Assertion failure: fun->isInterpretedLazy(), at js/src/../../js/src/jscompartment.cpp:732

Status: REOPENED (filed 5 years ago, last changed 3 years ago)
Reporter: past; Assigned: till
Keywords: assertion
Version: unspecified; Target Milestone: mozilla29
Platform: x86 Mac OS X
Firefox Tracking Flags: Not tracked
4 attachments

Created attachment 8361027 [details]
Crash log

fx-team tip with the patch from bug 933212 applied, and I follow the STR for bug 912924:

1) open http://jsfiddle.net/davibe/BsrKz/19/
2) open debugger
3) boom

Top of the stack:

0 JSCompartment::ensureDelazifyScriptsForDebugMode(JSContext*) + 1448 (jscntxt.h:359)
1 js::Debugger::ScriptQuery::addCompartment(JSCompartment*) + 64 (Debugger.cpp:2542)
2 js::Debugger::ScriptQuery::matchAllDebuggeeGlobals() + 198 (Debugger.cpp:2566)
3 js::Debugger::findScripts(JSContext*, unsigned int, JS::Value*) + 408 (Debugger.cpp:2441)
4 js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 97 (jscntxtinlines.h:220)
5 js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) + 869 (Interpreter.cpp:457)
6 Interpret(JSContext*, js::RunState&) + 39004 (Interpreter.cpp:2609)
7 js::RunScript(JSContext*, js::RunState&) + 541 (Interpreter.cpp:421)


Not 100% reproducible.
Comment 1 (Assignee), 5 years ago
This is almost certainly my bug, in that it's probably a regression from bug 886193. :(

Will look into it.
Assignee: nobody → till
Status: NEW → ASSIGNED
Reproduced it on plain fx-team tip without any other patches.
Seems to be fixed today.
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WORKSFORME
I found a new reliable way to reproduce this in bug 900045 comment 0. Copying here for your convenience:

1. Open this web page: http://well.blogs.nytimes.com/2013/07/31/how-exercise-changes-fat-and-muscle-cells/?_r=3&
2. Open the web console or the inspector
3. Open the debugger
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---

Comment 5, 5 years ago
Here's a stack trace:

(gdb) where
#0  0x00007ffff53cbb56 in CreateLazyScriptsForCompartment (cx=0x9121e0) at /home/jimb/moz/dbg/js/src/../../js/src/jscompartment.cpp:732
#1  JSCompartment::ensureDelazifyScriptsForDebugMode (this=<optimized out>, cx=0x9121e0) at /home/jimb/moz/dbg/js/src/../../js/src/jscompartment.cpp:764
#2  0x00007ffff54eb9af in js::Debugger::ScriptQuery::addCompartment (this=this@entry=0x7fffffff7810, comp=0x5985f00) at /home/jimb/moz/dbg/js/src/../../js/src/vm/Debugger.cpp:2542
#3  0x00007ffff54ebefd in js::Debugger::ScriptQuery::matchAllDebuggeeGlobals (this=this@entry=0x7fffffff7810) at /home/jimb/moz/dbg/js/src/../../js/src/vm/Debugger.cpp:2566
#4  0x00007ffff550dae2 in omittedQuery (this=0x7fffffff7810) at /home/jimb/moz/dbg/js/src/../../js/src/vm/Debugger.cpp:2441
#5  js::Debugger::findScripts (cx=0x9121e0, argc=0, vp=<optimized out>) at /home/jimb/moz/dbg/js/src/../../js/src/vm/Debugger.cpp:2687
#6  0x00007ffff54ad607 in js::CallJSNative (cx=cx@entry=0x9121e0, native=0x7ffff550d7a0 <js::Debugger::findScripts(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/jimb/moz/dbg/js/src/../../js/src/jscntxtinlines.h:220
#7  0x00007ffff54ff610 in js::Invoke (cx=cx@entry=0x9121e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /home/jimb/moz/dbg/js/src/../../js/src/vm/Interpreter.cpp:464
#8  0x00007ffff54f8ce1 in Interpret (cx=cx@entry=0x9121e0, state=...) at /home/jimb/moz/dbg/js/src/../../js/src/vm/Interpreter.cpp:2609
#9  0x00007ffff54ff10c in js::RunScript (cx=cx@entry=0x9121e0, state=...) at /home/jimb/moz/dbg/js/src/../../js/src/vm/Interpreter.cpp:421
#10 0x00007ffff54ff7eb in js::Invoke (cx=cx@entry=0x9121e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /home/jimb/moz/dbg/js/src/../../js/src/vm/Interpreter.cpp:483
#11 0x00007ffff53d2b5e in js::CallOrConstructBoundFunction (cx=<optimized out>, argc=2, vp=<optimized out>) at /home/jimb/moz/dbg/js/src/../../js/src/jsfun.cpp:1346
#12 0x00007ffff54ad607 in js::CallJSNative (cx=cx@entry=0x9121e0, native=0x7ffff53d2628 <js::CallOrConstructBoundFunction(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/jimb/moz/dbg/js/src/../../js/src/jscntxtinlines.h:220
#13 0x00007ffff54ff610 in js::Invoke (cx=cx@entry=0x9121e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /home/jimb/moz/dbg/js/src/../../js/src/vm/Interpreter.cpp:464
#14 0x00007ffff54f8ce1 in Interpret (cx=cx@entry=0x9121e0, state=...) at /home/jimb/moz/dbg/js/src/../../js/src/vm/Interpreter.cpp:2609
#15 0x00007ffff54ff10c in js::RunScript (cx=cx@entry=0x9121e0, state=...) at /home/jimb/moz/dbg/js/src/../../js/src/vm/Interpreter.cpp:421
#16 0x00007ffff54ff7eb in js::Invoke (cx=cx@entry=0x9121e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /home/jimb/moz/dbg/js/src/../../js/src/vm/Interpreter.cpp:483
#17 0x00007ffff53d4688 in js_fun_apply (cx=0x9121e0, argc=<optimized out>, vp=0x736138) at /home/jimb/moz/dbg/js/src/../../js/src/jsfun.cpp:1069
#18 0x00007ffff54ad607 in js::CallJSNative (cx=cx@entry=0x9121e0, native=0x7ffff53d3f80 <js_fun_apply(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/jimb/moz/dbg/js/src/../../js/src/jscntxtinlines.h:220
#19 0x00007ffff54ff610 in js::Invoke (cx=cx@entry=0x9121e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /home/jimb/moz/dbg/js/src/../../js/src/vm/Interpreter.cpp:464
#20 0x00007ffff54f8ce1 in Interpret (cx=cx@entry=0x9121e0, state=...) at /home/jimb/moz/dbg/js/src/../../js/src/vm/Interpreter.cpp:2609
#21 0x00007ffff54ff10c in js::RunScript (cx=cx@entry=0x9121e0, state=...) at /home/jimb/moz/dbg/js/src/../../js/src/vm/Interpreter.cpp:421
#22 0x00007ffff54ff7eb in js::Invoke (cx=cx@entry=0x9121e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /home/jimb/moz/dbg/js/src/../../js/src/vm/Interpreter.cpp:483
#23 0x00007ffff5501d43 in js::Invoke (cx=cx@entry=0x9121e0, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x7fffffffc0d0, rval=JSVAL_VOID) at /home/jimb/moz/dbg/js/src/../../js/src/vm/Interpreter.cpp:520
#24 0x00007ffff53d86d2 in JS_CallFunctionValue (cx=cx@entry=0x9121e0, objArg=<optimized out>, fval=$jsval((JSObject *) 0x7fff298817c0 [object Function "makeInfallible/<"]), argc=argc@entry=0, argv=argv@entry=0x7fffffffc0d0, rval=rval@entry=0x7fffffffbfb0) at /home/jimb/moz/dbg/js/src/../../js/src/jsapi.cpp:5016
#25 0x00007ffff3b92fd3 in nsXPCWrappedJSClass::CallMethod (this=0x744d780, wrapper=<optimized out>, methodIndex=3, info_=0x5b3360, nativeParams=0x7fffffffc3a0) at /home/jimb/moz/dbg/js/xpconnect/src/XPCWrappedJSClass.cpp:1293
#26 0x00007ffff3b71e57 in nsXPCWrappedJS::CallMethod (this=0x6cee960, methodIndex=<optimized out>, info=0x5b3360, params=0x7fffffffc3a0) at /home/jimb/moz/dbg/js/xpconnect/src/XPCWrappedJS.cpp:519
#27 0x00007ffff2d2eded in PrepareAndDispatch (self=0x486d680, methodIndex=<optimized out>, args=<optimized out>, gpregs=0x7fffffffc490, fpregs=0x7fffffffc4c0) at /home/jimb/moz/dbg/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
#28 0x00007ffff2d2e087 in SharedStub () from /home/jimb/moz/dbg/obj-bug/dist/bin/libxul.so
#29 0x00007ffff2d2390e in nsThread::ProcessNextEvent (this=0x52cae0, mayWait=false, result=0x7fffffffc5bf) at /home/jimb/moz/dbg/xpcom/threads/nsThread.cpp:637
#30 0x00007ffff2c9f321 in NS_ProcessNextEvent (thread=<optimized out>, mayWait=mayWait@entry=false) at /home/jimb/moz/dbg/xpcom/glue/nsThreadUtils.cpp:263
#31 0x00007ffff301972c in mozilla::ipc::MessagePump::Run (this=0x529600, aDelegate=0x5288b0) at /home/jimb/moz/dbg/ipc/glue/MessagePump.cpp:95
#32 0x00007ffff2fff348 in MessageLoop::RunInternal (this=this@entry=0x5288b0) at /home/jimb/moz/dbg/ipc/chromium/src/base/message_loop.cc:226
#33 0x00007ffff2fff375 in RunHandler (this=0x5288b0) at /home/jimb/moz/dbg/ipc/chromium/src/base/message_loop.cc:219
#34 MessageLoop::Run (this=0x5288b0) at /home/jimb/moz/dbg/ipc/chromium/src/base/message_loop.cc:193
#35 0x00007ffff3acd4a7 in nsBaseAppShell::Run (this=0x8d9c60) at /home/jimb/moz/dbg/widget/xpwidgets/nsBaseAppShell.cpp:157
#36 0x00007ffff4b8cfbb in nsAppStartup::Run (this=0x8e3c40) at /home/jimb/moz/dbg/toolkit/components/startup/nsAppStartup.cpp:276
#37 0x00007ffff4b181e0 in XREMain::XRE_mainRun (this=this@entry=0x7fffffffca50) at /home/jimb/moz/dbg/toolkit/xre/nsAppRunner.cpp:4023
#38 0x00007ffff4b1865e in XREMain::XRE_main (this=this@entry=0x7fffffffca50, argc=argc@entry=4, argv=argv@entry=0x7fffffffdf28, aAppData=aAppData@entry=0x7fffffffcc50) at /home/jimb/moz/dbg/toolkit/xre/nsAppRunner.cpp:4091
#39 0x00007ffff4b18906 in XRE_main (argc=4, argv=0x7fffffffdf28, aAppData=0x7fffffffcc50, aFlags=<optimized out>) at /home/jimb/moz/dbg/toolkit/xre/nsAppRunner.cpp:4331
#40 0x0000000000404109 in do_main (argc=argc@entry=4, argv=argv@entry=0x7fffffffdf28, xreDirectory=0x41d010) at /home/jimb/moz/dbg/browser/app/nsBrowserApp.cpp:280
#41 0x0000000000404238 in main (argc=4, argv=0x7fffffffdf28) at /home/jimb/moz/dbg/browser/app/nsBrowserApp.cpp:648
(gdb)
Comment 6 (Assignee), 5 years ago
Created attachment 8369117 [details] [diff] [review]
Ensure LazyScript has script set for non-lazy canonical functions.

The proper fix here would be to turn LazyScript::script_ into a WeakPtr and get rid of quite a bit of fragility in the setup. I won't be able to implement that before the uplift, though, so this has to do for now.
Attachment #8369117 - Flags: review?(jdemooij)
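A reduced C++ model of the invariant this comment and the patch title describe, added here as an example and not code from SpiderMonkey: the structs are stand-ins whose names follow the stack trace, and delazifyWithoutFix/delazifyWithFix are hypothetical routines contrasting a canonical function delazified without the LazyScript learning about its script (the state that trips fun->isInterpretedLazy()) with the patched behaviour.

```cpp
// Added example: reduced model of the invariant checked by the assertion
// fun->isInterpretedLazy() in CreateLazyScriptsForCompartment. Stand-in
// types, not SpiderMonkey's.
#include <vector>

struct JSFunction;
struct JSScript;

struct LazyScript {
    JSFunction *function = nullptr;  // canonical (non-cloned) function
    JSScript *script = nullptr;      // compiled script, once recorded
};

struct JSFunction {
    JSScript *script = nullptr;      // non-null once the function is delazified
    bool isInterpretedLazy() const { return script == nullptr; }
};

struct JSScript {
    JSFunction *function_ = nullptr; // canonical function this script belongs to
    LazyScript *lazy_ = nullptr;     // LazyScript it was compiled from, if any
};

// Hypothetical pre-fix delazification: only the function learns about the
// script, so its LazyScript still looks as if nothing was compiled.
void delazifyWithoutFix(JSFunction *fun, JSScript *script) {
    fun->script = script;
}

// Hypothetical post-fix delazification, following the patch description:
// delazifying the canonical function also records the script on the LazyScript.
void delazifyWithFix(JSFunction *fun, JSScript *script) {
    fun->script = script;
    if (script->lazy_)
        script->lazy_->script = script;
}

// Model of the collection loop in CreateLazyScriptsForCompartment: gather the
// functions the debugger still has to delazify. Returns false where the real
// code would hit MOZ_ASSERT(fun->isInterpretedLazy()).
bool collectLazyFunctions(const std::vector<LazyScript *> &zoneLazyScripts,
                          std::vector<JSFunction *> &lazyFunctions) {
    for (LazyScript *lazy : zoneLazyScripts) {
        if (lazy->script)            // compiled and recorded: nothing to do
            continue;
        JSFunction *fun = lazy->function;
        if (!fun->isInterpretedLazy())
            return false;            // LazyScript says lazy, function says compiled
        lazyFunctions.push_back(fun);
    }
    return true;
}

// One canonical function, delazified by the given routine, then swept as the
// debugger does when it opens. Returns true when the sweep completes cleanly.
bool sweepAfterDelazify(void (*delazify)(JSFunction *, JSScript *)) {
    LazyScript lazy; JSFunction fun; JSScript script;
    lazy.function = &fun;
    script.function_ = &fun;
    script.lazy_ = &lazy;
    delazify(&fun, &script);
    std::vector<LazyScript *> zone{&lazy};
    std::vector<JSFunction *> pending;
    return collectLazyFunctions(zone, pending);
}
```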
Comment on attachment 8369117 [details] [diff] [review]
Ensure LazyScript has script set for non-lazy canonical functions.

Review of attachment 8369117 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsscriptinlines.h
@@ +64,3 @@
>          function_->setUnlazifiedScript(const_cast<JSScript *>(this));
> +        // If this script has a LazyScript, make sure the LazyScript has a
> +        // reference to the script when delazifying it's canonical function.
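Review bot: the new comment describes the LazyScript back-reference, but the quoted hunk (+64,3) ends before the statement that sets it, so as shown it sits under `function_->setUnlazifiedScript(const_cast<JSScript *>(this));`, which only updates the function side; keep the comment directly above the assignment to the LazyScript and name the invariant it protects (the `fun->isInterpretedLazy()` assertion in CreateLazyScriptsForCompartment) so the failure is traceable back to it. The `const_cast` on `this` also shows a const member function mutating shared state, which the comment could acknowledge alongside the it's/its fix.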

Nit: s/it's/its
Attachment #8369117 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/05fd25b6979e
Status: REOPENED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Created attachment 8369327 [details]
crash2.log

I still get the assertion even with this patch.

$ hg log -r 05fd25b6979e
changeset:   166535:05fd25b6979e
user:        Till Schneidereit <till@tillschneidereit.net>
date:        Sat Feb 01 23:31:57 2014 +0100
summary:     Bug 960513 - Ensure LazyScript has script set for non-lazy canonical functions. r=jandem

I'm attaching the new crash log as the line numbers have shifted a bit.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
This happens a lot to me when using the debugger. It's pretty annoying.
(In reply to David Baron [:dbaron] (UTC-8) (needinfo? for questions) from comment #12)
> Just hit this while *opening* the debugger.

Same here just now.

cx    JSContext *    0x1139f41c0    0x00000001139f41c0
lazyFunctions    JS::AutoObjectVector       
  JS::AutoVectorRooter<JSObject *>    JS::AutoVectorRooter<JSObject *>       
  _mCheckNotUsedAsTemporary    mozilla::detail::GuardObjectNotificationReceiver       
    mStatementDone    bool    true    true
i    js::gc::ZoneCellIter       
  js::gc::ZoneCellIterImpl    js::gc::ZoneCellIterImpl       
  noAlloc    JS::AutoAssertNoAlloc       
  lists    js::gc::ArenaLists *    NULL    0x0000000000000000
  kind    js::gc::AllocKind    FINALIZE_LAZY_SCRIPT    FINALIZE_LAZY_SCRIPT
  lazy    js::LazyScript *    0x13c9774c0    0x000000013c9774c0
  fun    JSFunction *    0x13c975680    0x000000013c975680
  js::NativeObject    js::NativeObject       
    nargs_    uint16_t    0    0
    flags_    uint16_t    193    193
  u    JSFunction::U       
  atom_    js::HeapPtrAtom
I can reproduce this consistently by going to a web site, and opening the JS debugger:

backtrace:
Assertion failure: fun->isInterpretedLazy(), at /Users/jyavenard/Work/Mozilla/mozilla-central/js/src/jscompartment.cpp:769
(lldb) bt
* thread #1: tid = 0x344913, 0x00000001095854aa XUL`CreateLazyScriptsForCompartment(cx=0x0000000100430c40) + 410 at jscompartment.cpp:769, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001095854aa XUL`CreateLazyScriptsForCompartment(cx=0x0000000100430c40) + 410 at jscompartment.cpp:769
    frame #1: 0x00000001095852cc XUL`JSCompartment::ensureDelazifyScriptsForDebugger(this=0x000000012e872f00, cx=0x0000000100430c40) + 156 at jscompartment.cpp:801
    frame #2: 0x0000000108f898a6 XUL`js::Debugger::ScriptQuery::addCompartment(this=0x00007fff5fbd3068, comp=0x000000012e872f00) + 70 at Debugger.cpp:3384
    frame #3: 0x0000000108f89816 XUL`js::Debugger::ScriptQuery::matchAllDebuggeeGlobals(this=0x00007fff5fbd3068) + 214 at Debugger.cpp:3408
    frame #4: 0x0000000108eeee3e XUL`js::Debugger::ScriptQuery::omittedQuery(this=0x00007fff5fbd3068) + 94 at Debugger.cpp:3275
    frame #5: 0x0000000108e85323 XUL`js::Debugger::findScripts(cx=0x0000000100430c40, argc=0, vp=0x00007fff5fbd3cc8) + 531 at Debugger.cpp:3534
    frame #6: 0x0000000108efabcb XUL`js::CallJSNative(cx=0x0000000100430c40, native=0x0000000108e85110, args=0x00007fff5fbd3b60)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 187 at jscntxtinlines.h:235
    frame #7: 0x0000000108e8e755 XUL`js::Invoke(cx=0x0000000100430c40, args=CallArgs at 0x00007fff5fbd3b60, construct=NO_CONSTRUCT) + 1269 at Interpreter.cpp:498
    frame #8: 0x0000000108e78174 XUL`js::Invoke(cx=0x0000000100430c40, thisv=0x000000011c3a08b0, fval=0x00007fff5fbd3da8, argc=0, argv=0x000000011c3a08b8, rval=JS::MutableHandleValue at 0x00007fff5fbd3c60) + 900 at Interpreter.cpp:554
    frame #9: 0x000000010972988c XUL`js::DirectProxyHandler::call(this=0x000000010c505290, cx=0x0000000100430c40, proxy=JS::HandleObject at 0x00007fff5fbd3dd8, args=0x00007fff5fbd4080) const + 316 at DirectProxyHandler.cpp:77
    frame #10: 0x000000010972967e XUL`js::CrossCompartmentWrapper::call(this=0x000000010c505290, cx=0x0000000100430c40, wrapper=JS::HandleObject at 0x00007fff5fbd3f10, args=0x00007fff5fbd4080) const + 574 at CrossCompartmentWrapper.cpp:288
    frame #11: 0x000000010972fad4 XUL`js::Proxy::call(cx=0x0000000100430c40, proxy=JS::HandleObject at 0x00007fff5fbd4000, args=0x00007fff5fbd4080) + 404 at Proxy.cpp:391
    frame #12: 0x0000000109731695 XUL`js::proxy_Call(cx=0x0000000100430c40, argc=0, vp=0x000000011c3a08a8) + 245 at Proxy.cpp:703
    frame #13: 0x0000000108efabcb XUL`js::CallJSNative(cx=0x0000000100430c40, native=0x00000001097315a0, args=0x00007fff5fbd4980)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 187 at jscntxtinlines.h:235
    frame #14: 0x0000000108e8e651 XUL`js::Invoke(cx=0x0000000100430c40, args=CallArgs at 0x00007fff5fbd4980, construct=NO_CONSTRUCT) + 1009 at Interpreter.cpp:491
    frame #15: 0x0000000108ea8cc5 XUL`Interpret(cx=0x0000000100430c40, state=0x00007fff5fbd7868) + 51749 at Interpreter.cpp:2596
    frame #16: 0x0000000108e9c1b9 XUL`js::RunScript(cx=0x0000000100430c40, state=0x00007fff5fbd7868) + 585 at Interpreter.cpp:448
    frame #17: 0x0000000108e8e896 XUL`js::Invoke(cx=0x0000000100430c40, args=CallArgs at 0x00007fff5fbd8060, construct=NO_CONSTRUCT) + 1590 at Interpreter.cpp:517
    frame #18: 0x0000000108e78174 XUL`js::Invoke(cx=0x0000000100430c40, thisv=0x00007fff5fbd8248, fval=0x00007fff5fbd8280, argc=0, argv=0x0000000000000000, rval=JS::MutableHandleValue at 0x00007fff5fbd8160) + 900 at Interpreter.cpp:554
    frame #19: 0x0000000108eb4e1c XUL`js::InvokeGetterOrSetter(cx=0x0000000100430c40, obj=0x00000001229f4380, fval=Value at 0x00007fff5fbd8280, argc=0, argv=0x0000000000000000, rval=JS::MutableHandleValue at 0x00007fff5fbd8278) + 172 at Interpreter.cpp:624
    frame #20: 0x0000000108fe7cf7 XUL`CallGetter(cx=0x0000000100430c40, receiver=JS::HandleObject at 0x00007fff5fbd8340, shape=js::HandleShape at 0x00007fff5fbd8338, vp=JS::MutableHandleValue at 0x00007fff5fbd8330) + 247 at NativeObject.cpp:1670
    frame #21: 0x0000000108f9e439 XUL`bool GetExistingProperty<(cx=0x0000000100430c40, receiver=js::MaybeRooted<JSObject *, js::AllowGC>::HandleType at 0x00007fff5fbd8430, obj=js::MaybeRooted<js::NativeObject *, js::AllowGC>::HandleType at 0x00007fff5fbd8428, shape=js::MaybeRooted<js::Shape *, js::AllowGC>::HandleType at 0x00007fff5fbd8420, vp=js::MaybeRooted<JS::Value, js::AllowGC>::MutableHandleType at 0x00007fff5fbd8418)1>(JSContext*, js::MaybeRooted<JSObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) + 809 at NativeObject.cpp:1717
    frame #22: 0x0000000108f9e7ea XUL`bool NativeGetPropertyInline<(cx=0x0000000100430c40, obj=js::MaybeRooted<js::NativeObject *, js::AllowGC>::HandleType at 0x00007fff5fbd85f0, receiver=js::MaybeRooted<JSObject *, js::AllowGC>::HandleType at 0x00007fff5fbd85e8, id=js::MaybeRooted<jsid, js::AllowGC>::HandleType at 0x00007fff5fbd85e0, nameLookup=NotNameLookup, vp=js::MaybeRooted<JS::Value, js::AllowGC>::MutableHandleType at 0x00007fff5fbd85d8)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JSObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<jsid, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) + 570 at NativeObject.cpp:1919
    frame #23: 0x0000000108f9e59d XUL`js::NativeGetProperty(cx=0x0000000100430c40, obj=js::HandleNativeObject at 0x00007fff5fbd8658, receiver=JS::HandleObject at 0x00007fff5fbd8650, id=JS::HandleId at 0x00007fff5fbd8648, vp=JS::MutableHandleValue at 0x00007fff5fbd8640) + 93 at NativeObject.cpp:1953
    frame #24: 0x0000000108ef0016 XUL`js::GetProperty(cx=0x0000000100430c40, obj=JS::HandleObject at 0x00007fff5fbd86e0, receiver=JS::HandleObject at 0x00007fff5fbd86d8, id=JS::HandleId at 0x00007fff5fbd86d0, vp=JS::MutableHandleValue at 0x00007fff5fbd86c8) + 214 at NativeObject.h:1425
    frame #25: 0x0000000108ec867f XUL`GetPropertyOperation(cx=0x0000000100430c40, fp=0x000000011c3a0730, script=JS::HandleScript at 0x00007fff5fbd88e0, pc=0x000000012a46aa18, lval=JS::MutableHandleValue at 0x00007fff5fbd88d8, vp=JS::MutableHandleValue at 0x00007fff5fbd88d0) + 1279 at Interpreter.cpp:256
    frame #26: 0x0000000108ea701e XUL`Interpret(cx=0x0000000100430c40, state=0x00007fff5fbdb7e8) + 44414 at Interpreter.cpp:2413
    frame #27: 0x0000000108e9c1b9 XUL`js::RunScript(cx=0x0000000100430c40, state=0x00007fff5fbdb7e8) + 585 at Interpreter.cpp:448
    frame #28: 0x0000000108e8e896 XUL`js::Invoke(cx=0x0000000100430c40, args=CallArgs at 0x00007fff5fbdbfe0, construct=NO_CONSTRUCT) + 1590 at Interpreter.cpp:517
    frame #29: 0x0000000109611229 XUL`js::CallOrConstructBoundFunction(cx=0x0000000100430c40, argc=2, vp=0x000000011c3a0650) + 1145 at jsfun.cpp:1595
    frame #30: 0x0000000108efabcb XUL`js::CallJSNative(cx=0x0000000100430c40, native=0x0000000109610db0, args=0x00007fff5fbdcad0)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 187 at jscntxtinlines.h:235
    frame #31: 0x0000000108e8e755 XUL`js::Invoke(cx=0x0000000100430c40, args=CallArgs at 0x00007fff5fbdcad0, construct=NO_CONSTRUCT) + 1269 at Interpreter.cpp:498
    frame #32: 0x0000000108ea8cc5 XUL`Interpret(cx=0x0000000100430c40, state=0x00007fff5fbdf9b8) + 51749 at Interpreter.cpp:2596
    frame #33: 0x0000000108e9c1b9 XUL`js::RunScript(cx=0x0000000100430c40, state=0x00007fff5fbdf9b8) + 585 at Interpreter.cpp:448
    frame #34: 0x0000000108e8e896 XUL`js::Invoke(cx=0x0000000100430c40, args=CallArgs at 0x00007fff5fbe01b0, construct=NO_CONSTRUCT) + 1590 at Interpreter.cpp:517
    frame #35: 0x000000010960f5b3 XUL`js::fun_apply(cx=0x0000000100430c40, argc=2, vp=0x00007fff5fbe1578) + 1747 at jsfun.cpp:1318
    frame #36: 0x0000000108efabcb XUL`js::CallJSNative(cx=0x0000000100430c40, native=0x000000010960eee0, args=0x00007fff5fbe1410)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 187 at jscntxtinlines.h:235
    frame #37: 0x0000000108e8e755 XUL`js::Invoke(cx=0x0000000100430c40, args=CallArgs at 0x00007fff5fbe1410, construct=NO_CONSTRUCT) + 1269 at Interpreter.cpp:498
    frame #38: 0x0000000108e78174 XUL`js::Invoke(cx=0x0000000100430c40, thisv=0x00007fff5fbe1810, fval=0x00007fff5fbe1840, argc=2, argv=0x00007fff5fbe19b0, rval=JS::MutableHandleValue at 0x00007fff5fbe1510) + 900 at Interpreter.cpp:554
    frame #39: 0x00000001091dd3b7 XUL`js::jit::DoCallFallback(cx=0x0000000100430c40, frame=0x00007fff5fbe1a18, stub_=0x00000001206d8358, argc=2, vp=0x00007fff5fbe19a0, res=JS::MutableHandleValue at 0x00007fff5fbe18f8) + 1847 at BaselineIC.cpp:9648
    frame #40: 0x00000001149d103b

100% reproducible.
(In reply to Jean-Yves Avenard [:jya] from comment #14)
> I can reproduce this consistently by going to a web site, and opening the JS
> debugger:

Which website, please? Do you have a URL? Or do you mean *any* website?
Flags: needinfo?(jyavenard)
One particular website, I can't provide the details here. I can contact you privately by email.
Flags: needinfo?(jyavenard)
Might be of interest for till (see comments 14 and 16)
Flags: needinfo?(till)
Updated (Assignee), 3 years ago
Flags: needinfo?(till)