crash in JSFunction::createScriptForLazilyInterpretedFunction @ js::ScriptSource::chars

NEW
Unassigned

Status

Core
JavaScript Engine
--
critical
5 years ago
2 years ago

People

(Reporter: Scoobidiver (away), Unassigned)

Tracking

({crash, regression, testcase-wanted})

24 Branch
crash, regression, testcase-wanted
Points:
---

Firefox Tracking Flags

(firefox23 unaffected, firefox24 affected, firefox25 affected, firefox44 affected, firefox45 affected)

Details

(Whiteboard: [close me 2016-05-14], crash signature)

(Reporter)

Description

5 years ago
It first showed up in 24.0a1/20130618 but is discontinuous across builds. The regression range might be:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=834c8941ae24&tochange=4e5983de6e3b
It might be a regression caused by bug 678037.

Some comments say:
"Clicked the console tab in the web inspector, then Aurora crashed."
"I was testing for a cookie / document ready / window load bug and hitting F5 repeatedly and rapidly at different intervals."

Signature 	js::ScriptSource::chars(JSContext*)
UUID 	91822d94-69fe-4879-ab74-e2c942130708
Date Processed	2013-07-08 09:45:19.824842
Uptime	7131
Last Crash	6629461 seconds before submission
Install Age 	266965 since version was first installed.
Install Time 	2013-07-05 07:35:37
Product 	Firefox
Version 	25.0a1
Build ID 	20130704031323
Release Channel 	nightly
OS 	Windows NT
OS Version 	6.1.7601 Service Pack 1
Build Architecture 	x86
Build Architecture Info 	GenuineIntel family 6 model 23 stepping 6 | None
Crash Reason 	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 	0xffffffffdadadaf2
User Comments 	#itf88
App Notes 	
AdapterVendorID: 0x1002, AdapterDeviceID: 0x9583, AdapterSubsysID: 0083106b, AdapterDriverVersion: 8.812.0.0
WebGL? EGL? EGL+ GL Context? GL Context+ WebGL+ 

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::ScriptSource::chars(JSContext *) 	js/src/jsscript.cpp
1 	mozjs.dll 	JSFunction::createScriptForLazilyInterpretedFunction(JSContext *,JS::Handle<JSFunction *>) 	js/src/jsfun.cpp
2 	mozjs.dll 	JSFunction::getOrCreateScript(JSContext *) 	js/src/jsfun.h
3 	mozjs.dll 	CreateLazyScriptsForCompartment 	js/src/jscompartment.cpp
4 	mozjs.dll 	JSCompartment::addDebuggee(JSContext *,js::GlobalObject *,js::AutoDebugModeGC &) 	js/src/jscompartment.cpp
5 	mozjs.dll 	js::Debugger::addDebuggeeGlobal(JSContext *,JS::Handle<js::GlobalObject *>,js::AutoDebugModeGC &) 	js/src/vm/Debugger.cpp
6 	mozjs.dll 	js::Debugger::addDebuggeeGlobal(JSContext *,JS::Handle<js::GlobalObject *>) 	js/src/vm/Debugger.cpp
7 	mozjs.dll 	js::Debugger::addDebuggee(JSContext *,unsigned int,JS::Value *) 	js/src/vm/Debugger.cpp
8 	mozjs.dll 	js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
9 	mozjs.dll 	Interpret 	js/src/vm/Interpreter.cpp
10 	xul.dll 	XPCConvert::NativeInterface2JSObject(JS::Value *,nsIXPConnectJSObjectHolder * *,xpcObjectHelper &,nsID const *,XPCNativeInterface * *,bool,tag_nsresult *) 	js/xpconnect/src/XPCConvert.cpp
11 	mozjs.dll 	js::ElementIteratorObject::next(JSContext *,unsigned int,JS::Value *) 	js/src/jsiter.cpp
12 	mozjs.dll 	js::Invoke(JSContext *,JS::Value const &,JS::Value const &,unsigned int,JS::Value *,JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
13 	mozjs.dll 	js::ObjectImpl::nativeLookup(JSContext *,int) 	js/src/vm/ObjectImpl.cpp
14 	mozjs.dll 	js::StackFrame::prologue(JSContext *) 	js/src/vm/Stack.cpp
15 	mozjs.dll 	Interpret 	js/src/vm/Interpreter.cpp
16 	xul.dll 	xul.dll@0x2d16a0 	
17 		@0x1 	
More reports at:
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=js%3A%3AScriptSource%3A%3Achars%28JSContext*%29

Updated

4 years ago
Assignee: general → nobody

Updated

3 years ago
Crash Signature: [@ js::ScriptSource::chars(JSContext*)] → [@ js::ScriptSource::chars(JSContext*)] [@ js::ScriptSource::chars]
[@ js::ScriptSource::chars ]

Win7, FF45.0a1, 64bit

https://crash-stats.mozilla.com/report/index/cdfb7589-0ca4-4481-8ad0-d0baa2151107

Crashing Thread
Frame 	Module 	Signature 	Source
0 	xul.dll 	js::ScriptSource::chars(JSContext*, js::UncompressedSourceCache::AutoHoldEntry&) 	js/src/jsscript.cpp
1 	xul.dll 	JSFunction::createScriptForLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>) 	js/src/jsfun.cpp
2 	xul.dll 	JSFunction::getOrCreateScript(JSContext*) 	js/src/jsfun.h
3 	xul.dll 	JSFunction::createScriptForLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>) 	js/src/jsfun.cpp
4 	xul.dll 	JSFunction::getOrCreateScript(JSContext*) 	js/src/jsfun.h
5 	xul.dll 	Interpret 	js/src/vm/Interpreter.cpp
6 	xul.dll 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
7 	xul.dll 	js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
8 	xul.dll 	js::CallOrConstructBoundFunction(JSContext*, unsigned int, JS::Value*) 	js/src/jsfun.cpp
9 	xul.dll 	js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
10 	xul.dll 	js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
11 	xul.dll 	js::jit::DoCallFallback 	js/src/jit/BaselineIC.cpp
12 		@0x160d2771a5c 	
13 	xul.dll 	js::jit::DoTypeMonitorFallback 	js/src/jit/BaselineIC.cpp
14 		@0x901
status-firefox45: --- → affected
See Also: → bug 1147144, bug 1148963

Updated

2 years ago
status-firefox44: --- → affected
Keywords: testcase-wanted
Socorro reports show that the [@ js::ScriptSource::chars ] crash signature is still present in the latest release, 45.0.2. Scoobidiver, can you please provide a test case or STR so I can try to reproduce this issue on my end?

Thanks,
Paul.
Flags: needinfo?(scoobidiver)
Whiteboard: [close me 2016-05-14]

Comment 3

2 years ago
Scoobidiver is not active any more, and he filed bugs like this just from our crash data; we have no STR or test cases from that data.
Flags: needinfo?(scoobidiver)