This bug was filed from the Socorro interface and is report bp-ce2043f3-810d-400c-b43b-6dd032140527. ============================================================= Steps to Reproduce for me I had 3 tabs open Facebook my google mail my hotmail aka outlook mail I was getting the stop script warning https://support.mozilla.org/en-US/kb/warning-unresponsive-script I clicked the debug button on the nightly then it went away then it came back then I clicked debug again and after it this time it crashed my firefox

(In reply to David Weir (satdav) from comment #0) > This bug was filed from the Socorro interface and is > report bp-ce2043f3-810d-400c-b43b-6dd032140527. > ============================================================= > Steps to Reproduce for me > > I had 3 tabs open > > Facebook > my google mail > my hotmail aka outlook mail > > I was getting the stop script warning > https://support.mozilla.org/en-US/kb/warning-unresponsive-script > > I clicked the debug button on the nightly then it went away then it came > back then I clicked debug again and after it this time it crashed my firefox What went away? Did the debugger pop up? I can't reproduce the slow script dialog if I just have those 3 tabs open -- more steps would appreciated.

poisoned address 0x5a5a5a62 This is mostly Windows, plus a few crashes on Linux, in the past week.

the debugger then it crashed the firefox sorry I forgot to add that if I get a crash again I will take a screenshot of the stop script error

(In reply to [:tracy] Tracy Walker - QA Mentor from comment #2) > poisoned address 0x5a5a5a62 > > This is mostly Windows, plus a few crashes on Linux, in the past week. Do you have links to the other crashes? I would more STR.

(In reply to Shu-yu Guo [:shu] from comment #4) > (In reply to [:tracy] Tracy Walker - QA Mentor from comment #2) > > poisoned address 0x5a5a5a62 > > > > This is mostly Windows, plus a few crashes on Linux, in the past week. > > Do you have links to the other crashes? I would more STR. Oops, missed a word: I would love more STR.

more crash rports here: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=js%3A%3ALifoAlloc%3A%3AfreeAll%28%29+|+js%3A%3Ajit%3A%3ABaselineScript%3A%3A~BaselineScript%28%29#tab-sigsummary satdav should be able to provide better STR's as he is crashing often with this signature.

I was on that error and I clicked to get the debugger up and when that opened it crashed again this time

I can now access the dev console what am I looking for and under what section of nightly

I think I figured it out. It's a double free, so marking s-s. David, thanks for your report!

Doing it slowly with a quadratic check. Performance isn't important here.

I think you in fact pointed out this fact to me in the review, but I did not correctly address it. My bad.

Comment on attachment 8429696 [details] [diff] [review] Fix handling of recursive calls in DebugModeOSR. Review of attachment 8429696 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jit/BaselineDebugModeOSR.cpp @@ +143,5 @@ > + return index_ == entries_.length(); > + } > + > + const DebugModeOSREntry &entry() { > + return entries_[index_]; Nit: MOZ_ASSERT(!done()); @@ +146,5 @@ > + const DebugModeOSREntry &entry() { > + return entries_[index_]; > + } > + > + UniqueScriptOSREntryIter &operator++() { And here.

Note for the security team: I'm not going to request sec-approval or uplift because even though the code isn't Nightly-only, it can only be triggered by chrome privileged JS. The chrome JS that triggers this (the slow script debug button code in gDevTools.jsm) is Nightly-only.

Gah. Is there a reason we didn't take this on ESR31?

Not enough here for me to reproduce, but I'm setting a needinfo request to Satdav. Satdav, can you try this again with the Fx32 release candidate and make sure it does not crash for you? Thank you.

(In reply to Matt Wobensmith from comment #18) > Not enough here for me to reproduce, but I'm setting a needinfo request to > Satdav. > > Satdav, can you try this again with the Fx32 release candidate and make sure > it does not crash for you? Thank you. You can run the shell test js/src/jit-test/tests/debug/Debugger-debuggees-27.js from mozilla-central against a shell built from the Fx32 RC sources to see if it crashes.

Thanks Shu! Unfortunately, that test case does not crash Fx32 jsshell from the date this was reported (2014-05-27) so I can't tell if I'm hitting the bug or not. If you have any other advice, let me know.

Lowering this to sec-moderate given that the STR requires convincing a user to hit the Debug button in a slow script dialog. As a sec-moderate we may not need this on ESR31 so I'm restoring Al's nomination rather than assuming we have to track it for 31.1 ("32"").

This doesn't meet the criteria for ESR.