crash in js::ScopeIter::settle

VERIFIED FIXED in Firefox 23

Status

--
critical
VERIFIED FIXED
6 years ago
6 years ago

People

(Reporter: scoobidiver, Assigned: jandem)

Tracking

(4 keywords)

23 Branch
mozilla23
crash, regression, reproducible, topcrash
Points:
---

Firefox Tracking Flags

(firefox22 unaffected, firefox23 verified)

Details

(crash signature)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
It first showed up in 23.0a1/20130403 and is currently #10 top browser crasher in 23.0a1. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=aae004a3c5d9&tochange=97cfc16ba5dc
It's mostly correlated to Firebug (manual check).

Signature	js::AllFramesIter::popIonFrame()
UUID	14f8ba61-72f1-4880-b291-a79012130405
Date Processed	2013-04-05 15:48:53
Uptime	134
Last Crash	2.5 minutes before submission
Install Age	12.0 minutes since version was first installed.
Install Time	2013-04-05 15:36:17
Product	Firefox
Version	23.0a1
Build ID	20130405030918
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 42 stepping 7
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0xc
App Notes	AdapterVendorID: 0x8086, AdapterDeviceID: 0x0126, AdapterSubsysID: 04931028, AdapterDriverVersion: 8.15.10.2279
	D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+
Processor Notes	sp-processor10.phx1.mozilla.com_15924:2008
EMCheckCompatibility	True
Adapter Vendor ID	0x8086
Adapter Device ID	0x0126
Total Virtual Memory	2147352576
Available Virtual Memory	1602793472
System Memory Use Percentage	75
Available Page File	3482660864
Available Physical Memory	824999936

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::AllFramesIter::popIonFrame 	js/src/vm/Stack.cpp:2216
1 	mozjs.dll 	js::AllFramesIter::operator++ 	js/src/vm/Stack.cpp:2246
2 	mozjs.dll 	js::AbstractFramePtr::evalPrevScopeChain 	js/src/vm/Stack.cpp:2307
3 	mozjs.dll 	js::ScopeIter::settle 	js/src/vm/ScopeObject.cpp:1043
4 	mozjs.dll 	js::ScopeIter::ScopeIter 	js/src/vm/ScopeObject.cpp:965
5 	mozjs.dll 	GetDebugScope 	js/src/vm/ScopeObject.cpp:2096
6 	mozjs.dll 	GetDebugScope 	js/src/vm/ScopeObject.cpp:2109
7 	mozjs.dll 	GetDebugScopeForScope 	js/src/vm/ScopeObject.cpp:1992
8 	mozjs.dll 	GetDebugScope 	js/src/vm/ScopeObject.cpp:2117
9 	mozjs.dll 	GetDebugScope 	js/src/vm/ScopeObject.cpp:2097
10 	mozjs.dll 	GetDebugScope 	js/src/vm/ScopeObject.cpp:2109
11 	mozjs.dll 	GetDebugScopeForScope 	js/src/vm/ScopeObject.cpp:1992
12 	mozjs.dll 	GetDebugScope 	js/src/vm/ScopeObject.cpp:2117
13 	mozjs.dll 	js::GetDebugScopeForFrame 	js/src/vm/ScopeObject.cpp:2137
14 	mozjs.dll 	JSAbstractFramePtr::scopeChain 	js/src/jsdbgapi.cpp:1234
15 	xul.dll 	jsd_GetScopeChainForStackFrame 	js/jsd/jsd_stak.cpp:292
16 	xul.dll 	jsdStackFrame::GetScope 	js/jsd/jsd_xpc.cpp:1998
17 	xul.dll 	NS_InvokeByIndex 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:70
18 	xul.dll 	XPC_WN_GetterSetter 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1508
19 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:408
20 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:455
21 	mozjs.dll 	js::ion::DoGetPropFallback 	js/src/ion/BaselineIC.cpp:4872
22 	mozjs.dll 	mozjs.dll@0x64d70 	

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3AAllFramesIter%3A%3ApopIonFrame%28%29
https://crash-stats.mozilla.com/report/list?signature=js%3A%3AScopeIter%3A%3Asettle%28%29
(Reporter)

Updated

6 years ago
Crash Signature: [@ js::AllFramesIter::popIonFrame()] [@ js::ScopeIter::settle()] → [@ js::AllFramesIter::popIonFrame()] [@ js::ScopeIter::settle()] [@ js::ion::BaselineFrame::isNonStrictEvalFrame() const]
(Reporter)

Updated

6 years ago
Crash Signature: [@ js::AllFramesIter::popIonFrame()] [@ js::ScopeIter::settle()] [@ js::ion::BaselineFrame::isNonStrictEvalFrame() const] → [@ js::AllFramesIter::popIonFrame()] [@ js::ScopeIter::settle()] [@ js::ion::BaselineFrame::isNonStrictEvalFrame() const] [@ js::ion::BaselineFrame::isNonStrictEvalFrame() ]
(Reporter)

Updated

6 years ago
Crash Signature: [@ js::AllFramesIter::popIonFrame()] [@ js::ScopeIter::settle()] [@ js::ion::BaselineFrame::isNonStrictEvalFrame() const] [@ js::ion::BaselineFrame::isNonStrictEvalFrame() ] → [@ js::AllFramesIter::popIonFrame()] [@ js::ScopeIter::settle()] [@ js::ion::BaselineFrame::isNonStrictEvalFrame() const] [@ js::ion::BaselineFrame::isNonStrictEvalFrame()]
I've reproduced this crash on Ubuntu 12.04 64-bit with Firefox Nightly 23.0a1 2013-04-08.

Steps:
1. Install Firefox Nightly 23.0a1 2013-04-08
2. Install Firebug 1.11.2
3. Navigate to maps.google.com
4. Press F12 to show Firebug panel
5. Click the Script tab and click Enable
6. Reload the page and verify script content loads in the Firebug panel
7. Click Experience MapsGL and click Try it Now

Result: Crash

Reports:
https://crash-stats.mozilla.com/report/index/bp-832837b9-4bc7-42c5-9b52-56fbf2130408
https://crash-stats.mozilla.com/report/index/bp-cc1457a1-1dcf-4d41-a278-488002130408
https://crash-stats.mozilla.com/report/index/cf728ffb-ce13-440e-9422-6eb782130408
Keywords: reproducible
This is not reproducible in Firefox Nightly 23.0a1 2013-03-08. I'll try to work on a regression range.
Keywords: regressionwindow-wanted
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #2)
> This is not reproducible in Firefox Nightly 23.0a1 2013-03-08. I'll try to
> work on a regression range.

Sorry, this should be 2013-04-02.
(Assignee)

Comment 4

6 years ago
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #1)
> I've reproduced this crash on Ubuntu 12.04 64-bit with Firefox Nightly
> 23.0a1 2013-04-08

Excellent, thanks! I will look into this tomorrow.
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #2)
> This is not reproducible in Firefox Nightly 23.0a1 2013-03-08. I'll try to
> work on a regression range.

This likely came in with the BC landing (last Wednesday).
(Assignee)

Updated

6 years ago
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Last good nightly: 2013-04-03
First bad nightly: 2013-04-04

Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=97cfc16ba5dc&tochange=c232bec6974d

This would seem to confirm comment 4.
Keywords: regressionwindow-wanted
(Assignee)

Comment 6

6 years ago
I can reproduce on OS X with the steps in comment 1; going to build a debug browser now.
(Assignee)

Comment 7

6 years ago
Created attachment 736193 [details] [diff] [review]
Patch

Problem is that we correctly called DebugScopes::onPopCall for function frames, but we didn't call DebugScopes::onPopStrictEvalScope for strict-eval frames. The patch adds the call (see also StackFrame::epilogue) and fixes the Google Maps crash.

Without the onPopStrictEvalScope call we can keep a bogus BaselineFrame pointer stored in the DebugScopes map. When accessing this pointer, things can crash in different ways depending on what's on the stack, etc., hence the multiple signatures.

Not sure why the fuzzers didn't catch this. I tried to write a jit-test but gave up after a while.

Furthermore, if JSD is enabled, we currently eagerly compile scripts so that we don't have to OSR into Baseline and update the StackFrame pointer stored by JSD. The patch makes this check a bit more explicit/robust.
Attachment #736193 - Flags: review?(kvijayan)
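A toy model of the mechanism comment 7 describes, added here as an example and not SpiderMonkey's own code: DebugScopes, Frame, epilogueBuggy, epilogueFixed and leavesStaleEntry are stand-in names. It shows how a side-table keyed by a raw frame pointer keeps a stale entry when the strict-eval epilogue skips its cleanup call, which is what a later debugger scope lookup then follows.

```cpp
// Added example (not SpiderMonkey code): toy model of a DebugScopes-style
// side-table keyed by raw frame pointers, and of the epilogue that must
// remove the entry before the frame's memory is released.
#include <map>
#include <memory>
#include <string>

enum class FrameKind { Function, StrictEval };

struct Frame {                      // stand-in for BaselineFrame
    FrameKind kind;
    std::string scope;              // what the debug scope wraps
};

// Stand-in for js::DebugScopes: maps live frames to their debug scopes.
class DebugScopes {
    std::map<const Frame*, std::string> live_;
public:
    void onEnter(const Frame* f) { live_[f] = f->scope; }
    void onPopCall(const Frame* f) { live_.erase(f); }
    void onPopStrictEvalScope(const Frame* f) { live_.erase(f); }
    bool hasEntryFor(const Frame* f) const { return live_.count(f) != 0; }
};

// Epilogue as described before the fix: only function frames are cleaned up,
// so a strict-eval frame's entry outlives the frame.
void epilogueBuggy(DebugScopes& ds, const Frame* f) {
    if (f->kind == FrameKind::Function)
        ds.onPopCall(f);
}

// Epilogue with the fix: strict-eval frames also drop their entry.
void epilogueFixed(DebugScopes& ds, const Frame* f) {
    if (f->kind == FrameKind::Function)
        ds.onPopCall(f);
    else
        ds.onPopStrictEvalScope(f);
}

// Pushes one frame of the given kind, pops it through the chosen epilogue,
// frees it, and reports whether the map still holds the (now dangling) key.
bool leavesStaleEntry(FrameKind kind, bool useFixedEpilogue) {
    DebugScopes ds;
    auto frame = std::make_unique<Frame>(Frame{kind, "scope"});
    const Frame* key = frame.get();
    ds.onEnter(key);
    if (useFixedEpilogue) epilogueFixed(ds, key); else epilogueBuggy(ds, key);
    frame.reset();                  // frame memory released; key dangles
    return ds.hasEntryFor(key);     // true means a stale pointer survived
}
```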
Comment on attachment 736193 [details] [diff] [review]
Patch

Review of attachment 736193 [details] [diff] [review]:
-----------------------------------------------------------------

Nice.
Attachment #736193 - Flags: review?(kvijayan) → review+
(Reporter)

Updated

6 years ago
Crash Signature: [@ js::AllFramesIter::popIonFrame()] [@ js::ScopeIter::settle()] [@ js::ion::BaselineFrame::isNonStrictEvalFrame() const] [@ js::ion::BaselineFrame::isNonStrictEvalFrame()] → [@ js::AllFramesIter::popIonFrame()] [@ js::ScopeIter::settle()] [@ js::ion::BaselineFrame::isNonStrictEvalFrame() const] [@ js::ion::BaselineFrame::isNonStrictEvalFrame()] [@ js::AbstractFramePtr::evalPrevScopeChain(JSRuntime*) const ]
(In reply to Jan de Mooij [:jandem] from comment #9)
> https://hg.mozilla.org/integration/mozilla-inbound/rev/006605c1ccc5
> 
> (Linux64 Try: https://tbpl.mozilla.org/?tree=Try&rev=f37d2e034d53)

This build makes the crash unreproducible for me.
(Assignee)

Comment 11

6 years ago
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #10)
> 
> This build makes the crash unreproducible for me.

Great, thanks for verifying!
https://hg.mozilla.org/mozilla-central/rev/006605c1ccc5
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
(In reply to Ryan VanderMeulen [:RyanVM] from comment #12)
> https://hg.mozilla.org/mozilla-central/rev/006605c1ccc5

Marking this fixed for Firefox 23. Will verify on Monday with the latest Nightly.
status-firefox23: affected → fixed
Keywords: verifyme
QA Contact: anthony.s.hughes
tracking-firefox23: ? → +
tracking-firefox23: + → ---
(In reply to Ryan VanderMeulen [:RyanVM] from comment #12)
> https://hg.mozilla.org/mozilla-central/rev/006605c1ccc5

I cannot reproduce this crash with my steps in comment 1 using Firefox Nightly 23.0a1 2013-04-17.
Status: RESOLVED → VERIFIED
status-firefox23: fixed → verified
Keywords: verifyme