Bug 705423 - Crash in js::types::TypeSet::hasType
Status: RESOLVED FIXED
Keywords: crash, regression, topcrash
Product: Core
Classification: Components
Component: JavaScript Engine
Version: 9 Branch
Platform: x86 Windows 7
Importance: -- critical
Target Milestone: mozilla16
Assigned To: Luke Wagner [:luke]
Duplicates: 762137 762581
Depends on:
Blocks: 659577 730703
Reported: 2011-11-26 05:42 PST by Scoobidiver (away)
Modified: 2012-06-15 17:53 PDT
CC: 7 users


Attachments
release script->types if gczeal (606 bytes, patch), 2012-06-08 10:57 PDT, Luke Wagner [:luke], wmccloskey: review+
ArgSetter needs to ensureTypes before calling TypeScript::SetArgument (1.57 KB, patch), 2012-06-08 10:59 PDT, Luke Wagner [:luke], wmccloskey: review+

Description Scoobidiver (away) 2011-11-26 05:42:39 PST
It's #46 top crasher in 9.0b2 and #45 in 10.0a2 over the last 3 days.
It first appeared in 9.0a1/20110830.

There are three kinds of stack traces:

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::types::TypeSet::hasType 	js/src/jsinferinlines.h:925
1 	mozjs.dll 	js::types::TypeCompartment::markSetsUnknown 	js/src/jsinfer.cpp:2267
2 	mozjs.dll 	js::SetProto 	js/src/jsobj.cpp:4768
3 	mozjs.dll 	JS_SetPrototype 	js/src/jsapi.cpp:3102
4 	xul.dll 	nsJSContext::SetOuterObject 	dom/base/nsJSEnvironment.cpp:2320
5 	xul.dll 	nsGlobalWindow::SetNewDocument 	dom/base/nsGlobalWindow.cpp:2179
6 	xul.dll 	DocumentViewerImpl::InitInternal 	layout/base/nsDocumentViewer.cpp:959
7 	xul.dll 	DocumentViewerImpl::Init 	layout/base/nsDocumentViewer.cpp:702
8 	xul.dll 	nsDocShell::SetupNewViewer 	docshell/base/nsDocShell.cpp:7688
9 	xul.dll 	nsDocShell::Embed 	docshell/base/nsDocShell.cpp:5790
10 	xul.dll 	nsDocShell::CreateContentViewer 	docshell/base/nsDocShell.cpp:7475
11 	xul.dll 	nsDSURIContentListener::DoContent 	docshell/base/nsDSURIContentListener.cpp:147
...

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::types::TypeSet::hasType 	js/src/jsinferinlines.h:925
1 	mozjs.dll 	js::types::TypeMonitorResult 	js/src/jsinfer.cpp:5090
2 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2342
3 	mozjs.dll 	js::ContextStack::pushInvokeFrame 	js/src/vm/Stack.cpp:691
4 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:678
5 	mozjs.dll 	js_fun_apply 	js/src/jsfun.cpp:1885
6 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:660
7 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:4036
8 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:614
9 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:678
10 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:710
11 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5039
...

Frame 	Module 	Signature 	Source
0 		@0x512b0cc 	
1 	mozjs.dll 	js::types::TypeSet::hasType 	js/src/jsinferinlines.h:943
2 	mozjs.dll 	js::mjit::EnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:1064
3 	mozjs.dll 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:1142
4 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:3989
5 	mozjs.dll 	js::types::TypeMonitorCallSlow 	js/src/jsinfer.cpp:5014
6 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:584
7 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:679
8 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5199
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Atypes%3A%3ATypeSet%3A%3AhasType%28js%3A%3Atypes%3A%3AType%29
Comment 1 Marcia Knous [:marcia - use ni] 2011-11-26 17:27:38 PST
Adding Brian and wondering if this is a dupe of Bug 683317.
Comment 2 Scoobidiver (away) 2011-12-12 02:10:36 PST
It's currently #38 top crasher in 9.0b4.
Comment 3 Scoobidiver (away) 2012-01-06 05:54:03 PST
It's #38 top browser crasher in 9.0.1, #35 in 10.0b2, #15 in 11.0a2, and #53 in 12.0a1.
Comment 4 Scoobidiver (away) 2012-02-16 11:41:23 PST
It's #10 top browser crasher in 10.0.1.

Here are 10.0.1 correlations reports on Feb 15:
     24% (105/433) vs.   0% (106/49762) {1c02736b-82fb-4096-8c46-2eac570216d3} (SetiTagila Toolbar)
     18% (79/433) vs.   1% (387/49762) adblockpopups@jessehakanen.net
     18% (78/433) vs.   1% (303/49762) SkipScreen@SkipScreen (SkipScreen, https://addons.mozilla.org/addon/11243)
     18% (80/433) vs.   1% (682/49762) elemhidehelper@adblockplus.org (Adblock Plus: Element Hiding Helper, https://addons.mozilla.org/addon/4364)
     17% (75/433) vs.   0% (164/49762) fastdial@telega.phpnet.us (Fast Dial, https://addons.mozilla.org/addon/5721)
     17% (74/433) vs.   1% (280/49762) vk@sergeykolosov.mp (VKontakte.ru Downloader)
Comment 5 Scoobidiver (away) 2012-02-20 07:53:54 PST
In 10.0.2, it's correlated to RadioWMPCoreGecko10.dll that belongs to various toolbars and a trojan (see http://home.mcafee.com/virusinfo/virusprofile.aspx?key=810626#none):
64% (174/270) vs.  13% (4401/34630) RadioWMPCoreGecko10.dll
Comment 6 Scoobidiver (away) 2012-03-02 01:45:23 PST
It's still correlated with Conduit products:
* 10.0.2: 59% (298/508) vs.  11% (7780/70876) RadioWMPCoreGecko10.dll
* 11.0:    22% (42/190) vs.   8% (2918/34940) RadioWMPCoreGecko11.dll
Comment 7 Scoobidiver (away) 2012-06-06 12:24:09 PDT
There's a spike in crashes starting from 16.0a1/20120606 making it #3 top crasher in this build. The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a7a905fd70d5&tochange=6338a8988917
Comment 8 Gian-Carlo Pascutto [:gcp] 2012-06-07 11:18:49 PDT
It's easy to reproduce when browsing http://apina.biz/75302 (NSFW!) with a very recent Nightly for example. Or so I heard ;-)
Comment 9 Gian-Carlo Pascutto [:gcp] 2012-06-08 01:48:55 PDT
The first bad revision is:
changeset:   95790:b863ef9946b8
user:        Luke Wagner <luke@mozilla.com>
date:        Thu Feb 23 13:59:10 2012 -0800
summary:     Bug 659577 - Don't alias stack variables (r=bhackett)
Comment 10 Luke Wagner [:luke] 2012-06-08 10:55:29 PDT
Thanks for finding STR!  This is a simple bug with a simple fix, but the conditions to catch it unfortunately require a browser, GC, the arguments object, so it went undetected.
Comment 11 Luke Wagner [:luke] 2012-06-08 10:57:22 PDT
Created attachment 631462 [details] [diff] [review]
release script->types if gczeal

This patch just tweaks GC so that shell testing can reproduce this bug.  This should improve fuzzing coverage.  (Putting in a separate patch for bisection of any bugs this uncovers.)
Comment 12 Luke Wagner [:luke] 2012-06-08 10:59:27 PDT
Created attachment 631467 [details] [diff] [review]
ArgSetter needs to ensureTypes before calling TypeScript::SetArgument

This broke with bug 659577 because, before that patch, no ensureTypes was needed because the script had a live stack frame which would necessarily ensure it had types.
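The precondition failure Luke describes in comment 12, as an added illustration in C that is not SpiderMonkey code and not from either of this bug's patches: the names Script, TypeInfo, ensure_types, gc_release_types, set_argument_before_fix, set_argument_after_fix and replay are hypothetical stand-ins for script->types, ensureTypes, the gczeal GC tweak in attachment 631462 and the ArgSetter path into TypeScript::SetArgument; the value-kind bit written by the setter is constructed. The point it shows is that the old setter was correct only while a live frame guaranteed the type info existed, and that once the arguments object can outlive the frame and a GC can release the type info, the setter itself has to re-establish that guarantee.

```c
#include <stdio.h>
#include <stdlib.h>

#define NUM_ARGS 4

/* Hypothetical lazily allocated per-script type information (stand-in for script->types). */
typedef struct {
    unsigned arg_kinds[NUM_ARGS];   /* bitmask of value kinds observed for each argument */
} TypeInfo;

typedef struct {
    TypeInfo *types;   /* NULL until ensure_types() has run, or after GC released it */
    int live_frames;   /* frames currently executing this script */
} Script;

/* Stand-in for ensureTypes: allocate type info if it is missing. Returns 0 on OOM. */
static int ensure_types(Script *s) {
    if (s->types != NULL) return 1;
    s->types = calloc(1, sizeof *s->types);
    return s->types != NULL;
}

/* Stand-in for the GC behaviour attachment 631462 makes reproducible in the shell:
   type info of a script with no live frame may be released at any GC. */
static void gc_release_types(Script *s) {
    if (s->live_frames == 0) {
        free(s->types);
        s->types = NULL;
    }
}

/* Pre-fix ArgSetter analogue: writes through s->types assuming the caller ensured it.
   That held while a live frame was guaranteed; once the arguments object can outlive
   the frame, s->types may be NULL here. The real code had no check and crashed; this
   version reports the violated precondition instead of dereferencing NULL. */
static int set_argument_before_fix(Script *s, unsigned arg, unsigned kind) {
    if (s->types == NULL) return 0;  /* would be the crash site */
    s->types->arg_kinds[arg] |= kind;
    return 1;
}

/* Fixed analogue: re-establish the precondition before touching type info. */
static int set_argument_after_fix(Script *s, unsigned arg, unsigned kind) {
    if (!ensure_types(s)) return 0;  /* OOM, not a crash */
    s->types->arg_kinds[arg] |= kind;
    return 1;
}

/* Replays the shape of the STR from comment 10: enter the function (types ensured while
   the frame is live), return so the arguments object escapes, run a GC, then assign to
   an argument through the escaped arguments object. Returns the kinds recorded for that
   argument, or 0 if the setter failed. */
static unsigned replay(int (*setter)(Script *, unsigned, unsigned)) {
    Script s = { NULL, 0 };
    unsigned recorded = 0;

    s.live_frames = 1;                  /* call: frame pushed */
    if (!ensure_types(&s)) return 0;
    s.live_frames = 0;                  /* return: frame popped, `arguments` escaped */
    gc_release_types(&s);               /* GC drops the type info (gczeal makes this likely) */

    if (setter(&s, 1, 0x2))             /* arguments[1] = <value>; kind bit 0x2 is constructed */
        recorded = s.types->arg_kinds[1];
    free(s.types);
    return recorded;
}

int main(void) {
    printf("before fix: recorded=%u (0 means the setter found NULL type info)\n",
           replay(set_argument_before_fix));
    printf("after fix:  recorded=%u\n", replay(set_argument_after_fix));
    return 0;
}
```

Without the GC step the two setters behave identically, which is why the bug was invisible to shell tests until the gczeal patch made type info releasable for frameless scripts.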
Comment 13 Luke Wagner [:luke] 2012-06-08 11:44:56 PDT
*** Bug 762137 has been marked as a duplicate of this bug. ***
Comment 15 Luke Wagner [:luke] 2012-06-11 17:18:42 PDT
*** Bug 762581 has been marked as a duplicate of this bug. ***
