Closed
Bug 603270
Opened 14 years ago
Closed 14 years ago
Intermittent crash in (browser-)chrome and mochitests after brain transplants landed. [@ js_GetPropertyHelper]
Categories
(Core :: XPConnect, defect)
RESOLVED
FIXED
People
(Reporter: jst, Assigned: jorendorff)
Details
(Keywords: crash, intermittent-failure, Whiteboard: [fixed-in-tracemonkey])
We've been seeing intermittent crashes after brain transplants (bug 580128) landed. So far no one has been able to reproduce these locally, but it does look like a very real bug. The stack is either:

 0  XUL!js_GetPropertyHelper [jsscope.h:1eda0cc3bbf9 : 835 + 0x3]
    rbx = 0x175e9380 r12 = 0x0c101640 r13 = 0x194306e0 r14 = 0x00000000 r15 = 0x175e9380 rip = 0x00f17684 rsp = 0x5fbfb1f0 rbp = 0x0c101640
 1  XUL!js_TryMethod [jsobj.cpp:1eda0cc3bbf9 : 5112 + 0x1f]
    rbx = 0x194306e0 r12 = 0x175e9380 r13 = 0x0000ffff r14 = 0x005b6f80 r15 = 0x5fbfb3c0 rip = 0x00f182f0 rsp = 0x5fbfb320 rbp = 0x0c101640
 2  XUL!js::DefaultValue [jsobj.cpp:1eda0cc3bbf9 : 5619 + 0x22]
    rbx = 0x175e9380 r12 = 0x5fbfb3c0 r13 = 0x00000003 r14 = 0x5fbfb4f0 r15 = 0x175e9380 rip = 0x00f18474 rsp = 0x5fbfb3a0 rbp = 0x194306e0
 3  XUL!js_ValueToString [jsstr.cpp:1eda0cc3bbf9 : 3651 + 0x19]
    rbx = 0x194306e0 r12 = 0x194306e0 r13 = 0x1ce8b460 r14 = 0x5fbfb4f0 r15 = 0x1a70d130 rip = 0x00f86540 rsp = 0x5fbfb410 rbp = 0x1a76dd90
 4  XUL!ToXMLName [jsxml.cpp:1eda0cc3bbf9 : 2847 + 0x4]
    rbx = 0x175e9380 r12 = 0x194306e0 r13 = 0x1ce8b460 r14 = 0x5fbfb4f0 r15 = 0x1a70d130 rip = 0x00fcda92 rsp = 0x5fbfb430 rbp = 0x1a76dd90
 5  XUL!GetProperty [jsxml.cpp:1eda0cc3bbf9 : 3748 + 0xc]
    rbx = 0x175e9384 r12 = 0x194306e0 r13 = 0x1ce8b460 r14 = 0x5fbfb950 r15 = 0x1a70d130 rip = 0x00fcedf0 rsp = 0x5fbfb490 rbp = 0x1a76dd90
 6  XUL!js::Interpret [jsobj.h:1eda0cc3bbf9 : 1079 + 0x1b]
    rbx = 0x5fbfb950 r12 = 0x00000037 r13 = 0x0ba54368 r14 = 0x194306e0 r15 = 0x1a70d130 rip = 0x00ee6f80 rsp = 0x5fbfb540 rbp = 0x1a76dd90
 7  XUL!js::Invoke [jsinterp.cpp:1eda0cc3bbf9 : 612 + 0xe]
    rbx = 0x0ba542d0 r12 = 0x00000000 r13 = 0x00000000 r14 = 0x1d369120 r15 = 0x00000002 rip = 0x00ef6d68 rsp = 0x5fbfba90 rbp = 0x194306e0
 8  XUL!js::mjit::stubs::SlowCall [InvokeHelpers.cpp:1eda0cc3bbf9 : 227 + 0xd]
    rbx = 0x5fbfbb80 r12 = 0x1d2ef4c0 r13 = 0x00000000 r14 = 0xffffffff r15 = 0x1a76dd90 rip = 0x0108dd60 rsp = 0x5fbfbb50 rbp = 0x5fbfbc00
 9  XUL!SlowCallFromIC [MonoIC.cpp:1eda0cc3bbf9 : 221 + 0x8]
    rbx = 0x0ba54208 r12 = 0x1d2ef4c0 r13 = 0x00000000 r14 = 0xffffffff r15 = 0x1a76dd90 rip = 0x0107aaed rsp = 0x5fbfbb70 rbp = 0x5fbfbc00
10  0x1103350a9
    rbx = 0x0ba54208 r12 = 0x1d2ef4c0 r13 = 0x00000000 r14 = 0xffffffff r15 = 0x1a76dd90 rip = 0x103350aa rsp = 0x5fbfbb80 rbp = 0x5fbfbc00

or:

Thread 0 (crashed)
 0  linux-gate.so + 0x424
    eip = 0x00b92424 esp = 0xbfde0b94 ebp = 0xbfde0bb8 ebx = 0xb32c6e40 esi = 0x00000000 edi = 0x00755ff4 eax = 0xfffffffc ecx = 0x00000007 edx = 0xffffffff efl = 0x00200293
    Found by: given as instruction pointer in context
 1  libglib-2.0.so.0.2200.2 + 0x47a0b
    eip = 0x001dba0c esp = 0xbfde0bc0 ebp = 0xbfde0bd8
    Found by: previous frame's frame pointer
 2  libglib-2.0.so.0.2200.2 + 0x3a882
    eip = 0x001ce883 esp = 0xbfde0be0 ebp = 0xbfde0c58
    Found by: previous frame's frame pointer
 3  libglib-2.0.so.0.2200.2 + 0x3ab73
    eip = 0x001ceb74 esp = 0xbfde0c60 ebp = 0xbfde0c98
    Found by: previous frame's frame pointer
 4  libxul.so!nsAppShell::ProcessNextNativeEvent [nsAppShell.cpp:1eda0cc3bbf9 : 144 + 0xa]
    eip = 0x017baafe esp = 0xbfde0ca0 ebp = 0x00000014
    Found by: previous frame's frame pointer
 5  libxul.so!nsBaseAppShell::DoProcessNextNativeEvent [nsBaseAppShell.cpp:1eda0cc3bbf9 : 161 + 0x7]
    eip = 0x017d24f8 esp = 0xbfde0cc0 ebp = 0x00000014 ebx = 0x020a7870
    Found by: call frame info
 6  libxul.so!nsBaseAppShell::OnProcessNextEvent [nsBaseAppShell.cpp:1eda0cc3bbf9 : 317 + 0xb]
    eip = 0x017d2760 esp = 0xbfde0ce0 ebp = 0x00000014 ebx = 0x020a7870 esi = 0xb677add0 edi = 0x99a5dfd3
    Found by: call frame info
 7  libxul.so!nsThread::ProcessNextEvent [nsThread.cpp:1eda0cc3bbf9 : 517 + 0x1a]
    eip = 0x01964af4 esp = 0xbfde0d10 ebp = 0x00000001 ebx = 0x020a7870 esi = 0x017d2684 edi = 0xb7573d80
    Found by: call frame info
 8  libxul.so!NS_ProcessNextEvent_P [nsThreadUtils.cpp : 250 + 0xf]
    eip = 0x0192e831 esp = 0xbfde0d50 ebp = 0x00000000 ebx = 0x020a7870 esi = 0x00000000 edi = 0xb75d1880
    Found by: call frame info
 9  libxul.so!mozilla::ipc::MessagePump::Run [MessagePump.cpp:1eda0cc3bbf9 : 134 + 0xb]
    eip = 0x01886ea4 esp = 0xbfde0d80 ebp = 0x00000000 ebx = 0x020a7870 esi = 0x00000000 edi = 0xb75d1880
    Found by: call frame info
10  libxul.so!MessageLoop::RunInternal [message_loop.cc:1eda0cc3bbf9 : 219 + 0x8]
    eip = 0x01999aee esp = 0xbfde0dc0 ebp = 0xb2ec1fb0 ebx = 0x020a7870 esi = 0xb7545600 edi = 0xb677add0
    Found by: call frame info
11  libxul.so!MessageLoop::Run [message_loop.cc:1eda0cc3bbf9 : 202 + 0x8]
    eip = 0x01999b86 esp = 0xbfde0de0 ebp = 0xb2ec1fb0 ebx = 0x020a7870 esi = 0xb7573d80 edi = 0xb677add0
    Found by: call frame info
12  libxul.so!nsBaseAppShell::Run [nsBaseAppShell.cpp:1eda0cc3bbf9 : 180 + 0xd]
    eip = 0x017d28dd esp = 0xbfde0e10 ebp = 0xb2ec1fb0 ebx = 0x020a7870 esi = 0xb7573d80 edi = 0xb677add0
    Found by: call frame info
13  libxul.so!nsAppStartup::Run [nsAppStartup.cpp:1eda0cc3bbf9 : 191 + 0x5]
    eip = 0x016855fd esp = 0xbfde0e30 ebp = 0xb2ec1fb0 ebx = 0x020a7870 esi = 0xb324f5e0 edi = 0x0183e69a
    Found by: call frame info
14  0x20a786f
    eip = 0x020a7870 esp = 0xbfde0e48 ebp = 0xb2ec1fb0 ebx = 0x020a7870 esi = 0xb2ec1fb0 edi = 0x0183e69a
    Found by: call frame info
15  libxul.so!XRE_main [nsAppRunner.cpp:1eda0cc3bbf9 : 3670 + 0x8]
    eip = 0x00ea9333 esp = 0xbfde0e50 ebp = 0xb2ec1fb0
    Found by: stack scanning
16  firefox-bin!main [nsBrowserApp.cpp:1eda0cc3bbf9 : 158 + 0xe]
    eip = 0x08049554 esp = 0xbfde1360 ebp = 0xbfde1474 ebx = 0x08054858 esi = 0xbfde1474 edi = 0x00000000
    Found by: call frame info
17  libc-2.11.so + 0x16bb5
    eip = 0x005fbbb6 esp = 0xbfde13d0 ebp = 0xbfde1448 ebx = 0x00755ff4 esi = 0x00000000 edi = 0x00000000
    Found by: call frame info
18  firefox-bin + 0x1390
    eip = 0x08049391 esp = 0xbfde1450 ebp = 0x00000000
    Found by: previous frame's frame pointer
19  firefox-bin!Output [nsBrowserApp.cpp:1eda0cc3bbf9 : 77 + 0x4]
    eip = 0x0804946f esp = 0xbfde1454 ebp = 0x00000000
    Found by: stack scanning
20  0x4
    eip = 0x00000005 esp = 0xbfde1474 ebp = 0x00000000 ebx = 0x00ae58e0
    Found by: call frame info

It's not known yet whether this is one bug biting in two ways, or two separate bugs. So far this has been seen mostly on OS X64 opt, but also on Linux opt.
Severity: normal → critical
Keywords: crash
Summary: Intermittent crash in (browser-)chrome and mochitests after brain transplants landed. → Intermittent crash in (browser-)chrome and mochitests after brain transplants landed. [@ js_GetPropertyHelper]
Comment 1•14 years ago
http://tinderbox.mozilla.org/showlog.cgi?log=TraceMonkey/1286796897.1286797445.16237.gz#err321
http://tinderbox.mozilla.org/showlog.cgi?log=TraceMonkey/1286799341.1286799845.29065.gz#err160
http://tinderbox.mozilla.org/showlog.cgi?log=TraceMonkey/1286799840.1286800502.32219.gz#err16
http://tinderbox.mozilla.org/showlog.cgi?log=TraceMonkey/1286804983.1286805629.23819.gz#err7

Personally, I'd describe it as an "eventual crash after massive multiple failures in XUL template tests" - sure, they've always failed a lot, but not in that way and not that many times in a single run.
Blocks: 438871
Whiteboard: [orange]
Assignee
Updated•14 years ago
Assignee: nobody → jorendorff
Comment 2•14 years ago
sayrer pointed out that the crashes are overwhelmingly on 64-bit. The crashes without JS on the stack have a 2nd thread doing JS GC at the same time.
Comment 3•14 years ago
http://tinderbox.mozilla.org/showlog.cgi?log=TraceMonkey/1286840936.1286841453.28583.gz#err263 Rev3 Fedora 12 tracemonkey opt test mochitest-other on 2010/10/11 16:48:56 s: talos-r3-fed-045
Reporter
Comment 4•14 years ago
I'm running both browser-chrome and chrome tests with gcZeal set to 2, but no luck yet. But the tests take a *loooong* time to run this way, so I've only just started...
Reporter
Comment 5•14 years ago
Setting gcZeal doesn't necessarily help hit this. I just got this in a debugger (non-optimized code with symbols, but no DEBUG defined, but js_Dump* enabled). Here's the JS stack at the time of the crash:

(gdb) call js_DumpStackFrame(cx, cx->fp())
[Thread 0x7fffde0fe710 (LWP 8913) exited]
JSStackFrame at 0x7fffe95fd2d0
callee fun: <function setForCurrentStep at 0x7fffcca3d850 (JSFunction at 0x7fffd937be40)>
file chrome://mochitests/content/chrome/content/xul/templates/tests/chrome/templates_shared.js line 182
  pc = 0x7fffd90605a3
  current op: getelem
  slots: 0x7fffe95fd328
  sp: 0x7fffe95fd370 = slots + 9
    0x7fffe95fd328: <Array object at 0x7fffcca18e00>
    0x7fffe95fd330: <XML object at 0x7fffcca521c0>
    0x7fffe95fd338: "2"
    0x7fffe95fd340: <Array object at 0x7fffcca52d90>
    0x7fffe95fd348: 1
    0x7fffe95fd350: 2
    0x7fffe95fd358: 0
    0x7fffe95fd360: <XML object at 0x7fffcca18d90>
    0x7fffe95fd368: <Array object at 0x7fffce23dee0>
  actuals: 0x7fffe95fd2c0 (2)
  formals: 0x7fffe95fd2c0 (2)
  rval: undefined
  flags:
  scopeChain: (JSObject *) 0x7fffccade1c0

JSStackFrame at 0x7fffe95fd208
callee fun: <function checkResults at 0x7fffcca3d7e0 (JSFunction at 0x7fffd937bda8)>
file chrome://mochitests/content/chrome/content/xul/templates/tests/chrome/templates_shared.js line 133
  pc = 0x7fffd903e5bf
  current op: call
  slots: 0x7fffe95fd260
  sp: 0x7fffe95fd2d0 = slots + 14
    0x7fffe95fd260: <XML object at 0x7fffcca18d90>
    0x7fffe95fd268: undefined
    0x7fffe95fd270: undefined
    0x7fffe95fd278: undefined
    0x7fffe95fd280: undefined
    0x7fffe95fd288: undefined
    0x7fffe95fd290: undefined
    0x7fffe95fd298: undefined
    0x7fffe95fd2a0: undefined
    0x7fffe95fd2a8: undefined
    0x7fffe95fd2b0: <function setForCurrentStep at 0x7fffcca3d850 (JSFunction at 0x7fffd937be40)>
    0x7fffe95fd2b8: null
    0x7fffe95fd2c0: <XML object at 0x7fffcca18d90>
    0x7fffe95fd2c8: 0
  actuals: 0x7fffe95fd1f8 (2)
  formals: 0x7fffe95fd1f8 (2)
  rval: undefined
  flags:
  scopeChain: (JSObject *) 0x7fffccade1c0

JSStackFrame at 0x7fffe95fd168
callee fun: <function test_template at 0x7fffcca3d700 (JSFunction at 0x7fffd937b8e8)>
file chrome://mochitests/content/chrome/content/xul/templates/tests/chrome/templates_shared.js line 66
  pc = 0x7fffd903dadb
  current op: call
  slots: 0x7fffe95fd1c0
  sp: 0x7fffe95fd208 = slots + 9
    0x7fffe95fd1c0: <XULElement object at 0x7fffcca29700>
    0x7fffe95fd1c8: <XPCWrappedNative_NoHelper object at 0x7fffcca1be70>
    0x7fffe95fd1d0: <XPCWrappedNative_NoHelper object at 0x7fffcca1baf0>
    0x7fffe95fd1d8: "chrome://mochitests/content/chrome/content/xul/templates/tests/chrome/animals.rdf"
    0x7fffe95fd1e0: undefined
    0x7fffe95fd1e8: <function checkResults at 0x7fffcca3d7e0 (JSFunction at 0x7fffd937bda8)>
    0x7fffe95fd1f0: null
    0x7fffe95fd1f8: <XULElement object at 0x7fffcca29700>
    0x7fffe95fd200: 0
  actuals: 0x7fffe95fd168 (0)
  formals: 0x7fffe95fd168 (0)
  rval: undefined
  flags:
  scopeChain: (JSObject *) 0x7fffccade1c0

JSStackFrame at 0x7fffe95fd100
callee fun: <function onload at 0x7fffccae42a0 (JSFunction at 0x7fffccae3390)>
file chrome://mochitests/content/chrome/content/xul/templates/tests/chrome/test_tmpl_simplesyntaxfilterwithmultiplerules.xul line 1
  pc = 0x7fffdbf48944
  current op: call
  slots: 0x7fffe95fd158
  sp: 0x7fffe95fd168 = slots + 2
    0x7fffe95fd158: <function test_template at 0x7fffcca3d700 (JSFunction at 0x7fffd937b8e8)>
    0x7fffe95fd160: null
  actuals: 0x7fffe95fd0f8 (1)
  formals: 0x7fffe95fd0f8 (1)
  this: <Proxy object at 0x7fffdcb9d540>
  rval: undefined
  flags:
  scopeChain: (JSObject *) 0x7fffccade1c0

JSStackFrame at 0x7fffe95fd060
callee fun: <unnamed function at 0x7fffcca3d1c0 (JSFunction at 0x7fffdcb37850)>
file chrome://mochikit/content/MochiKit/packed.js line 3048
  pc = 0x7fffdbf8747d
  current op: apply
  slots: 0x7fffe95fd0b8
  sp: 0x7fffe95fd100 = slots + 9
    0x7fffe95fd0b8: <Array object at 0x7fffcca3d230>
    0x7fffe95fd0c0: 0
    0x7fffe95fd0c8: <function apply at 0x7fffccadfa18 (JSFunction at 0x7fffccadfa18)>
    0x7fffe95fd0d0: <function onload at 0x7fffccae42a0 (JSFunction at 0x7fffccae3390)>
    0x7fffe95fd0d8: <Proxy object at 0x7fffdcb9d540>
    0x7fffe95fd0e0: <Arguments object at 0x7fffcca1b9a0>
    0x7fffe95fd0e8: <function onload at 0x7fffccae42a0 (JSFunction at 0x7fffccae3390)>
    0x7fffe95fd0f0: <Proxy object at 0x7fffdcb9d540>
    0x7fffe95fd0f8: <Event object at 0x7fffcca1b930>
  actuals: 0x7fffe95fd048 (1)
  formals: 0x7fffe95fd060 (0)
  argsobj: <Arguments object at 0x7fffcca1b9a0>
  this: <Proxy object at 0x7fffdcb9d540>
  rval: undefined
  flags:
  scopeChain: (JSObject *) 0x7fffccade1c0

And here's what we think obj is:

(gdb) call js_DumpObject(obj)
object 0x7fffce23de00
class 0x7ffff7f8dd80 Array
flags: delegate hasPropertyTable
properties:
proto <Object at 0x7fffcf739bd0>
parent <Window object at 0x7fffcf739af0>
private (nil)
slots:
  1 = <function Array at 0x7fffce214d10 (JSFunction at 0x7fffce214d10)>
  2 = <function toSource at 0x7fffce214da8 (JSFunction at 0x7fffce214da8)>
  3 = <function toString at 0x7fffce214e40 (JSFunction at 0x7fffce214e40)>
  4 = <function toLocaleString at 0x7fffce214ed8 (JSFunction at 0x7fffce214ed8)>
  5 = <function join at 0x7fffce258130 (JSFunction at 0x7fffce258130)>
  6 = <function reverse at 0x7fffce258260 (JSFunction at 0x7fffce258260)>
  7 = <function sort at 0x7fffce258390 (JSFunction at 0x7fffce258390)>
  8 = <function push at 0x7fffce2584c0 (JSFunction at 0x7fffce2584c0)>
  9 = <function pop at 0x7fffce2585f0 (JSFunction at 0x7fffce2585f0)>
  10 = <function shift at 0x7fffce258720 (JSFunction at 0x7fffce258720)>
  11 = <function unshift at 0x7fffce258850 (JSFunction at 0x7fffce258850)>
  12 = <function splice at 0x7fffce258980 (JSFunction at 0x7fffce258980)>
  13 = <function concat at 0x7fffce258ab0 (JSFunction at 0x7fffce258ab0)>
  14 = <function slice at 0x7fffce258be0 (JSFunction at 0x7fffce258be0)>
  15 = <function indexOf at 0x7fffce258d10 (JSFunction at 0x7fffce258d10)>
  16 = <function lastIndexOf at 0x7fffce258e40 (JSFunction at 0x7fffce258e40)>
  17 = <function forEach at 0x7fffce2f7098 (JSFunction at 0x7fffce2f7098)>
  18 = <function map at 0x7fffce2f71c8 (JSFunction at 0x7fffce2f71c8)>
and then more of that spewed until I interrupted the js_DumpObject() call.

The crash happens when we try to look up "toString" on the object, presumably in the third line in the function setForCurrentStep, which starts out as follows:

function setForCurrentStep(content, currentStep)
{
  var todelete = [];
  for each (var child in content) {
    var stepstr = child.@step.toString(); <-- here?
    var stepsarr = stepstr.split(",");
    for (var s = 0; s < stepsarr.length; s++) {
      var step = parseInt(stepsarr[s]);
      if ((step > 0 && step > currentStep) ||
          (step < 0 && -step <= currentStep)) {
        todelete.push(child);
      }
    }
  }
  ...

For now I fail to see any direct connection with the compartments changes, but it's clearly either caused by it or triggered by it. I'll leave this gdb session up so that we can dig out more data here if needed.
Assignee
Comment 6•14 years ago
jst points out that he reproduced this by building with --enable-application=browser --enable-64bit --disable-debug --disable-optimize --enable-debugger-info-modules and using the patch in bug 603517. No one has reproduced it on Windows or in debug builds.
Assignee
Comment 7•14 years ago
JSStackFrame at 0x7fffe95fd2d0
callee fun: <function setForCurrentStep at 0x7fffcca3d850 (JSFunction at 0x7fffd937be40)>
file chrome://mochitests/content/chrome/content/xul/templates/tests/chrome/templates_shared.js line 182
  pc = 0x7fffd90605a3
  current op: getelem
  slots: 0x7fffe95fd328
  sp: 0x7fffe95fd370 = slots + 9
    0x7fffe95fd328: <Array object at 0x7fffcca18e00>   var toDelete
    0x7fffe95fd330: <XML object at 0x7fffcca521c0>     var child
    0x7fffe95fd338: "2"                                var stepstr
    0x7fffe95fd340: <Array object at 0x7fffcca52d90>   var stepsarr
    0x7fffe95fd348: 1                                  var s
    0x7fffe95fd350: 2                                  var step
    0x7fffe95fd358: 0                                  var d
    0x7fffe95fd360: <XML object at 0x7fffcca18d90>
    0x7fffe95fd368: <Array object at 0x7fffce23dee0>

The fact that d is set means to me that we're past the first loop and in the second, probably here:

  for (var d = 0; d < todelete.length; d++)
    delete content.*[todelete[d].childIndex()];

The subexpression `content.*` compiles to:

  getarg 0
  anyname
  getelem

I bet anyname has been gc'd and something else allocated in its place. This theory will be easy to test. In the meantime I'm going to look to see where anyname gets marked.
Assignee
Comment 8•14 years ago
Maybe this is it. Trying to reproduce in the shell now. diff --git a/js/src/jsxml.cpp b/js/src/jsxml.cpp --- a/js/src/jsxml.cpp +++ b/js/src/jsxml.cpp @@ -334,18 +334,18 @@ DEFINE_GETTER(QNameNameURI_getter, DEFINE_GETTER(QNameLocalName_getter, if (obj->getClass() == &js_QNameClass) *vp = obj->getQNameLocalName()) static void anyname_finalize(JSContext* cx, JSObject* obj) { /* Make sure the next call to js_GetAnyName doesn't try to use obj. */ - if (cx->compartment->anynameObject == obj) - cx->compartment->anynameObject = NULL; + if (obj->compartment()->anynameObject == obj) + obj->compartment()->anynameObject = NULL; } static JSBool qname_identity(JSObject *qna, JSObject *qnb) { JSString *uri1 = GetURI(qna); JSString *uri2 = GetURI(qnb);
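Review bot: The comment at the top of anyname_finalize still says only that the next js_GetAnyName call must not use obj; it should also say why the cache is reached through obj->compartment() rather than cx->compartment. If the finalizer can run with cx in a compartment other than obj's, the removed check compares obj against the wrong anynameObject and leaves the stale pointer in place, so a short note to that effect next to the new lines would keep a later cleanup from reverting them. It is also worth checking whether any other finalizer in jsxml.cpp clears a per-compartment cache through cx->compartment, and adding a regression test that finalizes the anyname object while cx is in a different compartment.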
Assignee
Comment 9•14 years ago
Pushed with r=mrbkap. Still trying to reproduce in the shell. I can get the dangling pointer to happen, just trying to make it crash after that. http://hg.mozilla.org/tracemonkey/rev/ae1cec6335b1
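The dangling-pointer condition described in comments 7 to 9, as an added C++ model (not SpiderMonkey code and not part of this bug's patch). Heap, Kind, get_anyname, finalize_before, finalize_after and kind_after_gc are hypothetical names, and the model assumes the finalizer can run with cx in a compartment other than obj's.

```cpp
// Added illustration: a toy model of the stale per-compartment cache.
// Not SpiderMonkey code; every name except anynameObject is hypothetical.
#include <cstdio>

enum Kind { FREE, ANYNAME, ARRAY };

struct Compartment;

struct Object {
    Kind kind = FREE;
    Compartment *comp = nullptr;
    Compartment *compartment() const { return comp; }
};

struct Compartment {
    Object *anynameObject = nullptr;   // cache the finalizer is meant to clear
};

struct Context {
    Compartment *compartment;          // compartment the context is in right now
};

// Tiny heap: a released cell is handed out again by the next allocation.
struct Heap {
    Object cells[4];
    Object *alloc(Kind k, Compartment *c) {
        for (Object &o : cells)
            if (o.kind == FREE) { o.kind = k; o.comp = c; return &o; }
        return nullptr;
    }
    void release(Object *o) { o->kind = FREE; }
};

typedef void (*Finalizer)(Context *, Object *);

// Shape of the check before the patch: trusts the context's compartment.
static void finalize_before(Context *cx, Object *obj) {
    if (cx->compartment->anynameObject == obj)
        cx->compartment->anynameObject = nullptr;
}

// Shape of the check after the patch: asks the object for its compartment.
static void finalize_after(Context *, Object *obj) {
    if (obj->compartment()->anynameObject == obj)
        obj->compartment()->anynameObject = nullptr;
}

// Stand-in for a cached lookup: reuse the cached object or create one.
static Object *get_anyname(Heap &heap, Compartment *c) {
    if (!c->anynameObject)
        c->anynameObject = heap.alloc(ANYNAME, c);
    return c->anynameObject;
}

// Finalize the cached object, let its cell be reused for an Array, then look
// the cache up again. Returns the kind of object the lookup hands back.
static Kind kind_after_gc(Finalizer finalize, bool gcFromOtherCompartment) {
    Heap heap;
    Compartment home, other;
    Object *any = get_anyname(heap, &home);   // cache now points at the cell
    Context cx{gcFromOtherCompartment ? &other : &home};
    finalize(&cx, any);                       // sweep: the finalizer runs
    heap.release(any);                        // and the cell is freed
    heap.alloc(ARRAY, &home);                 // an unrelated Array reuses the cell
    return get_anyname(heap, &home)->kind;
}

int main() {
    const char *names[] = {"FREE", "ANYNAME", "ARRAY"};
    std::printf("before patch, GC from other compartment: %s\n",
                names[kind_after_gc(finalize_before, true)]);
    std::printf("before patch, GC from same compartment:  %s\n",
                names[kind_after_gc(finalize_before, false)]);
    std::printf("after patch,  GC from other compartment: %s\n",
                names[kind_after_gc(finalize_after, true)]);
    return 0;
}
```

Only the first case hands back an Array where an anyname object is expected, which matches an intermittent failure that depends on which compartment the collecting context happens to be in.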
Assignee
Comment 10•14 years ago
Looks good. I was unable to trigger this via the shell. Of course, we already have test coverage, since it was a test that discovered this.
Whiteboard: [orange] → [orange][fixed-in-tracemonkey]
Comment 11•14 years ago
http://hg.mozilla.org/mozilla-central/rev/ae1cec6335b1
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•13 years ago
Crash Signature: [@ js_GetPropertyHelper]
Updated•12 years ago
Keywords: intermittent-failure
Updated•12 years ago
Whiteboard: [orange][fixed-in-tracemonkey] → [fixed-in-tracemonkey]