Bug 756796 - crash in TypeConstraintPropagateThis::newType
Status: RESOLVED FIXED
: crash, regression, reproducible, topcrash
Product: Core
Classification: Components
Component: JavaScript Engine
: 15 Branch
: All All
: -- critical with 1 vote
: mozilla15
Assigned To: general
: Jason Orendorff [:jorendorff]
: 756793 756826
Depends on: 756851
Blocks: 755604
Reported: 2012-05-19 10:28 PDT by Scoobidiver (away)
Modified: 2012-05-21 10:22 PDT

Description Scoobidiver (away) 2012-05-19 10:28:36 PDT
With 200 crashes an hour, it's #1 top crasher in today's build.
It first appeared in 15.0a1/20120519. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=e794cef56df6&tochange=642d1a36702f
Almost all comments are related to Facebook.

Signature 	TypeConstraintPropagateThis::newType(JSContext*, js::types::TypeSet*, js::types::Type)
UUID	c9cc51e0-acfa-4ffe-8bc0-b92fa2120519
Date Processed	2012-05-19 17:07:12
Uptime	5259
Last Crash	more than 3 months before submission
Install Age	1.5 hours since version was first installed.
Install Time	2012-05-19 15:39:25
Product	Firefox
Version	15.0a1
Build ID	20120519030527
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7600
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 23 stepping 6
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0xffffffffdadadada
App Notes 	
AdapterVendorID: 0x10de, AdapterDeviceID: 0x0dc4, AdapterSubsysID: 085a10de, AdapterDriverVersion: 8.17.12.7533
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
EMCheckCompatibility	True	
Total Virtual Memory	2147352576
Available Virtual Memory	1526779904
System Memory Use Percentage	58
Available Page File	2127355904
Available Physical Memory	885227520

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	TypeConstraintPropagateThis::newType 	js/src/jsinfer.cpp:1259
1 	mozjs.dll 	js::types::TypeCompartment::resolvePending 	js/src/jsinferinlines.h:843
2 	mozjs.dll 	js::types::TypeSet::add 	js/src/jsinfer.cpp:429
3 	mozjs.dll 	js::types::TypeSet::addPropagateThis 	js/src/jsinfer.cpp:752
4 	mozjs.dll 	js::analyze::ScriptAnalysis::analyzeTypesBytecode 	js/src/jsinfer.cpp:3564
5 	mozjs.dll 	js::analyze::ScriptAnalysis::analyzeTypes 	js/src/jsinfer.cpp:4151
6 	mozjs.dll 	JSScript::ensureRanInference 	js/src/jsinferinlines.h:1485
7 	mozjs.dll 	js::mjit::Compiler::checkAnalysis 	js/src/methodjit/Compiler.cpp:178
8 	mozjs.dll 	js::mjit::Compiler::performCompilation 	js/src/methodjit/Compiler.cpp:535
9 	mozjs.dll 	js::mjit::Compiler::compile 	js/src/methodjit/Compiler.cpp:146
10 	mozjs.dll 	js::mjit::CanMethodJIT 	js/src/methodjit/Compiler.cpp:1000
11 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:291
12 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:359
13 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:391
14 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5473
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=TypeConstraintPropagateThis%3A%3AnewType%28JSContext*%2C+js%3A%3Atypes%3A%3ATypeSet*%2C+js%3A%3Atypes%3A%3AType%29
https://crash-stats.mozilla.com/report/list?signature=TypeConstraintPropagateThis%3A%3AnewType
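
Added triage example, not part of the original report or of Mozilla's crash-stats tooling: the crash address above is one byte repeated, which is what a pointer loaded from pattern-filled memory looks like. The sketch parses the report's own fields, masks the sign-extended x86 address and checks for a fill pattern; the mapping of 0xDA to SpiderMonkey's JS_FREE_PATTERN and all function names are assumptions of this example.

```python
# Constructed from the Crash Reason / Crash Address / Build Architecture
# fields of the report above (tab-separated key/value lines).
REPORT = (
    "Crash Reason\tEXCEPTION_ACCESS_VIOLATION_READ\n"
    "Crash Address\t0xffffffffdadadada\n"
    "Build Architecture\tx86\n"
)

# Assumption added for this example (not stated in the bug): 0xDA is
# SpiderMonkey's JS_FREE_PATTERN, the byte written over freed memory.
KNOWN_FILL = {0xDA: "JS_FREE_PATTERN (freed SpiderMonkey memory)"}


def parse_fields(text):
    """Split 'Key<TAB>Value' lines into a dict, ignoring other lines."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("\t")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def fill_byte(address, width, slack=0xFFF):
    """Return the repeated byte if address is a fill pattern (plus a small
    field offset), else None. 0x00/0xFF are null/-1 derefs, not poison."""
    top = address >> (8 * (width - 1))
    pattern = int.from_bytes(bytes([top]) * width, "big")
    if top in (0x00, 0xFF) or abs(address - pattern) > slack:
        return None
    return top


def triage(text):
    f = parse_fields(text)
    width = 4 if f.get("Build Architecture") == "x86" else 8
    # 32-bit addresses can arrive sign-extended to 64 bits; mask them.
    address = int(f["Crash Address"], 16) & ((1 << (8 * width)) - 1)
    byte = fill_byte(address, width)
    default = "not a fill pattern" if byte is None else "unknown fill"
    return {
        "address": hex(address),
        "access": f["Crash Reason"].rsplit("_", 1)[-1].lower(),
        "fill_byte": byte,
        "meaning": KNOWN_FILL.get(byte, default),
    }
```

A read through a pointer that itself consists of the free-fill byte suggests the object holding that pointer had already been released; the slack parameter lets the check also catch a field access at a small offset from the pattern.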
Comment 1 Scoobidiver (away) 2012-05-19 10:29:46 PDT
*** Bug 756793 has been marked as a duplicate of this bug. ***
Comment 2 Marcia Knous [:marcia - use ni] 2012-05-19 12:12:51 PDT
I can reproduce this using Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:15.0) Gecko/15.0 Firefox/15.0a1.

STR:
1. Load maps.google.com and enable WebGL
2. Map out a set of directions
3. Go to street view and pan around

I was able to crash following these steps but I crashed in other instances as well. You will find it is not that hard to crash on that site. https://crash-stats.mozilla.com/report/index/bp-7327e7fd-07d7-49e3-91d9-ced552120519
Comment 3 Matthias Versen [:Matti] 2012-05-19 16:36:11 PDT
*** Bug 756826 has been marked as a duplicate of this bug. ***
Comment 4 liyc_oliver 2012-05-19 23:13:19 PDT
Appears very frequently and consistently. This bug is also very annoying. Recommend you change the importance to Blocker. Hope a fix is under way. I don't want this bug to last for more than a day or I'll really be disappointed. Thanks.
Comment 5 Scoobidiver (away) 2012-05-20 02:33:35 PDT
liyc_oliver, developers are on weekend. Please use the stable version of Firefox you can download from http://www.mozilla.org/firefox
Comment 6 liyc_oliver 2012-05-20 05:37:55 PDT
Pardon me, but for such a critical bug, there is definitely one developer in the whole world willing to sacrifice their weekend to fix it right? If I had enough coding experience, I would definitely sacrifice my weekend to fix it. Especially when so many f-words are coming out in the crash signatures comment tab. :#
Comment 7 Robert Kaiser 2012-05-20 06:26:12 PDT
Would be helpful to derive the exact changeset that caused this by using mozilla-inbound builds.

Also, I believe that bug 756797 with its signatures is the same thing, probably all caused by a single thing that landed in the JS engine on Friday.
Comment 8 :Ms2ger (⌚ UTC+1/+2) 2012-05-20 06:34:17 PDT
I'd expect it to come from <http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9dab33fa5ff4&tochange=642d1a36702f>, so one of luke's patches seems likely.
Comment 9 Andrew McCreight [:mccr8] 2012-05-20 06:40:27 PDT
Bug 755604 is also a possibility.
Comment 10 Wesley W. Garland 2012-05-20 06:45:13 PDT
liyc_oliver: It does not take a lot of coding experience to compile Firefox from source code (almost none, in fact).  If you can compile it from source code, you can run 'hg bisect'.

Once you run hg bisect for a few hours, you will have identified the regressing changeset.

Once the regressing changeset has been identified, the sheriff can consider backing it out, and the JS team will be able to focus on fixing the bug rather than hunting for the regressing changeset.
Comment 11 Alice0775 White 2012-05-20 09:31:40 PDT
Regression window(m-i)
Not crash
http://hg.mozilla.org/integration/mozilla-inbound/rev/b72c41ab1bd3
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/15.0 Firefox/15.0a1 ID:20120518095652
Crashes:
http://hg.mozilla.org/integration/mozilla-inbound/rev/1e18c991b40c
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/15.0 Firefox/15.0a1 ID:20120518103652
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=b72c41ab1bd3&tochange=1e18c991b40c


Suspected:
5232403e7b8f	Till Schneidereit — Bug 755604 - Incrementalize JSCompartment::markTypes. r=billm
Comment 12 Till Schneidereit [till] (pto until Dec 5) 2012-05-20 10:24:18 PDT
This seems to be caused by bug 755604 indeed - sorry!

A likely fix is in bug 756851. I'm re-building now to verify and will post an update afterwards.
Comment 13 Till Schneidereit [till] (pto until Dec 5) 2012-05-20 10:35:37 PDT
The likely fix is now compiling on the try servers: https://tbpl.mozilla.org/?tree=Try&rev=786e061ae7f3
Comment 14 Till Schneidereit [till] (pto until Dec 5) 2012-05-20 11:53:46 PDT
My testing confirms the fix and try server looks green so far.

If anyone's interested, here are try builds containing the fix: http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/tschneidereit@gmail.com-786e061ae7f3/
Comment 15 Marcia Knous [:marcia - use ni] 2012-05-20 13:15:02 PDT
I cannot reproduce the crash using that build on my Mac following my STR in Comment 2.

(In reply to Till Schneidereit [:till] from comment #14)
> My testing confirms the fix and try server looks green so far.
> 
> If anyone's interested, here are try builds containing the fix:
> http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/tschneidereit@gmail.com-786e061ae7f3/
Comment 16 liyc_oliver 2012-05-21 07:13:20 PDT
Bug seems fixed in version 21/5/2012 Nightly. Great job guys!
Comment 17 Till Schneidereit [till] (pto until Dec 5) 2012-05-21 09:51:47 PDT
This is indeed fixed by http://hg.mozilla.org/mozilla-central/rev/fb3036d9b9e6
