Crash in js_AtomizeChars

RESOLVED WORKSFORME

Severity: critical

People

(Reporter: scoobidiver, Unassigned)

Tracking

Keywords: crash, regression
Version: 14 Branch
Hardware: All
OS: Windows 7

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [native-crash][startupcrash], crash signature)

(Reporter)

Description

7 years ago
It first appeared in 14.0a1/20120330. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1965a2c89d61&tochange=92fe907ddac8
It's less frequent after 14.0a1/20120402.

Signature	js_AtomizeChars(JSContext*, wchar_t const*, unsigned __int64, js::InternBehavior)
UUID	d7491098-fac7-43ca-b6ba-42be72120411
Date Processed	2012-04-11 08:32:35
Uptime	0
Last Crash	3 seconds before submission
Install Age	5.6 hours since version was first installed.
Install Time	2012-04-11 02:56:31
Product	Firefox
Version	14.0a1
Build ID	20120410075652
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	amd64
Build Architecture Info	family 6 model 37 stepping 5
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x848f000
App Notes 	
AdapterVendorID: 0x10de, AdapterDeviceID: 0x0ca3, AdapterSubsysID: 00000000, AdapterDriverVersion: 8.17.12.9573
D2D? D2D+ DWrite? DWrite+ 
EMCheckCompatibility	True
Total Virtual Memory	8796092891136
Available Virtual Memory	8795821010944
System Memory Use Percentage	18
Available Page File	23664754688
Available Physical Memory	6881722368

Frame 	Module 	Signature 	Source
0 	xul.dll 	js_AtomizeChars 	js/src/jsatom.cpp:459
1 	xul.dll 	js::XDRAtom<1> 	js/src/jsatom.cpp:685
2 	xul.dll 	js::XDRScript<1> 	js/src/jsscript.cpp:679

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js_AtomizeChars%28JSContext*%2C+wchar_t+const*%2C+unsigned+__int64%2C+js%3A%3AInternBehavior%29
(Reporter)

Comment 1

7 years ago
I found the related 32-bit crash signature that has stopped spiking after 14.0a1/20120402:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Adetail%3A%3AHashTable%3Cjs%3A%3AAtomStateEntry+const%2C+js%3A%3AHashSet%3Cjs%3A%3AAtomStateEntry%2C+js%3A%3AAtomHasher%2C+js%3A%3ASystemAllocPolicy%3E%3A%3ASetOps%2C+js%3A%3ASystemAllocPolicy%3E%3A%3AlookupForAdd%28js%3A%3AAtomHasher%3A%3ALookup+const%26%29
Crash Signature: [@ js_AtomizeChars(JSContext*, wchar_t const*, unsigned __int64, js::InternBehavior)] → [@ js_AtomizeChars(JSContext*, wchar_t const*, unsigned __int64, js::InternBehavior)] [@ js::detail::HashTable<js::AtomStateEntry const, js::HashSet<js::AtomStateEntry, js::AtomHasher, js::SystemAllocPolicy>::SetOps js::SystemAllocPolicy>::lookupForAdd(j…
Hardware: x86_64 → All
Summary: 64-bit crash in js_AtomizeChars → Crash in js_AtomizeChars

This crash seems not to be too common any more. Is that correct?

Initial investigation: It's crashing because js::XDRAtom<1> tries to atomize a bad char array. This ultimately crashes when a hash table tries to hash the chars. It looks like XDR is reading outside of its buffer. Not sure if that would be because of OOM or because of a malformed XDR file. Many of these are on startup, which makes me lean toward the latter, but it's kind of weak evidence.
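The diagnosis in comment 2 (XDR reading outside its buffer and then handing a bad char array to the atomizer) comes down to a serialized length field that is trusted without being checked against the input that is actually left. The following is an added illustration in C, not SpiderMonkey's XDR code and not anything attached to this bug: a toy XDR-style atom decoder whose record format (a little-endian u32 char count followed by that many 16-bit chars) is constructed for the example. It shows the check that rejects a truncated or oversized record with an error instead of reading past the end of the buffer, and it exercises that check on a well-formed record, a truncated one, and one whose length field is far larger than the input.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example: a minimal XDR-style read cursor over a byte buffer.
 * This is not SpiderMonkey's XDR code; it is a stand-alone illustration. */
typedef struct {
    const uint8_t *buf;
    size_t len;   /* total bytes in buf */
    size_t pos;   /* next unread byte; invariant pos <= len */
} XdrCursor;

typedef enum { XDR_OK = 0, XDR_TRUNCATED = 1, XDR_TOO_LONG = 2 } XdrStatus;

/* Read a little-endian u32, failing if fewer than 4 bytes remain. */
static XdrStatus xdr_read_u32(XdrCursor *c, uint32_t *out) {
    if (c->len - c->pos < 4) return XDR_TRUNCATED;
    const uint8_t *p = c->buf + c->pos;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    c->pos += 4;
    return XDR_OK;
}

/* Decode one serialized atom: u32 char count, then that many 16-bit chars.
 * `out` holds `cap` chars. The decoder refuses to produce a chars/length pair
 * that extends past the end of the input, which is the failure comment 2
 * describes (atomizing chars that were read from outside the XDR buffer). */
XdrStatus xdr_decode_atom(XdrCursor *c, uint16_t *out, size_t cap, size_t *nchars) {
    uint32_t n;
    XdrStatus st = xdr_read_u32(c, &n);
    if (st != XDR_OK) return st;

    size_t remaining = c->len - c->pos;
    /* Compare in units of chars so n * 2 cannot overflow a 32-bit size_t. */
    if ((size_t)n > remaining / 2) return XDR_TRUNCATED;
    if ((size_t)n > cap) return XDR_TOO_LONG;

    for (size_t i = 0; i < n; i++) {
        const uint8_t *p = c->buf + c->pos + 2 * i;
        out[i] = (uint16_t)(p[0] | (p[1] << 8));
    }
    c->pos += 2 * (size_t)n;
    *nchars = n;
    return XDR_OK;
}

/* Convenience wrapper: decode a single atom from a raw byte array. */
XdrStatus decode_from_bytes(const uint8_t *bytes, size_t len,
                            uint16_t *out, size_t cap, size_t *nchars) {
    XdrCursor c = { bytes, len, 0 };
    return xdr_decode_atom(&c, out, cap, nchars);
}

/* Constructed sample records (not taken from any real XDR file). */
static const uint8_t GOOD[]      = { 3,0,0,0, 'f',0, 'o',0, 'o',0 }; /* "foo" */
static const uint8_t TRUNCATED[] = { 3,0,0,0, 'f',0, 'o',0 };        /* claims 3 chars, carries 2 */
static const uint8_t HUGE[]      = { 0xff,0xff,0xff,0xff, 'x',0 };   /* count 0xFFFFFFFF, 2 bytes of data */

int main(void) {
    uint16_t chars[16];
    size_t n = 0;
    XdrStatus st;

    st = decode_from_bytes(GOOD, sizeof GOOD, chars, 16, &n);
    printf("good:      status=%d nchars=%zu\n", st, n);
    st = decode_from_bytes(TRUNCATED, sizeof TRUNCATED, chars, 16, &n);
    printf("truncated: status=%d\n", st);
    st = decode_from_bytes(HUGE, sizeof HUGE, chars, 16, &n);
    printf("huge:      status=%d\n", st);
    return 0;
}
```

The point of the example is the order of operations: the length is validated against `remaining` before any char is read, and the comparison is done in char units rather than computing `n * 2`, so an attacker-sized or merely corrupted count cannot turn into an out-of-bounds read the way the stack in this report suggests.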
(Reporter)

Comment 3

7 years ago
Is bp-c9b21de5-63a2-40ad-a6cd-e73b12120426 on FennecAndroid related to this bug?
(In reply to Scoobidiver from comment #3)
> Is bp-c9b21de5-63a2-40ad-a6cd-e73b12120426 on FennecAndroid related to
> this bug?

Looks like it probably is the same bug.
(Reporter)

Updated

7 years ago
Crash Signature: [@ js_AtomizeChars(JSContext*, wchar_t const*, unsigned __int64, js::InternBehavior)] [@ js::detail::HashTable<js::AtomStateEntry const, js::HashSet<js::AtomStateEntry, js::AtomHasher, js::SystemAllocPolicy>::SetOps js::SystemAllocPolicy>::lookupForAdd(j… → [@ js_AtomizeChars(JSContext*, wchar_t const*, unsigned __int64, js::InternBehavior)] [@ js::detail::HashTable<js::AtomStateEntry const, js::HashSet<js::AtomStateEntry, js::AtomHasher, js::SystemAllocPolicy>::SetOps js::SystemAllocPolicy>::lookupForAdd(j…
Whiteboard: [startupcrash] → [native-crash][startupcrash]
(Reporter)

Comment 5

5 years ago
There have been no crashes for the last four weeks after 18.0.2.
Status: NEW → RESOLVED
Crash Signature: [@ js_AtomizeChars(JSContext*, wchar_t const*, unsigned __int64, js::InternBehavior)] [@ js::detail::HashTable<js::AtomStateEntry const, js::HashSet<js::AtomStateEntry, js::AtomHasher, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::lookupForAdd(… → [@ js_AtomizeChars(JSContext*, wchar_t const*, unsigned __int64, js::InternBehavior)] [@ js_AtomizeChars(JSContext*, wchar_t const*, unsigned int, js::InternBehavior) ] [@ js_AtomizeChars ] [@ js::detail::HashTable<js::AtomStateEntry const, js::HashSet…
Last Resolved: 5 years ago
Resolution: --- → WORKSFORME