crash in Interpret

VERIFIED FIXED in Firefox 28



5 years ago
5 years ago


(Reporter: tonymec, Assigned: jandem)


({crash, reproducible})

28 Branch
crash, reproducible

Firefox Tracking Flags

(firefox27 unaffected, firefox28+ verified)


(crash signature)

This bug was filed from the Socorro interface and is 
report bp-4318020c-6459-4193-a5ac-171e82131106.
Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 ID:20131105030206 CSet: 770de5942471

Crash @ Interpret several times in succession; the first one by entering an MDN page (which then started loading), the others when tying to restart, even if clicking "Don't restore" in the "Restore session" popup. The only way I could start Firefox and not crash was by "doctoring" the preference browser.startup.homepage in prefs.js between a crash and the next startup.


All with signature "Interpret". This is not bug 884194 since it was FIXED on 2013-06-21 and this build is from source pulled on 2013-11-05.

Here is the Socorro output for the last of the five crashes listed above, which is also the one from which I asked Socorro to file a bug:

Signature 	Interpret More Reports Search
UUID 	4318020c-6459-4193-a5ac-171e82131106
Date Processed	2013-11-06 02:06:39.174099
Uptime	27
Last Crash	47 seconds before submission
Install Age 	2855 since version was first installed.
Install Time 	2013-11-06 01:18:00
Product 	Firefox
Version 	28.0a1
Build ID 	20131105030206
Release Channel 	nightly
OS 	Linux
OS Version 	0.0.0 Linux 3.4.63-2.44-desktop #1 SMP PREEMPT Wed Oct 2 11:18:32 UTC 2013 (d91a619) x86_64
Build Architecture 	amd64
Build Architecture Info 	family 15 model 4 stepping 1 | 2
Crash Reason 	SIGSEGV
Crash Address 	0x90
User Comments 	on restart from crash (reloading session in spite of "Don't restore" button click)
App Notes 	

OpenGL: VMware, Inc. -- Gallium 0.4 on llvmpipe (LLVM 0x301) -- 2.1 Mesa 8.0.4 -- texture_from_pixmap

Processor Notes 	sp-processor04_phx1_mozilla_com.28022:2012; LegacyCrashProcessor; exploitability tool failed: 127


Winsock LSP 	

Adapter Vendor ID 	

Adapter Device ID 	

Bugzilla - Report this bug in Firefox Core Plugins Toolkit
Related Bugs

    682573 NEW --- [meta] Crash @ js::Interpret
    884194 RESOLVED FIXED crash in Interpret
    917792 VERIFIED FIXED crash in js::ObjectImpl::getDenseInitializedLength() (with Norton installed?)

Crashing Thread
Frame 	Module 	Signature 	Source
0 	Interpret 	js/src/vm/Interpreter.cpp
1 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
2 	js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) 	js/src/vm/Interpreter.cpp
3 	js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) 	js/src/vm/Interpreter.cpp
4 	JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, char16_t const*, unsigned long, JS::Value*) 	js/src/jsapi.cpp
5 	nsJSUtils::EvaluateString(JSContext*, nsAString_internal const&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions&, JS::Value*, void**) 	dom/base/nsJSUtils.cpp
6 	nsJSContext::EvaluateString(nsAString_internal const&, JS::Handle<JSObject*>, JS::CompileOptions&, bool, JS::Value*, void**) 	dom/base/nsJSEnvironment.cpp
7 	nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, nsString const&, void**) 	content/base/src/nsScriptLoader.cpp
8 	nsScriptLoader::ProcessRequest(nsScriptLoadRequest*, void**) 	content/base/src/nsScriptLoader.cpp
9 	nsContentUtils::RemoveScriptBlocker() 	content/base/src/nsContentUtils.cpp
10 	nsDocument::EndUpdate(unsigned int) 	content/base/src/nsDocument.cpp
11 	nsHTMLDocument::EndUpdate(unsigned int) 	content/html/document/src/nsHTMLDocument.cpp
12 	mozAutoDocUpdate::~mozAutoDocUpdate() 	content/base/src/mozAutoDocUpdate.h
13 	nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) 	content/base/src/nsINode.cpp
14 	mozilla::dom::NodeBinding::appendChild 	obj-firefox/dist/include/nsINode.h
15 	mozilla::dom::NodeBinding::genericMethod 	obj-firefox/dom/bindings/NodeBinding.cpp
16 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/jscntxtinlines.h
17 	Interpret 	js/src/vm/Interpreter.cpp
18 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
19 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
20 	js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
21 	JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) 	js/src/jsapi.cpp
22 	mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JSObject*>, nsDOMEvent&, mozilla::ErrorResult&) 	obj-firefox/dom/bindings/EventListenerBinding.cpp
23 	void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, nsDOMEvent&, mozilla::ErrorResult&, mozilla::dom::CallbackObject::ExceptionHandling) 	obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h
24 	nsEventListenerManager::HandleEventSubType(nsListenerStruct*, mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener> const&, nsIDOMEvent*, mozilla::dom::EventTarget*, nsCxPusher*) 	content/events/src/nsEventListenerManager.cpp
25 	nsEventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*, nsCxPusher*) 	content/events/src/nsEventListenerManager.cpp
26 	nsEventTargetChainItem::HandleEventTargetChain(nsTArray<nsEventTargetChainItem>&, nsEventChainPostVisitor&, nsDispatchingCallback*, ELMCreationDetector&, nsCxPusher*) 	content/events/src/nsEventListenerManager.h
27 	nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<mozilla::dom::EventTarget>*) 	content/events/src/nsEventDispatcher.cpp
28 	PresShell::FireResizeEvent() 	layout/base/nsPresShell.cpp
29 	PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) 	layout/base/nsPresShell.cpp
30 	PresShell::FlushPendingNotifications(mozFlushType) 	layout/base/nsPresShell.cpp
31 	mozilla::ScrollFrameHelper::AsyncScrollPortEvent::Run() 	layout/generic/nsGfxScrollFrame.cpp
32 	nsRootPresContext::FlushWillPaintObservers() 	layout/base/nsPresContext.cpp
33 	PresShell::WillPaint() 	layout/base/nsPresShell.cpp
34 	nsViewManager::CallWillPaintOnObservers() 	view/src/nsViewManager.cpp
35 	nsViewManager::ProcessPendingUpdates() 	view/src/nsViewManager.cpp
36 	nsRefreshDriver::Tick(long, mozilla::TimeStamp) 	layout/base/nsRefreshDriver.cpp
37 	mozilla::RefreshDriverTimer::Tick() 	layout/base/nsRefreshDriver.cpp
38 	nsTimerImpl::Fire() 	xpcom/threads/nsTimerImpl.cpp
39 	nsTimerEvent::Run() 	xpcom/threads/nsTimerImpl.cpp
40 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
41 	NS_ProcessNextEvent(nsIThread*, bool) 	xpcom/glue/nsThreadUtils.cpp
42 	nsThread::Shutdown() 	xpcom/threads/nsThread.cpp
43 	nsRunnableMethodImpl<tag_nsresult (nsIThread::*)(), void, true>::Run() 	obj-firefox/dist/include/nsThreadUtils.h
44 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
45 	NS_ProcessNextEvent(nsIThread*, bool) 	xpcom/glue/nsThreadUtils.cpp
46 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
47 	MessageLoop::Run() 	ipc/chromium/src/base/
48 	nsBaseAppShell::Run() 	widget/xpwidgets/nsBaseAppShell.cpp
49 	nsAppStartup::Run() 	toolkit/components/startup/nsAppStartup.cpp
50 	XREMain::XRE_mainRun() 	toolkit/xre/nsAppRunner.cpp
51 	XREMain::XRE_main(int, char**, nsXREAppData const*) 	toolkit/xre/nsAppRunner.cpp
52 	XRE_main 	toolkit/xre/nsAppRunner.cpp
53 	firefox 	do_main 	browser/app/nsBrowserApp.cpp
54 	firefox 	main 	browser/app/nsBrowserApp.cpp
56 	firefox 	firefox@0x40a0
P.S. IIRC, the problematic MDN page was the one about chrome URLs in Firefox, Thunderbird and SeaMonkey. I am NOT going to try to load it now.

Comment 2

5 years ago
Open this page
No unrelated news, please. This site is a live site and this page is about a crash in Firefox, period. For tests about Bugzilla, see

Comment 4

5 years ago
Crash with STR with comment#2

Regression window(m-i)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 ID:20131104023709
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 ID:20131104024108

Regressed by:
495a9c210b91	Jan de Mooij — Bug 933798 - Don't unnecessarily deoptimize name accesses in try blocks in lazily parsed functions. r=bhackett
Blocks: 933798
tracking-firefox28: --- → ?
Keywords: reproducible
OS: Linux → All
Version: Trunk → 28 Branch


5 years ago
Component: Untriaged → JavaScript Engine
Product: Firefox → Core


5 years ago
Crash Signature: [@ Interpret] → [@ Interpret ]
(In reply to Alice0775 White from comment #4)
> Crash with STR with comment#2

If comment #2 has STR, please list them 1. 2. 3. etc.
When I clicked the link in comment #2, I saw a notification bar telling me that Nightly had blocked a redirect, and when I accepted the redirect I saw a newspage telling me that Blackberry won't be sold.

Comment 6

5 years ago
Build Identifier:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 ID:20131105030206

1. Start Firefox with newly created profile
2. Open URL in commnet#2
   then automatically redirected to morocco news
   then crash browser with crash sig bp-b5e5e975-763a-431f-9f88-f616a2131106

Comment 7

5 years ago
s/morocco news/marocpress/

Comment 8

5 years ago
Build Identifier:
Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 ID:20131105030206

Linux 64bit build also crashes with STR in comment#6 on ubuntu x64.


5 years ago
Duplicate of this bug: 935385
Assignee: nobody → jdemooij
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28


5 years ago
status-firefox27: --- → unaffected
tracking-firefox28: ? → +
Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 ID:20131107030200 CSet: 70de5e24d79b

So I can try to VERIFY this fix, is there a preference setting which I should change to be "automatically redirected" as stated in comment #6 instead of getting a notification bar saying that Firefox has prevented a redirect as I said in comment #5? I tried to filter about:config on "redirect" and found only defaulted prefs:

network.http.prompt-temp-redirect              default   boolean   true
network.http.redirection-limit                 default   integer   20
network.seer.redirect-likely-confidence        default   integer   75   default   boolean   false
places.frecency.permRedirectVisitBonus         default   integer   0
places.frecency.tempRedirectVisitBonus         default   integer   0

OTOH, AFAIK none of my add-ons interferes with redirecting:
Extensions: BackToTop, ChatZilla, Console², DOM Inspector, JavaScript Debugger, keyconfig, Mozilla QA Companion, Nightly Tester Tools, Restartless Restart, Tab Mix Plus, Test Pilot, the rest are disabled.
All plugins are set to "Ask to Activate".
The current theme is the default, no lightweight theme is installed.

Comment 12

5 years ago
> 1. Start Firefox with newly created profile
(In reply to Alice0775 White from comment #12)
> > 1. Start Firefox with newly created profile

No crash, and no notification either.

Of course any tests that I run apply only to Linux64. Please check also on Windows (where this bug was seen too) before setting VERIFIED.
Keywords: verifyme
FWIW, after closing Nightly I did a diff of prefs.js in both profiles, and the very first line in the older one looks like a possible culprit:

user_pref("accessibility.blockautorefresh", true);

Comment 15

5 years ago
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 ID:20131106030200

No crash:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 ID:20131107030200

I can verify that latest Nightly does not crash anymore with STR of comment#6.
Setting VERIFIED on the basis of comment #13 and comment #15.
Keywords: verifyme
status-firefox28: affected → verified
You need to log in before you can comment on or make changes to this bug.