Closed
Bug 883524
Opened 6 years ago
Closed 6 years ago
Crash Report [@ JSScript::ensureRanAnalysis(JSContext*) ]
Categories
(Core :: JavaScript Engine, defect, critical)
Tracking
()
VERIFIED
FIXED
mozilla24
| Tracking | Status | |
|---|---|---|
| firefox23 | --- | unaffected |
| firefox24 | + | verified |
People
(Reporter: jmjjeffery, Assigned: bhackett)
References
()
Details
(4 keywords, Whiteboard: [native-crash])
Crash Data
Attachments
(1 file)
|
828 bytes,
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
STR: 1. Open groups.google.com 2. Crash tested using the Nightly m-c build 6/13/2013 cset: https://hg.mozilla.org/mozilla-central/rev/3d16d59c9317 Crash first noted in hourly build based on: cset: https://hg.mozilla.org/mozilla-central/rev/05d9196b27a1 Also, could be related. Open google.com search for anything Note: The 'search tools' button and the 'more' drop-box does not do anything Also in the Error Console2 when first opening the google.com page this error is shown: Sat Jun 15 2013 09:53:03 Error: SyntaxError: syntax error Source file: https://www.google.com/xjs/_/js/k=xjs.s.en_US.O4F8cgGsAy8.O/m=c,sb,cr,cdos,jp,vm,tbui,mb,wobnm,cfm,abd,bihu,kp,lu,imap,m,tnv,amcl,erh,hv,lc,ob,r,rsn,sf,sfa,shb,tbpr,hsm,j,p,pcc,csi/am=yA/rt=j/d=1/sv=1/rs=AItRSTPY0jHO6XVcz2PUe3NXdFrIdXxEMg Line: 1360, Column: 60 Source code: f)&&/(\\?|&)adurl=/.test(c.href)&&!/(\\?|&)q=/.test(c.href))/(\\?|&)rct=j/.test(c.href)||(e+="&rct=j"),/(\\?|&)q=/.test(
|
||
Comment 1•6 years ago
|
||
The Syntax error problem is a different regression range, See 883523. Regression window for the crash is as follows Regression window(m-i) Good: http://hg.mozilla.org/integration/mozilla-inbound/rev/52c875b9c520 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130613 Firefox/24.0 ID:20130614015908 Bad: http://hg.mozilla.org/integration/mozilla-inbound/rev/18c1fd169792 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130614 Firefox/24.0 ID:20130614031707 Pushlog: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=52c875b9c520&tochange=18c1fd169792 Regressed by: 18c1fd169792 Nicholas D. Matsakis — Bug 880208 - Add UnsafeGet and UnsafeGetImmutable intrinsics r=djvj
Blocks: 880208
Crash Signature: [@ JSScript::ensureRanAnalysis(JSContext*)]
tracking-firefox24:
--- → ?
Keywords: regressionwindow-wanted
|
|
||
Updated•6 years ago
|
OS: Windows 7 → All
|
|
||
Comment 2•6 years ago
|
||
Unfortunately, m-i tinderbox build a8e3d80187d1 did not fix the crash.... a8e3d80187d1 Gary Kwong — Backout rev 18c1fd169792 for causing issues with the fuzzers. r=luke in-person
No longer blocks: 880208
Keywords: regressionwindow-wanted
|
||
Comment 3•6 years ago
|
||
The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b197bed90a98&tochange=3d16d59c9317
Crash Signature: [@ JSScript::ensureRanAnalysis(JSContext*)] → [@ JSScript::ensureRanAnalysis(JSContext*)]
[@ AnalyzeNewScriptProperties ]
status-firefox23:
--- → unaffected
status-firefox24:
--- → affected
Hardware: x86_64 → All
Whiteboard: [native-crash]
Version: Trunk → 24 Branch
|
||
Updated•6 years ago
|
status-firefox23:
unaffected → ---
status-firefox24:
affected → ---
|
|
||
Updated•6 years ago
|
status-firefox23:
--- → unaffected
status-firefox24:
--- → affected
|
|
||
Updated•6 years ago
|
Keywords: reproducible
|
||
Comment 5•6 years ago
|
||
In a debug build, on the google groups page, I get the assertion: Assertion failure: hasScript(), at /Users/amccreight/mz/cent/js/src/jsfun.h:237 The stack is: AnalyzeNewScriptProperties(JSContext*, js::types::TypeObject*, JS::Handle<JSFunction*>, NewScriptPropertiesState&) + 3421 CheckNewScriptProperties(JSContext*, JS::Handle<js::types::TypeObject*>, JS::Handle<JSFunction*>) + 236 JSCompartment::getNewType(JSContext*, js::Class*, js::TaggedProto, JSFunction*) + 603 js::CreateThisForFunctionWithProto(JSContext*, JS::Handle<JSObject*>, JSObject*, js::NewObjectKind) + 89
|
Assignee | |
Comment 6•6 years ago
|
||
This is definitely due to bug 678037. There is a place where we assume a function doesn't have a lazy script when in fact it might.
Assignee: general → bhackett1024
Attachment #763161 -
Flags: review?(luke)
|
|
Assignee | |
Updated•6 years ago
|
Blocks: LazyBytecode
|
|
||
Updated•6 years ago
|
Keywords: regressionwindow-wanted
|
|
Assignee | |
Comment 7•6 years ago
|
||
Pushing this ahead of review to fix the crashes; this patch is simple. https://hg.mozilla.org/integration/mozilla-inbound/rev/6c897b8852ab
|
Reporter | |
Comment 8•6 years ago
|
||
I can confirm that the m-i build with this patch does fix the crash on groups.google.com win7 x64 32bit hourly m-i cset: https://hg.mozilla.org/integration/mozilla-inbound/rev/6c897b8852ab
|
||
Comment 9•6 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/6c897b8852ab Should this have a test?
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
|
|
||
Updated•6 years ago
|
|
||
Updated•6 years ago
|
Attachment #763161 -
Flags: review?(luke) → review+
Haven't had a crash on this yet after 6/15
|
||
Updated•6 years ago
|
|
||
Comment 12•6 years ago
|
||
Verified as fixed on FF 24b6 using Windows 7 x64, Mac OS 10.7.5 and Ubuntu 13.04 BuildID: 20130826142034
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•