Closed Bug 1135286 Opened 9 years ago Closed 8 years ago

crash in js::types::TypeSet::addType(js::types::Type, js::LifoAlloc*)

Categories

(Core :: JavaScript Engine, defect)

All
macOS
defect
Not set
critical

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox35 --- wontfix
firefox36 - wontfix
firefox37 - affected
firefox38 - affected

People

(Reporter: MatsPalmgren_bugz, Unassigned)

This bug was filed from the Socorro interface and is 
report bp-eaf7ce9f-1ccc-400f-ad99-51be02150214.
=============================================================

Currently at #41 in the "Top Crashers for Firefox 35.0.1" list,
with 1776 crashes in the past week in that channel (I suspect the
real number is higher).  Almost all crashes are on OSX.
(It's #3 when restricting the search to crashes on OSX.)

Many user comments mention Pinterest:
https://crash-stats.mozilla.com/report/list?product=Firefox&range_unit=days&range_value=28&signature=js%3A%3Atypes%3A%3ATypeSet%3A%3AaddType%28js%3A%3Atypes%3A%3AType%2C+js%3A%3ALifoAlloc*%29#tab-comments

It might be possible to find Steps To Reproduce the crash
by using Pinterest with an OSX build.

Stack:

@0x14c95bcc0
js::types::TypeSet::addType(js::types::Type, js::LifoAlloc*)
@0xfffc00013b75d60f
EnterBaseline
js::jit::EnterBaselineMethod(JSContext*, js::RunState&)
Interpret
js::RunScript(JSContext*, js::RunState&)
js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct)
js_fun_apply(JSContext*, unsigned int, JS::Value*)
js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct)
Interpret
js::RunScript(JSContext*, js::RunState&)
js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct)
js::CallOrConstructBoundFunction(JSContext*, unsigned int, JS::Value*)
js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct)
js_fun_call(JSContext*, unsigned int, JS::Value*)
@0x1007c7a84
...
[Tracking Requested - why for this release]: topcrash
I don't think that it's worth tracking for 36 as it is about to ship. I have tracked for 37+ but we need to confirm that this is still an issue on these branches. 37 moves to Beta next week so we should get more data on that branch shortly.

ni Naveed to find an owner
Flags: needinfo?(nihsanullah)
Jan, can you find someone to take a look? I suspect alloc is null or corrupted so the insertion is crashing. It's not much of a stack. We probably need an owner with OSX who can repro this.
Flags: needinfo?(nihsanullah) → needinfo?(jdemooij)
I fixed a crash on Pinterest a few weeks ago; the fix for that is in Firefox 36. It was responsible for one of our topcrashes in Firefox 35 and this could very well be the same issue.

I don't see this as a topcrash for 36, can you confirm?
Flags: needinfo?(jdemooij)
Although the crash signature has not dropped to zero, there is only a trickle of crash reports in every release since 35.0.1. Specifically, 37 Beta has only seen 3 crashes, all on Beta 3.
As the crash rate is not actually zero, I'll let Jan make the call about whether to close the bug. However, at the current volume, I don't think we need to track this for 37 or 38.
Crash Signature: [@ js::types::TypeSet::addType(js::types::Type, js::LifoAlloc*)] → [@ js::types::TypeSet::addType(js::types::Type, js::LifoAlloc*)] [@ js::types::TypeSet::addType]
(In reply to Lawrence Mandel [:lmandel] (use needinfo) from comment #6)
> As the crash rate is not actually zero, I'll let Jan make the call about
> whether to close the bug. However, at the current volume, I don't think we
> need to track this for 37 or 38.

Way less than a trickle: there is only one version 37 crash in the past two months, and none for newer versions.

FWIW, almost no crash comments match pinterest for any crash sigs https://crash-stats.mozilla.com/search/?user_comments=~pinterest&_sort=-date&_facets=signature&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-signature
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME