If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

crash in JSObject::global

RESOLVED FIXED in Firefox 19

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: Scoobidiver (away), Assigned: nbp)

Tracking

(5 keywords)

19 Branch
mozilla21
x86
All
assertion, crash, regression, reproducible, topcrash
Points:
---
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox18 unaffected, firefox19+ verified, firefox20+ verified, firefox21 verified)

Details

(Whiteboard: [js:inv:p2], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
It's a low volume crash but it started spiking from 19.0a1/20121012030610. The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=99898ec9976a&tochange=1301a72b1c39
It's likely a regression from bug 797977.

Signature 	JSObject::global() More Reports Search
UUID	36900b50-ff18-4251-a95a-08ad22121028
Date Processed	2012-10-28 11:02:53
Uptime	5910
Last Crash	1.4 weeks before submission
Install Age	1.6 hours since version was first installed.
Install Time	2012-10-28 08:40:22
Product	Firefox
Version	19.0a1
Build ID	20121027030611
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	AuthenticAMD family 16 model 6 stepping 3
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x0
App Notes 	
AdapterVendorID: 0x1002, AdapterDeviceID: 0x9712, AdapterSubsysID: 394917aa, AdapterDriverVersion: 8.712.0.0
D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers+ 
EMCheckCompatibility	True
Adapter Device ID	0x9712
Total Virtual Memory	4294836224
Available Virtual Memory	3602018304
System Memory Use Percentage	46
Available Page File	4282822656
Available Physical Memory	1582616576

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	JSObject::global 	js/src/jsobjinlines.h:1203
1 	mozjs.dll 	JS_GetScriptedGlobal 	js/src/jsapi.cpp:7328
2 	xul.dll 	nsGlobalWindow::CallerGlobal 	dom/base/nsGlobalWindow.cpp:6082
3 	xul.dll 	nsGlobalWindow::CallerInnerWindow 	dom/base/nsGlobalWindow.cpp:6095
4 	xul.dll 	nsGlobalWindow::PostMessageMoz 	dom/base/nsGlobalWindow.cpp:6414
5 	xul.dll 	nsGlobalWindow::PostMessageMoz 	dom/base/nsGlobalWindow.cpp:6403
6 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:70
7 	xul.dll 	XPCWrappedNative::CallMethod 	js/xpconnect/src/XPCWrappedNative.cpp:2418
8 	xul.dll 	XPC_WN_CallMethod 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1488
9 		@0x1a77312f 	
10 		@0xffffff81 	
11 	mozjs.dll 	EnterIon 	js/src/ion/Ion.cpp:1427
12 	mozjs.dll 	js::ion::CanEnter 	js/src/ion/Ion.cpp:1338
13 	mozjs.dll 	JS_WrapObject 	js/src/jsapi.cpp:1501
14 	xul.dll 	XPCConvert::NativeData2JS 	js/xpconnect/src/XPCConvert.cpp:319
15 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:412
16 	mozjs.dll 	mozjs.dll@0x102c4f 	
17 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/xpconnect/src/XPCWrappedJSClass.cpp:1420
18 	xul.dll 	nsCOMPtr_base::assign_with_AddRef 	obj-firefox/xpcom/build/nsCOMPtr.cpp:49
19 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/xpconnect/src/XPCWrappedJS.cpp:580

More reports at:
https://crash-stats.mozilla.com/report/list?signature=JSObject%3A%3Aglobal%28%29
Whiteboard: [js:inv:p2]

Comment 1

5 years ago
According to https://bugzilla.mozilla.org/show_bug.cgi?id=826035#c0 :

STR: open http://vi.raptor.ebaydesc.com/ws/eBayISAPI.dll?ViewItemDescV4&item=230904967513&t=0&tid=10&category=48&seller=historicimages05&excSoj=1&rptdesc=1&excTrk=1&tto=3500&lsite=0#IMAGE3URL#

Result: crash https://crash-stats.mozilla.com/report/index/bp-503b3358-49f0-40bd-a968-13ce22130104

Regression range:
m-c
good=2012-10-11
bad=2012-10-12
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=99898ec9976a&tochange=1301a72b1c39
tracking-firefox19: --- → ?
tracking-firefox20: --- → ?

Comment 2

5 years ago
Created attachment 698049 [details]
Reduced testcase (blank page, crash with FF19+)

Updated

5 years ago
Attachment #698049 - Attachment description: Reduced testcase → Reduced testcase (blank page, crash with FF19+)

Updated

5 years ago
Duplicate of this bug: 826035

Comment 4

5 years ago
We agree that bug 826035 sounds like a dupe, so we've tentatively marked it as such. Also, this has risen in the FF19 crash list, so marking appropriately.
Crash Signature: [@ JSObject::global()] → [@ JSObject::global()] [@ JS_GetScriptedGlobal(JSContext*)]
status-firefox20: --- → affected
tracking-firefox19: ? → +
tracking-firefox20: ? → +
Keywords: reproducible, topcrash

Comment 5

5 years ago
Regression window
Last Good: 79e5f4ec83ae
First Bad: ebeca12019a2
Triggered by:
ebeca12019a2	Nicolas B. Pierron — Bug 797977 - Rename StackIter::fp() to StackIter::interpFrame(). r=luke
(Reporter)

Updated

5 years ago
Crash Signature: [@ JSObject::global()] [@ JS_GetScriptedGlobal(JSContext*)] → [@ JSObject::global()] [@ JS_GetScriptedGlobal(JSContext*)] [@ JSObject::global() const]
OS: Windows 7 → All
Hardware: x86 → All

Comment 6

5 years ago
Nicolas - Firefox 19 is now on beta, and we've only got a couple of weeks to resolve. Can you take a look as soon as possible?
Assignee: general → nicolas.b.pierron
(Assignee)

Comment 7

5 years ago
I cannot reproduce this bug with the attached test case on both beta and nightly.

Comment 8

5 years ago
I tried the latest Nightly and it crashed.
Are you on Windows?
(Assignee)

Comment 9

5 years ago
I am testing on Linux, with my own build as I cannot run any of the build produced by tbpl.

Comment 10

5 years ago
Maybe the bug is Windows-specific.
(Assignee)

Comment 11

5 years ago
I have been able to reproduce this bug on Linux x86 (first bad revision, debug build), with the provided test case.

Assertion failure: v.isObject(), at /home/nicolas/mozilla/ionmonkey/js/src/ion/IonFrames.cpp:1040

Program received signal SIGSEGV, Segmentation fault.
0xf6b0059c in js::ion::InlineFrameIterator::scopeChain (this=0xffff6a0c)
    at /home/nicolas/mozilla/ionmonkey/js/src/ion/IonFrames.cpp:1040
1040        JS_ASSERT(v.isObject());

(gdb) bt
#0  0xf6b0059c in js::ion::InlineFrameIterator::scopeChain (this=0xffff6a0c)
    at /home/nicolas/mozilla/ionmonkey/js/src/ion/IonFrames.cpp:1040
#1  0xf69574e3 in js::StackIter::scopeChain (this=0xffff69c0) at /home/nicolas/mozilla/ionmonkey/js/src/vm/Stack.cpp:1702
#2  0xf66fde4b in JS_GetScriptedGlobal (cx=0xe415be40) at /home/nicolas/mozilla/ionmonkey/js/src/jsapi.cpp:7320
#3  0xf4ce450c in nsGlobalWindow::CallerGlobal (this=0xe0aa7170) at /home/nicolas/mozilla/ionmonkey/dom/base/nsGlobalWindow.cpp:6080
#4  0xf4ce457b in nsGlobalWindow::CallerInnerWindow (this=0xe0aa7170)
    at /home/nicolas/mozilla/ionmonkey/dom/base/nsGlobalWindow.cpp:6093
#5  0xf4ce56af in nsGlobalWindow::PostMessageMoz (this=0xe0aa7170, aMessage=..., aOrigin=..., aCx=0xe415be40)
    at /home/nicolas/mozilla/ionmonkey/dom/base/nsGlobalWindow.cpp:6412
#6  0xf4ce569d in nsGlobalWindow::PostMessageMoz (this=0xda2f8e20, aMessage=..., aOrigin=..., aCx=0xe415be40)
    at /home/nicolas/mozilla/ionmonkey/dom/base/nsGlobalWindow.cpp:6400
#7  0xf5c32ba4 in NS_InvokeByIndex_P () from /home/nicolas/mozilla/ionmonkey/_build/t/bug806206/x86/gcc45/dbg/dist/bin/libxul.so
#8  0xf53041ba in CallMethodHelper::Invoke (this=0xffff6f20)
    at /home/nicolas/mozilla/ionmonkey/js/xpconnect/src/XPCWrappedNative.cpp:3108
#9  0xf530229e in CallMethodHelper::Call (this=0xffff6f20)
    at /home/nicolas/mozilla/ionmonkey/js/xpconnect/src/XPCWrappedNative.cpp:2442
#10 0xf5302153 in XPCWrappedNative::CallMethod (ccx=..., mode=XPCWrappedNative::CALL_METHOD)
    at /home/nicolas/mozilla/ionmonkey/js/xpconnect/src/XPCWrappedNative.cpp:2408
#11 0xf530eb5a in XPC_WN_CallMethod (cx=0xe415be40, argc=2, vp=0xffff70fc)
    at /home/nicolas/mozilla/ionmonkey/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1488
#12 0xea190ff6 in ?? ()
Cannot access memory at address 0xffffff8b

(gdb) f 11
#11 0xf530eb5a in XPC_WN_CallMethod (cx=0xe415be40, argc=2, vp=0xffff70fc)
    at /home/nicolas/mozilla/ionmonkey/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1488
1488        return XPCWrappedNative::CallMethod(ccx);
(gdb) call js_DumpBacktrace(cx)
#0 ???
#1          (nil)   http://ir.ebaystatic.com/z/au/b2o4ckknqq4vhch2fknpv0hgt.js:6 (0xdb028600 @ 133)
#2          (nil)   http://ir.ebaystatic.com/z/au/b2o4ckknqq4vhch2fknpv0hgt.js:6 (0xdb028580 @ 29)
#3          (nil)   http://ir.ebaystatic.com/z/au/b2o4ckknqq4vhch2fknpv0hgt.js:6 (0xdb028480 @ 13)

The problem can be a wrong snapshot, or a scope chain which is not defined as expected.
Keywords: assertion
Hardware: All → x86
(Assignee)

Comment 12

5 years ago
Ok, the problem is likely coming from the fact that the script which is making the native function call does not have any scope chain, and the analysis reports that we don't need any scope chain so we bake in the undefined constant in the scope chain.  When reading the scope chain in js::ion::InlineFrameIterator::scopeChain, we read undefined and not an object as expected.

The solution would be to add a global() function on StackIter which either takes it from the scopeChain in case of an interpreter frame or from the IonActivation's compartment.
(Assignee)

Comment 13

5 years ago
Created attachment 699488 [details] [diff] [review]
InlineFrameIterator: provide default scope chain value if unused.

Duplicate the behavior of StackFrame in case where the scope chain is not defined, which is to use the callee.environment as a substitute for the missing scope chain.

The major difference is that when the scope chain is observed on the StackFrame, it is cached there and we cannot do so with an Ion frame because the undefined constant is hard coded in the snapshot.

This patch is made on top of the first bad changeset.
Attachment #699488 - Flags: review?(dvander)
Attachment #699488 - Flags: review?(dvander) → review+
(Assignee)

Comment 14

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/e16c82303ab3
https://hg.mozilla.org/mozilla-central/rev/e16c82303ab3
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
(Assignee)

Comment 16

5 years ago
Comment on attachment 699488 [details] [diff] [review]
InlineFrameIterator: provide default scope chain value if unused.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 797977.

User impact if declined: crash.

Testing completed (on m-c, etc.): https://hg.mozilla.org/mozilla-central/rev/e16c82303ab3

Risk to taking this patch (and alternatives if risky): Small, as this copy the current behavior of js::StackFrame.

String or UUID changes made by this patch: N/A
Attachment #699488 - Flags: approval-mozilla-beta?
Attachment #699488 - Flags: approval-mozilla-aurora?
Comment on attachment 699488 [details] [diff] [review]
InlineFrameIterator: provide default scope chain value if unused.

Approving on aurora, and in preparation fr beta landing based on lowering of crash volume.
Lets keep a close eye to see the crashes go down  on aurora and no new regressions are caused before taking on beta.
Attachment #699488 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/28a906b30f59
status-firefox20: affected → fixed
status-firefox21: --- → fixed

Updated

5 years ago
Attachment #699488 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
https://hg.mozilla.org/releases/mozilla-beta/rev/a3a53705cbb0
status-firefox19: affected → fixed
Flags: in-testsuite?

Comment 20

5 years ago
Verified as fixed on Firefox 19 Beta 3 (20130123083802) with the reduced testcase:
Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
Mozilla/5.0 (X11; Linux i686; rv:19.0) Gecko/20100101 Firefox/19.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0

While there are no post-fix crashes for the other two signatures, there are some for JSObject::global() - https://crash-stats.mozilla.com/report/list?signature=JSObject%3A%3Aglobal%28%29.

The stack trace seems to the same as for the initial crashes, so this bug might not have been fully fixed.

Can someone that worked on this fix please look at the recent crashes and confirm/infirm it's the same bug?
Whiteboard: [js:inv:p2] → [js:inv:p2][qa?]
(Reporter)

Comment 21

5 years ago
(In reply to Ioana Budnar [QA] from comment #20)
> While there are no post-fix crashes for the other two signatures, there are
> some for JSObject::global() -
> https://crash-stats.mozilla.com/report/
> list?signature=JSObject%3A%3Aglobal%28%29.
I haven't seen post-fix crashes. Please provide a crash ID.

Comment 22

5 years ago
https://crash-stats.mozilla.com/report/index/8f865bd0-e4af-497f-959f-c35d22130122

There are more in the link I gave in comment 20.
(Reporter)

Comment 23

5 years ago
(In reply to Ioana Budnar [QA] from comment #22)
> https://crash-stats.mozilla.com/report/index/8f865bd0-e4af-497f-959f-
> c35d22130122
Nightly elm is still in 20.0 and doesn't contain the fix.

Comment 24

5 years ago
(In reply to Scoobidiver from comment #23)
> (In reply to Ioana Budnar [QA] from comment #22)
> > https://crash-stats.mozilla.com/report/index/8f865bd0-e4af-497f-959f-
> > c35d22130122
> Nightly elm is still in 20.0 and doesn't contain the fix.

Thanks for the info. Apparently all the crashes with buildIDs post-fix are for elm.
status-firefox19: fixed → verified
Whiteboard: [js:inv:p2][qa?] → [js:inv:p2]

Updated

5 years ago
QA Contact: ioana.budnar

Comment 25

5 years ago
Verified as fixed on Friefox 20 Beta 1 (20130220104816):
Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0
Mozilla/5.0 (X11; Linux i686; rv:20.0) Gecko/20100101 Firefox/20.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:20.0) Gecko/20100101 Firefox/20.0

No new crashes in Socorro either.

Comment 26

5 years ago
Verified as fixed on Firefox 20 beta 2 (20130227063501):
Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0
Mozilla/5.0 (X11; Linux i686; rv:20.0) Gecko/20100101 Firefox/20.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:20.0) Gecko/20100101 Firefox/20.0

There is one Firefox 20 beta crash in Socorro (https://crash-stats.mozilla.com/report/index/e8afb425-a7c9-48ca-b7c5-038022130228), but it doesn't look like it's the same crash.
status-firefox20: fixed → verified

Comment 27

4 years ago
Verified as fixed on Firefox 21 RC - 20130507015204.
status-firefox21: fixed → verified
You need to log in before you can comment on or make changes to this bug.