $2}' | sort | uniq -c | sort -nr
Pretty clear that most of those things are internal stuff and not too useful for trying to reproduce or so. I replaced parts of the URL with "..." where it felt like there would potentially be session IDs or other possibly privacy-related things.
Keywords: needURLs
There's a spike in crashes from March 20 in 14.0a1.
Depends on: 738279
I do not have Firebug installed, but I hit this crash almost every day on my older MacBook Pro (running OSX 10.6) but not on my newer MacBook Pro (running OSX 10.7). I first started seeing this crash on March 28, a few days after upgrading to 14.0a1.
If you can find any STR, that would be greatly appreciated.
I have found STR that can reliably crash Firefox 14.0a1 on my MacBook Pro (running Mac OS X 10.6):

STR:
1. Disable all Add-ons
2. Install EFF's `HTTPS Everywhere` Add-on version 2.0.1
3. Load Google Reader using this URL: https://www.google.com/reader/view/#stream/

The crash goes away if I do any of the following:
* "Disable All" sites in HTTPS Everywhere's preferences
* Disable or uninstall the HTTPS Everywhere Add-on itself
* Load Google Reader using https://www.google.com/reader/view/ (without "#stream") instead of https://www.google.com/reader/view/#stream/
Thanks for narrowing that down! Unfortunately I wasn't able to reproduce (I tried OS X 10.6 on a nightly and Linux debug custom build). I used a new profile (with the HTTPS addon installed); can you reproduce with a new profile? Also, it may just be my reader stream. If it isn't too much trouble, perhaps you could create a new google reader account (whose name/pass you wouldn't mind sending me) and get it crashing?
I think I have found STR that can reproduce this crash with a new profile. I've tested two different MacBook Pros with new profiles and reproduced this crash 30 times this evening.

1. Create a new profile.
2. Install Ghostery addon. (This is the only addon I have installed, besides the bundled pdf.js addon. My hypothesis about the HTTPS Everywhere addon was a red herring.)
3. Load Google Reader.
4. Change Reader's view button from "# New Items" to "All Items" (so you'll still have headlines to view after step #5).
5. Click "Mark all as read" button a couple times. Nothing bad happens.
6. In a different tab, open about:config.
7. Set javascript.options.methodjit_always=true
8. Go back to Google Reader tab.
9. Click "Mark all as read" button twice. Firefox crashes here 100% for me.

The crash goes away if I set javascript.options.methodjit_always=false (its default value) or if I disable or uninstall the Ghostery addon.
That does reproduce; thanks a lot for your investigation! The game is afoot.
So the testcase hits the (!inline_) assert (before crashing at CrashIfInvalid in release builds). The inlined frame is in a compartment different than cx->compartment (there must be a cross-compartment call in the callstack) so I think the bug is simply that StackIter::StackIter() calls ExpandInlineFrames only for cx->compartment and needs to expand *all* compartments' inline frames. Again, awesome job finding a reproducible testcase!
Attached patch: fix stack iter
Simple fix iterates over all compartments. Following the STR and no more crash.
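A simplified model of the diagnosis and fix described in the comments above, added here as an illustration; it is not the attached patch and not SpiderMonkey code. The types and names (Frame, Runtime, expandInlineFrames, walkStack) and the sample stacks are hypothetical and constructed for this example.

```cpp
#include <cstdio>
#include <vector>

// Hypothetical model: a frame belongs to one compartment and may still be
// "inlined", i.e. it exists only inside its caller's JIT frame.
struct Frame {
    int compartment;
    bool inlined;
};

struct Runtime {
    int compartmentCount;
    std::vector<Frame> stack;  // oldest frame first; may mix compartments
};

// Materialize the inlined frames that belong to one compartment.
void expandInlineFrames(Runtime &rt, int compartment) {
    for (Frame &f : rt.stack)
        if (f.compartment == compartment) f.inlined = false;
}

enum class Expand { CurrentCompartmentOnly, AllCompartments };

// Walk newest to oldest. Returns the number of frames visited, or -1 when a
// still-inlined frame is met (the point where the real iterator asserts in
// debug builds and crashes in release builds). rt is taken by value so each
// call starts from the same unexpanded stack.
int walkStack(Runtime rt, int currentCompartment, Expand mode) {
    if (mode == Expand::CurrentCompartmentOnly) {
        expandInlineFrames(rt, currentCompartment);      // behaviour before the fix
    } else {
        for (int c = 0; c < rt.compartmentCount; ++c)    // behaviour after the fix
            expandInlineFrames(rt, c);
    }
    int visited = 0;
    for (auto it = rt.stack.rbegin(); it != rt.stack.rend(); ++it) {
        if (it->inlined) return -1;
        ++visited;
    }
    return visited;
}

// Constructed sample: page code (compartment 0) with an inlined frame calls
// across into add-on code (compartment 1), where the error is reported.
Runtime crossCompartmentStack() {
    return Runtime{2, {{0, false}, {0, true}, {1, false}, {1, true}}};
}

// Constructed sample: every frame is in compartment 0.
Runtime singleCompartmentStack() {
    return Runtime{1, {{0, false}, {0, true}, {0, true}}};
}

int main() {
    std::printf("single, current only: %d\n",
                walkStack(singleCompartmentStack(), 0, Expand::CurrentCompartmentOnly));
    std::printf("cross, current only:  %d\n",
                walkStack(crossCompartmentStack(), 1, Expand::CurrentCompartmentOnly));
    std::printf("cross, all:           %d\n",
                walkStack(crossCompartmentStack(), 1, Expand::AllCompartments));
    return 0;
}
```

In this model the single-compartment stack walks cleanly either way, which matches the thread's observation that the crash needed a cross-compartment call on the stack.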
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #612764 - Flags: review?(bhackett1024)
cc'ing Jesse for interesting fuzzer material.
Attachment #612764 - Flags: review?(bhackett1024) → review+
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
To be clear, the signature isn't fixed (it is a funnel for a lot of different bugs), but the particular bug reported in comment 21 and patched in comment 26 has been fixed.
Please file a new bug on the crash signature. Sorry for morphing your bug, but one-fix-per-bug is important.
Status: REOPENED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED