Closed Bug 756796 Opened 13 years ago Closed 13 years ago

crash in TypeConstraintPropagateThis::newType

Product/Component: Core :: JavaScript Engine
Type: defect
Version: 15 Branch
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla15
Reporter: scoobidiver
Assignee: Unassigned


With 200 crashes an hour, it's #1 top crasher in today's build. It first appeared in 15.0a1/20120519. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=e794cef56df6&tochange=642d1a36702f

Almost all comments are related to Facebook.

Signature: TypeConstraintPropagateThis::newType(JSContext*, js::types::TypeSet*, js::types::Type)

UUID: c9cc51e0-acfa-4ffe-8bc0-b92fa2120519
Date Processed: 2012-05-19 17:07:12
Uptime: 5259
Last Crash: more than 3 months before submission
Install Age: 1.5 hours since version was first installed.
Install Time: 2012-05-19 15:39:25
Product: Firefox
Version: 15.0a1
Build ID: 20120519030527
Release Channel: nightly
OS: Windows NT
OS Version: 6.1.7600
Build Architecture: x86
Build Architecture Info: GenuineIntel family 6 model 23 stepping 6
Crash Reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash Address: 0xffffffffdadadada
App Notes: AdapterVendorID: 0x10de, AdapterDeviceID: 0x0dc4, AdapterSubsysID: 085a10de, AdapterDriverVersion: 8.17.12.7533 D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+
EMCheckCompatibility: True
Total Virtual Memory: 2147352576
Available Virtual Memory: 1526779904
System Memory Use Percentage: 58
Available Page File: 2127355904
Available Physical Memory: 885227520

Frame  Module     Signature                                          Source
0      mozjs.dll  TypeConstraintPropagateThis::newType               js/src/jsinfer.cpp:1259
1      mozjs.dll  js::types::TypeCompartment::resolvePending         js/src/jsinferinlines.h:843
2      mozjs.dll  js::types::TypeSet::add                            js/src/jsinfer.cpp:429
3      mozjs.dll  js::types::TypeSet::addPropagateThis               js/src/jsinfer.cpp:752
4      mozjs.dll  js::analyze::ScriptAnalysis::analyzeTypesBytecode  js/src/jsinfer.cpp:3564
5      mozjs.dll  js::analyze::ScriptAnalysis::analyzeTypes          js/src/jsinfer.cpp:4151
6      mozjs.dll  JSScript::ensureRanInference                       js/src/jsinferinlines.h:1485
7      mozjs.dll  js::mjit::Compiler::checkAnalysis                  js/src/methodjit/Compiler.cpp:178
8      mozjs.dll  js::mjit::Compiler::performCompilation             js/src/methodjit/Compiler.cpp:535
9      mozjs.dll  js::mjit::Compiler::compile                        js/src/methodjit/Compiler.cpp:146
10     mozjs.dll  js::mjit::CanMethodJIT                             js/src/methodjit/Compiler.cpp:1000
11     mozjs.dll  js::RunScript                                      js/src/jsinterp.cpp:291
12     mozjs.dll  js::InvokeKernel                                   js/src/jsinterp.cpp:359
13     mozjs.dll  js::Invoke                                         js/src/jsinterp.cpp:391
14     mozjs.dll  JS_CallFunctionValue                               js/src/jsapi.cpp:5473
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=TypeConstraintPropagateThis%3A%3AnewType%28JSContext*%2C+js%3A%3Atypes%3A%3ATypeSet*%2C+js%3A%3Atypes%3A%3AType%29
https://crash-stats.mozilla.com/report/list?signature=TypeConstraintPropagateThis%3A%3AnewType
I can reproduce this using Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:15.0) Gecko/15.0 Firefox/15.0a1.

STR:
1. Load maps.google.com and enable WebGL
2. Map out a set of directions
3. Go to street view and pan around

I was able to crash following these steps but I crashed in other instances as well. You will find it is not that hard to crash on that site.

https://crash-stats.mozilla.com/report/index/bp-7327e7fd-07d7-49e3-91d9-ced552120519
Keywords: reproducible
Appears very frequently and consistently. This bug is also very annoying. Recommend you change the importance to Blocker. Hope a fix is under way. I don't want this bug to last for more than a day or I'll really be disappointed. Thanks.
liyc_oliver, developers are on weekend. Please use the stable version of Firefox you can download from http://www.mozilla.org/firefox
Pardon me, but for such a critical bug, there is definitely one developer in the whole world willing to sacrifice their weekend to fix it, right? If I had enough coding experience, I would definitely sacrifice my weekend to fix it. Especially when so many f-words are coming out in the crash signatures comment tab. :#
Would be helpful to derive the exact changeset that caused this by using mozilla-inbound builds. Also, I believe that bug 756797 with its signatures is the same thing, probably all caused by a single thing that landed in the JS engine on Friday.
Bug 755604 is also a possibility.
liyc_oliver: It does not take a lot of coding experience to compile Firefox from source code (almost none, in fact). If you can compile it from source code, you can run 'hg bisect'. Once you run hg bisect for a few hours, you will have identified the regressing changeset. Once the regressing changeset has been identified, the sheriff can consider backing it out, and the JS team will be able to focus on fixing the bug rather than hunting for the regressing changeset.
Regression window (m-i)

Not crash:
http://hg.mozilla.org/integration/mozilla-inbound/rev/b72c41ab1bd3
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/15.0 Firefox/15.0a1 ID:20120518095652

Crashes:
http://hg.mozilla.org/integration/mozilla-inbound/rev/1e18c991b40c
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/15.0 Firefox/15.0a1 ID:20120518103652

Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=b72c41ab1bd3&tochange=1e18c991b40c

Suspected:
5232403e7b8f Till Schneidereit — Bug 755604 - Incrementalize JSCompartment::markTypes. r=billm
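Added example (not part of the bug thread, and not Mozilla or Mercurial code): the bisection suggested in the 'hg bisect' comment and the regression window posted after it, modelled as a linear search that also handles revisions that cannot be built. Only the first, last and suspected changeset ids come from this bug; the placeholder ids, their ordering and the simulated probe are assumptions.

```python
# Added illustration, not Mozilla or Mercurial code: a linear simplification of
# what `hg bisect` does between a known-good and a known-bad revision.

# Constructed push order. Only the first, last and suspected ids come from the
# bug; the "placeholder-N" entries are made up.
WINDOW = [
    "b72c41ab1bd3",   # reported as not crashing
    "placeholder-1",
    "placeholder-2",
    "5232403e7b8f",   # suspected changeset (Bug 755604)
    "placeholder-3",
    "placeholder-4",
    "1e18c991b40c",   # reported as crashing
]


def bisect(revs, probe):
    """Narrow the first bad revision.

    revs[0] is known good and revs[-1] known bad. probe(rev) stands in for
    "build this revision and run the steps to reproduce" and returns "good",
    "bad" or "skip" (revision could not be built or tested).
    Returns (candidates, tested): the revisions that may be the first bad one,
    and the (revision, verdict) pairs in the order they were probed.
    """
    lo, hi = 0, len(revs) - 1
    skipped, tested = set(), []
    while True:
        untested = [i for i in range(lo + 1, hi) if i not in skipped]
        if not untested:
            break
        mid = (lo + hi) // 2
        i = min(untested, key=lambda j: abs(j - mid))  # closest to midpoint
        verdict = probe(revs[i])
        tested.append((revs[i], verdict))
        if verdict == "good":
            lo = i
        elif verdict == "bad":
            hi = i
        else:
            skipped.add(i)
    # Skipped revisions between the last good and first bad one stay suspects.
    return revs[lo + 1:hi + 1], tested


def make_probe(first_bad, unbuildable=()):
    """Simulated test: crashes from `first_bad` onward in WINDOW order."""
    cut = WINDOW.index(first_bad)
    def probe(rev):
        if rev in unbuildable:
            return "skip"
        return "bad" if WINDOW.index(rev) >= cut else "good"
    return probe
```

With every revision testable, three probes isolate a single changeset; when a neighbouring revision has to be skipped, the result is a short candidate list rather than one id.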
Blocks: 755604
This seems to be caused by bug 755604 indeed - sorry! A likely fix is in bug 756851. I'm re-building now to verify and will post an update afterwards.
The likely fix is now compiling on the try servers: https://tbpl.mozilla.org/?tree=Try&rev=786e061ae7f3
My testing confirms the fix and try server looks green so far. If anyone's interested, here are try builds containing the fix: http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/tschneidereit@gmail.com-786e061ae7f3/
I cannot reproduce the crash using that build on my Mac following my STR in Comment 2.

(In reply to Till Schneidereit [:till] from comment #14)
> My testing confirms the fix and try server looks green so far.
>
> If anyone's interested, here are try builds containing the fix:
> http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/tschneidereit@gmail.com-786e061ae7f3/
Depends on: 756851
Bug seems fixed in version 21/5/2012 Nightly. Great job guys!
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla15