Segmentation fault [@ js_BooleanIntToString ]. js_BooleanIntToString (methodjit, x86_64)

RESOLVED FIXED in Thunderbird 5.0b1

Status

Type: defect
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 8 years ago
Last modified: 8 years ago

People

(Reporter: protz, Assigned: protz)

Tracking

Keywords: crash
Version: Trunk
Target Milestone: Thunderbird 5.0b1
Platform: x86_64
OS: All

Firefox Tracking Flags

(Not tracked)


Attachments

(7 attachments, 1 obsolete attachment)

Description

8 years ago
Posted file Full backtrace
So I started noticing something suspicious when my debug statement told me that I had a = true, b = true and c = true, and also c = a && !b. Moving debug statements around now gives me a reliable crash. Disabling the methodjit makes the problem go away.

Here's a full backtrace. I'll try to reproduce this with a debug build (this is a symbol + opt build) and post the results, probably tomorrow (CEST).

protzenk@sauternes:~/C/comm-central $ hg log | head -n1
changeset:   7664:e30e000dd47c
protzenk@sauternes:~/C/c/mozilla $ hg log | head -n1
changeset:   68875:79157d41d7bc

This is triggered by chrome code using let-bindings in a Thunderbird extension. This is the function that exhibited the funny boolean behavior:

https://github.com/protz/GMail-Conversation-View/blob/master/modules/monkeypatch.js#L164

That's pretty much all I can tell :-).
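As an added illustration (not code from this bug, from the attached patch, or from SpiderMonkey): the crash site js_BooleanIntToString takes a boolean's integer payload and, by its name, maps it to a string. The model below assumes that mapping is a two-entry table lookup, so any "boolean" whose payload is not 0 or 1 reads past the table, and it shows how two truthiness tests that both look correct can disagree on such a value, which is the shape of the a = true, b = true, c = a && !b observation above. The malformed_bool() producer is a hypothetical source (a 32-bit slot with only its low byte written), not what bug 658351 found; every name and value in it is constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two-entry table indexed by the boolean's integer payload.  The name
 * js_BooleanIntToString suggests this shape; the table here is a stand-in,
 * not SpiderMonkey's. */
static const char *const BOOL_NAMES[2] = { "false", "true" };

/* Modelled on the crashing lookup: correct only for payload 0 or 1. */
const char *bool_to_string_unchecked(int32_t b)
{
    return BOOL_NAMES[b];   /* out-of-bounds read for any other payload */
}

/* Hardened lookup: refuse anything that is not a canonical boolean so the
 * caller sees a bug (NULL) instead of a segfault. */
const char *bool_to_string_checked(int32_t b)
{
    if (b != 0 && b != 1)
        return NULL;
    return BOOL_NAMES[b];
}

/* Two truthiness tests that agree on 0 and 1 and disagree on everything
 * else.  A fast path checking "!= 0" and a path checking "== 1" both look
 * right in isolation; a malformed payload makes them diverge. */
int truthy_nonzero(int32_t b)   { return b != 0; }
int truthy_canonical(int32_t b) { return b == 1; }

/* Reporter's observation in miniature: a and b both print as true (nonzero
 * test), yet c = a && !b is also true when "!" goes through the canonical
 * test.  Returns 1 when the three values are mutually inconsistent. */
int reproduces_inconsistency(int32_t a, int32_t b)
{
    int not_b = !truthy_canonical(b);          /* 1 when b is malformed */
    int c = truthy_nonzero(a) && not_b;
    return truthy_nonzero(a) && truthy_nonzero(b) && c;
}

/* Hypothetical source of a malformed boolean: a 32-bit slot where only the
 * low byte was written and the other three bytes kept stale contents.  This
 * is an assumption for illustration; the page does not say what bug 658351
 * actually found. */
int32_t malformed_bool(uint8_t low_byte, uint32_t stale_word)
{
    return (int32_t)((stale_word & 0xFFFFFF00u) | low_byte);
}

int main(void)
{
    int32_t good = 1;
    int32_t bad  = malformed_bool(1, 0x00000500u);   /* payload 0x501 */
    const char *bad_name = bool_to_string_checked(bad);

    printf("good: %s, inconsistent=%d\n", bool_to_string_checked(good),
           reproduces_inconsistency(good, good));
    printf("bad:  %s (payload 0x%x), inconsistent=%d\n",
           bad_name ? bad_name : "<not a boolean>", (unsigned)bad,
           reproduces_inconsistency(good, bad));
    /* bool_to_string_unchecked(bad) would read BOOL_NAMES[0x501]: the crash. */
    return 0;
}
```

The checked lookup is the practitioner's defensive form: a boolean arriving from native code is validated before it is used as an index, so a producer that breaks the 0/1 invariant is caught at the boundary rather than turned into an out-of-bounds read in the JIT fast path.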
Comment 3

8 years ago
Posted file Valgrind log
Comment 4

8 years ago
Program received signal SIGINT, Interrupt.
0x00007f22a0808dd8 in ScanObject (this=<value optimized out>)
    at /home/jonathan/Sources/comm-central/mozilla/js/src/jsgcmark.cpp:537
537	    if (obj->isNewborn())
(gdb) bt full
#0  0x00007f22a0808dd8 in ScanObject (this=<value optimized out>)
    at /home/jonathan/Sources/comm-central/mozilla/js/src/jsgcmark.cpp:537
        clasp = 0x50c
#1  js::GCMarker::drainMarkStack (this=<value optimized out>)
    at /home/jonathan/Sources/comm-central/mozilla/js/src/jsgcmark.cpp:711
No locals.
Cannot access memory at address 0x7fff02b60c58

I'm also getting errors in the GC, but this time with methodjit disabled, don't know if this is related...

Thanks. Unfortunately, I'm not really seeing anything useful pop out of these stack traces. I think we'll have to reproduce this to know what's going on. Could you give more detailed steps to reproduce?

I'm guessing I'll have to install Thunderbird along with the GMail-Conversation-View extension. Which version of the extension should I use? And is there any consistent way to trigger the crash?
Comment 7

8 years ago
Ok, here's the (pretty involved, sorry) debug procedure.
- On x86_64, build Thunderbird 3.4 (comm-central + mozilla-central). The bug still seems to be there in recent revisions, but to be on the safe side, I'd recommend using the set of revisions which are known to fail.
- Run Thunderbird, install Thunderbird Conversations from Tools > Addons. Restart Thunderbird.
- You are prompted with the setup assistant. Click "Apply Changes".
- You're now facing your Inbox. Click on a collapsed thread and, using the keyboard and the Right arrow / Left arrow keys, repeatedly expand / collapse that thread. Proceed that way, possibly moving to other threads with the keyboard, until you segfault.
- You can tell that things have gone awry if the thread is collapsed and the message that is expanded in the conversation is the first one, not the last one as it should be.

Please let me know if you manage to reproduce this... if you can't reproduce, I might be able to open a gdbserver on my machine and let you poke around at things.
Comment 8

8 years ago
https://crash-stats.mozilla.com/report/index/8a04f11c-bd8b-4540-934d-aef6d2110511

Also crashed on Thunderbird 3.3a4 which is built on top of mozilla-aurora.

Indeed, I seem to be running into random crashes lately as well. My only correlation is that I have upgraded 10.5.8 -> 10.6.7. protz gave me the URL to this bug and it seems my last crash report has the same signature:

https://crash-stats.mozilla.com/report/index/bp-c7601a74-7753-4a5d-8636-a47b42110517

Comments tab should have links to my other crashes as well. Miramar 3.3a3 behaved rock stable on Leopard. It is also behaving very stable on the 32-bit Linux laptop I'm running.

Is something you're doing in GCV manifesting this issue or would a completely clean Miramar also crash with it?
Comment 12

8 years ago
Posted patch Fix the issue (obsolete)
So :mrbkap found the bug. All the extensive details are in bug 658351, and here's a patch that should fix it. I think we should do a more thorough review of mailnews code for this class of errors, but I'm afraid we don't have automated analysis tools for that.
Assignee: general → jonathan.protzenko
Status: NEW → ASSIGNED
Attachment #533747 - Flags: review?(dbienvenu)

Updated

8 years ago
Severity: normal → critical
Keywords: crash

Updated

8 years ago
OS: Linux → All
Summary: Segmentation fault. js_BooleanIntToString (methodjit, x86_64) → Segmentation fault [@ js_BooleanIntToString ]. js_BooleanIntToString (methodjit, x86_64)
Comment 13

8 years ago
Attachment #533747 - Attachment is obsolete: true
Attachment #533747 - Flags: review?(dbienvenu)
Attachment #533754 - Flags: review?(Pidgeot18)
Attachment #533754 - Flags: review?(Pidgeot18) → review+
Comment 14

8 years ago
http://hg.mozilla.org/comm-central/rev/184b63b572e1
Component: JavaScript Engine → Database
Product: Core → MailNews Core
QA Contact: general → database
Target Milestone: --- → Thunderbird 3.3a4
Updated

8 years ago
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Updated

8 years ago
Target Milestone: Thunderbird 3.3a4 → Thunderbird 3.4
Comment 15

8 years ago
Comment on attachment 533754
Conformance with the Style Guide

We should definitely land this on 3.3 as it's crashing Miramar pretty badly.
Attachment #533754 - Flags: approval-thunderbird3.3?
Attachment #533754 - Flags: approval-thunderbird3.3? → approval-thunderbird3.3+
Comment 16

8 years ago
http://hg.mozilla.org/releases/comm-miramar/rev/60fad03d78a5
Target Milestone: Thunderbird 3.4 → Thunderbird 3.3a4
Crash Signature: [@ js_BooleanIntToString ]