Closed Bug 595912 Opened 14 years ago Closed 14 years ago

Crash [@ js::Shape::removeFree() ]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: scoobidiver, Assigned: brendan)

Details

(Keywords: crash, regression)

Crash Data

Build : Mozilla/5.0 (Windows NT 6.1; rv:2.0b6pre) Gecko/20100912
Firefox/4.0b6pre

This is a new crash signature that was introduced by this build.
It is #14 top crasher for this build.

Signature	js::Shape::removeFree()
UUID	84d03124-03cb-4da6-ab89-ea8e52100912
Time 	2010-09-12 12:16:08.243956
Uptime	11407
Install Age	11490 seconds (3.2 hours) since version was first installed.
Product	Firefox
Version	4.0b6pre
Build ID	20100912041924
Branch	2.0
OS	Windows NT
OS Version	6.1.7600
CPU	x86
CPU Info	GenuineIntel family 6 model 15 stepping 11
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x1564b08c
User Comments	
App Notes 	AdapterVendorID: 1002, AdapterDeviceID: 68b8

Crashing Thread
Frame 	Module 	Signature [Expand] 	Source
0 	xul.dll 	js::Shape::removeFree 	js/src/jsscope.h:429
1 	xul.dll 	js::PropertyTree::sweepShapes 	
2 	xul.dll 	MarkAndSweep 	js/src/jsgc.cpp:2914

The regression range is :
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=73ab2c3c5ad9&tochange=cd3c926a7413
blocking2.0: --- → ?
Any common URLs? A testcase would help a lot.

/be
Got this crash on close of browser - its intermittent does not crash on every close and so far no idea as to STR.  I did have the tbpl page up in active-tab when I closed - but not sure that has anything to do with the crash. 

http://crash-stats.mozilla.com/report/index/273537c1-ceb4-40bc-af52-87c792100913
the shutdown thesis seems to be a good one to pursue.  urls are all over the map.

   1 wyciwyg://0/http://www.kongregate.com/games/Tukkun/anti-idle-the-game
   1 jar:file:///C:/Program%20Files/Minefield/omni.jar!/chrome/toolkit/content/mozapps/extensions/extensions.xul
   1 https://privat24.privatbank.ua/p24/nrest
   1 http://www2.my-firefox.ru/goto/dl/firefox_40b2-ru-win32.html
   1 http://www.youhtc.ru/forum/attachment.php?attachmentid=xxxxxxxx
   1 http://www.webtretho.com/forum/f113/index7.html
   1 http://www.weatheroffice.gc.ca/city/pages/on-143_metric_e.html
   1 http://www.reddit.com/r/sports/comments/dcs44/this_is_how_we_score_touchdowns_in_the_cfl/
   1 http://www.netflix.com/WiPlayer?movieid=xxxxxxxxxxxxxxx
   1 http://www.ika-core.org/ikariam.php
   1 http://www.gomlab.com/ru/GMP_Introduction.html
   1 http://twitter.com/Odieuxconnard
   1 http://sms.t-zones.cz/open.jsp
   1 http://s1.gr.ikariam.com/index.php?view=island&id=xxxxxxxx
   1 http://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-win32/
   1 http://diendan.zing.vn/volam/forumdisplay.php?f=73
   1 http://dantri.com.vn/
   1 http://cygwinports.dotsrc.org/
   1 http://afterthepostrock.com/forum/viewtopic.php?f=23&t=3517


Correlation to startup or time of session
20 total crashes for js::Shape::removeFree on 20100912-crashdata.csv
0 startup crashes inside 30 sec.
4 startup crashes inside 3 min.
1 repeated crashes inside 3 min. of last crash

os breakdown
js::Shape::removeFreeTotal 20
Win5.1  0.30
Win6.0  0.00
Win6.1  0.70
Assignee: general → brendan
The 1-day mozilla-central regression range includes the JM merge to MC.

This might be a manifestation of bug 596103.
FWIW it crashed when updating from yesterday's nightly to Mozilla/5.0 (Windows NT 6.0; rv:2.0b7pre) Gecko/20100914 Firefox/4.0b7pre ID:20100914041908 here.
Whiteboard: DUPEME
if crash no longer happens on tracemonkey after  2010-09-14 13:52:08 PDT or when 

http://hg.mozilla.org/tracemonkey/rev/6e5f17315d3d gets merged to trunk, then we could confirm this as dup of bug 596103

sayer, is this in the queue to get merged to moz central?
(In reply to comment #6)
> http://hg.mozilla.org/tracemonkey/rev/6e5f17315d3d gets merged to trunk, then
> we could confirm this as dup of bug 596103
> 
> sayer, is this in the queue to get merged to moz central?

Bug 596103 is fixed now (on m-c as well as tm). Can this be dup'ed now?

/be
yeah,  crashes on 17,18, an 19 after landing of 596103 on 2010-09-16 10:06:23, but the volume is down from the original spike

date     tl crashes at, count build, count build, ...
         js::Shape::removeFree
20100910
20100911
20100912 20 ,20 4.0b6pre2010091204
20100913 42 ,22 4.0b6pre2010091204,20 4.0b6pre2010091304
20100914 17 ,4 4.0b6pre2010091204,12 4.0b6pre2010091304,1 4.0b6pre2010091404
20100915 5 ,2 4.0b7pre2010091507,1 4.0b6pre2010091304,2 4.0b6pre2010091404
20100916 9 ,8 4.0b7pre2010091507,1 4.0b6pre2010091404
20100917 5 ,4 4.0b7pre2010091507,1 4.0b6pre2010091704
20100918 3 ,1 4.0b6pre2010091704,2 4.0b6pre2010091804
20100919 10 ,9 4.0b7pre2010091904,1 4.0b7pre2010091507
strangely volume has bounced back up on sept 20,21,22 on builds from sept20 and 21

date     tl crashes at, count build, count build, ...
         js::Shape::removeFree
 
20100920 30 ,17 4.0b7pre2010092004, 12 4.0b7pre2010091904,
20100921 42 ,23 4.0b7pre2010092004, 13 4.0b7pre2010092104, 3 4.0b7pre2010091904,
20100922 41 ,18 4.0b7pre2010092204, 18 4.0b7pre2010092104, 4 4.0b7pre2010092004,
Bug 596805 is fixed in tm, and sayrer says he is going to sync m-c and tm soon. Maybe look at stats after that fix lands on m-c?

/be
blocking2.0: ? → betaN+
Still in the topcrash list in today's build.
Has this disappeared?

/be
The last crash I see in this stack with a crash stats UI search is 20100928041914.
If anyone has time to pin the tail on the donkey, mark fixed and cite the fix (or even dup, since DUPEME was set). Thanks,

/be
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ js::Shape::removeFree() ]
Whiteboard: DUPEME
You need to log in before you can comment on or make changes to this bug.