Last Comment Bug 795104 - crash in _VEC_memcpy | js_NewStringCopyN
: crash in _VEC_memcpy | js_NewStringCopyN
Status: RESOLVED FIXED
: crash, reproducible, topcrash
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: 17 Branch
: All All
: -- critical (vote)
: mozilla20
Assigned To: :Benjamin Peterson
: Marcia Knous [:marcia - use ni]
Mentors:
http://www.google.com/nexus/
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-09-27 14:10 PDT by Marcia Knous [:marcia - use ni]
Modified: 2014-01-10 10:39 PST (History)
17 users (show)
ryanvm: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
+
fixed
+
verified
verified
fixed
fixed


Attachments
Firebug test build (not using GetBindingURLs API) (1.95 MB, application/x-xpinstall)
2012-11-01 02:56 PDT, Jan Honza Odvarko [:Honza]
no flags Details
load source if needed in JS_DecompileScript (1.52 KB, patch)
2012-11-12 11:16 PST, :Benjamin Peterson
no flags Details | Diff | Review
load source if needed in JS_DecompileScript (1.52 KB, patch)
2012-11-12 13:15 PST, :Benjamin Peterson
jorendorff: review+
odvarko: feedback-
akeybl: approval‑mozilla‑aurora+
akeybl: approval‑mozilla‑beta+
lukasblakk+bugs: approval‑mozilla‑release+
lukasblakk+bugs: approval‑mozilla‑esr17+
Details | Diff | Review
Crash stack trace (Firefox build + load source if needed in JS_DecompileScript patch included) (26.39 KB, text/plain)
2012-11-13 23:29 PST, Jan Honza Odvarko [:Honza]
no flags Details
check if compression is running before aborting (3.74 KB, patch)
2012-11-14 11:22 PST, :Benjamin Peterson
jorendorff: review+
akeybl: approval‑mozilla‑aurora+
akeybl: approval‑mozilla‑beta+
lukasblakk+bugs: approval‑mozilla‑release+
lukasblakk+bugs: approval‑mozilla‑esr17+
Details | Diff | Review
Firebug + 1password crash stack 2 (5.44 KB, text/plain)
2012-11-15 00:31 PST, Jan Honza Odvarko [:Honza]
no flags Details
we can't handle weird charsets (877 bytes, patch)
2012-11-15 19:35 PST, :Benjamin Peterson
no flags Details | Diff | Review
don't lazily load special charsets (3.60 KB, patch)
2012-11-19 10:25 PST, :Benjamin Peterson
no flags Details | Diff | Review
don't lazily load special charsets (3.90 KB, patch)
2012-11-19 13:51 PST, :Benjamin Peterson
bzbarsky: review+
akeybl: approval‑mozilla‑aurora+
akeybl: approval‑mozilla‑beta+
lukasblakk+bugs: approval‑mozilla‑release+
lukasblakk+bugs: approval‑mozilla‑esr17+
Details | Diff | Review

Description Marcia Knous [:marcia - use ni] 2012-09-27 14:10:18 PDT
This bug was filed from the Socorro interface and is 
report bp-2e6683bc-2f1c-4743-9b7c-47e7d2120926 .
============================================================= 

Seen while viewing Aurora crash stats. This has been around in earlier releases, but volume seems to have increased in Aurora.  https://crash-stats.mozilla.com/report/list?signature=_VEC_memcpy%20|%20js_NewStringCopyN%28JSContext*,%20wchar_t%20const*,%20unsigned%20int%29

Most of the crashes seem to be on Win Vista:

Windows Vista 	73.913 %	68
Windows XP 	14.13 %	        13
Windows 7 	11.957 %	11 

Frame 	Module 	Signature 	Source
0 	msvcr100.dll 	_VEC_memcpy 	
1 	mozjs.dll 	js_NewStringCopyN 	js/src/jsstr.cpp:3344
2 	mozjs.dll 	js::ScriptSource::substring 	js/src/jsscript.cpp:1115
3 	mozjs.dll 	JSScript::sourceData 	js/src/jsscript.cpp:1043
4 	mozjs.dll 	JS_DecompileScript 	js/src/jsapi.cpp:5573
5 	xul.dll 	jsdScript::GetFunctionSource 	js/jsd/jsd_xpc.cpp:1335
6 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:70
7 	xul.dll 	XPCWrappedNative::GetAttribute 	js/xpconnect/src/xpcprivate.h:2822
8 	xul.dll 	XPC_WN_GetterSetter 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1526
9 	xul.dll 	nsXPConnect::GetXPConnect 	js/xpconnect/src/nsXPConnect.cpp:139
10 	xul.dll 	XPC_WN_NoHelper_Resolve 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:690
11 		@0x980ba9f
Comment 1 Scoobidiver (away) 2012-09-27 23:50:29 PDT
(In reply to Marcia Knous [:marcia] from comment #0)
> volume seems to have increased in Aurora.
In Aurora, it has been hit by a single user (same Install Time in a build, same graphics and processor configuration across builds).
Comment 2 Scoobidiver (away) 2012-10-27 09:19:35 PDT
It spiked across all affected versions on October 26.
It's #1 top browser crasher in 17.0b3 and 18.0a2 on Mac.

It's correlated to Firebug:
* 17.0:
  libsystem_c.dylib@0x1a50|EXC_BAD_ACCESS / KERN_INVALID_ADDRESS (30 crashes)
    100% (30/30) vs.  22% (79/352) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843)
          7% (2/30) vs.   4% (13/352) 1.10.4
         90% (27/30) vs.  18% (64/352) 1.10.5
          3% (1/30) vs.   0% (1/352) 1.11.0a5
     93% (28/30) vs.  18% (63/352) onepassword@agilebits.com
         17% (5/30) vs.   1% (5/352) 3.9.10.b1
         20% (6/30) vs.   2% (6/352) 3.9.8
         57% (17/30) vs.  13% (47/352) 3.9.9
  _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)|EXCEPTION_ACCESS_VIOLATION_READ (140 crashes)
    100% (140/140) vs.   1% (713/57300) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843)
         11% (16/140) vs.   0% (203/57300) 1.10.4
         86% (120/140) vs.   1% (473/57300) 1.10.5
          3% (4/140) vs.   0% (16/57300) 1.7.3
     31% (43/140) vs.   0% (145/57300) {6AC85730-7D0F-4de0-B3FA-21142DD85326} (ColorZilla, https://addons.mozilla.org/addon/271)
          0% (0/140) vs.   0% (1/57300) 2.7
         17% (24/140) vs.   0% (109/57300) 2.8
         14% (19/140) vs.   0% (35/57300) 2.8.1
     29% (41/140) vs.   0% (253/57300) OneClickDownloader@OneClickDownloader.com
          0% (0/140) vs.   0% (8/57300) 1.1
          0% (0/140) vs.   0% (1/57300) 1.2
          0% (0/140) vs.   0% (2/57300) 1.3
         29% (41/140) vs.   0% (242/57300) 1.5
     21% (30/140) vs.   0% (160/57300) {c45c406e-ab73-11d8-be73-000a95be3b12} (Web Developer, https://addons.mozilla.org/addon/60) (1.2.2)

*18.0a2:
  libsystem_c.dylib@0x1a50|EXC_BAD_ACCESS / KERN_INVALID_ADDRESS (15 crashes)
    100% (15/15) vs.  54% (35/65) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843)
        100% (15/15) vs.  51% (33/65) 1.10.5
     73% (11/15) vs.  35% (23/65) onepassword@agilebits.com
         73% (11/15) vs.  34% (22/65) 3.9.9
  _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)|EXCEPTION_ACCESS_VIOLATION_READ (140 crashes)
    100% (140/140) vs.   1% (713/57300) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843)
         11% (16/140) vs.   0% (203/57300) 1.10.4
         86% (120/140) vs.   1% (473/57300) 1.10.5
          3% (4/140) vs.   0% (16/57300) 1.7.3
     31% (43/140) vs.   0% (145/57300) {6AC85730-7D0F-4de0-B3FA-21142DD85326} (ColorZilla, https://addons.mozilla.org/addon/271)
         17% (24/140) vs.   0% (109/57300) 2.8
         14% (19/140) vs.   0% (35/57300) 2.8.1
     29% (41/140) vs.   0% (253/57300) OneClickDownloader@OneClickDownloader.com
         29% (41/140) vs.   0% (242/57300) 1.5
     21% (30/140) vs.   0% (160/57300) {c45c406e-ab73-11d8-be73-000a95be3b12} (Web Developer, https://addons.mozilla.org/addon/60) (1.2.2)

More reports also at:
https://crash-stats.mozilla.com/report/list?signature=libsystem_c.dylib%400x1a50
https://crash-stats.mozilla.com/report/list?signature=libsystem_c.dylib%400x12ec
Comment 3 Alex Keybl [:akeybl] 2012-10-29 15:33:57 PDT
Marcia - can you take a stab at this with the listed versions of Firebug/1Password?

Naveed/David - can we get somebody to take a look?

Also including Jan to see if he knows who can take a look at this from the Firebug side. I'm confused because this crash didn't really crop up until 4 days after Firebug 1.10.5 was released, and 2 days after FF16b3 was released.
Comment 4 Alex Keybl [:akeybl] 2012-10-29 15:34:47 PDT
While we're tracking this, I do want to say that I'm not super worried about this crash for release since it's highly correlated to Firebug. That doesn't mean we shouldn't investigate/fix as soon as possible for the sake of devs though.
Comment 5 bhavana bajaj [:bajaj] 2012-10-29 15:35:49 PDT
(In reply to Alex Keybl [:akeybl] from comment #3)
> Marcia - can you take a stab at this with the listed versions of
> Firebug/1Password?

I see one comment saying "trying to log in to browserid with MozTrap" for signature : libsystem_c.dylib@0x1a50 ..May be we could start with this as well ?
> 
> Naveed/David - can we get somebody to take a look?
> 
> Also including Jan to see if he knows who can take a look at this from the
> Firebug side. I'm confused because this crash didn't really crop up until 4
> days after Firebug 1.10.5 was released, and 2 days after FF16b3 was released.
Comment 6 Marcia Knous [:marcia - use ni] 2012-10-30 08:38:00 PDT
Recent correlations show a version of One Password that is available on the trial download on their site - I will have to purchase a copy in the App Store which I will do when I get in the office.

Mac OS X
  libsystem_c.dylib@0x1a50|EXC_BAD_ACCESS / KERN_INVALID_ADDRESS (61 crashes)
     97% (59/61) vs.  20% (100/494) onepassword@agilebits.com
         18% (11/61) vs.   3% (13/494) 3.9.10.b1
         79% (48/61) vs.  17% (86/494) 3.9.9
          0% (0/61) vs.   0% (1/494) 3.9.9.b2
    100% (61/61) vs.  30% (146/494) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843)
          0% (0/61) vs.   0% (1/494) 1.10.2b1
         46% (28/61) vs.   7% (37/494) 1.10.4
         51% (31/61) vs.  20% (100/494) 1.10.5
          3% (2/61) vs.   1% (4/494) 1.11.0a5
          0% (0/61) vs.   1% (4/494) 1.9.0
Comment 7 Marcia Knous [:marcia - use ni] 2012-10-30 11:04:03 PDT
Was able to reproduce this using the following steps:

1. Downloaded and installed One Password. Installed version 3.99 of the addon into the latest Firefox beta Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/17.0 Firefox/17.0.
2. Install Firebug 1.10.5, Enable "one for all web pages" and "enable all panels"
3. Visit http://www.google.com/nexus/
4. Switch back and forth between Nexus 4, Nexus 7 and Nexus 10.
5. Crash

https://crash-stats.mozilla.com/report/index/bp-57353021-f01b-461c-8326-72b3f2121030

I am not sure whether One Password factors in or not, will have to disable some of the extensions to see.
Comment 8 Marcia Knous [:marcia - use ni] 2012-10-30 11:18:53 PDT
Another way I have been able to repro is to do as follows:

1. Disable One Password
2. Visit the nexus site with the same panels enabled as in Comment 7 Step 2
3. Reable One Password
4. Navigate back to the nexus page.
5. Crash every time.

So in this case you One Password version 3.99 seems to be problematic in combination with Firebug.

Also, this bug will bite many web devs as I can see from the crash URLs that many web devs are crashing when they are testing their sites.
Comment 9 Alex Keybl [:akeybl] 2012-10-30 15:09:54 PDT
Glad we're able to repro Marcia. We still need to nail down if this regression is caused by new code in FF17, a 1Password version, or a specific Firebug version. Would also be great to take a look at bug 806192 at the same time.
Comment 10 Jan Honza Odvarko [:Honza] 2012-10-31 00:41:30 PDT
Reported in Firebug issue list:
http://code.google.com/p/fbug/issues/detail?id=6034

Honza
Comment 11 Jan Honza Odvarko [:Honza] 2012-10-31 00:42:24 PDT
(In reply to Jan Honza Odvarko from comment #10)
> Reported in Firebug issue list:
> http://code.google.com/p/fbug/issues/detail?id=6034
Sorry, this comment belongs to different bug

Honza
Comment 12 Marcia Knous [:marcia - use ni] 2012-10-31 08:27:33 PDT
I was able to crash following the same steps in both Aurora and Firefox 16, so this crash is not unique to FF 17.

The correlations show this happens with two specific versions of Firebug - I reproduced with 1.10.5 which is the latest version on AMO:

46% (28/61) vs.   7% (37/494) 1.10.4
51% (31/61) vs.  20% (100/494) 1.10.5

As far as One Password, I will have to hunt down some older versions of the addon to see where that stands.

Since in Comment 8 I wasn't able to reproduce the crash with Firebug only, it would seem right now the suspect addon is One Password.
Comment 13 Marcia Knous [:marcia - use ni] 2012-10-31 08:39:58 PDT
https://agilebits.com/onepassword/mac/release_notes has the version versions of One Password - the latest update happened in July.
Comment 14 Lukas Blakk [:lsblakk] use ?needinfo 2012-10-31 11:55:09 PDT
Since this is seeming to be related to bug 806192 - hoping Jan can take a look here too.
Comment 15 Marcia Knous [:marcia - use ni] 2012-10-31 16:17:46 PDT
Not able to reproduce with 1.10.3 of Firebug. When I perform an update to 1.10.6 via Addons, I can generate the crash by visting http://www.google.com/nexus/
and switching back and forth between Nexus 4, Nexus 7 and Nexus 10.
Comment 16 Jan Honza Odvarko [:Honza] 2012-11-01 02:56:39 PDT
Created attachment 677320 [details]
Firebug test build (not using GetBindingURLs API)

I can't reproduce the problem with Firebug 1.10.6, Firefox 16, 17, Win Vista.
(I am visiting http://www.google.com/nexus/ and switching back and forth between Nexus 4, Nexus 7 and Nexus 10)

Since this looks related to:
Bug 806192 - crash in inDOMUtils::GetBindingURLs with Firebug

I have search Firebug code base for 'GetBindingURLs' and found one place.
I removed the call and attached a test build 

Can you try to reproduce it again with it?

---

Also, it's not clear how to install onepassword extension

I downloaded Version 3.8.20 from here:
https://agilebits.com/onepassword/mac/release_notes

Unzipped and found couple of extension directories:
Contents\Extensions\firefox4@1password.com
Contents\Extensions\firefox5@1password.com

However, none of them is using onepassword@agilebits.com as the ID
and it isn't even compatible with Firefox 16

How should I install it?

Honza
Comment 17 Marcia Knous [:marcia - use ni] 2012-11-01 10:53:31 PDT
Honza: I will try your test build momentarily.

I actually ended up purchasing One Password from the Mac App store - from there it installed the app on my machine.
Comment 18 Marcia Knous [:marcia - use ni] 2012-11-01 11:20:05 PDT
Honza: Using Mac 16.0.2, I still crash with the Firebug test build attached to the page. The stack I get is the same one that appears in Bug 806192. I ended up having to reload the page to generate the crash this time.

I also crash with Aurora and the latest Beta as well.

According to https://agilebits.com/extensions/mac/index.html, One Password is compatible with 16+.
Comment 19 Alex Keybl [:akeybl] 2012-11-01 12:42:51 PDT
(In reply to Jan Honza Odvarko from comment #16)
> How should I install it?
> 
> Honza

Please install from the Mac App Store as Marcia suggests and expense the purchase. Thanks!
Comment 20 Jan Honza Odvarko [:Honza] 2012-11-02 04:41:19 PDT
(In reply to Alex Keybl [:akeybl] from comment #19)
> Please install from the Mac App Store as Marcia suggests and expense the
> purchase. Thanks!
Unfortunately, I don't have a Mac.

But, I don't know if I need One Password at all, I should be able to reproduce the crash with Firebug alone in the first place, no?

I tried Win XP, Vista, 7 and I don't see any crashes.

(In reply to Marcia Knous [:marcia] from comment #18)
> Honza: Using Mac 16.0.2, I still crash with the Firebug test build attached
> to the page. The stack I get is the same one that appears in Bug 806192.
The attached build doesn't call GetBindingURLs at all, so there must be something else executing that function.

I searched mxr and I don't see any other Firefox API that would use that function
https://mxr.mozilla.org/mozilla-aurora/search?string=GetBindingURLs

So, how come the function is actually executed?

Honza
Comment 21 Marcia Knous [:marcia - use ni] 2012-11-02 09:24:24 PDT
Honza: I wasn't able to reproduce just with Firebug in this case on the Mac - see my earlier comment 8. It seems to have something to do with the interaction of One Password and Firebug.

(In reply to Jan Honza Odvarko from comment #20)
> (In reply to Alex Keybl [:akeybl] from comment #19)
> > Please install from the Mac App Store as Marcia suggests and expense the
> > purchase. Thanks!
> Unfortunately, I don't have a Mac.
> 
> But, I don't know if I need One Password at all, I should be able to
> reproduce the crash with Firebug alone in the first place, no?
>
Comment 22 Naveed Ihsanullah [:naveed] 2012-11-07 10:05:53 PST
Do we have access to a copy of One Password? If it is reliably able to cause this crash that would be very helpful. The original bug appears to be Windows. Is that the OS you are able to reproduce the crash on?
Comment 23 Marcia Knous [:marcia - use ni] 2012-11-07 10:59:18 PST
Naveed: Honza was able to reproduce the bug on my Mac last evening. He is investigating the bug further - it is very easy to reproduce on the Mac and continues to be one of the top mac crashes in Beta. He thinks it is related to JSD and 1Password.

I purchased 1Password, but you can download a trial from their site.
Comment 24 Jan Honza Odvarko [:Honza] 2012-11-08 03:51:19 PST
I have been finally able to repro the crash (using 1password xpi copy).

My configuration:
Windows Vista, Firefox Nightly (Built from http://hg.mozilla.org/mozilla-central/rev/8671bfc8e9a8), Firebug 1.10.5

I am able to reliably reproduce the crash with Firebug 1.10.5 (not with 1.10.4, which also appears in the stats)

The crash appears since this commit:
https://github.com/firebug/firebug/commit/7227fc862207d0c5645d876a83c80a6054c06e20

Does it help?

Honza
Comment 25 Jan Honza Odvarko [:Honza] 2012-11-08 03:54:48 PST
The crash doesn't happen if JSD is disabled (ie. if the Console and Script panels are disabled).

Honza
Comment 26 Jan Honza Odvarko [:Honza] 2012-11-08 04:51:01 PST
My feeling is that the crash happens when accessing the win.parent (?) when scripts coming from 1password are compiled. Firebug hooks the script compilation (by setting a breakpoint on line 1 using JSD API)

Here is a stack trace just before the crash:

chrome://firebug/content/chrome/tabWatcher.js (692)
chrome://firebug/content/js/debugger.js (1073)
resource://firebug/firebug-service.js (3207)
resource://firebug/firebug-service.js (3132)
resource://firebug/firebug-service.js (2473)
resource://firebug/firebug-service.js (2516)
resource://firebug/firebug-service.js (2324)
resource://firebug/firebug-service.js (2074)
resource://firebug/firebug-service.js (4308)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/sandbox.js -> resource://onepassword-at-agilebits-dot-com/onepassword/data/src/end.min.js (1)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/sandbox.js (43)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/content/worker.js (292)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/content/worker.js (233)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/traits.js (110)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/content/worker.js (437)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/traits.js (110)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/addon-kit/lib/page-mod.js (207)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/addon-kit/lib/page-mod.js (198)
null (0)

---

I think that it would be great if somebody from JSD team could repro & debug the problem in Firefox debug build, to see what's going on in C++

Honza
Comment 27 Jorge Villalobos [:jorgev] 2012-11-08 14:49:43 PST
Adding Dave Teare from 1Password.
Comment 28 Lukas Blakk [:lsblakk] use ?needinfo 2012-11-09 10:22:44 PST
At this point we're too close to FF17 ship, wontfixing.
Comment 29 Jan Honza Odvarko [:Honza] 2012-11-12 03:21:09 PST
Just to note that the crash is somehow related to this code:

win.parent instanceof win.parent.Window

'instanceof' is applied on a type (Window) that might come from different compartment.

Does it make sense?

Honza
Comment 30 Jan Honza Odvarko [:Honza] 2012-11-12 03:21:40 PST
Boris, any tips what could be wrong here?

Honza
Comment 31 Boris Zbarsky [:bz] 2012-11-12 09:08:55 PST
Well, so...  The crash is a null deref, right?  Benjamin, is it possible the chars are null?

Has anyone reproduced this in a debug build, perhaps?  That would be a good start: it might assert about something interesting.
Comment 32 :Benjamin Peterson 2012-11-12 11:16:26 PST
Created attachment 680712 [details] [diff] [review]
load source if needed in JS_DecompileScript

Ah, the JSD gremlin haunts us still.

Jan, can you try this patch? If you need binaries, there will be ones on this try result soon: https://tbpl.mozilla.org/?tree=Try&rev=5255fa968c3a
Comment 33 :Benjamin Peterson 2012-11-12 13:15:02 PST
Created attachment 680769 [details] [diff] [review]
load source if needed in JS_DecompileScript

Non-broken patch.
Comment 34 :Benjamin Peterson 2012-11-12 13:15:36 PST
Binaries here: https://tbpl.mozilla.org/?tree=Try&rev=941306cf172a
Comment 35 Jan Honza Odvarko [:Honza] 2012-11-13 01:33:55 PST
Comment on attachment 680769 [details] [diff] [review]
load source if needed in JS_DecompileScript

Try build downloaded from here:
http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/benjamin@python.org-941306cf172a/try-win32/

Tested with Firebug 1.10.6 + 1password 3.9.9

I can still repro the crash. Report here:
https://crash-stats.mozilla.com/report/index/958b57a5-e5c1-4ed4-8d55-fddda2121113

Honza
Comment 36 :Benjamin Peterson 2012-11-13 06:22:47 PST
Can you try with a debug build please? The stack is managled.
Comment 37 :Benjamin Peterson 2012-11-13 08:49:43 PST
I'm running Linux, so I'm unable to test due to onepassword's platform requirements. If anyone could reproduce in a debug build that would be great.
Comment 38 Jan Honza Odvarko [:Honza] 2012-11-13 09:09:54 PST
@Marcia: could you try to repro the crash on your machine + using Firefox debug build? I can't since the try-debug build requires MSVC 10 (DLLs) and I don't have them.

Honza
Comment 39 Jan Honza Odvarko [:Honza] 2012-11-13 23:29:57 PST
Created attachment 681378 [details]
Crash stack trace (Firefox build + load source if needed in JS_DecompileScript patch included)

I have built Firefox from:
http://hg.mozilla.org/integration/fx-team
Including the patch: load source if needed in JS_DecompileScript

---

When I install 1password extension (no Firebug) I am not event able to launch Firefox. It immediately crashes:

See the attached stack trace.

Unhandled exception at 0x775c15de in firefox.exe: 0xC0000005: Access violation writing location 0x00000000.

Note that there is mozJSSubScriptLoader::LoadSubScript on the stack trying to load "resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/sandbox.js -> resource://onepassword-at-agilebits-dot-com/onepassword/data/src/popup.min.js"

Honza
Comment 40 :Benjamin Peterson 2012-11-14 11:22:07 PST
Created attachment 681577 [details] [diff] [review]
check if compression is running before aborting

That, apparently, is a different bug.
Comment 41 Jan Honza Odvarko [:Honza] 2012-11-15 00:31:48 PST
Created attachment 681890 [details]
Firebug + 1password crash stack 2

(In reply to Benjamin Peterson [:benjamin] from comment #40)
> Created attachment 681577 [details] [diff] [review]
> check if compression is running before aborting
> 
> That, apparently, is a different bug.
Cool, the attached patch, helps to solve the start-up crash.

So, now I am attaching the stack I get if testing Firebug + 1password crash.

Note that I applied both patches:
- load source if needed in JS_DecompileScript 
- check if compression is running before aborting 

Honza
Comment 42 :Benjamin Peterson 2012-11-15 05:44:56 PST
Does it print any message about an assertion failing?
Comment 43 Jan Honza Odvarko [:Honza] 2012-11-15 05:54:52 PST
I am seeing this in the OS console:

Assertion failure: src->length() > 0 && chars[0] == '(', at c:/src/mozilla.org/fx-team/js/src/jsfun.cpp:674


Honza
Comment 44 Jan Honza Odvarko [:Honza] 2012-11-15 06:37:17 PST
Also note that when loading the http://www.google.com/nexus/10/ I am seeing the following assertion (but I can successfully ignore it):

ASSERTION: Shouldn't be trying to restyle non-elements directly: '!aContent || aContent->IsElement()', file
c:/src/mozilla.org/fx-team/layout/base/nsStyleChangeList.cpp, line 65

I am not sure if it's related, but mentioning it here anyway.

Honza
Comment 45 :Benjamin Peterson 2012-11-15 19:35:27 PST
Created attachment 682311 [details] [diff] [review]
we can't handle weird charsets

I think I finally got it!
Comment 46 Erwann Mest 2012-11-16 02:15:24 PST
If you need feedbacks, I can. Coz my firebug (the two latest versions) makes my firefox crash.
Comment 47 Jan Honza Odvarko [:Honza] 2012-11-16 03:16:03 PST
Tested with all three patches included:
- load source if needed in JS_DecompileScript 
- check if compression is running before aborting 
- we can't handle weird charsets

I see the following exception:

WARNING: Subdocument container has no frame: file c:/src/mozilla.org/fx-team/lay
out/base/nsDocumentViewer.cpp, line 2394
++DOMWINDOW == 55 (20758890) [serial = 73] [outer = 20758EB8]
###!!! ASSERTION: elements must implement nsIContent: 'content', file c:/src/moz
illa.org/fx-team/layout/inspector/src/inDOMUtils.cpp, line 246
###!!! ABORT: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr
 != 0', file c:\src\mozilla.org\fx-team\obj-i686-pc-mingw32\dist\include\nsCOMPt
r.h, line 781


The stack trace:

 	KernelBase.dll!75063219() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for KernelBase.dll]	
 	ntdll.dll!772715de() 	
 	ntdll.dll!7726014e() 	
>	mozglue.dll!mozilla::HashBytes(const void * bytes=0x0004ce9a, unsigned int length=1486476122)  Line 28 + 0xb bytes	C++
 	d0eb17a0()	
 	mozjs.dll!PRMJ_Now()  Line 398 + 0x12 bytes	C++


Honza
Comment 48 Boris Zbarsky [:bz] 2012-11-16 08:28:49 PST
That assertion is certainly bogus in the sense that if the caller passes in some random JS object for that element, it will fail.  We should fix that, but the interesting thing for you is probably what the JS stack is to that point, not the C++ stack.
Comment 49 :Benjamin Peterson 2012-11-16 12:19:05 PST
I managed to reproduce the crash and get the stack:

#0  nsCOMPtr<nsINodeInfo>::get () at /Users/benjamin/mozilla/inbound/obj-x86_64-apple-darwin11.4.2/dist/include/nsCOMPtr.h:759
#1  nsCOMPtr<nsINodeInfo>::operator-> () at /Users/benjamin/mozilla/inbound/obj-x86_64-apple-darwin11.4.2/dist/include/nsCOMPtr.h:784
#2  0x0000000101a428d2 in inDOMUtils::GetBindingURLs (this=<value temporarily unavailable, due to optimizations>, aElement=0x144b16e20, _retval=0x7fff5fbf3418) at /Users/benjamin/mozilla/inbound/layout/inspector/src/inDOMUtils.cpp:248
#3  0x0000000101b933e6 in nsCOMPtr<nsIContent>::operator-> () at /Users/benjamin/mozilla/inbound/obj-x86_64-apple-darwin11.4.2/dist/include/nsCOMPtr.h:467

That's bug 806192, though, right?
Comment 51 :Benjamin Peterson 2012-11-19 08:36:41 PST
Those should be fixed by the patches in this bug. I hope someone can confirm.
Comment 52 :Benjamin Peterson 2012-11-19 10:25:27 PST
Created attachment 683206 [details] [diff] [review]
don't lazily load special charsets
Comment 53 :Benjamin Peterson 2012-11-19 13:51:32 PST
Created attachment 683299 [details] [diff] [review]
don't lazily load special charsets

I forgot to add test file.
Comment 54 Boris Zbarsky [:bz] 2012-11-19 21:06:41 PST
Comment on attachment 683299 [details] [diff] [review]
don't lazily load special charsets

r=me
Comment 55 Jason Orendorff [:jorendorff] 2012-11-20 07:26:30 PST
Comment on attachment 680769 [details] [diff] [review]
load source if needed in JS_DecompileScript

Review of attachment 680769 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsapi.cpp
@@ +5474,5 @@
>          return JS_DecompileFunction(cx, fun, indent);
> +    bool haveSource = script->scriptSource()->hasSourceData();
> +    if (!haveSource && !JSScript::loadSource(cx, script, &haveSource))
> +        return NULL;
> +    return haveSource ? script->sourceData(cx) : js_NewStringCopyZ(cx, "[no source]");

You need to refresh the local variable haveSource after calling JSScript::loadSource, right?
Comment 56 :Benjamin Peterson 2012-11-20 07:30:17 PST
(In reply to Jason Orendorff [:jorendorff] from comment #55)
> 
> ::: js/src/jsapi.cpp
> @@ +5474,5 @@
> >          return JS_DecompileFunction(cx, fun, indent);
> > +    bool haveSource = script->scriptSource()->hasSourceData();
> > +    if (!haveSource && !JSScript::loadSource(cx, script, &haveSource))
> > +        return NULL;
> > +    return haveSource ? script->sourceData(cx) : js_NewStringCopyZ(cx, "[no source]");
> 
> You need to refresh the local variable haveSource after calling
> JSScript::loadSource, right?

What do you mean by refresh? |loadSource()| can change haveSource.
Comment 57 Jason Orendorff [:jorendorff] 2012-11-20 08:33:09 PST
(In reply to :Benjamin Peterson from comment #56)
> What do you mean by refresh? |loadSource()| can change haveSource.

haveSource is a local variable. loadSource() doesn't change its value. But when loadSource() successfully loads some code, you want haveSource to become true... Right?
Comment 58 Jason Orendorff [:jorendorff] 2012-11-20 09:16:10 PST
(In reply to Jason Orendorff [:jorendorff] from comment #57)
> haveSource is a local variable. loadSource() doesn't change its value.

Oh, yes it does. Right there. Never mind, I'm dumb.
Comment 60 :Benjamin Peterson 2012-11-20 11:52:09 PST
Comment on attachment 683299 [details] [diff] [review]
don't lazily load special charsets

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 761723
User impact if declined: Crashes w/Firebug and 1 password. There's no reason it couldn't crash elsewhere.
Testing completed (on m-c, etc.): On m-i now
Risk to taking this patch (and alternatives if risky): This raises memory usage a bit when using loadSubScript with a charset. However, an addon search shows this is very rare. (I don't think it happens at all in the browser.)
String or UUID changes made by this patch: None
Comment 61 :Benjamin Peterson 2012-11-20 11:53:05 PST
Comment on attachment 681577 [details] [diff] [review]
check if compression is running before aborting

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 761723
User impact if declined: Crashes w/Firebug.
Testing completed (on m-c, etc.): On m-i now
Risk to taking this patch (and alternatives if risky): Not risky
String or UUID changes made by this patch: None
Comment 62 :Benjamin Peterson 2012-11-20 11:53:49 PST
Comment on attachment 680769 [details] [diff] [review]
load source if needed in JS_DecompileScript

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 761723
User impact if declined: Crashes w/Firebug and 1 password. There's no reason it couldn't crash elsewhere.
Testing completed (on m-c, etc.): On m-i now
Risk to taking this patch (and alternatives if risky): Not risky
String or UUID changes made by this patch: None
Comment 64 Alex Keybl [:akeybl] 2012-11-21 13:03:30 PST
Comment on attachment 680769 [details] [diff] [review]
load source if needed in JS_DecompileScript

[Triage Comment]
Approving for Aurora and Beta to fix a top Mac crasher. We'll leave this on the tracking-17 list for possible 17.0.1 inclusion (if one is necessary).
Comment 66 Lukas Blakk [:lsblakk] use ?needinfo 2012-11-27 11:50:08 PST
We're going to spin a 17.0.1 so please prepare patches and/or nominate for mozilla-release and mozilla-esr17
Comment 67 :Benjamin Peterson 2012-11-27 12:06:07 PST
Comment on attachment 680769 [details] [diff] [review]
load source if needed in JS_DecompileScript

[Approval Request Comment]
Same nomination comment as above with the extra information that this has been on m-i, m-b, m-a for nearly a week.
Comment 69 Lukas Blakk [:lsblakk] use ?needinfo 2012-11-27 16:52:39 PST
(In reply to :Benjamin Peterson from comment #68)
> 
> https://hg.mozilla.org/releases/mozilla-esr17/rev/69b6c96df199
> https://hg.mozilla.org/releases/mozilla-esr17/rev/54b7402713eb
> https://hg.mozilla.org/releases/mozilla-esr17/rev/e82181a10570

Sorry for not calling this out earlier - can you please land to esr17 relbranch too?  We've got fixes on default that we won't want to ship in this respin. GECKO170_2012111914_RELBRANCH
Comment 71 Virgil Dicu [:virgil] [QA] 2012-12-03 05:26:09 PST
Reproduced the crash following steps from comment 7 and comment 8 for
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 Beta 2
Build ID: 20121017073013

http://crash-stats.mozilla.com/report/index/bp-6bbc69a9-401e-4f67-b55f-b67de2121203
http://crash-stats.mozilla.com/report/index/bp-bb609119-f675-4fba-8c85-5e2d02121203


Verified on Firefox 18.0 Beta 2
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0 Beta 2
Build ID: 20121128060531

and Latest Nightly
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20121202 Firefox/20.0
Build ID: 20121202030723

no crashes for Firefox 18.0 Beta 2 and Latest Nightly while doing some exploratory on http://www.google.com/nexus with 1.10.5 then 1.10.6 Firebug and 1Password 3.9.9 extensions installed.
Comment 72 [retired] 2012-12-30 14:42:55 PST
I am sorry that I have to reopen this, however, I can reproduce this crash signature with latest nightly.

https://crash-stats.mozilla.com/report/index/bp-26072cc0-c668-486f-ad3a-02f802121230

STR:
1. Install the https://addons.mozilla.org/de/firefox/addon/javascript-deobfuscator/ add-on.

2. Enable capturing and open http://grooveshark.com with it. It should take a while to load, hang, and then crash with the signature above.
Comment 73 :Benjamin Peterson 2012-12-30 14:47:06 PST
Could you file a new bug, please? It's likely the same crash signature but a different underlying issue.
Comment 74 Virgil Dicu [:virgil] [QA] 2013-01-23 01:21:53 PST
Verified the fix on Firefox 19.0 Beta 2 with Firebug 1.11.1 and 1Password 3.9.9 installed, following steps from comment 7 and comment 8.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0
Build ID:  20130116072953
Comment 75 Tracy Walker [:tracy] 2014-01-10 10:39:36 PST
mass remove verifyme requests greater than 4 months old

Note You need to log in before you can comment on or make changes to this bug.