645881 - Firefox 4.0 Crash [@ js::detail::HashTable<js::Shape* const, js::HashSet<js::Shape*, js::ShapeHasher, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::lookup(js::Shape const* const&, unsigned int, unsigned int) ]

Status: RESOLVED WORKSFORME

(Core :: JavaScript Engine, defect)

Description

[Marcia Knous [:marcia]]

Seen while reviewing top changers in 4.0. http://tinyurl.com/4rbh38m to the crash reports which are all Windows.

Comments:

"Testing code that creates a new form on the current page and then POSTs it to another location"

"Crashed accepting game requests on facebook NEW---ALWAYS SEEMS TO HAPPEN on Farmville/Frontierville game requests!"

https://crash-stats.mozilla.com/report/index/4e38df56-0f13-4d3e-adf9-af9072110324

Frame 	Module 	Signature [Expand] 	Source
0 	mozjs.dll 	js::detail::HashTable<js::Shape* const,js::HashSet<js::Shape*,js::ShapeHasher,js::SystemAllocPolicy>::SetOps,js::SystemAllocPolicy>::lookup 	js/src/jshashtable.h:406
1 	mozjs.dll 	js::PropertyTree::getChild 	js/src/jspropertytree.cpp:225
2 	mozjs.dll 	js::Shape::getChild 	js/src/jsscope.cpp:512
3 	mozjs.dll 	js::Bindings::add 	js/src/jsscript.cpp:159
4 	mozjs.dll 	js_XDRScript 	js/src/jsscript.cpp:462
5 	mozjs.dll 	js_CloneScript 	js/src/jsscript.cpp:2001
6 	mozjs.dll 	js_CloneFunctionObject 	js/src/jsfun.cpp:2807
7 	mozjs.dll 	JS_CloneFunctionObject 	js/src/jsapi.cpp:4301
8 	xul.dll 	nsXBLProtoImplAnonymousMethod::Execute 	content/xbl/src/nsXBLProtoImplMethod.cpp:319
9 	xul.dll 	nsXBLBinding::ExecuteAttachedHandler 	content/xbl/src/nsXBLBinding.cpp:980
10 	xul.dll 	nsBindingManager::ProcessAttachedQueue 	content/xbl/src/nsBindingManager.cpp:1019
11 	xul.dll 	PresShell::InitialReflow 	layout/base/nsPresShell.cpp:2741
12 	xul.dll 	nsContentSink::StartLayout 	content/base/src/nsContentSink.cpp:1241
13 	xul.dll 	nsHtml5TreeOpExecutor::StartLayout 	parser/html/nsHtml5TreeOpExecutor.cpp:668
14 	xul.dll 	nsHtml5TreeOperation::Perform 	parser/html/nsHtml5TreeOperation.cpp:708
15 	xul.dll 	nsHtml5TreeOpExecutor::RunFlushLoop 	parser/html/nsHtml5TreeOpExecutor.cpp:509
16 	xul.dll 	nsHtml5ExecutorReflusher::Run 	parser/html/nsHtml5StreamParser.cpp:153
17 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:633
18 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
19 	xul.dll 	xul.dll@0xb367c7 	
20 	xul.dll 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:219
21 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:202
22 	mozcrt19.dll 	_VEC_memzero 	
23 	xul.dll 	xul.dll@0x35d7cd 	
24 	firefox.exe 	firefox.exe@0x1bb7 	
25 	ntdll.dll 	WinSqmSetIfMaxDWORD 	
26 	ntdll.dll 	_RtlUserThreadStart 	
27 	firefox.exe 	firefox.exe@0x186f 	
28 	firefox.exe 	firefox.exe@0x186f

Comment 1

[David Mandelin [:dmandelin]]

Luke, any idea what's going on here? Seems to be crashing in hash table lookup with a variety of sigs.

Comment 2

[Luke Wagner [:luke]]

The two main crash addresses:
  http://hg.mozilla.org/releases/mozilla-2.0/annotate/6be9e31d01b4/js/src/jshashtable.h#l406
http://hg.mozilla.org/releases/mozilla-2.0/annotate/6be9e31d01b4/js/src/jshashtable.h#l402

are basically where you'd crash if you had a corrupted hash table.  There is a highly disproportionate number of crashes under js::Bindings::add either while parsing or XDR decoding.  Maybe Waldo has an idea?

Comment 3

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

(In reply to comment #2)
> ...  There is a
> highly disproportionate number of crashes under js::Bindings::add either while
> parsing or XDR decoding.  Maybe Waldo has an idea?

In that case, it's quite possible that this is a dupe of bug 637304.

Comment 4

[Marcia Knous [:marcia]]

While no overall correlation data shows for this bug, 1 or 2 individual reports I looked at had kikin_4_0.dll. So Bill assessment in Comment 3 could very well be correct.

Comment 5

[chris hofmann]

Attachment: breakdown of a sample of 25 of these stacks

the stacks are varied. here is a sample distribution of 25 stacks under this signature.  should we spin off other bugs?

Comment 6

[Wayne Mery (:wsmwk)]

(In reply to Bill McCloskey (:billm) from comment #3)
> (In reply to comment #2)
> > ...  There is a
> > highly disproportionate number of crashes under js::Bindings::add either while
> > parsing or XDR decoding.  Maybe Waldo has an idea?
> 
> In that case, it's quite possible that this is a dupe of bug 637304.

The signatures listed in bug 637304 are gone after version 4, so I'd say this bug addresses the signatures for more recent releases. But the crashes are relatively rare
https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=js%3A%3Adetail%3A%3AHashTable%26lt%3Bjs%3A%3AShape*%20const%2C%20js%3A%3AHashSet%26lt%3Bjs%3A%3AShape*%2C%20js%3A%3AShapeHasher%2C%20js%3A%3ASystemAllocPolicy%26gt%3B%3A%3ASetOps%2C%20js%3A%3ASystemAllocPolicy%26gt%3B%3A%3Alookup%28js%3A%3AShape%20const*%20const%26amp%3B%2C%20unsigned%20int%2C%20unsigned%20int%29&reason_type=contains&date=12%2F17%2F2012%2014%3A25%3A35&range_value=4&range_unit=weeks&hang_type=any&process_type=all&do_query=1&admin=1&signature=js%3A%3Adetail%3A%3AHashTable%3Cjs%3A%3AShape*%20const%2C%20js%3A%3AHashSet%3Cjs%3A%3AShape*%2C%20js%3A%3AShapeHasher%2C%20js%3A%3ASystemAllocPolicy%3E%3A%3ASetOps%2C%20js%3A%3ASystemAllocPolicy%3E%3A%3Alookup%28js%3A%3AShape%20const*%20const%26%2C%20unsigned%20int%2C%20unsigned%20int%29

Some, like bp-9b3e0bd3-a88e-4d48-b7eb-9452c2121213, involve about:sessionstore

Comment 7

[Tobias B. Besemer [:BesTo] (QA)]

Guess that bug 999434 is a dup of this one... but I let anyway both open.

Comment 8

[Karla Merza [Away. Please needinfo? Brindusa Tot[:brindusat] ]]

From the crash signature (js::detail::HashTable<T>::lookup), the affected versions are:
- Aurora: 46
- Beta: 44.0b1, 45.0b1, 45.0b2, 44.0b7, 44.0b9, 44.0b99

Comment 9

[Wayne Mery (:wsmwk)]

Only 3 crash in past month all android.