crash in Interpret

VERIFIED FIXED in Firefox 28

Status

critical
VERIFIED FIXED
5 years ago
5 years ago

People

(Reporter: tonymec, Assigned: jandem)

Tracking

({crash, reproducible})

28 Branch
mozilla28
x86_64
All

Firefox Tracking Flags

(firefox27 unaffected, firefox28+ verified)

This bug was filed from the Socorro interface and is 
report bp-4318020c-6459-4193-a5ac-171e82131106.
=============================================================
Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 ID:20131105030206 CSet: 770de5942471

Crash @ Interpret several times in succession; the first one by entering an MDN page (which then started loading), the others when trying to restart, even if clicking "Don't restore" in the "Restore session" popup. The only way I could start Firefox and not crash was by "doctoring" the preference browser.startup.homepage in prefs.js between a crash and the next startup.

bp-8e5d951a-8ba6-443e-9174-4532c2131106
bp-788f789e-17f1-4d14-8339-7a81c2131106
bp-93dd0e0e-4017-492b-b8c6-ffd0b2131106
bp-b8adc32d-d708-4b1c-a872-aaff32131106
bp-4318020c-6459-4193-a5ac-171e82131106

All with signature "Interpret". This is not bug 884194 since it was FIXED on 2013-06-21 and this build is from source pulled on 2013-11-05.

Here is the Socorro output for the last of the five crashes listed above, which is also the one from which I asked Socorro to file a bug:

Signature 	Interpret
UUID 	4318020c-6459-4193-a5ac-171e82131106
Date Processed	2013-11-06 02:06:39.174099
Uptime	27
Last Crash	47 seconds before submission
Install Age 	2855 since version was first installed.
Install Time 	2013-11-06 01:18:00
Product 	Firefox
Version 	28.0a1
Build ID 	20131105030206
Release Channel 	nightly
OS 	Linux
OS Version 	0.0.0 Linux 3.4.63-2.44-desktop #1 SMP PREEMPT Wed Oct 2 11:18:32 UTC 2013 (d91a619) x86_64
Build Architecture 	amd64
Build Architecture Info 	family 15 model 4 stepping 1 | 2
Crash Reason 	SIGSEGV
Crash Address 	0x90
User Comments 	on restart from crash (reloading session in spite of "Don't restore" button click)
App Notes 	OpenGL: VMware, Inc. -- Gallium 0.4 on llvmpipe (LLVM 0x301) -- 2.1 Mesa 8.0.4 -- texture_from_pixmap
Processor Notes 	sp-processor04_phx1_mozilla_com.28022:2012; LegacyCrashProcessor; exploitability tool failed: 127
EMCheckCompatibility 	False
Winsock LSP 	
Adapter Vendor ID 	
Adapter Device ID 	

Related Bugs

    682573 NEW --- [meta] Crash @ js::Interpret
    884194 RESOLVED FIXED crash in Interpret
    917792 VERIFIED FIXED crash in js::ObjectImpl::getDenseInitializedLength() (with Norton installed?)

Crashing Thread
Frame 	Module 	Signature 	Source
0 	libxul.so 	Interpret 	js/src/vm/Interpreter.cpp
1 	libxul.so 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
2 	libxul.so 	js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) 	js/src/vm/Interpreter.cpp
3 	libxul.so 	js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) 	js/src/vm/Interpreter.cpp
4 	libxul.so 	JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, char16_t const*, unsigned long, JS::Value*) 	js/src/jsapi.cpp
5 	libxul.so 	nsJSUtils::EvaluateString(JSContext*, nsAString_internal const&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions&, JS::Value*, void**) 	dom/base/nsJSUtils.cpp
6 	libxul.so 	nsJSContext::EvaluateString(nsAString_internal const&, JS::Handle<JSObject*>, JS::CompileOptions&, bool, JS::Value*, void**) 	dom/base/nsJSEnvironment.cpp
7 	libxul.so 	nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, nsString const&, void**) 	content/base/src/nsScriptLoader.cpp
8 	libxul.so 	nsScriptLoader::ProcessRequest(nsScriptLoadRequest*, void**) 	content/base/src/nsScriptLoader.cpp
9 	libxul.so 	nsContentUtils::RemoveScriptBlocker() 	content/base/src/nsContentUtils.cpp
10 	libxul.so 	nsDocument::EndUpdate(unsigned int) 	content/base/src/nsDocument.cpp
11 	libxul.so 	nsHTMLDocument::EndUpdate(unsigned int) 	content/html/document/src/nsHTMLDocument.cpp
12 	libxul.so 	mozAutoDocUpdate::~mozAutoDocUpdate() 	content/base/src/mozAutoDocUpdate.h
13 	libxul.so 	nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) 	content/base/src/nsINode.cpp
14 	libxul.so 	mozilla::dom::NodeBinding::appendChild 	obj-firefox/dist/include/nsINode.h
15 	libxul.so 	mozilla::dom::NodeBinding::genericMethod 	obj-firefox/dom/bindings/NodeBinding.cpp
16 	libxul.so 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/jscntxtinlines.h
17 	libxul.so 	Interpret 	js/src/vm/Interpreter.cpp
18 	libxul.so 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
19 	libxul.so 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
20 	libxul.so 	js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
21 	libxul.so 	JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) 	js/src/jsapi.cpp
22 	libxul.so 	mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JSObject*>, nsDOMEvent&, mozilla::ErrorResult&) 	obj-firefox/dom/bindings/EventListenerBinding.cpp
23 	libxul.so 	void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, nsDOMEvent&, mozilla::ErrorResult&, mozilla::dom::CallbackObject::ExceptionHandling) 	obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h
24 	libxul.so 	nsEventListenerManager::HandleEventSubType(nsListenerStruct*, mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener> const&, nsIDOMEvent*, mozilla::dom::EventTarget*, nsCxPusher*) 	content/events/src/nsEventListenerManager.cpp
25 	libxul.so 	nsEventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*, nsCxPusher*) 	content/events/src/nsEventListenerManager.cpp
26 	libxul.so 	nsEventTargetChainItem::HandleEventTargetChain(nsTArray<nsEventTargetChainItem>&, nsEventChainPostVisitor&, nsDispatchingCallback*, ELMCreationDetector&, nsCxPusher*) 	content/events/src/nsEventListenerManager.h
27 	libxul.so 	nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<mozilla::dom::EventTarget>*) 	content/events/src/nsEventDispatcher.cpp
28 	libxul.so 	PresShell::FireResizeEvent() 	layout/base/nsPresShell.cpp
29 	libxul.so 	PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) 	layout/base/nsPresShell.cpp
30 	libxul.so 	PresShell::FlushPendingNotifications(mozFlushType) 	layout/base/nsPresShell.cpp
31 	libxul.so 	mozilla::ScrollFrameHelper::AsyncScrollPortEvent::Run() 	layout/generic/nsGfxScrollFrame.cpp
32 	libxul.so 	nsRootPresContext::FlushWillPaintObservers() 	layout/base/nsPresContext.cpp
33 	libxul.so 	PresShell::WillPaint() 	layout/base/nsPresShell.cpp
34 	libxul.so 	nsViewManager::CallWillPaintOnObservers() 	view/src/nsViewManager.cpp
35 	libxul.so 	nsViewManager::ProcessPendingUpdates() 	view/src/nsViewManager.cpp
36 	libxul.so 	nsRefreshDriver::Tick(long, mozilla::TimeStamp) 	layout/base/nsRefreshDriver.cpp
37 	libxul.so 	mozilla::RefreshDriverTimer::Tick() 	layout/base/nsRefreshDriver.cpp
38 	libxul.so 	nsTimerImpl::Fire() 	xpcom/threads/nsTimerImpl.cpp
39 	libxul.so 	nsTimerEvent::Run() 	xpcom/threads/nsTimerImpl.cpp
40 	libxul.so 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
41 	libxul.so 	NS_ProcessNextEvent(nsIThread*, bool) 	xpcom/glue/nsThreadUtils.cpp
42 	libxul.so 	nsThread::Shutdown() 	xpcom/threads/nsThread.cpp
43 	libxul.so 	nsRunnableMethodImpl<tag_nsresult (nsIThread::*)(), void, true>::Run() 	obj-firefox/dist/include/nsThreadUtils.h
44 	libxul.so 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
45 	libxul.so 	NS_ProcessNextEvent(nsIThread*, bool) 	xpcom/glue/nsThreadUtils.cpp
46 	libxul.so 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
47 	libxul.so 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
48 	libxul.so 	nsBaseAppShell::Run() 	widget/xpwidgets/nsBaseAppShell.cpp
49 	libxul.so 	nsAppStartup::Run() 	toolkit/components/startup/nsAppStartup.cpp
50 	libxul.so 	XREMain::XRE_mainRun() 	toolkit/xre/nsAppRunner.cpp
51 	libxul.so 	XREMain::XRE_main(int, char**, nsXREAppData const*) 	toolkit/xre/nsAppRunner.cpp
52 	libxul.so 	XRE_main 	toolkit/xre/nsAppRunner.cpp
53 	firefox 	do_main 	browser/app/nsBrowserApp.cpp
54 	firefox 	main 	browser/app/nsBrowserApp.cpp
55 	libc-2.15.so 	libc-2.15.so@0x21455 	
56 	firefox 	firefox@0x40a0
P.S. IIRC, the problematic MDN page was the one about chrome URLs in Firefox, Thunderbird and SeaMonkey. I am NOT going to try to load it now.

Comment 2

5 years ago
Open this page http://dl.dropboxusercontent.com/u/95157096/85f61cf7/sRe31nA6L.html
No unrelated news, please. This site is a live site and this page is about a crash in Firefox, period. For tests about Bugzilla, see http://landfill.bugzilla.org/

Comment 4

5 years ago
Crash with STR with comment#2

Regression window(m-i)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/da5df68e8857
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 ID:20131104023709
Bad:
http://hg.mozilla.org/integration/mozilla-inbound/rev/495a9c210b91
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 ID:20131104024108
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=da5df68e8857&tochange=495a9c210b91

Regressed by:
495a9c210b91	Jan de Mooij — Bug 933798 - Don't unnecessarily deoptimize name accesses in try blocks in lazily parsed functions. r=bhackett
Blocks: 933798
tracking-firefox28: --- → ?
Keywords: reproducible
OS: Linux → All
Version: Trunk → 28 Branch

Updated

5 years ago
Component: Untriaged → JavaScript Engine
Product: Firefox → Core

Updated

5 years ago
Crash Signature: [@ Interpret] → [@ Interpret ]
(In reply to Alice0775 White from comment #4)
> Crash with STR with comment#2

If comment #2 has STR, please list them 1. 2. 3. etc.
When I clicked the link in comment #2, I saw a notification bar telling me that Nightly had blocked a redirect, and when I accepted the redirect I saw a news page telling me that Blackberry won't be sold.

Comment 6

5 years ago
Build Identifier:
http://hg.mozilla.org/mozilla-central/rev/770de5942471
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 ID:20131105030206

STR
1. Start Firefox with newly created profile
2. Open URL in comment#2
   then automatically redirected to morocco news
   then crash browser with crash sig bp-b5e5e975-763a-431f-9f88-f616a2131106

Comment 7

5 years ago
s/morocco news/marocpress/

Comment 8

5 years ago
Build Identifier:
http://hg.mozilla.org/mozilla-central/rev/770de5942471
Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 ID:20131105030206

Linux 64bit build also crashes with STR in comment#6 on ubuntu x64.
bp-ce401ed2-6abd-4ed7-ae4f-1e6592131106

Updated

5 years ago
Duplicate of this bug: 935385
https://hg.mozilla.org/mozilla-central/rev/175bebe48034
Assignee: nobody → jdemooij
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28

Updated

5 years ago
status-firefox27: --- → unaffected
tracking-firefox28: ? → +
Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 ID:20131107030200 CSet: 70de5e24d79b

So I can try to VERIFY this fix, is there a preference setting which I should change to be "automatically redirected" as stated in comment #6 instead of getting a notification bar saying that Firefox has prevented a redirect as I said in comment #5? I tried to filter about:config on "redirect" and found only defaulted prefs:

network.http.prompt-temp-redirect              default   boolean   true
network.http.redirection-limit                 default   integer   20
network.seer.redirect-likely-confidence        default   integer   75
network.websocket.auto-follow-http-redirects   default   boolean   false
places.frecency.permRedirectVisitBonus         default   integer   0
places.frecency.tempRedirectVisitBonus         default   integer   0

OTOH, AFAIK none of my add-ons interferes with redirecting:
Extensions: BackToTop, ChatZilla, Console², DOM Inspector, JavaScript Debugger, keyconfig, Mozilla QA Companion, Nightly Tester Tools, Restartless Restart, Tab Mix Plus, Test Pilot, the rest are disabled.
All plugins are set to "Ask to Activate".
The current theme is the default, no lightweight theme is installed.

Comment 12

5 years ago
> 1. Start Firefox with newly created profile
(In reply to Alice0775 White from comment #12)
> > 1. Start Firefox with newly created profile

No crash, and no notification either.

Of course any tests that I run apply only to Linux64. Please check also on Windows (where this bug was seen too) before setting VERIFIED.
Keywords: verifyme
FWIW, after closing Nightly I did a diff of prefs.js in both profiles, and the very first line in the older one looks like a possible culprit:

user_pref("accessibility.blockautorefresh", true);
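
The prefs.js comparison described in the comment above, as an added example that is not part of the original bug thread: it parses the `user_pref(...)` lines of two profiles and reports which prefs exist in only one of them or differ in value, which is less noisy than a line diff when the files are ordered differently. Both profile contents below are constructed sample data; only `accessibility.blockautorefresh` and `browser.startup.homepage` come from this bug.

```python
import re

# One line of a Firefox prefs.js file: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Return {pref name: typed value} for every user_pref() line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            # String pref: drop the surrounding quotes, undo backslash escapes.
            prefs[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])
    return prefs

def _differs(a, b):
    # Compare type as well as value so that boolean true is not equal to integer 1.
    return type(a) is not type(b) or a != b

def diff_prefs(old_text, new_text):
    """Compare two prefs.js contents; returns prefs unique to each and changed ones."""
    old, new = parse_prefs(old_text), parse_prefs(new_text)
    return {
        "only_old": {k: old[k] for k in sorted(old.keys() - new.keys())},
        "only_new": {k: new[k] for k in sorted(new.keys() - old.keys())},
        "changed": {k: (old[k], new[k])
                    for k in sorted(old.keys() & new.keys()) if _differs(old[k], new[k])},
    }

# Constructed sample input: a long-lived profile and a freshly created one.
OLD_PROFILE = '''# Mozilla User Preferences
user_pref("accessibility.blockautorefresh", true);
user_pref("browser.startup.homepage", "about:blank");
user_pref("browser.startup.page", 3);
'''
NEW_PROFILE = '''# Mozilla User Preferences
user_pref("browser.shell.checkDefaultBrowser", false);
user_pref("browser.startup.homepage", "about:blank");
user_pref("browser.startup.page", 1);
'''

if __name__ == "__main__":
    for section, entries in diff_prefs(OLD_PROFILE, NEW_PROFILE).items():
        print(section, entries)
```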

Comment 15

5 years ago
Crash:
http://hg.mozilla.org/mozilla-central/rev/9ba3faa35c96
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 ID:20131106030200

No crash:
http://hg.mozilla.org/mozilla-central/rev/70de5e24d79b
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 ID:20131107030200

I can verify that latest Nightly does not crash anymore with STR of comment#6.
Setting VERIFIED on the basis of comment #13 and comment #15.
Status: RESOLVED → VERIFIED
Keywords: verifyme
status-firefox28: affected → verified