Closed Bug 736815 Opened 11 years ago Closed 11 years ago

crash in js_ValueToBoolean

Product/Component: Core :: JavaScript Engine
Type: defect
Version: 14 Branch
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla14
Tracking Status: firefox14 + verified
Reporter: scoobidiver
Assignee: Unassigned
Keywords: crash, regression, topcrash

It's a residual crash but there's a spike in crashes from 14.0a1/20120317, all in 64-bit builds.
The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=e5f6caa40409&tochange=ecaad3ae9964
It might be a regression from bug 730497 or bug 733950.

64-bit stacks are various and probably buggy:
Frame 	Module 	Signature 	Source
0 	xul.dll 	js_ValueToBoolean 	js/src/jsbool.cpp:222
1 	xul.dll 	js::Interpret 	js/src/jsinterp.cpp:1938
2 	xul.dll 	js::mjit::stubs::TypeBarrierHelper 	js/src/methodjit/StubCalls.cpp:1651
...

Frame 	Module 	Signature 	Source
0 	xul.dll 	js_ValueToBoolean 	js/src/jsbool.cpp:222
1 	xul.dll 	js::Interpret 	js/src/jsinterp.cpp:1938
2 	xul.dll 	nsCSSRendering::PaintBackgroundWithSC 	layout/base/nsCSSRendering.cpp:2359

Frame 	Module 	Signature 	Source
0 	xul.dll 	js_ValueToBoolean 	js/src/jsbool.cpp:222
1 	xul.dll 	js::Interpret 	js/src/jsinterp.cpp:2389
2 	xul.dll 	nsGlobalWindow::QueryInterface 	dom/base/nsGlobalWindow.cpp:1398
3 	xul.dll 	SearchTable 	js/src/jsdhash.cpp:469
4 	nspr4.dll 	PR_ExitMonitor 	nsprpub/pr/src/threads/prmon.c:132
5 	xul.dll 	nsEventStateManager::PostHandleEvent 	content/events/src/nsEventStateManager.cpp:3460

Frame 	Module 	Signature 	Source
0 	xul.dll 	js_ValueToBoolean 	js/src/jsbool.cpp:222
1 	xul.dll 	js::Interpret 	js/src/jsinterp.cpp:1938
2 	nspr4.dll 	PR_GetCurrentThread 	nsprpub/pr/src/threads/prcthr.c:174
3 	nspr4.dll 	PR_GetCurrentThread 	nsprpub/pr/src/threads/prcthr.c:174
4 	xul.dll 	XPCCallContext::Init 	js/xpconnect/src/XPCCallContext.cpp:157
5 	xul.dll 	XPCCallContext::~XPCCallContext 	js/xpconnect/src/XPCCallContext.cpp:350
6 	xul.dll 	nsGlobalWindow::SetTimeoutOrInterval 	dom/base/nsGlobalWindow.cpp:9192
7 	xul.dll 	nsXPCWrappedJSClass::DelegatedQueryInterface 	js/xpconnect/src/XPCWrappedJSClass.cpp:785
8 	nspr4.dll 	PR_GetCurrentThread 	nsprpub/pr/src/threads/prcthr.c:174
...

Frame 	Module 	Signature 	Source
0 	xul.dll 	js_ValueToBoolean 	js/src/jsbool.cpp:222
1 	xul.dll 	js::Interpret 	js/src/jsinterp.cpp:1938
2 	KERNELBASE.dll 	SystemTimeToFileTime 	
3 	nspr4.dll 	PR_Unlock 	nsprpub/pr/src/threads/combined/prulock.c:347
4 	xul.dll 	nsJSContext::ScriptEvaluated 	dom/base/nsJSEnvironment.cpp:2967
5 	xul.dll 	nsRefPtr<nsIDOMEventListener>::~nsRefPtr<nsIDOMEventListener> 	obj-firefox/dist/include/nsAutoPtr.h:908
6 	xul.dll 	XPCCallContext::~XPCCallContext 	js/xpconnect/src/XPCCallContext.cpp:350
7 	xul.dll 	AutoScriptEvaluate::~AutoScriptEvaluate 	js/xpconnect/src/XPCWrappedJSClass.cpp:119
...

Frame 	Module 	Signature 	Source
0 	xul.dll 	js_ValueToBoolean 	js/src/jsbool.cpp:222
1 	xul.dll 	js::Interpret 	js/src/jsinterp.cpp:1914
2 	xul.dll 	XPCWrappedNative::GetWrappedNativeOfJSObject 	js/xpconnect/src/XPCWrappedNative.cpp:1773
3 	mozglue.dll 	arena_run_split 	memory/jemalloc/jemalloc.c:3333
4 	mozglue.dll 	choose_arena 	memory/jemalloc/jemalloc.c:2972
5 	mozglue.dll 	je_malloc 	memory/jemalloc/jemalloc.c:6299
6 	xul.dll 	js::TokenStream::getTokenInternal 	js/src/frontend/TokenStream.cpp:2143
7 	mozglue.dll 	choose_arena 	memory/jemalloc/jemalloc.c:2972
8 	xul.dll 	js_NewStringCopyN 	js/src/jsstr.cpp:3209
9 	xul.dll 	js::Parser::memberExpr 	js/src/frontend/Parser.cpp:5770
...

Frame 	Module 	Signature 	Source
0 	xul.dll 	js_ValueToBoolean 	js/src/jsbool.cpp:222
1 	xul.dll 	js::Interpret 	js/src/jsinterp.cpp:1914
2 	xul.dll 	xul.dll@0xd4baf 	
3 	mozglue.dll 	je_malloc 	memory/jemalloc/jemalloc.c:6299
4 	xul.dll 	js::TokenStream::getTokenInternal 	js/src/frontend/TokenStream.cpp:2143
5 	xul.dll 	js_NewStringCopyN 	js/src/jsstr.cpp:3209
6 	xul.dll 	js::Parser::memberExpr 	js/src/frontend/Parser.cpp:5770
...

Frame 	Module 	Signature 	Source
0 	xul.dll 	js_ValueToBoolean 	js/src/jsbool.cpp:222
1 	xul.dll 	js::Interpret 	js/src/jsinterp.cpp:1914
2 	xul.dll 	nsDocShell::QueryInterface 	docshell/base/nsDocShell.cpp:907
3 	mozglue.dll 	choose_arena 	memory/jemalloc/jemalloc.c:2972
4 	xul.dll 	nsDocShell::FindChildWithName 	docshell/base/nsDocShell.cpp:3315
5 	mozglue.dll 	je_malloc 	memory/jemalloc/jemalloc.c:6299
6 	xul.dll 	js::TokenStream::getTokenInternal 	js/src/frontend/TokenStream.cpp:2143
7 	mozglue.dll 	choose_arena 	memory/jemalloc/jemalloc.c:2972
8 	xul.dll 	js_NewStringCopyN 	js/src/jsstr.cpp:3209
9 	xul.dll 	js::Parser::memberExpr 	js/src/frontend/Parser.cpp:5770
...

More crash reports at:
https://crash-stats.mozilla.com/report/list?signature=js_ValueToBoolean%28JS%3A%3AValue+const%26%29

It's #6 top crasher in 14.0a1 over the last 3 days.

Keywords: topcrash

This is probably bug 737447 which has a reproducible url.

Depends on: 737447

Crash Signature: [@ js_ValueToBoolean(JS::Value const&)] → [@ js_ValueToBoolean(JS::Value const&)] [@ js_ValueToBoolean]
OS: Windows 7 → All
Hardware: x86_64 → All

I agree with comment 2.  The fix is on m-c and should be in the next nightly, so let's see if this spike goes down.

Dropped off to almost nothing following 3/22. What do we do with these when they go away? Do we close WFM? Take off tracking? Mark as dup?

The latest crash in the trunk happened in 14.0a1/20120322. The working range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=5c13fce74f83&tochange=ab2ff3b5611f
It was fixed by bug 737388, a dupe of bug 737447.

Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED

(In reply to David Mandelin from comment #4)
> Dropped off to almost nothing following 3/22. What do we do with these when
> they go away? Do we close WFM? Take off tracking? Mark as dup?

I'd usually go WFM if we don't know what fixed it, DUPE to the fix if we know what it was.


(In reply to Scoobidiver from comment #5)
> It was fixed by bug 737388, a dupe of bug 737447.

In that case, for correctness, it would have made sense to mark it as a dupe of the bug that contains the patch that landed and fixed this. I won't change around this one though, no need for bugspamming, the important fact is that it's RESOLVED. :)

(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #6)
> In that case, for correctness, it would have made sense to mark it as a dupe
> of the bug that contains the patch that landed and fixed this.

I would have done it but you can't do that for security sensitive bugs.

Target Milestone: --- → mozilla14

(In reply to Scoobidiver from comment #0)
> More crash reports at:
> https://crash-stats.mozilla.com/report/list?signature=js_ValueToBoolean%28JS%3A%3AValue+const%26%29

33 crashes in b6
23 in b7

Low volume of crashes - marking as verified for 14 based on crash stats.