Firefox 9.0a1 Crash [@ js::types::TypeSet::getKnownTypeTag(JSContext*) ]

RESOLVED INCOMPLETE

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED INCOMPLETE
Reported: 6 years ago
Last modified: 3 years ago

People

(Reporter: marcia, Assigned: bhackett)

Tracking

(Depends on: 1 bug, Blocks: 1 bug, {crash})

Version: Trunk
Hardware: x86
OS: Windows 7
Keywords: crash
Points: ---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [TI-regression], crash signature, URL)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
Crashes started showing up using the 2011083000 build. Fairly low-volume trunk crash only so far. https://crash-stats.mozilla.com/report/list?signature=js::types::TypeSet::getKnownTypeTag%28JSContext*%29 links to the crashes, which are all Windows.

Possible pushlog regression range:

http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=33031c875984&tochange=e6591ea9b27b - Related to Type Inference landing? Adding Brian Hackett just in case.


https://crash-stats.mozilla.com/report/index/8cfc93af-606c-49eb-af0f-154d72110830

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::types::TypeSet::getKnownTypeTag 	js/src/jsinfer.cpp:1443
1 	mozjs.dll 	js::mjit::Compiler::knownPushedType 	js/src/methodjit/Compiler.cpp:7036
2 	mozjs.dll 	js::mjit::Compiler::generateMethod 	js/src/methodjit/Compiler.cpp:1962
3 	mozjs.dll 	js::mjit::Compiler::performCompilation 	js/src/methodjit/Compiler.cpp:513
4 	mozjs.dll 	js::mjit::Compiler::compile 	js/src/methodjit/Compiler.cpp:162
5 	mozjs.dll 	js::mjit::TryCompile 	js/src/methodjit/Compiler.cpp:620
6 	mozjs.dll 	js::mjit::CanMethodJIT 	js/src/methodjit/MethodJIT-inl.h:79
7 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:4233
8 	mozjs.dll 	js::types::TypeScript::SetThis 	js/src/jsinferinlines.h:615
9 	mozjs.dll 	js::ExecuteKernel 	js/src/jsinterp.cpp:941
10 	mozjs.dll 	js::Execute 	js/src/jsinterp.cpp:977
11 	mozjs.dll 	EvaluateUCScriptForPrincipalsCommon 	js/src/jsapi.cpp:4933
12 	mozjs.dll 	JS_EvaluateUCScriptForPrincipalsVersion 	js/src/jsapi.cpp:4945
13 	xul.dll 	nsJSContext::EvaluateString 	dom/base/nsJSEnvironment.cpp:1465
14 	xul.dll 	nsScriptLoader::EvaluateScript 	content/base/src/nsScriptLoader.cpp:906
15 	xul.dll 	nsScriptLoader::ProcessRequest 	content/base/src/nsScriptLoader.cpp:799
16 	xul.dll 	nsScriptLoader::ProcessPendingRequests 	
17 	xul.dll 	nsScriptLoader::OnStreamComplete 	content/base/src/nsScriptLoader.cpp:1183
18 	xul.dll 	nsStreamLoader::OnStopRequest 	netwerk/base/src/nsStreamLoader.cpp:125
19 	xul.dll 	nsHTTPCompressConv::OnStopRequest 	netwerk/streamconv/converters/nsHTTPCompressConv.cpp:127
20 	xul.dll 	nsHttpChannel::OnStopRequest 	netwerk/protocol/http/nsHttpChannel.cpp:4212
21 	xul.dll 	nsInputStreamPump::OnStateStop 	netwerk/base/src/nsInputStreamPump.cpp:578
22 	xul.dll 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:403
23 	xul.dll 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:114
24 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:631
25 	nspr4.dll 	_MD_CURRENT_THREAD 	nsprpub/pr/src/md/windows/w95thred.c:308
26 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:134
27 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:201
28 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:175
29 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:189
30 	xul.dll 	xul.dll@0xbba973 	
31 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:224
32 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3551
33 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:107
34 	firefox.exe 	firefox.exe@0x4033 	
35 	firefox.exe 	__tmainCRTStartup 	crtexe.c:594
36 	firefox.exe 	_SEH_epilog4 	
37 	kernel32.dll 	BaseProcessStart 	
38 	kernel32.dll 	GetCodePageFileInfo 	
39 	kernel32.dll 	BaseProcessStart 	
40 	firefox.exe 	pre_c_init 	crtexe.c:304
(Assignee)

Comment 1

6 years ago
This is definitely a TI landing regression; the crash is in new code added by TI.
Blocks: 619415
(Reporter)

Comment 2

6 years ago
Adding related signature -> [@ js::types::TypeSet::addType(JSContext*, js::types::Type) ]. Comments mention crashing when accessing Hotmail calendar.
Crash Signature: [@ js::types::TypeSet::getKnownTypeTag(JSContext*) ] → [@ js::types::TypeSet::getKnownTypeTag(JSContext*) ] [@ js::types::TypeSet::addType(JSContext*, js::types::Type) ]
js::ctypes is, confusingly, not at all related to js::types. Switching components. ;-)
Assignee: nobody → general
Component: js-ctypes → JavaScript Engine
QA Contact: js-ctypes → general
Duplicate of this bug: 683324

Updated

6 years ago
Assignee: general → bhackett1024
(Reporter)

Updated

6 years ago
Whiteboard: [TI-regression]
(Assignee)

Comment 5

6 years ago
Created attachment 557380 [details] [diff] [review]
possible patch

This bug and several other TI-related crashes are NULL dereferences when accessing information which we had just asked TI to compute.  The only way I can see this happening is if the script is associated with a cleared global, which inference will refuse to analyze (to prevent reentrancy crashes related to reinstantiation of the standard classes) but will pretend it has.
Attachment #557380 - Flags: review?(dvander)
Attachment #557380 - Flags: review?(dvander) → review+
(Assignee)

Comment 6

6 years ago
http://hg.mozilla.org/mozilla-central/rev/d772dfb96ba1
(Reporter)

Comment 7

6 years ago
Adding Mac and Linux specific signature.
Crash Signature: [@ js::types::TypeSet::getKnownTypeTag(JSContext*) ] [@ js::types::TypeSet::addType(JSContext*, js::types::Type) ] → [@ js::types::TypeSet::getKnownTypeTag(JSContext*) ] [@ js::types::TypeSet::addType(JSContext*, js::types::Type) ] [@ js::types::TypeSet::getKnownTypeTag ]
(Reporter)

Comment 8

6 years ago
[@ js::types::TypeSet::getKnownTypeTag(JSContext*) ] has no crashes since the 20110831030834 build on the trunk so that signature has gone away.

[@ js::types::TypeSet::addType(JSContext*, js::types::Type) ] has one crash using the 20110904030822 build so that signature has not gone away.

[@ js::types::TypeSet::getKnownTypeTag ] has one crash using the 20110901040207 build but the fix may have not made it in to that build.

Comment 9

6 years ago
[js::types::TypeSet::addType(JSContext*, js::types::Type)] has about 156 crashes on the trunk in the past week. The last build id I see is 20110917030857.

[@ js::types::TypeSet::getKnownTypeTag ] No crashes in builds after 20110831030834.
(Assignee)

Comment 10

6 years ago
All but three of the js::types::TypeSet::addType crashes were in the 9/17 build, which had a merge from the JM branch which was subsequently backed out.  The cause for this crash, and several other crashes that spiked on 9/17, was either bug 685358 or bug 683804.  JM merged to m-c again last night, but without patches for either of these two bugs.

Comment 11

6 years ago
Is Bug 688971 related?

Comment 12

6 years ago
Have a user from the support forums on 10.0a2 hitting this signature.

bp-1ea4f7ac-cd17-4096-91fa-173952111206

https://support.mozilla.com/en-US/questions/902378

Comment 13

6 years ago
This seems to be rising in 9.0.1. Sitting at #23. I am going to add the top crash keyword.
Keywords: topcrash

Comment 14

6 years ago
Can we get someone to look at this? It's moved up further on the 9.0.1 list in the last day.
(Assignee)

Comment 15

6 years ago
I don't know about the js::types::TypeSet::getKnownTypeTag signature, which wasn't on the first page of the 9.0.1 crashes, but I looked at the several crashes in js::types::HashSetLookup (#19) and js::types::TypeSet::addType (#23).  All of the crashes had RapportTanzan9.dll on the stack calling JSAPI methods directly, which is the behavior identified as causing bug 700176.  Entering JS without entering the right compartment is liable to screw up all sorts of JS stuff, especially type information.
Blocks: 700176
(Assignee)

Updated

6 years ago
Depends on: 715693

Updated

5 years ago
Duplicate of this bug: 794949

Updated

5 years ago
Duplicate of this bug: 794953

Comment 18

5 years ago
It's a low volume crash in 17.0 and above: https://crash-stats.mozilla.com/report/list?signature=js%3A%3Atypes%3A%3ATypeSet%3A%3AaddType%28JSContext*%2C+js%3A%3Atypes%3A%3AType%29
Keywords: topcrash
The interpreter doesn't do type monitoring anymore.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Resolution: FIXED → INCOMPLETE