Closed Bug 883544 Opened 6 years ago Closed 6 years ago
crash in JSFunction::create
Script For Lazily Interpreted Function
It first showed up in 24.0a1/201306015. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b197bed90a98&tochange=3d16d59c9317 It's likely a regression from bug 678037. Currently, all users have Adblock Plus installed. Signature JSFunction::createScriptForLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>) More Reports Search UUID 0bdfd1c3-a468-4c52-b061-f8bf02130615 Date Processed 2013-06-15 15:57:39 Uptime 745 Last Crash 12.5 minutes before submission Install Age 26.1 minutes since version was first installed. Install Time 2013-06-15 15:31:26 Product Firefox Version 24.0a1 Build ID 20130615031212 Release Channel nightly OS Linux OS Version 0.0.0 Linux 3.8.0-25-generic #37-Ubuntu SMP Thu Jun 6 20:47:07 UTC 2013 x86_64 Build Architecture amd64 Build Architecture Info family 6 model 37 stepping 2 Crash Reason SIGSEGV Crash Address 0x0 App Notes OpenGL: Intel Open Source Technology Center -- Mesa DRI Intel(R) Ironlake Mobile -- 2.1 Mesa 9.1.3 -- texture_from_pixmap Processor Notes sp-processor05_phx1_mozilla_com_32021:2012; exploitability tool: ERROR: unable to analyze dump EMCheckCompatibility True Frame Module Signature Source 0 libxul.so JSFunction::createScriptForLazilyInterpretedFunction js/src/jsfriendapi.h:348 1 libxul.so js::TempAllocPolicy::realloc_ obj-firefox/dist/include/js/Utility.h:164 2 libxul.so JSFunction::getOrCreateScript js/src/jsfun.h:216 3 libxul.so CreateLazyScriptsForCompartment js/src/jscompartment.cpp:671 More reports at: https://crash-stats.mozilla.com/report/list?signature=JSFunction%3A%3AcreateScriptForLazilyInterpretedFunction%28JSContext*%2C+JS%3A%3AHandle%3CJSFunction*%3E%29
This should fix the crashes. The problem I think is that if we abort a syntax parse at some point the parser can leave orphaned functions with LazyScripts around. When debug mode is turned on in the compartment we delazify all functions with lazy scripts, but need to skip over these ones as they don't have any source information --- source info is not set until a lazy script's parent is compiled to bytecode, which never happens for these scripts.
Assignee: general → bhackett1024
Attachment #763138 - Flags: review?(luke)
It looks like you have this figured out, but in case it helps I reliably (well, twice) hit this crash at this URL: https://groups.google.com/a/chromium.org/forum/?fromgroups#!forum/chromium-dev https://crash-stats.mozilla.com/report/index/0af49e13-fac3-4db4-86ac-4a2e82130615 https://crash-stats.mozilla.com/report/index/bp-66e2e3d8-42d7-41dc-8d69-4581e2130615
(In reply to Andrew McCreight [:mccr8] from comment #2) > https://crash-stats.mozilla.com/report/index/0af49e13-fac3-4db4-86ac- > 4a2e82130615 > https://crash-stats.mozilla.com/report/index/bp-66e2e3d8-42d7-41dc-8d69- > 4581e2130615 It's bug 883524, not this bug.
Pushing this ahead of review to fix the crashes; this patch is simple. https://hg.mozilla.org/integration/mozilla-inbound/rev/49b957b9e31b
https://hg.mozilla.org/mozilla-central/rev/49b957b9e31b Should this have a test?
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Comment on attachment 763138 [details] [diff] [review] patch Not just aborted-during-parsing, but also self-hested builtins are interpreted-lazy and have fun->lazyScript() == NULL, iirc.
Attachment #763138 - Flags: review?(luke) → review+
Marking verified since the remaining crashes will be handled in bug 900115.
You need to log in before you can comment on or make changes to this bug.