Closed Bug 654126 (Opened 14 years ago, Closed 14 years ago)
Segmentation fault [@ js_BooleanIntToString ]. js_BooleanIntToString (methodjit, x86_64)
Categories: MailNews Core :: Database, defect
Tracking: Not tracked
Status: RESOLVED FIXED
Target Milestone: Thunderbird 5.0b1
People: Reporter: protz, Assigned: protz
Details: Keywords: crash
Crash Data
Attachments (7 files, 1 obsolete file)
- 9.33 KB, text/plain
- 1.10 KB, application/x-gzip
- 4.11 KB, application/x-gzip
- 4.09 KB, application/x-gzip
- 7.45 KB, application/x-gzip
- 408.13 KB, application/x-xpinstall
- 506 bytes, patch (jcranmer: review+; standard8: approval-thunderbird5.0b1+)
So I started noticing something suspicious when my debug statement told me that I had a = true, b = true and c = true, and also c = a && !b. Moving debug statements around now gives me a reliable crash. Disabling the methodjit makes the problem go away.
Here's a full backtrace. I'll try to reproduce this with a debug build (this is a symbol + opt build) and post the results, probably tomorrow (CEST).
protzenk@sauternes:~/C/comm-central $ hg log | head -n1
changeset: 7664:e30e000dd47c
protzenk@sauternes:~/C/c/mozilla $ hg log | head -n1
changeset: 68875:79157d41d7bc
This is triggered by chrome code using let-bindings in a Thunderbird extension. This is the function that exhibited the funny boolean behavior:
https://github.com/protz/GMail-Conversation-View/blob/master/modules/monkeypatch.js#L164
That's pretty much all I can tell :-).
Assignee | Comment 1•14 years ago
Assignee | Comment 2•14 years ago
Assignee | Comment 3•14 years ago
Assignee | Comment 4•14 years ago
Program received signal SIGINT, Interrupt.
0x00007f22a0808dd8 in ScanObject (this=<value optimized out>)
at /home/jonathan/Sources/comm-central/mozilla/js/src/jsgcmark.cpp:537
537 if (obj->isNewborn())
(gdb) bt full
#0 0x00007f22a0808dd8 in ScanObject (this=<value optimized out>)
at /home/jonathan/Sources/comm-central/mozilla/js/src/jsgcmark.cpp:537
clasp = 0x50c
#1 js::GCMarker::drainMarkStack (this=<value optimized out>)
at /home/jonathan/Sources/comm-central/mozilla/js/src/jsgcmark.cpp:711
No locals.
Cannot access memory at address 0x7fff02b60c58
I'm also getting errors in the GC, but this time with methodjit disabled; I don't know if this is related...
Assignee | Comment 5•14 years ago
Thanks. Unfortunately, I'm not really seeing anything useful pop out of these stack traces. I think we'll have to reproduce this to know what's going on. Could you give more detailed steps to reproduce?
I'm guessing I'll have to install Thunderbird along with the GMail-Conversation-View extension. Which version of the extension should I use? And is there any consistent way to trigger the crash?
Assignee | Comment 7•14 years ago
Ok, here's the (pretty involved, sorry) debug procedure.
- On x86_64, build Thunderbird 3.4 (comm-central + mozilla-central). The bug still seems to be there in recent revisions, but to be on the safe side, I'd recommend using the set of revisions which are known to fail.
- Run Thunderbird, install Thunderbird Conversations from Tools > Addons. Restart Thunderbird.
- You are prompted with the setup assistant. Click "Apply Changes".
- You're now facing your Inbox. Click on a collapsed thread and, using the keyboard and the Right arrow / Left arrow keys, repeatedly expand / collapse that thread. Proceed that way, possibly moving to other threads with the keyboard, until you segfault.
- You can tell that things have gone awry if the thread is collapsed and the message that is expanded in the conversation is the first one, not the last one as it should be.
Please let me know if you manage to reproduce this... if you can't reproduce, I might be able to open a gdbserver on my machine and let you poke around at things.
Assignee | Comment 8•14 years ago
https://crash-stats.mozilla.com/report/index/8a04f11c-bd8b-4540-934d-aef6d2110511
Also crashed on Thunderbird 3.3a4 which is built on top of mozilla-aurora.
Comment 9•14 years ago
Indeed, I seem to be running into random crashes lately as well. My only correlation is that I have upgraded 10.5.8 -> 10.6.7. protz gave me the URL to this bug and it seems my last crash report has the same signature:
https://crash-stats.mozilla.com/report/index/bp-c7601a74-7753-4a5d-8636-a47b42110517
The comments tab should have links to my other crashes as well. Miramar 3.3a3 behaved rock stable on Leopard. It is also behaving very stable on the 32-bit Linux laptop I'm running.
Assignee | Comment 10•14 years ago
https://crash-stats.mozilla.com/report/index/5050b202-fb38-483c-82f8-2c1c42110517
https://crash-stats.mozilla.com/report/index/d663d862-c036-492f-88f1-e4de92110517
https://crash-stats.mozilla.com/report/index/578e06e0-1fdc-40b9-9b79-3de8c2110517
All of these crashed within 10 seconds of Thunderbird startup.
Comment 11•14 years ago
Is something you're doing in GCV manifesting this issue, or would a completely clean Miramar also crash with it?
Assignee | Comment 12•14 years ago
So :mrbkap found the bug. All the extensive details are in bug 658351, and here's a patch that should fix it. I think we should do a more thorough review of mailnews code for this class of errors, but I'm afraid we don't have automated analysis tools for that.
Assignee: general → jonathan.protzenko
Status: NEW → ASSIGNED
Attachment #533747 - Flags: review?(dbienvenu)
Updated•14 years ago
OS: Linux → All
Summary: Segmentation fault. js_BooleanIntToString (methodjit, x86_64) → Segmentation fault [@ js_BooleanIntToString ]. js_BooleanIntToString (methodjit, x86_64)
Assignee | Comment 13•14 years ago
Attachment #533747 - Attachment is obsolete: true
Attachment #533747 - Flags: review?(dbienvenu)
Attachment #533754 - Flags: review?(Pidgeot18)
Updated•14 years ago
Attachment #533754 - Flags: review?(Pidgeot18) → review+
Assignee | Comment 14•14 years ago
Component: JavaScript Engine → Database
Product: Core → MailNews Core
QA Contact: general → database
Target Milestone: --- → Thunderbird 3.3a4
Assignee | Updated•14 years ago
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Assignee | Updated•14 years ago
Target Milestone: Thunderbird 3.3a4 → Thunderbird 3.4
Assignee | Comment 15•14 years ago
Comment on attachment 533754 [details] [diff] [review]
Conformance with the Style Guide
We should definitely land this on 3.3 as it's crashing Miramar pretty badly.
Attachment #533754 - Flags: approval-thunderbird3.3?
Updated•14 years ago
Attachment #533754 - Flags: approval-thunderbird3.3? → approval-thunderbird3.3+
Assignee | Comment 16•14 years ago
Target Milestone: Thunderbird 3.4 → Thunderbird 3.3a4
Updated•14 years ago
Crash Signature: [@ js_BooleanIntToString ]