JS parser coredumps in js::frontend::ParseNode::append

Status: NEW, Unassigned
6 years ago
4 years ago

People: Reporter: jduell, Unassigned

Tracking: Firefox Tracking Flags: (Not tracked)

Details: Whiteboard: [js:p3]

Attachments: 1 attachment

Once again it's segmentation's fault!

As of today my nightly linux-x86_64 build is segfaulting at startup.   It only happens with a particular add-on (vimperator), and it appears to be while JS is parsing a file from the vimperator .xpi addon zip file.

I can file this as a bug with the addon, but figure that JS coredumping while parsing is not really the add-on's fault?  Correct me if I'm wrong.

Here's the stack trace at segfault time, from running with a debug build of m-c:

Program received signal SIGSEGV, Segmentation fault.
0x00007f328c1d18e4 in js::frontend::ParseNode::append (this=0x7f3279c9c020, pn=0x7f3279c9c218)
    at /home/jj/hg/in/t/js/src/frontend/ParseNode.h:865
865             JS_ASSERT(pn->pn_pos.begin >= pn_pos.begin);

> bt
#0  0x00007f328c1d18e4 in js::frontend::ParseNode::append (this=0x7f3279c9c020,
    pn=0x7f3279c9c218) at /home/jj/hg/in/t/js/src/frontend/ParseNode.h:865
#1  0x00007f328c21c627 in js::frontend::Parser::xmlElementOrList (this=0x7fff0b0bca80,
    allowList=false) at /home/jj/hg/in/t/js/src/frontend/Parser.cpp:6270
#2  0x00007f328c21c910 in js::frontend::Parser::xmlElementOrListRoot (this=0x7fff0b0bca80,
    allowList=false) at /home/jj/hg/in/t/js/src/frontend/Parser.cpp:6315
#3  0x00007f328c21ca74 in js::frontend::Parser::parseXMLText (this=0x7fff0b0bca80,
    chain=0x7f326a664200, allowList=false) at /home/jj/hg/in/t/js/src/frontend/Parser.cpp:6342
#4  0x00007f328c17526e in ParseXMLSource (cx=0x7f326c084f00, src=...)
    at /home/jj/hg/in/t/js/src/jsxml.cpp:1772
#5  0x00007f328c175af6 in ToXMLList (cx=0x7f326c084f00, v=...)
    at /home/jj/hg/in/t/js/src/jsxml.cpp:1954
#6  0x00007f328c18ac70 in js_ValueToXMLListObject (cx=0x7f326c084f00, v=...)
    at /home/jj/hg/in/t/js/src/jsxml.cpp:7976
#7  0x00007f328c0609f0 in js::Interpret (cx=0x7f326c084f00, entryFrame=0x7f3278fff258,
    interpMode=js::JSINTERP_NORMAL) at /home/jj/hg/in/t/js/src/jsinterp.cpp:3541
#8  0x00007f328c04a415 in js::RunScript (cx=0x7f326c084f00, script=0x7f326a5a38c8,
    fp=0x7f3278fff258) at /home/jj/hg/in/t/js/src/jsinterp.cpp:301
#9  0x00007f328c04b2a7 in js::ExecuteKernel (cx=0x7f326c084f00, script=..., scopeChain=...,
    thisv=..., type=js::EXECUTE_GLOBAL, evalInFrame=0x0, result=0x7fff0b0beca0)
    at /home/jj/hg/in/t/js/src/jsinterp.cpp:486
#10 0x00007f328c04b4ef in js::Execute (cx=0x7f326c084f00, script=..., scopeChainArg=...,
    rval=0x7fff0b0beca0) at /home/jj/hg/in/t/js/src/jsinterp.cpp:524
#11 0x00007f328bf7c963 in JS_ExecuteScript (cx=0x7f326c084f00, objArg=0x7f326a664200,
    scriptArg=0x7f326a5a38c8, rval=0x7fff0b0beca0) at /home/jj/hg/in/t/js/src/jsapi.cpp:5662
#12 0x00007f328bf7ca1c in JS_ExecuteScriptVersion (cx=0x7f326c084f00, objArg=0x7f326a664200,
    script=0x7f326a5a38c8, rval=0x7fff0b0beca0, version=JSVERSION_1_8)
    at /home/jj/hg/in/t/js/src/jsapi.cpp:5671
#13 0x00007f328ad52e92 in mozJSSubScriptLoader::LoadSubScript (this=0x7f3276a4c500, url=...,
    target=..., charset=..., cx=0x7f326c084f00, retval=0x7fff0b0beca0)
    at /home/jj/hg/in/t/js/xpconnect/loader/mozJSSubScriptLoader.cpp:298
#14 0x00007f328b5909f5 in NS_InvokeByIndex_P (that=0x7f3276a4c500, methodIndex=3,
    paramCount=5, params=0x7fff0b0bec40)
    at /home/jj/hg/in/t/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:164
#15 0x00007f328ac526e5 in CallMethodHelper::Invoke (this=0x7fff0b0bec00)
    at /home/jj/hg/in/t/js/xpconnect/src/XPCWrappedNative.cpp:3105
#16 0x00007f328ac505af in CallMethodHelper::Call (this=0x7fff0b0bec00)
    at /home/jj/hg/in/t/js/xpconnect/src/XPCWrappedNative.cpp:2439
#17 0x00007f328ac50451 in XPCWrappedNative::CallMethod (ccx=...,
    mode=XPCWrappedNative::CALL_METHOD)
    at /home/jj/hg/in/t/js/xpconnect/src/XPCWrappedNative.cpp:2405
#18 0x00007f328ac5d8d5 in XPC_WN_CallMethod (cx=0x7f326c084f00, argc=2, vp=0x7f3278fff228)
    at /home/jj/hg/in/t/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1470
#19 0x00007f328c042742 in js::CallJSNative (cx=0x7f326c084f00,
    native=0x7f328ac5d67a <XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/jj/hg/in/t/js/src/jscntxtinlines.h:372
#20 0x00007f328c04a8b2 in js::InvokeKernel (cx=0x7f326c084f00, args=...,
    construct=js::NO_CONSTRUCT) at /home/jj/hg/in/t/js/src/jsinterp.cpp:344
#21 0x00007f328c057e21 in js::Interpret (cx=0x7f326c084f00, entryFrame=0x7f3278fff1a0,
    interpMode=js::JSINTERP_NORMAL) at /home/jj/hg/in/t/js/src/jsinterp.cpp:2405
#22 0x00007f328c04a415 in js::RunScript (cx=0x7f326c084f00, script=0x7f326a7b8e08,
    fp=0x7f3278fff1a0) at /home/jj/hg/in/t/js/src/jsinterp.cpp:301
#23 0x00007f328c04a978 in js::InvokeKernel (cx=0x7f326c084f00, args=...,
    construct=js::NO_CONSTRUCT) at /home/jj/hg/in/t/js/src/jsinterp.cpp:355
#24 0x00007f328bf8e32a in js::Invoke (cx=0x7f326c084f00, args=..., construct=js::NO_CONSTRUCT)
    at /home/jj/hg/in/t/js/src/jsinterp.h:119
#25 0x00007f328bfa3571 in array_readonlyCommon<ArrayForEachBehavior> (cx=0x7f326c084f00,
    args=...) at /home/jj/hg/in/t/js/src/jsarray.cpp:3108
#26 0x00007f328bf9e74f in array_forEach (cx=0x7f326c084f00, argc=1, vp=0x7f3278fff148)
    at /home/jj/hg/in/t/js/src/jsarray.cpp:3145
#27 0x00007f328c042742 in js::CallJSNative (cx=0x7f326c084f00,
    native=0x7f328bf9e714 <array_forEach(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/jj/hg/in/t/js/src/jscntxtinlines.h:372
#28 0x00007f328c04a8b2 in js::InvokeKernel (cx=0x7f326c084f00, args=...,
    construct=js::NO_CONSTRUCT) at /home/jj/hg/in/t/js/src/jsinterp.cpp:344
#29 0x00007f328c057e21 in js::Interpret (cx=0x7f326c084f00, entryFrame=0x7f3278fff030,
    interpMode=js::JSINTERP_NORMAL) at /home/jj/hg/in/t/js/src/jsinterp.cpp:2405
#30 0x00007f328c04a415 in js::RunScript (cx=0x7f326c084f00, script=0x7f326a7b8f58,
    fp=0x7f3278fff030) at /home/jj/hg/in/t/js/src/jsinterp.cpp:301
#31 0x00007f328c04b2a7 in js::ExecuteKernel (cx=0x7f326c084f00, script=..., scopeChain=...,
    thisv=..., type=js::EXECUTE_GLOBAL, evalInFrame=0x0, result=0x7fff0b0c1d60)
    at /home/jj/hg/in/t/js/src/jsinterp.cpp:486
#32 0x00007f328c04b4ef in js::Execute (cx=0x7f326c084f00, script=..., scopeChainArg=...,
    rval=0x7fff0b0c1d60) at /home/jj/hg/in/t/js/src/jsinterp.cpp:524
#33 0x00007f328bf7c963 in JS_ExecuteScript (cx=0x7f326c084f00, objArg=0x7f326b82f060,
    scriptArg=0x7f326a675040, rval=0x7fff0b0c1d60) at /home/jj/hg/in/t/js/src/jsapi.cpp:5662
#34 0x00007f328a5db7f5 in nsJSContext::ExecuteScript (this=0x7f326b5f2700,
    aScriptObject=0x7f326a675040, aScopeObject=0x7f326b82f060, aRetValue=0x0,
    aIsUndefined=0x0) at /home/jj/hg/in/t/dom/base/nsJSEnvironment.cpp:1639
#35 0x00007f328a5ac780 in nsXULDocument::ExecuteScript (this=0x7f32750db000,
    aContext=0x7f326b5f2700, aScriptObject=0x7f326a675040)
    at /home/jj/hg/in/t/content/xul/document/src/nsXULDocument.cpp:3588
#36 0x00007f328a5ac99e in nsXULDocument::ExecuteScript (this=0x7f32750db000, aScript=
    0x7f3277359290) at /home/jj/hg/in/t/content/xul/document/src/nsXULDocument.cpp:3608
#37 0x00007f328a5ac2f7 in nsXULDocument::OnStreamComplete (this=0x7f32750db000,
    aLoader=0x7f3269b75400, context=0x0, aStatus=0, stringLen=1927,
    string=0x7f3268245000 "// Copyright (c) 2008-2009 Kris Maglione <maglione.k at Gmail>\n//\n// This work is licensed for reuse under an MIT license. Details are\n// given in the License.txt file included with this file.\n\n(funct"...)
    at /home/jj/hg/in/t/content/xul/document/src/nsXULDocument.cpp:3485
#38 0x00007f3289b182fb in nsStreamLoader::OnStopRequest (this=0x7f3269b75400,
    request=0x7f326b6867c0, ctxt=0x0, aStatus=0)
    at /home/jj/hg/in/t/netwerk/base/src/nsStreamLoader.cpp:95
#39 0x00007f3289cc1630 in nsJARChannel::OnStopRequest (this=0x7f326b6867c0,
    req=0x7f32767f2200, ctx=0x0, status=0)
    at /home/jj/hg/in/t/modules/libjar/nsJARChannel.cpp:875
#40 0x00007f3289adacfb in nsInputStreamPump::OnStateStop (this=0x7f32767f2200)
    at /home/jj/hg/in/t/netwerk/base/src/nsInputStreamPump.cpp:559
#41 0x00007f3289ada47f in nsInputStreamPump::OnInputStreamReady (this=0x7f32767f2200, stream=
    0x7f3276c123b8) at /home/jj/hg/in/t/netwerk/base/src/nsInputStreamPump.cpp:374
#42 0x00007f328b546c71 in nsInputStreamReadyEvent::Run (this=0x7f3269b755c0)
    at /home/jj/hg/in/t/xpcom/io/nsStreamUtils.cpp:82
#43 0x00007f328b56a290 in nsThread::ProcessNextEvent (this=0x7f328f16f160, mayWait=false,
    result=0x7fff0b0c21cf) at /home/jj/hg/in/t/xpcom/threads/nsThread.cpp:624
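As an added triage example (not code from the report or from Mozilla's tooling), the following Python parses a gdb backtrace of the kind quoted above into frames, re-joining the indented continuation lines gdb wraps, and summarises what a defender wants from it first: the crash site, how deep inside the engine (frames under js/src) the crash is, and the first frame outside the engine, which is where the parser was entered from. The trace embedded below is a constructed excerpt of the report's frames; the path fragment "/js/src/" used to tell engine frames from embedder frames is an assumption about this tree's layout.

```python
"""Triage helper for gdb backtraces like the one in this bug report.

Added example, not part of the report or of Mozilla's tooling. SAMPLE_BT is
a constructed excerpt of the report's frames (gdb wraps long frames onto
indented continuation lines, which parse_backtrace() re-joins).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_BT = """\
Program received signal SIGSEGV, Segmentation fault.
#0  0x00007f328c1d18e4 in js::frontend::ParseNode::append (this=0x7f3279c9c020,
    pn=0x7f3279c9c218) at /home/jj/hg/in/t/js/src/frontend/ParseNode.h:865
#1  0x00007f328c21c627 in js::frontend::Parser::xmlElementOrList (this=0x7fff0b0bca80,
    allowList=false) at /home/jj/hg/in/t/js/src/frontend/Parser.cpp:6270
#3  0x00007f328c21ca74 in js::frontend::Parser::parseXMLText (this=0x7fff0b0bca80,
    chain=0x7f326a664200, allowList=false) at /home/jj/hg/in/t/js/src/frontend/Parser.cpp:6342
#4  0x00007f328c17526e in ParseXMLSource (cx=0x7f326c084f00, src=...)
    at /home/jj/hg/in/t/js/src/jsxml.cpp:1772
#13 0x00007f328ad52e92 in mozJSSubScriptLoader::LoadSubScript (this=0x7f3276a4c500, url=...,
    target=..., charset=..., cx=0x7f326c084f00, retval=0x7fff0b0beca0)
    at /home/jj/hg/in/t/js/xpconnect/loader/mozJSSubScriptLoader.cpp:298
#19 0x00007f328c042742 in js::CallJSNative (cx=0x7f326c084f00,
    native=0x7f328ac5d67a <XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/jj/hg/in/t/js/src/jscntxtinlines.h:372
"""

# "#N  0xADDR in FUNC (ARGS) at PATH:LINE" once continuation lines are joined.
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?(.+?) \((.*)\) at (.+?):(\d+)$")

# Assumption about this tree: engine frames live under js/src, embedder frames elsewhere.
ENGINE_PATH_FRAGMENT = "/js/src/"


@dataclass
class Frame:
    index: int
    function: str
    args: Dict[str, str]
    file: str
    line: int


def split_args(text: str) -> Dict[str, str]:
    """Split 'a=1, b=<f(x, y)>' on top-level commas only, so nested (), <> survive."""
    pieces, buf, depth = [], [], 0
    for ch in text:
        if ch in "(<[":
            depth += 1
        elif ch in ")>]":
            depth -= 1
        if ch == "," and depth == 0:
            pieces.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    pieces.append("".join(buf))
    out = {}
    for piece in pieces:
        name, sep, value = piece.strip().partition("=")
        if sep:
            out[name.strip()] = value.strip()
    return out


def parse_backtrace(text: str) -> List[Frame]:
    """Turn gdb 'bt' output into Frame records; banners, prompts and source echo are ignored."""
    joined: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            joined.append(raw.rstrip())
        elif joined and raw.startswith(" "):
            joined[-1] += " " + raw.strip()  # continuation of the previous frame
    frames = []
    for entry in joined:
        m = FRAME_RE.match(entry)
        if m:
            idx, func, args, path, line = m.groups()
            frames.append(Frame(int(idx), func, split_args(args), path, int(line)))
    return frames


def first_frame_not_under(frames: List[Frame], path_fragment: str) -> Optional[Frame]:
    """Innermost frame whose source file is outside the given subtree."""
    for fr in frames:
        if path_fragment not in fr.file:
            return fr
    return None


def summarize(text: str) -> dict:
    frames = parse_backtrace(text)
    crash = frames[0]
    entry = first_frame_not_under(frames, ENGINE_PATH_FRAGMENT)
    return {
        "crash_site": f"{crash.function} at {crash.file.rsplit('/', 1)[-1]}:{crash.line}",
        "engine_depth": sum(1 for f in frames if ENGINE_PATH_FRAGMENT in f.file),
        "entered_from": entry.function if entry else None,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_BT))
```

On the report's trace this points at js::frontend::ParseNode::append in ParseNode.h:865 as the crash site, with the engine entered through mozJSSubScriptLoader::LoadSubScript, which is exactly the reporter's point: input supplied by an add-on reached the parser, and the parser, not the add-on, is what must not crash on it.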
Created attachment 659122
vimperator add-on xpi file that causes JS parser to dump core.

Note: from the output start text of the buffer in the stack trace:

   // Copyright (c) 2008-2009 Kris Maglione

I can tell that the file that's being parsed when we dump is either

  common/content/liberator-overlay.js
or
  components/protocols.js

within vimperator@mozdev.org.xpi, which is the attachment.
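The reporter narrows the file down by hand from the start of the script buffer that gdb printed. The same frame also printed the buffer's length (stringLen=1927), which can separate two members that share a header. The Python below is an added example, not the reporter's or the add-on's code, that automates that reasoning over an .xpi (a zip archive): list every member whose bytes begin with the printed prefix, then rank a member whose uncompressed size equals stringLen ahead of the rest. The size comparison assumes the loader hands the parser the member's raw bytes unchanged; that is an assumption, not something the report states. The archive built in build_sample_xpi() is a constructed stand-in for the attachment, with member names taken from the comment above and padded, made-up contents.

```python
"""Which member of an add-on .xpi was being parsed when the engine crashed?

Added example, not part of the bug report. It automates the reporter's
reasoning: gdb printed the start of the script buffer and its length
(stringLen=1927), so a member whose bytes start with that text is a
candidate, and one whose uncompressed size equals stringLen is the stronger
candidate (assumes the loader passes the raw member bytes through unchanged).
The xpi built here is a constructed stand-in for the real attachment.
"""
import io
import zipfile
from typing import List, Tuple

BUFFER_PREFIX = b"// Copyright (c) 2008-2009 Kris Maglione"
BUFFER_LENGTH = 1927  # stringLen from the nsXULDocument::OnStreamComplete frame


def build_sample_xpi() -> bytes:
    """Constructed add-on archive: two scripts share the header, one is padded to 1927 bytes."""
    overlay = BUFFER_PREFIX + b" <maglione.k at Gmail>\n//\n(function () {})();\n"
    protocols = (BUFFER_PREFIX + b" <maglione.k at Gmail>\n//\n").ljust(BUFFER_LENGTH, b"/")
    members = [
        ("chrome.manifest", b"content liberator common/content/\n"),
        ("common/content/liberator-overlay.js", overlay),
        ("components/protocols.js", protocols),
        ("common/content/util.js", b"// unrelated module, different header\n"),
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members:
            zf.writestr(name, data)
    return buf.getvalue()


def members_with_prefix(xpi_bytes: bytes, prefix: bytes) -> List[Tuple[str, int]]:
    """All file members whose first bytes equal `prefix`, with their uncompressed sizes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(prefix))  # only the header bytes are needed
            if head == prefix:
                hits.append((info.filename, info.file_size))
    return sorted(hits)


def locate_buffer(xpi_bytes: bytes, prefix: bytes, length: int) -> List[str]:
    """Candidate members, best first: exact size match before prefix-only match."""
    hits = members_with_prefix(xpi_bytes, prefix)
    exact = [name for name, size in hits if size == length]
    rest = [name for name, size in hits if size != length]
    return exact + rest


if __name__ == "__main__":
    xpi = build_sample_xpi()
    print(members_with_prefix(xpi, BUFFER_PREFIX))
    print(locate_buffer(xpi, BUFFER_PREFIX, BUFFER_LENGTH))
```

Against a real archive the same two calls take the bytes of the downloaded .xpi; the prefix and length come straight from the gdb frame, so nothing about the add-on has to be known in advance.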

More fun:  I can't repro this on a clean profile just by installing vimperator.   And in my existing, crashing profile, it doesn't seem to crash any more if I abandon my existing tabs at recovery startup.   So I guess it's some subtle, complicated thing.  I guess I'll get rid of my tabs and move along with life.

I've got a backup of my whole profile that reliably exhibits the crash if anyone wants to repro this--it's 230MB bzipped.

Whiteboard: [js:p3]

Updated 4 years ago
Assignee: general → nobody