Closed Bug 683317 Opened 14 years ago Closed 11 years ago

Firefox 9.0a1 Crash [@ js::types::TypeSet::getKnownTypeTag(JSContext*) ]

Categories

(Core :: JavaScript Engine, defect)

x86
Windows 7
defect
Not set
critical


RESOLVED INCOMPLETE

People

(Reporter: marcia, Assigned: bhackett1024)


Details

(Keywords: crash, Whiteboard: [TI-regression])

Attachments

(1 file)

Crashes started showing up using the 2011083000 build. Fairly low volume trunk crash only so far. Link to the crashes, which are all Windows: https://crash-stats.mozilla.com/report/list?signature=js::types::TypeSet::getKnownTypeTag%28JSContext*%29

Possible pushlog regression range: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=33031c875984&tochange=e6591ea9b27b - Related to Type Inference landing? Adding Brian Hackett just in case.

https://crash-stats.mozilla.com/report/index/8cfc93af-606c-49eb-af0f-154d72110830

Frame  Module        Signature                                        Source
0      mozjs.dll     js::types::TypeSet::getKnownTypeTag              js/src/jsinfer.cpp:1443
1      mozjs.dll     js::mjit::Compiler::knownPushedType              js/src/methodjit/Compiler.cpp:7036
2      mozjs.dll     js::mjit::Compiler::generateMethod               js/src/methodjit/Compiler.cpp:1962
3      mozjs.dll     js::mjit::Compiler::performCompilation           js/src/methodjit/Compiler.cpp:513
4      mozjs.dll     js::mjit::Compiler::compile                      js/src/methodjit/Compiler.cpp:162
5      mozjs.dll     js::mjit::TryCompile                             js/src/methodjit/Compiler.cpp:620
6      mozjs.dll     js::mjit::CanMethodJIT                           js/src/methodjit/MethodJIT-inl.h:79
7      mozjs.dll     js::Interpret                                    js/src/jsinterp.cpp:4233
8      mozjs.dll     js::types::TypeScript::SetThis                   js/src/jsinferinlines.h:615
9      mozjs.dll     js::ExecuteKernel                                js/src/jsinterp.cpp:941
10     mozjs.dll     js::Execute                                      js/src/jsinterp.cpp:977
11     mozjs.dll     EvaluateUCScriptForPrincipalsCommon              js/src/jsapi.cpp:4933
12     mozjs.dll     JS_EvaluateUCScriptForPrincipalsVersion          js/src/jsapi.cpp:4945
13     xul.dll       nsJSContext::EvaluateString                      dom/base/nsJSEnvironment.cpp:1465
14     xul.dll       nsScriptLoader::EvaluateScript                   content/base/src/nsScriptLoader.cpp:906
15     xul.dll       nsScriptLoader::ProcessRequest                   content/base/src/nsScriptLoader.cpp:799
16     xul.dll       nsScriptLoader::ProcessPendingRequests
17     xul.dll       nsScriptLoader::OnStreamComplete                 content/base/src/nsScriptLoader.cpp:1183
18     xul.dll       nsStreamLoader::OnStopRequest                    netwerk/base/src/nsStreamLoader.cpp:125
19     xul.dll       nsHTTPCompressConv::OnStopRequest                netwerk/streamconv/converters/nsHTTPCompressConv.cpp:127
20     xul.dll       nsHttpChannel::OnStopRequest                     netwerk/protocol/http/nsHttpChannel.cpp:4212
21     xul.dll       nsInputStreamPump::OnStateStop                   netwerk/base/src/nsInputStreamPump.cpp:578
22     xul.dll       nsInputStreamPump::OnInputStreamReady            netwerk/base/src/nsInputStreamPump.cpp:403
23     xul.dll       nsInputStreamReadyEvent::Run                     xpcom/io/nsStreamUtils.cpp:114
24     xul.dll       nsThread::ProcessNextEvent                       xpcom/threads/nsThread.cpp:631
25     nspr4.dll     _MD_CURRENT_THREAD                               nsprpub/pr/src/md/windows/w95thred.c:308
26     xul.dll       mozilla::ipc::MessagePump::Run                   ipc/glue/MessagePump.cpp:134
27     xul.dll       MessageLoop::RunHandler                          ipc/chromium/src/base/message_loop.cc:201
28     xul.dll       MessageLoop::Run                                 ipc/chromium/src/base/message_loop.cc:175
29     xul.dll       nsBaseAppShell::Run                              widget/src/xpwidgets/nsBaseAppShell.cpp:189
30     xul.dll       xul.dll@0xbba973
31     xul.dll       nsAppStartup::Run                                toolkit/components/startup/nsAppStartup.cpp:224
32     xul.dll       XRE_main                                         toolkit/xre/nsAppRunner.cpp:3551
33     firefox.exe   wmain                                            toolkit/xre/nsWindowsWMain.cpp:107
34     firefox.exe   firefox.exe@0x4033
35     firefox.exe   __tmainCRTStartup                                crtexe.c:594
36     firefox.exe   _SEH_epilog4
37     kernel32.dll  BaseProcessStart
38     kernel32.dll  GetCodePageFileInfo
39     kernel32.dll  BaseProcessStart
40     firefox.exe   pre_c_init                                       crtexe.c:304
This is definitely a TI landing regression, the crash is in new code added by TI.
Adding related signature -> [@ js::types::TypeSet::addType(JSContext*, js::types::Type) ]. Comments mention crashing when accessing Hotmail calendar.
Crash Signature: [@ js::types::TypeSet::getKnownTypeTag(JSContext*) ] → [@ js::types::TypeSet::getKnownTypeTag(JSContext*) ] [@ js::types::TypeSet::addType(JSContext*, js::types::Type) ]
js::ctypes is, confusingly, not at all related to js::types. Switching components. ;-)
Assignee: nobody → general
Component: js-ctypes → JavaScript Engine
QA Contact: js-ctypes → general
Assignee: general → bhackett1024
Whiteboard: [TI-regression]
Attached patch: possible patch
This bug and several other TI-related crashes are NULL dereferences when accessing information which we had just asked TI to compute. The only way I can see this happening is if the script is associated with a cleared global, which inference will refuse to analyze (to prevent reentrancy crashes related to reinstantiation of the standard classes) but will pretend it has.
Attachment #557380 - Flags: review?(dvander)
Attachment #557380 - Flags: review?(dvander) → review+
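The pattern Brian describes, as an added, simplified example that is neither the patch nor SpiderMonkey's own code (its struct and function names are assumptions): an analysis pass that declines to run but still reports success, beside the variant that reports the refusal so the consumer falls back to an unknown type instead of dereferencing NULL.

```cpp
// Simplified model of the failure described above, not SpiderMonkey code: these
// structs and analyze*() functions stand in for the real jsinfer/methodjit ones.
#include <cstddef>
enum TypeTag { TYPE_UNKNOWN = 0, TYPE_INT32, TYPE_OBJECT };
struct TypeSet { TypeTag tag; };
struct Global  { bool cleared; };
struct Script {
    Global  *global;
    bool     analyzed;     // inference's claim that analysis completed
    TypeSet *pushedTypes;  // only populated by a real analysis pass
};
static TypeSet gInt32Set = { TYPE_INT32 };  // stands in for computed type data

// Buggy variant: refuses to analyze a script whose global was cleared (avoiding
// reentrancy while the standard classes are reinstantiated) but still marks the
// script analyzed, so callers believe type data exists.
void analyzeBuggy(Script &s) {
    s.analyzed = true;
    if (!s.global->cleared) s.pushedTypes = &gInt32Set;
}

// Fixed variant: a refused analysis is reported honestly as "not analyzed".
void analyzeFixed(Script &s) {
    if (s.global->cleared) { s.analyzed = false; return; }
    s.pushedTypes = &gInt32Set; s.analyzed = true;
}

// Consumer modelled on knownPushedType -> getKnownTypeTag: trusts s.analyzed and
// dereferences the type set, so a lying analyzer becomes a NULL dereference.
TypeTag knownPushedType(const Script &s) {
    if (!s.analyzed) return TYPE_UNKNOWN;  // fall back to an unknown type
    return s.pushedTypes->tag;
}

// True when knownPushedType() would dereference NULL for a cleared-global script
// under the chosen analyzer, i.e. the analyzer claimed success without data.
bool clearedGlobalCrashes(bool useFixedAnalyzer) {
    Global g = { true };
    Script s = { &g, false, NULL };
    if (useFixedAnalyzer) analyzeFixed(s); else analyzeBuggy(s);
    return s.analyzed && s.pushedTypes == NULL;
}

// Analyzes a fresh script with the fixed analyzer and asks for its pushed type.
TypeTag fixedPushedType(bool globalCleared) {
    Global g = { globalCleared };
    Script s = { &g, false, NULL };
    analyzeFixed(s);
    return knownPushedType(s);
}
```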
Adding Mac and Linux specific signature.
Crash Signature: [@ js::types::TypeSet::getKnownTypeTag(JSContext*) ] [@ js::types::TypeSet::addType(JSContext*, js::types::Type) ] → [@ js::types::TypeSet::getKnownTypeTag(JSContext*) ] [@ js::types::TypeSet::addType(JSContext*, js::types::Type) ] [@ js::types::TypeSet::getKnownTypeTag ]
[@ js::types::TypeSet::getKnownTypeTag(JSContext*) ] has no crashes since the 20110831030834 build on the trunk, so that signature has gone away. [@ js::types::TypeSet::addType(JSContext*, js::types::Type) ] has one crash using the 20110904030822 build, so that signature has not gone away. [@ js::types::TypeSet::getKnownTypeTag ] has one crash using the 20110901040207 build, but the fix may not have made it into that build.
[@ js::types::TypeSet::addType(JSContext*, js::types::Type) ] has about 156 crashes on the trunk in the past week. The last build id I see is 20110917030857. [@ js::types::TypeSet::getKnownTypeTag ] has no crashes in builds after 20110831030834.
All but three of the js::types::TypeSet::addType crashes were in the 9/17 build, which had a merge from the JM branch which was subsequently backed out. The cause for this crash, and several other crashes that spiked on 9/17, was either bug 685358 or bug 683804. JM merged to m-c again last night, but without patches for either of these two bugs.
Is Bug 688971 related?
Have a user from the support forums on 10.0a2 hitting this signature bp-1ea4f7ac-cd17-4096-91fa-173952111206 https://support.mozilla.com/en-US/questions/902378
This seems to be rising in 9.0.1. Sitting at #23. I am going to add the top crash keyword.
Keywords: topcrash
Can we get someone to look at this? It's moved up further on the 9.0.1 list in the last day.
I don't know about the js::types::TypeSet::getKnownTypeTag signature, which wasn't on the first page of the 9.0.1 crashes, but I looked at the several crashes in js::types::HashSetLookup (#19) and js::types::TypeSet::addType (#23). All of the crashes had RapportTanzan9.dll on the stack calling JSAPI methods directly, which is the behavior identified as causing bug 700176. Entering JS without entering the right compartment is liable to screw up all sorts of JS stuff, especially type information.
Blocks: 700176
Depends on: 715693
The interpreter doesn't do type monitoring anymore.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Resolution: FIXED → INCOMPLETE