Closed Bug 893890 Opened 11 years ago Closed 11 years ago

Crash [@ TryAttachCallStub] with setObjectMetadataCallback

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla25

People

(Reporter: decoder, Assigned: bhackett1024)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 18467a85acf6 (run with --ion-eager):


function test() {
    try {
        writeTestCaseResult();
    } catch(e) {}
}
function writeTestCaseResult( ) {
   return undefined.match(/foo/);
}
setObjectMetadataCallback(function(obj) { test(); });
x();
Whiteboard: [jsbugmon:update]
Crash Signature: [@ TryAttachCallStub] → [@ TryAttachCallStub] [@ js::ion::TryAttachCallStub]
Needinfo from Brian because setObjectMetadataCallback is involved.
Flags: needinfo?(bhackett1024)
Attached patch patch.txt
Bad things happen when we reenter JS while parsing/emitting scripts.
Assignee: general → bhackett1024
Attachment #781836 - Flags: review?(luke)
Flags: needinfo?(bhackett1024)
Attachment #781836 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/fb48c7d58b8b
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Crash Signature: [@ TryAttachCallStub] [@ js::ion::TryAttachCallStub] → [@ TryAttachCallStub] [@ js::ion::TryAttachCallStub] [@ js::FunctionToString(JSContext*, JS::Handle<JSFunction*>, bool, bool)]
It's #2 top crasher in 24.0a2 on Mac OS X.
Keywords: topcrash
setObjectMetadataCallback is a debugging hook which is not yet exposed to the browser at all.
(In reply to Brian Hackett (:bhackett) from comment #9)
> setObjectMetadataCallback is a debugging hook which is not yet exposed to
> the browser at all.

Isn't it still possible that this bug is triggered also without setObjectMetadataCallback, just that the fuzzer hasn't found this case? (because it might be more complex).
(In reply to Christian Holler (:decoder) from comment #10)
> (In reply to Brian Hackett (:bhackett) from comment #9)
> > setObjectMetadataCallback is a debugging hook which is not yet exposed to
> > the browser at all.
> 
> Isn't it still possible that this bug is triggered also without
> setObjectMetadataCallback, just that the fuzzer hasn't found this case?
> (because it might be more complex).

Well, this bug is about crashes that can happen when reentering JS in the parser/emitter.  This shouldn't be possible but could in principle happen.  It could be prevented entirely (we already do something similar when doing analysis/compilation) but it would be good to know if that is actually the culprit with these OS X (OS X only?) crashes.  Scoobidiver, can you point to some crash reports?  If the stack information is good enough it should be easy to see what's going on from them.
(In reply to Scoobidiver from comment #12)
> (In reply to Brian Hackett (:bhackett) from comment #11)
> > Scoobidiver, can you point to some crash reports? 
> Here they are:
> https://crash-stats.mozilla.com/report/list?product=Firefox&signature=js%3A%3AFunctionToString%28JSContext*%2C+JS%3A%3AHandle%3CJSFunction*%3E%2C+bool%2C+bool%29

This looks like a different issue, none of the crashes I see have parsing stuff on the stack.  All of them are NULL derefs under jsdScript::GetFunctionSource but it's not really obvious from the stacks which pointer is NULL.