Closed
Bug 856013
Opened 11 years ago
Closed 11 years ago
Full browser crash on visiting SES test page
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox22 | - | --- |
People
(Reporter: erights, Unassigned)
References
()
Details
(Keywords: regression)
In Nightly 22.0a1 (2013-03-29), visiting http://google-caja.googlecode.com/svn/trunk/src/com/google/caja/ses/explicit.html results in a full browser crash. This is a recent bug. It was working in the recently Nightly I was running before I upgraded. Feel free to reclassify -- I don't know your criteria. But I'm classifying it as critical/P1 because it is a full browser crash.
|
||
Comment 1•11 years ago
|
||
Crash report is: https://crash-stats.mozilla.com/report/index/bp-e173e78c-59b2-4991-b7a5-7f38a2130329 My debug build from a day or two ago is not crashing, though.
|
|
||
Comment 2•11 years ago
|
||
Range on nightlies: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=962f5293f87f&tochange=8693d1d4c86d
|
|
||
Comment 3•11 years ago
|
||
Stack to the assert:
(gdb) bt
#0 js::EmptyShape::getInitialShape (cx=0x11c0dbd20, clasp=0x102247680, proto={proto = 0x10fd361a0}, parent=0x10fd341a0, nfixed=4, objectFlags=16) at Shape.cpp:1244
#1 0x0000000101a0c82f in js::EmptyShape::getInitialShape (cx=0x11c0dbd20, clasp=0x102247680, proto={proto = 0x10fd361a0}, parent=0x10fd341a0, kind=js::gc::FINALIZE_OBJECT4, objectFlags=16) at Shape.cpp:1285
#2 0x0000000101a0c684 in js::Shape::replaceLastProperty (cx=0x11c0dbd20, base=@0x7fff5fbf48f8, proto={proto = 0x10fd361a0}, shape={<js::HandleBase<js::Shape *>> = {<No data fields>}, ptr = 0x7fff5fbf48e8}) at Shape.cpp:299
#3 0x0000000101a12039 in js::Shape::setObjectFlag (cx=0x11c0dbd20, flag=js::BaseShape::NOT_EXTENSIBLE, proto={proto = 0x10fd361a0}, last=0x123600510) at Shape.cpp:1126
#4 0x0000000101a11ee6 in js::ObjectImpl::setFlag (this=0x12366cf80, cx=0x11c0dbd20, flag_=16, generateShape=js::ObjectImpl::GENERATE_SHAPE) at Shape.cpp:1090
#5 0x0000000101a11cc1 in js::ObjectImpl::preventExtensions (cx=0x11c0dbd20, obj={<js::HandleBase<js::ObjectImpl *>> = {<No data fields>}, ptr = 0x7fff5fbf4bd8}) at Shape.cpp:1062
#6 0x0000000101824622 in js::DirectProxyHandler::preventExtensions (this=0x10229d490, cx=0x11c0dbd20, proxy={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x7fff5fbf4d80}) at jsproxy.cpp:652
#7 0x0000000101834700 in js::Proxy::preventExtensions (cx=0x11c0dbd20, proxy={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x7fff5fbf4d80}) at jsproxy.cpp:2603
#8 0x0000000101a11b4b in js::ObjectImpl::preventExtensions (cx=0x11c0dbd20, obj={<js::HandleBase<js::ObjectImpl *>> = {<No data fields>}, ptr = 0x7fff5fbf5230}) at Shape.cpp:1040
#9 0x00000001017b8c7f in JSObject::sealOrFreeze (cx=0x11c0dbd20, obj={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x7fff5fbf5230}, it=JSObject::FREEZE) at jsobj.cpp:1075
#10 0x00000001015c404a in JSObject::freeze (cx=0x11c0dbd20, obj={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x7fff5fbf5230}) at jsobj.h:554
#11 0x00000001019e1f91 in obj_freeze (cx=0x11c0dbd20, argc=1, vp=0x10e6007c8) at Object.cpp:929
Looks like a duplicate of bug 855960 at first glance...Blocks: 789897
|
||
Comment 4•11 years ago
|
||
Sigh, in hindsight CrossCompartmentWrapper almost certainly needs these both overridden. Obviously. Keep on backing out, I'll look at this today.
|
||
Comment 5•11 years ago
|
||
Is this bug requested for tracking because we suspect this is a commonly hit code path, or hints at larger issues? Current crash volume wouldn't suggest that.
|
|
||
Comment 6•11 years ago
|
||
It was tracking as in "don't ship with this crashing", I think. As in, make sure to fix this before releasing. The final landing in bug 789897 doesn't have this issue, so I think we're good here.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
|
|
||
Updated•11 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•