Closed Bug 654126 Opened 10 years ago Closed 10 years ago

Segmentation fault [@ js_BooleanIntToString ]. js_BooleanIntToString (methodjit, x86_64)

Categories

(MailNews Core :: Database, defect)

Hardware: x86_64
OS: All
Type: defect
Priority: Not set
Severity: critical

Tracking

(Not tracked)

Status: RESOLVED FIXED
Target Milestone: Thunderbird 5.0b1

People

(Reporter: protz, Assigned: protz)

Details

(Keywords: crash)

Crash Data

Attachments

(7 files, 1 obsolete file)

Attached file Full backtrace
So I started noticing something suspicious when my debug statement told me that I had a = true, b = true and c = true, and also c = a && !b. Moving debug statements around now gives me a reliable crash. Disabling the methodjit makes the problem go away.

Here's a full backtrace. I'll try to reproduce this with a debug build (this is a symbol + opt build) and post the results, probably tomorrow (CEST).

protzenk@sauternes:~/C/comm-central $ hg log | head -n1
changeset:   7664:e30e000dd47c
protzenk@sauternes:~/C/c/mozilla $ hg log | head -n1
changeset:   68875:79157d41d7bc

This is triggered by chrome code using let-bindings in a Thunderbird extension. This is the function that exhibited the funny boolean behavior:

https://github.com/protz/GMail-Conversation-View/blob/master/modules/monkeypatch.js#L164

That's pretty much all I can tell :-).
Attached file Valgrind log
Program received signal SIGINT, Interrupt.
0x00007f22a0808dd8 in ScanObject (this=<value optimized out>)
    at /home/jonathan/Sources/comm-central/mozilla/js/src/jsgcmark.cpp:537
537	    if (obj->isNewborn())
(gdb) bt full
#0  0x00007f22a0808dd8 in ScanObject (this=<value optimized out>)
    at /home/jonathan/Sources/comm-central/mozilla/js/src/jsgcmark.cpp:537
        clasp = 0x50c
#1  js::GCMarker::drainMarkStack (this=<value optimized out>)
    at /home/jonathan/Sources/comm-central/mozilla/js/src/jsgcmark.cpp:711
No locals.
Cannot access memory at address 0x7fff02b60c58

I'm also getting errors in the GC, but this time with methodjit disabled; I don't know if this is related...
Thanks. Unfortunately, I'm not really seeing anything useful pop out of these stack traces. I think we'll have to reproduce this to know what's going on. Could you give more detailed steps to reproduce?

I'm guessing I'll have to install Thunderbird along with the GMail-Conversation-View extension. Which version of the extension should I use? And is there any consistent way to trigger the crash?
Ok, here's the (pretty involved, sorry) debug procedure.
- On x86_64, build Thunderbird 3.4 (comm-central + mozilla-central). The bug still seems to be there in recent revisions, but to be on the safe side, I'd recommend using the set of revisions which are known to fail.
- Run Thunderbird, install Thunderbird Conversations from Tools > Addons. Restart Thunderbird.
- You are prompted with the setup assistant. Click "Apply Changes".
- You're now facing your Inbox. Click on a collapsed thread and, using the keyboard and the Right arrow / Left arrow keys, repeatedly expand / collapse that thread. Proceed that way, possibly moving to other threads with the keyboard, until you segfault.
- You can tell that things have gone awry if the thread is collapsed and the message that is expanded in the conversation is the first one, not the last one as it should be.

Please let me know if you manage to reproduce this... if you can't reproduce, I might be able to open a gdbserver on my machine and let you poke around at things.
https://crash-stats.mozilla.com/report/index/8a04f11c-bd8b-4540-934d-aef6d2110511

Also crashed on Thunderbird 3.3a4 which is built on top of mozilla-aurora.
Indeed, I seem to be running into random crashes lately as well. My only correlation is that I have upgraded 10.5.8 -> 10.6.7. protz gave me the URL to this bug and it seems my last crash report has the same signature:

https://crash-stats.mozilla.com/report/index/bp-c7601a74-7753-4a5d-8636-a47b42110517

The comments tab should have links to my other crashes as well. Miramar 3.3a3 behaved rock stable on Leopard. It is also behaving very stable on the 32-bit Linux laptop I'm running.
Is something you're doing in GCV manifesting this issue, or would a completely clean Miramar also crash with it?
Attached patch Fix the issue (obsolete) — Splinter Review
So :mrbkap found the bug. All the extensive details are in bug 658351, and here's a patch that should fix it. I think we should do a more thorough review of mailnews code for this class of errors, but I'm afraid we don't have automated analysis tools for that.
Assignee: general → jonathan.protzenko
Status: NEW → ASSIGNED
Attachment #533747 - Flags: review?(dbienvenu)
Severity: normal → critical
Keywords: crash
OS: Linux → All
Summary: Segmentation fault. js_BooleanIntToString (methodjit, x86_64) → Segmentation fault [@ js_BooleanIntToString ]. js_BooleanIntToString (methodjit, x86_64)
Attachment #533747 - Attachment is obsolete: true
Attachment #533747 - Flags: review?(dbienvenu)
Attachment #533754 - Flags: review?(Pidgeot18)
Attachment #533754 - Flags: review?(Pidgeot18) → review+
http://hg.mozilla.org/comm-central/rev/184b63b572e1
Component: JavaScript Engine → Database
Product: Core → MailNews Core
QA Contact: general → database
Target Milestone: --- → Thunderbird 3.3a4
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: Thunderbird 3.3a4 → Thunderbird 3.4
Comment on attachment 533754 [details] [diff] [review]
Conformance with the Style Guide

We should definitely land this on 3.3 as it's crashing Miramar pretty badly.
Attachment #533754 - Flags: approval-thunderbird3.3?
Attachment #533754 - Flags: approval-thunderbird3.3? → approval-thunderbird3.3+
http://hg.mozilla.org/releases/comm-miramar/rev/60fad03d78a5
Target Milestone: Thunderbird 3.4 → Thunderbird 3.3a4
Crash Signature: [@ js_BooleanIntToString ]