Closed Bug 702901 Opened 14 years ago Closed 12 years ago

Crash in js::types::TypeScriptNesting::~TypeScriptNesting()

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
9 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox9 + ---
firefox10 + ---

People

(Reporter: scoobidiver, Unassigned)

Details

(Keywords: crash, regression)

Crash Data

It's #33 top crasher in 9.0b1. It first appeared in 9.0a1/20110908. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=09935ede3c77&tochange=b7d269a291b6 Stack traces look like: Frame Module Signature [Expand] Source 0 mozjs.dll js::types::TypeScriptNesting::~TypeScriptNesting js/src/jsinfer.cpp:5215 1 mozjs.dll js::types::TypeScript::destroy js/src/jsinfer.cpp:6095 2 mozjs.dll JSCompartment::sweep js/src/jscompartment.cpp:645 3 mozjs.dll SweepPhase js/src/jsgc.cpp:2309 4 mozjs.dll MarkAndSweep js/src/jsgc.cpp:2402 5 mozjs.dll GCCycle js/src/jsgc.cpp:2645 6 mozjs.dll js_GC js/src/jsgc.cpp:2731 7 mozjs.dll JS_CompartmentGC js/src/jsapi.cpp:2616 8 mozjs.dll JS_GC js/src/jsapi.cpp:2623 9 xul.dll nsXPConnect::Collect js/src/xpconnect/src/nsXPConnect.cpp:414 10 xul.dll nsXPConnect::GarbageCollect js/src/xpconnect/src/nsXPConnect.cpp:422 11 xul.dll nsJSContext::GarbageCollectNow dom/base/nsJSEnvironment.cpp:3189 12 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:424 13 xul.dll nsTimerEvent::Run xpcom/threads/nsTimerImpl.cpp:520 14 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:631 15 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:110 ... More reports at: https://crash-stats.mozilla.com/report/list?signature=js%3A%3Atypes%3A%3ATypeScriptNesting%3A%3A~TypeScriptNesting%28%29
It's now #20 top crasher in 9.0b2.
It's now #15 top crasher in 9.0b4 and #73 in 10.0a2. Here are some comments: "i'am just creating gmail account" "I was changing my Gmail Inbox Theme and then Firefox crashed." "using my gmail account .." "On Google Calendar, Clicking the dropdown submenu of my calendar caused this crash."
tracking-firefox9: --- → ?
A regression window would probably help here.
OS: Windows 7 → All
Hardware: x86 → All
(In reply to Andreas Gal :gal from comment #3) > A regression window would probably help here. See comment 0.
IIRC correctly Google started to introduce its new look for GMail around August-September. So if the error reports are about GMail, then the bug in our code could be exposed by those changes and the regression range is not applicable for hunting the bug.
QA - could we do some exploratory testing around Gmail? Thanks!
Keywords: qawanted
It looks like this signature has gone way down in 9.0b5 (or I'm just confused). In beta 4 there are 473 (out of 89k) crashes and in beta 5 there are 29 (out of 82k). The regression range is right around the time the TypeScriptNesting stuff landed, so I doubt GMail changes are directly involved. The TypeScriptNesting structures form a pretty straightforward N-ary tree threaded through a compartment's scripts. When a script is destroyed its nesting info is destroyed and unlinked from its parent and children. These crashes are due to state in either the script or the TypeScriptNesting being corrupted somewhere.
(In reply to Brian Hackett (:bhackett) from comment #8) > It looks like this signature has gone way down in 9.0b5 (or I'm just > confused). In beta 4 there are 473 (out of 89k) crashes and in beta 5 there > are 29 (out of 82k). The regression range is right around the time the > TypeScriptNesting stuff landed, so I doubt GMail changes are directly > involved. > > The TypeScriptNesting structures form a pretty straightforward N-ary tree > threaded through a compartment's scripts. When a script is destroyed its > nesting info is destroyed and unlinked from its parent and children. These > crashes are due to state in either the script or the TypeScriptNesting being > corrupted somewhere. Then this sounds similar to the script corruption we see in some of the GC crashes.
Resolution: WONTFIX → INVALID
Resolution: INVALID → WORKSFORME
You need to log in before you can comment on or make changes to this bug.