Closed Bug 633802 Opened 14 years ago Closed 14 years ago

Spike in crashes [@ js::StackSpace::pushSegmentForInvoke(JSContext*, unsigned int, js::InvokeArgsGuard*) ][@ js::StackSpace::pushSegmentForInvoke ]

Product/Component: Core :: JavaScript Engine
Type: defect
Platform: x86
OS: All
Priority: Not set
Severity: critical
Status: RESOLVED DUPLICATE of bug 632358
Tracking: blocking2.0 --- final+
Reporter: scoobidiver; Assignee: luke
Keywords: crash, regression
Whiteboard: [fixed-in-tracemonkey][hardblocker]

It is a residual crash signature but there is a spike from 4.0b12pre/20110212. It is #4 top crasher in this build.

Signature: js::StackSpace::pushSegmentForInvoke(JSContext*, unsigned int, js::InvokeArgsGuard*)
UUID: 916bc182-3c78-42d2-8ee1-5484a2110212
Time: 2011-02-12 16:13:52.757668
Uptime: 2315
Install Age: 8812 seconds (2.4 hours) since version was first installed.
Product: Firefox
Version: 4.0b12pre
Build ID: 20110212030346
Branch: 2.0
OS: Windows NT
OS Version: 6.1.7600
CPU: x86
CPU Info: AuthenticAMD family 15 model 107 stepping 2
Crash Reason: EXCEPTION_ACCESS_VIOLATION_WRITE
Crash Address: 0x8
App Notes: AdapterVendorID: 1002, AdapterDeviceID: 954f, AdapterDriverVersion: 8.801.0.0

Frame  Module  Signature  Source
0  mozjs.dll  js::StackSpace::pushSegmentForInvoke  js/src/jscntxt.cpp:269
1  mozjs.dll  js::ExternalInvoke  js/src/jsinterp.cpp:821
2  mozjs.dll  js_TryMethod  js/src/jsobj.cpp:6344
3  mozjs.dll  js::DefaultValue  js/src/jsobj.cpp:5961
4  mozjs.dll  js_ValueToString  js/src/jsstr.cpp:3676
5  mozjs.dll  js_ReportUncaughtException  js/src/jsexn.cpp:1235
6  mozjs.dll  JS_CallFunctionValue  js/src/jsapi.cpp:5153
7  xul.dll  nsJSContext::CallEventHandler  dom/base/nsJSEnvironment.cpp:2008
8  xul.dll  nsGlobalWindow::RunTimeout  dom/base/nsGlobalWindow.cpp:9113
9  xul.dll  nsGlobalWindow::TimerCallback  dom/base/nsGlobalWindow.cpp:9458
10  xul.dll  nsTimerImpl::Fire  xpcom/threads/nsTimerImpl.cpp:425
11  xul.dll  nsTimerEvent::Run  xpcom/threads/nsTimerImpl.cpp:517
12  xul.dll  nsThread::ProcessNextEvent  xpcom/threads/nsThread.cpp:633
13  xul.dll  mozilla::ipc::MessagePump::Run  ipc/glue/MessagePump.cpp:134
14  xul.dll  xul.dll@0xb28beb
15  xul.dll  MessageLoop::RunInternal  ipc/chromium/src/base/message_loop.cc:219
16  xul.dll  MessageLoop::RunHandler  ipc/chromium/src/base/message_loop.cc:202
17  mozcrt19.dll  _VEC_memzero
18  xul.dll  xul.dll@0x3575cd
19  firefox.exe  firefox.exe@0x1bb7
20  ntdll.dll  WinSqmSetIfMaxDWORD
21  ntdll.dll  _RtlUserThreadStart
22  firefox.exe  firefox.exe@0x186f
23  firefox.exe  firefox.exe@0x186f

The regression range for the spike is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1ed3464aaa92&tochange=9698ac3f1c61

More reports at: https://crash-stats.mozilla.com/report/list?product=Firefox&range_value=4&range_unit=weeks&signature=js%3A%3AStackSpace%3A%3ApushSegmentForInvoke%28JSContext*%2C%20unsigned%20int%2C%20js%3A%3AInvokeArgsGuard*%29
The crashes seem to have the pattern:
- called under js_ReportUncaughtException
- only a dummy frame on the stack

They all crash at: http://hg.mozilla.org/mozilla-central/annotate/9698ac3f1c61/js/src/jscntxt.cpp#l269

The crash address (0x8) matches with offsetof(InvokeArgsGuard, cx), but it seems unlikely that this would be the actual crash: 'ag' is clearly passed a non-null ptr by its caller. So task 1 is to investigate the mini-dump asm and see if the crash is actually setting ag->cx or, e.g., initializing 'seg->previousInMemory' (which is also at offset 0x8).

Another question is: is this really a Windows-only crash, or is that just an artifact of low sample size? Also, all but 1 (which may be a fluke) of the crashes have a bunch of extensions installed; I'm not sure if this is normal.

As for the regression range, one possibility is http://hg.mozilla.org/mozilla-central/rev/02be97f9ef0d, which gave nsXPCWrappedJSClass::CallMethod a JSAutoEnterCompartment (which pushes a dummy frame). I'll try to run this build with a bunch of the listed addons installed. I think I can also inject some exceptions into CallMethod from the debugger.
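The triage step in the comment above (a write fault at a small address such as 0x8 is a null base pointer plus a field offset, and more than one field can sit at that offset) as an added example. This is editor-written illustration code, not code from the bug or from SpiderMonkey: the struct layouts are hypothetical stand-ins whose only page-backed property is that 'cx' and 'previousInMemory' both land at offset 8 on 32-bit x86; the placeholder fields, the candidate table and the access kinds are assumptions. The point it shows is that an offset match narrows the suspects but does not pick between them; that still needs the minidump disassembly or the caller's argument check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Access kinds, mirroring EXCEPTION_ACCESS_VIOLATION_READ / _WRITE. */
enum { ACCESS_READ = 1, ACCESS_WRITE = 2 };

/* Hypothetical stand-in layouts (NOT SpiderMonkey's real structs): two
 * placeholder 4-byte words precede the field of interest so that, as the
 * comment above states, both offsets are 8 on 32-bit x86. uint32_t is used
 * so the offsets come out the same on any host. */
typedef struct {
    uint32_t word0;             /* placeholder */
    uint32_t word1;             /* placeholder */
    uint32_t cx;                /* JSContext* stand-in, offset 8 */
} InvokeArgsGuard32;

typedef struct {
    uint32_t word0;             /* placeholder */
    uint32_t word1;             /* placeholder */
    uint32_t previousInMemory;  /* offset 8 */
} StackSegment32;

typedef struct {
    const char *type;
    const char *field;
    size_t      offset;
    int         access;   /* how the suspect code path touches the field (assumed) */
} Candidate;

/* Candidate dereferences near the crashing line; the third row is an
 * assumed read so a read fault at offset 0 has something to match. */
static const Candidate kCandidates[] = {
    { "InvokeArgsGuard", "cx",               offsetof(InvokeArgsGuard32, cx),             ACCESS_WRITE },
    { "StackSegment",    "previousInMemory", offsetof(StackSegment32, previousInMemory), ACCESS_WRITE },
    { "StackSegment",    "word0",            offsetof(StackSegment32, word0),            ACCESS_READ  },
};
#define NUM_CANDIDATES (sizeof kCandidates / sizeof kCandidates[0])

/* Windows keeps the low 64 KiB of user address space unmapped, so a fault
 * below it is a null-based access: base pointer NULL, fault address == offset. */
#define NULL_PAGE_LIMIT ((uintptr_t)0x10000)

int is_null_based_fault(uintptr_t fault_addr) {
    return fault_addr < NULL_PAGE_LIMIT;
}

/* Writes indices into kCandidates whose offset equals the fault address and
 * whose access kind matches the exception (read vs write) into 'out';
 * returns the count. A match is necessary, not sufficient: whether that
 * base pointer can actually be NULL must still be checked against the
 * caller or the minidump asm. */
int match_null_deref(uintptr_t fault_addr, int access, int *out, int max) {
    int n = 0;
    if (!is_null_based_fault(fault_addr))
        return 0;                      /* some other class of bad pointer */
    for (size_t i = 0; i < NUM_CANDIDATES && n < max; i++) {
        const Candidate *c = &kCandidates[i];
        if (c->offset == fault_addr && (c->access & access))
            out[n++] = (int)i;
    }
    return n;
}

int main(void) {
    int idx[NUM_CANDIDATES];
    /* Constructed input mirroring the report above: write fault at 0x8. */
    int n = match_null_deref(0x8, ACCESS_WRITE, idx, (int)NUM_CANDIDATES);
    for (int i = 0; i < n; i++)
        printf("candidate: %s::%s (offset %zu)\n", kCandidates[idx[i]].type,
               kCandidates[idx[i]].field, kCandidates[idx[i]].offset);
    return 0;
}
```

For the report above the helper returns both write candidates at offset 8, which is exactly the ambiguity the comment sets out to resolve; a read fault at the same address would match neither, so recording whether the exception was a read or a write is worth doing before looking at the layouts.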
Assignee: general → lw
Judging from the stack in bug 633803, this may be fixed by bug 632358, which is currently fixed-in-tracemonkey.
Depends on: 632358
OS: Windows 7 → All
Summary: Spike in crashes [@ js::StackSpace::pushSegmentForInvoke(JSContext*, unsigned int, js::InvokeArgsGuard*) ] → Spike in crashes [@ js::StackSpace::pushSegmentForInvoke(JSContext*, unsigned int, js::InvokeArgsGuard*) ][@ js::StackSpace::pushSegmentForInvoke ]
Woohoo, a crash comment gave STR that allows me to repro on an OSX 10.6 nightly: "1. use greasemonkey + fit image 3.1 script 2. press history log icon on firefox toolbar, then firefox crashed." (Had to add the History icon using "Customize" and toggle it a few times.)
Is it fixed-in-tracemonkey by bug 632358?
Attempting to test as you speak...
Sweet, it indeed looks to be fixed-in-tracemonkey; I get an assert on debug m-c and no assert/crash on debug tm.
blocking2.0: ? → final+
Whiteboard: [fixed-in-tracemonkey][hardblocker]
Status: NEW → RESOLVED
Closed: 14 years ago
No longer depends on: 632358
Resolution: --- → DUPLICATE
As a confirmation, the crashes stopped at buildid 20110214.
Crash Signature: [@ js::StackSpace::pushSegmentForInvoke(JSContext*, unsigned int, js::InvokeArgsGuard*) ] [@ js::StackSpace::pushSegmentForInvoke ]