Closed Bug 683317 Opened 9 years ago Closed 6 years ago

Firefox 9.0a1 Crash [@ js::types::TypeSet::getKnownTypeTag(JSContext*) ]


(Core :: JavaScript Engine, defect)

Windows 7
Not set





(Reporter: marcia, Assigned: bhackett1024)


(Depends on 1 open bug, Blocks 1 open bug)


(Keywords: crash, Whiteboard: [TI-regression])

Crashes started showing up using the 2011083000 build. Fairly low volume trunk crash only so far; the crashes are all Windows.

Possible pushlog regression range: - Related to Type Inference landing? Adding Brian Hackett just in case.

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::types::TypeSet::getKnownTypeTag 	js/src/jsinfer.cpp:1443
1 	mozjs.dll 	js::mjit::Compiler::knownPushedType 	js/src/methodjit/Compiler.cpp:7036
2 	mozjs.dll 	js::mjit::Compiler::generateMethod 	js/src/methodjit/Compiler.cpp:1962
3 	mozjs.dll 	js::mjit::Compiler::performCompilation 	js/src/methodjit/Compiler.cpp:513
4 	mozjs.dll 	js::mjit::Compiler::compile 	js/src/methodjit/Compiler.cpp:162
5 	mozjs.dll 	js::mjit::TryCompile 	js/src/methodjit/Compiler.cpp:620
6 	mozjs.dll 	js::mjit::CanMethodJIT 	js/src/methodjit/MethodJIT-inl.h:79
7 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:4233
8 	mozjs.dll 	js::types::TypeScript::SetThis 	js/src/jsinferinlines.h:615
9 	mozjs.dll 	js::ExecuteKernel 	js/src/jsinterp.cpp:941
10 	mozjs.dll 	js::Execute 	js/src/jsinterp.cpp:977
11 	mozjs.dll 	EvaluateUCScriptForPrincipalsCommon 	js/src/jsapi.cpp:4933
12 	mozjs.dll 	JS_EvaluateUCScriptForPrincipalsVersion 	js/src/jsapi.cpp:4945
13 	xul.dll 	nsJSContext::EvaluateString 	dom/base/nsJSEnvironment.cpp:1465
14 	xul.dll 	nsScriptLoader::EvaluateScript 	content/base/src/nsScriptLoader.cpp:906
15 	xul.dll 	nsScriptLoader::ProcessRequest 	content/base/src/nsScriptLoader.cpp:799
16 	xul.dll 	nsScriptLoader::ProcessPendingRequests 	
17 	xul.dll 	nsScriptLoader::OnStreamComplete 	content/base/src/nsScriptLoader.cpp:1183
18 	xul.dll 	nsStreamLoader::OnStopRequest 	netwerk/base/src/nsStreamLoader.cpp:125
19 	xul.dll 	nsHTTPCompressConv::OnStopRequest 	netwerk/streamconv/converters/nsHTTPCompressConv.cpp:127
20 	xul.dll 	nsHttpChannel::OnStopRequest 	netwerk/protocol/http/nsHttpChannel.cpp:4212
21 	xul.dll 	nsInputStreamPump::OnStateStop 	netwerk/base/src/nsInputStreamPump.cpp:578
22 	xul.dll 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:403
23 	xul.dll 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:114
24 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:631
25 	nspr4.dll 	_MD_CURRENT_THREAD 	nsprpub/pr/src/md/windows/w95thred.c:308
26 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:134
27 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/
28 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/
29 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:189
30 	xul.dll 	xul.dll@0xbba973 	
31 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:224
32 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3551
33 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:107
34 	firefox.exe 	firefox.exe@0x4033 	
35 	firefox.exe 	__tmainCRTStartup 	crtexe.c:594
36 	firefox.exe 	_SEH_epilog4 	
37 	kernel32.dll 	BaseProcessStart 	
38 	kernel32.dll 	GetCodePageFileInfo 	
39 	kernel32.dll 	BaseProcessStart 	
40 	firefox.exe 	pre_c_init 	crtexe.c:304
This is definitely a TI landing regression; the crash is in new code added by TI.
Adding related signature -> [@ js::types::TypeSet::addType(JSContext*, js::types::Type) ]. Comments mention crashing when accessing Hotmail calendar.
Crash Signature: [@ js::types::TypeSet::getKnownTypeTag(JSContext*) ] → [@ js::types::TypeSet::getKnownTypeTag(JSContext*) ] [@ js::types::TypeSet::addType(JSContext*, js::types::Type) ]
js::ctypes is, confusingly, not at all related to js::types. Switching components. ;-)
Assignee: nobody → general
Component: js-ctypes → JavaScript Engine
QA Contact: js-ctypes → general
Duplicate of this bug: 683324
Assignee: general → bhackett1024
Whiteboard: [TI-regression]
Attached patch: possible patch
This bug and several other TI-related crashes are NULL dereferences when accessing information which we had just asked TI to compute.  The only way I can see this happening is if the script is associated with a cleared global, which inference will refuse to analyze (to prevent reentrancy crashes related to reinstantiation of the standard classes) but will pretend it has.
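The failure pattern described in the comment above, modelled as a small added example (not SpiderMonkey code, and not the attached patch): an analysis step that refuses to run for a script whose global has been cleared, but still marks the script as analyzed, so a later consumer that trusts that flag dereferences a table that was never filled in. The names (`Script`, `Global`, `analyze_pretend`, `analyze_honest`, `known_pushed_type`, `demo`) and the type table are constructed for the illustration; the "honest" variant shows the contract a caller can actually check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model (not SpiderMonkey's data structures): a script belongs
 * to a global object, and an analysis pass fills in a per-bytecode table of
 * type tags that a JIT-style consumer reads later. */
typedef struct { bool cleared; } Global;

typedef struct {
    Global *global;
    const int *push_types; /* type tag per bytecode; NULL until analysis runs */
    bool analyzed;         /* what the script *claims* about itself */
} Script;

enum { TYPE_UNKNOWN = -1, TYPE_INT32 = 1 };

/* Outcome codes returned by demo() so the result can be checked without
 * actually dereferencing NULL. */
enum { OUTCOME_TYPE_KNOWN = 0, OUTCOME_REFUSED = 1, OUTCOME_NULL_DEREF = 2 };

/* Constructed sample analysis result: four bytecodes, all pushing int32. */
static const int type_table[4] = { TYPE_INT32, TYPE_INT32, TYPE_INT32, TYPE_INT32 };

/* Variant A, the pattern the comment describes: refuse to analyze a script
 * whose global was cleared, but report success and set 'analyzed' anyway. */
static bool analyze_pretend(Script *s) {
    if (s->global->cleared) {
        s->analyzed = true;    /* nothing was computed, but the flag says otherwise */
        return true;
    }
    s->push_types = type_table;
    s->analyzed = true;
    return true;
}

/* Variant B: make the refusal visible. The script stays un-analyzed and the
 * caller gets 'false', so it must take a slower, non-type-specialized path. */
static bool analyze_honest(Script *s) {
    if (s->global->cleared)
        return false;
    s->push_types = type_table;
    s->analyzed = true;
    return true;
}

/* A consumer in the spirit of the JIT's knownPushedType: it trusts the
 * 'analyzed' flag and indexes the table. Here the NULL case is detected
 * and reported instead of dereferenced. */
static int known_pushed_type(const Script *s, int pc, int *outcome) {
    if (!s->analyzed) {
        *outcome = OUTCOME_REFUSED;
        return TYPE_UNKNOWN;
    }
    if (s->push_types == NULL) {  /* in the real bug this is the NULL dereference */
        *outcome = OUTCOME_NULL_DEREF;
        return TYPE_UNKNOWN;
    }
    *outcome = OUTCOME_TYPE_KNOWN;
    return s->push_types[pc];
}

/* Run one scenario: 'cleared' selects the global's state, 'honest' selects
 * the analysis variant. Returns the outcome code; *type receives the tag. */
int demo(bool cleared, bool honest, int *type) {
    Global g = { cleared };
    Script s = { &g, NULL, false };
    int outcome;
    if (honest)
        analyze_honest(&s);
    else
        analyze_pretend(&s);
    *type = known_pushed_type(&s, 0, &outcome);
    return outcome;
}

int main(void) {
    int type;
    printf("cleared global, pretend: outcome %d\n", demo(true,  false, &type));
    printf("cleared global, honest:  outcome %d\n", demo(true,  true,  &type));
    printf("live global,    pretend: outcome %d, type %d\n", demo(false, false, &type), type);
    printf("live global,    honest:  outcome %d, type %d\n", demo(false, true,  &type), type);
    return 0;
}
```

The point of the two variants is the contract between producer and consumer: once a "did we analyze this?" flag can be true while the data behind it is absent, every consumer that trusts the flag is a latent NULL dereference, and the crash surfaces far from the code that told the lie. Making the refusal explicit, or asserting that the table is non-NULL whenever the flag is set, is the check the consumer side can rely on.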
Attachment #557380 - Flags: review?(dvander)
Attachment #557380 - Flags: review?(dvander) → review+
Adding Mac and Linux specific signature.
Crash Signature: [@ js::types::TypeSet::getKnownTypeTag(JSContext*) ] [@ js::types::TypeSet::addType(JSContext*, js::types::Type) ] → [@ js::types::TypeSet::getKnownTypeTag(JSContext*) ] [@ js::types::TypeSet::addType(JSContext*, js::types::Type) ] [@ js::types::TypeSet::getKnownTypeTag ]
[@ js::types::TypeSet::getKnownTypeTag(JSContext*) ] has no crashes since the 20110831030834 build on the trunk so that signature has gone away.

[@ js::types::TypeSet::addType(JSContext*, js::types::Type) ] has one crash using the 20110904030822 build so that signature has not gone away.

[@ js::types::TypeSet::getKnownTypeTag ] has one crash using the 20110901040207 build but the fix may have not made it in to that build.
[js::types::TypeSet::addType(JSContext*, js::types::Type)] has about 156 crashes on the trunk in the past week. The last build id I see is 20110917030857.

[@ js::types::TypeSet::getKnownTypeTag ] No crashes in builds after 20110831030834.
All but three of the js::types::TypeSet::addType crashes were in the 9/17 build, which had a merge from the JM branch which was subsequently backed out.  The cause for this crash, and several other crashes that spiked on 9/17, was either bug 685358 or bug 683804.  JM merged to m-c again last night, but without patches for either of these two bugs.
Is Bug 688971 related?
Have a user from the support forums on 10.0a2 hitting this signature

This seems to be rising in 9.0.1. Sitting at #23. I am going to add the top crash keyword.
Keywords: topcrash
Can we get someone to look at this? It's moved up further on the 9.0.1 list in the last day.
I don't know about the js::types::TypeSet::getKnownTypeTag signature, which wasn't on the first page of the 9.0.1 crashes, but I looked at the several crashes in js::types::HashSetLookup (#19) and js::types::TypeSet::addType (#23).  All of the crashes had RapportTanzan9.dll on the stack calling JSAPI methods directly, which is the behavior identified as causing bug 700176.  Entering JS without entering the right compartment is liable to screw up all sorts of JS stuff, especially type information.
Blocks: 700176
Depends on: 715693
Duplicate of this bug: 794949
Duplicate of this bug: 794953
The interpreter doesn't do type monitoring anymore.
Closed: 6 years ago
Resolution: --- → FIXED