Closed Bug 795104 Opened 12 years ago Closed 12 years ago

crash in _VEC_memcpy | js_NewStringCopyN

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
17 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla20
Tracking Flags:
Tracking Status
firefox17 + fixed
firefox18 + verified
firefox19 --- verified
firefox20 --- fixed
firefox-esr17 --- fixed

People

(Reporter: marcia, Assigned: Benjamin)

References

(
URL
)

Details

(Keywords: crash, reproducible, topcrash)

Crash Data

Attachments

(6 files, 3 obsolete files)

Firebug test build (not using GetBindingURLs API)
1.95 MB, application/x-xpinstall
Details
load source if needed in JS_DecompileScript
1.52 KB, patch
jorendorff
: review+
Honza
: feedback-
akeybl
: approval-mozilla-aurora+
akeybl
: approval-mozilla-beta+
lsblakk
: approval-mozilla-release+
lsblakk
: approval-mozilla-esr17+
Details | Diff | Splinter Review
Crash stack trace (Firefox build + load source if needed in JS_DecompileScript patch included)
26.39 KB, text/plain
Details
check if compression is running before aborting
3.74 KB, patch
jorendorff
: review+
akeybl
: approval-mozilla-aurora+
akeybl
: approval-mozilla-beta+
lsblakk
: approval-mozilla-release+
lsblakk
: approval-mozilla-esr17+
Details | Diff | Splinter Review
Firebug + 1password crash stack 2
5.44 KB, text/plain
Details
don't lazily load special charsets
3.90 KB, patch
bzbarsky
: review+
akeybl
: approval-mozilla-aurora+
akeybl
: approval-mozilla-beta+
lsblakk
: approval-mozilla-release+
lsblakk
: approval-mozilla-esr17+
Details | Diff | Splinter Review 
This bug was filed from the Socorro interface and is 
report bp-2e6683bc-2f1c-4743-9b7c-47e7d2120926 .
============================================================= 

Seen while viewing Aurora crash stats. This has been around in earlier releases, but volume seems to have increased in Aurora.  https://crash-stats.mozilla.com/report/list?signature=_VEC_memcpy%20|%20js_NewStringCopyN%28JSContext*,%20wchar_t%20const*,%20unsigned%20int%29

Most of the crashes seem to be on Win Vista:

Windows Vista 	73.913 %	68
Windows XP 	14.13 %	        13
Windows 7 	11.957 %	11 

Frame 	Module 	Signature 	Source
0 	msvcr100.dll 	_VEC_memcpy 	
1 	mozjs.dll 	js_NewStringCopyN 	js/src/jsstr.cpp:3344
2 	mozjs.dll 	js::ScriptSource::substring 	js/src/jsscript.cpp:1115
3 	mozjs.dll 	JSScript::sourceData 	js/src/jsscript.cpp:1043
4 	mozjs.dll 	JS_DecompileScript 	js/src/jsapi.cpp:5573
5 	xul.dll 	jsdScript::GetFunctionSource 	js/jsd/jsd_xpc.cpp:1335
6 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:70
7 	xul.dll 	XPCWrappedNative::GetAttribute 	js/xpconnect/src/xpcprivate.h:2822
8 	xul.dll 	XPC_WN_GetterSetter 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1526
9 	xul.dll 	nsXPConnect::GetXPConnect 	js/xpconnect/src/nsXPConnect.cpp:139
10 	xul.dll 	XPC_WN_NoHelper_Resolve 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:690
11 		@0x980ba9f
(In reply to Marcia Knous [:marcia] from comment #0)
> volume seems to have increased in Aurora.
In Aurora, it has been hit by a single user (same Install Time in a build, same graphics and processor configuration across builds).
OS: Windows NT → Windows Vista
It spiked across all affected versions on October 26.
It's #1 top browser crasher in 17.0b3 and 18.0a2 on Mac.

It's correlated to Firebug:
* 17.0:
  libsystem_c.dylib@0x1a50|EXC_BAD_ACCESS / KERN_INVALID_ADDRESS (30 crashes)
    100% (30/30) vs.  22% (79/352) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843)
          7% (2/30) vs.   4% (13/352) 1.10.4
         90% (27/30) vs.  18% (64/352) 1.10.5
          3% (1/30) vs.   0% (1/352) 1.11.0a5
     93% (28/30) vs.  18% (63/352) onepassword@agilebits.com
         17% (5/30) vs.   1% (5/352) 3.9.10.b1
         20% (6/30) vs.   2% (6/352) 3.9.8
         57% (17/30) vs.  13% (47/352) 3.9.9
  _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)|EXCEPTION_ACCESS_VIOLATION_READ (140 crashes)
    100% (140/140) vs.   1% (713/57300) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843)
         11% (16/140) vs.   0% (203/57300) 1.10.4
         86% (120/140) vs.   1% (473/57300) 1.10.5
          3% (4/140) vs.   0% (16/57300) 1.7.3
     31% (43/140) vs.   0% (145/57300) {6AC85730-7D0F-4de0-B3FA-21142DD85326} (ColorZilla, https://addons.mozilla.org/addon/271)
          0% (0/140) vs.   0% (1/57300) 2.7
         17% (24/140) vs.   0% (109/57300) 2.8
         14% (19/140) vs.   0% (35/57300) 2.8.1
     29% (41/140) vs.   0% (253/57300) OneClickDownloader@OneClickDownloader.com
          0% (0/140) vs.   0% (8/57300) 1.1
          0% (0/140) vs.   0% (1/57300) 1.2
          0% (0/140) vs.   0% (2/57300) 1.3
         29% (41/140) vs.   0% (242/57300) 1.5
     21% (30/140) vs.   0% (160/57300) {c45c406e-ab73-11d8-be73-000a95be3b12} (Web Developer, https://addons.mozilla.org/addon/60) (1.2.2)

*18.0a2:
  libsystem_c.dylib@0x1a50|EXC_BAD_ACCESS / KERN_INVALID_ADDRESS (15 crashes)
    100% (15/15) vs.  54% (35/65) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843)
        100% (15/15) vs.  51% (33/65) 1.10.5
     73% (11/15) vs.  35% (23/65) onepassword@agilebits.com
         73% (11/15) vs.  34% (22/65) 3.9.9
  _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)|EXCEPTION_ACCESS_VIOLATION_READ (140 crashes)
    100% (140/140) vs.   1% (713/57300) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843)
         11% (16/140) vs.   0% (203/57300) 1.10.4
         86% (120/140) vs.   1% (473/57300) 1.10.5
          3% (4/140) vs.   0% (16/57300) 1.7.3
     31% (43/140) vs.   0% (145/57300) {6AC85730-7D0F-4de0-B3FA-21142DD85326} (ColorZilla, https://addons.mozilla.org/addon/271)
         17% (24/140) vs.   0% (109/57300) 2.8
         14% (19/140) vs.   0% (35/57300) 2.8.1
     29% (41/140) vs.   0% (253/57300) OneClickDownloader@OneClickDownloader.com
         29% (41/140) vs.   0% (242/57300) 1.5
     21% (30/140) vs.   0% (160/57300) {c45c406e-ab73-11d8-be73-000a95be3b12} (Web Developer, https://addons.mozilla.org/addon/60) (1.2.2)

More reports also at:
https://crash-stats.mozilla.com/report/list?signature=libsystem_c.dylib%400x1a50
https://crash-stats.mozilla.com/report/list?signature=libsystem_c.dylib%400x12ec
Crash Signature: [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)] → [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)] [@ libsystem_c.dylib@0x1a50] [@ libsystem_c.dylib@0x12ec]
tracking-firefox17: --- → ?
tracking-firefox18: --- → ?
Keywords: topcrash
OS: Windows Vista → All
Hardware: x86 → All
Crash Signature: [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)] [@ libsystem_c.dylib@0x1a50] [@ libsystem_c.dylib@0x12ec] → [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)] [@ libsystem_c.dylib@0x1a50] [@ libsystem_c.dylib@0x12ec] [@ libsystem_c.dylib@0x12ac] [@ libsystem_c.dylib@0x27d40]
Crash Signature: [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)] [@ libsystem_c.dylib@0x1a50] [@ libsystem_c.dylib@0x12ec] [@ libsystem_c.dylib@0x12ac] [@ libsystem_c.dylib@0x27d40] → [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)] [@ js_NewStringCopyN] [@ libsystem_c.dylib@0x1a50] [@ libsystem_c.dylib@0x12ec] [@ libsystem_c.dylib@0x12ac] [@ libsystem_c.dylib@0x27d40]
Marcia - can you take a stab at this with the listed versions of Firebug/1Password?

Naveed/David - can we get somebody to take a look?

Also including Jan to see if he knows who can take a look at this from the Firebug side. I'm confused because this crash didn't really crop up until 4 days after Firebug 1.10.5 was released, and 2 days after FF16b3 was released.
Keywords: qawanted, steps-wanted
QA Contact: mozillamarcia.knous
While we're tracking this, I do want to say that I'm not super worried about this crash for release since it's highly correlated to Firebug. That doesn't mean we shouldn't investigate/fix as soon as possible for the sake of devs though.
tracking-firefox17: ?+
tracking-firefox18: ?+
(In reply to Alex Keybl [:akeybl] from comment #3)
> Marcia - can you take a stab at this with the listed versions of
> Firebug/1Password?

I see one comment saying "trying to log in to browserid with MozTrap" for signature : libsystem_c.dylib@0x1a50 ..May be we could start with this as well ?
> 
> Naveed/David - can we get somebody to take a look?
> 
> Also including Jan to see if he knows who can take a look at this from the
> Firebug side. I'm confused because this crash didn't really crop up until 4
> days after Firebug 1.10.5 was released, and 2 days after FF16b3 was released.
Recent correlations show a version of One Password that is available on the trial download on their site - I will have to purchase a copy in the App Store which I will do when I get in the office.

Mac OS X
  libsystem_c.dylib@0x1a50|EXC_BAD_ACCESS / KERN_INVALID_ADDRESS (61 crashes)
     97% (59/61) vs.  20% (100/494) onepassword@agilebits.com
         18% (11/61) vs.   3% (13/494) 3.9.10.b1
         79% (48/61) vs.  17% (86/494) 3.9.9
          0% (0/61) vs.   0% (1/494) 3.9.9.b2
    100% (61/61) vs.  30% (146/494) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843)
          0% (0/61) vs.   0% (1/494) 1.10.2b1
         46% (28/61) vs.   7% (37/494) 1.10.4
         51% (31/61) vs.  20% (100/494) 1.10.5
          3% (2/61) vs.   1% (4/494) 1.11.0a5
          0% (0/61) vs.   1% (4/494) 1.9.0
Was able to reproduce this using the following steps:

1. Downloaded and installed One Password. Installed version 3.99 of the addon into the latest Firefox beta Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/17.0 Firefox/17.0.
2. Install Firebug 1.10.5, Enable "one for all web pages" and "enable all panels"
3. Visit http://www.google.com/nexus/
4. Switch back and forth between Nexus 4, Nexus 7 and Nexus 10.
5. Crash

https://crash-stats.mozilla.com/report/index/bp-57353021-f01b-461c-8326-72b3f2121030

I am not sure whether One Password factors in or not, will have to disable some of the extensions to see.
Keywords: reproducible
Another way I have been able to repro is to do as follows:

1. Disable One Password
2. Visit the nexus site with the same panels enabled as in Comment 7 Step 2
3. Reable One Password
4. Navigate back to the nexus page.
5. Crash every time.

So in this case you One Password version 3.99 seems to be problematic in combination with Firebug.

Also, this bug will bite many web devs as I can see from the crash URLs that many web devs are crashing when they are testing their sites.
URL: http://www.google.com/nexus/
Glad we're able to repro Marcia. We still need to nail down if this regression is caused by new code in FF17, a 1Password version, or a specific Firebug version. Would also be great to take a look at bug 806192 at the same time.
Keywords: steps-wantedregressionwindow-wanted
(In reply to Jan Honza Odvarko from comment #10)
> Reported in Firebug issue list:
> http://code.google.com/p/fbug/issues/detail?id=6034
Sorry, this comment belongs to different bug

Honza
I was able to crash following the same steps in both Aurora and Firefox 16, so this crash is not unique to FF 17.

The correlations show this happens with two specific versions of Firebug - I reproduced with 1.10.5 which is the latest version on AMO:

46% (28/61) vs.   7% (37/494) 1.10.4
51% (31/61) vs.  20% (100/494) 1.10.5

As far as One Password, I will have to hunt down some older versions of the addon to see where that stands.

Since in Comment 8 I wasn't able to reproduce the crash with Firebug only, it would seem right now the suspect addon is One Password.
https://agilebits.com/onepassword/mac/release_notes has the version versions of One Password - the latest update happened in July.
Since this is seeming to be related to bug 806192 - hoping Jan can take a look here too.
Assignee: general → odvarko
Not able to reproduce with 1.10.3 of Firebug. When I perform an update to 1.10.6 via Addons, I can generate the crash by visting http://www.google.com/nexus/
and switching back and forth between Nexus 4, Nexus 7 and Nexus 10.
I can't reproduce the problem with Firebug 1.10.6, Firefox 16, 17, Win Vista.
(I am visiting http://www.google.com/nexus/ and switching back and forth between Nexus 4, Nexus 7 and Nexus 10)

Since this looks related to:
Bug 806192 - crash in inDOMUtils::GetBindingURLs with Firebug

I have search Firebug code base for 'GetBindingURLs' and found one place.
I removed the call and attached a test build 

Can you try to reproduce it again with it?

---

Also, it's not clear how to install onepassword extension

I downloaded Version 3.8.20 from here:
https://agilebits.com/onepassword/mac/release_notes

Unzipped and found couple of extension directories:
Contents\Extensions\firefox4@1password.com
Contents\Extensions\firefox5@1password.com

However, none of them is using onepassword@agilebits.com as the ID
and it isn't even compatible with Firefox 16

How should I install it?

Honza
Honza: I will try your test build momentarily.

I actually ended up purchasing One Password from the Mac App store - from there it installed the app on my machine.
Honza: Using Mac 16.0.2, I still crash with the Firebug test build attached to the page. The stack I get is the same one that appears in Bug 806192. I ended up having to reload the page to generate the crash this time.

I also crash with Aurora and the latest Beta as well.

According to https://agilebits.com/extensions/mac/index.html, One Password is compatible with 16+.
(In reply to Jan Honza Odvarko from comment #16)
> How should I install it?
> 
> Honza

Please install from the Mac App Store as Marcia suggests and expense the purchase. Thanks!
(In reply to Alex Keybl [:akeybl] from comment #19)
> Please install from the Mac App Store as Marcia suggests and expense the
> purchase. Thanks!
Unfortunately, I don't have a Mac.

But, I don't know if I need One Password at all, I should be able to reproduce the crash with Firebug alone in the first place, no?

I tried Win XP, Vista, 7 and I don't see any crashes.

(In reply to Marcia Knous [:marcia] from comment #18)
> Honza: Using Mac 16.0.2, I still crash with the Firebug test build attached
> to the page. The stack I get is the same one that appears in Bug 806192.
The attached build doesn't call GetBindingURLs at all, so there must be something else executing that function.

I searched mxr and I don't see any other Firefox API that would use that function
https://mxr.mozilla.org/mozilla-aurora/search?string=GetBindingURLs

So, how come the function is actually executed?

Honza
Honza: I wasn't able to reproduce just with Firebug in this case on the Mac - see my earlier comment 8. It seems to have something to do with the interaction of One Password and Firebug.

(In reply to Jan Honza Odvarko from comment #20)
> (In reply to Alex Keybl [:akeybl] from comment #19)
> > Please install from the Mac App Store as Marcia suggests and expense the
> > purchase. Thanks!
> Unfortunately, I don't have a Mac.
> 
> But, I don't know if I need One Password at all, I should be able to
> reproduce the crash with Firebug alone in the first place, no?
>
Do we have access to a copy of One Password? If it is reliably able to cause this crash that would be very helpful. The original bug appears to be Windows. Is that the OS you are able to reproduce the crash on?
Naveed: Honza was able to reproduce the bug on my Mac last evening. He is investigating the bug further - it is very easy to reproduce on the Mac and continues to be one of the top mac crashes in Beta. He thinks it is related to JSD and 1Password.

I purchased 1Password, but you can download a trial from their site.
I have been finally able to repro the crash (using 1password xpi copy).

My configuration:
Windows Vista, Firefox Nightly (Built from http://hg.mozilla.org/mozilla-central/rev/8671bfc8e9a8), Firebug 1.10.5

I am able to reliably reproduce the crash with Firebug 1.10.5 (not with 1.10.4, which also appears in the stats)

The crash appears since this commit:
https://github.com/firebug/firebug/commit/7227fc862207d0c5645d876a83c80a6054c06e20

Does it help?

Honza
The crash doesn't happen if JSD is disabled (ie. if the Console and Script panels are disabled).

Honza
My feeling is that the crash happens when accessing the win.parent (?) when scripts coming from 1password are compiled. Firebug hooks the script compilation (by setting a breakpoint on line 1 using JSD API)

Here is a stack trace just before the crash:

chrome://firebug/content/chrome/tabWatcher.js (692)
chrome://firebug/content/js/debugger.js (1073)
resource://firebug/firebug-service.js (3207)
resource://firebug/firebug-service.js (3132)
resource://firebug/firebug-service.js (2473)
resource://firebug/firebug-service.js (2516)
resource://firebug/firebug-service.js (2324)
resource://firebug/firebug-service.js (2074)
resource://firebug/firebug-service.js (4308)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/sandbox.js -> resource://onepassword-at-agilebits-dot-com/onepassword/data/src/end.min.js (1)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/sandbox.js (43)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/content/worker.js (292)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/content/worker.js (233)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/traits.js (110)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/content/worker.js (437)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/traits.js (110)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/addon-kit/lib/page-mod.js (207)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/addon-kit/lib/page-mod.js (198)
null (0)

---

I think that it would be great if somebody from JSD team could repro & debug the problem in Firefox debug build, to see what's going on in C++

Honza
Adding Dave Teare from 1Password.
At this point we're too close to FF17 ship, wontfixing.
status-firefox17: --- → wontfix
Just to note that the crash is somehow related to this code:

win.parent instanceof win.parent.Window

'instanceof' is applied on a type (Window) that might come from different compartment.

Does it make sense?

Honza
Boris, any tips what could be wrong here?

Honza
Well, so...  The crash is a null deref, right?  Benjamin, is it possible the chars are null?

Has anyone reproduced this in a debug build, perhaps?  That would be a good start: it might assert about something interesting.
Attached patch load source if needed in JS_DecompileScript (obsolete) — — Splinter Review 
Ah, the JSD gremlin haunts us still.

Jan, can you try this patch? If you need binaries, there will be ones on this try result soon: https://tbpl.mozilla.org/?tree=Try&rev=5255fa968c3a
Attachment #680712 - Flags: feedback?(odvarko)
Non-broken patch.
Assignee: odvarko → benjamin
Attachment #680712 - Attachment is obsolete: true
Attachment #680712 - Flags: feedback?(odvarko)
Attachment #680769 - Flags: feedback?(odvarko)
Comment on attachment 680769 [details] [diff] [review]
load source if needed in JS_DecompileScript

Try build downloaded from here:
http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/benjamin@python.org-941306cf172a/try-win32/

Tested with Firebug 1.10.6 + 1password 3.9.9

I can still repro the crash. Report here:
https://crash-stats.mozilla.com/report/index/958b57a5-e5c1-4ed4-8d55-fddda2121113

Honza
Attachment #680769 - Flags: feedback?(odvarko) → feedback-
Can you try with a debug build please? The stack is managled.
I'm running Linux, so I'm unable to test due to onepassword's platform requirements. If anyone could reproduce in a debug build that would be great.
@Marcia: could you try to repro the crash on your machine + using Firefox debug build? I can't since the try-debug build requires MSVC 10 (DLLs) and I don't have them.

Honza
I have built Firefox from:
http://hg.mozilla.org/integration/fx-team
Including the patch: load source if needed in JS_DecompileScript

---

When I install 1password extension (no Firebug) I am not event able to launch Firefox. It immediately crashes:

See the attached stack trace.

Unhandled exception at 0x775c15de in firefox.exe: 0xC0000005: Access violation writing location 0x00000000.

Note that there is mozJSSubScriptLoader::LoadSubScript on the stack trying to load "resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/sandbox.js -> resource://onepassword-at-agilebits-dot-com/onepassword/data/src/popup.min.js"

Honza
That, apparently, is a different bug.
Attachment #681577 - Flags: review?(jorendorff)
(In reply to Benjamin Peterson [:benjamin] from comment #40)
> Created attachment 681577 [details] [diff] [review]
> check if compression is running before aborting
> 
> That, apparently, is a different bug.
Cool, the attached patch, helps to solve the start-up crash.

So, now I am attaching the stack I get if testing Firebug + 1password crash.

Note that I applied both patches:
- load source if needed in JS_DecompileScript 
- check if compression is running before aborting 

Honza
Does it print any message about an assertion failing?
I am seeing this in the OS console:

Assertion failure: src->length() > 0 && chars[0] == '(', at c:/src/mozilla.org/fx-team/js/src/jsfun.cpp:674


Honza
Also note that when loading the http://www.google.com/nexus/10/ I am seeing the following assertion (but I can successfully ignore it):

ASSERTION: Shouldn't be trying to restyle non-elements directly: '!aContent || aContent->IsElement()', file
c:/src/mozilla.org/fx-team/layout/base/nsStyleChangeList.cpp, line 65

I am not sure if it's related, but mentioning it here anyway.

Honza
Attached patch we can't handle weird charsets (obsolete) — — Splinter Review 
I think I finally got it!
If you need feedbacks, I can. Coz my firebug (the two latest versions) makes my firefox crash.
Tested with all three patches included:
- load source if needed in JS_DecompileScript 
- check if compression is running before aborting 
- we can't handle weird charsets

I see the following exception:

WARNING: Subdocument container has no frame: file c:/src/mozilla.org/fx-team/lay
out/base/nsDocumentViewer.cpp, line 2394
++DOMWINDOW == 55 (20758890) [serial = 73] [outer = 20758EB8]
###!!! ASSERTION: elements must implement nsIContent: 'content', file c:/src/moz
illa.org/fx-team/layout/inspector/src/inDOMUtils.cpp, line 246
###!!! ABORT: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr
 != 0', file c:\src\mozilla.org\fx-team\obj-i686-pc-mingw32\dist\include\nsCOMPt
r.h, line 781


The stack trace:

 	KernelBase.dll!75063219() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for KernelBase.dll]	
 	ntdll.dll!772715de() 	
 	ntdll.dll!7726014e() 	
>	mozglue.dll!mozilla::HashBytes(const void * bytes=0x0004ce9a, unsigned int length=1486476122)  Line 28 + 0xb bytes	C++
 	d0eb17a0()	
 	mozjs.dll!PRMJ_Now()  Line 398 + 0x12 bytes	C++


Honza
That assertion is certainly bogus in the sense that if the caller passes in some random JS object for that element, it will fail.  We should fix that, but the interesting thing for you is probably what the JS stack is to that point, not the C++ stack.
I managed to reproduce the crash and get the stack:

#0  nsCOMPtr<nsINodeInfo>::get () at /Users/benjamin/mozilla/inbound/obj-x86_64-apple-darwin11.4.2/dist/include/nsCOMPtr.h:759
#1  nsCOMPtr<nsINodeInfo>::operator-> () at /Users/benjamin/mozilla/inbound/obj-x86_64-apple-darwin11.4.2/dist/include/nsCOMPtr.h:784
#2  0x0000000101a428d2 in inDOMUtils::GetBindingURLs (this=<value temporarily unavailable, due to optimizations>, aElement=0x144b16e20, _retval=0x7fff5fbf3418) at /Users/benjamin/mozilla/inbound/layout/inspector/src/inDOMUtils.cpp:248
#3  0x0000000101b933e6 in nsCOMPtr<nsIContent>::operator-> () at /Users/benjamin/mozilla/inbound/obj-x86_64-apple-darwin11.4.2/dist/include/nsCOMPtr.h:467

That's bug 806192, though, right?
Crash Signature: [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)] [@ js_NewStringCopyN] [@ libsystem_c.dylib@0x1a50] [@ libsystem_c.dylib@0x12ec] [@ libsystem_c.dylib@0x12ac] [@ libsystem_c.dylib@0x27d40] → [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)] [@ js_NewStringCopyN(JSContext*, unsigned short const* unsigned long)] [@ js_NewStringCopyN] [@ libsystem_c.dylib@0x1a50] [@ libsystem_c.dylib@0x12ec] [@ libsystem_c.dylib@…
Those should be fixed by the patches in this bug. I hope someone can confirm.
Attached patch don't lazily load special charsets (obsolete) — — Splinter Review 

        Attachment #682311 -
        Attachment is obsolete: true

        Attachment #683206 -
        Flags: review?(bzbarsky)

    
  

        Attachment #680769 -
        Flags: review?(jorendorff)

    
    

    
  


  
I forgot to add test file.

        Attachment #683206 -
        Attachment is obsolete: true

        Attachment #683206 -
        Flags: review?(bzbarsky)

        Attachment #683299 -
        Flags: review?(bzbarsky)

    
    

    
  
Comment on attachment 683299 [details] [diff] [review]
don't lazily load special charsets

r=me

        Attachment #683299 -
        Flags: review?(bzbarsky) → review+

    
    

    
  
Comment on attachment 680769 [details] [diff] [review]
load source if needed in JS_DecompileScript

Review of attachment 680769 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsapi.cpp
@@ +5474,5 @@
>          return JS_DecompileFunction(cx, fun, indent);
> +    bool haveSource = script->scriptSource()->hasSourceData();
> +    if (!haveSource && !JSScript::loadSource(cx, script, &haveSource))
> +        return NULL;
> +    return haveSource ? script->sourceData(cx) : js_NewStringCopyZ(cx, "[no source]");

You need to refresh the local variable haveSource after calling JSScript::loadSource, right?

        Attachment #680769 -
        Flags: review?(jorendorff) → review+

    
    

    
  
(In reply to Jason Orendorff [:jorendorff] from comment #55)
> 
> ::: js/src/jsapi.cpp
> @@ +5474,5 @@
> >          return JS_DecompileFunction(cx, fun, indent);
> > +    bool haveSource = script->scriptSource()->hasSourceData();
> > +    if (!haveSource && !JSScript::loadSource(cx, script, &haveSource))
> > +        return NULL;
> > +    return haveSource ? script->sourceData(cx) : js_NewStringCopyZ(cx, "[no source]");
> 
> You need to refresh the local variable haveSource after calling
> JSScript::loadSource, right?

What do you mean by refresh? |loadSource()| can change haveSource.

    
    

    
  
(In reply to :Benjamin Peterson from comment #56)
> What do you mean by refresh? |loadSource()| can change haveSource.

haveSource is a local variable. loadSource() doesn't change its value. But when loadSource() successfully loads some code, you want haveSource to become true... Right?

        Attachment #681577 -
        Flags: review?(jorendorff) → review+

    
    

    
  
(In reply to Jason Orendorff [:jorendorff] from comment #57)
> haveSource is a local variable. loadSource() doesn't change its value.

Oh, yes it does. Right there. Never mind, I'm dumb.

    
    

    
  
Comment on attachment 683299 [details] [diff] [review]
don't lazily load special charsets

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 761723
User impact if declined: Crashes w/Firebug and 1 password. There's no reason it couldn't crash elsewhere.
Testing completed (on m-c, etc.): On m-i now
Risk to taking this patch (and alternatives if risky): This raises memory usage a bit when using loadSubScript with a charset. However, an addon search shows this is very rare. (I don't think it happens at all in the browser.)
String or UUID changes made by this patch: None

        Attachment #683299 -
        Flags: approval-mozilla-beta?

        Attachment #683299 -
        Flags: approval-mozilla-aurora?

    
    

    
  
Comment on attachment 681577 [details] [diff] [review]
check if compression is running before aborting

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 761723
User impact if declined: Crashes w/Firebug.
Testing completed (on m-c, etc.): On m-i now
Risk to taking this patch (and alternatives if risky): Not risky
String or UUID changes made by this patch: None

        Attachment #681577 -
        Flags: approval-mozilla-beta?

        Attachment #681577 -
        Flags: approval-mozilla-aurora?

    
    

    
  
Comment on attachment 680769 [details] [diff] [review]
load source if needed in JS_DecompileScript

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 761723
User impact if declined: Crashes w/Firebug and 1 password. There's no reason it couldn't crash elsewhere.
Testing completed (on m-c, etc.): On m-i now
Risk to taking this patch (and alternatives if risky): Not risky
String or UUID changes made by this patch: None

        Attachment #680769 -
        Flags: approval-mozilla-beta?

        Attachment #680769 -
        Flags: approval-mozilla-aurora?

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/b1cb8ff6e836
https://hg.mozilla.org/mozilla-central/rev/19c1fef93710
https://hg.mozilla.org/mozilla-central/rev/75821787b343
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla20

    
    

    
  
Comment on attachment 680769 [details] [diff] [review]
load source if needed in JS_DecompileScript

[Triage Comment]
Approving for Aurora and Beta to fix a top Mac crasher. We'll leave this on the tracking-17 list for possible 17.0.1 inclusion (if one is necessary).

        Attachment #680769 -
        Flags: approval-mozilla-beta?

        Attachment #680769 -
        Flags: approval-mozilla-beta+

        Attachment #680769 -
        Flags: approval-mozilla-aurora?

        Attachment #680769 -
        Flags: approval-mozilla-aurora+

    
  

        Attachment #681577 -
        Flags: approval-mozilla-beta?

        Attachment #681577 -
        Flags: approval-mozilla-beta+

        Attachment #681577 -
        Flags: approval-mozilla-aurora?

        Attachment #681577 -
        Flags: approval-mozilla-aurora+

    
  

        Attachment #683299 -
        Flags: approval-mozilla-beta?

        Attachment #683299 -
        Flags: approval-mozilla-beta+

        Attachment #683299 -
        Flags: approval-mozilla-aurora?

        Attachment #683299 -
        Flags: approval-mozilla-aurora+

    
  

          status-firefox18:
          --- → fixed

          status-firefox19:
          --- → fixed

    
  
Crash Signature: unsigned long)]
[@ js_NewStringCopyN]
[@ libsystem_c.dylib@0x1a50]
[@ libsystem_c.dylib@0x12ec]
[@ libsystem_c.dylib@0x12ac]
[@ libsystem_c.dylib@0x27d40] → unsigned long)]
[@ js_NewStringCopyN]
[@ libsystem_c.dylib@0x1a50]
[@ libsystem_c.dylib@0x12ec]
[@ libsystem_c.dylib@0x12ac]
[@ libsystem_c.dylib@0x27d40]
[@ libsystem_c.dylib@0x27fa0]

    
    

    
  
We're going to spin a 17.0.1 so please prepare patches and/or nominate for mozilla-release and mozilla-esr17

    
    

    
  
Comment on attachment 680769 [details] [diff] [review]
load source if needed in JS_DecompileScript

[Approval Request Comment]
Same nomination comment as above with the extra information that this has been on m-i, m-b, m-a for nearly a week.

        Attachment #680769 -
        Flags: approval-mozilla-release?

        Attachment #680769 -
        Flags: approval-mozilla-esr17?

    
  

        Attachment #681577 -
        Flags: approval-mozilla-release?

        Attachment #681577 -
        Flags: approval-mozilla-esr17?

    
  

        Attachment #683299 -
        Flags: approval-mozilla-release?

        Attachment #683299 -
        Flags: approval-mozilla-esr17?

        Attachment #680769 -
        Flags: approval-mozilla-release?

        Attachment #680769 -
        Flags: approval-mozilla-release+

        Attachment #680769 -
        Flags: approval-mozilla-esr17?

        Attachment #680769 -
        Flags: approval-mozilla-esr17+

        Attachment #681577 -
        Flags: approval-mozilla-release?

        Attachment #681577 -
        Flags: approval-mozilla-release+

        Attachment #681577 -
        Flags: approval-mozilla-esr17?

        Attachment #681577 -
        Flags: approval-mozilla-esr17+

        Attachment #683299 -
        Flags: approval-mozilla-release?

        Attachment #683299 -
        Flags: approval-mozilla-release+

        Attachment #683299 -
        Flags: approval-mozilla-esr17?

        Attachment #683299 -
        Flags: approval-mozilla-esr17+

    
    

    
  
(In reply to :Benjamin Peterson from comment #68)
> 
> https://hg.mozilla.org/releases/mozilla-esr17/rev/69b6c96df199
> https://hg.mozilla.org/releases/mozilla-esr17/rev/54b7402713eb
> https://hg.mozilla.org/releases/mozilla-esr17/rev/e82181a10570

Sorry for not calling this out earlier - can you please land to esr17 relbranch too?  We've got fixes on default that we won't want to ship in this respin. GECKO170_2012111914_RELBRANCH

    
  
Crash Signature: unsigned long)]
[@ js_NewStringCopyN]
[@ libsystem_c.dylib@0x1a50]
[@ libsystem_c.dylib@0x12ec]
[@ libsystem_c.dylib@0x12ac]
[@ libsystem_c.dylib@0x27d40]
[@ libsystem_c.dylib@0x27fa0] → unsigned long)]
[@ js_NewStringCopyN]
[@ memmove$VARIANT$sse42 | js_NewStringCopyN ]
[@ libsystem_c.dylib@0x1a50]
[@ libsystem_c.dylib@0x12ec]
[@ libsystem_c.dylib@0x12ac]
[@ libsystem_c.dylib@0x27d40]
[@ libsystem_c.dylib@0x27fa0]

    
    

    
  
Reproduced the crash following steps from comment 7 and comment 8 for
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 Beta 2
Build ID: 20121017073013

http://crash-stats.mozilla.com/report/index/bp-6bbc69a9-401e-4f67-b55f-b67de2121203
http://crash-stats.mozilla.com/report/index/bp-bb609119-f675-4fba-8c85-5e2d02121203


Verified on Firefox 18.0 Beta 2
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0 Beta 2
Build ID: 20121128060531

and Latest Nightly
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20121202 Firefox/20.0
Build ID: 20121202030723

no crashes for Firefox 18.0 Beta 2 and Latest Nightly while doing some exploratory on http://www.google.com/nexus with 1.10.5 then 1.10.6 Firebug and 1Password 3.9.9 extensions installed.

    
    

    
  
I am sorry that I have to reopen this, however, I can reproduce this crash signature with latest nightly.

https://crash-stats.mozilla.com/report/index/bp-26072cc0-c668-486f-ad3a-02f802121230

STR:
1. Install the https://addons.mozilla.org/de/firefox/addon/javascript-deobfuscator/ add-on.

2. Enable capturing and open http://grooveshark.com with it. It should take a while to load, hang, and then crash with the signature above.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

    
    

    
  
Could you file a new bug, please? It's likely the same crash signature but a different underlying issue.
Status: REOPENED → RESOLVED
Closed: 12 years ago12 years ago
Resolution: --- → FIXED

    
    

    
  
Verified the fix on Firefox 19.0 Beta 2 with Firebug 1.11.1 and 1Password 3.9.9 installed, following steps from comment 7 and comment 8.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0
Build ID:  20130116072953

          status-firefox19:
          fixedverified

    
    

    
  
mass remove verifyme requests greater than 4 months old
Keywords: verifyme

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: