Closed Bug 705423 Opened 13 years ago Closed 12 years ago

Crash in js::types::TypeSet::hasType

Categories

(Core :: JavaScript Engine, defect)

9 Branch
x86
Windows 7
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla16

People

(Reporter: scoobidiver, Assigned: luke)

References

Details

(Keywords: crash, regression, topcrash)

Crash Data

Attachments

(2 files)

It's #46 top crasher in 9.0b2 and #45 in 10.0a2 over the last 3 days.
It first appeared in 9.0a1/20110830.

There are three kinds of stack traces:

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::types::TypeSet::hasType 	js/src/jsinferinlines.h:925
1 	mozjs.dll 	js::types::TypeCompartment::markSetsUnknown 	js/src/jsinfer.cpp:2267
2 	mozjs.dll 	js::SetProto 	js/src/jsobj.cpp:4768
3 	mozjs.dll 	JS_SetPrototype 	js/src/jsapi.cpp:3102
4 	xul.dll 	nsJSContext::SetOuterObject 	dom/base/nsJSEnvironment.cpp:2320
5 	xul.dll 	nsGlobalWindow::SetNewDocument 	dom/base/nsGlobalWindow.cpp:2179
6 	xul.dll 	DocumentViewerImpl::InitInternal 	layout/base/nsDocumentViewer.cpp:959
7 	xul.dll 	DocumentViewerImpl::Init 	layout/base/nsDocumentViewer.cpp:702
8 	xul.dll 	nsDocShell::SetupNewViewer 	docshell/base/nsDocShell.cpp:7688
9 	xul.dll 	nsDocShell::Embed 	docshell/base/nsDocShell.cpp:5790
10 	xul.dll 	nsDocShell::CreateContentViewer 	docshell/base/nsDocShell.cpp:7475
11 	xul.dll 	nsDSURIContentListener::DoContent 	docshell/base/nsDSURIContentListener.cpp:147
...

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::types::TypeSet::hasType 	js/src/jsinferinlines.h:925
1 	mozjs.dll 	js::types::TypeMonitorResult 	js/src/jsinfer.cpp:5090
2 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2342
3 	mozjs.dll 	js::ContextStack::pushInvokeFrame 	js/src/vm/Stack.cpp:691
4 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:678
5 	mozjs.dll 	js_fun_apply 	js/src/jsfun.cpp:1885
6 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:660
7 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:4036
8 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:614
9 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:678
10 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:710
11 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5039
...

Frame 	Module 	Signature 	Source
0 		@0x512b0cc 	
1 	mozjs.dll 	js::types::TypeSet::hasType 	js/src/jsinferinlines.h:943
2 	mozjs.dll 	js::mjit::EnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:1064
3 	mozjs.dll 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:1142
4 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:3989
5 	mozjs.dll 	js::types::TypeMonitorCallSlow 	js/src/jsinfer.cpp:5014
6 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:584
7 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:679
8 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5199
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Atypes%3A%3ATypeSet%3A%3AhasType%28js%3A%3Atypes%3A%3AType%29
Adding Brian and wondering if this is a dupe of Bug 683317.
It's currently #38 top crasher in 9.0b4.
It's #38 top browser crasher in 9.0.1, #35 in 10.0b2, #15 in 11.0a2, and #53 in 12.0a1.
Keywords: topcrash
It's #10 top browser crasher in 10.0.1.

Here are 10.0.1 correlations reports on Feb 15:
     24% (105/433) vs.   0% (106/49762) {1c02736b-82fb-4096-8c46-2eac570216d3} (SetiTagila Toolbar)
     18% (79/433) vs.   1% (387/49762) adblockpopups@jessehakanen.net
     18% (78/433) vs.   1% (303/49762) SkipScreen@SkipScreen (SkipScreen, https://addons.mozilla.org/addon/11243)
     18% (80/433) vs.   1% (682/49762) elemhidehelper@adblockplus.org (Adblock Plus: Element Hiding Helper, https://addons.mozilla.org/addon/4364)
     17% (75/433) vs.   0% (164/49762) fastdial@telega.phpnet.us (Fast Dial, https://addons.mozilla.org/addon/5721)
     17% (74/433) vs.   1% (280/49762) vk@sergeykolosov.mp (VKontakte.ru Downloader)
In 10.0.2, it's correlated to RadioWMPCoreGecko10.dll that belongs to various toolbars and a trojan (see http://home.mcafee.com/virusinfo/virusprofile.aspx?key=810626#none):
64% (174/270) vs.  13% (4401/34630) RadioWMPCoreGecko10.dll
Blocks: 730703
It's still correlated with Conduit products:
* 10.0.2: 59% (298/508) vs.  11% (7780/70876) RadioWMPCoreGecko10.dll
* 11.0:    22% (42/190) vs.   8% (2918/34940) RadioWMPCoreGecko11.dll
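The correlation lines quoted in the comments above compare how often a module or add-on appears in reports carrying this signature against how often it appears in all reports for that version. The following is an added example, not part of the bug or of any Mozilla tooling: a small parser for that line format that computes the enrichment ratio ("lift") of each item and ranks items by it, so a triager can see at a glance which add-ons or DLLs deserve a first look. The sample input reuses the figures posted in this bug; the helper names, the lift metric and the thresholds are this example's own choices, and a high lift is a lead for investigation, not proof that the item causes the crash.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Crash-stats correlation lines as pasted into bug comments, e.g.
#   "24% (105/433) vs.   0% (106/49762) {guid} (Add-on Name)"
#   "* 10.0.2: 59% (298/508) vs.  11% (7780/70876) RadioWMPCoreGecko10.dll"
# Left side: share of reports with this signature that carry the item.
# Right side: share of all reports for that version that carry the item.
_LINE_RE = re.compile(
    r"^\s*(?:\*\s*(?P<version>[\w.]+):\s*)?"
    r"(?P<sig_pct>\d+)%\s*\((?P<sig_hits>\d+)/(?P<sig_total>\d+)\)\s*"
    r"vs\.\s*(?P<all_pct>\d+)%\s*\((?P<all_hits>\d+)/(?P<all_total>\d+)\)\s*"
    r"(?P<item>\S.*?)\s*$"
)


@dataclass
class Correlation:
    item: str
    version: Optional[str]
    sig_hits: int
    sig_total: int
    all_hits: int
    all_total: int

    @property
    def lift(self) -> float:
        """Ratio of the item's rate under this signature to its baseline
        rate. Infinite when the item never appears in the baseline."""
        sig_rate = self.sig_hits / self.sig_total
        base_rate = self.all_hits / self.all_total
        return float("inf") if base_rate == 0 else sig_rate / base_rate


def parse_correlation_line(line: str) -> Optional[Correlation]:
    """Parse one correlation line; return None for lines in another format."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    return Correlation(
        item=m.group("item"),
        version=m.group("version"),
        sig_hits=int(m.group("sig_hits")),
        sig_total=int(m.group("sig_total")),
        all_hits=int(m.group("all_hits")),
        all_total=int(m.group("all_total")),
    )


def rank_correlations(lines: List[str], min_sig_hits: int = 10,
                      min_lift: float = 2.0) -> List[Correlation]:
    """Keep items seen in at least min_sig_hits signature reports and
    enriched at least min_lift times over baseline; strongest lift first.
    The minimum hit count guards against a handful of reports producing
    a huge ratio by chance."""
    parsed = [c for c in map(parse_correlation_line, lines) if c is not None]
    kept = [c for c in parsed
            if c.sig_hits >= min_sig_hits and c.lift >= min_lift]
    return sorted(kept, key=lambda c: c.lift, reverse=True)


# Sample input: the 10.0.1 and 10.0.2 figures quoted in this bug, plus one
# unrelated comment line to show that non-matching input is skipped.
SAMPLE_LINES = [
    "     24% (105/433) vs.   0% (106/49762) {1c02736b-82fb-4096-8c46-2eac570216d3} (SetiTagila Toolbar)",
    "     18% (79/433) vs.   1% (387/49762) adblockpopups@jessehakanen.net",
    "     18% (78/433) vs.   1% (303/49762) SkipScreen@SkipScreen (SkipScreen, https://addons.mozilla.org/addon/11243)",
    "     18% (80/433) vs.   1% (682/49762) elemhidehelper@adblockplus.org (Adblock Plus: Element Hiding Helper, https://addons.mozilla.org/addon/4364)",
    "     17% (75/433) vs.   0% (164/49762) fastdial@telega.phpnet.us (Fast Dial, https://addons.mozilla.org/addon/5721)",
    "     17% (74/433) vs.   1% (280/49762) vk@sergeykolosov.mp (VKontakte.ru Downloader)",
    "64% (174/270) vs.  13% (4401/34630) RadioWMPCoreGecko10.dll",
    "Blocks: 730703",
]

if __name__ == "__main__":
    for c in rank_correlations(SAMPLE_LINES):
        print(f"{c.lift:7.1f}x  {c.sig_hits:4d}/{c.sig_total:<6d} {c.item}")
```

Note that the rounded percentages in the report (0% vs 0%) hide the signal entirely; the raw counts are what make the ranking possible, so keep them when pasting correlation data into a bug.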
There's a spike in crashes starting from 16.0a1/20120606 making it #3 top crasher in this build. The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a7a905fd70d5&tochange=6338a8988917
Crash Signature: [@ js::types::TypeSet::hasType(js::types::Type) ] → [@ js::types::TypeSet::hasType(js::types::Type)] [@ js::types::TypeSet::hasType]
It's easy to reproduce when browsing http://apina.biz/75302 (NSFW!) with a very recent Nightly for example. Or so I heard ;-)
The first bad revision is:
changeset:   95790:b863ef9946b8
user:        Luke Wagner <luke@mozilla.com>
date:        Thu Feb 23 13:59:10 2012 -0800
summary:     Bug 659577 - Don't alias stack variables (r=bhackett)
Blocks: 659577
Thanks for finding STR! This is a simple bug with a simple fix, but the conditions to catch it unfortunately require a browser, GC, and the arguments object, so it went undetected.
This patch just tweaks GC so that shell testing can reproduce this bug.  This should improve fuzzing coverage.  (Putting in a separate patch for bisection of any bugs this uncovers.)
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #631462 - Flags: review?(wmccloskey)
This broke with bug 659577 because, before that patch, no ensureTypes was needed because the script had a live stack frame which would necessarily ensure it had types.
Attachment #631467 - Flags: review?(wmccloskey)
Attachment #631462 - Flags: review?(wmccloskey) → review+
Attachment #631467 - Flags: review?(wmccloskey) → review+
https://hg.mozilla.org/mozilla-central/rev/6cbb5b6e3da2
https://hg.mozilla.org/mozilla-central/rev/7d68b45776ff
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla16
