Closed Bug 1260610 Opened 8 years ago Closed 5 years ago

crash in void js::PreBarrierFunctor<T>::operator()<T>

Categories

(Core :: JavaScript Engine, defect)

48 Branch
Unspecified
macOS
defect
Not set
critical

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox47 --- unaffected
firefox48 - wontfix
firefox49 --- ?
firefox50 --- ?

People

(Reporter: u279076, Unassigned)

Details

(Keywords: crash, regression)

Crash Data

This bug was filed from the Socorro interface and is report bp-56cb591b-dcfa-4edc-81ef-b4d652160329.
=============================================================
0 	XUL 	void js::PreBarrierFunctor<JS::Value>::operator()<JSString>(JSString*) 	js/public/HeapAPI.h
1 	XUL 	js::HeapSlot::set(js::NativeObject*, js::HeapSlot::Kind, unsigned int, JS::Value const&) 	js/public/Value.h
2 	XUL 	NativeSetExistingDataProperty 	js/src/vm/NativeObject.h
3 	XUL 	js::NativeSetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::QualifiedBool, JS::ObjectOpResult&) 	js/src/vm/NativeObject.cpp
4 	XUL 	js::SetObjectElement(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, bool, JS::Handle<JSScript*>, unsigned char*) 	js/src/vm/NativeObject.h
5 	XUL 	js::jit::DoSetElemFallback 	js/src/jit/BaselineIC.cpp
6 		@0x10a5f2c69 	
7 		@0x10a5ee84e 	
8 	XUL 	EnterBaseline 	js/src/jit/BaselineJIT.cpp
9 	XUL 	js::jit::EnterBaselineMethod(JSContext*, js::RunState&) 	js/src/jit/BaselineJIT.cpp
10 	XUL 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
11 	XUL 	js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
12 	XUL 	js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
13 	XUL 	js::jit::DoCallFallback 	js/src/jit/BaselineIC.cpp
14 		@0x10a5f273f 	
15 		@0x116c50137 	
16 		@0x10a5ee84e 	
17 	XUL 	EnterBaseline 	js/src/jit/BaselineJIT.cpp
18 	XUL 	js::jit::EnterBaselineMethod(JSContext*, js::RunState&) 	js/src/jit/BaselineJIT.cpp
19 	XUL 	Interpret 	js/src/vm/Interpreter.cpp
20 	XUL 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
21 	XUL 	js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
22 	XUL 	js::fun_apply(JSContext*, unsigned int, JS::Value*) 	js/src/jsfun.cpp
23 	XUL 	js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	js/src/jscntxtinlines.h
24 	XUL 	Interpret 	js/src/vm/Interpreter.cpp
25 	XUL 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
26 	XUL 	js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
27 	XUL 	js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
28 	XUL 	js::jit::DoCallFallback 	js/src/jit/BaselineIC.cpp
29 		@0x10a5f273f 	
30 		@0x11347d3c7 	
31 		@0x10a5ee84e 	
32 	XUL 	EnterBaseline 	js/src/jit/BaselineJIT.cpp
33 	XUL 	js::jit::EnterBaselineMethod(JSContext*, js::RunState&) 	js/src/jit/BaselineJIT.cpp
34 	XUL 	Interpret 	js/src/vm/Interpreter.cpp
35 	XUL 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
36 	XUL 	js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
37 	XUL 	js::fun_apply(JSContext*, unsigned int, JS::Value*) 	js/src/jsfun.cpp
38 	XUL 	js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	js/src/jscntxtinlines.h
39 	XUL 	Interpret 	js/src/vm/Interpreter.cpp
40 	XUL 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
41 	XUL 	js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
42 	XUL 	js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
43 	XUL 	JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) 	js/src/jsapi.cpp
44 	XUL 	mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) 	obj-firefox/x86_64/dom/bindings/FunctionBinding.cpp
45 	XUL 	nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) 	obj-firefox/x86_64/dist/include/mozilla/dom/FunctionBinding.h
46 	XUL 	nsGlobalWindow::RunTimeout(nsTimeout*) 	dom/base/nsGlobalWindow.cpp
47 	XUL 	nsGlobalWindow::TimerCallback(nsITimer*, void*) 	dom/base/nsGlobalWindow.cpp
48 	XUL 	nsTimerImpl::Fire() 	xpcom/threads/nsTimerImpl.cpp
49 	XUL 	nsTimerEvent::Run() 	xpcom/threads/TimerThread.cpp
50 	XUL 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
51 	XUL 	NS_ProcessPendingEvents(nsIThread*, unsigned int) 	xpcom/glue/nsThreadUtils.cpp
52 	XUL 	nsBaseAppShell::NativeEventCallback() 	widget/nsBaseAppShell.cpp
53 	XUL 	nsAppShell::ProcessGeckoEvents(void*) 	widget/cocoa/nsAppShell.mm
Ø 54 	CoreFoundation 	CoreFoundation@0x7e5c0 	
Ø 55 	CoreFoundation 	CoreFoundation@0x7041b 	
Ø 56 	CoreFoundation 	CoreFoundation@0x6f93e 	
Ø 57 	CoreFoundation 	CoreFoundation@0x6f337 	
Ø 58 	HIToolbox 	HIToolbox@0x30934 	
Ø 59 	HIToolbox 	HIToolbox@0x3076e 	
Ø 60 	HIToolbox 	HIToolbox@0x305ae 	
Ø 61 	AppKit 	AppKit@0x8a0ed 	
Ø 62 	AppKit 	AppKit@0x456942 	
63 	XUL 	-[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] 	widget/cocoa/nsAppShell.mm
Ø 64 	AppKit 	AppKit@0x7ffc7 	
65 	XUL 	nsAppShell::Run() 	widget/cocoa/nsAppShell.mm
66 	XUL 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp
67 	XUL 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
68 	XUL 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp
69 	plugin-container 	content_process_main(int, char**) 	ipc/contentproc/plugin-container.cpp
70 	plugin-container 	start 	
=============================================================
More reports: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=void+js%3A%3APreBarrierFunctor%3CT%3E%3A%3Aoperator%28%29%3CT%3E

Got this crash today. I had two tabs open for the last couple days. My computer was idle all day and I saw the tab had crashed when I returned home from work. I have not reproduced the crash as of yet.

Other reports seem to point this at Firefox Nightly 48.0a1 20160325083832 although there are a couple of crashes with earlier builds (44/45 releases) but nothing in between. Assuming the 48.0a1 crashes are a separate issue this might be a regression.

Just in case, here is the pushlog for the March 25th build (interesting that the only change is a backout due to a Mac-only stability issue):
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b942c98f56c4c2926b8b81b98425072a091bbf7b&tochange=d5f3da0cfe7ccf846c354014c9b059fad6ba0de5

[Tracking Requested - why for this release]: just because it's a stability regression.

Mark, since you're involved in bug 1259245 (the only bug in the range above), do you have any insight as to what might be the cause of this crash?

Thanks
Flags: needinfo?(standard8)

There were two nightly builds for Mac (and maybe other platforms) on 25th March - 20160325030241 and 20160325083832. Crash stats shows only the second id.

That puts the regression range at:

https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b942c98f56c4c2926b8b81b98425072a091bbf7b&tochange=b2dbee5ca727e87bdaeab9ab60fb83df2a9846a2

and there's a few potential js patches landed in there.

FWIW, I've also been seeing this on Mac - approx 3 times yesterday. I've probably had around 30 tabs open (though not all of them have always been loaded due to previous crash), and they've crashed when FF has been idle or I've been doing something simple (though that may/may not be related).
Flags: needinfo?(standard8)

This is probably more fallout from landing bug 1258453.
See Also: → 1260198

Note, I just filed bug 1261646 for another crash (different signature) within the same range. It might be related.

Tracking and marking this as blocking bug 1258453. It seems to be a very low volume crash though.

No crashes in beta, only one or two crashes on other channels over the last 2 weeks. I don't think we need to track this.
Naveed does someone on your team want to investigate?
Flags: needinfo?(nihsanullah)
Version: unspecified → 48 Branch

@Jon: Crash volume on this is low. Should we decrease its importance or are you still actively working on it?
Assignee: nobody → jcoppeard
Flags: needinfo?(nihsanullah) → needinfo?(jcoppeard)

I'm not working on this any more. Seems very low volume so probably not worth spending time on at the moment.
Assignee: jcoppeard → nobody
Flags: needinfo?(jcoppeard)

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME