Closed Bug 885668 Opened 7 years ago Closed 7 years ago
crash in ns
Script Security Manager::Get Function Object Principal @ JS _Get Function Script
It first showed up in 24.0a1/20130615. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b197bed90a98&tochange=3d16d59c9317 Signature JS_GetFunctionScript(JSContext*, JSFunction*) More Reports Search UUID 7afded64-b3b6-47bd-8181-fa34a2130619 Date Processed 2013-06-19 19:27:12 Uptime 59 Last Crash 1.6 minutes before submission Install Age 11.8 minutes since version was first installed. Install Time 2013-06-19 19:14:59 Product Firefox Version 24.0a1 Build ID 20130619031048 Release Channel nightly OS Windows NT OS Version 5.1.2600 Service Pack 2 Build Architecture x86 Build Architecture Info GenuineIntel family 15 model 3 stepping 4 Crash Reason EXCEPTION_BREAKPOINT Crash Address 0x173f8de App Notes AdapterVendorID: 0x8086, AdapterDeviceID: 0x2572, AdapterSubsysID: 12bc103c, AdapterDriverVersion: 220.127.116.1196 D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- Processor Notes sp-processor07_phx1_mozilla_com_26539:2012 EMCheckCompatibility True Adapter Vendor ID 0x8086 Adapter Device ID 0x2572 Total Virtual Memory 2147352576 Available Virtual Memory 1919021056 System Memory Use Percentage 80 Available Page File 132780032 Available Physical Memory 103968768 Frame Module Signature Source 0 mozjs.dll JS_GetFunctionScript js/src/jsdbgapi.cpp:523 1 xul.dll nsScriptSecurityManager::GetFunctionObjectPrincipal caps/src/nsScriptSecurityManager.cpp:1973 2 xul.dll nsScriptSecurityManager::CheckFunctionAccess caps/src/nsScriptSecurityManager.cpp:1589 3 xul.dll mozilla::dom::CallbackObject::CallSetup::CallSetup dom/bindings/CallbackObject.cpp:113 4 xul.dll mozilla::dom::Function::Call<nsCOMPtr<nsISupports> > obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:52 5 xul.dll nsGlobalWindow::RunTimeoutHandler dom/base/nsGlobalWindow.cpp:10209 6 xul.dll nsGlobalWindow::RunTimeout dom/base/nsGlobalWindow.cpp:10447 7 xul.dll nsGlobalWindow::TimerCallback dom/base/nsGlobalWindow.cpp:10694 ... More reports at: https://crash-stats.mozilla.com/report/list?signature=JS_GetFunctionScript%28JSContext*%2C+JSFunction*%29
It's #18 crasher in 24.0a2 and #12 in 25.0a1.
Actually, #8 on 25.0a1 and #12 on 24.0a2 now, on both we have ~70 crashes from ~50 installations within a week.
Tracking as this a topcrash. :kairo/:bsmedberg discussed that we'll find an owner for this in the platform meeting. Tracy mentioned we may have seen similar bugs in the past which could be related to data mgnr and would add more info on this bug which could help us move forward in some direction.Tracy any other URL's co-relations that we may have will be helpful.
(In reply to bhavana bajaj [:bajaj] from comment #3) > Tracy any other URL's co-relations that we may have will be helpful. I am replying for Tracy. There are no correlations available because Socorro 52 containing bug 888219 hasn't been pushed to prod.
That request was crossed/confused with another signature I mentioned in the stability meeting. What's needed here is the culprit that caused the regression: I think Bug 880917 - "Move JS versioning from the cx to the compartment" is the most likely suspect in the regression range Scoobidiver initially gave. cc'd bholly
Well, all this machinery can actually go away. That might result in us just crashing nearby, but we might as well do that. I'll upload a patch the remove this function.
Infra weirdness on the try push: https://tbpl.mozilla.org/?tree=Try&rev=33d711275f3f
Looks like Bobby is working on it, so assigning. :)
Assignee: nobody → bobbyholley+bmo
Total Count URL 23 https://www.facebook.com/ 9 about:blank 6 https://mail.google.com/mail/u/0/ 3 http://www.newspettacolo.com/games/win2 3 http://www.youtube.com/watch?v=XfSs_try4so 3 https://www.youtube.com/watch?v=rbLKEfB_MBY 3 http://www.youtube.com/watch?v=fsdbvHCLKyI 2 http://www.youtube.com/watch?v=3EEV9461Nvg 2 http://www.youtube.com/watch?v=yUv7556L2G8
Comment on attachment 772341 [details] [diff] [review] Removed specialized function object principal machinery from CAPS. v1 r=me
Attachment #772341 - Flags: review?(bzbarsky) → review+
(note - there was some roughness on the try push in comment 9, but it appears to be infra related, with zip files failing to extract and so on).
:bholley, is this ready for aurora uplift ?
Comment on attachment 772341 [details] [diff] [review] Removed specialized function object principal machinery from CAPS. v1 [Approval Request Comment] Bug caused by (feature/regressing bug #): unknown User impact if declined: Crashes Testing completed (on m-c, etc.): baked on m-c Risk to taking this patch (and alternatives if risky): Low risk. String or IDL/UUID changes made by this patch: None
Attachment #772341 - Flags: approval-mozilla-aurora?
Attachment #772341 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0 Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0 Unable to crash Firefox 24 beta 8 and latest Nightly. Only 6 crashes in Socorro in the last 2 weeks so I think it`s safe to call this verified fixed.
(In reply to Bogdan Maris [QA] [:bogdan_maris] from comment #19) > Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0 > Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0 > Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 > Firefox/24.0 > > Unable to crash Firefox 24 beta 8 and latest Nightly. Can you please also check Firefox 25?
Mozilla/5.0 (Windows NT 5.1; rv:25.0) Gecko/20100101 Firefox/25.0 Mozilla/5.0 (X11; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:25.0) Gecko/20100101 Firefox/25.0 Also verified on Aurora 25.0a2, there is only one crash in the last week in Socorro.
You need to log in before you can comment on or make changes to this bug.