Closed Bug 1260610 Opened 10 years ago Closed 6 years ago

crash in void js::PreBarrierFunctor<T>::operator()<T>

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
48 Branch
Platform:
Unspecified
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox47 --- unaffected
firefox48 - wontfix
firefox49 --- ?
firefox50 --- ?

People

(Reporter: u279076, Unassigned)

References

Details

(Keywords: crash, regression)

Crash Data

This bug was filed from the Socorro interface and is report bp-56cb591b-dcfa-4edc-81ef-b4d652160329. ============================================================= 0 XUL void js::PreBarrierFunctor<JS::Value>::operator()<JSString>(JSString*) js/public/HeapAPI.h 1 XUL js::HeapSlot::set(js::NativeObject*, js::HeapSlot::Kind, unsigned int, JS::Value const&) js/public/Value.h 2 XUL NativeSetExistingDataProperty js/src/vm/NativeObject.h 3 XUL js::NativeSetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::QualifiedBool, JS::ObjectOpResult&) js/src/vm/NativeObject.cpp 4 XUL js::SetObjectElement(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, bool, JS::Handle<JSScript*>, unsigned char*) js/src/vm/NativeObject.h 5 XUL js::jit::DoSetElemFallback js/src/jit/BaselineIC.cpp 6 @0x10a5f2c69 7 @0x10a5ee84e 8 XUL EnterBaseline js/src/jit/BaselineJIT.cpp 9 XUL js::jit::EnterBaselineMethod(JSContext*, js::RunState&) js/src/jit/BaselineJIT.cpp 10 XUL js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp 11 XUL js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp 12 XUL js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp 13 XUL js::jit::DoCallFallback js/src/jit/BaselineIC.cpp 14 @0x10a5f273f 15 @0x116c50137 16 @0x10a5ee84e 17 XUL EnterBaseline js/src/jit/BaselineJIT.cpp 18 XUL js::jit::EnterBaselineMethod(JSContext*, js::RunState&) js/src/jit/BaselineJIT.cpp 19 XUL Interpret js/src/vm/Interpreter.cpp 20 XUL js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp 21 XUL js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp 22 XUL js::fun_apply(JSContext*, unsigned int, JS::Value*) js/src/jsfun.cpp 23 XUL js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/jscntxtinlines.h 24 XUL Interpret js/src/vm/Interpreter.cpp 25 XUL js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp 26 XUL js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp 27 XUL js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp 28 XUL js::jit::DoCallFallback js/src/jit/BaselineIC.cpp 29 @0x10a5f273f 30 @0x11347d3c7 31 @0x10a5ee84e 32 XUL EnterBaseline js/src/jit/BaselineJIT.cpp 33 XUL js::jit::EnterBaselineMethod(JSContext*, js::RunState&) js/src/jit/BaselineJIT.cpp 34 XUL Interpret js/src/vm/Interpreter.cpp 35 XUL js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp 36 XUL js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp 37 XUL js::fun_apply(JSContext*, unsigned int, JS::Value*) js/src/jsfun.cpp 38 XUL js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/jscntxtinlines.h 39 XUL Interpret js/src/vm/Interpreter.cpp 40 XUL js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp 41 XUL js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp 42 XUL js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp 43 XUL JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) js/src/jsapi.cpp 44 XUL mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) obj-firefox/x86_64/dom/bindings/FunctionBinding.cpp 45 XUL nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) obj-firefox/x86_64/dist/include/mozilla/dom/FunctionBinding.h 46 XUL nsGlobalWindow::RunTimeout(nsTimeout*) dom/base/nsGlobalWindow.cpp 47 XUL nsGlobalWindow::TimerCallback(nsITimer*, void*) dom/base/nsGlobalWindow.cpp 48 XUL nsTimerImpl::Fire() xpcom/threads/nsTimerImpl.cpp 49 XUL nsTimerEvent::Run() xpcom/threads/TimerThread.cpp 50 XUL nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp 51 XUL NS_ProcessPendingEvents(nsIThread*, unsigned int) xpcom/glue/nsThreadUtils.cpp 52 XUL nsBaseAppShell::NativeEventCallback() widget/nsBaseAppShell.cpp 53 XUL nsAppShell::ProcessGeckoEvents(void*) widget/cocoa/nsAppShell.mm Ø 54 CoreFoundation CoreFoundation@0x7e5c0 Ø 55 CoreFoundation CoreFoundation@0x7041b Ø 56 CoreFoundation CoreFoundation@0x6f93e Ø 57 CoreFoundation CoreFoundation@0x6f337 Ø 58 HIToolbox HIToolbox@0x30934 Ø 59 HIToolbox HIToolbox@0x3076e Ø 60 HIToolbox HIToolbox@0x305ae Ø 61 AppKit AppKit@0x8a0ed Ø 62 AppKit AppKit@0x456942 63 XUL -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] widget/cocoa/nsAppShell.mm Ø 64 AppKit AppKit@0x7ffc7 65 XUL nsAppShell::Run() widget/cocoa/nsAppShell.mm 66 XUL XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp 67 XUL MessageLoop::Run() ipc/chromium/src/base/message_loop.cc 68 XUL XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp 69 plugin-container content_process_main(int, char**) ipc/contentproc/plugin-container.cpp 70 plugin-container start ============================================================= More reports: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=void+js%3A%3APreBarrierFunctor%3CT%3E%3A%3Aoperator%28%29%3CT%3E Got this crash today. I had two tabs open for the last couple days. My computer was idle all day and I saw the tab had crashed when I returned home from work. I have not reproduced the crash as of yet. Other reports seem to point this at Firefox Nightly 48.0a1 20160325083832 although there are a couple of crashes with earlier builds (44/45 releases) but nothing in between. Assuming the 48.0a1 crashes are a separate issue this might be a regression. Just in case, here is the pushlog for the March 25th build (interesting that the only change is a backout due to a Mac-only stability issue): https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b942c98f56c4c2926b8b81b98425072a091bbf7b&tochange=d5f3da0cfe7ccf846c354014c9b059fad6ba0de5
[Tracking Requested - why for this release]: just because it's a stability regression. Mark, since you're involved in bug 1259245 (the only bug in the range above), do you have any insight as to what might be the cause of this crash? Thanks
tracking-firefox48: --- → ?
Flags: needinfo?(standard8)
There were two nightly builds for Mac (and maybe other platforms) on 25th March - 20160325030241 and 20160325083832. Crash stats shows only the second id. That puts the regression range at: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b942c98f56c4c2926b8b81b98425072a091bbf7b&tochange=b2dbee5ca727e87bdaeab9ab60fb83df2a9846a2 and there's a few potential js patches landed in there. FWIW, I've also been seeing this on Mac - approx 3 times yesterday. I've probably had around 30 tabs open (though not all of them have always been loaded due to previous crash), and they've crashed when FF has been idle or I've been doing something simple (though that's may/may not be related).
Flags: needinfo?(standard8)
This is probably more fallout from landing bug 1258453.
See Also: → 1260198
Note, I just filed bug 1261646 for another crash (different signature) within the same range. It might be related.
Tracking and marking this as blocking bug 1258453. It seems to be a very low volume crash though.
Blocks: 1258453
tracking-firefox48: ?+
No crashes in beta, only one or two crashes on other channels over the last 2 weeks. I don't think we need to track this. Naveed does someone on your team want to investigate?
Flags: needinfo?(nihsanullah)
Version: unspecified → 48 Branch
@Jon: Crash volume on this is low. Should we decrease its importance or are you still actively working on it?
Assignee: nobody → jcoppeard
Flags: needinfo?(nihsanullah) → needinfo?(jcoppeard)
I'm not working on this any more. Seems very low volume so probably not worth spending time on at the moment.
Assignee: jcoppeard → nobody
Flags: needinfo?(jcoppeard)

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.