Closed Bug 809150 Opened 12 years ago Closed 12 years ago

crash in js::LooselyEqual with spidermonkey support in libproxy

Categories

(Core :: JavaScript Engine, defect)

16 Branch
x86_64
Linux
defect
Not set
critical


RESOLVED DUPLICATE of bug 809430

People

(Reporter: milamby, Unassigned)

References

Details

(Keywords: crash)

Crash Data

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) konqueror/4.9.2 Safari/534.34

Steps to reproduce:

1. This crash happens only with the NoScript addon enabled (versions 2.6 and 2.6.1 verified); it also happened on FF 15.
2. Go to brettspielwelt.de
3. Temporarily enable brettspielwelt.de in NoScript
4. Click the "Spielen" button on the left, under the language flags

Actual results:

A popup window appears and FF crashes shortly afterwards with:

(gdb) bt full
#0  0x00007fffd26a1ba0 in ?? ()
No symbol table info available.
#1  0x00007ffff5822d22 in js::LooselyEqual (cx=0x7fffe3327680, lval=..., rval=..., result=0x7fffffff9c6f)
    at /var/tmp/portage/www-client/firefox-16.0.2/work/mozilla-release/js/src/jsinterp.cpp:573
        res = 32767
        lobj = {<JS::RootedBase<JSObject*>> = {<No data fields>}, ptr = 0x7fffd22012e0}
        eq = <optimized out>
        l = 0x7fffffff9610
        lvalue = {<JS::RootedBase<JS::Value>> = {<JS::MutableValueOperations<JS::Rooted<JS::Value> >> = {<JS::ValueOperations<JS::Rooted<JS::Value> >> = {<No data fields>}, <No data fields>}, <No data fields>}, ptr = {data = {asBits = 53, debugView = {payload47 = 53, tag = 0}, s = {payload = {i32 = 53, u32 = 53, why = 53}},
              asDouble = 2.6185479229586067e-322, asPtr = 0x35, asWord = 53, asUIntPtr = 53}}}
        rvalue = {<JS::RootedBase<JS::Value>> = {<JS::MutableValueOperations<JS::Rooted<JS::Value> >> = {<JS::ValueOperations<JS::Rooted<JS::Value> >> = {<No data fields>}, <No data fields>}, <No data fields>}, ptr = {data = {asBits = 140737005123200, debugView = {payload47 = 140737005123200, tag = 0}, s = {payload = {
                  i32 = -483232128, u32 = 3811735168, why = 3811735168}}, asDouble = 6.9533319329956632e-310, asPtr = 0x7fffe3327680, asWord = 140737005123200,
              asUIntPtr = 140737005123200}}}
        l = <optimized out>
        r = <optimized out>
#2  0x00007ffff582890f in js::Interpret (cx=0x7fffe3327680, entryFrame=0x7fffe2300118, interpMode=js::JSINTERP_NORMAL)
    at /var/tmp/portage/www-client/firefox-16.0.2/work/mozilla-release/js/src/jsinterp.cpp:1932
        rval = {data = {asBits = 18445618173033059040, debugView = {payload47 = 140736718705376, tag = JSVAL_TAG_OBJECT}, s = {payload = {i32 = -769649952,
                u32 = 3525317344, why = 3525317344}}, asDouble = -nan(0xbffffd22012e0), asPtr = 0xfffbffffd22012e0, asWord = 18445618173033059040,
            asUIntPtr = 18445618173033059040}}
        lval = {data = {asBits = 18445618173033059040, debugView = {payload47 = 140736718705376, tag = JSVAL_TAG_OBJECT}, s = {payload = {i32 = -769649952,
                u32 = 3525317344, why = 3525317344}}, asDouble = -nan(0xbffffd22012e0), asPtr = 0xfffbffffd22012e0, asWord = 18445618173033059040,
            asUIntPtr = 18445618173033059040}}
        cond = false
        rootObject2 = {<JS::RootedBase<JSObject*>> = {<No data fields>}, ptr = 0x0}
        jumpTable = 0x7ffff64a8b20 <js::Interpret(JSContext*, js::StackFrame*, js::InterpMode)::normalJumpTable>
        script = {<JS::RootedBase<JSScript*>> = {<No data fields>}, ptr = 0x7fffcbc68cd0}
        op = JSOP_EQ
        interruptEnabler = {<js::InterpreterFrames::InterruptEnablerBase> = {
            _vptr.InterruptEnablerBase = 0x7ffff66ad120 <vtable for GenericInterruptEnabler<void* const*>+16>}, variable = 0x7fffffff9c40,
          value = 0x7ffff64a83e0 <js::Interpret(JSContext*, js::StackFrame*, js::InterpMode)::interruptJumpTable>}
        rootId0 = {<JS::RootedBase<long>> = {<No data fields>}, ptr = 2}
        useMethodJIT = false
        interpreterFrame = {older = 0x0, context = 0x7fffe3327680, regs = 0x7fffffff97b0, enabler = @0x7fffffff97d0}
        rootFunction0 = {<JS::RootedBase<JSFunction*>> = {<No data fields>}, ptr = 0x7fffc5ddaac0}
        rootShape0 = {<JS::RootedBase<js::Shape*>> = {<No data fields>}, ptr = 0x0}
        normalJumpTable = {0x7ffff5828af0 <js::Interpret(JSContext*, js::StackFrame*, js::InterpMode)+21440>,
          0x7ffff5825d25 <js::Interpret(JSContext*, js::StackFrame*, js::InterpMode)+9717>,
...<cut many more entries>

         0x7ffff5825fa5 <js::Interpret(JSContext*, js::StackFrame*, js::InterpMode)+10357>...}
        rootObject0 = {<JS::RootedBase<JSObject*>> = {<No data fields>}, ptr = 0x0}
        rootName0 = {<JS::RootedBase<js::PropertyName*>> = {<No data fields>}, ptr = 0x0}
        interpReturnOK = false
        interruptJumpTable = {0x7ffff58298c5 <js::Interpret(JSContext*, js::StackFrame*, js::InterpMode)+24981> <repeats 229 times>}
        regs = {sp = 0x7fffe2300280, pc = 0x7fffca2adb32 "\022\a", inlined_ = 0x0, fp_ = 0x7fffe2300118, static offsetOfFp = 24, static offsetOfInlined = 16}
        rootValue0 = {<JS::RootedBase<JS::Value>> = {<JS::MutableValueOperations<JS::Rooted<JS::Value> >> = {<JS::ValueOperations<JS::Rooted<JS::Value> >> = {<No data fields>}, <No data fields>}, <No data fields>}, ptr = {data = {asBits = 18444633011384221704, debugView = {payload47 = 8, tag = JSVAL_TAG_INT32}, s = {
                payload = {i32 = 8, u32 = 8, why = JS_LAZY_ARGUMENTS}}, asDouble = -nan(0x8800000000008), asPtr = 0xfff8800000000008,
              asWord = 18444633011384221704, asUIntPtr = 18444633011384221704}}}
        rootObject1 = {<JS::RootedBase<JSObject*>> = {<No data fields>}, ptr = 0x0}
#3  0x00007ffff582e5ad in js::RunScript (cx=0x7fffe3327680, script=<optimized out>, fp=0x7fffe2300118)
    at /var/tmp/portage/www-client/firefox-16.0.2/work/mozilla-release/js/src/jsinterp.cpp:301
        marker = {profiler = 0x0}
        status = <optimized out>
#4  0x00007ffff582e7b9 in js::InvokeKernel (cx=0x7fffe3327680, args=..., construct=js::NO_CONSTRUCT)
    at /var/tmp/portage/www-client/firefox-16.0.2/work/mozilla-release/js/src/jsinterp.cpp:355
        callee = @0x7fffca1d6240: {<js::ObjectImpl> = {<js::gc::Cell> = {static CellShift = 3, static CellSize = 8, static CellMask = 7},
            shape_ = {<js::EncapsulatedPtr<js::Shape, unsigned long>> = {{value = 0x7fffcbc251a0, other = 140736611897760}}, <No data fields>},
            type_ = {<js::EncapsulatedPtr<js::types::TypeObject, unsigned long>> = {{value = 0x7fffcbc230a0, other = 140736611889312}}, <No data fields>},
            slots = 0x0, elements = 0x7ffff675acb0 <finalizeCount>, static SLOT_CAPACITY_MIN = 8}, static NELEMENTS_LIMIT = 268435456,
          static MAX_FIXED_SLOTS = 16, static JSSLOT_DATE_UTC_TIME = 0, static JSSLOT_DATE_TZA = 1, static JSSLOT_DATE_COMPONENTS_START = 2,
          static JSSLOT_DATE_LOCAL_TIME = 2, static JSSLOT_DATE_LOCAL_YEAR = 3, static JSSLOT_DATE_LOCAL_MONTH = 4, static JSSLOT_DATE_LOCAL_DATE = 5,
          static JSSLOT_DATE_LOCAL_DAY = 6, static JSSLOT_DATE_LOCAL_HOURS = 7, static JSSLOT_DATE_LOCAL_MINUTES = 8, static JSSLOT_DATE_LOCAL_SECONDS = 9,
          static DATE_CLASS_RESERVED_SLOTS = 10, static ITER_CLASS_NFIXED_SLOTS = 1, static JSSLOT_NAME_PREFIX = 0, static JSSLOT_NAME_URI = 1,
          static JSSLOT_NAMESPACE_DECLARED = 2, static JSSLOT_QNAME_LOCAL_NAME = 2, static NAMESPACE_CLASS_RESERVED_SLOTS = 3,
          static QNAME_CLASS_RESERVED_SLOTS = 3}
        clasp = 0x7fffd26a1ba0
        ok = <optimized out>
        initial = js::INITIAL_NONE
        ifg = {<js::FrameGuard> = {stack_ = 0x7fffe33276d8, pushedSeg_ = false, regs_ = {sp = 0x7fffe2300230, pc = 0x7fffca2ada70 "\tW", inlined_ = 0x0,
              fp_ = 0x7fffe2300118, static offsetOfFp = 24, static offsetOfInlined = 16}, prevRegs_ = 0x7fffffffa2e0}, <No data fields>}
#5  0x00007ffff582ed46 in Invoke (args=..., cx=0x7fffe3327680, construct=<optimized out>)
    at /var/tmp/portage/www-client/firefox-16.0.2/work/mozilla-release/js/src/jsinterp.h:119
        ok = <optimized out>
        construct = js::NO_CONSTRUCT
#6  js::Invoke (cx=0x7fffe3327680, thisv=..., fval=..., argc=7, argv=<optimized out>, rval=0x7fffffffa410)
    at /var/tmp/portage/www-client/firefox-16.0.2/work/mozilla-release/js/src/jsinterp.cpp:387
        args = {<js::CallArgsList> = {<JS::CallArgs> = {<JS::CallReceiver> = {argv_ = 0x7fffe23000a0}, argc_ = 7}, prev_ = 0x0, active_ = true},
          stack_ = 0x7fffe33276d8, pushedSeg_ = false}
#7  0x00007ffff57c497e in JS_CallFunctionValue (cx=0x7fffe3327680, obj=<optimized out>, fval=..., argc=<optimized out>, argv=<optimized out>, rval=<optimized out>)
    at /var/tmp/portage/www-client/firefox-16.0.2/work/mozilla-release/js/src/jsapi.cpp:5604
No locals.
#8  0x00007ffff52ad82d in nsXPCWrappedJSClass::CallMethod (this=0x7fffca2f5480, wrapper=<optimized out>, methodIndex=9856, info=0x7fffe56dffc0,
    nativeParams=0x7fffffffa530) at /var/tmp/portage/www-client/firefox-16.0.2/work/mozilla-release/js/xpconnect/src/XPCWrappedJSClass.cpp:1436
        oldOpts = 4294938408
        rval = {data = {asBits = 140737488334064, debugView = {payload47 = 140737488334064, tag = 0}, s = {payload = {i32 = -21264, u32 = 4294946032,
                why = 4294946032}}, asDouble = 6.9533558067844231e-310, asPtr = 0x7fffffffacf0, asWord = 140737488334064, asUIntPtr = 140737488334064}}
        success = <optimized out>
        xpcc = 0x7fffe33fef00
        cx = 0x7fffe3327680
        ac = {bytes = {0x7fffe3327680, 0x7ffff6c5a800, 0x7fffcbc72680, 0x7fffe1779e00, 0x7fffe33276d8, 0x1, 0x7fffe2300090, 0x0, 0x0, 0x7fffe2300020, 0x0,
            0x7fffffffa301, 0x7fffc5ca2401}, state = JSAutoEnterCompartment::STATE_OTHER_COMPARTMENT}
        kungFuDeathGrip = {<nsCOMPtr_base> = {mRawPtr = 0x7fffca2f5480}, <No data fields>}
        readyToDoTheCall = 1
        param_iid = {m0 = 1119513144, m1 = 54809, m2 = 18859, m3 = "\202H=$~\225\235^"}
        fval = {data = {asBits = 18445618172898665024, debugView = {payload47 = 140736584311360, tag = JSVAL_TAG_OBJECT}, s = {payload = {i32 = -904043968,
                u32 = 3390923328, why = 3390923328}}, asDouble = -nan(0xbffffca1d6240), asPtr = 0xfffbffffca1d6240, asWord = 18445618172898665024,
            asUIntPtr = 18445618172898665024}}
        context = <optimized out>
        obj = 0x7fffcbc72680
        argv = 0x7fffffffa268
        retval = 2147500037
        foundDependentParam = <optimized out>
        thisObj = 0x7fffcbc72680
        scriptEval = {mJSContext = 0x7fffe3327680, mState = 0x0, mErrorReporterSet = true, mEvaluated = true, mContextHasThread = 0, mEnterCompartment = {bytes = {
              0x7fffc19fccc8, 0x7fffc19fd5f0, 0x7fffffffa590, 0x7ffff1a3ede6 <PL_strncasestr+150>, 0x7fffffffa201, 0x7fff00000016, 0x7fff7ffff0df072,
              0x7fffffffa5b0, 0x7fffffffa2bf, 0x0, 0x31, 0x7ffff5645f3e <nsACString_internal::ReplacePrep(unsigned int, unsigned int, unsigned int)+50>, 0x31},
            state = JSAutoEnterCompartment::STATE_SAME_COMPARTMENT}}
        sp = <optimized out>
        i = <optimized out>
        name = 0x7fffe56e0010 "shouldLoad"
        argc = 7 '\a'
        ccx = {<nsAXPCNativeCallContext> = {_vptr.nsAXPCNativeCallContext = 0x7ffff661b240 <vtable for XPCCallContext+16>}, mState = XPCCallContext::HAVE_SCOPE,
          mXPC = 0x7fffe5556d40, mXPCContext = 0x7fffe33fef00, mJSContext = 0x7fffe3327680, mContextPopRequired = 1, mDestroyJSContextInDestructor = 0,
          mCallerLanguage = XPCContext::LANG_NATIVE, mPrevCallerLanguage = XPCContext::LANG_UNKNOWN, mPrevCallContext = 0x0,
          mScopeForNewJSObjects = 0x7fffcbc72680, mFlattenedJSObject = 0x7fffdeff1e00, mWrapper = 0x7fffffffa848, mTearOff = 0x7fffffffa700,
          mScriptableInfo = 0xa44ce700000000, mSet = 0xc, mInterface = 0x0, mMember = 0x7fffc9eaaf10, mName = 140736580988688, mStaticMemberIsLocal = -22624,
          mArgc = 32767, mArgv = 0x7fffffffa7bb, mRetVal = 0x7ffff4be0064
     <nsStandardURL::nsSegmentEncoder::EncodeSegmentCount(char const*, nsStandardURL::URLSegment const&, short, nsCString&, bool&, unsigned int)+784>,
          mMethodIndex = 15360, mScratchStrings = {{mString = {u = {bytes = "\026\000\000\000\377\177\000\000@\245\377\377\377\177\000", _ = 140733193388054}},
              mInUse = false}, {mString = {u = {bytes = "\000\000\000\360\377\177\000\000\220\245\377\377\377\177@", _ = 140737219919872}}, mInUse = false}}}
        args = {<JS::AutoVectorRooter<JS::Value>> = {<JS::AutoGCRooter> = {down = 0x0, tag = -12, stackTop = 0x7fffe33b1978}, vector = {<js::TempAllocPolicy> = {
                cx = 0x7fffe3327680}, static sElemIsPod = false, static sMaxInlineBytes = 1024, static sInlineCapacity = 8, static sInlineBytes = 64,
              mBegin = 0x7fffffffa268, mLength = 7, mCapacity = 8, storage = {u = {
                  bytes = "\005\000\000\000\000\200\370\377\320,\334\305\377\377\373\377p\334\334\305\377\377\373\377\340\022 \322\377\377\373\377@\330&\322\377\377\372\377\000\000\000\000\000\000\373\377\240\334\334\305\377\377\373\377\001\243\377\377\377\177\000", _ = 18444633011384221701}},
              static sMaxInlineStorage = <optimized out>}, vectorRoot = {<No data fields>}}, <No data fields>}
        paramCount = 8 '\b'
#9  0x00007ffff52a925b in nsXPCWrappedJS::CallMethod (this=0x7fffcb35a180, methodIndex=3, info=0x7fffe56dffc0, params=<optimized out>)
    at /var/tmp/portage/www-client/firefox-16.0.2/work/mozilla-release/js/xpconnect/src/XPCWrappedJS.cpp:580
No locals.
#10 0x00007ffff56413e1 in PrepareAndDispatch (self=0x7fffca0ca160, methodIndex=<optimized out>, args=<optimized out>, gpregs=0x7fffffffa610, fpregs=0x7fffffffa640)
    at /var/tmp/portage/www-client/firefox-16.0.2/work/mozilla-release/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:121
...<rest cut off as most likely not relevant anymore>

Expected results:

No JS interpreter crash. I will also post a link on NoScript forums linking to this, but I suppose this crash is not in their code.
Update: While the bug did not appear in safe mode nor with NoScript disabled, I get the same backtrace on every FF exit even in safe mode and after a reset.

New steps to reproduce:

1. Run FF in a terminal to see messages.
2. Close FF.

Same segfault happens.
(In reply to Miroslav Los from comment #1)
> New steps to reproduce:
> 1. Run FF in a terminal to see messages.
> 2. Close FF.
Do you mean that Firefox crashes at each exit whatever the website where you were?
Assignee: nobody → general
Severity: normal → critical
Crash Signature: [@ js::LooselyEqual(JSContext*, JS::Value const&, JS::Value const&, bool*)] [@ @0x0 | js::LooselyEqual(JSContext*, JS::Value const&, JS::Value const&, bool*)] [@ js::LooselyEqual]
Component: Untriaged → JavaScript Engine
Flags: needinfo?(milamby)
Keywords: crash
Product: Firefox → Core
(In reply to Scoobidiver from comment #2)
> (In reply to Miroslav Los from comment #1)
> > New steps to reproduce:
> > 1. Run FF in a terminal to see messages.
> > 2. Close FF.
> Do you mean that Firefox crashes at each exit whatever the website where you
> were?

Yes, even a new user without visiting any website.

I found this Gentoo bug - https://bugs.gentoo.org/show_bug.cgi?id=439148 that speculated about a symbol clash with spidermonkey when used by libproxy. I updated/reinstalled libproxy without spidermonkey support and cannot reproduce the crash anymore.
Flags: needinfo?(milamby)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Browser crash in JS_LooselyEqual → crash in js::LooselyEqual with spidermonkey support in libproxy
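The symbol clash described in the comment above can be checked for directly, without waiting for a crash. The script below is an added example for this thread (it is not Firefox, libproxy or Gentoo code): it lists the shared objects mapped into a process and reports every name that is strongly defined in more than one of them. That is the situation libproxy's spidermonkey plugin creates when it pulls a standalone libmozjs into a Firefox process that already carries its own copy of the engine inside libxul.so; the ELF dynamic linker binds each name to the first definition it finds, so one engine can end up calling into the other's incompatible build. The maps excerpt, the `nm -D` output, the library paths and the mangled names in the sample data are all constructed for the example.

```python
"""Duplicate-export check for shared objects mapped into one process.

Added example for bug 809150; not Firefox, libproxy or Gentoo code.
All sample input below (maps lines, nm output, paths, mangled names)
is constructed to illustrate the check.
"""
import re
import subprocess
from collections import defaultdict

STRONG = set("TDBR")   # global text/data/bss/rodata definitions
WEAK = set("WV")       # weak definitions (vtables, inline/template instances)

NM_LINE = re.compile(r"^([0-9a-fA-F]+)\s+([A-Za-z])\s+(\S+)$")


def loaded_libraries(maps_text):
    """Return the distinct shared-object paths found in /proc/<pid>/maps text."""
    libs = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) == 6 and parts[5].startswith("/") and ".so" in parts[5]:
            path = parts[5].strip()
            if path not in libs:
                libs.append(path)
    return libs


def parse_nm(text):
    """Parse `nm -D --defined-only` output into {symbol_name: type_char}."""
    symbols = {}
    for line in text.splitlines():
        m = NM_LINE.match(line.strip())
        if m:
            symbols[m.group(3)] = m.group(2)
    return symbols


def find_duplicate_exports(symbols_by_lib, strong_only=True):
    """Map each symbol defined in two or more libraries to those libraries.

    With strong_only=True only global T/D/B/R definitions count. Weak
    duplicates are normal for C++ (vtables, templates) and are only
    reported when strong_only=False.
    """
    wanted = STRONG if strong_only else STRONG | WEAK
    owners = defaultdict(list)
    for lib, symbols in symbols_by_lib.items():
        for name, kind in symbols.items():
            if kind in wanted:
                owners[name].append(lib)
    return {name: libs for name, libs in owners.items() if len(libs) > 1}


def check_process(pid, strong_only=True):
    """Run the check against a live process (needs binutils' nm on PATH)."""
    with open(f"/proc/{pid}/maps") as f:
        libs = loaded_libraries(f.read())
    symbols_by_lib = {}
    for lib in libs:
        proc = subprocess.run(["nm", "-D", "--defined-only", lib],
                              capture_output=True, text=True, check=False)
        symbols_by_lib[lib] = parse_nm(proc.stdout)   # empty if stripped
    return find_duplicate_exports(symbols_by_lib, strong_only)


# Constructed /proc/<pid>/maps excerpt: Firefox plus a second JS engine
# dragged in by a (hypothetical) libproxy PAC-runner plugin.
SAMPLE_MAPS = """\
7ffff5600000-7ffff6a00000 r-xp 00000000 08:01 1234 /usr/lib64/firefox/libxul.so
7fffd2600000-7fffd2800000 r-xp 00000000 08:01 5678 /usr/lib64/libmozjs185.so
7fffd2900000-7fffd2910000 r-xp 00000000 08:01 9012 /usr/lib64/libproxy/modules/pacrunner_mozjs.so
7ffff7dd0000-7ffff7df0000 r-xp 00000000 08:01 3456 /lib64/ld-linux-x86-64.so.2
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0    [stack]
"""

# Constructed `nm -D --defined-only` output per library (illustrative names).
SAMPLE_NM = {
    "/usr/lib64/firefox/libxul.so": (
        "0000000000a22d22 T _ZN2js12LooselyEqualEP9JSContextRKN2JS5ValueES5_Pb\n"
        "0000000000a2890f T _ZN2js9InterpretEP9JSContextPNS_10StackFrameENS_10InterpModeE\n"
        "00000000009c497e T JS_CallFunctionValue\n"
        "0000000000f10000 W _ZNK2JS5Value7isInt32Ev\n"
        "0000000000120000 T NS_InitXPCOM2\n"
    ),
    "/usr/lib64/libmozjs185.so": (
        "0000000000042d22 T _ZN2js12LooselyEqualEP9JSContextRKN2JS5ValueES5_Pb\n"
        "000000000003497e T JS_CallFunctionValue\n"
        "0000000000010000 T JS_NewContext\n"
        "0000000000080000 W _ZNK2JS5Value7isInt32Ev\n"
    ),
    "/usr/lib64/libproxy/modules/pacrunner_mozjs.so": (
        "0000000000001000 T px_pacrunner_module_load\n"
    ),
    "/lib64/ld-linux-x86-64.so.2": (
        "0000000000012000 T _dl_debug_state\n"
    ),
}


def sample_duplicates(strong_only=True):
    """Run the check over the constructed sample data."""
    symbols_by_lib = {lib: parse_nm(SAMPLE_NM[lib]) for lib in loaded_libraries(SAMPLE_MAPS)}
    return find_duplicate_exports(symbols_by_lib, strong_only)


if __name__ == "__main__":
    for name, libs in sample_duplicates().items():
        print(name, "defined in", ", ".join(libs))
```

Pipe the reported names through `c++filt` to read them; a hit list that contains the JS engine's own entry points is exactly the condition the thread ends up diagnosing. In the report the fix was to rebuild libproxy without its spidermonkey support so that no second engine is loaded at all; `check_process(pid)` can confirm afterwards that the duplicates are gone.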
Man, I've been tearing my hair out trying to figure this one out. I have 2 Gentoo systems and I was getting crashes on one but not the other. They were nearly identical except for some USE flag overrides, one of which was libproxy[spidermonkey].

I can confirm that rebuilding libproxy without spidermonkey fixed all of the JS_LooselyEqual crashes I've been seeing recently.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE