571626 - TM: Crash [@ js::ExecuteTree]

Status: RESOLVED DUPLICATE of bug 584565

(Core :: JavaScript Engine, defect)

Description

[Marcia Knous [:marcia]]

Seen while running : Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a6pre) Gecko/20100611 Minefield/3.7a6pre and reviewing crash stats.

STR:
1. Load the site in the URL. Crash.

https://crash-stats.mozilla.com/report/index/963b5dac-a91d-4502-a326-8e4c92100611

Frame  	Module  	Signature [Expand]  	Source
0 		@0x2baee79 	
1 	mozjs.dll 	js::ExecuteTree 	js/src/jstracer.cpp:6493
2 	mozjs.dll 	js::TraceRecorder::attemptTreeCall 	js/src/jstracer.cpp:5999
3 	mozjs.dll 	js::TraceRecorder::recordLoopEdge 	js/src/jstracer.cpp:5941
4 	mozjs.dll 	js::MonitorLoopEdge 	js/src/jstracer.cpp:6880
5 	mozjs.dll 	js_Interpret 	js/src/jsops.cpp:918
6 	mozjs.dll 	js_Execute 	js/src/jsinterp.cpp:854
7 	mozjs.dll 	JS_EvaluateUCScriptForPrincipals 	js/src/jsapi.cpp:4563
8 	xul.dll 	nsJSContext::EvaluateString 	dom/base/nsJSEnvironment.cpp:1786
9 	xul.dll 	nsScriptLoader::EvaluateScript 	content/base/src/nsScriptLoader.cpp:752
10 	xul.dll 	nsScriptLoader::ProcessRequest 	content/base/src/nsScriptLoader.cpp:665
11 	xul.dll 	nsCOMPtr_base::assign_with_AddRef 	obj-firefox/xpcom/build/nsCOMPtr.cpp:88
12 	xul.dll 	nsScriptLoader::ProcessScriptElement 	content/base/src/nsScriptLoader.cpp:614

Crashes started appearing on 6-09. Will get an exact regression range in a moment.

Comment 1

[Marcia Knous [:marcia]]

Regression window:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a5pre) Gecko/20100606 Minefield/3.7a5pre - works

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a5pre) Gecko/20100607 Minefield/3.7a5pre - crash

Pushlog: http://tinyurl.com/2f3qjjg

Comment 2

[(mostly gone) XtC4UaLL [:xtc4uall]]

on TM branch the regression range is:
http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=8f08ae0b74df&tochange=b3e27c1ee35e
crashes on latest TM branch nightly too.
setting javascript.options.jit.content;false prevents the crashing.

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

I've a 1,000-line-total testcase coming up.

dvander indicates to assume the worst - s-s'ing now.

Comment 4

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: htm testcase - needs second javascript file (sbm2.js) in the same directory

Comment 5

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: sbm2.js

Comment 6

[Jesse Ruderman]

Attachment: 33-line shell testcase

Comment 7

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(In reply to comment #6)
> Created an attachment (id=450827) [details]
> 33-line shell testcase

Seems to be a null dereference, assume [sg:dos] unless otherwise noted:

Program received signal SIGSEGV, Segmentation fault.
0x003efe66 in ?? ()
(gdb) bt
#0  0x003efe66 in ?? ()
#1  0x08163dfd in js::ExecuteTree(JSContext*, js::TreeFragment*, unsigned int&, js::VMSideExit**, js::VMSideExit**) ()
(gdb) x/i $eip
=> 0x3efe66:	mov    (%eax),%ecx
(gdb) x/b $eax
0x0:	Cannot access memory at address 0x0

Comment 8

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   42835:b3e27c1ee35e
user:        Jeff Walden
date:        Wed Jun 02 23:44:24 2010 -0700
summary:     Bug 548671 - Stop using shared-permanent properties "inherited" from the prototype to represent (function(){}).length and [].length.  r=jorendorff

Comment 9

[Jason Orendorff [:jorendorff]]

Awesome work, guys. Here's a 4-line test case:

for (var i = 0; i < 9; i++) {
    var f = function (file) {};
    f.call(this, f.length >= 2);
}

Comment 10

[Jason Orendorff [:jorendorff]]

Attachment: TMFLAGS=full output for test run

Here's the debug spew for the 4-line test case. (windows x64)

Comment 11

[Robert Kaiser]

bug 579551 is about the same signature, and that signature has risen up significantly in recent builds, related to this or something else?

Comment 12

[Robert Sayre]

fixed by Bug 584565