Closed
Bug 657418
Opened 13 years ago
Closed 13 years ago
Firefox Crash [@ nsJSPrincipalsSubsume ]
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
People
(Reporter: marcia, Unassigned)
References
Details
(Keywords: crash, regression)
Crash Data
Attachments
(1 file)
1.92 KB,
patch
|
mrbkap
:
review+
asa
:
approval-mozilla-aurora+
asa
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
Seen while reviewing trunk new crashes, but spans 3.6.x and 4.0.x as well. https://crash-stats.mozilla.com/report/list?signature=nsJSPrincipalsSubsume to the crashes across all versions. Crashes on the trunk started showing using the 2011051300 build. Possible pushlog regression range: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2a0fbd6eedbd&tochange=ad1fa68dcaf5 https://crash-stats.mozilla.com/report/index/09c84d00-7caf-4ac8-944a-314522110514 Frame Module Signature [Expand] Source 0 xul.dll nsJSPrincipalsSubsume caps/src/nsJSPrincipals.cpp:73 1 mozjs.dll EvalKernel 2 mozjs.dll js::PropertyCache::fill js/src/jspropertycache.cpp:154 3 mozjs.dll js::Interpret js/src/jsinterp.cpp:4673 4 @0x0
Comment 1•13 years ago
|
||
Line 154 in jspropertycache.cpp there is: if (!pobj->generic() && shape->hasDefaultGetter() && pobj->containsSlot(shape->slot)) { which means that frames 0 and 1 are bogus-ish (as in, we jumped into lala-land in fill()).
Comment 2•13 years ago
|
||
Hmm, of those report I looked into from https://crash-stats.mozilla.com/report/list?signature=nsJSPrincipalsSubsume there seem to be a number of different stacks that lead to a crash in nsJSPrincipalsSubsume. The 3.6 and 4 ones are very different, but the ones from 6.0a1 for Windows have the top frames from comment #0 mostly (with js::PropertyCache::fill in there), but most from Mac and Linux as well as bp-b2394f9b-40a3-4402-ae5b-832f42110516 have those top frames (Mac and Linux are missing the one being #3 here but all have #0, #1, #2 the same, the #4 here is #3 for the others, I also found cases of #2 "missing"): 0 xul.dll nsJSPrincipalsSubsume caps/src/nsJSPrincipals.cpp:73 1 mozjs.dll EvalKernel 2 mozjs.dll js::DirectEval js/src/jsobj.cpp:1303 3 mozjs.dll js::Interpret js/src/jsinterp.cpp:4673 4 mozjs.dll js::Interpret js/src/jsinterp.cpp:4580 Here a Mac example from bp-7a0aa18d-6f43-4a13-a531-e4bc72110515 0 XUL nsJSPrincipalsSubsume caps/src/nsJSPrincipals.cpp:73 1 XUL EvalKernel js/src/jsobj.cpp:990 2 XUL js::DirectEval js/src/jsobj.cpp:1303 3 XUL js::Interpret js/src/jsinterp.cpp:4580 And a Linux one from bp-e53f9a90-0886-465a-a47d-a183e2110515 0 libxul.so nsJSPrincipalsSubsume caps/src/nsJSPrincipals.cpp:73 1 libxul.so EvalKernel js/src/jsobj.cpp:995 2 libxul.so js::DirectEval js/src/jsobj.cpp:1303 3 libxul.so js::Interpret js/src/jsinterp.cpp:4580 All are coming from EvalKernel to nsJSPrincipalsSubsume, all are going through the same line in js::Interpret before, but the way there seems different. See the linked list for more examples. We had zero crashes with that signature for a week on 6 until this came up on 2011-05-14 with ~30 crashes daily since then. All those seem to be on startup, so due to retries there are a number of those marked as "duplicates".
Comment 3•13 years ago
|
||
The first nightly I can consistently reproduce this in is 05-13 from the Tracemonkey branch (5ff15fe83e16). I saw a crash once testing 05-12 nightly, but didn't get a signature and can't reproduce it. As quite a lot of my users are reporting this, I can probably provide a method to reproduce it consistently.
Comment 4•13 years ago
|
||
To reproduce this crash with a nighly build simply use the example extension attached to bug 644856 (attachment 521690 [details]).
Keywords: regression,
regressionwindow-wanted
Updated•13 years ago
|
Crash Signature: [@ nsJSPrincipalsSubsume ]
Comment 5•13 years ago
|
||
It is #3 top crasher in 6.0 and happens almost exclusively at startup. Maybe related to incompatible add-ons.
tracking-firefox6:
--- → ?
Comment 6•13 years ago
|
||
I don't think it's an issue with incompatible add-ons. In my case, it happens when evalInSandbox is called while a JSM is loading. I suspect it's only becoming more common in 6.0 because more people are using it with a wider variety of add-ons now that it's in beta.
Comment 7•13 years ago
|
||
Crashes are at 0x18 on 32-bit and 0x30 64-bit. In both cases, this is offsetof(nsJPrincipals, nsIPrincipalPtr) so I think this is simply null 'jsprin'. The only way to call 'subsume' from EvalKernel is through EvalCacheLookup, so hopefully this is just a simple fix.
Comment 8•13 years ago
|
||
(Ideally, we'd just do bug 668558, but this is beta, so quickfix/safe for now.)
Attachment #545194 -
Flags: review?(mrbkap)
Comment 9•13 years ago
|
||
For some reason this signature has risen in FF6 but appeared in FF5. We are going to track this with the assumption we will approve the null check for beta. We can verify the crashes go down.
Updated•13 years ago
|
Attachment #545194 -
Flags: review?(mrbkap) → review+
Updated•13 years ago
|
Attachment #545194 -
Flags: approval-mozilla-beta?
Attachment #545194 -
Flags: approval-mozilla-aurora?
Updated•13 years ago
|
Attachment #545194 -
Flags: approval-mozilla-beta?
Attachment #545194 -
Flags: approval-mozilla-beta+
Attachment #545194 -
Flags: approval-mozilla-aurora?
Attachment #545194 -
Flags: approval-mozilla-aurora+
Comment 10•13 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/d6fa77966e7c http://hg.mozilla.org/releases/mozilla-aurora/rev/32b68884f5c5 http://hg.mozilla.org/releases/mozilla-beta/rev/3615026f5272
status-firefox6:
--- → fixed
Comment 11•13 years ago
|
||
The latest crashes on 7.0a2 (resp. 8.0a1) were with the build ID 20110712042004 (resp. 20110712030758), so it's verified that it's fixed.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated•13 years ago
|
Status: RESOLVED → VERIFIED
Comment 12•13 years ago
|
||
I think this caused a massive, presumably shell-only regression on ss-date-format-tofte (visible on the awfy-regress page on TI, as the TM branch doesn't have this cset yet). The principals are (I think?) always NULL in the shell, so we never use the eval cache when eval'ing the same scripts several hundred times. Is there a way to modify the tests so that shell performance reflects browser performance better?
Comment 13•13 years ago
|
||
Ah, thanks. File bug 672283.
See Also: → https://launchpad.net/bugs/810074
Updated•9 years ago
|
Keywords: regressionwindow-wanted
You need to log in
before you can comment on or make changes to this bug.
Description
•