Bug 1260198
Opened 8 years ago
Closed 8 years ago
crash in js::CopyStringChars and many other JS string functions
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED

| | Tracking | Status |
|---|---|---|
| firefox48 | --- | fixed |

People: Reporter: semtex2, Assigned: jonco
Keywords: crash, regression, topcrash
Attachments: 1 file (patch, 974 bytes; terrence: review+)
This bug was filed from the Socorro interface and is report bp-2f9d2515-3e98-4151-bc30-709a32160328.

I have seen quite a few of these crashes in the last few days, too randomly to provide STR, but it looks like I'm not alone with this: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=js%3A%3ACopyStringChars

I'm not sure if this is not triggered by OneDrive. Needs future observation.
Component: General → JavaScript Engine
Product: Firefox → Core
The topcrash list is full of JS string-related crashes, of which this is one. Some of them started a few days ago, and some just today. http://dbaron.org/mozilla/crashes-by-build may have useful links.
(The older ones started in the nightly of March 24.)
Comment 3•8 years ago
Most likely a regression from bug 1258453.
Updated•8 years ago
status-firefox48:
--- → ?
Keywords: regression
Updated•8 years ago
Summary: crash in js::CopyStringChars → crash in js::CopyStringChars and many other JS string functions
This appears to be the top 7 topcrashes on nightly, or 20% of all of our crashes. Can we back out bug 1258453?
Flags: needinfo?(terrence)
Flags: needinfo?(jcoppeard)
And the 8th, 10th, 12th, 13th ...
Comment 6•8 years ago (Assignee)
I haven't been able to reproduce this exact crash, but did find one problem - we aren't clearing the xpconnect string cache when we move strings. Here's a patch for that.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8736346 - Flags: review?(terrence)
Updated•8 years ago
Attachment #8736346 - Flags: review?(terrence) → review+
Updated•8 years ago (Assignee)
Keywords: leave-open
Comment 8•8 years ago (Assignee)
Based on crash stats for the last few days, nightlies from the 29th onwards are seeing only a handful of crashes now for js::CopyStringChars, JSRope::flatten, JSFlatString::isIndex and mozilla::dom::ConvertJSValueToString<T>. This is thanks to Terrence's patch in bug 1259490.
Comment 9•8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/e45ba191b66a
Comment 14•8 years ago
AFAICT, the trunk crash spike appears to have disappeared as of 31-March. Is there anything left to do here?
Comment 16•8 years ago (Assignee)
The patch in bug 1259490 and the one here seem to have fixed this, so I'm resolving this bug.
Comment 24•8 years ago
Looks like we can call this FIXED in 48, given that we believe that bug 1259490 fixed this, and it was fixed in 48.
Comment 25•7 years ago
Not fixed, still crashing. Firefox 49.0 Crash Report [@ js::DispatchTyped<T> ]
https://crash-stats.mozilla.com/report/index/65a790d1-d140-45ac-8486-925a42170213

Frame | Module | Signature | Source |
---|---|---|---|
0 | xul.dll | js::DispatchTyped<TraverseEdgeFunctor<jsid, js::ObjectGroup*>, js::GCMarker* const, js::ObjectGroup*&>(TraverseEdgeFunctor<jsid, js::ObjectGroup*>, jsid&, js::GCMarker* const&&, js::ObjectGroup*&) | obj-firefox/dist/include/js/Id.h:210 |
1 | xul.dll | js::GCMarker::lazilyMarkChildren(js::ObjectGroup*) | js/src/gc/Marking.cpp:1225 |
2 | xul.dll | js::GCMarker::processMarkStackTop(js::SliceBudget&) | js/src/gc/Marking.cpp:1451 |
3 | xul.dll | js::GCMarker::drainMarkStack(js::SliceBudget&) | js/src/gc/Marking.cpp:1353 |
4 | xul.dll | js::gc::GCRuntime::drainMarkStack(js::SliceBudget&, js::gcstats::Phase) | js/src/jsgc.cpp:5265 |
5 | xul.dll | js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason, js::AutoLockForExclusiveAccess&) | js/src/jsgc.cpp:5929 |
6 | xul.dll | js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) | js/src/jsgc.cpp:6190 |
7 | xul.dll | js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) | js/src/jsgc.cpp:6298 |
Comment 26•6 years ago
Removing leave-open keyword from resolved bugs, per :sylvestre.
Keywords: leave-open