Closed
Bug 883544
Opened 11 years ago
Closed 11 years ago
crash in JSFunction::createScriptForLazilyInterpretedFunction
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla24
 | Tracking | Status
---|---|---
firefox23 | --- | unaffected
firefox24 | --- | verified
People
(Reporter: scoobidiver, Assigned: bhackett1024)
Details
(Keywords: crash, regression)
Attachments
(1 file)
patch (949 bytes), luke: review+
It first showed up in 24.0a1/201306015. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b197bed90a98&tochange=3d16d59c9317
It's likely a regression from bug 678037.
Currently, all users have Adblock Plus installed.
Signature JSFunction::createScriptForLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>)
UUID 0bdfd1c3-a468-4c52-b061-f8bf02130615
Date Processed 2013-06-15 15:57:39
Uptime 745
Last Crash 12.5 minutes before submission
Install Age 26.1 minutes since version was first installed.
Install Time 2013-06-15 15:31:26
Product Firefox
Version 24.0a1
Build ID 20130615031212
Release Channel nightly
OS Linux
OS Version 0.0.0 Linux 3.8.0-25-generic #37-Ubuntu SMP Thu Jun 6 20:47:07 UTC 2013 x86_64
Build Architecture amd64
Build Architecture Info family 6 model 37 stepping 2
Crash Reason SIGSEGV
Crash Address 0x0
App Notes
OpenGL: Intel Open Source Technology Center -- Mesa DRI Intel(R) Ironlake Mobile -- 2.1 Mesa 9.1.3 -- texture_from_pixmap
Processor Notes sp-processor05_phx1_mozilla_com_32021:2012; exploitability tool: ERROR: unable to analyze dump
EMCheckCompatibility True
Frame | Module | Signature | Source
---|---|---|---
0 | libxul.so | JSFunction::createScriptForLazilyInterpretedFunction | js/src/jsfriendapi.h:348
1 | libxul.so | js::TempAllocPolicy::realloc_ | obj-firefox/dist/include/js/Utility.h:164
2 | libxul.so | JSFunction::getOrCreateScript | js/src/jsfun.h:216
3 | libxul.so | CreateLazyScriptsForCompartment | js/src/jscompartment.cpp:671
More reports at:
https://crash-stats.mozilla.com/report/list?signature=JSFunction%3A%3AcreateScriptForLazilyInterpretedFunction%28JSContext*%2C+JS%3A%3AHandle%3CJSFunction*%3E%29
Comment 1 (Assignee)•11 years ago
This should fix the crashes. The problem I think is that if we abort a syntax parse at some point the parser can leave orphaned functions with LazyScripts around. When debug mode is turned on in the compartment we delazify all functions with lazy scripts, but need to skip over these ones as they don't have any source information --- source info is not set until a lazy script's parent is compiled to bytecode, which never happens for these scripts.
Assignee: general → bhackett1024
Attachment #763138 -
Flags: review?(luke)
Comment 2•11 years ago
It looks like you have this figured out, but in case it helps I reliably (well, twice) hit this crash at this URL:
https://groups.google.com/a/chromium.org/forum/?fromgroups#!forum/chromium-dev
https://crash-stats.mozilla.com/report/index/0af49e13-fac3-4db4-86ac-4a2e82130615
https://crash-stats.mozilla.com/report/index/bp-66e2e3d8-42d7-41dc-8d69-4581e2130615
Comment 3 (Reporter)•11 years ago
(In reply to Andrew McCreight [:mccr8] from comment #2)
> https://crash-stats.mozilla.com/report/index/0af49e13-fac3-4db4-86ac-4a2e82130615
> https://crash-stats.mozilla.com/report/index/bp-66e2e3d8-42d7-41dc-8d69-4581e2130615
It's bug 883524, not this bug.
Comment 4 (Assignee)•11 years ago
Pushing this ahead of review to fix the crashes; this patch is simple.
https://hg.mozilla.org/integration/mozilla-inbound/rev/49b957b9e31b
Comment 5•11 years ago
https://hg.mozilla.org/mozilla-central/rev/49b957b9e31b
Should this have a test?
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Updated (Reporter)•11 years ago
Comment 6•11 years ago
Comment on attachment 763138 (patch)
Not just aborted-during-parsing, but also self-hosted builtins are interpreted-lazy and have fun->lazyScript() == NULL, iirc.
Attachment #763138 -
Flags: review?(luke) → review+
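The two cases raised in comments 1 and 6 (an orphaned lazy script with no source information, and a self-hosted builtin with no lazy script at all), as an added model that is not SpiderMonkey code and not the patch on this bug; the types LazyScript, Function and ScriptSource and both loops are hypothetical stand-ins for the engine's compartment-wide delazification:

```cpp
// Added model of the delazification bug from comments 1 and 6; the types and
// helpers are hypothetical stand-ins, not SpiderMonkey code.
#include <cstddef>
#include <vector>

struct ScriptSource { const char* filename; };

// Source info is set only once the enclosing script is compiled to bytecode,
// so an orphan left by an aborted syntax parse keeps source == nullptr.
struct LazyScript {
    ScriptSource* source = nullptr;
    bool delazified = false;
};

// A self-hosted builtin is interpreted-lazy but has no LazyScript at all.
struct Function { LazyScript* lazy = nullptr; };

// Buggy loop: reads source info for every function, so an orphan or a
// builtin dereferences null (the SIGSEGV at address 0x0 in the report).
std::size_t delazifyAllUnchecked(std::vector<Function>& fns) {
    std::size_t count = 0;
    for (Function& fn : fns) {
        if (fn.lazy->source->filename) ++count;   // null deref for orphans/builtins
        fn.lazy->delazified = true;
    }
    return count;
}

// Fixed loop: skip functions with no lazy script and lazy scripts whose
// source information was never set; only real lazy functions are compiled.
std::size_t delazifyAllChecked(std::vector<Function>& fns) {
    std::size_t count = 0;
    for (Function& fn : fns) {
        if (!fn.lazy || !fn.lazy->source)
            continue;
        fn.lazy->delazified = true;
        ++count;
    }
    return count;
}

// Constructed scenario from the thread: one normal lazy function, one orphan
// from an aborted parse, one self-hosted builtin. Only the first is delazified.
std::size_t delazifyScenario() {
    static ScriptSource src{"page.js"};
    static LazyScript normal{&src}, orphan{};
    std::vector<Function> fns = {{&normal}, {&orphan}, {nullptr}};
    return delazifyAllChecked(fns);   // 1
}
```

Running delazifyAllUnchecked on the same three functions faults on the orphan, which is the crash signature in this report.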
Comment 7•11 years ago
Marking verified since the remaining crashes will be handled in bug 900115.