Bug 858655 - crash in js::ScopeIter::settle
Status: VERIFIED FIXED (Closed)
Opened 12 years ago; closed 12 years ago
Category: Core :: JavaScript Engine, defect
Target milestone: mozilla23

| | Tracking | Status |
|---|---|---|
| firefox22 | --- | unaffected |
| firefox23 | --- | verified |

People: Reporter scoobidiver, Assignee jandem
Attachments (1 file): patch, 2.55 KB, djvj: review+
It first showed up in 23.0a1/20130403 and is currently #10 top browser crasher in 23.0a1. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=aae004a3c5d9&tochange=97cfc16ba5dc
It's mostly correlated to Firebug (manual check).
Signature js::AllFramesIter::popIonFrame()
UUID 14f8ba61-72f1-4880-b291-a79012130405
Date Processed 2013-04-05 15:48:53
Uptime 134
Last Crash 2.5 minutes before submission
Install Age 12.0 minutes since version was first installed.
Install Time 2013-04-05 15:36:17
Product Firefox
Version 23.0a1
Build ID 20130405030918
Release Channel nightly
OS Windows NT
OS Version 6.1.7601 Service Pack 1
Build Architecture x86
Build Architecture Info GenuineIntel family 6 model 42 stepping 7
Crash Reason EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 0xc
App Notes
AdapterVendorID: 0x8086, AdapterDeviceID: 0x0126, AdapterSubsysID: 04931028, AdapterDriverVersion: 8.15.10.2279
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+
Processor Notes sp-processor10.phx1.mozilla.com_15924:2008
EMCheckCompatibility True
Adapter Vendor ID 0x8086
Adapter Device ID 0x0126
Total Virtual Memory 2147352576
Available Virtual Memory 1602793472
System Memory Use Percentage 75
Available Page File 3482660864
Available Physical Memory 824999936
Frame Module Signature Source
0 mozjs.dll js::AllFramesIter::popIonFrame js/src/vm/Stack.cpp:2216
1 mozjs.dll js::AllFramesIter::operator++ js/src/vm/Stack.cpp:2246
2 mozjs.dll js::AbstractFramePtr::evalPrevScopeChain js/src/vm/Stack.cpp:2307
3 mozjs.dll js::ScopeIter::settle js/src/vm/ScopeObject.cpp:1043
4 mozjs.dll js::ScopeIter::ScopeIter js/src/vm/ScopeObject.cpp:965
5 mozjs.dll GetDebugScope js/src/vm/ScopeObject.cpp:2096
6 mozjs.dll GetDebugScope js/src/vm/ScopeObject.cpp:2109
7 mozjs.dll GetDebugScopeForScope js/src/vm/ScopeObject.cpp:1992
8 mozjs.dll GetDebugScope js/src/vm/ScopeObject.cpp:2117
9 mozjs.dll GetDebugScope js/src/vm/ScopeObject.cpp:2097
10 mozjs.dll GetDebugScope js/src/vm/ScopeObject.cpp:2109
11 mozjs.dll GetDebugScopeForScope js/src/vm/ScopeObject.cpp:1992
12 mozjs.dll GetDebugScope js/src/vm/ScopeObject.cpp:2117
13 mozjs.dll js::GetDebugScopeForFrame js/src/vm/ScopeObject.cpp:2137
14 mozjs.dll JSAbstractFramePtr::scopeChain js/src/jsdbgapi.cpp:1234
15 xul.dll jsd_GetScopeChainForStackFrame js/jsd/jsd_stak.cpp:292
16 xul.dll jsdStackFrame::GetScope js/jsd/jsd_xpc.cpp:1998
17 xul.dll NS_InvokeByIndex xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:70
18 xul.dll XPC_WN_GetterSetter js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1508
19 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:408
20 mozjs.dll js::Invoke js/src/jsinterp.cpp:455
21 mozjs.dll js::ion::DoGetPropFallback js/src/ion/BaselineIC.cpp:4872
22 mozjs.dll mozjs.dll@0x64d70
More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3AAllFramesIter%3A%3ApopIonFrame%28%29
https://crash-stats.mozilla.com/report/list?signature=js%3A%3AScopeIter%3A%3Asettle%28%29
Reporter, updated 12 years ago:
Crash Signature: [@ js::AllFramesIter::popIonFrame()] [@ js::ScopeIter::settle()] → [@ js::AllFramesIter::popIonFrame()] [@ js::ScopeIter::settle()] [@ js::ion::BaselineFrame::isNonStrictEvalFrame() const]
Reporter, updated 12 years ago:
Crash Signature: [@ js::AllFramesIter::popIonFrame()] [@ js::ScopeIter::settle()] [@ js::ion::BaselineFrame::isNonStrictEvalFrame() const] → [@ js::AllFramesIter::popIonFrame()] [@ js::ScopeIter::settle()] [@ js::ion::BaselineFrame::isNonStrictEvalFrame() const] [@ js::ion::BaselineFrame::isNonStrictEvalFrame() ]
Reporter, updated 12 years ago:
Crash Signature: [@ js::AllFramesIter::popIonFrame()] [@ js::ScopeIter::settle()] [@ js::ion::BaselineFrame::isNonStrictEvalFrame() const] [@ js::ion::BaselineFrame::isNonStrictEvalFrame() ] → [@ js::AllFramesIter::popIonFrame()] [@ js::ScopeIter::settle()] [@ js::ion::BaselineFrame::isNonStrictEvalFrame() const] [@ js::ion::BaselineFrame::isNonStrictEvalFrame()]
I've reproduced this crash on Ubuntu 12.04 64-bit with Firefox Nightly 23.0a1 2013-04-08
Steps:
1. Install Firefox Nightly 23.0a1 2013-04-08
2. Install Firebug 1.11.2
3. Navigate to maps.google.com
4. Press F12 to show Firebug panel
5. Click the Script tab and click Enable
6. Reload the page and verify script content loads in the Firebug panel
7. Click Experience MapsGL and click Try it Now
Result: Crash
Reports:
https://crash-stats.mozilla.com/report/index/bp-832837b9-4bc7-42c5-9b52-56fbf2130408
https://crash-stats.mozilla.com/report/index/bp-cc1457a1-1dcf-4d41-a278-488002130408
https://crash-stats.mozilla.com/report/index/cf728ffb-ce13-440e-9422-6eb782130408
Keywords: reproducible
This is not reproducible in Firefox Nightly 23.0a1 2013-03-08. I'll try to work on a regression range.
Keywords: regressionwindow-wanted
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #2)
> This is not reproducible in Firefox Nightly 23.0a1 2013-03-08. I'll try to
> work on a regression range.
Sorry, this should be 2013-04-02.
Comment 4 (Assignee, 12 years ago):
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #1)
> I've reproduced this crash on Ubuntu 12.04 64-bit with Firefox Nightly
> 23.0a1 2013-04-08
Excellent, thanks! I will look into this tomorrow.
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #2)
> This is not reproducible in Firefox Nightly 23.0a1 2013-03-08. I'll try to
> work on a regression range.
This likely came in with the BC landing (last Wednesday).
Assignee, updated 12 years ago:
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Last good nightly: 2013-04-03
First bad nightly: 2013-04-04
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=97cfc16ba5dc&tochange=c232bec6974d
This would seem to confirm comment 4.
Keywords: regressionwindow-wanted
Comment 6 (Assignee, 12 years ago):
I can reproduce on OS X with the steps in comment 1; going to build a debug browser now.
Comment 7 (Assignee, 12 years ago):
Problem is that we correctly called DebugScopes::onPopCall for function frames, but we didn't call DebugScopes::onPopStrictEvalScope for strict-eval frames. The patch adds the call (see also StackFrame::epilogue) and fixes the Google Maps crash.
Without the onPopStrictEvalScope call we can keep a bogus BaselineFrame pointer stored in the DebugScopes map. When accessing this pointer, things can crash in different ways depending on what's on the stack etc, hence the multiple signatures.
Not sure why the fuzzers didn't catch this. I tried to write a jit-test but gave up after a while.
Furthermore, if JSD is enabled, we currently eagerly compile scripts so that we don't have to OSR into Baseline and update the StackFrame pointer stored by JSD. The patch makes this check a bit more explicit/robust.
Attachment #736193 - Flags: review?(kvijayan)
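The failure mode comment 7 describes, modelled as an added example (not SpiderMonkey's code): a debugger side table keyed by raw frame pointers must be unregistered on every frame kind's pop path, and a pop path that skips one kind leaves a dangling key behind. `DebugScopes`, `Frame`, `popFrame` and `runScenario` are hypothetical stand-ins; the invariant check shows the kind of defensive assertion that turns such a stale pointer into a deterministic failure instead of the signature-dependent crashes seen above.

```cpp
#include <cstddef>
#include <memory>
#include <unordered_map>
#include <vector>

enum class FrameKind { Function, StrictEval };
struct Frame { FrameKind kind; int depth; };  // depth: constructed payload only
using Stack = std::vector<std::unique_ptr<Frame>>;

// Hypothetical stand-in for js::DebugScopes: a side table keyed by raw frame address.
struct DebugScopes {
    std::unordered_map<const Frame*, int> scopes;
    void onPush(const Frame* f) { scopes[f] = f->depth; }
    void onPopCall(const Frame* f) { scopes.erase(f); }             // function frames
    void onPopStrictEvalScope(const Frame* f) { scopes.erase(f); }  // strict-eval frames
    // Invariant a debugger-side assertion can check: every key must still be a
    // live frame on the stack. Returns the number of dangling keys.
    std::size_t staleEntries(const Stack& live) const {
        std::size_t stale = 0;
        for (const auto& kv : scopes) {
            bool found = false;
            for (const auto& f : live) found = found || (f.get() == kv.first);
            if (!found) ++stale;
        }
        return stale;
    }
};

// Pops the top frame. `fixed` selects the corrected epilogue that also
// unregisters strict-eval frames (the call comment 7 says was missing).
void popFrame(Stack& stack, DebugScopes& ds, bool fixed) {
    const Frame* f = stack.back().get();
    if (f->kind == FrameKind::Function) ds.onPopCall(f);
    else if (fixed) ds.onPopStrictEvalScope(f);
    stack.pop_back();  // frame memory is freed; any key left behind now dangles
}

// Constructed scenario: a function frame runs a strict eval, then both pop.
// Returns the number of dangling DebugScopes keys left behind (1 buggy, 0 fixed).
std::size_t runScenario(bool fixed) {
    Stack stack;
    DebugScopes ds;
    stack.push_back(std::make_unique<Frame>(Frame{FrameKind::Function, 0}));
    ds.onPush(stack.back().get());
    stack.push_back(std::make_unique<Frame>(Frame{FrameKind::StrictEval, 1}));
    ds.onPush(stack.back().get());
    popFrame(stack, ds, fixed);
    popFrame(stack, ds, fixed);
    return ds.staleEntries(stack);
}
```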
Comment 8 (12 years ago):
Comment on attachment 736193 [details] [diff] [review]
Patch
Review of attachment 736193 [details] [diff] [review]:
-----------------------------------------------------------------
Nice.
Attachment #736193 - Flags: review?(kvijayan) → review+
Comment 9 (Assignee, 12 years ago):
Reporter, updated 12 years ago:
Crash Signature: [@ js::AllFramesIter::popIonFrame()] [@ js::ScopeIter::settle()] [@ js::ion::BaselineFrame::isNonStrictEvalFrame() const] [@ js::ion::BaselineFrame::isNonStrictEvalFrame()] → [@ js::AllFramesIter::popIonFrame()] [@ js::ScopeIter::settle()] [@ js::ion::BaselineFrame::isNonStrictEvalFrame() const] [@ js::ion::BaselineFrame::isNonStrictEvalFrame()] [@ js::AbstractFramePtr::evalPrevScopeChain(JSRuntime*) const ]
Comment 10 (12 years ago):
(In reply to Jan de Mooij [:jandem] from comment #9)
> https://hg.mozilla.org/integration/mozilla-inbound/rev/006605c1ccc5
>
> (Linux64 Try: https://tbpl.mozilla.org/?tree=Try&rev=f37d2e034d53)
This build makes the crash unreproducible for me.
Comment 11 (Assignee, 12 years ago):
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #10)
>
> This build makes the crash unreproducible for me.
Great, thanks for verifying!
Comment 12 (12 years ago):
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Comment 13 (12 years ago):
(In reply to Ryan VanderMeulen [:RyanVM] from comment #12)
> https://hg.mozilla.org/mozilla-central/rev/006605c1ccc5
Marking this fixed for Firefox 23. Will verify on Monday with the latest Nightly.
Updated 12 years ago:
tracking-firefox23: + → ---
Comment 14 (12 years ago):
(In reply to Ryan VanderMeulen [:RyanVM] from comment #12)
> https://hg.mozilla.org/mozilla-central/rev/006605c1ccc5
I cannot reproduce this crash with my steps in comment 1 using Firefox Nightly 23.0a1 2013-04-17.
Status: RESOLVED → VERIFIED