Closed Bug 1260198 Opened 8 years ago Closed 8 years ago

crash in js::CopyStringChars and many other JS string functions

Categories

(Core :: JavaScript Engine, defect)

48 Branch
x86_64
All
defect
Not set
critical

Tracking


RESOLVED FIXED
Tracking Status
firefox48 --- fixed

People

(Reporter: semtex2, Assigned: jonco)

References

Details

(Keywords: crash, regression, topcrash)

Crash Data

Attachments

(1 file)

This bug was filed from the Socorro interface and is report bp-2f9d2515-3e98-4151-bc30-709a32160328.
=============================================================
I have seen quite a few of these crashes in the last few days, too random to provide STR, but it looks like I'm not alone with this: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=js%3A%3ACopyStringChars

I'm not sure whether this is triggered by OneDrive; it needs further observation.
Component: General → JavaScript Engine
Product: Firefox → Core
The topcrash list is full of JS string-related crashes, of which this is one.  Some of them started a few days ago, and some just today.

http://dbaron.org/mozilla/crashes-by-build may have useful links.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, topcrash
(The older ones started in the nightly of March 24.)
Most likely a regression from bug 1258453.
Depends on: 1258453
Summary: crash in js::CopyStringChars → crash in js::CopyStringChars and many other JS string functions
Blocks: 1258453
No longer depends on: 1258453
This appears to be the top 7 topcrashes on nightly, or 20% of all of our crashes.  Can we back out bug 1258453?
Flags: needinfo?(terrence)
Flags: needinfo?(jcoppeard)
And the 8th, 10th, 12th, 13th ...
I haven't been able to reproduce this exact crash, but did find one problem: we aren't clearing the xpconnect string cache when we move strings. Here's a patch for that.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8736346 - Flags: review?(terrence)
Attachment #8736346 - Flags: review?(terrence) → review+
Keywords: leave-open
Based on crash stats for the last few days, nightlies from the 29th onwards are seeing only a handful of crashes now for js::CopyStringChars, JSRope::flatten, JSFlatString::isIndex and mozilla::dom::ConvertJSValueToString<T>.  This is thanks to Terrence's patch in bug 1259490.
See Also: → 1260778
See Also: → 1260786
See Also: → 1260610
See Also: → 1260683
See Also: → 1261646
AFAICT, the trunk crash spike appears to have disappeared as of 31-March. Is there anything left to do here?
See Also: → 1260757
The patch in bug 1259490 and the one here seem to have fixed this, so I'm resolving this bug.
Status: NEW → RESOLVED
Closed: 8 years ago
Depends on: 1259490
Resolution: --- → FIXED
Clearing ni.
Flags: needinfo?(terrence)
Looks like we can call this FIXED in 48, given that we believe that bug 1259490 fixed this, and it was fixed in 48.
Not fixed, still crashing.

Firefox 49.0 Crash Report [@ js::DispatchTyped<T> ]

https://crash-stats.mozilla.com/report/index/65a790d1-d140-45ac-8486-925a42170213

Frame 	Module 	Signature 	Source
0 	xul.dll 	js::DispatchTyped<TraverseEdgeFunctor<jsid, js::ObjectGroup*>, js::GCMarker* const, js::ObjectGroup*&>(TraverseEdgeFunctor<jsid, js::ObjectGroup*>, jsid&, js::GCMarker* const&&, js::ObjectGroup*&) 	obj-firefox/dist/include/js/Id.h:210
1 	xul.dll 	js::GCMarker::lazilyMarkChildren(js::ObjectGroup*) 	js/src/gc/Marking.cpp:1225
2 	xul.dll 	js::GCMarker::processMarkStackTop(js::SliceBudget&) 	js/src/gc/Marking.cpp:1451
3 	xul.dll 	js::GCMarker::drainMarkStack(js::SliceBudget&) 	js/src/gc/Marking.cpp:1353
4 	xul.dll 	js::gc::GCRuntime::drainMarkStack(js::SliceBudget&, js::gcstats::Phase) 	js/src/jsgc.cpp:5265
5 	xul.dll 	js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason, js::AutoLockForExclusiveAccess&) 	js/src/jsgc.cpp:5929
6 	xul.dll 	js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) 	js/src/jsgc.cpp:6190
7 	xul.dll 	js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) 	js/src/jsgc.cpp:6298
Removing leave-open keyword from resolved bugs, per :sylvestre.
Keywords: leave-open