Closed Bug 856013 Opened 9 years ago Closed 9 years ago

Full browser crash on visiting SES test page

Component: Core :: JavaScript Engine
Version: 22 Branch
Platform: x86, macOS
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Tracking Status: firefox22 - ---
Reporter: erights; Assignee: Unassigned
Keywords: regression

In Nightly 22.0a1 (2013-03-29), visiting http://google-caja.googlecode.com/svn/trunk/src/com/google/caja/ses/explicit.html results in a full browser crash.

This is a recent bug. It was working in the recent Nightly I was running before I upgraded. Feel free to reclassify -- I don't know your criteria. But I'm classifying it as critical/P1 because it is a full browser crash.
Crash report is: https://crash-stats.mozilla.com/report/index/bp-e173e78c-59b2-4991-b7a5-7f38a2130329

My debug build from a day or two ago is not crashing, though.
Keywords: regression
Priority: P1 → --
Stack to the assert:

(gdb) bt
#0  js::EmptyShape::getInitialShape (cx=0x11c0dbd20, clasp=0x102247680, proto={proto = 0x10fd361a0}, parent=0x10fd341a0, nfixed=4, objectFlags=16) at Shape.cpp:1244
#1  0x0000000101a0c82f in js::EmptyShape::getInitialShape (cx=0x11c0dbd20, clasp=0x102247680, proto={proto = 0x10fd361a0}, parent=0x10fd341a0, kind=js::gc::FINALIZE_OBJECT4, objectFlags=16) at Shape.cpp:1285
#2  0x0000000101a0c684 in js::Shape::replaceLastProperty (cx=0x11c0dbd20, base=@0x7fff5fbf48f8, proto={proto = 0x10fd361a0}, shape={<js::HandleBase<js::Shape *>> = {<No data fields>}, ptr = 0x7fff5fbf48e8}) at Shape.cpp:299
#3  0x0000000101a12039 in js::Shape::setObjectFlag (cx=0x11c0dbd20, flag=js::BaseShape::NOT_EXTENSIBLE, proto={proto = 0x10fd361a0}, last=0x123600510) at Shape.cpp:1126
#4  0x0000000101a11ee6 in js::ObjectImpl::setFlag (this=0x12366cf80, cx=0x11c0dbd20, flag_=16, generateShape=js::ObjectImpl::GENERATE_SHAPE) at Shape.cpp:1090
#5  0x0000000101a11cc1 in js::ObjectImpl::preventExtensions (cx=0x11c0dbd20, obj={<js::HandleBase<js::ObjectImpl *>> = {<No data fields>}, ptr = 0x7fff5fbf4bd8}) at Shape.cpp:1062
#6  0x0000000101824622 in js::DirectProxyHandler::preventExtensions (this=0x10229d490, cx=0x11c0dbd20, proxy={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x7fff5fbf4d80}) at jsproxy.cpp:652
#7  0x0000000101834700 in js::Proxy::preventExtensions (cx=0x11c0dbd20, proxy={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x7fff5fbf4d80}) at jsproxy.cpp:2603
#8  0x0000000101a11b4b in js::ObjectImpl::preventExtensions (cx=0x11c0dbd20, obj={<js::HandleBase<js::ObjectImpl *>> = {<No data fields>}, ptr = 0x7fff5fbf5230}) at Shape.cpp:1040
#9  0x00000001017b8c7f in JSObject::sealOrFreeze (cx=0x11c0dbd20, obj={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x7fff5fbf5230}, it=JSObject::FREEZE) at jsobj.cpp:1075
#10 0x00000001015c404a in JSObject::freeze (cx=0x11c0dbd20, obj={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x7fff5fbf5230}) at jsobj.h:554
#11 0x00000001019e1f91 in obj_freeze (cx=0x11c0dbd20, argc=1, vp=0x10e6007c8) at Object.cpp:929

Looks like a duplicate of bug 855960 at first glance...
Blocks: 789897
Sigh, in hindsight CrossCompartmentWrapper almost certainly needs these both overridden.  Obviously.  Keep on backing out, I'll look at this today.
Is this bug requested for tracking because we suspect this is a commonly hit code path, or hints at larger issues? Current crash volume wouldn't suggest that.
It was tracking as in "don't ship with this crashing", I think.  As in, make sure to fix this before releasing.  The final landing in bug 789897 doesn't have this issue, so I think we're good here.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
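As an added illustration (not part of this bug report or of the SpiderMonkey code), the chain in the stack above, from Object.freeze through the proxy's preventExtensions down to the target, has a JavaScript-visible counterpart: a transparent wrapper must actually make its target non-extensible before reporting success, and the engine rejects a wrapper that claims success without doing so. The helper names below are mine.

```javascript
// Added example: a forwarding Proxy whose preventExtensions trap does what
// a transparent wrapper must do: forward the operation to the target.
// Object.freeze(proxy) reaches this trap first, then defines each property
// on the target as non-configurable/non-writable through the proxy.
function makeForwardingProxy(target) {
  return new Proxy(target, {
    preventExtensions(t) {
      Object.preventExtensions(t); // forward to the real object
      return true;                 // only true once the target agrees
    },
    isExtensible(t) {
      return Object.isExtensible(t); // must agree with the target
    },
  });
}

// Freeze through the wrapper and report what both sides see afterwards.
function freezeThroughProxy() {
  const target = { secret: 1 }; // constructed sample object
  const proxy = makeForwardingProxy(target);
  Object.freeze(proxy);
  return {
    targetFrozen: Object.isFrozen(target),
    proxyFrozen: Object.isFrozen(proxy),
  };
}

// A wrapper that reports success without forwarding violates the proxy
// invariant; the engine throws a TypeError instead of letting the wrapper
// and its target disagree about extensibility.
function lyingProxyIsRejected() {
  const target = {};
  const lying = new Proxy(target, {
    preventExtensions() { return true; }, // target left extensible
  });
  try {
    Object.preventExtensions(lying);
    return false; // should not get here
  } catch (e) {
    return e instanceof TypeError && Object.isExtensible(target);
  }
}
```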