Closed Bug 736815 Opened 13 years ago Closed 13 years ago

crash in js_ValueToBoolean

Categories

(Core :: JavaScript Engine, defect)

14 Branch
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla14
Tracking Status
firefox14 + verified

People

(Reporter: scoobidiver, Unassigned)

References

Details

(Keywords: crash, regression, topcrash)

Crash Data

It's a residual crash but there's a spike in crashes from 14.0a1/20120317, all in 64-bit builds. The regression range for the spike is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=e5f6caa40409&tochange=ecaad3ae9964 It might be a regression from bug 730497 or bug 733950. 64-bit stacks are various and probably buggy: Frame Module Signature [Expand] Source 0 xul.dll js_ValueToBoolean js/src/jsbool.cpp:222 1 xul.dll js::Interpret js/src/jsinterp.cpp:1938 2 xul.dll js::mjit::stubs::TypeBarrierHelper js/src/methodjit/StubCalls.cpp:1651 ... Frame Module Signature [Expand] Source 0 xul.dll js_ValueToBoolean js/src/jsbool.cpp:222 1 xul.dll js::Interpret js/src/jsinterp.cpp:1938 2 xul.dll nsCSSRendering::PaintBackgroundWithSC layout/base/nsCSSRendering.cpp:2359 Frame Module Signature [Expand] Source 0 xul.dll js_ValueToBoolean js/src/jsbool.cpp:222 1 xul.dll js::Interpret js/src/jsinterp.cpp:2389 2 xul.dll nsGlobalWindow::QueryInterface dom/base/nsGlobalWindow.cpp:1398 3 xul.dll SearchTable js/src/jsdhash.cpp:469 4 nspr4.dll PR_ExitMonitor nsprpub/pr/src/threads/prmon.c:132 5 xul.dll nsEventStateManager::PostHandleEvent content/events/src/nsEventStateManager.cpp:3460 Frame Module Signature [Expand] Source 0 xul.dll js_ValueToBoolean js/src/jsbool.cpp:222 1 xul.dll js::Interpret js/src/jsinterp.cpp:1938 2 nspr4.dll PR_GetCurrentThread nsprpub/pr/src/threads/prcthr.c:174 3 nspr4.dll PR_GetCurrentThread nsprpub/pr/src/threads/prcthr.c:174 4 xul.dll XPCCallContext::Init js/xpconnect/src/XPCCallContext.cpp:157 5 xul.dll XPCCallContext::~XPCCallContext js/xpconnect/src/XPCCallContext.cpp:350 6 xul.dll nsGlobalWindow::SetTimeoutOrInterval dom/base/nsGlobalWindow.cpp:9192 7 xul.dll nsXPCWrappedJSClass::DelegatedQueryInterface js/xpconnect/src/XPCWrappedJSClass.cpp:785 8 nspr4.dll PR_GetCurrentThread nsprpub/pr/src/threads/prcthr.c:174 ... Frame Module Signature [Expand] Source 0 xul.dll js_ValueToBoolean js/src/jsbool.cpp:222 1 xul.dll js::Interpret js/src/jsinterp.cpp:1938 2 KERNELBASE.dll SystemTimeToFileTime 3 nspr4.dll PR_Unlock nsprpub/pr/src/threads/combined/prulock.c:347 4 xul.dll nsJSContext::ScriptEvaluated dom/base/nsJSEnvironment.cpp:2967 5 xul.dll nsRefPtr<nsIDOMEventListener>::~nsRefPtr<nsIDOMEventListener> obj-firefox/dist/include/nsAutoPtr.h:908 6 xul.dll XPCCallContext::~XPCCallContext js/xpconnect/src/XPCCallContext.cpp:350 7 xul.dll AutoScriptEvaluate::~AutoScriptEvaluate js/xpconnect/src/XPCWrappedJSClass.cpp:119 ... Frame Module Signature [Expand] Source 0 xul.dll js_ValueToBoolean js/src/jsbool.cpp:222 1 xul.dll js::Interpret js/src/jsinterp.cpp:1914 2 xul.dll XPCWrappedNative::GetWrappedNativeOfJSObject js/xpconnect/src/XPCWrappedNative.cpp:1773 3 mozglue.dll arena_run_split memory/jemalloc/jemalloc.c:3333 4 mozglue.dll choose_arena memory/jemalloc/jemalloc.c:2972 5 mozglue.dll je_malloc memory/jemalloc/jemalloc.c:6299 6 xul.dll js::TokenStream::getTokenInternal js/src/frontend/TokenStream.cpp:2143 7 mozglue.dll choose_arena memory/jemalloc/jemalloc.c:2972 8 xul.dll js_NewStringCopyN js/src/jsstr.cpp:3209 9 xul.dll js::Parser::memberExpr js/src/frontend/Parser.cpp:5770 ... Frame Module Signature [Expand] Source 0 xul.dll js_ValueToBoolean js/src/jsbool.cpp:222 1 xul.dll js::Interpret js/src/jsinterp.cpp:1914 2 xul.dll xul.dll@0xd4baf 3 mozglue.dll je_malloc memory/jemalloc/jemalloc.c:6299 4 xul.dll js::TokenStream::getTokenInternal js/src/frontend/TokenStream.cpp:2143 5 xul.dll js_NewStringCopyN js/src/jsstr.cpp:3209 6 xul.dll js::Parser::memberExpr js/src/frontend/Parser.cpp:5770 ... Frame Module Signature [Expand] Source 0 xul.dll js_ValueToBoolean js/src/jsbool.cpp:222 1 xul.dll js::Interpret js/src/jsinterp.cpp:1914 2 xul.dll nsDocShell::QueryInterface docshell/base/nsDocShell.cpp:907 3 mozglue.dll choose_arena memory/jemalloc/jemalloc.c:2972 4 xul.dll nsDocShell::FindChildWithName docshell/base/nsDocShell.cpp:3315 5 mozglue.dll je_malloc memory/jemalloc/jemalloc.c:6299 6 xul.dll js::TokenStream::getTokenInternal js/src/frontend/TokenStream.cpp:2143 7 mozglue.dll choose_arena memory/jemalloc/jemalloc.c:2972 8 xul.dll js_NewStringCopyN js/src/jsstr.cpp:3209 9 xul.dll js::Parser::memberExpr js/src/frontend/Parser.cpp:5770 ... More crash reports at: https://crash-stats.mozilla.com/report/list?signature=js_ValueToBoolean%28JS%3A%3AValue+const%26%29
It's #6 top crasher in 14.0a1 over the last 3 days.
Keywords: topcrash
This is probably bug 737447 which has a reproducible url.
Depends on: 737447
Crash Signature: [@ js_ValueToBoolean(JS::Value const&)] → [@ js_ValueToBoolean(JS::Value const&)] [@ js_ValueToBoolean]
OS: Windows 7 → All
Hardware: x86_64 → All
I agree with comment 2. The fix is on m-c and should be in the next nightly, so let's see if this spike goes down.
Dropped off to almost nothing following 3/22. What do we do with these when they go away? Do we close WFM? Take off tracking? Mark as dup?
The latest crash in the trunk happened in 14.0a1/20120322. The working range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=5c13fce74f83&tochange=ab2ff3b5611f It was fixed by bug 737388, a dupe of bug 737447.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
(In reply to David Mandelin from comment #4) > Dropped off to almost nothing following 3/22. What do we do with these when > they go away? Do we close WFM? Take off tracking? Mark as dup? I'd usually go WFM if we don't know what fixed it, DUPE to the fix if we know what it was. (In reply to Scoobidiver from comment #5) > It was fixed by bug 737388, a dupe of bug 737447. In that case, for correctness, it would have made sense to mark it as a dupe of the bug that contains the patch that landed and fixed this. I won't change around this one though, no need for bugspamming, the important fact is that it's RESOLVED. :)
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #6) > In that case, for correctness, it would have made sense to mark it as a dupe > of the bug that contains the patch that landed and fixed this. I would have done it but you can't do that for security sensitive bugs.
Target Milestone: --- → mozilla14
(In reply to Scoobidiver from comment #0) > More crash reports at: > https://crash-stats.mozilla.com/report/ > list?signature=js_ValueToBoolean%28JS%3A%3AValue+const%26%29 33 crashes in b6 23 in b7 Low volume of crashes - marking as verified for 14 based on crash stats.
You need to log in before you can comment on or make changes to this bug.