Note: There are a few cases of duplicates in user autocompletion which are being worked on.

crash in _VEC_memcpy | js_NewStringCopyN

RESOLVED FIXED in Firefox 17

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: marcia, Assigned: Benjamin)

Tracking

({crash, reproducible, topcrash})

17 Branch
mozilla20
crash, reproducible, topcrash
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox17+ fixed, firefox18+ verified, firefox19 verified, firefox20 fixed, firefox-esr17 fixed)

Details

(crash signature, URL)

Attachments

(6 attachments, 3 obsolete attachments)

1.95 MB, application/x-xpinstall
Details
1.52 KB, patch
jorendorff
: review+
Honza
: feedback-
Details | Diff | Splinter Review
26.39 KB, text/plain
Details
3.74 KB, patch
jorendorff
: review+
Details | Diff | Splinter Review
5.44 KB, text/plain
Details
3.90 KB, patch
Details | Diff | Splinter Review
(Reporter)

Description

5 years ago
This bug was filed from the Socorro interface and is 
report bp-2e6683bc-2f1c-4743-9b7c-47e7d2120926 .
============================================================= 

Seen while viewing Aurora crash stats. This has been around in earlier releases, but volume seems to have increased in Aurora.  https://crash-stats.mozilla.com/report/list?signature=_VEC_memcpy%20|%20js_NewStringCopyN%28JSContext*,%20wchar_t%20const*,%20unsigned%20int%29

Most of the crashes seem to be on Win Vista:

Windows Vista 	73.913 %	68
Windows XP 	14.13 %	        13
Windows 7 	11.957 %	11 

Frame 	Module 	Signature 	Source
0 	msvcr100.dll 	_VEC_memcpy 	
1 	mozjs.dll 	js_NewStringCopyN 	js/src/jsstr.cpp:3344
2 	mozjs.dll 	js::ScriptSource::substring 	js/src/jsscript.cpp:1115
3 	mozjs.dll 	JSScript::sourceData 	js/src/jsscript.cpp:1043
4 	mozjs.dll 	JS_DecompileScript 	js/src/jsapi.cpp:5573
5 	xul.dll 	jsdScript::GetFunctionSource 	js/jsd/jsd_xpc.cpp:1335
6 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:70
7 	xul.dll 	XPCWrappedNative::GetAttribute 	js/xpconnect/src/xpcprivate.h:2822
8 	xul.dll 	XPC_WN_GetterSetter 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1526
9 	xul.dll 	nsXPConnect::GetXPConnect 	js/xpconnect/src/nsXPConnect.cpp:139
10 	xul.dll 	XPC_WN_NoHelper_Resolve 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:690
11 		@0x980ba9f

Comment 1

5 years ago
(In reply to Marcia Knous [:marcia] from comment #0)
> volume seems to have increased in Aurora.
In Aurora, it has been hit by a single user (same Install Time in a build, same graphics and processor configuration across builds).
OS: Windows NT → Windows Vista

Comment 2

5 years ago
It spiked across all affected versions on October 26.
It's #1 top browser crasher in 17.0b3 and 18.0a2 on Mac.

It's correlated to Firebug:
* 17.0:
  libsystem_c.dylib@0x1a50|EXC_BAD_ACCESS / KERN_INVALID_ADDRESS (30 crashes)
    100% (30/30) vs.  22% (79/352) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843)
          7% (2/30) vs.   4% (13/352) 1.10.4
         90% (27/30) vs.  18% (64/352) 1.10.5
          3% (1/30) vs.   0% (1/352) 1.11.0a5
     93% (28/30) vs.  18% (63/352) onepassword@agilebits.com
         17% (5/30) vs.   1% (5/352) 3.9.10.b1
         20% (6/30) vs.   2% (6/352) 3.9.8
         57% (17/30) vs.  13% (47/352) 3.9.9
  _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)|EXCEPTION_ACCESS_VIOLATION_READ (140 crashes)
    100% (140/140) vs.   1% (713/57300) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843)
         11% (16/140) vs.   0% (203/57300) 1.10.4
         86% (120/140) vs.   1% (473/57300) 1.10.5
          3% (4/140) vs.   0% (16/57300) 1.7.3
     31% (43/140) vs.   0% (145/57300) {6AC85730-7D0F-4de0-B3FA-21142DD85326} (ColorZilla, https://addons.mozilla.org/addon/271)
          0% (0/140) vs.   0% (1/57300) 2.7
         17% (24/140) vs.   0% (109/57300) 2.8
         14% (19/140) vs.   0% (35/57300) 2.8.1
     29% (41/140) vs.   0% (253/57300) OneClickDownloader@OneClickDownloader.com
          0% (0/140) vs.   0% (8/57300) 1.1
          0% (0/140) vs.   0% (1/57300) 1.2
          0% (0/140) vs.   0% (2/57300) 1.3
         29% (41/140) vs.   0% (242/57300) 1.5
     21% (30/140) vs.   0% (160/57300) {c45c406e-ab73-11d8-be73-000a95be3b12} (Web Developer, https://addons.mozilla.org/addon/60) (1.2.2)

*18.0a2:
  libsystem_c.dylib@0x1a50|EXC_BAD_ACCESS / KERN_INVALID_ADDRESS (15 crashes)
    100% (15/15) vs.  54% (35/65) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843)
        100% (15/15) vs.  51% (33/65) 1.10.5
     73% (11/15) vs.  35% (23/65) onepassword@agilebits.com
         73% (11/15) vs.  34% (22/65) 3.9.9
  _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)|EXCEPTION_ACCESS_VIOLATION_READ (140 crashes)
    100% (140/140) vs.   1% (713/57300) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843)
         11% (16/140) vs.   0% (203/57300) 1.10.4
         86% (120/140) vs.   1% (473/57300) 1.10.5
          3% (4/140) vs.   0% (16/57300) 1.7.3
     31% (43/140) vs.   0% (145/57300) {6AC85730-7D0F-4de0-B3FA-21142DD85326} (ColorZilla, https://addons.mozilla.org/addon/271)
         17% (24/140) vs.   0% (109/57300) 2.8
         14% (19/140) vs.   0% (35/57300) 2.8.1
     29% (41/140) vs.   0% (253/57300) OneClickDownloader@OneClickDownloader.com
         29% (41/140) vs.   0% (242/57300) 1.5
     21% (30/140) vs.   0% (160/57300) {c45c406e-ab73-11d8-be73-000a95be3b12} (Web Developer, https://addons.mozilla.org/addon/60) (1.2.2)

More reports also at:
https://crash-stats.mozilla.com/report/list?signature=libsystem_c.dylib%400x1a50
https://crash-stats.mozilla.com/report/list?signature=libsystem_c.dylib%400x12ec
Crash Signature: [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)] → [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)] [@ libsystem_c.dylib@0x1a50] [@ libsystem_c.dylib@0x12ec]
tracking-firefox17: --- → ?
tracking-firefox18: --- → ?
Keywords: topcrash
OS: Windows Vista → All
Hardware: x86 → All

Updated

5 years ago
Crash Signature: [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)] [@ libsystem_c.dylib@0x1a50] [@ libsystem_c.dylib@0x12ec] → [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)] [@ libsystem_c.dylib@0x1a50] [@ libsystem_c.dylib@0x12ec] [@ libsystem_c.dylib@0x12ac] [@ libsystem_c.dylib@0x27d40]

Updated

5 years ago
Crash Signature: [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)] [@ libsystem_c.dylib@0x1a50] [@ libsystem_c.dylib@0x12ec] [@ libsystem_c.dylib@0x12ac] [@ libsystem_c.dylib@0x27d40] → [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)] [@ js_NewStringCopyN] [@ libsystem_c.dylib@0x1a50] [@ libsystem_c.dylib@0x12ec] [@ libsystem_c.dylib@0x12ac] [@ libsystem_c.dylib@0x27d40]

Comment 3

5 years ago
Marcia - can you take a stab at this with the listed versions of Firebug/1Password?

Naveed/David - can we get somebody to take a look?

Also including Jan to see if he knows who can take a look at this from the Firebug side. I'm confused because this crash didn't really crop up until 4 days after Firebug 1.10.5 was released, and 2 days after FF16b3 was released.
Keywords: qawanted, steps-wanted
QA Contact: mozillamarcia.knous

Comment 4

5 years ago
While we're tracking this, I do want to say that I'm not super worried about this crash for release since it's highly correlated to Firebug. That doesn't mean we shouldn't investigate/fix as soon as possible for the sake of devs though.
tracking-firefox17: ? → +
tracking-firefox18: ? → +
(In reply to Alex Keybl [:akeybl] from comment #3)
> Marcia - can you take a stab at this with the listed versions of
> Firebug/1Password?

I see one comment saying "trying to log in to browserid with MozTrap" for signature : libsystem_c.dylib@0x1a50 ..May be we could start with this as well ?
> 
> Naveed/David - can we get somebody to take a look?
> 
> Also including Jan to see if he knows who can take a look at this from the
> Firebug side. I'm confused because this crash didn't really crop up until 4
> days after Firebug 1.10.5 was released, and 2 days after FF16b3 was released.
(Reporter)

Comment 6

5 years ago
Recent correlations show a version of One Password that is available on the trial download on their site - I will have to purchase a copy in the App Store which I will do when I get in the office.

Mac OS X
  libsystem_c.dylib@0x1a50|EXC_BAD_ACCESS / KERN_INVALID_ADDRESS (61 crashes)
     97% (59/61) vs.  20% (100/494) onepassword@agilebits.com
         18% (11/61) vs.   3% (13/494) 3.9.10.b1
         79% (48/61) vs.  17% (86/494) 3.9.9
          0% (0/61) vs.   0% (1/494) 3.9.9.b2
    100% (61/61) vs.  30% (146/494) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843)
          0% (0/61) vs.   0% (1/494) 1.10.2b1
         46% (28/61) vs.   7% (37/494) 1.10.4
         51% (31/61) vs.  20% (100/494) 1.10.5
          3% (2/61) vs.   1% (4/494) 1.11.0a5
          0% (0/61) vs.   1% (4/494) 1.9.0
(Reporter)

Comment 7

5 years ago
Was able to reproduce this using the following steps:

1. Downloaded and installed One Password. Installed version 3.99 of the addon into the latest Firefox beta Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/17.0 Firefox/17.0.
2. Install Firebug 1.10.5, Enable "one for all web pages" and "enable all panels"
3. Visit http://www.google.com/nexus/
4. Switch back and forth between Nexus 4, Nexus 7 and Nexus 10.
5. Crash

https://crash-stats.mozilla.com/report/index/bp-57353021-f01b-461c-8326-72b3f2121030

I am not sure whether One Password factors in or not, will have to disable some of the extensions to see.
Keywords: reproducible
(Reporter)

Comment 8

5 years ago
Another way I have been able to repro is to do as follows:

1. Disable One Password
2. Visit the nexus site with the same panels enabled as in Comment 7 Step 2
3. Reable One Password
4. Navigate back to the nexus page.
5. Crash every time.

So in this case you One Password version 3.99 seems to be problematic in combination with Firebug.

Also, this bug will bite many web devs as I can see from the crash URLs that many web devs are crashing when they are testing their sites.

Comment 9

5 years ago
Glad we're able to repro Marcia. We still need to nail down if this regression is caused by new code in FF17, a 1Password version, or a specific Firebug version. Would also be great to take a look at bug 806192 at the same time.
Keywords: steps-wanted → regressionwindow-wanted
Reported in Firebug issue list:
http://code.google.com/p/fbug/issues/detail?id=6034

Honza
(In reply to Jan Honza Odvarko from comment #10)
> Reported in Firebug issue list:
> http://code.google.com/p/fbug/issues/detail?id=6034
Sorry, this comment belongs to different bug

Honza
(Reporter)

Comment 12

5 years ago
I was able to crash following the same steps in both Aurora and Firefox 16, so this crash is not unique to FF 17.

The correlations show this happens with two specific versions of Firebug - I reproduced with 1.10.5 which is the latest version on AMO:

46% (28/61) vs.   7% (37/494) 1.10.4
51% (31/61) vs.  20% (100/494) 1.10.5

As far as One Password, I will have to hunt down some older versions of the addon to see where that stands.

Since in Comment 8 I wasn't able to reproduce the crash with Firebug only, it would seem right now the suspect addon is One Password.
(Reporter)

Comment 13

5 years ago
https://agilebits.com/onepassword/mac/release_notes has the version versions of One Password - the latest update happened in July.
Since this is seeming to be related to bug 806192 - hoping Jan can take a look here too.
Assignee: general → odvarko
(Reporter)

Comment 15

5 years ago
Not able to reproduce with 1.10.3 of Firebug. When I perform an update to 1.10.6 via Addons, I can generate the crash by visting http://www.google.com/nexus/
and switching back and forth between Nexus 4, Nexus 7 and Nexus 10.
Created attachment 677320 [details]
Firebug test build (not using GetBindingURLs API)

I can't reproduce the problem with Firebug 1.10.6, Firefox 16, 17, Win Vista.
(I am visiting http://www.google.com/nexus/ and switching back and forth between Nexus 4, Nexus 7 and Nexus 10)

Since this looks related to:
Bug 806192 - crash in inDOMUtils::GetBindingURLs with Firebug

I have search Firebug code base for 'GetBindingURLs' and found one place.
I removed the call and attached a test build 

Can you try to reproduce it again with it?

---

Also, it's not clear how to install onepassword extension

I downloaded Version 3.8.20 from here:
https://agilebits.com/onepassword/mac/release_notes

Unzipped and found couple of extension directories:
Contents\Extensions\firefox4@1password.com
Contents\Extensions\firefox5@1password.com

However, none of them is using onepassword@agilebits.com as the ID
and it isn't even compatible with Firefox 16

How should I install it?

Honza
(Reporter)

Comment 17

5 years ago
Honza: I will try your test build momentarily.

I actually ended up purchasing One Password from the Mac App store - from there it installed the app on my machine.
(Reporter)

Comment 18

5 years ago
Honza: Using Mac 16.0.2, I still crash with the Firebug test build attached to the page. The stack I get is the same one that appears in Bug 806192. I ended up having to reload the page to generate the crash this time.

I also crash with Aurora and the latest Beta as well.

According to https://agilebits.com/extensions/mac/index.html, One Password is compatible with 16+.
(In reply to Jan Honza Odvarko from comment #16)
> How should I install it?
> 
> Honza

Please install from the Mac App Store as Marcia suggests and expense the purchase. Thanks!
(In reply to Alex Keybl [:akeybl] from comment #19)
> Please install from the Mac App Store as Marcia suggests and expense the
> purchase. Thanks!
Unfortunately, I don't have a Mac.

But, I don't know if I need One Password at all, I should be able to reproduce the crash with Firebug alone in the first place, no?

I tried Win XP, Vista, 7 and I don't see any crashes.

(In reply to Marcia Knous [:marcia] from comment #18)
> Honza: Using Mac 16.0.2, I still crash with the Firebug test build attached
> to the page. The stack I get is the same one that appears in Bug 806192.
The attached build doesn't call GetBindingURLs at all, so there must be something else executing that function.

I searched mxr and I don't see any other Firefox API that would use that function
https://mxr.mozilla.org/mozilla-aurora/search?string=GetBindingURLs

So, how come the function is actually executed?

Honza
(Reporter)

Comment 21

5 years ago
Honza: I wasn't able to reproduce just with Firebug in this case on the Mac - see my earlier comment 8. It seems to have something to do with the interaction of One Password and Firebug.

(In reply to Jan Honza Odvarko from comment #20)
> (In reply to Alex Keybl [:akeybl] from comment #19)
> > Please install from the Mac App Store as Marcia suggests and expense the
> > purchase. Thanks!
> Unfortunately, I don't have a Mac.
> 
> But, I don't know if I need One Password at all, I should be able to
> reproduce the crash with Firebug alone in the first place, no?
>
Do we have access to a copy of One Password? If it is reliably able to cause this crash that would be very helpful. The original bug appears to be Windows. Is that the OS you are able to reproduce the crash on?
(Reporter)

Comment 23

5 years ago
Naveed: Honza was able to reproduce the bug on my Mac last evening. He is investigating the bug further - it is very easy to reproduce on the Mac and continues to be one of the top mac crashes in Beta. He thinks it is related to JSD and 1Password.

I purchased 1Password, but you can download a trial from their site.
I have been finally able to repro the crash (using 1password xpi copy).

My configuration:
Windows Vista, Firefox Nightly (Built from http://hg.mozilla.org/mozilla-central/rev/8671bfc8e9a8), Firebug 1.10.5

I am able to reliably reproduce the crash with Firebug 1.10.5 (not with 1.10.4, which also appears in the stats)

The crash appears since this commit:
https://github.com/firebug/firebug/commit/7227fc862207d0c5645d876a83c80a6054c06e20

Does it help?

Honza
The crash doesn't happen if JSD is disabled (ie. if the Console and Script panels are disabled).

Honza
My feeling is that the crash happens when accessing the win.parent (?) when scripts coming from 1password are compiled. Firebug hooks the script compilation (by setting a breakpoint on line 1 using JSD API)

Here is a stack trace just before the crash:

chrome://firebug/content/chrome/tabWatcher.js (692)
chrome://firebug/content/js/debugger.js (1073)
resource://firebug/firebug-service.js (3207)
resource://firebug/firebug-service.js (3132)
resource://firebug/firebug-service.js (2473)
resource://firebug/firebug-service.js (2516)
resource://firebug/firebug-service.js (2324)
resource://firebug/firebug-service.js (2074)
resource://firebug/firebug-service.js (4308)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/sandbox.js -> resource://onepassword-at-agilebits-dot-com/onepassword/data/src/end.min.js (1)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/sandbox.js (43)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/content/worker.js (292)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/content/worker.js (233)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/traits.js (110)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/content/worker.js (437)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/traits.js (110)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/addon-kit/lib/page-mod.js (207)
resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/addon-kit/lib/page-mod.js (198)
null (0)

---

I think that it would be great if somebody from JSD team could repro & debug the problem in Firefox debug build, to see what's going on in C++

Honza
Adding Dave Teare from 1Password.
At this point we're too close to FF17 ship, wontfixing.
status-firefox17: --- → wontfix
Just to note that the crash is somehow related to this code:

win.parent instanceof win.parent.Window

'instanceof' is applied on a type (Window) that might come from different compartment.

Does it make sense?

Honza
Boris, any tips what could be wrong here?

Honza

Comment 31

5 years ago
Well, so...  The crash is a null deref, right?  Benjamin, is it possible the chars are null?

Has anyone reproduced this in a debug build, perhaps?  That would be a good start: it might assert about something interesting.
(Assignee)

Comment 32

5 years ago
Created attachment 680712 [details] [diff] [review]
load source if needed in JS_DecompileScript

Ah, the JSD gremlin haunts us still.

Jan, can you try this patch? If you need binaries, there will be ones on this try result soon: https://tbpl.mozilla.org/?tree=Try&rev=5255fa968c3a
Attachment #680712 - Flags: feedback?(odvarko)
(Assignee)

Comment 33

5 years ago
Created attachment 680769 [details] [diff] [review]
load source if needed in JS_DecompileScript

Non-broken patch.
Assignee: odvarko → benjamin
Attachment #680712 - Attachment is obsolete: true
Attachment #680712 - Flags: feedback?(odvarko)
Attachment #680769 - Flags: feedback?(odvarko)
(Assignee)

Comment 34

5 years ago
Binaries here: https://tbpl.mozilla.org/?tree=Try&rev=941306cf172a
Comment on attachment 680769 [details] [diff] [review]
load source if needed in JS_DecompileScript

Try build downloaded from here:
http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/benjamin@python.org-941306cf172a/try-win32/

Tested with Firebug 1.10.6 + 1password 3.9.9

I can still repro the crash. Report here:
https://crash-stats.mozilla.com/report/index/958b57a5-e5c1-4ed4-8d55-fddda2121113

Honza
Attachment #680769 - Flags: feedback?(odvarko) → feedback-
(Assignee)

Comment 36

5 years ago
Can you try with a debug build please? The stack is managled.
(Assignee)

Comment 37

5 years ago
I'm running Linux, so I'm unable to test due to onepassword's platform requirements. If anyone could reproduce in a debug build that would be great.
@Marcia: could you try to repro the crash on your machine + using Firefox debug build? I can't since the try-debug build requires MSVC 10 (DLLs) and I don't have them.

Honza
Created attachment 681378 [details]
Crash stack trace (Firefox build + load source if needed in JS_DecompileScript patch included)

I have built Firefox from:
http://hg.mozilla.org/integration/fx-team
Including the patch: load source if needed in JS_DecompileScript

---

When I install 1password extension (no Firebug) I am not event able to launch Firefox. It immediately crashes:

See the attached stack trace.

Unhandled exception at 0x775c15de in firefox.exe: 0xC0000005: Access violation writing location 0x00000000.

Note that there is mozJSSubScriptLoader::LoadSubScript on the stack trying to load "resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/sandbox.js -> resource://onepassword-at-agilebits-dot-com/onepassword/data/src/popup.min.js"

Honza
(Assignee)

Comment 40

5 years ago
Created attachment 681577 [details] [diff] [review]
check if compression is running before aborting

That, apparently, is a different bug.
Attachment #681577 - Flags: review?(jorendorff)
Created attachment 681890 [details]
Firebug + 1password crash stack 2

(In reply to Benjamin Peterson [:benjamin] from comment #40)
> Created attachment 681577 [details] [diff] [review]
> check if compression is running before aborting
> 
> That, apparently, is a different bug.
Cool, the attached patch, helps to solve the start-up crash.

So, now I am attaching the stack I get if testing Firebug + 1password crash.

Note that I applied both patches:
- load source if needed in JS_DecompileScript 
- check if compression is running before aborting 

Honza
(Assignee)

Comment 42

5 years ago
Does it print any message about an assertion failing?
I am seeing this in the OS console:

Assertion failure: src->length() > 0 && chars[0] == '(', at c:/src/mozilla.org/fx-team/js/src/jsfun.cpp:674


Honza
Also note that when loading the http://www.google.com/nexus/10/ I am seeing the following assertion (but I can successfully ignore it):

ASSERTION: Shouldn't be trying to restyle non-elements directly: '!aContent || aContent->IsElement()', file
c:/src/mozilla.org/fx-team/layout/base/nsStyleChangeList.cpp, line 65

I am not sure if it's related, but mentioning it here anyway.

Honza
(Assignee)

Comment 45

5 years ago
Created attachment 682311 [details] [diff] [review]
we can't handle weird charsets

I think I finally got it!

Comment 46

5 years ago
If you need feedbacks, I can. Coz my firebug (the two latest versions) makes my firefox crash.
Tested with all three patches included:
- load source if needed in JS_DecompileScript 
- check if compression is running before aborting 
- we can't handle weird charsets

I see the following exception:

WARNING: Subdocument container has no frame: file c:/src/mozilla.org/fx-team/lay
out/base/nsDocumentViewer.cpp, line 2394
++DOMWINDOW == 55 (20758890) [serial = 73] [outer = 20758EB8]
###!!! ASSERTION: elements must implement nsIContent: 'content', file c:/src/moz
illa.org/fx-team/layout/inspector/src/inDOMUtils.cpp, line 246
###!!! ABORT: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr
 != 0', file c:\src\mozilla.org\fx-team\obj-i686-pc-mingw32\dist\include\nsCOMPt
r.h, line 781


The stack trace:

 	KernelBase.dll!75063219() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for KernelBase.dll]	
 	ntdll.dll!772715de() 	
 	ntdll.dll!7726014e() 	
>	mozglue.dll!mozilla::HashBytes(const void * bytes=0x0004ce9a, unsigned int length=1486476122)  Line 28 + 0xb bytes	C++
 	d0eb17a0()	
 	mozjs.dll!PRMJ_Now()  Line 398 + 0x12 bytes	C++


Honza

Comment 48

5 years ago
That assertion is certainly bogus in the sense that if the caller passes in some random JS object for that element, it will fail.  We should fix that, but the interesting thing for you is probably what the JS stack is to that point, not the C++ stack.
(Assignee)

Comment 49

5 years ago
I managed to reproduce the crash and get the stack:

#0  nsCOMPtr<nsINodeInfo>::get () at /Users/benjamin/mozilla/inbound/obj-x86_64-apple-darwin11.4.2/dist/include/nsCOMPtr.h:759
#1  nsCOMPtr<nsINodeInfo>::operator-> () at /Users/benjamin/mozilla/inbound/obj-x86_64-apple-darwin11.4.2/dist/include/nsCOMPtr.h:784
#2  0x0000000101a428d2 in inDOMUtils::GetBindingURLs (this=<value temporarily unavailable, due to optimizations>, aElement=0x144b16e20, _retval=0x7fff5fbf3418) at /Users/benjamin/mozilla/inbound/layout/inspector/src/inDOMUtils.cpp:248
#3  0x0000000101b933e6 in nsCOMPtr<nsIContent>::operator-> () at /Users/benjamin/mozilla/inbound/obj-x86_64-apple-darwin11.4.2/dist/include/nsCOMPtr.h:467

That's bug 806192, though, right?

Updated

5 years ago
Crash Signature: [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)] [@ js_NewStringCopyN] [@ libsystem_c.dylib@0x1a50] [@ libsystem_c.dylib@0x12ec] [@ libsystem_c.dylib@0x12ac] [@ libsystem_c.dylib@0x27d40] → [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)] [@ js_NewStringCopyN(JSContext*, unsigned short const* unsigned long)] [@ js_NewStringCopyN] [@ libsystem_c.dylib@0x1a50] [@ libsystem_c.dylib@0x12ec] [@ libsystem_c&hellip;

Comment 50

5 years ago
There are still crashes after the fix of bug 806192:
https://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A19.0a1&platform=mac&signature=libsystem_c.dylib%400x27d40
https://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A19.0a1&signature=_VEC_memcpy%20|%20js_NewStringCopyN%28JSContext*%2C%20wchar_t%20const*%2C%20unsigned%20int%29
(Assignee)

Comment 51

5 years ago
Those should be fixed by the patches in this bug. I hope someone can confirm.
(Assignee)

Comment 52

5 years ago
Created attachment 683206 [details] [diff] [review]
don't lazily load special charsets
Attachment #682311 - Attachment is obsolete: true
Attachment #683206 - Flags: review?(bzbarsky)
(Assignee)

Updated

5 years ago
Attachment #680769 - Flags: review?(jorendorff)
(Assignee)

Comment 53

5 years ago
Created attachment 683299 [details] [diff] [review]
don't lazily load special charsets

I forgot to add test file.
Attachment #683206 - Attachment is obsolete: true
Attachment #683206 - Flags: review?(bzbarsky)
Attachment #683299 - Flags: review?(bzbarsky)

Comment 54

5 years ago
Comment on attachment 683299 [details] [diff] [review]
don't lazily load special charsets

r=me
Attachment #683299 - Flags: review?(bzbarsky) → review+
Comment on attachment 680769 [details] [diff] [review]
load source if needed in JS_DecompileScript

Review of attachment 680769 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsapi.cpp
@@ +5474,5 @@
>          return JS_DecompileFunction(cx, fun, indent);
> +    bool haveSource = script->scriptSource()->hasSourceData();
> +    if (!haveSource && !JSScript::loadSource(cx, script, &haveSource))
> +        return NULL;
> +    return haveSource ? script->sourceData(cx) : js_NewStringCopyZ(cx, "[no source]");

You need to refresh the local variable haveSource after calling JSScript::loadSource, right?
Attachment #680769 - Flags: review?(jorendorff) → review+
(Assignee)

Comment 56

5 years ago
(In reply to Jason Orendorff [:jorendorff] from comment #55)
> 
> ::: js/src/jsapi.cpp
> @@ +5474,5 @@
> >          return JS_DecompileFunction(cx, fun, indent);
> > +    bool haveSource = script->scriptSource()->hasSourceData();
> > +    if (!haveSource && !JSScript::loadSource(cx, script, &haveSource))
> > +        return NULL;
> > +    return haveSource ? script->sourceData(cx) : js_NewStringCopyZ(cx, "[no source]");
> 
> You need to refresh the local variable haveSource after calling
> JSScript::loadSource, right?

What do you mean by refresh? |loadSource()| can change haveSource.
(In reply to :Benjamin Peterson from comment #56)
> What do you mean by refresh? |loadSource()| can change haveSource.

haveSource is a local variable. loadSource() doesn't change its value. But when loadSource() successfully loads some code, you want haveSource to become true... Right?
Attachment #681577 - Flags: review?(jorendorff) → review+
(In reply to Jason Orendorff [:jorendorff] from comment #57)
> haveSource is a local variable. loadSource() doesn't change its value.

Oh, yes it does. Right there. Never mind, I'm dumb.
(Assignee)

Comment 59

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/b1cb8ff6e836
https://hg.mozilla.org/integration/mozilla-inbound/rev/19c1fef93710
https://hg.mozilla.org/integration/mozilla-inbound/rev/75821787b343

Thanks for reviews.
(Assignee)

Comment 60

5 years ago
Comment on attachment 683299 [details] [diff] [review]
don't lazily load special charsets

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 761723
User impact if declined: Crashes w/Firebug and 1 password. There's no reason it couldn't crash elsewhere.
Testing completed (on m-c, etc.): On m-i now
Risk to taking this patch (and alternatives if risky): This raises memory usage a bit when using loadSubScript with a charset. However, an addon search shows this is very rare. (I don't think it happens at all in the browser.)
String or UUID changes made by this patch: None
Attachment #683299 - Flags: approval-mozilla-beta?
Attachment #683299 - Flags: approval-mozilla-aurora?
(Assignee)

Comment 61

5 years ago
Comment on attachment 681577 [details] [diff] [review]
check if compression is running before aborting

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 761723
User impact if declined: Crashes w/Firebug.
Testing completed (on m-c, etc.): On m-i now
Risk to taking this patch (and alternatives if risky): Not risky
String or UUID changes made by this patch: None
Attachment #681577 - Flags: approval-mozilla-beta?
Attachment #681577 - Flags: approval-mozilla-aurora?
(Assignee)

Comment 62

5 years ago
Comment on attachment 680769 [details] [diff] [review]
load source if needed in JS_DecompileScript

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 761723
User impact if declined: Crashes w/Firebug and 1 password. There's no reason it couldn't crash elsewhere.
Testing completed (on m-c, etc.): On m-i now
Risk to taking this patch (and alternatives if risky): Not risky
String or UUID changes made by this patch: None
Attachment #680769 - Flags: approval-mozilla-beta?
Attachment #680769 - Flags: approval-mozilla-aurora?
(Assignee)

Updated

5 years ago
status-firefox17: wontfix → affected
status-firefox20: --- → fixed
https://hg.mozilla.org/mozilla-central/rev/b1cb8ff6e836
https://hg.mozilla.org/mozilla-central/rev/19c1fef93710
https://hg.mozilla.org/mozilla-central/rev/75821787b343
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Comment on attachment 680769 [details] [diff] [review]
load source if needed in JS_DecompileScript

[Triage Comment]
Approving for Aurora and Beta to fix a top Mac crasher. We'll leave this on the tracking-17 list for possible 17.0.1 inclusion (if one is necessary).
Attachment #680769 - Flags: approval-mozilla-beta?
Attachment #680769 - Flags: approval-mozilla-beta+
Attachment #680769 - Flags: approval-mozilla-aurora?
Attachment #680769 - Flags: approval-mozilla-aurora+

Updated

5 years ago
Attachment #681577 - Flags: approval-mozilla-beta?
Attachment #681577 - Flags: approval-mozilla-beta+
Attachment #681577 - Flags: approval-mozilla-aurora?
Attachment #681577 - Flags: approval-mozilla-aurora+

Updated

5 years ago
Attachment #683299 - Flags: approval-mozilla-beta?
Attachment #683299 - Flags: approval-mozilla-beta+
Attachment #683299 - Flags: approval-mozilla-aurora?
Attachment #683299 - Flags: approval-mozilla-aurora+
(Assignee)

Comment 65

5 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/913623f9e6c0
https://hg.mozilla.org/releases/mozilla-aurora/rev/1793670c21f1
https://hg.mozilla.org/releases/mozilla-aurora/rev/5cc17a8167b0

https://hg.mozilla.org/releases/mozilla-beta/rev/7b8645ae4286
https://hg.mozilla.org/releases/mozilla-beta/rev/5480177df44f
https://hg.mozilla.org/releases/mozilla-beta/rev/667c8643ee52

Updated

5 years ago
status-firefox-esr17: --- → affected
tracking-firefox-esr17: --- → ?
(Assignee)

Updated

5 years ago
status-firefox18: --- → fixed
status-firefox19: --- → fixed

Updated

5 years ago
Crash Signature: [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)] [@ js_NewStringCopyN(JSContext*, unsigned short const* unsigned long)] [@ js_NewStringCopyN] [@ libsystem_c.dylib@0x1a50] [@ libsystem_c.dylib@0x12ec] [@ libsystem_c&hellip; → [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)] [@ js_NewStringCopyN(JSContext*, unsigned short const* unsigned long)] [@ js_NewStringCopyN] [@ libsystem_c.dylib@0x1a50] [@ libsystem_c.dylib@0x12ec] [@ libsystem_c&hellip;
We're going to spin a 17.0.1 so please prepare patches and/or nominate for mozilla-release and mozilla-esr17
(Assignee)

Comment 67

5 years ago
Comment on attachment 680769 [details] [diff] [review]
load source if needed in JS_DecompileScript

[Approval Request Comment]
Same nomination comment as above with the extra information that this has been on m-i, m-b, m-a for nearly a week.
Attachment #680769 - Flags: approval-mozilla-release?
Attachment #680769 - Flags: approval-mozilla-esr17?
(Assignee)

Updated

5 years ago
Attachment #681577 - Flags: approval-mozilla-release?
Attachment #681577 - Flags: approval-mozilla-esr17?
(Assignee)

Updated

5 years ago
Attachment #683299 - Flags: approval-mozilla-release?
Attachment #683299 - Flags: approval-mozilla-esr17?
Attachment #680769 - Flags: approval-mozilla-release?
Attachment #680769 - Flags: approval-mozilla-release+
Attachment #680769 - Flags: approval-mozilla-esr17?
Attachment #680769 - Flags: approval-mozilla-esr17+
Attachment #681577 - Flags: approval-mozilla-release?
Attachment #681577 - Flags: approval-mozilla-release+
Attachment #681577 - Flags: approval-mozilla-esr17?
Attachment #681577 - Flags: approval-mozilla-esr17+
Attachment #683299 - Flags: approval-mozilla-release?
Attachment #683299 - Flags: approval-mozilla-release+
Attachment #683299 - Flags: approval-mozilla-esr17?
Attachment #683299 - Flags: approval-mozilla-esr17+
(Assignee)

Comment 68

5 years ago
https://hg.mozilla.org/releases/mozilla-release/rev/6654e39790e4
https://hg.mozilla.org/releases/mozilla-release/rev/2d045a528108
https://hg.mozilla.org/releases/mozilla-release/rev/7ed2ba689d4e

https://hg.mozilla.org/releases/mozilla-esr17/rev/69b6c96df199
https://hg.mozilla.org/releases/mozilla-esr17/rev/54b7402713eb
https://hg.mozilla.org/releases/mozilla-esr17/rev/e82181a10570
status-firefox17: affected → fixed
status-firefox-esr17: affected → fixed
tracking-firefox-esr17: ? → ---
(In reply to :Benjamin Peterson from comment #68)
> 
> https://hg.mozilla.org/releases/mozilla-esr17/rev/69b6c96df199
> https://hg.mozilla.org/releases/mozilla-esr17/rev/54b7402713eb
> https://hg.mozilla.org/releases/mozilla-esr17/rev/e82181a10570

Sorry for not calling this out earlier - can you please land to esr17 relbranch too?  We've got fixes on default that we won't want to ship in this respin. GECKO170_2012111914_RELBRANCH
(Assignee)

Comment 70

5 years ago
https://hg.mozilla.org/releases/mozilla-esr17/rev/f958d557746d
https://hg.mozilla.org/releases/mozilla-esr17/rev/9f0bfbceaccc
https://hg.mozilla.org/releases/mozilla-esr17/rev/f5defbd8813b

Updated

5 years ago
Crash Signature: [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)] [@ js_NewStringCopyN(JSContext*, unsigned short const* unsigned long)] [@ js_NewStringCopyN] [@ libsystem_c.dylib@0x1a50] [@ libsystem_c.dylib@0x12ec] [@ libsystem_c&hellip; → [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)] [@ js_NewStringCopyN(JSContext*, unsigned short const* unsigned long)] [@ js_NewStringCopyN] [@ memmove$VARIANT$sse42 | js_NewStringCopyN ] [@ libsystem_c.dylib@0x1a5&hellip;
Reproduced the crash following steps from comment 7 and comment 8 for
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 Beta 2
Build ID: 20121017073013

http://crash-stats.mozilla.com/report/index/bp-6bbc69a9-401e-4f67-b55f-b67de2121203
http://crash-stats.mozilla.com/report/index/bp-bb609119-f675-4fba-8c85-5e2d02121203


Verified on Firefox 18.0 Beta 2
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0 Beta 2
Build ID: 20121128060531

and Latest Nightly
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20121202 Firefox/20.0
Build ID: 20121202030723

no crashes for Firefox 18.0 Beta 2 and Latest Nightly while doing some exploratory on http://www.google.com/nexus with 1.10.5 then 1.10.6 Firebug and 1Password 3.9.9 extensions installed.
status-firefox18: fixed → verified
Keywords: verifyme
Keywords: qawanted, regressionwindow-wanted
I am sorry that I have to reopen this, however, I can reproduce this crash signature with latest nightly.

https://crash-stats.mozilla.com/report/index/bp-26072cc0-c668-486f-ad3a-02f802121230

STR:
1. Install the https://addons.mozilla.org/de/firefox/addon/javascript-deobfuscator/ add-on.

2. Enable capturing and open http://grooveshark.com with it. It should take a while to load, hang, and then crash with the signature above.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Assignee)

Comment 73

5 years ago
Could you file a new bug, please? It's likely the same crash signature but a different underlying issue.
Status: REOPENED → RESOLVED
Last Resolved: 5 years ago5 years ago
Resolution: --- → FIXED
Verified the fix on Firefox 19.0 Beta 2 with Firebug 1.11.1 and 1Password 3.9.9 installed, following steps from comment 7 and comment 8.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0
Build ID:  20130116072953
status-firefox19: fixed → verified
mass remove verifyme requests greater than 4 months old
Keywords: verifyme
You need to log in before you can comment on or make changes to this bug.