Closed Bug 883544 Opened 6 years ago Closed 6 years ago

crash in JSFunction::createScriptForLazilyInterpretedFunction

Categories

(Core :: JavaScript Engine, defect, critical)

24 Branch
x86_64
All
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla24
Tracking Status
firefox23 --- unaffected
firefox24 --- verified

People

(Reporter: scoobidiver, Assigned: bhackett)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

It first showed up in 24.0a1/201306015. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b197bed90a98&tochange=3d16d59c9317
It's likely a regression from bug 678037.

Currently, all users have Adblock Plus installed.

Signature	JSFunction::createScriptForLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>)
UUID	0bdfd1c3-a468-4c52-b061-f8bf02130615
Date Processed	2013-06-15 15:57:39
Uptime	745
Last Crash	12.5 minutes before submission
Install Age	26.1 minutes since version was first installed.
Install Time	2013-06-15 15:31:26
Product	Firefox
Version	24.0a1
Build ID	20130615031212
Release Channel	nightly
OS	Linux
OS Version	0.0.0 Linux 3.8.0-25-generic #37-Ubuntu SMP Thu Jun 6 20:47:07 UTC 2013 x86_64
Build Architecture	amd64
Build Architecture Info	family 6 model 37 stepping 2
Crash Reason	SIGSEGV
Crash Address	0x0
App Notes	OpenGL: Intel Open Source Technology Center -- Mesa DRI Intel(R) Ironlake Mobile  -- 2.1 Mesa 9.1.3 -- texture_from_pixmap
Processor Notes 	sp-processor05_phx1_mozilla_com_32021:2012; exploitability tool: ERROR: unable to analyze dump
EMCheckCompatibility	True

Frame 	Module 	Signature 	Source
0 	libxul.so 	JSFunction::createScriptForLazilyInterpretedFunction 	js/src/jsfriendapi.h:348
1 	libxul.so 	js::TempAllocPolicy::realloc_ 	obj-firefox/dist/include/js/Utility.h:164
2 	libxul.so 	JSFunction::getOrCreateScript 	js/src/jsfun.h:216
3 	libxul.so 	CreateLazyScriptsForCompartment 	js/src/jscompartment.cpp:671

More reports at:
https://crash-stats.mozilla.com/report/list?signature=JSFunction%3A%3AcreateScriptForLazilyInterpretedFunction%28JSContext*%2C+JS%3A%3AHandle%3CJSFunction*%3E%29
Attached patch: patch
This should fix the crashes.  The problem I think is that if we abort a syntax parse at some point the parser can leave orphaned functions with LazyScripts around.  When debug mode is turned on in the compartment we delazify all functions with lazy scripts, but need to skip over these ones as they don't have any source information --- source info is not set until a lazy script's parent is compiled to bytecode, which never happens for these scripts.
Assignee: general → bhackett1024
Attachment #763138 - Flags: review?(luke)
(In reply to Andrew McCreight [:mccr8] from comment #2)
> https://crash-stats.mozilla.com/report/index/0af49e13-fac3-4db4-86ac-4a2e82130615
> https://crash-stats.mozilla.com/report/index/bp-66e2e3d8-42d7-41dc-8d69-4581e2130615
It's bug 883524, not this bug.
Pushing this ahead of review to fix the crashes; this patch is simple.

https://hg.mozilla.org/integration/mozilla-inbound/rev/49b957b9e31b
https://hg.mozilla.org/mozilla-central/rev/49b957b9e31b

Should this have a test?
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Comment on attachment 763138 [details] [diff] [review]
patch

Not just aborted-during-parsing, but also self-hosted builtins are interpreted-lazy and have fun->lazyScript() == NULL, iirc.
Attachment #763138 - Flags: review?(luke) → review+
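A model of the crashing pass and its fix, added here as an illustration and not code from the SpiderMonkey tree: a bulk delazification walk has to tolerate functions whose LazyScript never received source info (the orphans from an aborted syntax parse described in the patch comment) and functions with no lazy script at all (the self-hosted builtins mentioned in the review note). All type and function names below are hypothetical stand-ins.

```cpp
// Added model (not SpiderMonkey code) of the delazification pass in this bug:
// a compartment-wide walk that creates a real script for every lazily
// parsed function.  All names are hypothetical stand-ins.
#include <cstddef>
#include <memory>
#include <string>
#include <vector>

struct ScriptSource { std::string text; };

// Stand-in for LazyScript: source info is attached only when the parent is
// compiled to bytecode, so an orphan of an aborted parse keeps nullptr.
struct LazyScript { const ScriptSource* source = nullptr; };

struct Function {
    std::unique_ptr<LazyScript> lazy;  // nullptr, e.g. self-hosted builtins
    bool compiled = false;
};

// Crashing shape from the report: unconditional dereference, which for an
// orphan is a null dereference (SIGSEGV, crash address 0x0).
bool createScriptUnchecked(Function& fn) {
    return fn.compiled = !fn.lazy->source->text.empty();
}

// Fixed shape: skip entries with no lazy script at all (review note on
// builtins) and lazy scripts that never received source info.
bool createScriptChecked(Function& fn) {
    if (!fn.lazy || !fn.lazy->source)
        return false;
    return fn.compiled = !fn.lazy->source->text.empty();
}

// Walks the compartment; returns how many functions were delazified.
size_t delazifyCompartment(std::vector<Function>& fns) {
    size_t n = 0;
    for (Function& fn : fns)
        if (!fn.compiled && createScriptChecked(fn)) ++n;
    return n;
}

// Constructed compartment: normal lazy function, orphan, builtin (no lazy).
std::vector<Function> sampleCompartment() {
    static const ScriptSource src{"function f() { return 1; }"};
    std::vector<Function> v(3);
    v[0].lazy.reset(new LazyScript);
    v[0].lazy->source = &src;
    v[1].lazy.reset(new LazyScript);  // orphan: never gets source info
    return v;                         // v[2]: builtin, lazy == nullptr
}
```

Only the checked variant is ever called by the walk; the unchecked one is kept beside it to show the exact dereference the stack trace reports.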
Blocks: 900115
Marking verified since the remaining crashes will be handled in bug 900115.