Closed Bug 884156 Opened 12 years ago Closed 12 years ago

crash in JS::Value::isMagic, crash in js::ObjectImpl::getSlot when I open CKEditor demo if Web Console is staying open

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
24 Branch
Platform:
x86_64
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla24
Tracking Flags:
Tracking Status
firefox23 --- unaffected
firefox24 --- verified

People

(Reporter: alice0775, Unassigned)

References

(
URL
)

Details

(Keywords: crash, regression, reproducible)

Crash Data

Crash id: bp-6e93339c-d4b9-4670-adff-41e682130617 Browser crashes when I open certain site if Web Console is staying open However, Browser does not crash if I opened Browser Console instead of Web Console. Unfortunately, Bug 883562 does not fix the crash... Steps To Reproduce: 1. Open Web Console 2. Open http://ckeditor.com/demo Actual Results: Browser crashes Regression window(m-i) Good: http://hg.mozilla.org/integration/mozilla-inbound/rev/849e6303ac21 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130616 Firefox/24.0 ID:20130617091523 Bad: http://hg.mozilla.org/integration/mozilla-inbound/rev/ccb80286042a Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130617 Firefox/24.0 ID:20130617093533 Pushlog: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=849e6303ac21&tochange=ccb80286042a Re-triggered by: ccb80286042a Jason Orendorff — Bug 883523 - Regression: 'if(1) /a/.test("a")' causes a SyntaxError after landing bug 872735. r=till. However, I think that this is false positive, because prior to land Bug 883523, the web page fails to load due to bug 872735. Regression window(m-i) before landing bug 872735 Good: http://hg.mozilla.org/integration/mozilla-inbound/rev/18c1fd169792 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130614 Firefox/24.0 ID:20130614031707 Bad: http://hg.mozilla.org/integration/mozilla-inbound/rev/ce43d28276e4 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130614 Firefox/24.0 ID:20130614045911 Pushlog: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=18c1fd169792&tochange=ce43d28276e4 Regressed by: ce43d28276e4 Brian Hackett — Bug 678037 - Enable lazy JS parsing and fix various bugs, r=waldo,evilpie,nobody.
Firefox doesn't crash for me in 24.0a1/20130617 and it seems to be confirmed by crash stats. Dupe of bug 883562?
(In reply to Scoobidiver from comment #1) > Firefox doesn't crash for me in 24.0a1/20130617 and it seems to be confirmed > by crash stats. Because, Not crash due to Bug 883523. 24.0a1/20130617 build did not include the fix yet. > Dupe of bug 883562? No.
(In reply to Alice0775 White from comment #2) > Because, Not crash due to Bug 883523. 24.0a1/20130617 build did not include > the fix yet. How can it be a regression from bug 678037? It's a regression from bug 883523 in that case.
(In reply to Scoobidiver from comment #3) > (In reply to Alice0775 White from comment #2) > > Because, Not crash due to Bug 883523. 24.0a1/20130617 build did not include > > the fix yet. > How can it be a regression from bug 678037? It's a regression from bug > 883523 in that case. No. Bug 678037 landed: Start crash. Bug 872735 landed: The page fails to load due to regression of bug 872735, then stop crashing. Bug 883523 landed: Bug 883523 fixed the regression of bug 872735. so, then start crash again.
Crash Signature: [@ js::ObjectImpl::getSlot(unsigned int)] → [@ js::ObjectImpl::getSlot(unsigned int) ]
status-firefox23: --- → unaffected
status-firefox24: --- → affected
bp-b37b3143-0432-4eab-a079-63b6d2130618 http://hg.mozilla.org/mozilla-central/rev/4e5983de6e3b Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130618 Firefox/24.0 ID:20130618031335
Crash Signature: [@ js::ObjectImpl::getSlot(unsigned int) ] → [@ js::ObjectImpl::getSlot(unsigned int) ] [@ JS::Value::isMagic(JSWhyMagic) ]
Summary: crash in js::ObjectImpl::getSlot when I open CKEditor demo if Web Console is staying open → crash in JS::Value::isMagic, crash in js::ObjectImpl::getSlot when I open CKEditor demo if Web Console is staying open
Can someone help identify the regressing bug here ? Are we seeing this on any other editors ? needsinfo'ing :jorendoff and :bhackett here as they own the suspected bugs here ,to help investigate
Flags: needinfo?(jorendorff)
Flags: needinfo?(bhackett1024)
Alice is right, the regressing bug is bug 678037.
Flags: needinfo?(jorendorff)
I cannnot reproduce the crash anymore in http://hg.mozilla.org/integration/mozilla-inbound/rev/2ffbbe96954c Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130620 Firefox/24.0 ID:20130620123512 This was fixed by bug 884194 .
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Depends on: 884194
Target Milestone: --- → mozilla24
Flags: needinfo?(bhackett1024)
Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0 Verified as fixed on latest Nightly, Firefox 24 beta 6 and > http://hg.mozilla.org/integration/mozilla-inbound/rev/2ffbbe96954c I think this can`t be marked as verified since there are still crashes in Socorro http://bit.ly/1flG5Aj in the last week
Verified as fixed, using the STR from comment 0, on: Win 7 64bit, Ubuntu 13.04 64bit and Mac OS X 10.7.5, with Firefox 24 RC. Here are the reports for last month, from Socorro: 1) for the 1st signature: there are 20 crashes on 24.0b9, and no other crashes since then on the 24 branch https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&reason_type=contains&date=2013-08-29&range_value=28&range_unit=days&hang_type=any&process_type=any&signature=js%3A%3AObjectImpl%3A%3AgetSlot%28unsigned+int%29 2) for the 2nd signature: there is only 1 crash on 24.0b9, and no other crash since then https://crash-stats.mozilla.com/report/list?signature=JS%3A%3AValue%3A%3AisMagic%28JSWhyMagic%29&product=Firefox&query_type=contains&range_unit=weeks&process_type=any&hang_type=any&date=2013-09-13+14%3A00%3A00&range_value=4
status-firefox24: fixedverified
QA Contact: manuela.muntean
You need to log in before you can comment on or make changes to this bug.