crash js::StackIter::settleOnNewState

RESOLVED FIXED in Firefox 7

Status

()

Core
JavaScript Engine
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: luke, Assigned: luke)

Tracking

unspecified
mozilla8
Points:
---

Firefox Tracking Flags

(firefox7 fixed)

Details

(Whiteboard: [inbound][qa-], crash signature)

Attachments

(2 attachments)

(Assignee)

Description

6 years ago
StackIter::settleOnNewState is showing up in crash-stats for FF7 and up.  The total number is low, but its #28 for FF7.0a2.  The crash happens at part of settleOnNewState that is sensitive to outside code breaking stack invariants.  I'd like to land some telemetry patches to get more details about how its crashing and release-build-assert some stronger invariants that will hopefully turn up a reproducible test-case.
(Assignee)

Comment 1

6 years ago
Created attachment 550130 [details] [diff] [review]
telemetry patch

Here's the first patch.  Pushing to try first; maybe we'll get lucky.
(Assignee)

Comment 2

6 years ago
Comment on attachment 550130 [details] [diff] [review]
telemetry patch

No luck; try's clean.
Attachment #550130 - Flags: review?(wmccloskey)
Attachment #550130 - Flags: review?(wmccloskey) → review+
(Assignee)

Comment 3

6 years ago
Landed telemetry patch:
http://hg.mozilla.org/integration/mozilla-inbound/rev/b0e4ea1084d1
http://hg.mozilla.org/mozilla-central/rev/b0e4ea1084d1
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8
Comment on attachment 550130 [details] [diff] [review]
telemetry patch

>+        JS_ASSERT(false && "About to dereference invalid slot");

Is && really what you mean?
(Assignee)

Comment 6

6 years ago
(In reply to comment #5)
> Is && really what you mean?

It is.
(Assignee)

Updated

6 years ago
Crash Signature: [@ js::StackIter::settleOnNewState()] → [@ js::StackIter::settleOnNewState()] [@ CrashIfInvalidSlot ]
(Assignee)

Updated

6 years ago
Duplicate of this bug: 676571
(Assignee)

Comment 8

6 years ago
Reopening since the patch was telemetry.

So far, it looks like all of the crashes have moved (as of buildid 20110804030732) from StackIter::settleOnNewState to CrashIfInvalidSlot.  I'll try examining a dump on windows.
(Assignee)

Comment 9

6 years ago
Created attachment 550878 [details] [diff] [review]
fix and a test

Looking at the OS X crash stacks (the only ones with more than one frame), all the stacks include an error that calls a debugger throw hook than then later throws an exception.

Looking at the crash dumps, the bad 'vp' is pointing into the stack frame.  This could happen if sp_ was too low.  One way sp_ could be too low is if the intepreter popped sp but did not advance the pc.  This is only checked at JSOP_CALL, so I looked there and found one such instance that crashes in CrashIfInvalidSlot.  This patch fixes the bug and hopefully will fix this crash.
Attachment #550878 - Flags: review?(dvander)
Comment on attachment 550878 [details] [diff] [review]
fix and a test

Review of attachment 550878 [details] [diff] [review]:
-----------------------------------------------------------------

nice test case!
Attachment #550878 - Flags: review?(dvander) → review+
(Assignee)

Updated

6 years ago
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Assignee)

Comment 11

6 years ago
http://hg.mozilla.org/integration/mozilla-inbound/rev/6181622382cf
Whiteboard: [inbound]
http://hg.mozilla.org/mozilla-central/rev/6181622382cf
Status: REOPENED → RESOLVED
Last Resolved: 6 years ago6 years ago
Resolution: --- → FIXED
(Assignee)

Comment 13

6 years ago
Looks like that fixes it.  CrashInvalidSlot was hitting >50 times a day, getting to #12 on crash stats.  With the patch, it seems to have disappeared.
(Assignee)

Comment 14

6 years ago
Comment on attachment 550878 [details] [diff] [review]
fix and a test

Simple patch, should decrease random crashiness for Firebug users, requesting approval for 7.
Attachment #550878 - Attachment description: a bug fix, maybe the bug fix → fix and a test
Attachment #550878 - Flags: approval-mozilla-aurora?
Comment on attachment 550878 [details] [diff] [review]
fix and a test

Land it this week please, so that it makes it before migration
Attachment #550878 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(Assignee)

Comment 16

6 years ago
http://hg.mozilla.org/releases/mozilla-aurora/rev/800e20b4890f
(Assignee)

Updated

6 years ago
status-firefox7: --- → fixed
qa- as no QA fix verification needed
Whiteboard: [inbound] → [inbound][qa-]

Comment 18

6 years ago
Still crashing in FF7.0.1: https://crash-stats.mozilla.com/report/index/815c5157-fe01-449d-896e-898222111028
You need to log in before you can comment on or make changes to this bug.