Closed
Bug 858655
Opened 8 years ago
Closed 8 years ago
crash in js::ScopeIter::settle
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla23
| Tracking | Status | |
|---|---|---|
| firefox22 | --- | unaffected |
| firefox23 | --- | verified |
People
(Reporter: scoobidiver, Assigned: jandem)
Details
(4 keywords)
Crash Data
Attachments
(1 file)
|
2.55 KB,
patch
|
djvj
:
review+
|
Details | Diff | Splinter Review |
It first showed up in 23.0a1/20130403 and is currently #10 top browser crasher in 23.0a1. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=aae004a3c5d9&tochange=97cfc16ba5dc It's mostly correlated to Firebug (manual check). Signature js::AllFramesIter::popIonFrame() More Reports Search UUID 14f8ba61-72f1-4880-b291-a79012130405 Date Processed 2013-04-05 15:48:53 Uptime 134 Last Crash 2.5 minutes before submission Install Age 12.0 minutes since version was first installed. Install Time 2013-04-05 15:36:17 Product Firefox Version 23.0a1 Build ID 20130405030918 Release Channel nightly OS Windows NT OS Version 6.1.7601 Service Pack 1 Build Architecture x86 Build Architecture Info GenuineIntel family 6 model 42 stepping 7 Crash Reason EXCEPTION_ACCESS_VIOLATION_READ Crash Address 0xc App Notes AdapterVendorID: 0x8086, AdapterDeviceID: 0x0126, AdapterSubsysID: 04931028, AdapterDriverVersion: 8.15.10.2279 D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ Processor Notes sp-processor10.phx1.mozilla.com_15924:2008 EMCheckCompatibility True Adapter Vendor ID 0x8086 Adapter Device ID 0x0126 Total Virtual Memory 2147352576 Available Virtual Memory 1602793472 System Memory Use Percentage 75 Available Page File 3482660864 Available Physical Memory 824999936 Frame Module Signature Source 0 mozjs.dll js::AllFramesIter::popIonFrame js/src/vm/Stack.cpp:2216 1 mozjs.dll js::AllFramesIter::operator++ js/src/vm/Stack.cpp:2246 2 mozjs.dll js::AbstractFramePtr::evalPrevScopeChain js/src/vm/Stack.cpp:2307 3 mozjs.dll js::ScopeIter::settle js/src/vm/ScopeObject.cpp:1043 4 mozjs.dll js::ScopeIter::ScopeIter js/src/vm/ScopeObject.cpp:965 5 mozjs.dll GetDebugScope js/src/vm/ScopeObject.cpp:2096 6 mozjs.dll GetDebugScope js/src/vm/ScopeObject.cpp:2109 7 mozjs.dll GetDebugScopeForScope js/src/vm/ScopeObject.cpp:1992 8 mozjs.dll GetDebugScope js/src/vm/ScopeObject.cpp:2117 9 mozjs.dll GetDebugScope js/src/vm/ScopeObject.cpp:2097 10 mozjs.dll GetDebugScope js/src/vm/ScopeObject.cpp:2109 11 mozjs.dll GetDebugScopeForScope js/src/vm/ScopeObject.cpp:1992 12 mozjs.dll GetDebugScope js/src/vm/ScopeObject.cpp:2117 13 mozjs.dll js::GetDebugScopeForFrame js/src/vm/ScopeObject.cpp:2137 14 mozjs.dll JSAbstractFramePtr::scopeChain js/src/jsdbgapi.cpp:1234 15 xul.dll jsd_GetScopeChainForStackFrame js/jsd/jsd_stak.cpp:292 16 xul.dll jsdStackFrame::GetScope js/jsd/jsd_xpc.cpp:1998 17 xul.dll NS_InvokeByIndex xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:70 18 xul.dll XPC_WN_GetterSetter js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1508 19 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:408 20 mozjs.dll js::Invoke js/src/jsinterp.cpp:455 21 mozjs.dll js::ion::DoGetPropFallback js/src/ion/BaselineIC.cpp:4872 22 mozjs.dll mozjs.dll@0x64d70 More reports at: https://crash-stats.mozilla.com/report/list?signature=js%3A%3AAllFramesIter%3A%3ApopIonFrame%28%29 https://crash-stats.mozilla.com/report/list?signature=js%3A%3AScopeIter%3A%3Asettle%28%29
|
Reporter | |
Updated•8 years ago
|
Crash Signature: [@ js::AllFramesIter::popIonFrame()]
[@ js::ScopeIter::settle()] → [@ js::AllFramesIter::popIonFrame()]
[@ js::ScopeIter::settle()]
[@ js::ion::BaselineFrame::isNonStrictEvalFrame() const]
|
|
Reporter | |
Updated•8 years ago
|
Crash Signature: [@ js::AllFramesIter::popIonFrame()]
[@ js::ScopeIter::settle()]
[@ js::ion::BaselineFrame::isNonStrictEvalFrame() const] → [@ js::AllFramesIter::popIonFrame()]
[@ js::ScopeIter::settle()]
[@ js::ion::BaselineFrame::isNonStrictEvalFrame() const]
[@ js::ion::BaselineFrame::isNonStrictEvalFrame() ]
|
|
Reporter | |
Updated•8 years ago
|
Crash Signature: [@ js::AllFramesIter::popIonFrame()]
[@ js::ScopeIter::settle()]
[@ js::ion::BaselineFrame::isNonStrictEvalFrame() const]
[@ js::ion::BaselineFrame::isNonStrictEvalFrame() ] → [@ js::AllFramesIter::popIonFrame()]
[@ js::ScopeIter::settle()]
[@ js::ion::BaselineFrame::isNonStrictEvalFrame() const]
[@ js::ion::BaselineFrame::isNonStrictEvalFrame()]
I've reproduced this crash on Ubuntu 12.04 64-bit with Firefox Nightly 23.0a1 2013-04-08 Steps: 1. Install Firefox Nightly 23.0a1 2013-04-08 2. Install Firebug 1.11.2 3. Navigate to maps.google.com 4. Press F12 to show Firebug panel 5. Click the Script tab and click Enable 6. Reload the page and verify script content loads in the Firebug panel 7. Click Experience MapsGL and click Try it Now Result: Crash Reports: https://crash-stats.mozilla.com/report/index/bp-832837b9-4bc7-42c5-9b52-56fbf2130408 https://crash-stats.mozilla.com/report/index/bp-cc1457a1-1dcf-4d41-a278-488002130408 https://crash-stats.mozilla.com/report/index/cf728ffb-ce13-440e-9422-6eb782130408
Keywords: reproducible
This is not reproducible in Firefox Nightly 23.0a1 2013-03-08. I'll try to work on a regression range.
Keywords: regressionwindow-wanted
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #2) > This is not reproducible in Firefox Nightly 23.0a1 2013-03-08. I'll try to > work on a regression range. Sorry, this should be 2013-04-02.
|
Assignee | |
Comment 4•8 years ago
|
||
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #1) > I've reproduced this crash on Ubuntu 12.04 64-bit with Firefox Nightly > 23.0a1 2013-04-08 Excellent, thanks! I will look into this tomorrow. (In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #2) > This is not reproducible in Firefox Nightly 23.0a1 2013-03-08. I'll try to > work on a regression range. This likely came in with the BC landing (last Wednesday).
|
|
Assignee | |
Updated•8 years ago
|
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Last good nightly: 2013-04-03 First bad nightly: 2013-04-04 Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=97cfc16ba5dc&tochange=c232bec6974d This would seem to confirm comment 4.
Keywords: regressionwindow-wanted
|
|
Assignee | |
Comment 6•8 years ago
|
||
I can reproduce on OS X with the steps in comment 1; going to build a debug browser now.
|
|
Assignee | |
Comment 7•8 years ago
|
||
Problem is that we correctly called DebugScopes::onPopCall for function frames, but we didn't call DebugScopes::onPopStrictEvalScope for strict-eval frames. The patch adds the call (see also StackFrame::epilogue) and fixes the Google Maps crash. Without the onPopStrictEvalScope call we can keep a bogus BaselineFrame pointer stored in the DebugScopes map. When accessing this pointer, things can crash in different ways depending on what's on the stack etc, hence the multiple signatures. Not sure why the fuzzers didn't catch this. I tried to write a jit-test but gave up after a while. Furthermore, if JSD is enabled, we currently eagerly compile scripts so that we don't have to OSR into Baseline and update the StackFrame pointer stored by JSD. The patch makes this check a bit more explicit/robust.
Attachment #736193 -
Flags: review?(kvijayan)
|
||
Comment 8•8 years ago
|
||
Comment on attachment 736193 [details] [diff] [review] Patch Review of attachment 736193 [details] [diff] [review]: ----------------------------------------------------------------- Nice.
Attachment #736193 -
Flags: review?(kvijayan) → review+
|
|
Assignee | |
Comment 9•8 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/006605c1ccc5 (Linux64 Try: https://tbpl.mozilla.org/?tree=Try&rev=f37d2e034d53)
|
|
Reporter | |
Updated•8 years ago
|
Crash Signature: [@ js::AllFramesIter::popIonFrame()]
[@ js::ScopeIter::settle()]
[@ js::ion::BaselineFrame::isNonStrictEvalFrame() const]
[@ js::ion::BaselineFrame::isNonStrictEvalFrame()] → [@ js::AllFramesIter::popIonFrame()]
[@ js::ScopeIter::settle()]
[@ js::ion::BaselineFrame::isNonStrictEvalFrame() const]
[@ js::ion::BaselineFrame::isNonStrictEvalFrame()]
[@ js::AbstractFramePtr::evalPrevScopeChain(JSRuntime*) const ]
|
||
Comment 10•8 years ago
|
||
(In reply to Jan de Mooij [:jandem] from comment #9) > https://hg.mozilla.org/integration/mozilla-inbound/rev/006605c1ccc5 > > (Linux64 Try: https://tbpl.mozilla.org/?tree=Try&rev=f37d2e034d53) This build makes the crash unreproducible for me.
|
|
Assignee | |
Comment 11•8 years ago
|
||
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #10) > > This build makes the crash unreproducible for me. Great, thanks for verifying!
|
||
Comment 12•8 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/006605c1ccc5
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
|
|
||
Comment 13•8 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #12) > https://hg.mozilla.org/mozilla-central/rev/006605c1ccc5 Marking this fixed for Firefox 23. Will verify on Monday with the latest Nightly.
|
||
Updated•8 years ago
|
|
|
||
Updated•8 years ago
|
tracking-firefox23:
+ → ---
|
|
||
Comment 14•8 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #12) > https://hg.mozilla.org/mozilla-central/rev/006605c1ccc5 I cannot reproduce this crash with my steps in comment 1 using Firefox Nightly 23.0a1 2013-04-17.
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•