Closed Bug 604371 Opened 14 years ago Closed 14 years ago

crash [@ js::mjit::EnterMethodJIT(JSContext*, JSStackFrame*, void*, js::Value*) ] [@ js::mjit::EnterMethodJIT ]

Categories

(Core :: JavaScript Engine, defect)

x86
All
defect
Not set
critical

Tracking

VERIFIED DUPLICATE of bug 595351
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: scoobidiver, Unassigned)

Details

(Keywords: crash, regression, topcrash)

Crash Data

Build: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101014 Firefox/4.0b8pre

This is a new crash signature. Crashes first appeared in b8pre/20101011 build. It is #45 top crasher in 4.0b8pre for the last week.

Signature      js::mjit::EnterMethodJIT(JSContext*, JSStackFrame*, void*, js::Value*)
UUID           d3ce7f78-5f0c-4a1b-82c6-b475f2101014
Time           2010-10-14 06:00:58.886257
Uptime         2792
Last Crash     2951703 seconds (4.9 weeks) before submission
Install Age    10529 seconds (2.9 hours) since version was first installed.
Product        Firefox
Version        4.0b8pre
Build ID       20101013225426
Branch         2.0
OS             Windows NT
OS Version     6.1.7600
CPU            x86
CPU Info       AuthenticAMD family 16 model 5 stepping 2
Crash Reason   EXCEPTION_ACCESS_VIOLATION_READ
Crash Address  0xffffffffea32c000
App Notes      AdapterVendorID: 1002, AdapterDeviceID: 9442

Frame  Module     Signature                              Source
0                 @0x18f31621
1      mozjs.dll  js::mjit::EnterMethodJIT               js/src/methodjit/MethodJIT.cpp:742
2      mozjs.dll  CheckStackAndEnterMethodJIT            js/src/methodjit/MethodJIT.cpp:767
3      mozjs.dll  js::mjit::JaegerShot                   js/src/methodjit/MethodJIT.cpp:784
4      mozjs.dll  js::RunScript                          js/src/jsinterp.cpp:635
5      mozjs.dll  js::Invoke                             js/src/jsinterp.cpp:747
6      mozjs.dll  js::ExternalInvoke                     js/src/jsinterp.cpp:871
7      mozjs.dll  JS_CallFunctionValue                   js/src/jsapi.cpp:4961
8      xul.dll    nsXPCWrappedJSClass::CallMethod        js/src/xpconnect/src/xpcwrappedjsclass.cpp:1692
9      xul.dll    nsXPCWrappedJS::CallMethod             js/src/xpconnect/src/xpcwrappedjs.cpp:571
10     xul.dll    PrepareAndDispatch                     xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114
11     xul.dll    SharedStub                             xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
12     xul.dll    nsEventListenerManager::HandleEventSubType  content/events/src/nsEventListenerManager.cpp:1112

The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=26c47ba8064f&tochange=5a41a70eb631

More reports at:
http://crash-stats.mozilla.com/report/list?range_value=4&range_unit=weeks&signature=js%3A%3Amjit%3A%3AEnterMethodJIT%28JSContext*%2C%20JSStackFrame*%2C%20void*%2C%20js%3A%3AValue*%29
blocking2.0: --- → ?
spiked **** the 14th in builds from 13th and 14th, but there was one crash on the 12th in builds from the 11th. if whatever caused this makes it to the branch it should block b7.

20101009
20101010
20101011
20101012 1 4.0b8pre2010101105 1 ,
20101013
20101014 85 44 4.0b8pre2010101404, 41 4.0b8pre2010101322,
many of the reports look like repeat crashes

Correlation to startup or time of session
85 total crashes for js::mjit::EnterMethodJIT.JSContext...JSStackFrame...void...js::Value.. on 20101014-crashdata.csv
35 startup crashes inside 30 sec.
56 startup crashes inside 3 min.
34 repeated crashes inside 3 min. of last crash

os breakdown
js::mjit::EnterMethodJIT.JSContext...JSStackFrame...void...js::Value..
Total 85
Win5.1 0.33
Win6.0 0.05
Win6.1 0.62

many of the comments reflect gmail involved, and domains of sites in the urls are largely google.

domains of sites
13 \N//
11 https://www.google.com
2 http://www.google.com
2 http://www.google.ca
6 http://www.orkut.com.br
3 http://www.google.co.uk
4 https://mail.google.com
3 http://mail.google.com
4 http://docs.google.com
2 https://docs.google.com
4 about:blank//
3 http://mantis.edisoft.local
2 http://www.nicovideo.jp
2 http://www.mediafire.com
2 http://www.liquibase.org
2 http://localhost:8080
The story here isn't any different from bug 595351.
blocking2.0: ? → betaN+
I can trigger this with the Firebug extension enabled (1.7X.0a3 [1]) and going just to gmail. Firefox will crash during the load process.

[1]: http://getfirebug.com/releases/firebug/1.7X/
OS: Windows 7 → Windows XP
OS: Windows XP → All
Summary: crash [@ js::mjit::EnterMethodJIT(JSContext*, JSStackFrame*, void*, js::Value*) ] → crash [@ js::mjit::EnterMethodJIT(JSContext*, JSStackFrame*, void*, js::Value*) ] [@ js::mjit::EnterMethodJIT ]
I can trigger this with the flashblock extension enabled + methodjit and just going to gmail. (turning off flashblock or methodjit avoids the problem)
(In reply to comment #5)
If you use Linux x64, or OS X 10.6, you are most likely seeing bug 605452.
looks like maybe only a small pct of users hitting this might have been on 64 bit. volume is still high on builds post 2010-10-20 07:30 which is when the fix for bug 605452 landed

date tl crashes at, count build, count build, ...
js::mjit::EnterMethodJIT.JSContext.,.JSStackFrame.,.void.,.js::Value..
20101022 104 57 4.0b8pre2010102204, 33 4.0b8pre2010102104, 8 4.0b8pre2010102012, 4 4.0b8pre2010101904, 2 4.0b8pre201010200
1. http://www.charismamag.com/index.php/features/2010/april-?start=4
2. crash winxp/win7 so far.

Operating system: Windows NT
                  5.1.2600 Service Pack 3
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason:  EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0x84

Thread 0 (crashed)
 0  0x91cde24
    eip = 0x091cde24   esp = 0x0012cbac   ebp = 0x0012cbe4   ebx = 0x00000000
    esi = 0x05a8be50   edi = 0x00000000   eax = 0x00000001   ecx = 0x097aaf28
    edx = 0x05a8be50   efl = 0x00210202
    Found by: given as instruction pointer in context
 1  mozjs.dll!js::mjit::EnterMethodJIT(JSContext *,JSStackFrame *,void *,js::Value *) [MethodJIT.cpp : 742 + 0x14]
    eip = 0x0088aedd   esp = 0x0012cbec   ebp = 0x0012cc2c
    Found by: previous frame's frame pointer
 2  mozjs.dll!CheckStackAndEnterMethodJIT [MethodJIT.cpp : 767 + 0x14]
    eip = 0x0088b15a   esp = 0x0012cc34   ebp = 0x0012cc4c
    Found by: call frame info
 3  mozjs.dll!js::mjit::JaegerShotAtSafePoint(JSContext *,void *) [MethodJIT.cpp : 794 + 0x15]
    eip = 0x0088b1c4   esp = 0x0012cc54   ebp = 0x0012cc60
    Found by: call frame info
 4  mozjs.dll!EvaluateExcessFrame [InvokeHelpers.cpp : 832 + 0xc]
    eip = 0x008f2f5d   esp = 0x0012cc68   ebp = 0x0012cc7c
    Found by: call frame info
 5  mozjs.dll!FinishExcessFrames [InvokeHelpers.cpp : 852 + 0xc]
    eip = 0x008f2ea6   esp = 0x0012cc84   ebp = 0x0012cc90
    Found by: call frame info
 6  mozjs.dll!RunTracer(js::VMFrame &,js::mjit::ic::TraceICInfo &) [InvokeHelpers.cpp : 997 + 0xc]
    eip = 0x008f2684   esp = 0x0012cc98   ebp = 0x0012ccc4
    Found by: call frame info
 7  mozjs.dll!js::mjit::stubs::InvokeTracer(js::VMFrame &,js::mjit::ic::TraceICInfo *) [InvokeHelpers.cpp : 1034 + 0xc]
    eip = 0x008f3049   esp = 0x0012cccc   ebp = 0x0012ccdc
    Found by: call frame info
 8  mozjs.dll!js::mjit::EnterMethodJIT(JSContext *,JSStackFrame *,void *,js::Value *) [MethodJIT.cpp : 742 + 0x14]
    eip = 0x0088aedd   esp = 0x0012cd24   ebp = 0x0012cd1c
    Found by: call frame info with scanning
(In reply to comment #8)
Awesome, Bob, I can reproduce this by visiting that site. However, I get a very different stack (once again evidence that having multiple "EnterMethodJIT" bugs is not useful). It looks like maybe either compartments or regex. I'll file a new bug and close this one.

  mozjs.dll!js::RegExp::executeInternal(JSContext * cx=0x1cbc4240, js::RegExpStatics * res=0x1bad7a90, JSString * input=0x34544ab0, unsigned int * lastIndex=0x002cd1cc, bool test=false, js::Value * rval=0x03ea0980) Line 331 + 0xb bytes C++
> mozjs.dll!DoMatch(JSContext * cx=0x1cbc4240, js::RegExpStatics * res=0x1bad7a90, js::Value * vp=0x00000000, JSString * str=0x34544ab0, const RegExpPair & rep={...}, bool (JSContext *, js::RegExpStatics *, unsigned int, void *)* callback=0x6dca2fc0, void * data=0x002cd218, MatchControlFlags flags=TEST_GLOBAL_BIT) Line 1855 + 0x2d bytes C++
  mozjs.dll!str_match(JSContext * cx=, unsigned int argc=, js::Value * vp=) Line 1929 + 0x1c bytes C++
  mozjs.dll!JSCompartment::wrap(JSContext * cx=, js::Value * vp=) Line 133 + 0x12 bytes C++
  mozjs.dll!JS_EvaluateUCScriptForPrincipalsVersion(JSContext * cx=0x1cbc4240, JSObject * obj=0x142430e0, JSPrincipals * principals=0x1acc7384, const wchar_t * chars=0x002cd5e8, unsigned int length=0x0000001b, const char * filename=0x1bb79d38, unsigned int lineno=0x000004e2, unsigned __int64 * rval=0x00000000, JSVersion version=JSVERSION_DEFAULT) Line 4857 + 0x22 bytes C++
  xul.dll!nsJSContext::EvaluateString(const nsAString_internal & aScript={...}, void * aScopeObject=0x00000000, nsIPrincipal * aPrincipal=0x00000001, const char * aURL=0x1bb79d38, unsigned int aLineNo=0x000004e2, unsigned int aVersion=0x00000000, nsAString_internal * aRetValue=0x00000000, int * aIsUndefined=0x002cd514) Line 1724 + 0x5d bytes C++
  xul.dll!nsScriptLoader::EvaluateScript(nsScriptLoadRequest * aRequest=0x23e0b2e0, const nsString & aScript={...}) Line 813 + 0x3d bytes C++
  xul.dll!nsScriptLoader::ProcessRequest(nsScriptLoadRequest * aRequest=0x00000000) Line 716 + 0xc bytes C++
  xul.dll!nsScriptLoader::ProcessScriptElement(nsIScriptElement * aElement=0x00000000) Line 668 + 0x8 bytes C++
  xul.dll!AtomImpl::IsStaticAtom() + 0x300918 bytes C++
Filed bug 606882, and dupe'ing against other meta bug 595351.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Keywords: topcrash
Status: RESOLVED → VERIFIED
Crash Signature: [@ js::mjit::EnterMethodJIT(JSContext*, JSStackFrame*, void*, js::Value*) ] [@ js::mjit::EnterMethodJIT ]