Closed Bug 744986 Opened 13 years ago Closed 12 years ago

Crash in js_AtomizeChars

Categories

(Core :: JavaScript Engine, defect)

Version: 14 Branch
Hardware: All
OS: Windows 7
Type: defect
Priority: Not set
Severity: critical

RESOLVED WORKSFORME

People

(Reporter: scoobidiver, Unassigned)

Details

(Keywords: crash, regression, Whiteboard: [native-crash][startupcrash])

Crash Data

It first appeared in 14.0a1/20120330. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1965a2c89d61&tochange=92fe907ddac8
It's less frequent after 14.0a1/20120402.

Signature: js_AtomizeChars(JSContext*, wchar_t const*, unsigned __int64, js::InternBehavior)
UUID: d7491098-fac7-43ca-b6ba-42be72120411
Date Processed: 2012-04-11 08:32:35
Uptime: 0
Last Crash: 3 seconds before submission
Install Age: 5.6 hours since version was first installed.
Install Time: 2012-04-11 02:56:31
Product: Firefox
Version: 14.0a1
Build ID: 20120410075652
Release Channel: nightly
OS: Windows NT
OS Version: 6.1.7601 Service Pack 1
Build Architecture: amd64
Build Architecture Info: family 6 model 37 stepping 5
Crash Reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash Address: 0x848f000
App Notes: AdapterVendorID: 0x10de, AdapterDeviceID: 0x0ca3, AdapterSubsysID: 00000000, AdapterDriverVersion: 8.17.12.9573 D2D? D2D+ DWrite? DWrite+
EMCheckCompatibility: True
Total Virtual Memory: 8796092891136
Available Virtual Memory: 8795821010944
System Memory Use Percentage: 18
Available Page File: 23664754688
Available Physical Memory: 6881722368

Frame  Module   Signature         Source
0      xul.dll  js_AtomizeChars   js/src/jsatom.cpp:459
1      xul.dll  js::XDRAtom<1>    js/src/jsatom.cpp:685
2      xul.dll  js::XDRScript<1>  js/src/jsscript.cpp:679

More reports at: https://crash-stats.mozilla.com/report/list?signature=js_AtomizeChars%28JSContext*%2C+wchar_t+const*%2C+unsigned+__int64%2C+js%3A%3AInternBehavior%29
Crash Signature: [@ js_AtomizeChars(JSContext*, wchar_t const*, unsigned __int64, js::InternBehavior)] → [@ js_AtomizeChars(JSContext*, wchar_t const*, unsigned __int64, js::InternBehavior)] [@ js::detail::HashTable<js::AtomStateEntry const, js::HashSet<js::AtomStateEntry, js::AtomHasher, js::SystemAllocPolicy>::SetOps js::SystemAllocPolicy>::lookupForAdd(j…
Hardware: x86_64 → All
Summary: 64-bit crash in js_AtomizeChars → Crash in js_AtomizeChars
This crash seems not to be too common any more. Is that correct? Initial investigation: It's crashing because js::XDRAtom<1> tries to atomize a bad char array. This ultimately crashes when a hash table tries to hash the chars. It looks like XDR is reading outside of its buffer. Not sure if that would be because of OOM or because of a malformed XDR file. Many of these are on startup, which makes me lean toward the latter, but it's kind of weak evidence.
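As an added illustration of the failure mode described in the comment above (a decoder that reads past the end of its XDR buffer while decoding an atom), here is a bounds-checked reader for a simplified, hypothetical XDR-style atom record. This is example code, not SpiderMonkey's XDR implementation; the wire layout (a 32-bit little-endian code-unit count followed by UTF-16LE code units) is an assumption made for the example.

```cpp
// Added example, not SpiderMonkey code. Hypothetical wire layout:
//   uint32 (little-endian) count of char16_t code units, then that many
//   UTF-16LE code units. Every read is checked against `end` first, so a
//   malformed or truncated record fails cleanly instead of reading out of
//   bounds and handing a bad char array to the atomizer.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

struct XdrReader {
    const uint8_t* cur;
    const uint8_t* end;

    size_t remaining() const { return static_cast<size_t>(end - cur); }

    bool readU32(uint32_t* out) {
        if (remaining() < 4) return false;  // truncated length field
        *out = static_cast<uint32_t>(cur[0]) | (static_cast<uint32_t>(cur[1]) << 8) |
               (static_cast<uint32_t>(cur[2]) << 16) | (static_cast<uint32_t>(cur[3]) << 24);
        cur += 4;
        return true;
    }

    // Decode one atom record into `out`; returns false on malformed input.
    bool readAtom(std::u16string* out) {
        uint32_t len;
        if (!readU32(&len)) return false;
        // Compare the claimed count against what is actually left (in code
        // units, so len * 2 can never overflow) before touching any chars.
        if (len > remaining() / 2) return false;
        out->clear();
        out->reserve(len);
        for (uint32_t i = 0; i < len; ++i) {
            out->push_back(static_cast<char16_t>(cur[2 * i] | (cur[2 * i + 1] << 8)));
        }
        cur += static_cast<size_t>(len) * 2;
        return true;
    }
};

bool decodeAtom(const std::vector<uint8_t>& buf, std::u16string* out) {
    XdrReader r{buf.data(), buf.data() + buf.size()};
    return r.readAtom(out);
}

// Constructed sample records for the example.
std::vector<uint8_t> goodRecord() { return {2, 0, 0, 0, 'h', 0, 'i', 0}; }     // len 2, "hi"
std::vector<uint8_t> badRecord()  { return {0xff, 0xff, 0xff, 0x7f, 'h', 0}; }  // len 0x7fffffff, 2 bytes
```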
Is bp-c9b21de5-63a2-40ad-a6cd-e73b12120426 on FennecAndroid related to this bug?
(In reply to Scoobidiver from comment #3)
> Is bp-c9b21de5-63a2-40ad-a6cd-e73b12120426 on FennecAndroid related to
> this bug?

Looks like it probably is the same bug.
Crash Signature: js::SystemAllocPolicy>::lookupForAdd(js::AtomHasher::Lookup const&)] → js::SystemAllocPolicy>::lookupForAdd(js::AtomHasher::Lookup const&)] [@ js::XDRAtom<(js::XDRMode)1u>]
Whiteboard: [startupcrash] → [native-crash][startupcrash]
There have been no crashes for the last four weeks after 18.0.2.
Status: NEW → RESOLVED
Crash Signature: [@ js_AtomizeChars(JSContext*, wchar_t const*, unsigned __int64, js::InternBehavior)] [@ js::detail::HashTable<js::AtomStateEntry const, js::HashSet<js::AtomStateEntry, js::AtomHasher, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::lookupForAdd(… → [@ js_AtomizeChars(JSContext*, wchar_t const*, unsigned __int64, js::InternBehavior)] [@ js_AtomizeChars(JSContext*, wchar_t const*, unsigned int, js::InternBehavior) ] [@ js_AtomizeChars ] [@ js::detail::HashTable<js::AtomStateEntry const, js::HashSet…
Closed: 12 years ago
Resolution: --- → WORKSFORME