Closed Bug 877625 Opened 12 years ago Closed 11 years ago

crash in jsdScript::GetFunctionSource @ js::ScriptSource::hasSourceData with Firebug

Categories

(Core :: JavaScript Engine, defect)

24 Branch
x86
Windows 7
defect
Not set
critical

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox23 --- unaffected
firefox24 --- affected
firefox25 --- affected

People

(Reporter: scoobidiver, Unassigned)

Details

(Keywords: crash, regression)

Crash Data

It first showed up in 24.0a1/20130524. The regression window is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=00b264c7cced&tochange=df526497d949
It might be a regression from bug 871306.

Signature: js::ScriptSource::hasSourceData()
UUID: c2f7e906-fd72-48e2-b055-8bfd32130530
Date Processed: 2013-05-30 12:13:00
Uptime: 10849
Install Age: 17.0 hours since version was first installed.
Install Time: 2013-05-29 19:11:22
Product: Firefox
Version: 24.0a1
Build ID: 20130529031131
Release Channel: nightly
OS: Windows NT
OS Version: 6.1.7601 Service Pack 1
Build Architecture: x86
Build Architecture Info: GenuineIntel family 6 model 58 stepping 9
Crash Reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash Address: 0xffffffffdadadada
App Notes: AdapterVendorID: 0x8086, AdapterDeviceID: 0x0166, AdapterSubsysID: 05841028, AdapterDriverVersion: 8.15.10.2712 D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ D3D10 Layers- D3D9 Layers? D3D9 Layers-
Processor Notes: sp-processor04_phx1_mozilla_com_24908:2012; non-integer value of "SecondsSinceLastCrash"
EMCheckCompatibility: True
Adapter Vendor ID: 0x8086
Adapter Device ID: 0x0166
Total Virtual Memory: 4294836224
Available Virtual Memory: 3376885760
System Memory Use Percentage: 28
Available Page File: 14422347776
Available Physical Memory: 6034980864

Frame  Module     Signature                                Source
0      mozjs.dll  js::ScriptSource::hasSourceData          js/src/jsscript.h:1035
1      mozjs.dll  js::FunctionToString                     js/src/jsfun.cpp:628
2      mozjs.dll  JS_DecompileFunction                     js/src/jsapi.cpp:5588
3      xul.dll    jsdScript::GetFunctionSource             js/jsd/jsd_xpc.cpp:1311
4      xul.dll    NS_InvokeByIndex                         xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:70
5      xul.dll    XPC_WN_GetterSetter                      js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1535
6      mozjs.dll  js::Invoke                               js/src/jsinterp.cpp:441
7      mozjs.dll  js::GetPropertyOperation                 js/src/jsinterpinlines.h:293
8      mozjs.dll  js::Interpret                            js/src/jsinterp.cpp:2067
9      nss3.dll   PR_Unlock                                nsprpub/pr/src/threads/combined/prulock.c:315
10     mozjs.dll  js::gc::ArenaLists::refillFreeList<1>    js/src/jsgc.cpp:1514
11     mozjs.dll  js::NewObjectWithGivenProto              js/src/jsobj.cpp:1311
12     mozjs.dll  NewProxyObject                           js/src/jsproxy.cpp:3268
13     mozjs.dll  js::Wrapper::New                         js/src/jswrapper.cpp:41
14     mozjs.dll  JSFunction::getOrCreateScript            js/src/jsfun.h:214
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3AScriptSource%3A%3AhasSourceData%28%29
My bet is on bug 637572. Paging dr. Bruel.
Flags: needinfo?(ejpbruel)
Looks like ScriptSource is getting freed prematurely. Do you have steps to reproduce?
Flags: needinfo?(ejpbruel)
(In reply to Eddy Bruel [:ejpbruel] from comment #2)
> Do you have steps to reproduce?

A comment in French says it occurs when disabling Firebug.
With combined signatures, it's #18 browser crasher in 24.0a2 and 25.0a1. Reports also at: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=js%3A%3AObjectImpl%3A%3AgetSlot%28unsigned+int%29
Crash Signature: [@ js::ScriptSource::hasSourceData()] → [@ js::ScriptSource::hasSourceData()] [@ js::ObjectImpl::getSlot(unsigned int) ]
Crash Signature: [@ js::ScriptSource::hasSourceData()] [@ js::ObjectImpl::getSlot(unsigned int) ] → [@ js::ScriptSource::hasSourceData()] [@ js::ObjectImpl::getSlot(unsigned int) ] [@ js::FunctionToString(JSContext*, JS::Handle<JSFunction*>, bool, bool) ]
I'm (possibly) seeing this bug several times a day. My crash report can be found here https://crash-stats.mozilla.com/report/index/67350ffc-3a70-4d53-8805-c6ee62140219
Although I'm on OS X
I don't see a single instance of this with any version > 29, so I'd say this is fixed in Aurora. Given that current release (i.e., 28) seems to have reduced the crash rate quite a bit (the vast majority of reports are still from 27.0.1) and we don't know what fixed it entirely for Aurora, I'll mark this as WORKSFORME.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
Till, I think I'd be inclined to agree with you. I had forgotten about this posting. I'm not getting this crash anymore, and I'm on 28 =]
(In reply to relequestual from comment #10)
> Till, I think I'd be inclined to agree with you. I had forgotten about this
> posting. I'm not getting this crash anymore, and I'm on 28 =]

That's great to hear, thanks for the confirmation.