Closed
Bug 795104
Opened 12 years ago
Closed 12 years ago
crash in _VEC_memcpy | js_NewStringCopyN
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla20
People
(Reporter: marcia, Assigned: Benjamin)
References
()
Details
(Keywords: crash, reproducible, topcrash)
Crash Data
Attachments
(6 files, 3 obsolete files)
1.95 MB,
application/x-xpinstall
|
Details | |
1.52 KB,
patch
|
jorendorff
:
review+
Honza
:
feedback-
akeybl
:
approval-mozilla-aurora+
akeybl
:
approval-mozilla-beta+
lsblakk
:
approval-mozilla-release+
lsblakk
:
approval-mozilla-esr17+
|
Details | Diff | Splinter Review |
26.39 KB,
text/plain
|
Details | |
3.74 KB,
patch
|
jorendorff
:
review+
akeybl
:
approval-mozilla-aurora+
akeybl
:
approval-mozilla-beta+
lsblakk
:
approval-mozilla-release+
lsblakk
:
approval-mozilla-esr17+
|
Details | Diff | Splinter Review |
5.44 KB,
text/plain
|
Details | |
3.90 KB,
patch
|
bzbarsky
:
review+
akeybl
:
approval-mozilla-aurora+
akeybl
:
approval-mozilla-beta+
lsblakk
:
approval-mozilla-release+
lsblakk
:
approval-mozilla-esr17+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is report bp-2e6683bc-2f1c-4743-9b7c-47e7d2120926 . ============================================================= Seen while viewing Aurora crash stats. This has been around in earlier releases, but volume seems to have increased in Aurora. https://crash-stats.mozilla.com/report/list?signature=_VEC_memcpy%20|%20js_NewStringCopyN%28JSContext*,%20wchar_t%20const*,%20unsigned%20int%29 Most of the crashes seem to be on Win Vista: Windows Vista 73.913 % 68 Windows XP 14.13 % 13 Windows 7 11.957 % 11 Frame Module Signature Source 0 msvcr100.dll _VEC_memcpy 1 mozjs.dll js_NewStringCopyN js/src/jsstr.cpp:3344 2 mozjs.dll js::ScriptSource::substring js/src/jsscript.cpp:1115 3 mozjs.dll JSScript::sourceData js/src/jsscript.cpp:1043 4 mozjs.dll JS_DecompileScript js/src/jsapi.cpp:5573 5 xul.dll jsdScript::GetFunctionSource js/jsd/jsd_xpc.cpp:1335 6 xul.dll NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:70 7 xul.dll XPCWrappedNative::GetAttribute js/xpconnect/src/xpcprivate.h:2822 8 xul.dll XPC_WN_GetterSetter js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1526 9 xul.dll nsXPConnect::GetXPConnect js/xpconnect/src/nsXPConnect.cpp:139 10 xul.dll XPC_WN_NoHelper_Resolve js/xpconnect/src/XPCWrappedNativeJSOps.cpp:690 11 @0x980ba9f
Comment 1•12 years ago
|
||
(In reply to Marcia Knous [:marcia] from comment #0) > volume seems to have increased in Aurora. In Aurora, it has been hit by a single user (same Install Time in a build, same graphics and processor configuration across builds).
OS: Windows NT → Windows Vista
Comment 2•12 years ago
|
||
It spiked across all affected versions on October 26. It's #1 top browser crasher in 17.0b3 and 18.0a2 on Mac. It's correlated to Firebug: * 17.0: libsystem_c.dylib@0x1a50|EXC_BAD_ACCESS / KERN_INVALID_ADDRESS (30 crashes) 100% (30/30) vs. 22% (79/352) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843) 7% (2/30) vs. 4% (13/352) 1.10.4 90% (27/30) vs. 18% (64/352) 1.10.5 3% (1/30) vs. 0% (1/352) 1.11.0a5 93% (28/30) vs. 18% (63/352) onepassword@agilebits.com 17% (5/30) vs. 1% (5/352) 3.9.10.b1 20% (6/30) vs. 2% (6/352) 3.9.8 57% (17/30) vs. 13% (47/352) 3.9.9 _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)|EXCEPTION_ACCESS_VIOLATION_READ (140 crashes) 100% (140/140) vs. 1% (713/57300) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843) 11% (16/140) vs. 0% (203/57300) 1.10.4 86% (120/140) vs. 1% (473/57300) 1.10.5 3% (4/140) vs. 0% (16/57300) 1.7.3 31% (43/140) vs. 0% (145/57300) {6AC85730-7D0F-4de0-B3FA-21142DD85326} (ColorZilla, https://addons.mozilla.org/addon/271) 0% (0/140) vs. 0% (1/57300) 2.7 17% (24/140) vs. 0% (109/57300) 2.8 14% (19/140) vs. 0% (35/57300) 2.8.1 29% (41/140) vs. 0% (253/57300) OneClickDownloader@OneClickDownloader.com 0% (0/140) vs. 0% (8/57300) 1.1 0% (0/140) vs. 0% (1/57300) 1.2 0% (0/140) vs. 0% (2/57300) 1.3 29% (41/140) vs. 0% (242/57300) 1.5 21% (30/140) vs. 0% (160/57300) {c45c406e-ab73-11d8-be73-000a95be3b12} (Web Developer, https://addons.mozilla.org/addon/60) (1.2.2) *18.0a2: libsystem_c.dylib@0x1a50|EXC_BAD_ACCESS / KERN_INVALID_ADDRESS (15 crashes) 100% (15/15) vs. 54% (35/65) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843) 100% (15/15) vs. 51% (33/65) 1.10.5 73% (11/15) vs. 35% (23/65) onepassword@agilebits.com 73% (11/15) vs. 34% (22/65) 3.9.9 _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)|EXCEPTION_ACCESS_VIOLATION_READ (140 crashes) 100% (140/140) vs. 1% (713/57300) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843) 11% (16/140) vs. 0% (203/57300) 1.10.4 86% (120/140) vs. 1% (473/57300) 1.10.5 3% (4/140) vs. 0% (16/57300) 1.7.3 31% (43/140) vs. 0% (145/57300) {6AC85730-7D0F-4de0-B3FA-21142DD85326} (ColorZilla, https://addons.mozilla.org/addon/271) 17% (24/140) vs. 0% (109/57300) 2.8 14% (19/140) vs. 0% (35/57300) 2.8.1 29% (41/140) vs. 0% (253/57300) OneClickDownloader@OneClickDownloader.com 29% (41/140) vs. 0% (242/57300) 1.5 21% (30/140) vs. 0% (160/57300) {c45c406e-ab73-11d8-be73-000a95be3b12} (Web Developer, https://addons.mozilla.org/addon/60) (1.2.2) More reports also at: https://crash-stats.mozilla.com/report/list?signature=libsystem_c.dylib%400x1a50 https://crash-stats.mozilla.com/report/list?signature=libsystem_c.dylib%400x12ec
Crash Signature: [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)] → [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)]
[@ libsystem_c.dylib@0x1a50]
[@ libsystem_c.dylib@0x12ec]
tracking-firefox17:
--- → ?
tracking-firefox18:
--- → ?
Keywords: topcrash
OS: Windows Vista → All
Hardware: x86 → All
Updated•12 years ago
|
Crash Signature: [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)]
[@ libsystem_c.dylib@0x1a50]
[@ libsystem_c.dylib@0x12ec] → [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)]
[@ libsystem_c.dylib@0x1a50]
[@ libsystem_c.dylib@0x12ec]
[@ libsystem_c.dylib@0x12ac]
[@ libsystem_c.dylib@0x27d40]
Updated•12 years ago
|
Crash Signature: [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)]
[@ libsystem_c.dylib@0x1a50]
[@ libsystem_c.dylib@0x12ec]
[@ libsystem_c.dylib@0x12ac]
[@ libsystem_c.dylib@0x27d40] → [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)]
[@ js_NewStringCopyN]
[@ libsystem_c.dylib@0x1a50]
[@ libsystem_c.dylib@0x12ec]
[@ libsystem_c.dylib@0x12ac]
[@ libsystem_c.dylib@0x27d40]
Comment 3•12 years ago
|
||
Marcia - can you take a stab at this with the listed versions of Firebug/1Password? Naveed/David - can we get somebody to take a look? Also including Jan to see if he knows who can take a look at this from the Firebug side. I'm confused because this crash didn't really crop up until 4 days after Firebug 1.10.5 was released, and 2 days after FF16b3 was released.
Keywords: qawanted,
steps-wanted
QA Contact: mozillamarcia.knous
Comment 4•12 years ago
|
||
While we're tracking this, I do want to say that I'm not super worried about this crash for release since it's highly correlated to Firebug. That doesn't mean we shouldn't investigate/fix as soon as possible for the sake of devs though.
Comment 5•12 years ago
|
||
(In reply to Alex Keybl [:akeybl] from comment #3) > Marcia - can you take a stab at this with the listed versions of > Firebug/1Password? I see one comment saying "trying to log in to browserid with MozTrap" for signature : libsystem_c.dylib@0x1a50 ..May be we could start with this as well ? > > Naveed/David - can we get somebody to take a look? > > Also including Jan to see if he knows who can take a look at this from the > Firebug side. I'm confused because this crash didn't really crop up until 4 > days after Firebug 1.10.5 was released, and 2 days after FF16b3 was released.
Reporter | ||
Comment 6•12 years ago
|
||
Recent correlations show a version of One Password that is available on the trial download on their site - I will have to purchase a copy in the App Store which I will do when I get in the office. Mac OS X libsystem_c.dylib@0x1a50|EXC_BAD_ACCESS / KERN_INVALID_ADDRESS (61 crashes) 97% (59/61) vs. 20% (100/494) onepassword@agilebits.com 18% (11/61) vs. 3% (13/494) 3.9.10.b1 79% (48/61) vs. 17% (86/494) 3.9.9 0% (0/61) vs. 0% (1/494) 3.9.9.b2 100% (61/61) vs. 30% (146/494) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843) 0% (0/61) vs. 0% (1/494) 1.10.2b1 46% (28/61) vs. 7% (37/494) 1.10.4 51% (31/61) vs. 20% (100/494) 1.10.5 3% (2/61) vs. 1% (4/494) 1.11.0a5 0% (0/61) vs. 1% (4/494) 1.9.0
Reporter | ||
Comment 7•12 years ago
|
||
Was able to reproduce this using the following steps: 1. Downloaded and installed One Password. Installed version 3.99 of the addon into the latest Firefox beta Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/17.0 Firefox/17.0. 2. Install Firebug 1.10.5, Enable "one for all web pages" and "enable all panels" 3. Visit http://www.google.com/nexus/ 4. Switch back and forth between Nexus 4, Nexus 7 and Nexus 10. 5. Crash https://crash-stats.mozilla.com/report/index/bp-57353021-f01b-461c-8326-72b3f2121030 I am not sure whether One Password factors in or not, will have to disable some of the extensions to see.
Keywords: reproducible
Reporter | ||
Comment 8•12 years ago
|
||
Another way I have been able to repro is to do as follows: 1. Disable One Password 2. Visit the nexus site with the same panels enabled as in Comment 7 Step 2 3. Reable One Password 4. Navigate back to the nexus page. 5. Crash every time. So in this case you One Password version 3.99 seems to be problematic in combination with Firebug. Also, this bug will bite many web devs as I can see from the crash URLs that many web devs are crashing when they are testing their sites.
Comment 9•12 years ago
|
||
Glad we're able to repro Marcia. We still need to nail down if this regression is caused by new code in FF17, a 1Password version, or a specific Firebug version. Would also be great to take a look at bug 806192 at the same time.
Keywords: steps-wanted → regressionwindow-wanted
Comment 10•12 years ago
|
||
Reported in Firebug issue list: http://code.google.com/p/fbug/issues/detail?id=6034 Honza
Comment 11•12 years ago
|
||
(In reply to Jan Honza Odvarko from comment #10) > Reported in Firebug issue list: > http://code.google.com/p/fbug/issues/detail?id=6034 Sorry, this comment belongs to different bug Honza
Reporter | ||
Comment 12•12 years ago
|
||
I was able to crash following the same steps in both Aurora and Firefox 16, so this crash is not unique to FF 17. The correlations show this happens with two specific versions of Firebug - I reproduced with 1.10.5 which is the latest version on AMO: 46% (28/61) vs. 7% (37/494) 1.10.4 51% (31/61) vs. 20% (100/494) 1.10.5 As far as One Password, I will have to hunt down some older versions of the addon to see where that stands. Since in Comment 8 I wasn't able to reproduce the crash with Firebug only, it would seem right now the suspect addon is One Password.
Reporter | ||
Comment 13•12 years ago
|
||
https://agilebits.com/onepassword/mac/release_notes has the version versions of One Password - the latest update happened in July.
Comment 14•12 years ago
|
||
Since this is seeming to be related to bug 806192 - hoping Jan can take a look here too.
Assignee: general → odvarko
Reporter | ||
Comment 15•12 years ago
|
||
Not able to reproduce with 1.10.3 of Firebug. When I perform an update to 1.10.6 via Addons, I can generate the crash by visting http://www.google.com/nexus/ and switching back and forth between Nexus 4, Nexus 7 and Nexus 10.
Comment 16•12 years ago
|
||
I can't reproduce the problem with Firebug 1.10.6, Firefox 16, 17, Win Vista. (I am visiting http://www.google.com/nexus/ and switching back and forth between Nexus 4, Nexus 7 and Nexus 10) Since this looks related to: Bug 806192 - crash in inDOMUtils::GetBindingURLs with Firebug I have search Firebug code base for 'GetBindingURLs' and found one place. I removed the call and attached a test build Can you try to reproduce it again with it? --- Also, it's not clear how to install onepassword extension I downloaded Version 3.8.20 from here: https://agilebits.com/onepassword/mac/release_notes Unzipped and found couple of extension directories: Contents\Extensions\firefox4@1password.com Contents\Extensions\firefox5@1password.com However, none of them is using onepassword@agilebits.com as the ID and it isn't even compatible with Firefox 16 How should I install it? Honza
Reporter | ||
Comment 17•12 years ago
|
||
Honza: I will try your test build momentarily. I actually ended up purchasing One Password from the Mac App store - from there it installed the app on my machine.
Reporter | ||
Comment 18•12 years ago
|
||
Honza: Using Mac 16.0.2, I still crash with the Firebug test build attached to the page. The stack I get is the same one that appears in Bug 806192. I ended up having to reload the page to generate the crash this time. I also crash with Aurora and the latest Beta as well. According to https://agilebits.com/extensions/mac/index.html, One Password is compatible with 16+.
Comment 19•12 years ago
|
||
(In reply to Jan Honza Odvarko from comment #16) > How should I install it? > > Honza Please install from the Mac App Store as Marcia suggests and expense the purchase. Thanks!
Comment 20•12 years ago
|
||
(In reply to Alex Keybl [:akeybl] from comment #19) > Please install from the Mac App Store as Marcia suggests and expense the > purchase. Thanks! Unfortunately, I don't have a Mac. But, I don't know if I need One Password at all, I should be able to reproduce the crash with Firebug alone in the first place, no? I tried Win XP, Vista, 7 and I don't see any crashes. (In reply to Marcia Knous [:marcia] from comment #18) > Honza: Using Mac 16.0.2, I still crash with the Firebug test build attached > to the page. The stack I get is the same one that appears in Bug 806192. The attached build doesn't call GetBindingURLs at all, so there must be something else executing that function. I searched mxr and I don't see any other Firefox API that would use that function https://mxr.mozilla.org/mozilla-aurora/search?string=GetBindingURLs So, how come the function is actually executed? Honza
Reporter | ||
Comment 21•12 years ago
|
||
Honza: I wasn't able to reproduce just with Firebug in this case on the Mac - see my earlier comment 8. It seems to have something to do with the interaction of One Password and Firebug. (In reply to Jan Honza Odvarko from comment #20) > (In reply to Alex Keybl [:akeybl] from comment #19) > > Please install from the Mac App Store as Marcia suggests and expense the > > purchase. Thanks! > Unfortunately, I don't have a Mac. > > But, I don't know if I need One Password at all, I should be able to > reproduce the crash with Firebug alone in the first place, no? >
Comment 22•12 years ago
|
||
Do we have access to a copy of One Password? If it is reliably able to cause this crash that would be very helpful. The original bug appears to be Windows. Is that the OS you are able to reproduce the crash on?
Reporter | ||
Comment 23•12 years ago
|
||
Naveed: Honza was able to reproduce the bug on my Mac last evening. He is investigating the bug further - it is very easy to reproduce on the Mac and continues to be one of the top mac crashes in Beta. He thinks it is related to JSD and 1Password. I purchased 1Password, but you can download a trial from their site.
Comment 24•12 years ago
|
||
I have been finally able to repro the crash (using 1password xpi copy). My configuration: Windows Vista, Firefox Nightly (Built from http://hg.mozilla.org/mozilla-central/rev/8671bfc8e9a8), Firebug 1.10.5 I am able to reliably reproduce the crash with Firebug 1.10.5 (not with 1.10.4, which also appears in the stats) The crash appears since this commit: https://github.com/firebug/firebug/commit/7227fc862207d0c5645d876a83c80a6054c06e20 Does it help? Honza
Comment 25•12 years ago
|
||
The crash doesn't happen if JSD is disabled (ie. if the Console and Script panels are disabled). Honza
Comment 26•12 years ago
|
||
My feeling is that the crash happens when accessing the win.parent (?) when scripts coming from 1password are compiled. Firebug hooks the script compilation (by setting a breakpoint on line 1 using JSD API) Here is a stack trace just before the crash: chrome://firebug/content/chrome/tabWatcher.js (692) chrome://firebug/content/js/debugger.js (1073) resource://firebug/firebug-service.js (3207) resource://firebug/firebug-service.js (3132) resource://firebug/firebug-service.js (2473) resource://firebug/firebug-service.js (2516) resource://firebug/firebug-service.js (2324) resource://firebug/firebug-service.js (2074) resource://firebug/firebug-service.js (4308) resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/sandbox.js -> resource://onepassword-at-agilebits-dot-com/onepassword/data/src/end.min.js (1) resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/sandbox.js (43) resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/content/worker.js (292) resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/content/worker.js (233) resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/traits.js (110) resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/content/worker.js (437) resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/traits.js (110) resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/addon-kit/lib/page-mod.js (207) resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/addon-kit/lib/page-mod.js (198) null (0) --- I think that it would be great if somebody from JSD team could repro & debug the problem in Firefox debug build, to see what's going on in C++ Honza
Comment 27•12 years ago
|
||
Adding Dave Teare from 1Password.
Comment 28•12 years ago
|
||
At this point we're too close to FF17 ship, wontfixing.
status-firefox17:
--- → wontfix
Comment 29•12 years ago
|
||
Just to note that the crash is somehow related to this code: win.parent instanceof win.parent.Window 'instanceof' is applied on a type (Window) that might come from different compartment. Does it make sense? Honza
Comment 30•12 years ago
|
||
Boris, any tips what could be wrong here? Honza
Comment 31•12 years ago
|
||
Well, so... The crash is a null deref, right? Benjamin, is it possible the chars are null? Has anyone reproduced this in a debug build, perhaps? That would be a good start: it might assert about something interesting.
Assignee | ||
Comment 32•12 years ago
|
||
Ah, the JSD gremlin haunts us still. Jan, can you try this patch? If you need binaries, there will be ones on this try result soon: https://tbpl.mozilla.org/?tree=Try&rev=5255fa968c3a
Attachment #680712 -
Flags: feedback?(odvarko)
Assignee | ||
Comment 33•12 years ago
|
||
Non-broken patch.
Assignee: odvarko → benjamin
Attachment #680712 -
Attachment is obsolete: true
Attachment #680712 -
Flags: feedback?(odvarko)
Attachment #680769 -
Flags: feedback?(odvarko)
Assignee | ||
Comment 34•12 years ago
|
||
Binaries here: https://tbpl.mozilla.org/?tree=Try&rev=941306cf172a
Comment 35•12 years ago
|
||
Comment on attachment 680769 [details] [diff] [review] load source if needed in JS_DecompileScript Try build downloaded from here: http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/benjamin@python.org-941306cf172a/try-win32/ Tested with Firebug 1.10.6 + 1password 3.9.9 I can still repro the crash. Report here: https://crash-stats.mozilla.com/report/index/958b57a5-e5c1-4ed4-8d55-fddda2121113 Honza
Attachment #680769 -
Flags: feedback?(odvarko) → feedback-
Assignee | ||
Comment 36•12 years ago
|
||
Can you try with a debug build please? The stack is managled.
Assignee | ||
Comment 37•12 years ago
|
||
I'm running Linux, so I'm unable to test due to onepassword's platform requirements. If anyone could reproduce in a debug build that would be great.
Comment 38•12 years ago
|
||
@Marcia: could you try to repro the crash on your machine + using Firefox debug build? I can't since the try-debug build requires MSVC 10 (DLLs) and I don't have them. Honza
Comment 39•12 years ago
|
||
I have built Firefox from: http://hg.mozilla.org/integration/fx-team Including the patch: load source if needed in JS_DecompileScript --- When I install 1password extension (no Firebug) I am not event able to launch Firefox. It immediately crashes: See the attached stack trace. Unhandled exception at 0x775c15de in firefox.exe: 0xC0000005: Access violation writing location 0x00000000. Note that there is mozJSSubScriptLoader::LoadSubScript on the stack trying to load "resource://onepassword-at-agilebits-dot-com/api-utils/lib/loader.js -> resource://onepassword-at-agilebits-dot-com/api-utils/lib/sandbox.js -> resource://onepassword-at-agilebits-dot-com/onepassword/data/src/popup.min.js" Honza
Assignee | ||
Comment 40•12 years ago
|
||
That, apparently, is a different bug.
Attachment #681577 -
Flags: review?(jorendorff)
Comment 41•12 years ago
|
||
(In reply to Benjamin Peterson [:benjamin] from comment #40) > Created attachment 681577 [details] [diff] [review] > check if compression is running before aborting > > That, apparently, is a different bug. Cool, the attached patch, helps to solve the start-up crash. So, now I am attaching the stack I get if testing Firebug + 1password crash. Note that I applied both patches: - load source if needed in JS_DecompileScript - check if compression is running before aborting Honza
Assignee | ||
Comment 42•12 years ago
|
||
Does it print any message about an assertion failing?
Comment 43•12 years ago
|
||
I am seeing this in the OS console: Assertion failure: src->length() > 0 && chars[0] == '(', at c:/src/mozilla.org/fx-team/js/src/jsfun.cpp:674 Honza
Comment 44•12 years ago
|
||
Also note that when loading the http://www.google.com/nexus/10/ I am seeing the following assertion (but I can successfully ignore it): ASSERTION: Shouldn't be trying to restyle non-elements directly: '!aContent || aContent->IsElement()', file c:/src/mozilla.org/fx-team/layout/base/nsStyleChangeList.cpp, line 65 I am not sure if it's related, but mentioning it here anyway. Honza
Assignee | ||
Comment 45•12 years ago
|
||
I think I finally got it!
Comment 46•12 years ago
|
||
If you need feedbacks, I can. Coz my firebug (the two latest versions) makes my firefox crash.
Comment 47•12 years ago
|
||
Tested with all three patches included:
- load source if needed in JS_DecompileScript
- check if compression is running before aborting
- we can't handle weird charsets
I see the following exception:
WARNING: Subdocument container has no frame: file c:/src/mozilla.org/fx-team/lay
out/base/nsDocumentViewer.cpp, line 2394
++DOMWINDOW == 55 (20758890) [serial = 73] [outer = 20758EB8]
###!!! ASSERTION: elements must implement nsIContent: 'content', file c:/src/moz
illa.org/fx-team/layout/inspector/src/inDOMUtils.cpp, line 246
###!!! ABORT: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr
!= 0', file c:\src\mozilla.org\fx-team\obj-i686-pc-mingw32\dist\include\nsCOMPt
r.h, line 781
The stack trace:
KernelBase.dll!75063219()
[Frames below may be incorrect and/or missing, no symbols loaded for KernelBase.dll]
ntdll.dll!772715de()
ntdll.dll!7726014e()
> mozglue.dll!mozilla::HashBytes(const void * bytes=0x0004ce9a, unsigned int length=1486476122) Line 28 + 0xb bytes C++
d0eb17a0()
mozjs.dll!PRMJ_Now() Line 398 + 0x12 bytes C++
Honza
Comment 48•12 years ago
|
||
That assertion is certainly bogus in the sense that if the caller passes in some random JS object for that element, it will fail. We should fix that, but the interesting thing for you is probably what the JS stack is to that point, not the C++ stack.
Assignee | ||
Comment 49•12 years ago
|
||
I managed to reproduce the crash and get the stack: #0 nsCOMPtr<nsINodeInfo>::get () at /Users/benjamin/mozilla/inbound/obj-x86_64-apple-darwin11.4.2/dist/include/nsCOMPtr.h:759 #1 nsCOMPtr<nsINodeInfo>::operator-> () at /Users/benjamin/mozilla/inbound/obj-x86_64-apple-darwin11.4.2/dist/include/nsCOMPtr.h:784 #2 0x0000000101a428d2 in inDOMUtils::GetBindingURLs (this=<value temporarily unavailable, due to optimizations>, aElement=0x144b16e20, _retval=0x7fff5fbf3418) at /Users/benjamin/mozilla/inbound/layout/inspector/src/inDOMUtils.cpp:248 #3 0x0000000101b933e6 in nsCOMPtr<nsIContent>::operator-> () at /Users/benjamin/mozilla/inbound/obj-x86_64-apple-darwin11.4.2/dist/include/nsCOMPtr.h:467 That's bug 806192, though, right?
Updated•12 years ago
|
Crash Signature: [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)]
[@ js_NewStringCopyN]
[@ libsystem_c.dylib@0x1a50]
[@ libsystem_c.dylib@0x12ec]
[@ libsystem_c.dylib@0x12ac]
[@ libsystem_c.dylib@0x27d40] → [@ _VEC_memcpy | js_NewStringCopyN(JSContext*, wchar_t const*, unsigned int)]
[@ js_NewStringCopyN(JSContext*, unsigned short const* unsigned long)]
[@ js_NewStringCopyN]
[@ libsystem_c.dylib@0x1a50]
[@ libsystem_c.dylib@0x12ec]
[@ libsystem_c.dylib@…
Comment 50•12 years ago
|
||
There are still crashes after the fix of bug 806192: https://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A19.0a1&platform=mac&signature=libsystem_c.dylib%400x27d40 https://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A19.0a1&signature=_VEC_memcpy%20|%20js_NewStringCopyN%28JSContext*%2C%20wchar_t%20const*%2C%20unsigned%20int%29
Assignee | ||
Comment 51•12 years ago
|
||
Those should be fixed by the patches in this bug. I hope someone can confirm.
Assignee | ||
Comment 52•12 years ago
|
||
Attachment #682311 -
Attachment is obsolete: true
Attachment #683206 -
Flags: review?(bzbarsky)
Assignee | ||
Updated•12 years ago
|
Attachment #680769 -
Flags: review?(jorendorff)
Assignee | ||
Comment 53•12 years ago
|
||
I forgot to add test file.
Attachment #683206 -
Attachment is obsolete: true
Attachment #683206 -
Flags: review?(bzbarsky)
Attachment #683299 -
Flags: review?(bzbarsky)
Comment 54•12 years ago
|
||
Comment on attachment 683299 [details] [diff] [review] don't lazily load special charsets r=me
Attachment #683299 -
Flags: review?(bzbarsky) → review+
Comment 55•12 years ago
|
||
Comment on attachment 680769 [details] [diff] [review] load source if needed in JS_DecompileScript Review of attachment 680769 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jsapi.cpp @@ +5474,5 @@ > return JS_DecompileFunction(cx, fun, indent); > + bool haveSource = script->scriptSource()->hasSourceData(); > + if (!haveSource && !JSScript::loadSource(cx, script, &haveSource)) > + return NULL; > + return haveSource ? script->sourceData(cx) : js_NewStringCopyZ(cx, "[no source]"); You need to refresh the local variable haveSource after calling JSScript::loadSource, right?
Attachment #680769 -
Flags: review?(jorendorff) → review+
Assignee | ||
Comment 56•12 years ago
|
||
(In reply to Jason Orendorff [:jorendorff] from comment #55) > > ::: js/src/jsapi.cpp > @@ +5474,5 @@ > > return JS_DecompileFunction(cx, fun, indent); > > + bool haveSource = script->scriptSource()->hasSourceData(); > > + if (!haveSource && !JSScript::loadSource(cx, script, &haveSource)) > > + return NULL; > > + return haveSource ? script->sourceData(cx) : js_NewStringCopyZ(cx, "[no source]"); > > You need to refresh the local variable haveSource after calling > JSScript::loadSource, right? What do you mean by refresh? |loadSource()| can change haveSource.
Comment 57•12 years ago
|
||
(In reply to :Benjamin Peterson from comment #56) > What do you mean by refresh? |loadSource()| can change haveSource. haveSource is a local variable. loadSource() doesn't change its value. But when loadSource() successfully loads some code, you want haveSource to become true... Right?
Updated•12 years ago
|
Attachment #681577 -
Flags: review?(jorendorff) → review+
Comment 58•12 years ago
|
||
(In reply to Jason Orendorff [:jorendorff] from comment #57) > haveSource is a local variable. loadSource() doesn't change its value. Oh, yes it does. Right there. Never mind, I'm dumb.
Assignee | ||
Comment 59•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/b1cb8ff6e836 https://hg.mozilla.org/integration/mozilla-inbound/rev/19c1fef93710 https://hg.mozilla.org/integration/mozilla-inbound/rev/75821787b343 Thanks for reviews.
Assignee | ||
Comment 60•12 years ago
|
||
Comment on attachment 683299 [details] [diff] [review] don't lazily load special charsets [Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 761723 User impact if declined: Crashes w/Firebug and 1 password. There's no reason it couldn't crash elsewhere. Testing completed (on m-c, etc.): On m-i now Risk to taking this patch (and alternatives if risky): This raises memory usage a bit when using loadSubScript with a charset. However, an addon search shows this is very rare. (I don't think it happens at all in the browser.) String or UUID changes made by this patch: None
Attachment #683299 -
Flags: approval-mozilla-beta?
Attachment #683299 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 61•12 years ago
|
||
Comment on attachment 681577 [details] [diff] [review] check if compression is running before aborting [Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 761723 User impact if declined: Crashes w/Firebug. Testing completed (on m-c, etc.): On m-i now Risk to taking this patch (and alternatives if risky): Not risky String or UUID changes made by this patch: None
Attachment #681577 -
Flags: approval-mozilla-beta?
Attachment #681577 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 62•12 years ago
|
||
Comment on attachment 680769 [details] [diff] [review] load source if needed in JS_DecompileScript [Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 761723 User impact if declined: Crashes w/Firebug and 1 password. There's no reason it couldn't crash elsewhere. Testing completed (on m-c, etc.): On m-i now Risk to taking this patch (and alternatives if risky): Not risky String or UUID changes made by this patch: None
Attachment #680769 -
Flags: approval-mozilla-beta?
Attachment #680769 -
Flags: approval-mozilla-aurora?
Assignee | ||
Updated•12 years ago
|
status-firefox20:
--- → fixed
Comment 63•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/b1cb8ff6e836 https://hg.mozilla.org/mozilla-central/rev/19c1fef93710 https://hg.mozilla.org/mozilla-central/rev/75821787b343
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Comment 64•12 years ago
|
||
Comment on attachment 680769 [details] [diff] [review] load source if needed in JS_DecompileScript [Triage Comment] Approving for Aurora and Beta to fix a top Mac crasher. We'll leave this on the tracking-17 list for possible 17.0.1 inclusion (if one is necessary).
Attachment #680769 -
Flags: approval-mozilla-beta?
Attachment #680769 -
Flags: approval-mozilla-beta+
Attachment #680769 -
Flags: approval-mozilla-aurora?
Attachment #680769 -
Flags: approval-mozilla-aurora+
Updated•12 years ago
|
Attachment #681577 -
Flags: approval-mozilla-beta?
Attachment #681577 -
Flags: approval-mozilla-beta+
Attachment #681577 -
Flags: approval-mozilla-aurora?
Attachment #681577 -
Flags: approval-mozilla-aurora+
Updated•12 years ago
|
Attachment #683299 -
Flags: approval-mozilla-beta?
Attachment #683299 -
Flags: approval-mozilla-beta+
Attachment #683299 -
Flags: approval-mozilla-aurora?
Attachment #683299 -
Flags: approval-mozilla-aurora+
Assignee | ||
Comment 65•12 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/913623f9e6c0 https://hg.mozilla.org/releases/mozilla-aurora/rev/1793670c21f1 https://hg.mozilla.org/releases/mozilla-aurora/rev/5cc17a8167b0 https://hg.mozilla.org/releases/mozilla-beta/rev/7b8645ae4286 https://hg.mozilla.org/releases/mozilla-beta/rev/5480177df44f https://hg.mozilla.org/releases/mozilla-beta/rev/667c8643ee52
Updated•12 years ago
|
status-firefox-esr17:
--- → affected
tracking-firefox-esr17:
--- → ?
Assignee | ||
Updated•12 years ago
|
status-firefox18:
--- → fixed
status-firefox19:
--- → fixed
Updated•12 years ago
|
Crash Signature: unsigned long)]
[@ js_NewStringCopyN]
[@ libsystem_c.dylib@0x1a50]
[@ libsystem_c.dylib@0x12ec]
[@ libsystem_c.dylib@0x12ac]
[@ libsystem_c.dylib@0x27d40] → unsigned long)]
[@ js_NewStringCopyN]
[@ libsystem_c.dylib@0x1a50]
[@ libsystem_c.dylib@0x12ec]
[@ libsystem_c.dylib@0x12ac]
[@ libsystem_c.dylib@0x27d40]
[@ libsystem_c.dylib@0x27fa0]
Comment 66•12 years ago
|
||
We're going to spin a 17.0.1 so please prepare patches and/or nominate for mozilla-release and mozilla-esr17
Assignee | ||
Comment 67•12 years ago
|
||
Comment on attachment 680769 [details] [diff] [review] load source if needed in JS_DecompileScript [Approval Request Comment] Same nomination comment as above with the extra information that this has been on m-i, m-b, m-a for nearly a week.
Attachment #680769 -
Flags: approval-mozilla-release?
Attachment #680769 -
Flags: approval-mozilla-esr17?
Assignee | ||
Updated•12 years ago
|
Attachment #681577 -
Flags: approval-mozilla-release?
Attachment #681577 -
Flags: approval-mozilla-esr17?
Assignee | ||
Updated•12 years ago
|
Attachment #683299 -
Flags: approval-mozilla-release?
Attachment #683299 -
Flags: approval-mozilla-esr17?
Updated•12 years ago
|
Attachment #680769 -
Flags: approval-mozilla-release?
Attachment #680769 -
Flags: approval-mozilla-release+
Attachment #680769 -
Flags: approval-mozilla-esr17?
Attachment #680769 -
Flags: approval-mozilla-esr17+
Updated•12 years ago
|
Attachment #681577 -
Flags: approval-mozilla-release?
Attachment #681577 -
Flags: approval-mozilla-release+
Attachment #681577 -
Flags: approval-mozilla-esr17?
Attachment #681577 -
Flags: approval-mozilla-esr17+
Updated•12 years ago
|
Attachment #683299 -
Flags: approval-mozilla-release?
Attachment #683299 -
Flags: approval-mozilla-release+
Attachment #683299 -
Flags: approval-mozilla-esr17?
Attachment #683299 -
Flags: approval-mozilla-esr17+
Assignee | ||
Comment 68•12 years ago
|
||
https://hg.mozilla.org/releases/mozilla-release/rev/6654e39790e4 https://hg.mozilla.org/releases/mozilla-release/rev/2d045a528108 https://hg.mozilla.org/releases/mozilla-release/rev/7ed2ba689d4e https://hg.mozilla.org/releases/mozilla-esr17/rev/69b6c96df199 https://hg.mozilla.org/releases/mozilla-esr17/rev/54b7402713eb https://hg.mozilla.org/releases/mozilla-esr17/rev/e82181a10570
Comment 69•12 years ago
|
||
(In reply to :Benjamin Peterson from comment #68) > > https://hg.mozilla.org/releases/mozilla-esr17/rev/69b6c96df199 > https://hg.mozilla.org/releases/mozilla-esr17/rev/54b7402713eb > https://hg.mozilla.org/releases/mozilla-esr17/rev/e82181a10570 Sorry for not calling this out earlier - can you please land to esr17 relbranch too? We've got fixes on default that we won't want to ship in this respin. GECKO170_2012111914_RELBRANCH
Assignee | ||
Comment 70•12 years ago
|
||
https://hg.mozilla.org/releases/mozilla-esr17/rev/f958d557746d https://hg.mozilla.org/releases/mozilla-esr17/rev/9f0bfbceaccc https://hg.mozilla.org/releases/mozilla-esr17/rev/f5defbd8813b
Updated•12 years ago
|
Crash Signature: unsigned long)]
[@ js_NewStringCopyN]
[@ libsystem_c.dylib@0x1a50]
[@ libsystem_c.dylib@0x12ec]
[@ libsystem_c.dylib@0x12ac]
[@ libsystem_c.dylib@0x27d40]
[@ libsystem_c.dylib@0x27fa0] → unsigned long)]
[@ js_NewStringCopyN]
[@ memmove$VARIANT$sse42 | js_NewStringCopyN ]
[@ libsystem_c.dylib@0x1a50]
[@ libsystem_c.dylib@0x12ec]
[@ libsystem_c.dylib@0x12ac]
[@ libsystem_c.dylib@0x27d40]
[@ libsystem_c.dylib@0x27fa0]
Comment 71•12 years ago
|
||
Reproduced the crash following steps from comment 7 and comment 8 for Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 Beta 2 Build ID: 20121017073013 http://crash-stats.mozilla.com/report/index/bp-6bbc69a9-401e-4f67-b55f-b67de2121203 http://crash-stats.mozilla.com/report/index/bp-bb609119-f675-4fba-8c85-5e2d02121203 Verified on Firefox 18.0 Beta 2 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0 Beta 2 Build ID: 20121128060531 and Latest Nightly Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20121202 Firefox/20.0 Build ID: 20121202030723 no crashes for Firefox 18.0 Beta 2 and Latest Nightly while doing some exploratory on http://www.google.com/nexus with 1.10.5 then 1.10.6 Firebug and 1Password 3.9.9 extensions installed.
Updated•12 years ago
|
Keywords: qawanted,
regressionwindow-wanted
Comment 72•12 years ago
|
||
I am sorry that I have to reopen this, however, I can reproduce this crash signature with latest nightly. https://crash-stats.mozilla.com/report/index/bp-26072cc0-c668-486f-ad3a-02f802121230 STR: 1. Install the https://addons.mozilla.org/de/firefox/addon/javascript-deobfuscator/ add-on. 2. Enable capturing and open http://grooveshark.com with it. It should take a while to load, hang, and then crash with the signature above.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 73•12 years ago
|
||
Could you file a new bug, please? It's likely the same crash signature but a different underlying issue.
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
Resolution: --- → FIXED
Comment 74•11 years ago
|
||
Verified the fix on Firefox 19.0 Beta 2 with Firebug 1.11.1 and 1Password 3.9.9 installed, following steps from comment 7 and comment 8. Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0 Build ID: 20130116072953
You need to log in
before you can comment on or make changes to this bug.
Description
•