Closed Bug 883524 Opened 6 years ago Closed 6 years ago

Crash Report [@ JSScript::ensureRanAnalysis(JSContext*) ]

Categories: Core :: JavaScript Engine, defect, critical
Version: 24 Branch
Type: defect
Priority: Not set
Severity: critical

Status: VERIFIED FIXED
Target Milestone: mozilla24
Tracking Status:
firefox23 --- unaffected
firefox24 + verified

People: Reporter: jmjjeffery, Assigned: bhackett

Details: 4 keywords, Whiteboard: [native-crash]

Attachments: 1 file

STR: 
1.  Open groups.google.com
2.  Crash 

tested using the Nightly m-c build 6/13/2013 
cset: https://hg.mozilla.org/mozilla-central/rev/3d16d59c9317

Crash first noted in hourly build based on:
cset: https://hg.mozilla.org/mozilla-central/rev/05d9196b27a1

Also, could be related:
Open google.com
search for anything
Note: the 'search tools' button and the 'more' drop-box do not do anything

Also in the Error Console2 when first opening the google.com page this error is shown:

Sat Jun 15 2013 09:53:03
Error: SyntaxError: syntax error
Source file: https://www.google.com/xjs/_/js/k=xjs.s.en_US.O4F8cgGsAy8.O/m=c,sb,cr,cdos,jp,vm,tbui,mb,wobnm,cfm,abd,bihu,kp,lu,imap,m,tnv,amcl,erh,hv,lc,ob,r,rsn,sf,sfa,shb,tbpr,hsm,j,p,pcc,csi/am=yA/rt=j/d=1/sv=1/rs=AItRSTPY0jHO6XVcz2PUe3NXdFrIdXxEMg
Line: 1360, Column: 60
Source code:
f)&&/(\\?|&)adurl=/.test(c.href)&&!/(\\?|&)q=/.test(c.href))/(\\?|&)rct=j/.test(c.href)||(e+="&rct=j"),/(\\?|&)q=/.test(
The Syntax error problem is a different regression range, see bug 883523.

Regression window for the crash is as follows

Regression window(m-i)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/52c875b9c520
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130613 Firefox/24.0 ID:20130614015908
Bad:
http://hg.mozilla.org/integration/mozilla-inbound/rev/18c1fd169792
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130614 Firefox/24.0 ID:20130614031707
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=52c875b9c520&tochange=18c1fd169792

Regressed by: 
18c1fd169792	Nicholas D. Matsakis — Bug 880208 - Add UnsafeGet and UnsafeGetImmutable intrinsics r=djvj
Blocks: 880208
Crash Signature: [@ JSScript::ensureRanAnalysis(JSContext*)]
OS: Windows 7 → All
Unfortunately, m-i tinderbox build a8e3d80187d1 did not fix the crash....
a8e3d80187d1 	Gary Kwong — Backout rev 18c1fd169792 for causing issues with the fuzzers. r=luke in-person
No longer blocks: 880208
The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b197bed90a98&tochange=3d16d59c9317
Crash Signature: [@ JSScript::ensureRanAnalysis(JSContext*)] → [@ JSScript::ensureRanAnalysis(JSContext*)] [@ AnalyzeNewScriptProperties ]
Keywords: crash, topcrash
Hardware: x86_64 → All
Whiteboard: [native-crash]
Version: Trunk → 24 Branch
Duplicate of this bug: 883561
In a debug build, on the google groups page, I get the assertion:
  Assertion failure: hasScript(), at /Users/amccreight/mz/cent/js/src/jsfun.h:237

The stack is:
AnalyzeNewScriptProperties(JSContext*, js::types::TypeObject*, JS::Handle<JSFunction*>, NewScriptPropertiesState&) + 3421
CheckNewScriptProperties(JSContext*, JS::Handle<js::types::TypeObject*>, JS::Handle<JSFunction*>) + 236
JSCompartment::getNewType(JSContext*, js::Class*, js::TaggedProto, JSFunction*) + 603
js::CreateThisForFunctionWithProto(JSContext*, JS::Handle<JSObject*>, JSObject*, js::NewObjectKind) + 89
Attached patch: patch (Attachment #763161)
This is definitely due to bug 678037.  There is a place where we assume a function doesn't have a lazy script when in fact it might.
Assignee: general → bhackett1024
Attachment #763161 - Flags: review?(luke)
Blocks: LazyBytecode
Pushing this ahead of review to fix the crashes; this patch is simple.

https://hg.mozilla.org/integration/mozilla-inbound/rev/6c897b8852ab
I can confirm that the m-i build with this patch does fix the crash on groups.google.com

win7 x64 32bit hourly m-i 
cset: https://hg.mozilla.org/integration/mozilla-inbound/rev/6c897b8852ab
Blocks: 883589
https://hg.mozilla.org/mozilla-central/rev/6c897b8852ab

Should this have a test?
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Duplicate of this bug: 883652
Attachment #763161 - Flags: review?(luke) → review+
Haven't had a crash on this yet after 6/15
Verified as fixed on FF 24b6 using Windows 7 x64, Mac OS 10.7.5 and Ubuntu 13.04
BuildID: 20130826142034
Status: RESOLVED → VERIFIED