Closed Bug 705423 Opened 13 years ago Closed 13 years ago

Crash in js::types::TypeSet::hasType

Categories

(Core :: JavaScript Engine, defect)

9 Branch
x86
Windows 7
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla16

People

(Reporter: scoobidiver, Assigned: luke)

References

Details

(Keywords: crash, regression, topcrash)

Crash Data

Attachments

(2 files)

It's #46 top crasher in 9.0b2 and #45 in 10.0a2 over the last 3 days. It first appeared in 9.0a1/20110830. There are three kinds of stack traces:

Frame  Module     Signature                                    Source
0      mozjs.dll  js::types::TypeSet::hasType                  js/src/jsinferinlines.h:925
1      mozjs.dll  js::types::TypeCompartment::markSetsUnknown  js/src/jsinfer.cpp:2267
2      mozjs.dll  js::SetProto                                 js/src/jsobj.cpp:4768
3      mozjs.dll  JS_SetPrototype                              js/src/jsapi.cpp:3102
4      xul.dll    nsJSContext::SetOuterObject                  dom/base/nsJSEnvironment.cpp:2320
5      xul.dll    nsGlobalWindow::SetNewDocument               dom/base/nsGlobalWindow.cpp:2179
6      xul.dll    DocumentViewerImpl::InitInternal             layout/base/nsDocumentViewer.cpp:959
7      xul.dll    DocumentViewerImpl::Init                     layout/base/nsDocumentViewer.cpp:702
8      xul.dll    nsDocShell::SetupNewViewer                   docshell/base/nsDocShell.cpp:7688
9      xul.dll    nsDocShell::Embed                            docshell/base/nsDocShell.cpp:5790
10     xul.dll    nsDocShell::CreateContentViewer              docshell/base/nsDocShell.cpp:7475
11     xul.dll    nsDSURIContentListener::DoContent            docshell/base/nsDSURIContentListener.cpp:147
...

Frame  Module     Signature                                    Source
0      mozjs.dll  js::types::TypeSet::hasType                  js/src/jsinferinlines.h:925
1      mozjs.dll  js::types::TypeMonitorResult                 js/src/jsinfer.cpp:5090
2      mozjs.dll  js::Interpret                                js/src/jsinterp.cpp:2342
3      mozjs.dll  js::ContextStack::pushInvokeFrame            js/src/vm/Stack.cpp:691
4      mozjs.dll  js::InvokeKernel                             js/src/jsinterp.cpp:678
5      mozjs.dll  js_fun_apply                                 js/src/jsfun.cpp:1885
6      mozjs.dll  js::InvokeKernel                             js/src/jsinterp.cpp:660
7      mozjs.dll  js::Interpret                                js/src/jsinterp.cpp:4036
8      mozjs.dll  js::RunScript                                js/src/jsinterp.cpp:614
9      mozjs.dll  js::InvokeKernel                             js/src/jsinterp.cpp:678
10     mozjs.dll  js::Invoke                                   js/src/jsinterp.cpp:710
11     mozjs.dll  JS_CallFunctionValue                         js/src/jsapi.cpp:5039
...

Frame  Module     Signature                                    Source
0      @0x512b0cc
1      mozjs.dll  js::types::TypeSet::hasType                  js/src/jsinferinlines.h:943
2      mozjs.dll  js::mjit::EnterMethodJIT                     js/src/methodjit/MethodJIT.cpp:1064
3      mozjs.dll  js::mjit::JaegerShot                         js/src/methodjit/MethodJIT.cpp:1142
4      mozjs.dll  js::Interpret                                js/src/jsinterp.cpp:3989
5      mozjs.dll  js::types::TypeMonitorCallSlow               js/src/jsinfer.cpp:5014
6      mozjs.dll  js::RunScript                                js/src/jsinterp.cpp:584
7      mozjs.dll  js::Invoke                                   js/src/jsinterp.cpp:679
8      mozjs.dll  JS_CallFunctionValue                         js/src/jsapi.cpp:5199
...

More reports at: https://crash-stats.mozilla.com/report/list?signature=js%3A%3Atypes%3A%3ATypeSet%3A%3AhasType%28js%3A%3Atypes%3A%3AType%29
Adding Brian and wondering if this is a dupe of Bug 683317.
It's currently #38 top crasher in 9.0b4.
It's #38 top browser crasher in 9.0.1, #35 in 10.0b2, #15 in 11.0a2, and #53 in 12.0a1.
Keywords: topcrash
It's #10 top browser crasher in 10.0.1. Here are the 10.0.1 correlation reports on Feb 15:
  24% (105/433) vs. 0% (106/49762) {1c02736b-82fb-4096-8c46-2eac570216d3} (SetiTagila Toolbar)
  18% (79/433) vs. 1% (387/49762) adblockpopups@jessehakanen.net
  18% (78/433) vs. 1% (303/49762) SkipScreen@SkipScreen (SkipScreen, https://addons.mozilla.org/addon/11243)
  18% (80/433) vs. 1% (682/49762) elemhidehelper@adblockplus.org (Adblock Plus: Element Hiding Helper, https://addons.mozilla.org/addon/4364)
  17% (75/433) vs. 0% (164/49762) fastdial@telega.phpnet.us (Fast Dial, https://addons.mozilla.org/addon/5721)
  17% (74/433) vs. 1% (280/49762) vk@sergeykolosov.mp (VKontakte.ru Downloader)
In 10.0.2, it's correlated to RadioWMPCoreGecko10.dll, which belongs to various toolbars and a trojan (see http://home.mcafee.com/virusinfo/virusprofile.aspx?key=810626#none):
  64% (174/270) vs. 13% (4401/34630) RadioWMPCoreGecko10.dll
Blocks: 730703
It's still correlated with Conduit products:
  * 10.0.2: 59% (298/508) vs. 11% (7780/70876) RadioWMPCoreGecko10.dll
  * 11.0: 22% (42/190) vs. 8% (2918/34940) RadioWMPCoreGecko11.dll
There's a spike in crashes starting from 16.0a1/20120606 making it #3 top crasher in this build. The regression range for the spike is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a7a905fd70d5&tochange=6338a8988917
Crash Signature: [@ js::types::TypeSet::hasType(js::types::Type) ] → [@ js::types::TypeSet::hasType(js::types::Type)] [@ js::types::TypeSet::hasType]
It's easy to reproduce when browsing http://apina.biz/75302 (NSFW!) with a very recent Nightly for example. Or so I heard ;-)
The first bad revision is:
  changeset: 95790:b863ef9946b8
  user:      Luke Wagner <luke@mozilla.com>
  date:      Thu Feb 23 13:59:10 2012 -0800
  summary:   Bug 659577 - Don't alias stack variables (r=bhackett)
Blocks: 659577
Thanks for finding STR! This is a simple bug with a simple fix, but the conditions to catch it unfortunately require a browser, GC, and the arguments object, so it went undetected.
This patch just tweaks GC so that shell testing can reproduce this bug. This should improve fuzzing coverage. (Putting in a separate patch for bisection of any bugs this uncovers.)
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #631462 - Flags: review?(wmccloskey)
This broke with bug 659577 because, before that patch, no ensureTypes was needed because the script had a live stack frame which would necessarily ensure it had types.
Attachment #631467 - Flags: review?(wmccloskey)
Attachment #631462 - Flags: review?(wmccloskey) → review+
Attachment #631467 - Flags: review?(wmccloskey) → review+
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla16