615993 - Fennec crash [@ js::mjit::JaegerShot ]

Status: RESOLVED INVALID

(Core :: JavaScript Engine, defect)

Description

[Scoobidiver (away)]

It is #7 top crasher in Fennec 4.0b3pre for the last week.
It happens only on ARM v5 or v6.

Signature	js::mjit::JaegerShot
UUID	01573a80-e8eb-48de-8699-786552101201
Time 	2010-12-01 09:56:06.95135
Uptime	31
Last Crash	274 seconds (4.6 minutes) before submission
Install Age	309 seconds (5.2 minutes) since version was first installed.
Product	Fennec
Version	4.0b3pre
Build ID	20101201043717
Branch	2.0
OS	Linux
OS Version	0.0.0 Linux 2.6.32.9-perf #1 PREEMPT Sat Sep 11 12:44:11 CST 2010 armv6l
CPU	arm
CPU Info	
Crash Reason	SIGILL
Crash Address	0x4693303c
User Comments	
App Notes 	nothumb Build
HUAWEI Ideos
Huawei/U8150/U8150/U8150:2.2/FRF91/eng.huawei.20100911.122209:user/release-keys

Frame 	Module 	Signature [Expand] 	Source
0 		@0x4693303c 	
1 	libxul.so 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:745
2 	libxul.so 	js::Invoke 	js/src/jsinterp.cpp:654
3 	libxul.so 	js::ExternalInvoke 	js/src/jsinterp.cpp:858
4 	libxul.so 	JS_CallFunctionValue 	js/src/jsinterp.h:962
5 	libxul.so 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1694
6 	libxul.so 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:588
7 	libxul.so 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_arm.cpp:132
8 	libxul.so 	libxul.so@0xd3eb6f 	
9 	libxul.so 	nsDOMEventListenerWrapper::HandleEvent 	content/events/src/nsDOMEventTargetHelper.cpp:65
10 		@0x4a9f0eff 	
11 	libxul.so 	nsEventListenerManager::HandleEventSubType 	content/events/src/nsEventListenerManager.cpp:1114
12 	libxul.so 	nsEventListenerManager::HandleEventInternal 	content/events/src/nsEventListenerManager.cpp:1210
13 	libxul.so 	nsEventTargetChainItem::HandleEvent 	content/events/src/nsEventListenerManager.h:146
14 	libxul.so 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventDispatcher.cpp:341
15 	libxul.so 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:628
16 	libxul.so 	nsEventDispatcher::DispatchDOMEvent 	content/events/src/nsEventDispatcher.cpp:691
17 	libxul.so 	nsXMLHttpRequest::DispatchProgressEvent 	content/base/src/nsXMLHttpRequest.cpp:1596
18 	libxul.so 	nsXMLHttpRequest::DispatchProgressEvent 	content/base/src/nsXMLHttpRequest.h:271
19 	libxul.so 	nsXMLHttpRequest::RequestCompleted 	content/base/src/nsXMLHttpRequest.cpp:2204
20 	libxul.so 	nsXMLHttpRequest::OnStopRequest 	content/base/src/nsXMLHttpRequest.cpp:2158
21 	libxul.so 	nsHTTPCompressConv::OnStopRequest 	netwerk/streamconv/converters/nsHTTPCompressConv.cpp:127
22 	libxul.so 	nsStreamListenerTee::OnStopRequest 	netwerk/base/src/nsStreamListenerTee.cpp:71
23 	libxul.so 	nsHttpChannel::OnStopRequest 	netwerk/protocol/http/nsHttpChannel.cpp:4030
24 	libxul.so 	nsInputStreamPump::OnStateStop 	netwerk/base/src/nsInputStreamPump.cpp:578
25 	libxul.so 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:403
26 	libxul.so 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:112
27 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:626
28 	libxul.so 	NS_ProcessNextEvent_P 	nsThreadUtils.cpp:250
29 	libxul.so 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:134
30 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:219
31 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:202
32 	libxul.so 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:192
33 	libxul.so 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:191
34 	libxul.so 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3691
35 	libxul.so 	GeckoStart 	toolkit/xre/nsAndroidStartup.cpp:131
36 	libc.so 	libc.so@0x1103f 	
37 	libc.so 	libc.so@0x10b23 	

More reports at:
http://crash-stats.mozilla.com/report/list?product=Fennec&version=Fennec%3A4.0b3pre&platform=linux&query_search=signature&query_type=exact&query=&range_value=4&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=js%3A%3Amjit%3A%3AJaegerShot

Comment 1

[Scoobidiver (away)]

In Fennec 4.0b3, it happens on ARM v7 and it is #10 top crasher for the last week.
Stack traces are different from the ones in comment 0.

Signature	js::mjit::JaegerShot
UUID	9bef9430-0f49-4f48-861b-dbac22110102
Time 	2011-01-02 13:08:20.3470
Uptime	0
Install Age	431109 seconds (5.0 days) since version was first installed.
Product	Fennec
Version	4.0b3
Build ID	20101221205132
Branch	1.9
OS	Linux
OS Version	0.0.0 Linux 2.6.32.15-ge2c73db #1 PREEMPT Thu Sep 9 00:42:30 CST 2010 armv7l
CPU	arm
Crash Reason	SIGILL
Crash Address	0x42e84f00

Frame 	Module 	Signature [Expand] 	Source
0 		@0x42e84f00 	
1 	libxul.so 	js::mjit::JaegerShot 	js/src/jsinterp.h:576
2 	libxul.so 	js::Execute 	js/src/jsinterp.cpp:654
3 	libxul.so 	JS_EvaluateUCScriptForPrincipals 	js/src/jsapi.cpp:4940
4 	libxul.so 	JS_EvaluateUCScriptForPrincipalsVersion 	js/src/jsapi.cpp:140
5 	libxul.so 	nsJSContext::EvaluateString 	dom/base/nsJSEnvironment.cpp:1731
6 	libxul.so 	nsGlobalWindow::RunTimeout 	nsTSubstring.h:113
7 	libxul.so 	nsGlobalWindow::TimerCallback 	dom/base/nsGlobalWindow.cpp:9314
8 	libxul.so 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:426
9 	libxul.so 	nsTimerEvent::Run 	nsAutoPtr.h:969
10 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:626
11 	libxul.so 	NS_ProcessNextEvent_P 	nsThreadUtils.cpp:250
12 	libxul.so 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:111
13 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:230
14 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:220
15 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:512
16 	libxul.so 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:198
17 	libxul.so 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp:631
18 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:222
19 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:220
20 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:512
21 	libxul.so 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp:510
22 	libmozutils.so 	ChildProcessInit 	other-licenses/android/APKOpen.cpp:691
23 	plugin-container 	main 	ipc/app/MozillaRuntimeMainAndroid.cpp:69
24 	libc.so 	libc.so@0xd432

Comment 2

[Naoki Hirata :nhirata (please use needinfo instead of cc)]

occurred once when going to : http://www.ipligence.com/geolocation
through a google link.  Cannot seem to reproduce with just going to the website.

Note: error in console:
error: strings is null
Source File: resource://gre/modules/CrashSubmit.jsm line:180

http://crash-stats.mozilla.com/report/index/bp-93cc8dae-9400-45d7-9bc6-1fc522110120

(another crash occurred at the same time, however it was throttled: 
4913d004-7026-bf2a-383b3a64-4ee4364a)

0 		@0x4496733a 	
1 	libxul.so 	js::mjit::JaegerShot 	js/src/jscntxt.h:2893
2 	libxul.so 	js::Invoke 	js/src/jsinterp.cpp:654
3 	libxul.so 	js::ExternalInvoke 	js/src/jsinterp.cpp:858
4 	libxul.so 	JS_CallFunctionValue 	js/src/jsinterp.h:961
5 	libxul.so 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1702
6 	libxul.so 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:589
7 	libxul.so 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_arm.cpp:134
8 	libxul.so 	libxul.so@0x96693c 	
9 	libxul.so 	nsEventListenerManager::HandleEventSubType 	content/events/src/nsEventListenerManager.cpp:1114
10 		@0x4406c0df 	
11 	libxul.so 	nsEventListenerManager::HandleEventInternal 	content/events/src/nsEventListenerManager.cpp:1209
12 	libxul.so 	nsEventTargetChainItem::HandleEvent 	content/events/src/nsEventListenerManager.h:146
13 	libxul.so 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventDispatcher.cpp:343
14 	libxul.so 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:630
15 	libxul.so 	PostMessageEvent::Run 	nsCOMPtr.h:492
16 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:633
17 	libxul.so 	NS_ProcessNextEvent_P 	nsThreadUtils.cpp:250
18 	libxul.so 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:111
19 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:230
20 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:220
21 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:512
22 	libxul.so 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:198
23 	libxul.so 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp:640
24 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:222
25 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:220
26 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:512
27 	libxul.so 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp:519
28 	libmozutils.so 	ChildProcessInit 	other-licenses/android/APKOpen.cpp:761
29 	plugin-container 	main 	ipc/app/MozillaRuntimeMainAndroid.cpp:69
30 	libc.so 	libc.so@0xd412

Comment 3

[Stuart Parmenter]

Am able to reproduce by going to wiki.mozilla.org/WeeklyUpdates on my phone and clicking around

Comment 4

[Kevin Brosnan]

I crashed on wiki.mozilla.org as well.

Comment 6

[Aaron Train [:aaronmt]]

Crashed on vBulletin forums. Example, any of the threads in [H]ard|Forum
http://www.hardforum.com/forumdisplay.php?s=1ad304e2ce90cd08e188089e2fc83e8c&f=3

Comment 7

[Tony Chung [:tchung]]

(In reply to comment #4)
> I crashed on wiki.mozilla.org as well.

ditto on wikimo testing.

http://crash-stats.mozilla.com/report/index/bp-f6b5f745-2de8-4443-973f-b8e632110128

Comment 8

[Tony Chung [:tchung]]

(In reply to comment #7)
> (In reply to comment #4)
> > I crashed on wiki.mozilla.org as well.
> 
> ditto on wikimo testing.
> 
> http://crash-stats.mozilla.com/report/index/bp-f6b5f745-2de8-4443-973f-b8e632110128

more specifically, crashed on https://wiki.mozilla.org/Mobile/Notes

Comment 9

[Scoobidiver (away)]

Now #2 top crasher in Fennec 4.0b4.
Both stack traces in comment 0 and in comment 1 show up in crash reports.

Comment 10

[Alex Pakhotin (:alexp)]

When I try to open wiki.mozilla.org I'm getting the assertion with exactly the same stack as in the bug 626361. Not sure if it's the same issue as the original reported one, but could be the cause of the problem.

Assertion failure: (inst & mask) == expected, at /media/data/mozilla/mozilla-central/js/src/methodjit/ICChecker.h:56

Stack:
#0  0xafd0ec9c in kill () from /media/data/mozilla/debug/lib/libc.so
#1  0xafd13746 in raise () from /media/data/mozilla/debug/lib/libc.so
#2  0x82ee8c28 in JS_Assert (s=0x834217f8 "(inst & mask) == expected", 
    file=0x83421814 "/media/data/mozilla/mozilla-central/js/src/methodjit/ICChecker.h", ln=56) at /media/data/mozilla/mozilla-central/js/src/jsutil.cpp:90
#3  0x82fa5f1e in js::mjit::ic::Repatcher::relink(JSC::CodeLocationCall, JSC::FunctionPtr) ()
   from /media/data/mozilla/mozilla-central/objdir/dist/bin/libxul.so
#4  0x82fa689c in EqualityCompiler::update() () from /media/data/mozilla/mozilla-central/objdir/dist/bin/libxul.so
#5  0x82fa4bc8 in js::mjit::ic::Equality (f=..., ic=0x6) at /media/data/mozilla/mozilla-central/js/src/methodjit/MonoIC.cpp:392
#6  0x82f6ff8e in JaegerStubVeneer () from /media/data/mozilla/mozilla-central/objdir/dist/bin/libxul.so

Comment 11

[David Mandelin [:dmandelin]]

Neither cdleary nor I have been able to reproduce this by clicking around wiki.mozilla.org. Maybe there is a more detailed procedure?

But also, those crashes may have been mostly bug 626361. So maybe we should recheck on builds/betas that have those patches.

Comment 12

[Jacob Bramley [:jbramley]]

If it's not 626361, it's something like it. Hmm. I thought I'd reviewed all the ICs and checked that they did the RESERVE_IC_SPACE stuff properly. I clearly missed (at least) the equality stub in 626361.

Comment 13

[Stuart Parmenter]

This looks like it was fixed by 626361

Comment 14

[Naoki Hirata :nhirata (please use needinfo instead of cc)]

Reopening because the crash reports show that in recent builds, this crash signature is still occurring:
https://crash-stats.mozilla.com/report/list?range_value=7&range_unit=days&date=2011-06-20%2012%3A00%3A00&signature=libc-2.5.so%400x2a548&version=Fennec%3A5.0

Comment 15

[Jacob Bramley [:jbramley]]

Isn't that a different crash?

Comment 16

[Naoki Hirata :nhirata (please use needinfo instead of cc)]

Sorry, accidentally placed in the wrong sig:
https://crash-stats.mozilla.com/report/list?range_value=7&range_unit=days&date=2011-06-21%2007%3A00%3A00&signature=js%3A%3Amjit%3A%3AJaegerShot&version=Fennec%3A5.0

Comment 17

[Naoki Hirata :nhirata (please use needinfo instead of cc)]

dup of {{Bug|670603}} - Crash at js::mjit::JaegerShot in Yahoo mail?

Comment 18

[Naoki Hirata :nhirata (please use needinfo instead of cc)]

Occurs in nightly
https://crash-stats.mozilla.com/report/index/df6cd4a4-1bb2-46b5-b664-18a842110806

Comment 19

[Naoki Hirata :nhirata (please use needinfo instead of cc)]

This seems to have died down a lot.  Waiting to see if it dies off completely:
https://crash-stats.mozilla.com/report/list?product=FennecAndroid&query_search=signature&query_type=contains&query=js%3A%3Amjit%3A%3AJaegerShot&reason_type=contains&date=02%2F09%2F2012%2010%3A21%3A53&range_value=30&range_unit=days&hang_type=any&process_type=any&do_query=1&admin=1&signature=js%3A%3Amjit%3A%3AJaegerShot

Comment 20

[Naoki Hirata :nhirata (please use needinfo instead of cc)]

Still occurring:

https://crash-stats.mozilla.com/query/query?product=FennecAndroid&version=ALL%3AALL&range_value=30&range_unit=days&date=02%2F28%2F2012+18%3A47%3A07&query_search=signature&query_type=contains&query=js%3A%3Amjit%3A%3AJaegerShot&reason=&build_id=&process_type=any&hang_type=any&do_query=1

Comment 21

[Kevin Brosnan [Ex-Mozilla]]

We don't have this code any more.