Closed Bug 606536 Opened 14 years ago Closed 14 years ago

Firefox/4.0b8pre startup crash in [@ js_GetProtoIfDenseArray ]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
blocking2.0 --- beta7+

People

(Reporter: marcia, Unassigned)

Details

(Keywords: crash)

Crash Data

Seen while reviewing crash stats. http://tinyurl.com/32ky3fd links to the crashes which happen with 1.9.2 and 1.9.1 as well. While the trunk crashes are startup crashes, the other crashes seem to have more uptime so might provide more of a chance of reproducing the issue. Frame Module Signature Source 0 mozjs.dll js_GetProtoIfDenseArray js/src/jsarray.h:131 1 mozjs.dll js::Interpret js/src/jsinterp.cpp:4178 2 mozjs.dll js::RunScript js/src/jsinterp.cpp:638 3 mozjs.dll js::Invoke js/src/jsinterp.cpp:747 4 mozjs.dll js::ExternalInvoke js/src/jsinterp.cpp:871 5 mozjs.dll JS_CallFunctionValue js/src/jsapi.cpp:4961 6 xul.dll nsXPCWrappedJSClass::CallMethod js/src/xpconnect/src/xpcwrappedjsclass.cpp:1694 7 xul.dll nsXPCWrappedJS::CallMethod js/src/xpconnect/src/xpcwrappedjs.cpp:571 8 xul.dll PrepareAndDispatch xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114 9 xul.dll SharedStub xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141 10 xul.dll nsComponentManagerImpl::CreateInstanceByContractID xpcom/components/nsComponentManager.cpp:1303 11 xul.dll nsComponentManagerImpl::GetServiceByContractID xpcom/components/nsComponentManager.cpp:1664 12 xul.dll nsCOMPtr_base::assign_from_gs_contractid obj-firefox/xpcom/build/nsCOMPtr.cpp:132 13 xul.dll NS_CreateServicesFromCategory xpcom/components/nsCategoryManager.cpp:788 14 xul.dll nsXREDirProvider::DoStartup toolkit/xre/nsXREDirProvider.cpp:754 15 xul.dll XRE_main toolkit/xre/nsAppRunner.cpp:3546 16 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:129 17 firefox.exe __tmainCRTStartup obj-firefox/memory/jemalloc/crtsrc/crtexe.c:591 18 kernel32.dll BaseThreadInitThunk 19 ntdll.dll __RtlUserThreadStart 20 ntdll.dll _RtlUserThreadStart
here are resent volume stats might have seen the first instance of this on the trunk on oct 17 and oct 20 in builds from oct 10, but maybe thats the lower volume risidual crash. the higher volume trunk problem might have started somewhere between 4.0b8pre2010101604 and 2010101804 20101015 7 3 3.6.102010091412, 1 4.0b62010091408, 1 3.6.82010072215, 1 3.6.72010071313, 1 3.6.32010040108, 20101016 6 4 3.6.102010091412, 1 3.6.82010072215, 1 3.5.132010091413, 20101017 7 1 4.0b8pre2010101004, 1 4.0b62010091408, 1 3.6.82010072215, 1 3.6.112010101211, 1 3.6.102010091412, 1 3.62010011514, 1 3.5.132010091413, 20101018 5 4 3.6.102010091412, 1 4.0b22010072019, 20101019 10 7 3.6.102010091412, 1 4.0b62010091408, 1 3.6.82010072215, 1 3.6.62010062523, 20101020 6 2 3.6.102010091412, 1 4.0b8pre2010101904, 1 4.0b52010083108, 1 3.6.32010040108, 1 3.6.112010101211, 20101021 40 11 4.0b8pre2010101904, 9 4.0b8pre2010101804, 7 4.0b8pre2010101704, 5 4.0b8pre2010102004, 2 4.0b8pre2010101604, 2 4.0b8pre2010101504, 2 3.6.102010091412, 1 4.0b62010091408, 1 3.6.112010101211,
moved to the #1 topcrash on trunk on oct 22 with 173 crashes. need to understand this better before b7 or b8. stats from yesterday don't show any crashes on trunk beyond 2010 10 20 so maybe the fix is in. 20101022 173 98 4.0b8pre2010101704, 22 4.0b8pre2010101604, 19 4.0b8pre2010101804, 17 4.0b8pre2010101904, 10 4.0b8pre2010102004, 5 3.6.112010101211, 1 4.0b7pre2010100204, 1 3.5.142010100117, Could this jsArray change that happened inside the the possible regression window be related? c45685276ce5 2010-10-13 11:49 -0700 Brian Hackett - Flexible length JSObject, bug 584917. r=brendan,igor
blocking2.0: --- → ?
Looks like js_GetProtoIfDenseArray is getting passed a NULL pointer by CALLPROP in Interpret, don't think this is 584917.
blocking2.0: ? → beta7+
Is this fixed? There haven't been any crashes with builds after 10/20.
Do we really need to hold b7 for this? We've gotta get it out the door! I know there will be stability issues in b7, and we've hundreds of changes going into the beta. Just want to be super critical when blocking b7. If we can get by without it, we should ship the beta and fix issues in a followup release.
(In reply to comment #4) > Is this fixed? There haven't been any crashes with builds after 10/20. I misread choffman's summary in comment 2. I think we should mark this WFM if the crash is gone. If it is still the number 1 topcrash, it should block b7.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
It looks like this might have been a spike volume regression on the trunk builds between around oct 16-20. I agree WFM is probably correct.
Crash Signature: [@ js_GetProtoIfDenseArray ]
You need to log in before you can comment on or make changes to this bug.