Closed Bug 883544 Opened 11 years ago Closed 11 years ago

crash in JSFunction::createScriptForLazilyInterpretedFunction

Categories

(Core :: JavaScript Engine, defect)

24 Branch
x86_64
All
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla24
Tracking Status
firefox23 --- unaffected
firefox24 --- verified

People

(Reporter: scoobidiver, Assigned: bhackett1024)

References

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

It first showed up in 24.0a1/201306015. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b197bed90a98&tochange=3d16d59c9317
It's likely a regression from bug 678037.
Currently, all users have Adblock Plus installed.

Signature: JSFunction::createScriptForLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>)
UUID: 0bdfd1c3-a468-4c52-b061-f8bf02130615
Date Processed: 2013-06-15 15:57:39
Uptime: 745
Last Crash: 12.5 minutes before submission
Install Age: 26.1 minutes since version was first installed.
Install Time: 2013-06-15 15:31:26
Product: Firefox
Version: 24.0a1
Build ID: 20130615031212
Release Channel: nightly
OS: Linux
OS Version: 0.0.0 Linux 3.8.0-25-generic #37-Ubuntu SMP Thu Jun 6 20:47:07 UTC 2013 x86_64
Build Architecture: amd64
Build Architecture Info: family 6 model 37 stepping 2
Crash Reason: SIGSEGV
Crash Address: 0x0
App Notes: OpenGL: Intel Open Source Technology Center -- Mesa DRI Intel(R) Ironlake Mobile -- 2.1 Mesa 9.1.3 -- texture_from_pixmap
Processor Notes: sp-processor05_phx1_mozilla_com_32021:2012; exploitability tool: ERROR: unable to analyze dump
EMCheckCompatibility: True

Frame  Module     Signature                                             Source
0      libxul.so  JSFunction::createScriptForLazilyInterpretedFunction  js/src/jsfriendapi.h:348
1      libxul.so  js::TempAllocPolicy::realloc_                         obj-firefox/dist/include/js/Utility.h:164
2      libxul.so  JSFunction::getOrCreateScript                         js/src/jsfun.h:216
3      libxul.so  CreateLazyScriptsForCompartment                       js/src/jscompartment.cpp:671

More reports at: https://crash-stats.mozilla.com/report/list?signature=JSFunction%3A%3AcreateScriptForLazilyInterpretedFunction%28JSContext*%2C+JS%3A%3AHandle%3CJSFunction*%3E%29
Attached patch: patch
This should fix the crashes. The problem I think is that if we abort a syntax parse at some point the parser can leave orphaned functions with LazyScripts around. When debug mode is turned on in the compartment we delazify all functions with lazy scripts, but need to skip over these ones as they don't have any source information --- source info is not set until a lazy script's parent is compiled to bytecode, which never happens for these scripts.
Assignee: general → bhackett1024
Attachment #763138 - Flags: review?(luke)
Pushing this ahead of review to fix the crashes; this patch is simple. https://hg.mozilla.org/integration/mozilla-inbound/rev/49b957b9e31b
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Comment on attachment 763138 (patch): Not just aborted-during-parsing, but also self-hosted builtins are interpreted-lazy and have fun->lazyScript() == NULL, iirc.
Attachment #763138 - Flags: review?(luke) → review+
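The failure mode described in the fix comment and the review comment above, as an added toy model (not SpiderMonkey code; every type and function name here is hypothetical): a compartment-wide delazification pass that trusts every interpreted-lazy function dereferences a null source pointer for an orphan left by an aborted syntax parse, and a null LazyScript for a self-hosted builtin; the guarded version skips both.

```cpp
// Added example, not SpiderMonkey code: a toy model of the compartment-wide
// "delazify everything" pass this bug describes. All names are hypothetical.
#include <cstddef>
#include <vector>

struct SourceInfo { const char* filename; };

struct LazyScript {
    // Only set once the enclosing script is compiled to bytecode; an orphan
    // left behind by an aborted syntax parse never gets one.
    SourceInfo* source = nullptr;
    bool compiled = false;
};

struct Function {
    bool interpretedLazy = false;
    LazyScript* lazy = nullptr;  // null for self-hosted builtins (see review comment)
};

struct DelazifyStats { int compiled = 0; int skipped = 0; };

// Modelled compile step: it reads through the source pointer, so feeding it a
// LazyScript with no source info is the null dereference from the crash report.
void compileLazy(LazyScript* lazy) {
    if (lazy->source->filename) lazy->compiled = true;
}

// Before the fix: every interpreted-lazy function is compiled unconditionally,
// so an orphan (null source) or a builtin (null lazy) faults at address 0.
DelazifyStats delazifyUnchecked(std::vector<Function>& funcs) {
    DelazifyStats s;
    for (Function& f : funcs)
        if (f.interpretedLazy) { compileLazy(f.lazy); ++s.compiled; }
    return s;
}

// After the fix: skip functions with no LazyScript (builtins) or whose
// LazyScript has no source info yet (orphans from an aborted syntax parse).
DelazifyStats delazifyChecked(std::vector<Function>& funcs) {
    DelazifyStats s;
    for (Function& f : funcs) {
        if (!f.interpretedLazy) continue;
        if (!f.lazy || !f.lazy->source) { ++s.skipped; continue; }
        compileLazy(f.lazy); ++s.compiled;
    }
    return s;
}

// Constructed compartment: one healthy lazy function, one orphan, one builtin,
// one non-lazy function. Only the checked pass survives it.
DelazifyStats runCheckedSample() {
    static SourceInfo src{"page.js"};
    static LazyScript healthy{&src}, orphan{};
    std::vector<Function> funcs{{true, &healthy}, {true, &orphan}, {true, nullptr}, {false, nullptr}};
    return delazifyChecked(funcs);  // compiled == 1, skipped == 2
}
```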
Blocks: 900115
Marking verified since the remaining crashes will be handled in bug 900115.