Bug 744986
Opened 12 years ago
Closed 11 years ago
Crash in js_AtomizeChars
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
WORKSFORME
People
(Reporter: scoobidiver, Unassigned)
Details
(Keywords: crash, regression, Whiteboard: [native-crash][startupcrash])
Crash Data
It first appeared in 14.0a1/20120330. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1965a2c89d61&tochange=92fe907ddac8

It's less frequent after 14.0a1/20120402.

Signature js_AtomizeChars(JSContext*, wchar_t const*, unsigned __int64, js::InternBehavior)
UUID d7491098-fac7-43ca-b6ba-42be72120411
Date Processed 2012-04-11 08:32:35
Uptime 0
Last Crash 3 seconds before submission
Install Age 5.6 hours since version was first installed.
Install Time 2012-04-11 02:56:31
Product Firefox
Version 14.0a1
Build ID 20120410075652
Release Channel nightly
OS Windows NT
OS Version 6.1.7601 Service Pack 1
Build Architecture amd64
Build Architecture Info family 6 model 37 stepping 5
Crash Reason EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 0x848f000
App Notes AdapterVendorID: 0x10de, AdapterDeviceID: 0x0ca3, AdapterSubsysID: 00000000, AdapterDriverVersion: 8.17.12.9573 D2D? D2D+ DWrite? DWrite+
EMCheckCompatibility True
Total Virtual Memory 8796092891136
Available Virtual Memory 8795821010944
System Memory Use Percentage 18
Available Page File 23664754688
Available Physical Memory 6881722368

Frame Module Signature Source
0 xul.dll js_AtomizeChars js/src/jsatom.cpp:459
1 xul.dll js::XDRAtom<1> js/src/jsatom.cpp:685
2 xul.dll js::XDRScript<1> js/src/jsscript.cpp:679

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js_AtomizeChars%28JSContext*%2C+wchar_t+const*%2C+unsigned+__int64%2C+js%3A%3AInternBehavior%29
Reporter
Comment 1•12 years ago
I found the related 32-bit crash signature that has stopped spiking after 14.0a1/20120402: https://crash-stats.mozilla.com/report/list?signature=js%3A%3Adetail%3A%3AHashTable%3Cjs%3A%3AAtomStateEntry+const%2C+js%3A%3AHashSet%3Cjs%3A%3AAtomStateEntry%2C+js%3A%3AAtomHasher%2C+js%3A%3ASystemAllocPolicy%3E%3A%3ASetOps%2C+js%3A%3ASystemAllocPolicy%3E%3A%3AlookupForAdd%28js%3A%3AAtomHasher%3A%3ALookup+const%26%29
Crash Signature: [@ js_AtomizeChars(JSContext*, wchar_t const*, unsigned __int64, js::InternBehavior)] → [@ js_AtomizeChars(JSContext*, wchar_t const*, unsigned __int64, js::InternBehavior)]
[@ js::detail::HashTable<js::AtomStateEntry const, js::HashSet<js::AtomStateEntry, js::AtomHasher, js::SystemAllocPolicy>::SetOps js::SystemAllocPolicy>::lookupForAdd(j…
Hardware: x86_64 → All
Summary: 64-bit crash in js_AtomizeChars → Crash in js_AtomizeChars
Comment 2•12 years ago
This crash seems not to be too common any more. Is that correct? Initial investigation: It's crashing because js::XDRAtom<1> tries to atomize a bad char array. This ultimately crashes when a hash table tries to hash the chars. It looks like XDR is reading outside of its buffer. Not sure if that would be because of OOM or because of a malformed XDR file. Many of these are on startup, which makes me lean toward the latter, but it's kind of weak evidence.
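The failure mode suggested in comment 2 (a length taken from a malformed file sends the decoder past the end of its buffer), as an added example that is not part of the bug thread and is not SpiderMonkey code: a bounds-checked decoder for a length-prefixed UTF-16 string. The record layout, `Reader`, `decodeAtomChars` and the sample records are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical cursor over a serialized buffer (not SpiderMonkey's XDRState).
struct Reader {
    const uint8_t* cur;
    const uint8_t* end;
    size_t remaining() const { return static_cast<size_t>(end - cur); }
};

// Read a little-endian u32, failing instead of reading past `end`.
static bool readU32(Reader& r, uint32_t* out) {
    if (r.remaining() < 4) return false;
    *out = uint32_t(r.cur[0]) | (uint32_t(r.cur[1]) << 8) |
           (uint32_t(r.cur[2]) << 16) | (uint32_t(r.cur[3]) << 24);
    r.cur += 4;
    return true;
}

// Decode one string. Assumed layout: u32 count of 16-bit units, then the
// units, little-endian. The count comes from the file, so it is checked
// against the bytes actually left before any character is touched.
bool decodeAtomChars(Reader& r, std::u16string* out) {
    uint32_t nchars;
    if (!readU32(r, &nchars)) return false;
    // Divide instead of multiplying so a huge count cannot overflow.
    if (nchars > r.remaining() / 2) return false;
    out->clear();
    out->reserve(nchars);
    for (uint32_t i = 0; i < nchars; i++) {
        out->push_back(char16_t(r.cur[0] | (r.cur[1] << 8)));
        r.cur += 2;
    }
    return true;  // every unit handed to a hasher came from inside the buffer
}

// Constructed sample inputs: a well-formed record, and one whose length
// field claims far more characters than the buffer holds.
std::vector<uint8_t> goodRecord() { return {2, 0, 0, 0, 'h', 0, 'i', 0}; }
std::vector<uint8_t> badRecord() { return {0xff, 0xff, 0xff, 0x7f, 'h', 0}; }

bool decodes(const std::vector<uint8_t>& buf) {
    Reader r{buf.data(), buf.data() + buf.size()};
    std::u16string chars;
    return decodeAtomChars(r, &chars);
}
```

Without the `nchars > r.remaining() / 2` check, the corrupted record would make the loop read past `end`, which is the kind of read access violation seen in this crash signature when the characters are hashed.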
Reporter
Comment 3•12 years ago
Is bp-c9b21de5-63a2-40ad-a6cd-e73b12120426 on FennecAndroid related to this bug?
Comment 4•12 years ago
(In reply to Scoobidiver from comment #3)
> Is bp-c9b21de5-63a2-40ad-a6cd-e73b12120426 on FennecAndroid related to
> this bug?

Looks like it probably is the same bug.
Reporter
Updated•12 years ago
Crash Signature: js::SystemAllocPolicy>::lookupForAdd(js::AtomHasher::Lookup const&)] → js::SystemAllocPolicy>::lookupForAdd(js::AtomHasher::Lookup const&)]
[@ js::XDRAtom<(js::XDRMode)1u>]
Whiteboard: [startupcrash] → [native-crash][startupcrash]
Reporter
Comment 5•11 years ago
There have been no crashes for the last four weeks after 18.0.2.
Status: NEW → RESOLVED
Crash Signature: [@ js_AtomizeChars(JSContext*, wchar_t const*, unsigned __int64, js::InternBehavior)]
[@ js::detail::HashTable<js::AtomStateEntry const, js::HashSet<js::AtomStateEntry, js::AtomHasher, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::lookupForAdd(… → [@ js_AtomizeChars(JSContext*, wchar_t const*, unsigned __int64, js::InternBehavior)]
[@ js_AtomizeChars(JSContext*, wchar_t const*, unsigned int, js::InternBehavior) ]
[@ js_AtomizeChars ]
[@ js::detail::HashTable<js::AtomStateEntry const, js::HashSet…
Closed: 11 years ago
Resolution: --- → WORKSFORME