Closed
Bug 695505
Opened 13 years ago
Closed 12 years ago
Firefox Crash @ js::PropertyCache
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
WORKSFORME
People
(Reporter: marcia, Assigned: dmandelin)
(Keywords: crash, regression)
Seen while looking at Aurora crash stats. https://crash-stats.mozilla.com/report/list?signature=js::PropertyCache::fill%28JSContext*,%20JSObject*,%20unsigned%20int,%20JSObject*,%20js::Shape%20const*,%20int%29
Crashes started showing up in crash stats using the 20110928 build. Crash appears in other versions as well.
Not enough volume for correlations. #30 top crash in Aurora in the last week.
https://crash-stats.mozilla.com/report/index/56914a63-9eef-45c7-b59d-a66322111018
Frame Module Signature Source
0 @0x728b62c
1 mozjs.dll js::PropertyCache::fill js/src/jspropertycache.cpp:130
2 mozjs.dll js::mjit::EnterMethodJIT js/src/methodjit/MethodJIT.cpp:884
3 mozjs.dll js::Interpret js/src/jsinterp.cpp:4076
4 mozjs.dll js::types::TypeScript::SetThis js/src/jsinferinlines.h:624
5 mozjs.dll js::ExecuteKernel js/src/jsinterp.cpp:814
6 mozjs.dll js::Execute js/src/jsinterp.cpp:853
7 mozjs.dll EvaluateUCScriptForPrincipalsCommon js/src/jsapi.cpp:4924
8 mozjs.dll JS_EvaluateUCScriptForPrincipalsVersion js/src/jsapi.cpp:4936
9 xul.dll nsJSContext::EvaluateString dom/base/nsJSEnvironment.cpp:1476
10 xul.dll nsScriptLoader::EvaluateScript content/base/src/nsScriptLoader.cpp:906
11 xul.dll nsScriptLoader::ProcessRequest content/base/src/nsScriptLoader.cpp:799
12 xul.dll nsScriptLoader::ProcessPendingRequests
13 xul.dll nsScriptLoader::OnStreamComplete content/base/src/nsScriptLoader.cpp:1183
14 xul.dll nsStreamLoader::OnStopRequest netwerk/base/src/nsStreamLoader.cpp:125
15 xul.dll nsHTTPCompressConv::OnStopRequest netwerk/streamconv/converters/nsHTTPCompressConv.cpp:127
16 xul.dll nsHttpChannel::OnStopRequest netwerk/protocol/http/nsHttpChannel.cpp:4253
17 xul.dll nsDisplayListBuilder::Allocate layout/base/nsDisplayList.cpp:385
18 xul.dll nsInputStreamPump::OnInputStreamReady netwerk/base/src/nsInputStreamPump.cpp:403
19 xul.dll nsInputStreamReadyEvent::Run xpcom/io/nsStreamUtils.cpp:114
20 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:631
21 nspr4.dll _MD_CURRENT_THREAD nsprpub/pr/src/md/windows/w95thred.c:308
22 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:110
23 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:201
24 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:175
25 xul.dll nsBaseAppShell::Run widget/src/xpwidgets/nsBaseAppShell.cpp:189
26 xul.dll xul.dll@0xbbe3ef
27 xul.dll nsAppStartup::Run toolkit/components/startup/nsAppStartup.cpp:228
28 xul.dll XRE_main toolkit/xre/nsAppRunner.cpp:3557
29 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:107
30 firefox.exe firefox.exe@0x4033
31 firefox.exe __tmainCRTStartup crtexe.c:594
32 smime3.dll sec_pkcs7_verify_signature security/nss/lib/pkcs7/p7decode.c:1771
33 firefox.exe _SEH_epilog4
34 kernel32.dll BaseProcessStart
35 smime3.dll sec_pkcs7_verify_signature security/nss/lib/pkcs7/p7decode.c:1771
36 kernel32.dll GetCodePageFileInfo
Comment 1•13 years ago
It's #8 top crasher in 9.0a2 and #35 in 10.0a1.
It first appeared in 9.0a1/20110830.
The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=33031c875984&tochange=e6591ea9b27b
Keywords: regression
Version: Trunk → 9 Branch
Updated•13 years ago
tracking-firefox9:
--- → ?
Comment 2•13 years ago
It's now #21 top crasher in 9.0b2, #26 in 10.0a2 and #44 in 11.0a1.
Comment 3•13 years ago
(In reply to Scoobidiver from comment #2)
> It's now #21 top crasher in 9.0b2, #26 in 10.0a2 and #44 in 11.0a1.
Can we take another look to see if there are any correlations here?
Assignee
Comment 4•13 years ago
We plan on removing the property cache, so I wouldn't bother with this.
Comment 5•13 years ago
It's #16 top browser crasher in 9.0.1 and #11 in 10.0b2.
Let's mark it as topcrash.
Keywords: topcrash
Comment 6•13 years ago
(In reply to David Mandelin from comment #4)
> We plan on removing the property cache, so I wouldn't bother with this.
Did this, or will this, change land for FF10? If not, the topcrash status warrants further investigation.
Assignee: general → dmandelin
Assignee
Comment 7•13 years ago
bhackett and I investigated a minidump. The stack signature is wrong--this is actually a jitcode crash. Something must have changed in our code or the way it interacts with breakpad to show this new signature. Anyway, that means it's really mostly a dup of the EnterMethodJIT crashes, although this may be a cluster of some particular kind of EnterMethodJIT crash.
The most common crash address is 0xc. It turns out it's crashing on a shape guard for some kind of IC'd property access, with a null pointer for the object. It's unclear exactly what the code is, but Brian thinks it's code like |foo.bar|, i.e., a property of a global property. Brian pointed out that if the global got ClearScope'd, the jitcode could have baked in the address to read |foo| from, which after ClearScope would hold a null pointer, thus triggering the NPE.
Depends on: 637099
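The mechanism described in comment 7, modelled as an added C example that is not SpiderMonkey code: an inline-cache entry bakes in the address of the global slot holding |foo| plus the shape it expects, a ClearScope analogue nulls every slot, and the unchecked shape guard would then load from a near-null address (NULL + offsetof(shape)). The `Global`, `ICEntry` and epoch-counter types are constructed for illustration; the epoch bump and the NULL check in `ic_guard` show one way to make such a guard miss instead of fault, not what Firefox itself did.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed model of comment 7's mechanism (not SpiderMonkey code): jitcode
 * bakes in the address of the global slot holding |foo| and guards on foo's
 * shape before reading |foo.bar|. */
typedef struct Obj { void *proto; uint32_t shape; int bar; } Obj;
typedef struct Global { Obj *slots[4]; uint32_t epoch; } Global;
typedef struct ICEntry {
    Obj **slot_addr;          /* baked-in address of the slot holding |foo| */
    uint32_t expected_shape;  /* shape the guard compares against */
    uint32_t epoch;           /* Global::epoch at fill time (mitigation) */
} ICEntry;
static uintptr_t last_fault_addr; /* what the unchecked guard would touch */
/* ClearScope analogue: every slot becomes NULL. The baked address is still
 * readable memory, so a guard that trusts it now loads a NULL object. */
void clear_scope(Global *g) {
    for (size_t i = 0; i < 4; i++) g->slots[i] = NULL;
    g->epoch++;               /* hardening: ICs filled earlier become stale */
}
void ic_fill(ICEntry *ic, Global *g, size_t idx) {
    ic->slot_addr = &g->slots[idx];
    ic->expected_shape = g->slots[idx]->shape;
    ic->epoch = g->epoch;
}
/* Address the original guard loads the shape from: NULL + offsetof(shape), a
 * small near-zero fault address like the 0xc seen in the minidumps. */
uintptr_t unchecked_guard_load_address(const ICEntry *ic) {
    return (uintptr_t)(*ic->slot_addr) + offsetof(Obj, shape);
}
/* Hardened guard: miss (fall back to the slow path) instead of faulting. */
bool ic_guard(const ICEntry *ic, const Global *g, int *out) {
    if (ic->epoch != g->epoch) return false;   /* scope cleared since fill */
    Obj *foo = *ic->slot_addr;
    if (foo == NULL || foo->shape != ic->expected_shape) return false;
    *out = foo->bar;
    return true;
}
/* Scenario: fill the IC, clear the scope, retry. Returns the value read
 * before the clear, or -1 if the hardened guard failed to miss afterwards. */
int run_scenario(void) {
    Obj foo = { .shape = 0x51, .bar = 42 };    /* constructed sample object */
    Global g = { .slots = { NULL, &foo, NULL, NULL }, .epoch = 1 };
    ICEntry ic; int v = 0; ic_fill(&ic, &g, 1);
    if (!ic_guard(&ic, &g, &v)) return -1;
    clear_scope(&g);
    last_fault_addr = unchecked_guard_load_address(&ic);
    return ic_guard(&ic, &g, &v) ? -1 : v;
}
```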
Updated•13 years ago
Blocks: SadJägerMonkey
Comment 8•13 years ago
(In reply to David Mandelin from comment #7)
> bhackett and I investigated a minidump. The stack signature is wrong--this
> is actually a jitcode crash. Something must have changed in our code or the
> way it interacts with breakpad to show this new signature. Anyway, that
> means it's really mostly a dup of the EnterMethodJIT crashes, although this
> may be a cluster of some particular kind of EnterMethodJIT crash.
Thanks Dave. Based upon your analysis that this won't have any more significant user impact in FF10 than FF9, we'll untrack.
Updated•13 years ago
Crash Signature: [@ js::PropertyCache::fill(JSContext*, JSObject*, unsigned int, JSObject*, js::Shape const*, int) ] → [@ js::PropertyCache::fill(JSContext*, JSObject*, unsigned int, JSObject*, js::Shape const*, int)]
[@ js::PropertyCache::fill]
OS: Windows 7 → All
Hardware: x86 → All
Reporter
Comment 9•13 years ago
https://crash-stats.mozilla.com/report/list?signature=js::PropertyCache::fill is still hanging around as a signature and has been increasing on the Mac side, but because volume is smaller on Mac I don't know what to make of it or whether we should be concerned at all.
js::PropertyCache::fill(JSContext*, JSObject*, unsigned int, JSObject*, js::Shape const*, int) signature seems to not be present at all in Firefox 11 so far.
Comment 10•13 years ago
There are 32 crashes in 13.0.
Crash Signature: [@ js::PropertyCache::fill(JSContext*, JSObject*, unsigned int, JSObject*, js::Shape const*, int)]
[@ js::PropertyCache::fill] → [@ js::PropertyCache::fill(JSContext*, JSObject*, unsigned int, JSObject*, js::Shape const*, int)]
[@ js::PropertyCache::fill(JSContext*, JSObject*, unsigned int, JSObject*, js::Shape const*)]
[@ js::PropertyCache::fill]
Keywords: topcrash
Comment 11•12 years ago
There are only 3 crashes in 20.0 so let's close it.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME