Closed
Bug 645881
Opened 13 years ago
Closed 6 years ago
Firefox 4.0 Crash [@ js::detail::HashTable<js::Shape* const, js::HashSet<js::Shape*, js::ShapeHasher, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::lookup(js::Shape const* const&, unsigned int, unsigned int) ]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: marcia, Unassigned)
References
Details
(Keywords: crash, Whiteboard: [rare], ShutDownKill)
Crash Data
Attachments
(1 file)
10.85 KB,
text/plain
|
Details |
Seen while reviewing top changers in 4.0. http://tinyurl.com/4rbh38m to the crash reports which are all Windows. Comments: "Testing code that creates a new form on the current page and then POSTs it to another location" "Crashed accepting game requests on facebook NEW---ALWAYS SEEMS TO HAPPEN on Farmville/Frontierville game requests!" https://crash-stats.mozilla.com/report/index/4e38df56-0f13-4d3e-adf9-af9072110324 Frame Module Signature [Expand] Source 0 mozjs.dll js::detail::HashTable<js::Shape* const,js::HashSet<js::Shape*,js::ShapeHasher,js::SystemAllocPolicy>::SetOps,js::SystemAllocPolicy>::lookup js/src/jshashtable.h:406 1 mozjs.dll js::PropertyTree::getChild js/src/jspropertytree.cpp:225 2 mozjs.dll js::Shape::getChild js/src/jsscope.cpp:512 3 mozjs.dll js::Bindings::add js/src/jsscript.cpp:159 4 mozjs.dll js_XDRScript js/src/jsscript.cpp:462 5 mozjs.dll js_CloneScript js/src/jsscript.cpp:2001 6 mozjs.dll js_CloneFunctionObject js/src/jsfun.cpp:2807 7 mozjs.dll JS_CloneFunctionObject js/src/jsapi.cpp:4301 8 xul.dll nsXBLProtoImplAnonymousMethod::Execute content/xbl/src/nsXBLProtoImplMethod.cpp:319 9 xul.dll nsXBLBinding::ExecuteAttachedHandler content/xbl/src/nsXBLBinding.cpp:980 10 xul.dll nsBindingManager::ProcessAttachedQueue content/xbl/src/nsBindingManager.cpp:1019 11 xul.dll PresShell::InitialReflow layout/base/nsPresShell.cpp:2741 12 xul.dll nsContentSink::StartLayout content/base/src/nsContentSink.cpp:1241 13 xul.dll nsHtml5TreeOpExecutor::StartLayout parser/html/nsHtml5TreeOpExecutor.cpp:668 14 xul.dll nsHtml5TreeOperation::Perform parser/html/nsHtml5TreeOperation.cpp:708 15 xul.dll nsHtml5TreeOpExecutor::RunFlushLoop parser/html/nsHtml5TreeOpExecutor.cpp:509 16 xul.dll nsHtml5ExecutorReflusher::Run parser/html/nsHtml5StreamParser.cpp:153 17 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:633 18 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:110 19 xul.dll xul.dll@0xb367c7 20 xul.dll MessageLoop::RunInternal ipc/chromium/src/base/message_loop.cc:219 21 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:202 22 mozcrt19.dll _VEC_memzero 23 xul.dll xul.dll@0x35d7cd 24 firefox.exe firefox.exe@0x1bb7 25 ntdll.dll WinSqmSetIfMaxDWORD 26 ntdll.dll _RtlUserThreadStart 27 firefox.exe firefox.exe@0x186f 28 firefox.exe firefox.exe@0x186f
Comment 1•13 years ago
|
||
Luke, any idea what's going on here? Seems to be crashing in hash table lookup with a variety of sigs.
Comment 2•13 years ago
|
||
The two main crash addresses: http://hg.mozilla.org/releases/mozilla-2.0/annotate/6be9e31d01b4/js/src/jshashtable.h#l406 http://hg.mozilla.org/releases/mozilla-2.0/annotate/6be9e31d01b4/js/src/jshashtable.h#l402 are basically where you'd crash if you had a corrupted hash table. There is a highly disproportionate number of crashes under js::Bindings::add either while parsing or XDR decoding. Maybe Waldo has an idea?
(In reply to comment #2) > ... There is a > highly disproportionate number of crashes under js::Bindings::add either while > parsing or XDR decoding. Maybe Waldo has an idea? In that case, it's quite possible that this is a dupe of bug 637304.
Reporter | ||
Comment 4•13 years ago
|
||
While no overall correlation data shows for this bug, 1 or 2 individual reports I looked at had kikin_4_0.dll. So Bill assessment in Comment 3 could very well be correct.
Comment 5•13 years ago
|
||
the stacks are varied. here is a sample distribution of 25 stacks under this signature. should we spin off other bugs?
Assignee | ||
Updated•13 years ago
|
Crash Signature: [@ js::detail::HashTable<js::Shape* const, js::HashSet<js::Shape*, js::ShapeHasher, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::lookup(js::Shape const* const&, unsigned int, unsigned int) ]
Comment 6•12 years ago
|
||
(In reply to Bill McCloskey (:billm) from comment #3) > (In reply to comment #2) > > ... There is a > > highly disproportionate number of crashes under js::Bindings::add either while > > parsing or XDR decoding. Maybe Waldo has an idea? > > In that case, it's quite possible that this is a dupe of bug 637304. The signatures listed in bug 637304 are gone after version 4, so I'd say this bug addresses the signatures for more recent releases. But the crashes are relatively rare https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=js%3A%3Adetail%3A%3AHashTable%26lt%3Bjs%3A%3AShape*%20const%2C%20js%3A%3AHashSet%26lt%3Bjs%3A%3AShape*%2C%20js%3A%3AShapeHasher%2C%20js%3A%3ASystemAllocPolicy%26gt%3B%3A%3ASetOps%2C%20js%3A%3ASystemAllocPolicy%26gt%3B%3A%3Alookup%28js%3A%3AShape%20const*%20const%26amp%3B%2C%20unsigned%20int%2C%20unsigned%20int%29&reason_type=contains&date=12%2F17%2F2012%2014%3A25%3A35&range_value=4&range_unit=weeks&hang_type=any&process_type=all&do_query=1&admin=1&signature=js%3A%3Adetail%3A%3AHashTable%3Cjs%3A%3AShape*%20const%2C%20js%3A%3AHashSet%3Cjs%3A%3AShape*%2C%20js%3A%3AShapeHasher%2C%20js%3A%3ASystemAllocPolicy%3E%3A%3ASetOps%2C%20js%3A%3ASystemAllocPolicy%3E%3A%3Alookup%28js%3A%3AShape%20const*%20const%26%2C%20unsigned%20int%2C%20unsigned%20int%29 Some, like bp-9b3e0bd3-a88e-4d48-b7eb-9452c2121213, involve about:sessionstore
Depends on: 637304
Whiteboard: [rare]
Assignee | ||
Updated•10 years ago
|
Assignee: general → nobody
Updated•9 years ago
|
Crash Signature: [@ js::detail::HashTable<js::Shape* const, js::HashSet<js::Shape*, js::ShapeHasher, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::lookup(js::Shape const* const&, unsigned int, unsigned int) ] → [@ js::detail::HashTable<js::Shape* const, js::HashSet<js::Shape*, js::ShapeHasher, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::lookup(js::Shape const* const&, unsigned int, unsigned int) ]
[@ js::detail::HashTable<T>::lookup ]
Comment 7•9 years ago
|
||
Guess that bug 999434 is a dup of this one... but I let anyway both open.
Blocks: shutdownkill
Updated•9 years ago
|
Whiteboard: [rare] → [rare], ShutDownKill
From the crash signature (js::detail::HashTable<T>::lookup), the affected versions are: - Aurora: 46 - Beta: 44.0b1, 45.0b1, 45.0b2, 44.0b7, 44.0b9, 44.0b99
No longer blocks: shutdownkill
Comment 9•6 years ago
|
||
Only 3 crash in past month all android.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•