Closed Bug 728705 Opened 13 years ago Closed 11 years ago

Crash @ js_ValueToAtom

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
11 Branch
Platform:
All
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox11 - affected
firefox12 - affected

People

(Reporter: scoobidiver, Unassigned)

References

Details

(Keywords: crash, reproducible)

Crash Data

It's a low volume crash but there's an increase of crashes from 13.0a1/20120216: 2012021803 12 2012021703 4 2012021603 3 2012021503 1 2012021403 1 The regression range is unclear but might be: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d45c7d7b0079&tochange=a853f4017192 Signature js_ValueToAtom(JSContext*, JS::Value const&, JSAtom**) More Reports Search UUID 39b2550d-4ef2-40fe-980c-2c3132120219 Date Processed 2012-02-19 00:47:30 Uptime 2170 Last Crash 1.9 weeks before submission Install Age 7.0 hours since version was first installed. Install Time 2012-02-18 20:50:50 Product Firefox Version 13.0a1 Build ID 20120218031156 Release Channel nightly OS Windows NT OS Version 6.1.7600 Build Architecture x86 Build Architecture Info AuthenticAMD family 15 model 79 stepping 2 Crash Reason EXCEPTION_ACCESS_VIOLATION_READ Crash Address 0x0 User Comments Was watching a livestream. App Notes AdapterVendorID: 0x10de, AdapterDeviceID: 0x0241, AdapterSubsysID: 01f41028, AdapterDriverVersion: 8.17.11.9621 D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- EMCheckCompatibility False Total Virtual Memory 2147352576 Available Virtual Memory 1727520768 System Memory Use Percentage 57 Available Page File 1891094528 Available Physical Memory 654848000 Frame Module Signature [Expand] Source 0 mozjs.dll js_ValueToAtom js/src/jsatominlines.h:73 1 mozjs.dll js::FetchElementId js/src/jsinterpinlines.h:695 2 mozjs.dll js::mjit::stubs::GetElem js/src/methodjit/StubCalls.cpp:199 3 mozjs.dll js::mjit::stubs::SetElem<0> js/src/methodjit/StubCalls.cpp:231 More reports at: https://crash-stats.mozilla.com/report/list?signature=js_ValueToAtom%28JSContext*%2C%20JS%3A%3AValue%20const%26%2C%20JSAtom**%29
I can reproduce this in the latest Firefox 11 beta, with these steps to reproduce: - In a Google Docs document, choose "Mail Contributers" - From that 'dialog', choose 'Choose from contact persons' - Choose one of the contacts you want to add, then press 'Done' Result: crash https://crash-stats.mozilla.com/report/index/bp-3a87bad9-8d22-473f-8eeb-127532120312
tracking-firefox11: --- → ?
Version: 13 Branch → 11 Branch
Ok, it turns out you need to have the about:config preference browser.link.open_newwindow.restriction set to 0, to trigger this crash.
The spike in 13 is gone. There are only 164 crashes across all versions over the last week.
Keywords: regressionreproducible
Confirmed STR in Beta 11. It doesn't crash in 13, though. Need to check 12 too.
status-firefox11: --- → affected
tracking-firefox11: ?+
tracking-firefox12: --- → +
status-firefox12: --- → affected
This is the changeset that fixed the problem: changeset: 83501:0d684c34d1e4 user: Olli Pettay <Olli.Pettay@helsinki.fi> date: Fri Dec 30 12:47:23 2011 +0200 summary: Bug 714162 - Don't traverse certainly alive selections, r=mccr8 I'm not sure it actually fixed the bug--given the title it might just be reducing the amount of CC traversals and thus giving fewer opportunities to crash. I'll look for the regressor next.
The bug appears to have been introduced here: changeset: 79966:366d80e91816 user: Chris Leary <cdleary@mozilla.com> date: Mon Nov 07 13:42:31 2011 -0800 summary: Bug 634654 - Add RegExpPrivate cache. (r=Waldo) I say "appears" because it repros in a different way for me: Firefox doesn't crash, it just exits. But it works fine on a build from the previous rev.
Blocks: 634654
Depends on: 714162
(In reply to David Mandelin from comment #5) > This is the changeset that fixed the problem: > > changeset: 83501:0d684c34d1e4 > user: Olli Pettay <Olli.Pettay@helsinki.fi> > date: Fri Dec 30 12:47:23 2011 +0200 > summary: Bug 714162 - Don't traverse certainly alive selections, r=mccr8 > > I'm not sure it actually fixed the bug--given the title it might just be > reducing the amount of CC traversals and thus giving fewer opportunities to > crash. I'll look for the regressor next. I would be very surprised if that bug really fixed this one.
Depends on: 735917
Spinning off the reproducible crash as bug 735917, so this can be reserved for the topcrash.
There have been no crashes for the last four weeks after 15.0.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.