Firefox Crash @ js::PropertyCache

Status: RESOLVED WORKSFORME
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 7 years ago
Modified: 5 years ago

People

Reporter: marcia, Assigned: dmandelin

Tracking

Version: 9 Branch
Keywords: crash, regression
Firefox Tracking Flags: firefox9-, firefox10-, firefox11-

Seen while looking at Aurora crash stats. https://crash-stats.mozilla.com/report/list?signature=js::PropertyCache::fill%28JSContext*,%20JSObject*,%20unsigned%20int,%20JSObject*,%20js::Shape%20const*,%20int%29 

Crashes started showing up in crash stats using the 20110928 build. Crash appears in other versions as well. 

Not enough volume for correlations. #30 top crash in Aurora in the last week.

https://crash-stats.mozilla.com/report/index/56914a63-9eef-45c7-b59d-a66322111018

Frame 	Module 	Signature 	Source
0 		@0x728b62c 	
1 	mozjs.dll 	js::PropertyCache::fill 	js/src/jspropertycache.cpp:130
2 	mozjs.dll 	js::mjit::EnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:884
3 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:4076
4 	mozjs.dll 	js::types::TypeScript::SetThis 	js/src/jsinferinlines.h:624
5 	mozjs.dll 	js::ExecuteKernel 	js/src/jsinterp.cpp:814
6 	mozjs.dll 	js::Execute 	js/src/jsinterp.cpp:853
7 	mozjs.dll 	EvaluateUCScriptForPrincipalsCommon 	js/src/jsapi.cpp:4924
8 	mozjs.dll 	JS_EvaluateUCScriptForPrincipalsVersion 	js/src/jsapi.cpp:4936
9 	xul.dll 	nsJSContext::EvaluateString 	dom/base/nsJSEnvironment.cpp:1476
10 	xul.dll 	nsScriptLoader::EvaluateScript 	content/base/src/nsScriptLoader.cpp:906
11 	xul.dll 	nsScriptLoader::ProcessRequest 	content/base/src/nsScriptLoader.cpp:799
12 	xul.dll 	nsScriptLoader::ProcessPendingRequests 	
13 	xul.dll 	nsScriptLoader::OnStreamComplete 	content/base/src/nsScriptLoader.cpp:1183
14 	xul.dll 	nsStreamLoader::OnStopRequest 	netwerk/base/src/nsStreamLoader.cpp:125
15 	xul.dll 	nsHTTPCompressConv::OnStopRequest 	netwerk/streamconv/converters/nsHTTPCompressConv.cpp:127
16 	xul.dll 	nsHttpChannel::OnStopRequest 	netwerk/protocol/http/nsHttpChannel.cpp:4253
17 	xul.dll 	nsDisplayListBuilder::Allocate 	layout/base/nsDisplayList.cpp:385
18 	xul.dll 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:403
19 	xul.dll 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:114
20 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:631
21 	nspr4.dll 	_MD_CURRENT_THREAD 	nsprpub/pr/src/md/windows/w95thred.c:308
22 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
23 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:201
24 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:175
25 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:189
26 	xul.dll 	xul.dll@0xbbe3ef 	
27 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:228
28 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3557
29 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:107
30 	firefox.exe 	firefox.exe@0x4033 	
31 	firefox.exe 	__tmainCRTStartup 	crtexe.c:594
32 	smime3.dll 	sec_pkcs7_verify_signature 	security/nss/lib/pkcs7/p7decode.c:1771
33 	firefox.exe 	_SEH_epilog4 	
34 	kernel32.dll 	BaseProcessStart 	
35 	smime3.dll 	sec_pkcs7_verify_signature 	security/nss/lib/pkcs7/p7decode.c:1771
36 	kernel32.dll 	GetCodePageFileInfo

Comment 1

7 years ago
It's #8 top crasher in 9.0a2 and #35 in 10.0a1.
It first appeared in 9.0a1/20110830.
The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=33031c875984&tochange=e6591ea9b27b
Keywords: regression
Version: Trunk → 9 Branch

Updated

7 years ago
tracking-firefox9: --- → ?

Comment 2

7 years ago
It's now #21 top crasher in 9.0b2, #26 in 10.0a2 and #44 in 11.0a1.

Comment 3

7 years ago
(In reply to Scoobidiver from comment #2)
> It's now #21 top crasher in 9.0b2, #26 in 10.0a2 and #44 in 11.0a1.

Can we take another look to see if there are any correlations here?
tracking-firefox10: --- → +
tracking-firefox11: --- → +
tracking-firefox9: ? → -
Comment 4 (Assignee)

7 years ago
We plan on removing the property cache, so I wouldn't bother with this.

Comment 5

7 years ago
It's #16 top browser crasher in 9.0.1 and #11 in 10.0b2.
Let's mark it as topcrash.
Keywords: topcrash

Comment 6

7 years ago
(In reply to David Mandelin from comment #4)
> We plan on removing the property cache, so I wouldn't bother with this.

Did this, or will this, change land for FF10? If not, the topcrash status warrants further investigation.
Assignee: general → dmandelin
Comment 7 (Assignee)

6 years ago
bhackett and I investigated a minidump. The stack signature is wrong--this is actually a jitcode crash. Something must have changed in our code or the way it interacts with breakpad to show this new signature. Anyway, that means it's really mostly a dup of the EnterMethodJIT crashes, although this may be a cluster of some particular kind of EnterMethodJIT crash.

The most common crash address is 0xc. It turns out it's crashing on a shape guard for some kind of IC'd property access, with a null pointer for the object. It's unclear exactly what the code is, but Brian thinks it's code like |foo.bar|, i.e., a property of a global property. Brian pointed out that if the global got ClearScope'd, the jitcode could have baked in the address to read |foo| from, which after ClearScope would hold a null pointer, thus triggering the NPE.
Depends on: 637099
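The observation in comment 7 is that frame 0 of the quoted stack is a bare address with no module, so the crash-stats signature was taken from the caller (js::PropertyCache::fill) rather than from the JIT-emitted code that actually faulted. The following triage helper is an added example, not code from this bug or from Mozilla; it parses the tab-separated frame layout shown above and flags that situation. It assumes that the signature generator skips unsymbolized bare-address frames, which is why the misleading signature arises.

```python
import re

# Constructed sample: the top frames of the Breakpad stack quoted in this bug,
# in crash-stats' tab-separated "frame / module / signature / source" layout.
STACK = """\
0\t\t@0x728b62c\t
1\tmozjs.dll\tjs::PropertyCache::fill\tjs/src/jspropertycache.cpp:130
2\tmozjs.dll\tjs::mjit::EnterMethodJIT\tjs/src/methodjit/MethodJIT.cpp:884
3\tmozjs.dll\tjs::Interpret\tjs/src/jsinterp.cpp:4076
"""

BARE_ADDRESS = re.compile(r"^@0x[0-9a-fA-F]+$")

def parse_frames(text):
    """Parse tab-separated frames into dicts; missing cells become ''."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cells = (line.split("\t") + ["", "", "", ""])[:4]
        frames.append({"frame": int(cells[0]), "module": cells[1].strip(),
                       "signature": cells[2].strip(), "source": cells[3].strip()})
    return frames

def is_unmapped(frame):
    """No module and only a raw address: the faulting PC lay outside every
    loaded module, which is what JIT-emitted code looks like to Breakpad."""
    return frame["module"] == "" and bool(BARE_ADDRESS.match(frame["signature"]))

def reported_signature(frames):
    """Signature as a Socorro-style generator would pick it: the first frame
    with a usable symbol. Assumption: bare-address frames are skipped."""
    for f in frames:
        if not is_unmapped(f) and f["signature"]:
            return f["signature"]
    return frames[0]["signature"] if frames else ""

def triage(text):
    frames = parse_frames(text)
    jit = bool(frames) and is_unmapped(frames[0])
    return {"signature": reported_signature(frames),
            "faulting_pc": frames[0]["signature"] if frames else "",
            "jitcode_suspected": jit,
            "note": ("signature names the caller, not the crashing code; "
                     "cluster with EnterMethodJIT crashes" if jit else "")}

if __name__ == "__main__":
    print(triage(STACK))
```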

Updated

6 years ago
Blocks: 595351

Comment 8

6 years ago
(In reply to David Mandelin from comment #7)
> bhackett and I investigated a minidump. The stack signature is wrong--this
> is actually a jitcode crash. Something must have changed in our code or the
> way it interacts with breakpad to show this new signature. Anyway, that
> means it's really mostly a dup of the EnterMethodJIT crashes, although this
> may be a cluster of some particular kind of EnterMethodJIT crash.

Thanks Dave. Based upon your analysis that this won't have any more significant user impact in FF10 than FF9, we'll untrack.
tracking-firefox10: + → -
tracking-firefox11: + → -

Updated

6 years ago
Crash Signature: [@ js::PropertyCache::fill(JSContext*, JSObject*, unsigned int, JSObject*, js::Shape const*, int) ] → [@ js::PropertyCache::fill(JSContext*, JSObject*, unsigned int, JSObject*, js::Shape const*, int)] [@ js::PropertyCache::fill]
OS: Windows 7 → All
Hardware: x86 → All
Comment 9

https://crash-stats.mozilla.com/report/list?signature=js::PropertyCache::fill is still hanging around as a signature and has been increasing on the Mac side, but because volume is smaller on Mac I don't know what to make of it or whether we should be concerned at all.

js::PropertyCache::fill(JSContext*, JSObject*, unsigned int, JSObject*, js::Shape const*, int) signature seems to not be present at all in Firefox 11 so far.

Comment 10

6 years ago
There are 32 crashes in 13.0.
Crash Signature: [@ js::PropertyCache::fill(JSContext*, JSObject*, unsigned int, JSObject*, js::Shape const*, int)] [@ js::PropertyCache::fill] → [@ js::PropertyCache::fill(JSContext*, JSObject*, unsigned int, JSObject*, js::Shape const*, int)] [@ js::PropertyCache::fill(JSContext*, JSObject*, unsigned int, JSObject*, js::Shape const*)] [@ js::PropertyCache::fill]
Keywords: topcrash

Comment 11

5 years ago
There are only 3 crashes in 20.0 so let's close it.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WORKSFORME