Spike in crashes [@ js::StackSpace::pushSegmentForInvoke(JSContext*, unsigned int, js::InvokeArgsGuard*) ][@ js::StackSpace::pushSegmentForInvoke ]

RESOLVED DUPLICATE of bug 632358

Status

()

--
critical
RESOLVED DUPLICATE of bug 632358
8 years ago
7 years ago

People

(Reporter: scoobidiver, Assigned: luke)

Tracking

({crash, regression})

Trunk
x86
All
crash, regression
Points:
---

Firefox Tracking Flags

(blocking2.0 final+)

Details

(Whiteboard: [fixed-in-tracemonkey][hardblocker], crash signature)

(Reporter)

Description

8 years ago
It is a residual crash signature but there is a spike from 4.0b12pre/20110212.
It is #4 top crasher in this build.

Signature	js::StackSpace::pushSegmentForInvoke(JSContext*, unsigned int, js::InvokeArgsGuard*)
UUID	916bc182-3c78-42d2-8ee1-5484a2110212
Time 	2011-02-12 16:13:52.757668
Uptime	2315
Install Age	8812 seconds (2.4 hours) since version was first installed.
Product	Firefox
Version	4.0b12pre
Build ID	20110212030346
Branch	2.0
OS	Windows NT
OS Version	6.1.7600
CPU	x86
CPU Info	AuthenticAMD family 15 model 107 stepping 2
Crash Reason	EXCEPTION_ACCESS_VIOLATION_WRITE
Crash Address	0x8
App Notes 	AdapterVendorID: 1002, AdapterDeviceID: 954f, AdapterDriverVersion: 8.801.0.0

Frame 	Module 	Signature [Expand] 	Source
0 	mozjs.dll 	js::StackSpace::pushSegmentForInvoke 	js/src/jscntxt.cpp:269
1 	mozjs.dll 	js::ExternalInvoke 	js/src/jsinterp.cpp:821
2 	mozjs.dll 	js_TryMethod 	js/src/jsobj.cpp:6344
3 	mozjs.dll 	js::DefaultValue 	js/src/jsobj.cpp:5961
4 	mozjs.dll 	js_ValueToString 	js/src/jsstr.cpp:3676
5 	mozjs.dll 	js_ReportUncaughtException 	js/src/jsexn.cpp:1235
6 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5153
7 	xul.dll 	nsJSContext::CallEventHandler 	dom/base/nsJSEnvironment.cpp:2008
8 	xul.dll 	nsGlobalWindow::RunTimeout 	dom/base/nsGlobalWindow.cpp:9113
9 	xul.dll 	nsGlobalWindow::TimerCallback 	dom/base/nsGlobalWindow.cpp:9458
10 	xul.dll 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:425
11 	xul.dll 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:517
12 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:633
13 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:134
14 	xul.dll 	xul.dll@0xb28beb 	
15 	xul.dll 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:219
16 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:202
17 	mozcrt19.dll 	_VEC_memzero 	
18 	xul.dll 	xul.dll@0x3575cd 	
19 	firefox.exe 	firefox.exe@0x1bb7 	
20 	ntdll.dll 	WinSqmSetIfMaxDWORD 	
21 	ntdll.dll 	_RtlUserThreadStart 	
22 	firefox.exe 	firefox.exe@0x186f 	
23 	firefox.exe 	firefox.exe@0x186f 	

The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1ed3464aaa92&tochange=9698ac3f1c61

More reports at:
https://crash-stats.mozilla.com/report/list?product=Firefox&range_value=4&range_unit=weeks&signature=js%3A%3AStackSpace%3A%3ApushSegmentForInvoke%28JSContext*%2C%20unsigned%20int%2C%20js%3A%3AInvokeArgsGuard*%29
(Assignee)

Comment 1

8 years ago
The crashes seem to have the pattern:
 - called under js_ReportUncaughtException
 - only a dummy frame on the stack

They all crash at:

  http://hg.mozilla.org/mozilla-central/annotate/9698ac3f1c61/js/src/jscntxt.cpp#l269

The crash address (0x8) matches with offsetof(InvokeArgsGuard, cx), but it seems unlikely that this would be the actual crash: 'ag' is clearly passed a non-null ptr by its caller.  So task 1 is to investigate the mini-dump asm and see if the crash is actually setting ag->cx or, e.g., initializing 'seg->previousInMemory' (which is also at offset 0x8).

Another question is: is this really a Windows-only crash or is that just an artifact of low sample size.  Also, all but 1 (which may be a fluke) crashes have a bunch of extensions installed; I'm not sure if this is normal.

As for the regression range, on possibility http://hg.mozilla.org/mozilla-central/rev/02be97f9ef0d, which gave nsXPCWrappedJSClass::CallMethod a JSAutoEnterCompartment (which pushes a dummy frame).

I'll try to run this build with a bunch of the listed addons installed.  I think I can also inject some exceptions into CallMethod from the debugger.
Assignee: general → lw
(Assignee)

Comment 2

8 years ago
Judging from the stack in bug 633803, this may be fixed by bug 632358, which is currently fixed-in-tracemonkey.
(Reporter)

Updated

8 years ago
Depends on: 632358
(Reporter)

Updated

8 years ago
OS: Windows 7 → All
Summary: Spike in crashes [@ js::StackSpace::pushSegmentForInvoke(JSContext*, unsigned int, js::InvokeArgsGuard*) ] → Spike in crashes [@ js::StackSpace::pushSegmentForInvoke(JSContext*, unsigned int, js::InvokeArgsGuard*) ][@ js::StackSpace::pushSegmentForInvoke ]
(Assignee)

Comment 3

8 years ago
Woohoo, a crash comment gave STR that allows me to repro on a OSX10.6 nightly:
  "1.use greasemonkey+fit image 3.1 script 2.press history log icon on firefox toolbar ,then firefox crashed."

(Had to add the History icon using "Customize" and toggle it a few times.)
Is it fixed-in-tracemonkey by bug 632358?
(Assignee)

Comment 5

8 years ago
Attempting to test as you speak...
(Assignee)

Comment 6

8 years ago
Sweet, it indeed looks to be fixed-in-tracemonkey; I get an assert on debug m-c and no assert/crash on debug tm.
blocking2.0: ? → final+
Whiteboard: [fixed-in-tracemonkey][hardblocker]
(Assignee)

Updated

8 years ago
Status: NEW → RESOLVED
Last Resolved: 8 years ago
No longer depends on: 632358
Resolution: --- → DUPLICATE
Duplicate of bug: 632358
(Assignee)

Comment 8

8 years ago
As a confirmation, the crashes stopped at buildid 20110214.
Crash Signature: [@ js::StackSpace::pushSegmentForInvoke(JSContext*, unsigned int, js::InvokeArgsGuard*) ] [@ js::StackSpace::pushSegmentForInvoke ]
You need to log in before you can comment on or make changes to this bug.