Bug 603270 - Intermittent crash in (browser-)chrome and mochitests after brain transplants landed. [@ js_GetPropertyHelper]
Status: RESOLVED FIXED
Whiteboard: [fixed-in-tracemonkey]
Keywords: crash, intermittent-failure
Product: Core
Classification: Components
Component: XPConnect
Version: Trunk
Platform: All All
Importance: -- critical
Target Milestone: ---
Assigned To: Jason Orendorff [:jorendorff]
Blocks: 438871
Reported: 2010-10-11 00:52 PDT by Johnny Stenback (:jst, jst@mozilla.com)
Modified: 2012-11-25 19:31 PST

Description Johnny Stenback (:jst, jst@mozilla.com) 2010-10-11 00:52:12 PDT
We've been seeing intermittent crashes after brain transplants (bug 580128) landed. So far no one has been able to reproduce these locally, but it does look like a very real bug. The stack is either:

0  XUL!js_GetPropertyHelper [jsscope.h:1eda0cc3bbf9 : 835 + 0x3]
    rbx = 0x175e9380   r12 = 0x0c101640   r13 = 0x194306e0   r14 = 0x00000000
    r15 = 0x175e9380   rip = 0x00f17684   rsp = 0x5fbfb1f0   rbp = 0x0c101640
 1  XUL!js_TryMethod [jsobj.cpp:1eda0cc3bbf9 : 5112 + 0x1f]
    rbx = 0x194306e0   r12 = 0x175e9380   r13 = 0x0000ffff   r14 = 0x005b6f80
    r15 = 0x5fbfb3c0   rip = 0x00f182f0   rsp = 0x5fbfb320   rbp = 0x0c101640
 2  XUL!js::DefaultValue [jsobj.cpp:1eda0cc3bbf9 : 5619 + 0x22]
    rbx = 0x175e9380   r12 = 0x5fbfb3c0   r13 = 0x00000003   r14 = 0x5fbfb4f0
    r15 = 0x175e9380   rip = 0x00f18474   rsp = 0x5fbfb3a0   rbp = 0x194306e0
 3  XUL!js_ValueToString [jsstr.cpp:1eda0cc3bbf9 : 3651 + 0x19]
    rbx = 0x194306e0   r12 = 0x194306e0   r13 = 0x1ce8b460   r14 = 0x5fbfb4f0
    r15 = 0x1a70d130   rip = 0x00f86540   rsp = 0x5fbfb410   rbp = 0x1a76dd90
 4  XUL!ToXMLName [jsxml.cpp:1eda0cc3bbf9 : 2847 + 0x4]
    rbx = 0x175e9380   r12 = 0x194306e0   r13 = 0x1ce8b460   r14 = 0x5fbfb4f0
    r15 = 0x1a70d130   rip = 0x00fcda92   rsp = 0x5fbfb430   rbp = 0x1a76dd90
 5  XUL!GetProperty [jsxml.cpp:1eda0cc3bbf9 : 3748 + 0xc]
    rbx = 0x175e9384   r12 = 0x194306e0   r13 = 0x1ce8b460   r14 = 0x5fbfb950
    r15 = 0x1a70d130   rip = 0x00fcedf0   rsp = 0x5fbfb490   rbp = 0x1a76dd90
 6  XUL!js::Interpret [jsobj.h:1eda0cc3bbf9 : 1079 + 0x1b]
    rbx = 0x5fbfb950   r12 = 0x00000037   r13 = 0x0ba54368   r14 = 0x194306e0
    r15 = 0x1a70d130   rip = 0x00ee6f80   rsp = 0x5fbfb540   rbp = 0x1a76dd90
 7  XUL!js::Invoke [jsinterp.cpp:1eda0cc3bbf9 : 612 + 0xe]
    rbx = 0x0ba542d0   r12 = 0x00000000   r13 = 0x00000000   r14 = 0x1d369120
    r15 = 0x00000002   rip = 0x00ef6d68   rsp = 0x5fbfba90   rbp = 0x194306e0
 8  XUL!js::mjit::stubs::SlowCall [InvokeHelpers.cpp:1eda0cc3bbf9 : 227 + 0xd]
    rbx = 0x5fbfbb80   r12 = 0x1d2ef4c0   r13 = 0x00000000   r14 = 0xffffffff
    r15 = 0x1a76dd90   rip = 0x0108dd60   rsp = 0x5fbfbb50   rbp = 0x5fbfbc00
 9  XUL!SlowCallFromIC [MonoIC.cpp:1eda0cc3bbf9 : 221 + 0x8]
    rbx = 0x0ba54208   r12 = 0x1d2ef4c0   r13 = 0x00000000   r14 = 0xffffffff
    r15 = 0x1a76dd90   rip = 0x0107aaed   rsp = 0x5fbfbb70   rbp = 0x5fbfbc00
10  0x1103350a9
    rbx = 0x0ba54208   r12 = 0x1d2ef4c0   r13 = 0x00000000   r14 = 0xffffffff
    r15 = 0x1a76dd90   rip = 0x103350aa   rsp = 0x5fbfbb80   rbp = 0x5fbfbc00

or:

Thread 0 (crashed)
 0  linux-gate.so + 0x424
    eip = 0x00b92424   esp = 0xbfde0b94   ebp = 0xbfde0bb8   ebx = 0xb32c6e40
    esi = 0x00000000   edi = 0x00755ff4   eax = 0xfffffffc   ecx = 0x00000007
    edx = 0xffffffff   efl = 0x00200293
    Found by: given as instruction pointer in context
 1  libglib-2.0.so.0.2200.2 + 0x47a0b
    eip = 0x001dba0c   esp = 0xbfde0bc0   ebp = 0xbfde0bd8
    Found by: previous frame's frame pointer
 2  libglib-2.0.so.0.2200.2 + 0x3a882
    eip = 0x001ce883   esp = 0xbfde0be0   ebp = 0xbfde0c58
    Found by: previous frame's frame pointer
 3  libglib-2.0.so.0.2200.2 + 0x3ab73
    eip = 0x001ceb74   esp = 0xbfde0c60   ebp = 0xbfde0c98
    Found by: previous frame's frame pointer
 4  libxul.so!nsAppShell::ProcessNextNativeEvent [nsAppShell.cpp:1eda0cc3bbf9 : 144 + 0xa]
    eip = 0x017baafe   esp = 0xbfde0ca0   ebp = 0x00000014
    Found by: previous frame's frame pointer
 5  libxul.so!nsBaseAppShell::DoProcessNextNativeEvent [nsBaseAppShell.cpp:1eda0cc3bbf9 : 161 + 0x7]
    eip = 0x017d24f8   esp = 0xbfde0cc0   ebp = 0x00000014   ebx = 0x020a7870
    Found by: call frame info
 6  libxul.so!nsBaseAppShell::OnProcessNextEvent [nsBaseAppShell.cpp:1eda0cc3bbf9 : 317 + 0xb]
    eip = 0x017d2760   esp = 0xbfde0ce0   ebp = 0x00000014   ebx = 0x020a7870
    esi = 0xb677add0   edi = 0x99a5dfd3
    Found by: call frame info
 7  libxul.so!nsThread::ProcessNextEvent [nsThread.cpp:1eda0cc3bbf9 : 517 + 0x1a]
    eip = 0x01964af4   esp = 0xbfde0d10   ebp = 0x00000001   ebx = 0x020a7870
    esi = 0x017d2684   edi = 0xb7573d80
    Found by: call frame info
 8  libxul.so!NS_ProcessNextEvent_P [nsThreadUtils.cpp : 250 + 0xf]
    eip = 0x0192e831   esp = 0xbfde0d50   ebp = 0x00000000   ebx = 0x020a7870
    esi = 0x00000000   edi = 0xb75d1880
    Found by: call frame info
 9  libxul.so!mozilla::ipc::MessagePump::Run [MessagePump.cpp:1eda0cc3bbf9 : 134 + 0xb]
    eip = 0x01886ea4   esp = 0xbfde0d80   ebp = 0x00000000   ebx = 0x020a7870
    esi = 0x00000000   edi = 0xb75d1880
    Found by: call frame info
10  libxul.so!MessageLoop::RunInternal [message_loop.cc:1eda0cc3bbf9 : 219 + 0x8]
    eip = 0x01999aee   esp = 0xbfde0dc0   ebp = 0xb2ec1fb0   ebx = 0x020a7870
    esi = 0xb7545600   edi = 0xb677add0
    Found by: call frame info
11  libxul.so!MessageLoop::Run [message_loop.cc:1eda0cc3bbf9 : 202 + 0x8]
    eip = 0x01999b86   esp = 0xbfde0de0   ebp = 0xb2ec1fb0   ebx = 0x020a7870
    esi = 0xb7573d80   edi = 0xb677add0
    Found by: call frame info
12  libxul.so!nsBaseAppShell::Run [nsBaseAppShell.cpp:1eda0cc3bbf9 : 180 + 0xd]
    eip = 0x017d28dd   esp = 0xbfde0e10   ebp = 0xb2ec1fb0   ebx = 0x020a7870
    esi = 0xb7573d80   edi = 0xb677add0
    Found by: call frame info
13  libxul.so!nsAppStartup::Run [nsAppStartup.cpp:1eda0cc3bbf9 : 191 + 0x5]
    eip = 0x016855fd   esp = 0xbfde0e30   ebp = 0xb2ec1fb0   ebx = 0x020a7870
    esi = 0xb324f5e0   edi = 0x0183e69a
    Found by: call frame info
14  0x20a786f
    eip = 0x020a7870   esp = 0xbfde0e48   ebp = 0xb2ec1fb0   ebx = 0x020a7870
    esi = 0xb2ec1fb0   edi = 0x0183e69a
    Found by: call frame info
15  libxul.so!XRE_main [nsAppRunner.cpp:1eda0cc3bbf9 : 3670 + 0x8]
    eip = 0x00ea9333   esp = 0xbfde0e50   ebp = 0xb2ec1fb0
    Found by: stack scanning
16  firefox-bin!main [nsBrowserApp.cpp:1eda0cc3bbf9 : 158 + 0xe]
    eip = 0x08049554   esp = 0xbfde1360   ebp = 0xbfde1474   ebx = 0x08054858
    esi = 0xbfde1474   edi = 0x00000000
    Found by: call frame info
17  libc-2.11.so + 0x16bb5
    eip = 0x005fbbb6   esp = 0xbfde13d0   ebp = 0xbfde1448   ebx = 0x00755ff4
    esi = 0x00000000   edi = 0x00000000
    Found by: call frame info
18  firefox-bin + 0x1390
    eip = 0x08049391   esp = 0xbfde1450   ebp = 0x00000000
    Found by: previous frame's frame pointer
19  firefox-bin!Output [nsBrowserApp.cpp:1eda0cc3bbf9 : 77 + 0x4]
    eip = 0x0804946f   esp = 0xbfde1454   ebp = 0x00000000
    Found by: stack scanning
20  0x4
    eip = 0x00000005   esp = 0xbfde1474   ebp = 0x00000000   ebx = 0x00ae58e0
    Found by: call frame info
It's not known yet whether this is one bug biting in two ways, or two separate bugs. So far this has been seen mostly on OS X64 opt, but also on Linux opt.
Comment 1 Phil Ringnalda (:philor) 2010-10-11 07:45:08 PDT
http://tinderbox.mozilla.org/showlog.cgi?log=TraceMonkey/1286796897.1286797445.16237.gz#err321
http://tinderbox.mozilla.org/showlog.cgi?log=TraceMonkey/1286799341.1286799845.29065.gz#err160
http://tinderbox.mozilla.org/showlog.cgi?log=TraceMonkey/1286799840.1286800502.32219.gz#err16
http://tinderbox.mozilla.org/showlog.cgi?log=TraceMonkey/1286804983.1286805629.23819.gz#err7

Personally, I'd describe it as an "eventual crash after massive multiple failures in XUL template tests" - sure, they've always failed a lot, but not in that way and not that many times in a single run.
Comment 2 Andreas Gal :gal 2010-10-11 12:13:44 PDT
sayrer pointed out that the crashes are overwhelmingly on 64-bit. The crashes without JS on the stack have a 2nd thread doing JS GC at the same time.
Comment 3 Phil Ringnalda (:philor) 2010-10-11 17:08:49 PDT
http://tinderbox.mozilla.org/showlog.cgi?log=TraceMonkey/1286840936.1286841453.28583.gz#err263
Rev3 Fedora 12 tracemonkey opt test mochitest-other on 2010/10/11 16:48:56
s: talos-r3-fed-045
Comment 4 Johnny Stenback (:jst, jst@mozilla.com) 2010-10-11 17:21:16 PDT
I'm running both browser-chrome and chrome tests with gcZeal set to 2, but no luck yet. But the tests take a *loooong* time to run this way, so I've only just started...
Comment 5 Johnny Stenback (:jst, jst@mozilla.com) 2010-10-11 22:33:03 PDT
Setting gcZeal doesn't necessarily help hit this. I just got this in a debugger (non-optimized code with symbols, no DEBUG defined, but js_Dump* enabled). Here's the JS stack at the time of the crash:

(gdb) call js_DumpStackFrame(cx, cx->fp())
[Thread 0x7fffde0fe710 (LWP 8913) exited]
JSStackFrame at 0x7fffe95fd2d0
callee fun: <function setForCurrentStep at 0x7fffcca3d850 (JSFunction at 0x7fffd937be40)>
file chrome://mochitests/content/chrome/content/xul/templates/tests/chrome/templates_shared.js line 182
  pc = 0x7fffd90605a3
  current op: getelem
  slots: 0x7fffe95fd328
  sp:    0x7fffe95fd370 = slots + 9
    0x7fffe95fd328: <Array object at 0x7fffcca18e00>
    0x7fffe95fd330: <XML object at 0x7fffcca521c0>
    0x7fffe95fd338: "2"
    0x7fffe95fd340: <Array object at 0x7fffcca52d90>
    0x7fffe95fd348: 1
    0x7fffe95fd350: 2
    0x7fffe95fd358: 0
    0x7fffe95fd360: <XML object at 0x7fffcca18d90>
    0x7fffe95fd368: <Array object at 0x7fffce23dee0>
  actuals: 0x7fffe95fd2c0 (2)   formals: 0x7fffe95fd2c0 (2)
  rval: undefined
  flags:
  scopeChain: (JSObject *) 0x7fffccade1c0

JSStackFrame at 0x7fffe95fd208
callee fun: <function checkResults at 0x7fffcca3d7e0 (JSFunction at 0x7fffd937bda8)>
file chrome://mochitests/content/chrome/content/xul/templates/tests/chrome/templates_shared.js line 133
  pc = 0x7fffd903e5bf
  current op: call
  slots: 0x7fffe95fd260
  sp:    0x7fffe95fd2d0 = slots + 14
    0x7fffe95fd260: <XML object at 0x7fffcca18d90>
    0x7fffe95fd268: undefined
    0x7fffe95fd270: undefined
    0x7fffe95fd278: undefined
    0x7fffe95fd280: undefined
    0x7fffe95fd288: undefined
    0x7fffe95fd290: undefined
    0x7fffe95fd298: undefined
    0x7fffe95fd2a0: undefined
    0x7fffe95fd2a8: undefined
    0x7fffe95fd2b0: <function setForCurrentStep at 0x7fffcca3d850 (JSFunction at 0x7fffd937be40)>
    0x7fffe95fd2b8: null
    0x7fffe95fd2c0: <XML object at 0x7fffcca18d90>
    0x7fffe95fd2c8: 0
  actuals: 0x7fffe95fd1f8 (2)   formals: 0x7fffe95fd1f8 (2)
  rval: undefined
  flags:
  scopeChain: (JSObject *) 0x7fffccade1c0

JSStackFrame at 0x7fffe95fd168
callee fun: <function test_template at 0x7fffcca3d700 (JSFunction at 0x7fffd937b8e8)>
file chrome://mochitests/content/chrome/content/xul/templates/tests/chrome/templates_shared.js line 66
  pc = 0x7fffd903dadb
  current op: call
  slots: 0x7fffe95fd1c0
  sp:    0x7fffe95fd208 = slots + 9
    0x7fffe95fd1c0: <XULElement object at 0x7fffcca29700>
    0x7fffe95fd1c8: <XPCWrappedNative_NoHelper object at 0x7fffcca1be70>
    0x7fffe95fd1d0: <XPCWrappedNative_NoHelper object at 0x7fffcca1baf0>
    0x7fffe95fd1d8: "chrome://mochitests/content/chrome/content/xul/templates/tests/chrome/animals.rdf"
    0x7fffe95fd1e0: undefined
    0x7fffe95fd1e8: <function checkResults at 0x7fffcca3d7e0 (JSFunction at 0x7fffd937bda8)>
    0x7fffe95fd1f0: null
    0x7fffe95fd1f8: <XULElement object at 0x7fffcca29700>
    0x7fffe95fd200: 0
  actuals: 0x7fffe95fd168 (0)   formals: 0x7fffe95fd168 (0)
  rval: undefined
  flags:
  scopeChain: (JSObject *) 0x7fffccade1c0

JSStackFrame at 0x7fffe95fd100
callee fun: <function onload at 0x7fffccae42a0 (JSFunction at 0x7fffccae3390)>
file chrome://mochitests/content/chrome/content/xul/templates/tests/chrome/test_tmpl_simplesyntaxfilterwithmultiplerules.xul line 1
  pc = 0x7fffdbf48944
  current op: call
  slots: 0x7fffe95fd158
  sp:    0x7fffe95fd168 = slots + 2
    0x7fffe95fd158: <function test_template at 0x7fffcca3d700 (JSFunction at 0x7fffd937b8e8)>
    0x7fffe95fd160: null
  actuals: 0x7fffe95fd0f8 (1)   formals: 0x7fffe95fd0f8 (1)
  this: <Proxy object at 0x7fffdcb9d540>
  rval: undefined
  flags:
  scopeChain: (JSObject *) 0x7fffccade1c0

JSStackFrame at 0x7fffe95fd060
callee fun: <unnamed function at 0x7fffcca3d1c0 (JSFunction at 0x7fffdcb37850)>
file chrome://mochikit/content/MochiKit/packed.js line 3048
  pc = 0x7fffdbf8747d
  current op: apply
  slots: 0x7fffe95fd0b8
  sp:    0x7fffe95fd100 = slots + 9
    0x7fffe95fd0b8: <Array object at 0x7fffcca3d230>
    0x7fffe95fd0c0: 0
    0x7fffe95fd0c8: <function apply at 0x7fffccadfa18 (JSFunction at 0x7fffccadfa18)>
    0x7fffe95fd0d0: <function onload at 0x7fffccae42a0 (JSFunction at 0x7fffccae3390)>
    0x7fffe95fd0d8: <Proxy object at 0x7fffdcb9d540>
    0x7fffe95fd0e0: <Arguments object at 0x7fffcca1b9a0>
    0x7fffe95fd0e8: <function onload at 0x7fffccae42a0 (JSFunction at 0x7fffccae3390)>
    0x7fffe95fd0f0: <Proxy object at 0x7fffdcb9d540>
    0x7fffe95fd0f8: <Event object at 0x7fffcca1b930>
  actuals: 0x7fffe95fd048 (1)   formals: 0x7fffe95fd060 (0)
  argsobj: <Arguments object at 0x7fffcca1b9a0>
  this: <Proxy object at 0x7fffdcb9d540>
  rval: undefined
  flags:
  scopeChain: (JSObject *) 0x7fffccade1c0

And here's what we think obj is:
(gdb) call js_DumpObject(obj)
object 0x7fffce23de00
class 0x7ffff7f8dd80 Array
flags: delegate hasPropertyTable
properties:
proto <Object at 0x7fffcf739bd0>
parent <Window object at 0x7fffcf739af0>
private (nil)
slots:
   1 = <function Array at 0x7fffce214d10 (JSFunction at 0x7fffce214d10)>
   2 = <function toSource at 0x7fffce214da8 (JSFunction at 0x7fffce214da8)>
   3 = <function toString at 0x7fffce214e40 (JSFunction at 0x7fffce214e40)>
   4 = <function toLocaleString at 0x7fffce214ed8 (JSFunction at 0x7fffce214ed8)>
   5 = <function join at 0x7fffce258130 (JSFunction at 0x7fffce258130)>
   6 = <function reverse at 0x7fffce258260 (JSFunction at 0x7fffce258260)>
   7 = <function sort at 0x7fffce258390 (JSFunction at 0x7fffce258390)>
   8 = <function push at 0x7fffce2584c0 (JSFunction at 0x7fffce2584c0)>
   9 = <function pop at 0x7fffce2585f0 (JSFunction at 0x7fffce2585f0)>
  10 = <function shift at 0x7fffce258720 (JSFunction at 0x7fffce258720)>
  11 = <function unshift at 0x7fffce258850 (JSFunction at 0x7fffce258850)>
  12 = <function splice at 0x7fffce258980 (JSFunction at 0x7fffce258980)>
  13 = <function concat at 0x7fffce258ab0 (JSFunction at 0x7fffce258ab0)>
  14 = <function slice at 0x7fffce258be0 (JSFunction at 0x7fffce258be0)>
  15 = <function indexOf at 0x7fffce258d10 (JSFunction at 0x7fffce258d10)>
  16 = <function lastIndexOf at 0x7fffce258e40 (JSFunction at 0x7fffce258e40)>
  17 = <function forEach at 0x7fffce2f7098 (JSFunction at 0x7fffce2f7098)>
  18 = <function map at 0x7fffce2f71c8 (JSFunction at 0x7fffce2f71c8)>
  19 = <function reduce at 0x7fffce2f72f8 (JSFunction at 0x7fffce2f72f8)>
  20 = <function reduceRight at 0x7fffce2f7428 (JSFunction at 0x7fffce2f7428)>
  21 = <function filter at 0x7fffce2f7558 (JSFunction at 0x7fffce2f7558)>
  22 = <function some at 0x7fffce2f7688 (JSFunction at 0x7fffce2f7688)>
  23 = <function every at 0x7fffce2f77b8 (JSFunction at 0x7fffce2f77b8)>
  24 = undefined
  25 = undefined
  26 = undefined
  27 = undefined
  28 = undefined
  29 = undefined
  30 = undefined
  31 = undefined
  32 = undefined
  33 = undefined
  34 = 1.67982e-322
  35 = <Array object at 0x7fffce23de00>
  36 = <function join at 0x7fffce258098 (JSFunction at 0x7fffce258098)>
  37 = <function reverse at 0x7fffce2581c8 (JSFunction at 0x7fffce2581c8)>
  38 = <function sort at 0x7fffce2582f8 (JSFunction at 0x7fffce2582f8)>
  39 = <function push at 0x7fffce258428 (JSFunction at 0x7fffce258428)>
  40 = <function pop at 0x7fffce258558 (JSFunction at 0x7fffce258558)>
  41 = <function shift at 0x7fffce258688 (JSFunction at 0x7fffce258688)>
  42 = <function unshift at 0x7fffce2587b8 (JSFunction at 0x7fffce2587b8)>
  43 = <function splice at 0x7fffce2588e8 (JSFunction at 0x7fffce2588e8)>
  44 = <function concat at 0x7fffce258a18 (JSFunction at 0x7fffce258a18)>
  45 = <function slice at 0x7fffce258b48 (JSFunction at 0x7fffce258b48)>
  46 = <function indexOf at 0x7fffce258c78 (JSFunction at 0x7fffce258c78)>
  47 = <function lastIndexOf at 0x7fffce258da8 (JSFunction at 0x7fffce258da8)>
  48 = <function forEach at 0x7fffce258ed8 (JSFunction at 0x7fffce258ed8)>
  49 = <function map at 0x7fffce2f7130 (JSFunction at 0x7fffce2f7130)>
  50 = <function reduce at 0x7fffce2f7260 (JSFunction at 0x7fffce2f7260)>
  51 = <function reduceRight at 0x7fffce2f7390 (JSFunction at 0x7fffce2f7390)>
  52 = <function filter at 0x7fffce2f74c0 (JSFunction at 0x7fffce2f74c0)>
  53 = <function some at 0x7fffce2f75f0 (JSFunction at 0x7fffce2f75f0)>
  54 = <function every at 0x7fffce2f7720 (JSFunction at 0x7fffce2f7720)>
  55 = <function isArray at 0x7fffce2f7850 (JSFunction at 0x7fffce2f7850)>
  56 = undefined
  57 = undefined
  58 = undefined
  59 = undefined
  60 = undefined
  61 = undefined
  62 = undefined
  63 = undefined
  64 = undefined
  65 = undefined
  66 = 6.95332e-310
  67 = 0
  68 = 0
  69 = 6.95332e-310
  70 = 0
  71 = 0
  72 = 6.95332e-310
  73 = 6.95332e-310
  74 = 0
  75 = 0
  76 = 6.95332e-310
  77 = 6.95332e-310
  78 = 6.95332e-310
  79 = 0
  80 = 6.95332e-310
  81 = 0
  82 = 0
  83 = 6.95332e-310
  84 = 6.95332e-310
  85 = 0
  86 = 0
  87 = 6.95332e-310
  88 = 0
  89 = 0
  90 = 6.95332e-310
  91 = 6.95332e-310
  92 = 0
  93 = 6.95332e-310
  94 = 6.95332e-310
  95 = 0
  96 = 0
  97 = 6.95332e-310
  98 = 0
  99 = 0
 100 = 0
 101 = 6.95332e-310
 102 = 6.95332e-310
 103 = 6.95332e-310
 104 = 0
 105 = 0
 106 = 6.95332e-310
 107 = 0
 108 = 6.95332e-310
 109 = 0
 110 = 0
 111 = 0
 112 = 0
 113 = 6.95332e-310
 114 = 6.95332e-310
 115 = 6.95332e-310
 116 = 6.95332e-310
 117 = 0
 118 = 0
 119 = 6.95332e-310
 120 = 0
 121 = 6.95332e-310
 122 = 0
 123 = 6.95332e-310
 124 = 6.95332e-310
 125 = 6.95332e-310
 126 = 0
 127 = 6.95332e-310
 128 = 6.95332e-310
 129 = 0
 130 = 0
 131 = 0
 132 = 0
 133 = 6.95332e-310
[more random patterns of 0 and 6.95332e-310]
 669 = 0
 670 = 6.95332e-310
 671 = 0
 672 = 6.95332e-310
 673 = 0
 674 = 6.27463e-322
 675 = 1.5151e-310
 676 = 1.0402e-309
 677 = 6.95335e-310
 678 = 4.94066e-324
 679 = 6.95332e-310
 680 = 0
 681 = 1.5151e-310
 682 = 1.0402e-309
 683 = 6.95335e-310
 684 = 4.94066e-324
 685 = 6.95332e-310
 686 = 0
 687 = 1.5151e-310
 688 = 1.0402e-309
 689 = 6.95335e-310
 690 = 4.94066e-324
 691 = 6.95332e-310
 692 = 0
 693 = 1.5151e-310
 694 = 1.0402e-309
 695 = 6.95335e-310
 696 = 4.94066e-324
 697 = 6.95332e-310
 698 = 0
 699 = 1.5151e-310
 700 = 1.0402e-309
 701 = 6.95335e-310
 702 = 4.94066e-324
 703 = 6.95332e-310
 704 = 0
 705 = 1.5151e-310
 706 = 1.67982e-322
 707 = <String object at 0x7fffce2210e0>
 708 = <function quote at 0x7fffce2f7da8 (JSFunction at 0x7fffce2f7da8)>
 709 = <function substring at 0x7fffce26f260 (JSFunction at 0x7fffce26f260)>
 710 = <function toLowerCase at 0x7fffce26f390 (JSFunction at 0x7fffce26f390)>
 711 = <function toUpperCase at 0x7fffce26f4c0 (JSFunction at 0x7fffce26f4c0)>
 712 = <function charAt at 0x7fffce26f5f0 (JSFunction at 0x7fffce26f5f0)>
 713 = <function charCodeAt at 0x7fffce26f720 (JSFunction at 0x7fffce26f720)>
 714 = <function indexOf at 0x7fffce26f850 (JSFunction at 0x7fffce26f850)>
 715 = <function lastIndexOf at 0x7fffce26f980 (JSFunction at 0x7fffce26f980)>
 716 = <function trim at 0x7fffce26fab0 (JSFunction at 0x7fffce26fab0)>
 717 = <function trimLeft at 0x7fffce26fbe0 (JSFunction at 0x7fffce26fbe0)>
 718 = <function trimRight at 0x7fffce26fd10 (JSFunction at 0x7fffce26fd10)>
 719 = <function toLocaleLowerCase at 0x7fffce26fe40 (JSFunction at 0x7fffce26fe40)>
 720 = <function toLocaleUpperCase at 0x7fffce20c098 (JSFunction at 0x7fffce20c098)>
 721 = <function localeCompare at 0x7fffce20c1c8 (JSFunction at 0x7fffce20c1c8)>
 722 = <function match at 0x7fffce20c2f8 (JSFunction at 0x7fffce20c2f8)>
 723 = <function search at 0x7fffce20c428 (JSFunction at 0x7fffce20c428)>
 724 = <function replace at 0x7fffce20c558 (JSFunction at 0x7fffce20c558)>
 725 = <function split at 0x7fffce20c688 (JSFunction at 0x7fffce20c688)>
 726 = <function substr at 0x7fffce20c7b8 (JSFunction at 0x7fffce20c7b8)>
 727 = <function concat at 0x7fffce20c8e8 (JSFunction at 0x7fffce20c8e8)>
 728 = <function slice at 0x7fffce20ca18 (JSFunction at 0x7fffce20ca18)>
 729 = <function fromCharCode at 0x7fffce2b5428 (JSFunction at 0x7fffce2b5428)>
 730 = undefined
 731 = undefined
 732 = undefined
 733 = undefined
 734 = undefined
 735 = undefined
 736 = undefined
 737 = undefined
 738 = 6.27463e-322
 739 = 1.78012e-306
 740 = 8.62242e-308
 741 = 8.90105e-307
 742 = 8.62242e-308
 743 = 1.24611e-306
 744 = 8.62242e-308
 745 = 1.66891e-307
 746 = 1.1126e-306
 747 = 8.62242e-308
 748 = 2.22521e-306
 749 = 1.95813e-306
 750 = 1.66891e-307
 751 = 1.11262e-306
 752 = 2.04722e-306
 753 = 2.04713e-306
 754 = 1.37961e-306
 755 = 2.00756e-317
 756 = 0
 757 = 0
 758 = 0
 759 = 0
 760 = 0
 761 = 0
 762 = 0
 763 = 0
 764 = 0
 765 = 0
 766 = 0
 767 = 0
 768 = 0
 769 = 0
 770 = 6.95332e-310
 771 = 0
 772 = 0
 773 = 6.95332e-310
 774 = 0
 775 = 0
 776 = 6.95332e-310
 777 = 6.95332e-310
 778 = 6.95332e-310
 779 = 6.95332e-310
 780 = 6.95332e-310
 781 = 0
 782 = 6.95332e-310
 783 = 0
 784 = 6.95332e-310
 785 = 6.95332e-310
 786 = 0
 787 = 0
 788 = 6.95332e-310
 789 = 0
 790 = 0
[more random patterns of 0 and 6.95332e-310 again, and some other random numbers thrown into the mix]
2456 = 6.95332e-310
 2457 = 6.95332e-310
 2458 = 0
 2459 = 0
 2460 = 6.95332e-310
 2461 = 0
 2462 = 6.95332e-310
 2463 = 6.95332e-310
 2464 = 6.95332e-310
 2465 = 0
 2466 = 6.42285e-322
 2467 = "KEY_ENTER"
 2468 = "KEY_SHIFT"
 2469 = "KEY_CTRL"
 2470 = "KEY_ALT"
 2471 = "KEY_PAUSE"
 2472 = "KEY_CAPS_LOCK"
 2473 = "KEY_ESCAPE"
 2474 = "KEY_SPACEBAR"
 2475 = "KEY_PAGE_UP"
 2476 = "KEY_PAGE_DOWN"
 2477 = "KEY_END"
 2478 = "KEY_HOME"
 2479 = "KEY_ARROW_LEFT"
 2480 = "KEY_ARROW_UP"
 2481 = "KEY_ARROW_RIGHT"
 2482 = "KEY_ARROW_DOWN"
 2483 = "KEY_PRINT_SCREEN"
 2484 = "KEY_INSERT"
 2485 = "KEY_DELETE"
 2486 = "KEY_SEMICOLON"
 2487 = "KEY_WINDOWS_LEFT"
 2488 = "KEY_WINDOWS_RIGHT"
 2489 = "KEY_SELECT"
 2490 = "KEY_NUM_PAD_ASTERISK"
 2491 = "KEY_NUM_PAD_PLUS_SIGN"
 2492 = "KEY_NUM_PAD_HYPHEN-MINUS"
 2493 = "KEY_NUM_PAD_FULL_STOP"
 2494 = "KEY_NUM_PAD_SOLIDUS"
 2495 = "KEY_NUM_LOCK"
 2496 = "KEY_SCROLL_LOCK"
 2497 = "KEY_SEMICOLON"
 2498 = "KEY_EQUALS_SIGN"
 2499 = "KEY_COMMA"
 2500 = "KEY_HYPHEN-MINUS"
 2501 = "KEY_FULL_STOP"
 2502 = "KEY_SOLIDUS"
 2503 = "KEY_GRAVE_ACCENT"
 2504 = "KEY_LEFT_SQUARE_BRACKET"
 2505 = "KEY_REVERSE_SOLIDUS"
 2506 = "KEY_RIGHT_SQUARE_BRACKET"
 2507 = "KEY_APOSTROPHE"
 2508 = "KEY_0\x00\x00\x00or\x00ync.fail\x00lue\x00\u94c0\ud8a0\u7fff\x00\u9490\ud8a0\u7fff\x00KEY_1\x00\x00\x00r\x00sync.doXHR\x00__\x00\u9540\ud8a0\u7fff\x00\u94d0\ud8a0\u7fff\x00KEY_2\x00\x00\x00or\x00ync.wait\x00LE.\x00\u0140\x00\x00\x00\u9510\ud8a0\u7fff\x00"Test" should equal \x00\x00\x00\x00\u9640\ud8a0\u7fff\x00\u9550\ud8a0\u7fff\x00KEY_3\x00\x00\x00r\x00sync.__new__\x00\x00...

and then more of that spewed until I interrupted the js_DumpObject() call.

The crash happens when we try to look up "toString" on the object, presumably in the third line of the function setForCurrentStep, which starts out as follows:

function setForCurrentStep(content, currentStep)
{
  var todelete = [];
  for each (var child in content) {
    var stepstr = child.@step.toString();             <-- here?
    var stepsarr = stepstr.split(",");
    for (var s = 0; s < stepsarr.length; s++) {
      var step = parseInt(stepsarr[s]);
      if ((step > 0 && step > currentStep) ||
          (step < 0 && -step <= currentStep)) {
        todelete.push(child);
      }
    }
  }
...

For now I fail to see any direct connection with the compartments changes, but it's clearly either caused by it or triggered by it.

I'll leave this gdb session up so that we can dig out more data here if needed.
Comment 6 Jason Orendorff [:jorendorff] 2010-10-12 11:37:07 PDT
jst points out that he reproduced this by building with

  --enable-application=browser --enable-64bit
  --disable-debug --disable-optimize --enable-debugger-info-modules

and using the patch in bug 603517.

No one has reproduced it on Windows or in debug builds.
Comment 7 Jason Orendorff [:jorendorff] 2010-10-12 12:11:16 PDT
JSStackFrame at 0x7fffe95fd2d0
callee fun: <function setForCurrentStep at 0x7fffcca3d850 (JSFunction at
0x7fffd937be40)>
file
chrome://mochitests/content/chrome/content/xul/templates/tests/chrome/templates_shared.js
line 182
  pc = 0x7fffd90605a3
  current op: getelem
  slots: 0x7fffe95fd328
  sp:    0x7fffe95fd370 = slots + 9

    0x7fffe95fd328: <Array object at 0x7fffcca18e00>         var toDelete
    0x7fffe95fd330: <XML object at 0x7fffcca521c0>           var child
    0x7fffe95fd338: "2"                                      var stepstr
    0x7fffe95fd340: <Array object at 0x7fffcca52d90>         var stepsarr
    0x7fffe95fd348: 1                                        var s
    0x7fffe95fd350: 2                                        var step
    0x7fffe95fd358: 0                                        var d
    0x7fffe95fd360: <XML object at 0x7fffcca18d90>
    0x7fffe95fd368: <Array object at 0x7fffce23dee0>

The fact that d is set means to me that we're past the first loop and in the second, probably here:

  for (var d = 0; d < todelete.length; d++)
    delete content.*[todelete[d].childIndex()];

The subexpression `content.*` compiles to:
  getarg 0
  anyname
  getelem

I bet anyname has been gc'd and something else allocated in its place. This theory will be easy to test. In the meantime I'm going to look to see where anyname gets marked.
Comment 8 Jason Orendorff [:jorendorff] 2010-10-12 12:18:52 PDT
Maybe this is it. Trying to reproduce in the shell now.

diff --git a/js/src/jsxml.cpp b/js/src/jsxml.cpp
--- a/js/src/jsxml.cpp
+++ b/js/src/jsxml.cpp
@@ -334,18 +334,18 @@ DEFINE_GETTER(QNameNameURI_getter,
 DEFINE_GETTER(QNameLocalName_getter,
               if (obj->getClass() == &js_QNameClass)
                   *vp = obj->getQNameLocalName())

 static void
 anyname_finalize(JSContext* cx, JSObject* obj)
 {
     /* Make sure the next call to js_GetAnyName doesn't try to use obj. */
-    if (cx->compartment->anynameObject == obj)
-        cx->compartment->anynameObject = NULL;
+    if (obj->compartment()->anynameObject == obj)
+        obj->compartment()->anynameObject = NULL;
 }

 static JSBool
 qname_identity(JSObject *qna, JSObject *qnb)
 {
     JSString *uri1 = GetURI(qna);
     JSString *uri2 = GetURI(qnb);
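Review bot: the new check is keyed on the right owner, but the reason belongs in the finalizer's comment, because the old form reads just as plausibly: during a GC the finalizer for a compartment's anynameObject can run while cx->compartment points at a different compartment (a sweep across compartments, which is how the cached pointer was left dangling here), so `if (cx->compartment->anynameObject == obj)` silently never matched and anynameObject went on pointing at freed memory. Suggest extending the existing comment along the lines of `/* Use obj's own compartment, not cx->compartment: during GC cx may be entered into another compartment. */`. It is also worth checking whether any other finalizer clears a compartment-cached singleton through cx->compartment, since it would have the same defect.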
Comment 9 Jason Orendorff [:jorendorff] 2010-10-12 12:43:27 PDT
Pushed with r=mrbkap. Still trying to reproduce in the shell. I can get the dangling pointer to happen, just trying to make it crash after that.

http://hg.mozilla.org/tracemonkey/rev/ae1cec6335b1
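The dangling-cache pattern behind the finalizer fix in comment 8, reduced to a stand-alone C++ model: this is an added example, not SpiderMonkey code, and Compartment, Object, Context and sweep() are hypothetical stand-ins for the engine's structures. It runs the same GC scenario against the page's '-' and '+' versions of the finalizer and reports whether the compartment is left holding a pointer to freed memory, without ever dereferencing it.

```cpp
#include <vector>

// Hypothetical stand-ins for the engine structures involved in the bug:
// a compartment caches its singleton "anyname" object, and that object's
// finalizer is responsible for clearing the cache when the object dies.
struct Compartment;

struct Object {
    Compartment* owner;   // compartment that allocated the object (obj->compartment())
};

struct Compartment {
    Object* anynameObject = nullptr;  // cached singleton, like compartment->anynameObject
    std::vector<Object*> heap;        // objects owned by this compartment
};

struct Context {
    Compartment* compartment;         // the compartment cx is currently entered into
};

using Finalizer = void (*)(Context* cx, Object* obj);

// Finalizer as in the page's '-' lines: compares against the context's
// current compartment. Wrong whenever GC finalizes obj while cx is entered
// into some other compartment: the test never matches, so the cache is
// never cleared and keeps pointing at freed memory.
void anyname_finalize_buggy(Context* cx, Object* obj) {
    if (cx->compartment->anynameObject == obj)
        cx->compartment->anynameObject = nullptr;
}

// Finalizer as in the page's '+' lines: keyed on the object's own owner,
// which is the only compartment whose cache can hold it.
void anyname_finalize_fixed(Context* /*cx*/, Object* obj) {
    if (obj->owner->anynameObject == obj)
        obj->owner->anynameObject = nullptr;
}

// Simulated GC sweep of one compartment: run the finalizer for each object
// it owns, then free it. cx is whatever compartment the collector happened
// to be entered into, which need not be the one being swept.
void sweep(Context* cx, Compartment* victim, Finalizer finalize) {
    for (Object* obj : victim->heap) {
        finalize(cx, obj);
        delete obj;
    }
    victim->heap.clear();
}

// Runs the scenario from the bug: compartment A caches its anyname object,
// then a GC sweeps A while cx is entered into compartment B. Returns true if
// A is left with a non-null cache entry, i.e. a pointer to freed memory.
// The stale pointer is only compared against nullptr, never dereferenced.
bool sweep_leaves_dangling_cache(Finalizer finalize) {
    Compartment a, b;
    Object* anyname = new Object{&a};
    a.heap.push_back(anyname);
    a.anynameObject = anyname;   // what caching the singleton on first use does
    Context cx{&b};              // collector running with cx in another compartment
    sweep(&cx, &a, finalize);
    return a.anynameObject != nullptr;
}

int main() {
    // The buggy finalizer leaves a dangling pointer; the fixed one does not.
    bool buggy = sweep_leaves_dangling_cache(anyname_finalize_buggy);
    bool fixed = sweep_leaves_dangling_cache(anyname_finalize_fixed);
    return (buggy && !fixed) ? 0 : 1;
}
```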
Comment 10 Jason Orendorff [:jorendorff] 2010-10-13 11:44:14 PDT
Looks good.

I was unable to trigger this via the shell. Of course, we already have test coverage, since it was a test that discovered this.
