Closed
Bug 695505
Opened 13 years ago
Closed 11 years ago
Firefox Crash @ js::PropertyCache
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: marcia, Assigned: dmandelin)
References
Details
(Keywords: crash, regression)
Crash Data
Seen while looking at Aurora crash stats. https://crash-stats.mozilla.com/report/list?signature=js::PropertyCache::fill%28JSContext*,%20JSObject*,%20unsigned%20int,%20JSObject*,%20js::Shape%20const*,%20int%29 Crashes started showing up in crash stats using the 20110928 build. Crash appears in other versions as well. Not enough volume for correlations. #30 top crash in Aurora in the last week. https://crash-stats.mozilla.com/report/index/56914a63-9eef-45c7-b59d-a66322111018 Frame Module Signature [Expand] Source 0 @0x728b62c 1 mozjs.dll js::PropertyCache::fill js/src/jspropertycache.cpp:130 2 mozjs.dll js::mjit::EnterMethodJIT js/src/methodjit/MethodJIT.cpp:884 3 mozjs.dll js::Interpret js/src/jsinterp.cpp:4076 4 mozjs.dll js::types::TypeScript::SetThis js/src/jsinferinlines.h:624 5 mozjs.dll js::ExecuteKernel js/src/jsinterp.cpp:814 6 mozjs.dll js::Execute js/src/jsinterp.cpp:853 7 mozjs.dll EvaluateUCScriptForPrincipalsCommon js/src/jsapi.cpp:4924 8 mozjs.dll JS_EvaluateUCScriptForPrincipalsVersion js/src/jsapi.cpp:4936 9 xul.dll nsJSContext::EvaluateString dom/base/nsJSEnvironment.cpp:1476 10 xul.dll nsScriptLoader::EvaluateScript content/base/src/nsScriptLoader.cpp:906 11 xul.dll nsScriptLoader::ProcessRequest content/base/src/nsScriptLoader.cpp:799 12 xul.dll nsScriptLoader::ProcessPendingRequests 13 xul.dll nsScriptLoader::OnStreamComplete content/base/src/nsScriptLoader.cpp:1183 14 xul.dll nsStreamLoader::OnStopRequest netwerk/base/src/nsStreamLoader.cpp:125 15 xul.dll nsHTTPCompressConv::OnStopRequest netwerk/streamconv/converters/nsHTTPCompressConv.cpp:127 16 xul.dll nsHttpChannel::OnStopRequest netwerk/protocol/http/nsHttpChannel.cpp:4253 17 xul.dll nsDisplayListBuilder::Allocate layout/base/nsDisplayList.cpp:385 18 xul.dll nsInputStreamPump::OnInputStreamReady netwerk/base/src/nsInputStreamPump.cpp:403 19 xul.dll nsInputStreamReadyEvent::Run xpcom/io/nsStreamUtils.cpp:114 20 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:631 21 nspr4.dll _MD_CURRENT_THREAD nsprpub/pr/src/md/windows/w95thred.c:308 22 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:110 23 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:201 24 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:175 25 xul.dll nsBaseAppShell::Run widget/src/xpwidgets/nsBaseAppShell.cpp:189 26 xul.dll xul.dll@0xbbe3ef 27 xul.dll nsAppStartup::Run toolkit/components/startup/nsAppStartup.cpp:228 28 xul.dll XRE_main toolkit/xre/nsAppRunner.cpp:3557 29 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:107 30 firefox.exe firefox.exe@0x4033 31 firefox.exe __tmainCRTStartup crtexe.c:594 32 smime3.dll sec_pkcs7_verify_signature security/nss/lib/pkcs7/p7decode.c:1771 33 firefox.exe _SEH_epilog4 34 kernel32.dll BaseProcessStart 35 smime3.dll sec_pkcs7_verify_signature security/nss/lib/pkcs7/p7decode.c:1771 36 kernel32.dll GetCodePageFileInfo
|
||
Comment 1•13 years ago
|
||
It's #8 top crasher in 9.0a2 and #35 in 10.0a1. It first appeared in 9.0a1/20110830. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=33031c875984&tochange=e6591ea9b27b
Keywords: regression
Version: Trunk → 9 Branch
|
|
||
Updated•13 years ago
|
tracking-firefox9:
--- → ?
|
|
||
Comment 2•13 years ago
|
||
It's now #21 top crasher in 9.0b2, #26 in 10.0a2 and #44 in 11.0a1.
|
||
Comment 3•13 years ago
|
||
(In reply to Scoobidiver from comment #2) > It's now #21 top crasher in 9.0b2, #26 in 10.0a2 and #44 in 11.0a1. Can we take another look to see if there are any correlations here?
|
Assignee | |
Comment 4•13 years ago
|
||
We plan on removing the property cache, so I wouldn't bother with this.
|
|
||
Comment 5•13 years ago
|
||
It's #16 top browser crasher in 9.0.1 and #11 in 10.0b2. Let's mark it as topcrash.
Keywords: topcrash
|
|
||
Comment 6•13 years ago
|
||
(In reply to David Mandelin from comment #4) > We plan on removing the property cache, so I wouldn't bother with this. Did this, or will this, change land for FF10? If not, the topcrash status warrants further investigation.
Assignee: general → dmandelin
|
|
Assignee | |
Comment 7•12 years ago
|
||
bhackett and I investigated a minidump. The stack signature is wrong--this is actually a jitcode crash. Something must have changed in our code or the way it interacts with breakpad to show this new signature. Anyway, that means it's really mostly a dup of the EnterMethodJIT crashes, although this may be a cluster of some particular kind of EnterMethodJIT crash. The most common crash address is 0xc. It turns out it's crashing on a shape guard for some kind of IC'd property access, with a null pointer for the object. It's unclear exactly what the code is, but Brian thinks it's code like |foo.bar|, i.e., a property of a global property. Brian pointed out that if the global got ClearScope'd, the jitcode could have baked in the address to read |foo| from, which after ClearScope would hold a null pointer, thus triggering the NPE.
Depends on: 637099
|
|
||
Updated•12 years ago
|
Blocks: SadJägerMonkey
|
|
||
Comment 8•12 years ago
|
||
(In reply to David Mandelin from comment #7) > bhackett and I investigated a minidump. The stack signature is wrong--this > is actually a jitcode crash. Something must have changed in our code or the > way it interacts with breakpad to show this new signature. Anyway, that > means it's really mostly a dup of the EnterMethodJIT crashes, although this > may be a cluster of some particular kind of EnterMethodJIT crash. Thanks Dave. Based upon your analysis that this won't have any more significant user impact in FF10 than FF9, we'll untrack.
|
|
||
Updated•12 years ago
|
Crash Signature: [@ js::PropertyCache::fill(JSContext*, JSObject*, unsigned int, JSObject*, js::Shape const*, int) ] → [@ js::PropertyCache::fill(JSContext*, JSObject*, unsigned int, JSObject*, js::Shape const*, int)]
[@ js::PropertyCache::fill]
OS: Windows 7 → All
Hardware: x86 → All
|
Reporter | |
Comment 9•12 years ago
|
||
https://crash-stats.mozilla.com/report/list?signature=js::PropertyCache::fill is still hanging around as a signature and has been increasing on the Mac side, but because volume is smaller on Mac I don't know what to make of it or whether we should be concerned at all. js::PropertyCache::fill(JSContext*, JSObject*, unsigned int, JSObject*, js::Shape const*, int) signature seems to not be present at all in Firefox 11 so far.
|
|
||
Comment 10•12 years ago
|
||
There are 32 crashes in 13.0.
Crash Signature: [@ js::PropertyCache::fill(JSContext*, JSObject*, unsigned int, JSObject*, js::Shape const*, int)]
[@ js::PropertyCache::fill] → [@ js::PropertyCache::fill(JSContext*, JSObject*, unsigned int, JSObject*, js::Shape const*, int)]
[@ js::PropertyCache::fill(JSContext*, JSObject*, unsigned int, JSObject*, js::Shape const*)]
[@ js::PropertyCache::fill]
Keywords: topcrash
|
|
||
Comment 11•11 years ago
|
||
There are only 3 crashes in 20.0 so let's close it.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•