Closed Bug 744986 Opened 12 years ago Closed 11 years ago

Crash in js_AtomizeChars

Categories

(Core :: JavaScript Engine, defect)

14 Branch
All
Windows 7
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: scoobidiver, Unassigned)

Details

(Keywords: crash, regression, Whiteboard: [native-crash][startupcrash])

Crash Data

It first appeared in 14.0a1/20120330. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1965a2c89d61&tochange=92fe907ddac8
It's less frequent after 14.0a1/20120402.

Signature 	js_AtomizeChars(JSContext*, wchar_t const*, unsigned __int64, js::InternBehavior)
UUID	d7491098-fac7-43ca-b6ba-42be72120411
Date Processed	2012-04-11 08:32:35
Uptime	0
Last Crash	3 seconds before submission
Install Age	5.6 hours since version was first installed.
Install Time	2012-04-11 02:56:31
Product	Firefox
Version	14.0a1
Build ID	20120410075652
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	amd64
Build Architecture Info	family 6 model 37 stepping 5
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x848f000
App Notes 	
AdapterVendorID: 0x10de, AdapterDeviceID: 0x0ca3, AdapterSubsysID: 00000000, AdapterDriverVersion: 8.17.12.9573
D2D? D2D+ DWrite? DWrite+ 
EMCheckCompatibility	True	
Total Virtual Memory	8796092891136
Available Virtual Memory	8795821010944
System Memory Use Percentage	18
Available Page File	23664754688
Available Physical Memory	6881722368

Frame 	Module 	Signature 	Source
0 	xul.dll 	js_AtomizeChars 	js/src/jsatom.cpp:459
1 	xul.dll 	js::XDRAtom<1> 	js/src/jsatom.cpp:685
2 	xul.dll 	js::XDRScript<1> 	js/src/jsscript.cpp:679

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js_AtomizeChars%28JSContext*%2C+wchar_t+const*%2C+unsigned+__int64%2C+js%3A%3AInternBehavior%29
I found the related 32-bit crash signature that has stopped spiking after 14.0a1/20120402:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Adetail%3A%3AHashTable%3Cjs%3A%3AAtomStateEntry+const%2C+js%3A%3AHashSet%3Cjs%3A%3AAtomStateEntry%2C+js%3A%3AAtomHasher%2C+js%3A%3ASystemAllocPolicy%3E%3A%3ASetOps%2C+js%3A%3ASystemAllocPolicy%3E%3A%3AlookupForAdd%28js%3A%3AAtomHasher%3A%3ALookup+const%26%29
Crash Signature: [@ js_AtomizeChars(JSContext*, wchar_t const*, unsigned __int64, js::InternBehavior)] → [@ js_AtomizeChars(JSContext*, wchar_t const*, unsigned __int64, js::InternBehavior)] [@ js::detail::HashTable<js::AtomStateEntry const, js::HashSet<js::AtomStateEntry, js::AtomHasher, js::SystemAllocPolicy>::SetOps js::SystemAllocPolicy>::lookupForAdd(j…
Hardware: x86_64 → All
Summary: 64-bit crash in js_AtomizeChars → Crash in js_AtomizeChars
This crash seems not to be too common any more. Is that correct?

Initial investigation: It's crashing because js::XDRAtom<1> tries to atomize a bad char array. This ultimately crashes when a hash table tries to hash the chars. It looks like XDR is reading outside of its buffer. Not sure if that would be because of OOM or because of a malformed XDR file. Many of these are on startup, which makes me lean toward the latter, but it's kind of weak evidence.
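To make the failure mode in the investigation above concrete, here is an added example of the bounds check a length-prefixed XDR-style reader needs before it hands a char span to the atomizer. This is illustrative code written for this page, not SpiderMonkey's js::XDRState, js::XDRAtom or js_AtomizeChars; the byte layout (little-endian u32 count, then per-atom u32 char count and UTF-16LE chars), the names xdr_buf/xdr_read_chars/decode_atoms, and both sample buffers are assumptions constructed for the example. It only models the malformed-length case, not the OOM case also mentioned above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical minimal XDR-style reader (example code, not SpiderMonkey's). */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} xdr_buf;

typedef enum { XDR_OK = 0, XDR_TRUNCATED = 1, XDR_BAD_LENGTH = 2 } xdr_status;

static size_t xdr_remaining(const xdr_buf *b) { return b->len - b->pos; }

/* Read a little-endian uint32, refusing to read past the end of the buffer. */
static xdr_status xdr_read_u32(xdr_buf *b, uint32_t *out) {
    if (xdr_remaining(b) < 4) return XDR_TRUNCATED;
    const uint8_t *p = b->data + b->pos;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    b->pos += 4;
    return XDR_OK;
}

/* Read a length-prefixed array of 16-bit chars. The check is done in units of
 * chars (remaining / 2) so that nchars * 2 cannot overflow. Without this check
 * a malformed length makes the returned span extend past the buffer, and the
 * caller (the atomizer, which hashes every char) reads unmapped memory: the
 * EXCEPTION_ACCESS_VIOLATION_READ in the crash reports above. */
static xdr_status xdr_read_chars(xdr_buf *b, const uint8_t **chars, uint32_t *nchars) {
    uint32_t n;
    xdr_status st = xdr_read_u32(b, &n);
    if (st != XDR_OK) return st;
    if ((size_t)n > xdr_remaining(b) / 2) return XDR_BAD_LENGTH;
    *chars = b->data + b->pos;
    *nchars = n;
    b->pos += (size_t)n * 2;
    return XDR_OK;
}

/* Stand-in for the atomizer's hash: FNV-1a over the raw bytes, so every byte
 * of the span is touched, as a hash-table lookupForAdd would. */
static uint32_t atomize_chars(const uint8_t *chars, uint32_t nchars) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < (size_t)nchars * 2; i++) {
        h ^= chars[i];
        h *= 16777619u;
    }
    return h;
}

/* Decode "count, then count atoms". Returns the number of atoms decoded, or
 * the negated xdr_status (-1 truncated, -2 bad length) on malformed input. */
static int decode_atoms(const uint8_t *data, size_t len) {
    xdr_buf b = { data, len, 0 };
    uint32_t count;
    xdr_status st = xdr_read_u32(&b, &count);
    if (st != XDR_OK) return -(int)st;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *chars;
        uint32_t n;
        st = xdr_read_chars(&b, &chars, &n);
        if (st != XDR_OK) return -(int)st;
        (void)atomize_chars(chars, n);  /* safe: span is inside the buffer */
    }
    return (int)count;
}

/* Constructed sample inputs (not taken from any real XDR file). */
static const uint8_t GOOD_XDR[] = {
    2, 0, 0, 0,                  /* two atoms                       */
    2, 0, 0, 0, 'h', 0, 'i', 0,  /* "hi" as two UTF-16LE chars      */
    1, 0, 0, 0, 'x', 0,          /* "x"                             */
};
static const uint8_t BAD_XDR[] = {
    1, 0, 0, 0,                  /* one atom                        */
    0xff, 0xff, 0xff, 0x7f,      /* claims 0x7fffffff chars remain  */
    'h', 0,                      /* ...but only 2 bytes actually do */
};

int main(void) {
    printf("good: %d atoms\n", decode_atoms(GOOD_XDR, sizeof GOOD_XDR));
    printf("bad:  %d\n", decode_atoms(BAD_XDR, sizeof BAD_XDR));
    return 0;
}
```

Dividing the remaining byte count rather than multiplying the declared char count is the detail that matters: a 32-bit length times two can wrap on a 32-bit build and pass a naive `n * 2 <= remaining` test, which would produce exactly the kind of out-of-buffer span described in the comment above.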
Is bp-c9b21de5-63a2-40ad-a6cd-e73b12120426 on FennecAndroid related to this bug?
(In reply to Scoobidiver from comment #3)
> Is bp-c9b21de5-63a2-40ad-a6cd-e73b12120426 on FennecAndroid related to
> this bug?

Looks like it probably is the same bug.
Crash Signature: js::SystemAllocPolicy>::lookupForAdd(js::AtomHasher::Lookup const&)] → js::SystemAllocPolicy>::lookupForAdd(js::AtomHasher::Lookup const&)] [@ js::XDRAtom<(js::XDRMode)1u>]
Whiteboard: [startupcrash] → [native-crash][startupcrash]
There have been no crashes for the last four weeks after 18.0.2.
Status: NEW → RESOLVED
Crash Signature: [@ js_AtomizeChars(JSContext*, wchar_t const*, unsigned __int64, js::InternBehavior)] [@ js::detail::HashTable<js::AtomStateEntry const, js::HashSet<js::AtomStateEntry, js::AtomHasher, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::lookupForAdd(… → [@ js_AtomizeChars(JSContext*, wchar_t const*, unsigned __int64, js::InternBehavior)] [@ js_AtomizeChars(JSContext*, wchar_t const*, unsigned int, js::InternBehavior) ] [@ js_AtomizeChars ] [@ js::detail::HashTable<js::AtomStateEntry const, js::HashSet…
Closed: 11 years ago
Resolution: --- → WORKSFORME