Closed
Bug 935348
Opened 12 years ago
Closed 12 years ago
crash in Interpret
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla28
| Tracking | Status | |
|---|---|---|
| firefox27 | --- | unaffected |
| firefox28 | + | verified |
People
(Reporter: tonymec, Assigned: jandem)
References
Details
(Keywords: crash, reproducible)
Crash Data
This bug was filed from the Socorro interface and is
report bp-4318020c-6459-4193-a5ac-171e82131106.
=============================================================
Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 ID:20131105030206 CSet: 770de5942471
Crash @ Interpret several times in succession; the first one by entering an MDN page (which then started loading), the others when tying to restart, even if clicking "Don't restore" in the "Restore session" popup. The only way I could start Firefox and not crash was by "doctoring" the preference browser.startup.homepage in prefs.js between a crash and the next startup.
bp-8e5d951a-8ba6-443e-9174-4532c2131106
bp-788f789e-17f1-4d14-8339-7a81c2131106
bp-93dd0e0e-4017-492b-b8c6-ffd0b2131106
bp-b8adc32d-d708-4b1c-a872-aaff32131106
bp-4318020c-6459-4193-a5ac-171e82131106
All with signature "Interpret". This is not bug 884194 since it was FIXED on 2013-06-21 and this build is from source pulled on 2013-11-05.
Here is the Socorro output for the last of the five crashes listed above, which is also the one from which I asked Socorro to file a bug:
Signature Interpret More Reports Search
UUID 4318020c-6459-4193-a5ac-171e82131106
Date Processed 2013-11-06 02:06:39.174099
Uptime 27
Last Crash 47 seconds before submission
Install Age 2855 since version was first installed.
Install Time 2013-11-06 01:18:00
Product Firefox
Version 28.0a1
Build ID 20131105030206
Release Channel nightly
OS Linux
OS Version 0.0.0 Linux 3.4.63-2.44-desktop #1 SMP PREEMPT Wed Oct 2 11:18:32 UTC 2013 (d91a619) x86_64
Build Architecture amd64
Build Architecture Info family 15 model 4 stepping 1 | 2
Crash Reason SIGSEGV
Crash Address 0x90
User Comments on restart from crash (reloading session in spite of "Don't restore" button click)
App Notes
OpenGL: VMware, Inc. -- Gallium 0.4 on llvmpipe (LLVM 0x301) -- 2.1 Mesa 8.0.4 -- texture_from_pixmap
Processor Notes sp-processor04_phx1_mozilla_com.28022:2012; LegacyCrashProcessor; exploitability tool failed: 127
EMCheckCompatibility
False
Winsock LSP
Adapter Vendor ID
Adapter Device ID
Bugzilla - Report this bug in Firefox Core Plugins Toolkit
Related Bugs
682573 NEW --- [meta] Crash @ js::Interpret
884194 RESOLVED FIXED crash in Interpret
917792 VERIFIED FIXED crash in js::ObjectImpl::getDenseInitializedLength() (with Norton installed?)
Crashing Thread
Frame Module Signature Source
0 libxul.so Interpret js/src/vm/Interpreter.cpp
1 libxul.so js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp
2 libxul.so js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) js/src/vm/Interpreter.cpp
3 libxul.so js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) js/src/vm/Interpreter.cpp
4 libxul.so JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, char16_t const*, unsigned long, JS::Value*) js/src/jsapi.cpp
5 libxul.so nsJSUtils::EvaluateString(JSContext*, nsAString_internal const&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions&, JS::Value*, void**) dom/base/nsJSUtils.cpp
6 libxul.so nsJSContext::EvaluateString(nsAString_internal const&, JS::Handle<JSObject*>, JS::CompileOptions&, bool, JS::Value*, void**) dom/base/nsJSEnvironment.cpp
7 libxul.so nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, nsString const&, void**) content/base/src/nsScriptLoader.cpp
8 libxul.so nsScriptLoader::ProcessRequest(nsScriptLoadRequest*, void**) content/base/src/nsScriptLoader.cpp
9 libxul.so nsContentUtils::RemoveScriptBlocker() content/base/src/nsContentUtils.cpp
10 libxul.so nsDocument::EndUpdate(unsigned int) content/base/src/nsDocument.cpp
11 libxul.so nsHTMLDocument::EndUpdate(unsigned int) content/html/document/src/nsHTMLDocument.cpp
12 libxul.so mozAutoDocUpdate::~mozAutoDocUpdate() content/base/src/mozAutoDocUpdate.h
13 libxul.so nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) content/base/src/nsINode.cpp
14 libxul.so mozilla::dom::NodeBinding::appendChild obj-firefox/dist/include/nsINode.h
15 libxul.so mozilla::dom::NodeBinding::genericMethod obj-firefox/dom/bindings/NodeBinding.cpp
16 libxul.so js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/jscntxtinlines.h
17 libxul.so Interpret js/src/vm/Interpreter.cpp
18 libxul.so js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp
19 libxul.so js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/vm/Interpreter.cpp
20 libxul.so js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp
21 libxul.so JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) js/src/jsapi.cpp
22 libxul.so mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JSObject*>, nsDOMEvent&, mozilla::ErrorResult&) obj-firefox/dom/bindings/EventListenerBinding.cpp
23 libxul.so void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, nsDOMEvent&, mozilla::ErrorResult&, mozilla::dom::CallbackObject::ExceptionHandling) obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h
24 libxul.so nsEventListenerManager::HandleEventSubType(nsListenerStruct*, mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener> const&, nsIDOMEvent*, mozilla::dom::EventTarget*, nsCxPusher*) content/events/src/nsEventListenerManager.cpp
25 libxul.so nsEventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*, nsCxPusher*) content/events/src/nsEventListenerManager.cpp
26 libxul.so nsEventTargetChainItem::HandleEventTargetChain(nsTArray<nsEventTargetChainItem>&, nsEventChainPostVisitor&, nsDispatchingCallback*, ELMCreationDetector&, nsCxPusher*) content/events/src/nsEventListenerManager.h
27 libxul.so nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<mozilla::dom::EventTarget>*) content/events/src/nsEventDispatcher.cpp
28 libxul.so PresShell::FireResizeEvent() layout/base/nsPresShell.cpp
29 libxul.so PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) layout/base/nsPresShell.cpp
30 libxul.so PresShell::FlushPendingNotifications(mozFlushType) layout/base/nsPresShell.cpp
31 libxul.so mozilla::ScrollFrameHelper::AsyncScrollPortEvent::Run() layout/generic/nsGfxScrollFrame.cpp
32 libxul.so nsRootPresContext::FlushWillPaintObservers() layout/base/nsPresContext.cpp
33 libxul.so PresShell::WillPaint() layout/base/nsPresShell.cpp
34 libxul.so nsViewManager::CallWillPaintOnObservers() view/src/nsViewManager.cpp
35 libxul.so nsViewManager::ProcessPendingUpdates() view/src/nsViewManager.cpp
36 libxul.so nsRefreshDriver::Tick(long, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp
37 libxul.so mozilla::RefreshDriverTimer::Tick() layout/base/nsRefreshDriver.cpp
38 libxul.so nsTimerImpl::Fire() xpcom/threads/nsTimerImpl.cpp
39 libxul.so nsTimerEvent::Run() xpcom/threads/nsTimerImpl.cpp
40 libxul.so nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp
41 libxul.so NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp
42 libxul.so nsThread::Shutdown() xpcom/threads/nsThread.cpp
43 libxul.so nsRunnableMethodImpl<tag_nsresult (nsIThread::*)(), void, true>::Run() obj-firefox/dist/include/nsThreadUtils.h
44 libxul.so nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp
45 libxul.so NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp
46 libxul.so mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp
47 libxul.so MessageLoop::Run() ipc/chromium/src/base/message_loop.cc
48 libxul.so nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp
49 libxul.so nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp
50 libxul.so XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp
51 libxul.so XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp
52 libxul.so XRE_main toolkit/xre/nsAppRunner.cpp
53 firefox do_main browser/app/nsBrowserApp.cpp
54 firefox main browser/app/nsBrowserApp.cpp
55 libc-2.15.so libc-2.15.so@0x21455
56 firefox firefox@0x40a0
|
Reporter | |
Comment 1•12 years ago
|
||
P.S. IIRC, the problematic MDN page was the one about chrome URLs in Firefox, Thunderbird and SeaMonkey. I am NOT going to try to load it now.
|
|
Reporter | |
Comment 3•12 years ago
|
||
No unrelated news, please. This site is a live site and this page is about a crash in Firefox, period. For tests about Bugzilla, see http://landfill.bugzilla.org/
|
||
Comment 4•12 years ago
|
||
Crash with STR with comment#2
Regression window(m-i)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/da5df68e8857
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 ID:20131104023709
Bad:
http://hg.mozilla.org/integration/mozilla-inbound/rev/495a9c210b91
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 ID:20131104024108
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=da5df68e8857&tochange=495a9c210b91
Regressed by:
495a9c210b91 Jan de Mooij — Bug 933798 - Don't unnecessarily deoptimize name accesses in try blocks in lazily parsed functions. r=bhackett
Blocks: 933798
tracking-firefox28:
--- → ?
Keywords: reproducible
OS: Linux → All
Version: Trunk → 28 Branch
|
|
||
Updated•12 years ago
|
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
|
|
||
Updated•12 years ago
|
Crash Signature: [@ Interpret] → [@ Interpret ]
|
|
Reporter | |
Comment 5•12 years ago
|
||
(In reply to Alice0775 White from comment #4)
> Crash with STR with comment#2
If comment #2 has STR, please list them 1. 2. 3. etc.
When I clicked the link in comment #2, I saw a notification bar telling me that Nightly had blocked a redirect, and when I accepted the redirect I saw a newspage telling me that Blackberry won't be sold.
|
|
||
Comment 6•12 years ago
|
||
Build Identifier:
http://hg.mozilla.org/mozilla-central/rev/770de5942471
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 ID:20131105030206
STR
1. Start Firefox with newly created profile
2. Open URL in commnet#2
then automatically redirected to morocco news
then crash browser with crash sig bp-b5e5e975-763a-431f-9f88-f616a2131106
|
|
||
Comment 7•12 years ago
|
||
s/morocco news/marocpress/
|
|
||
Comment 8•12 years ago
|
||
Build Identifier:
http://hg.mozilla.org/mozilla-central/rev/770de5942471
Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 ID:20131105030206
Linux 64bit build also crashes with STR in comment#6 on ubuntu x64.
bp-ce401ed2-6abd-4ed7-ae4f-1e6592131106
|
||
Comment 10•12 years ago
|
||
Assignee: nobody → jdemooij
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
|
||
Updated•12 years ago
|
status-firefox27:
--- → unaffected
|
|
Reporter | |
Comment 11•12 years ago
|
||
Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 ID:20131107030200 CSet: 70de5e24d79b
So I can try to VERIFY this fix, is there a preference setting which I should change to be "automatically redirected" as stated in comment #6 instead of getting a notification bar saying that Firefox has prevented a redirect as I said in comment #5? I tried to filter about:config on "redirect" and found only defaulted prefs:
network.http.prompt-temp-redirect default boolean true
network.http.redirection-limit default integer 20
network.seer.redirect-likely-confidence default integer 75
network.websocket.auto-follow-http-redirects default boolean false
places.frecency.permRedirectVisitBonus default integer 0
places.frecency.tempRedirectVisitBonus default integer 0
OTOH, AFAIK none of my add-ons interferes with redirecting:
Extensions: BackToTop, ChatZilla, Console², DOM Inspector, JavaScript Debugger, keyconfig, Mozilla QA Companion, Nightly Tester Tools, Restartless Restart, Tab Mix Plus, Test Pilot, the rest are disabled.
All plugins are set to "Ask to Activate".
The current theme is the default, no lightweight theme is installed.
|
|
||
Comment 12•12 years ago
|
||
> 1. Start Firefox with newly created profile
|
|
Reporter | |
Comment 13•12 years ago
|
||
(In reply to Alice0775 White from comment #12)
> > 1. Start Firefox with newly created profile
No crash, and no notification either.
Of course any tests that I run apply only to Linux64. Please check also on Windows (where this bug was seen too) before setting VERIFIED.
Keywords: verifyme
|
|
Reporter | |
Comment 14•12 years ago
|
||
FWIW, after closing Nightly I did a diff of prefs.js in both profiles, and the very first line in the older one looks like a possible culprit:
user_pref("accessibility.blockautorefresh", true);
|
|
||
Comment 15•12 years ago
|
||
Crash:
http://hg.mozilla.org/mozilla-central/rev/9ba3faa35c96
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 ID:20131106030200
No crash:
http://hg.mozilla.org/mozilla-central/rev/70de5e24d79b
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 ID:20131107030200
I can verify that latest Nightly does not crash anymore with STR of comment#6.
|
|
Reporter | |
Comment 16•12 years ago
|
||
Setting VERIFIED on the basis of comment #13 and comment #15.
Status: RESOLVED → VERIFIED
Keywords: verifyme
You need to log in
before you can comment on or make changes to this bug.
Description
•