Closed Bug 695505 Opened 9 years ago Closed 7 years ago

Firefox Crash @ js::PropertyCache

Categories: Core :: JavaScript Engine (defect)
Version: 9 Branch
Priority: Not set
Severity: critical
Status: RESOLVED WORKSFORME
Tracking Status: firefox9 - ---, firefox10 - ---, firefox11 - ---
People: Reporter: marcia, Assigned: dmandelin
Keywords: crash, regression

Seen while looking at Aurora crash stats. https://crash-stats.mozilla.com/report/list?signature=js::PropertyCache::fill%28JSContext*,%20JSObject*,%20unsigned%20int,%20JSObject*,%20js::Shape%20const*,%20int%29 

Crashes started showing up in crash stats using the 20110928 build. Crash appears in other versions as well. 

Not enough volume for correlations. #30 top crash in Aurora in the last week.

https://crash-stats.mozilla.com/report/index/56914a63-9eef-45c7-b59d-a66322111018

Frame 	Module 	Signature 	Source
0 		@0x728b62c 	
1 	mozjs.dll 	js::PropertyCache::fill 	js/src/jspropertycache.cpp:130
2 	mozjs.dll 	js::mjit::EnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:884
3 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:4076
4 	mozjs.dll 	js::types::TypeScript::SetThis 	js/src/jsinferinlines.h:624
5 	mozjs.dll 	js::ExecuteKernel 	js/src/jsinterp.cpp:814
6 	mozjs.dll 	js::Execute 	js/src/jsinterp.cpp:853
7 	mozjs.dll 	EvaluateUCScriptForPrincipalsCommon 	js/src/jsapi.cpp:4924
8 	mozjs.dll 	JS_EvaluateUCScriptForPrincipalsVersion 	js/src/jsapi.cpp:4936
9 	xul.dll 	nsJSContext::EvaluateString 	dom/base/nsJSEnvironment.cpp:1476
10 	xul.dll 	nsScriptLoader::EvaluateScript 	content/base/src/nsScriptLoader.cpp:906
11 	xul.dll 	nsScriptLoader::ProcessRequest 	content/base/src/nsScriptLoader.cpp:799
12 	xul.dll 	nsScriptLoader::ProcessPendingRequests 	
13 	xul.dll 	nsScriptLoader::OnStreamComplete 	content/base/src/nsScriptLoader.cpp:1183
14 	xul.dll 	nsStreamLoader::OnStopRequest 	netwerk/base/src/nsStreamLoader.cpp:125
15 	xul.dll 	nsHTTPCompressConv::OnStopRequest 	netwerk/streamconv/converters/nsHTTPCompressConv.cpp:127
16 	xul.dll 	nsHttpChannel::OnStopRequest 	netwerk/protocol/http/nsHttpChannel.cpp:4253
17 	xul.dll 	nsDisplayListBuilder::Allocate 	layout/base/nsDisplayList.cpp:385
18 	xul.dll 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:403
19 	xul.dll 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:114
20 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:631
21 	nspr4.dll 	_MD_CURRENT_THREAD 	nsprpub/pr/src/md/windows/w95thred.c:308
22 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
23 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:201
24 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:175
25 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:189
26 	xul.dll 	xul.dll@0xbbe3ef 	
27 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:228
28 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3557
29 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:107
30 	firefox.exe 	firefox.exe@0x4033 	
31 	firefox.exe 	__tmainCRTStartup 	crtexe.c:594
32 	smime3.dll 	sec_pkcs7_verify_signature 	security/nss/lib/pkcs7/p7decode.c:1771
33 	firefox.exe 	_SEH_epilog4 	
34 	kernel32.dll 	BaseProcessStart 	
35 	smime3.dll 	sec_pkcs7_verify_signature 	security/nss/lib/pkcs7/p7decode.c:1771
36 	kernel32.dll 	GetCodePageFileInfo
It's #8 top crasher in 9.0a2 and #35 in 10.0a1.
It first appeared in 9.0a1/20110830.
The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=33031c875984&tochange=e6591ea9b27b
Keywords: regression
Version: Trunk → 9 Branch
It's now #21 top crasher in 9.0b2, #26 in 10.0a2 and #44 in 11.0a1.
(In reply to Scoobidiver from comment #2)
> It's now #21 top crasher in 9.0b2, #26 in 10.0a2 and #44 in 11.0a1.

Can we take another look to see if there are any correlations here?
We plan on removing the property cache, so I wouldn't bother with this.
It's #16 top browser crasher in 9.0.1 and #11 in 10.0b2.
Let's mark it as topcrash.
Keywords: topcrash
(In reply to David Mandelin from comment #4)
> We plan on removing the property cache, so I wouldn't bother with this.

Did this, or will this, change land for FF10? If not, the topcrash status warrants further investigation.
Assignee: general → dmandelin
bhackett and I investigated a minidump. The stack signature is wrong--this is actually a jitcode crash. Something must have changed in our code or the way it interacts with breakpad to show this new signature. Anyway, that means it's really mostly a dup of the EnterMethodJIT crashes, although this may be a cluster of some particular kind of EnterMethodJIT crash.

The most common crash address is 0xc. It turns out it's crashing on a shape guard for some kind of IC'd property access, with a null pointer for the object. It's unclear exactly what the code is, but Brian thinks it's code like |foo.bar|, i.e., a property of a global property. Brian pointed out that if the global got ClearScope'd, the jitcode could have baked in the address to read |foo| from, which after ClearScope would hold a null pointer, thus triggering the NPE.
Depends on: 637099
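The mechanism described in comment 7, as an added example in C (not SpiderMonkey code, and not part of the original bug): jitcode for |foo.bar| bakes in the address of the global slot holding |foo| and a shape guard; after the global is ClearScope'd the slot reads null, and the guard's load of the shape field faults at the field's offset from address 0, which is why the crash address clusters at 0xc. The struct layout (shape word at offset 12), the names ic_compile/ic_execute_unguarded/ic_execute_guarded/clear_scope and the fall-back-to-slow-path behaviour of the hardened variant are assumptions chosen for illustration. The unguarded path reports the would-be fault address instead of really dereferencing null, so the program runs to completion.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of an object header. The field order is an assumption for this
 * example, chosen so that offsetof(ObjModel, shape) == 0xc, the most common
 * crash address from the minidumps. */
typedef struct {
    uint32_t clasp;
    uint32_t flags;
    uint32_t proto;
    uint32_t shape;      /* shape id the inline cache guards on */
    uint32_t slots[4];   /* property values, e.g. |bar| */
} ObjModel;

/* Toy global object: its slots hold pointers to other objects (|foo|). */
typedef struct {
    ObjModel *slots[8];
} GlobalModel;

/* What the "jitcode" for |foo.bar| bakes in: the address of the global slot
 * holding |foo|, the shape |foo| had at compile time, and the index of |bar|. */
typedef struct {
    ObjModel **baked_slot;
    uint32_t expected_shape;
    unsigned prop_index;
} InlineCache;

typedef enum { IC_HIT, IC_MISS, IC_FAULT } ICResult;

InlineCache ic_compile(GlobalModel *g, unsigned global_slot, unsigned prop_index) {
    InlineCache ic;
    ic.baked_slot = &g->slots[global_slot];
    ic.expected_shape = (*ic.baked_slot)->shape;
    ic.prop_index = prop_index;
    return ic;
}

/* Emulates the generated code: load |foo| through the baked-in address, then
 * read foo->shape for the guard with no null check. Instead of dereferencing
 * null it reports the address the CPU would fault on. */
ICResult ic_execute_unguarded(const InlineCache *ic, uint32_t *out, uintptr_t *fault_addr) {
    ObjModel *obj = *ic->baked_slot;
    if (obj == NULL) {
        *fault_addr = (uintptr_t)offsetof(ObjModel, shape);   /* 0xc */
        return IC_FAULT;
    }
    if (obj->shape != ic->expected_shape)
        return IC_MISS;                 /* guard failed: slow path */
    *out = obj->slots[ic->prop_index];
    return IC_HIT;
}

/* Hardened variant: a null slot is treated like any other guard failure. */
ICResult ic_execute_guarded(const InlineCache *ic, uint32_t *out) {
    ObjModel *obj = *ic->baked_slot;
    if (obj == NULL || obj->shape != ic->expected_shape)
        return IC_MISS;
    *out = obj->slots[ic->prop_index];
    return IC_HIT;
}

/* Models ClearScope on the global: all slots are nulled while compiled
 * inline caches keep their baked-in slot addresses. */
void clear_scope(GlobalModel *g) {
    memset(g->slots, 0, sizeof g->slots);
}

/* Constructed sample: |foo = {bar: 7}| on the global, compile |foo.bar|, run
 * the unguarded code before and after ClearScope. Returns the fault address of
 * the second run (0 if the first run did not hit or the second did not fault). */
uintptr_t scenario_fault_address(void) {
    ObjModel foo = {1, 0, 0, 42, {0, 7, 0, 0}};
    GlobalModel g = {{&foo}};
    InlineCache ic = ic_compile(&g, 0, 1);
    uint32_t value = 0;
    uintptr_t fault = 0;
    if (ic_execute_unguarded(&ic, &value, &fault) != IC_HIT || value != 7)
        return 0;
    clear_scope(&g);
    ic_execute_unguarded(&ic, &value, &fault);
    return fault;
}

/* Same setup, but the guarded code runs after ClearScope. */
ICResult scenario_guarded_after_clear(void) {
    ObjModel foo = {1, 0, 0, 42, {0, 7, 0, 0}};
    GlobalModel g = {{&foo}};
    InlineCache ic = ic_compile(&g, 0, 1);
    uint32_t value = 0;
    clear_scope(&g);
    return ic_execute_guarded(&ic, &value);
}

int main(void) {
    printf("unguarded read after ClearScope faults at 0x%lx\n",
           (unsigned long)scenario_fault_address());
    printf("guarded read after ClearScope -> %s\n",
           scenario_guarded_after_clear() == IC_MISS ? "IC_MISS (slow path)" : "unexpected");
    return 0;
}
```

The point of the model is the diagnostic reasoning, not the fix: a crash address equal to a small constant is the signature of a null base pointer plus a field offset, and the baked-in slot address is what lets stale jitcode reach that null after the scope is cleared. Whether the real fix is a null guard, invalidating jitcode on ClearScope, or (as comment 4 says) removing the property cache altogether is a design decision this example does not make.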
(In reply to David Mandelin from comment #7)
> bhackett and I investigated a minidump. The stack signature is wrong--this
> is actually a jitcode crash. Something must have changed in our code or the
> way it interacts with breakpad to show this new signature. Anyway, that
> means it's really mostly a dup of the EnterMethodJIT crashes, although this
> may be a cluster of some particular kind of EnterMethodJIT crash.

Thanks Dave. Based upon your analysis that this won't have any more significant user impact in FF10 than FF9, we'll untrack.
Crash Signature: [@ js::PropertyCache::fill(JSContext*, JSObject*, unsigned int, JSObject*, js::Shape const*, int) ] → [@ js::PropertyCache::fill(JSContext*, JSObject*, unsigned int, JSObject*, js::Shape const*, int)] [@ js::PropertyCache::fill]
OS: Windows 7 → All
Hardware: x86 → All
https://crash-stats.mozilla.com/report/list?signature=js::PropertyCache::fill is still hanging around as a signature and has been increasing on the Mac side, but because volume is smaller on Mac I don't know what to make of it or whether we should be concerned at all.

js::PropertyCache::fill(JSContext*, JSObject*, unsigned int, JSObject*, js::Shape const*, int) signature seems to not be present at all in Firefox 11 so far.
There are 32 crashes in 13.0.
Crash Signature: [@ js::PropertyCache::fill(JSContext*, JSObject*, unsigned int, JSObject*, js::Shape const*, int)] [@ js::PropertyCache::fill] → [@ js::PropertyCache::fill(JSContext*, JSObject*, unsigned int, JSObject*, js::Shape const*, int)] [@ js::PropertyCache::fill(JSContext*, JSObject*, unsigned int, JSObject*, js::Shape const*)] [@ js::PropertyCache::fill]
Keywords: topcrash
There are only 3 crashes in 20.0 so let's close it.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME