Crash in js::types::TypeSet::hasType

RESOLVED FIXED in mozilla16

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: Scoobidiver (away), Assigned: luke)

Tracking

({crash, regression, topcrash})

9 Branch
mozilla16
x86
Windows 7
crash, regression, topcrash
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(2 attachments)

(Reporter)

Description

6 years ago
It's #46 top crasher in 9.0b2 and #45 in 10.0a2 over the last 3 days.
It first appeared in 9.0a1/20110830.

There are three kinds of stack traces:
0 	mozjs.dll 	js::types::TypeSet::hasType 	js/src/jsinferinlines.h:925
1 	mozjs.dll 	js::types::TypeCompartment::markSetsUnknown 	js/src/jsinfer.cpp:2267
2 	mozjs.dll 	js::SetProto 	js/src/jsobj.cpp:4768
3 	mozjs.dll 	JS_SetPrototype 	js/src/jsapi.cpp:3102
4 	xul.dll 	nsJSContext::SetOuterObject 	dom/base/nsJSEnvironment.cpp:2320
5 	xul.dll 	nsGlobalWindow::SetNewDocument 	dom/base/nsGlobalWindow.cpp:2179
6 	xul.dll 	DocumentViewerImpl::InitInternal 	layout/base/nsDocumentViewer.cpp:959
7 	xul.dll 	DocumentViewerImpl::Init 	layout/base/nsDocumentViewer.cpp:702
8 	xul.dll 	nsDocShell::SetupNewViewer 	docshell/base/nsDocShell.cpp:7688
9 	xul.dll 	nsDocShell::Embed 	docshell/base/nsDocShell.cpp:5790
10 	xul.dll 	nsDocShell::CreateContentViewer 	docshell/base/nsDocShell.cpp:7475
11 	xul.dll 	nsDSURIContentListener::DoContent 	docshell/base/nsDSURIContentListener.cpp:147
...

Frame 	Module 	Signature [Expand] 	Source
0 	mozjs.dll 	js::types::TypeSet::hasType 	js/src/jsinferinlines.h:925
1 	mozjs.dll 	js::types::TypeMonitorResult 	js/src/jsinfer.cpp:5090
2 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2342
3 	mozjs.dll 	js::ContextStack::pushInvokeFrame 	js/src/vm/Stack.cpp:691
4 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:678
5 	mozjs.dll 	js_fun_apply 	js/src/jsfun.cpp:1885
6 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:660
7 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:4036
8 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:614
9 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:678
10 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:710
11 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5039
...

Frame 	Module 	Signature [Expand] 	Source
0 		@0x512b0cc 	
1 	mozjs.dll 	js::types::TypeSet::hasType 	js/src/jsinferinlines.h:943
2 	mozjs.dll 	js::mjit::EnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:1064
3 	mozjs.dll 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:1142
4 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:3989
5 	mozjs.dll 	js::types::TypeMonitorCallSlow 	js/src/jsinfer.cpp:5014
6 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:584
7 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:679
8 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5199
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Atypes%3A%3ATypeSet%3A%3AhasType%28js%3A%3Atypes%3A%3AType%29
Adding Brian and wondering if this is a dupe of Bug 683317.
(Reporter)

Comment 2

5 years ago
It's currently #38 top crasher in 9.0b4.
(Reporter)

Comment 3

5 years ago
It's #38 top browser crasher in 9.0.1, #35 in 10.0b2, #15 in 11.0a2, and #53 in 12.0a1.
Keywords: topcrash
(Reporter)

Comment 4

5 years ago
It's #10 top browser crasher in 10.0.1.

Here are 10.0.1 correlations reports on Feb 15:
     24% (105/433) vs.   0% (106/49762) {1c02736b-82fb-4096-8c46-2eac570216d3} (SetiTagila Toolbar)
     18% (79/433) vs.   1% (387/49762) adblockpopups@jessehakanen.net
     18% (78/433) vs.   1% (303/49762) SkipScreen@SkipScreen (SkipScreen, https://addons.mozilla.org/addon/11243)
     18% (80/433) vs.   1% (682/49762) elemhidehelper@adblockplus.org (Adblock Plus: Element Hiding Helper, https://addons.mozilla.org/addon/4364)
     17% (75/433) vs.   0% (164/49762) fastdial@telega.phpnet.us (Fast Dial, https://addons.mozilla.org/addon/5721)
     17% (74/433) vs.   1% (280/49762) vk@sergeykolosov.mp (VKontakte.ru Downloader)
(Reporter)

Comment 5

5 years ago
In 10.0.2, it's correlated to RadioWMPCoreGecko10.dll that belongs to various toolbars and a trojan (see http://home.mcafee.com/virusinfo/virusprofile.aspx?key=810626#none):
64% (174/270) vs.  13% (4401/34630) RadioWMPCoreGecko10.dll

Updated

5 years ago
Blocks: 730703
(Reporter)

Comment 6

5 years ago
It's still correlated with Conduit products:
* 10.0.2: 59% (298/508) vs.  11% (7780/70876) RadioWMPCoreGecko10.dll
* 11.0:    22% (42/190) vs.   8% (2918/34940) RadioWMPCoreGecko11.dll
(Reporter)

Comment 7

5 years ago
There's a spike in crashes starting from 16.0a1/20120606 making it #3 top crasher in this build. The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a7a905fd70d5&tochange=6338a8988917
Crash Signature: [@ js::types::TypeSet::hasType(js::types::Type) ] → [@ js::types::TypeSet::hasType(js::types::Type)] [@ js::types::TypeSet::hasType]
tracking-firefox16: --- → ?
It's easy to reproduce when browsing http://apina.biz/75302 (NSFW!) with a very recent Nightly for example. Or so I heard ;-)
The first bad revision is:
changeset:   95790:b863ef9946b8
user:        Luke Wagner <luke@mozilla.com>
date:        Thu Feb 23 13:59:10 2012 -0800
summary:     Bug 659577 - Don't alias stack variables (r=bhackett)
Blocks: 659577
(Assignee)

Comment 10

5 years ago
Thanks for finding STR!  This is a simple bug with a simple fix, but the conditions to catch it unfortunately require a browser, GC, the arguments object, so it went undetected.
(Assignee)

Comment 11

5 years ago
Created attachment 631462 [details] [diff] [review]
release script->types if gczeal

This patch just tweaks GC so that shell testing can reproduce this bug.  This should improve fuzzing coverage.  (Putting in a separate patch for bisection of any bugs this uncovers.)
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #631462 - Flags: review?(wmccloskey)
(Assignee)

Comment 12

5 years ago
Created attachment 631467 [details] [diff] [review]
ArgSetter needs to ensureTypes before calling TypeScript::SetArgument

This broke with bug 659577 because, before that patch, no ensureTypes was needed because the script had a live stack frame which would necessarily ensure it had types.
Attachment #631467 - Flags: review?(wmccloskey)
Attachment #631462 - Flags: review?(wmccloskey) → review+
Attachment #631467 - Flags: review?(wmccloskey) → review+
(Assignee)

Updated

5 years ago
Duplicate of this bug: 762137
(Assignee)

Comment 14

5 years ago
https://hg.mozilla.org/mozilla-central/rev/6cbb5b6e3da2
https://hg.mozilla.org/mozilla-central/rev/7d68b45776ff
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla16
(Assignee)

Updated

5 years ago
Duplicate of this bug: 762581
tracking-firefox16: ? → ---
You need to log in before you can comment on or make changes to this bug.