crash in js::NameOperation

RESOLVED WORKSFORME

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED WORKSFORME
Reported: 6 years ago
Modified: 4 years ago

People

Reporter: marcia
Assignee: Unassigned

Tracking

Version: 15 Branch
Platform: x86, Windows NT
Keywords: crash, regression
Points: ---

Firefox Tracking Flags

(firefox15+)

Details

(Whiteboard: [js:waitingforinfo][js:p3], crash signature)

(Reporter)

Description

6 years ago
This bug was filed from the Socorro interface and is 
report bp-af20eb0c-2066-43ff-86c5-17cc42120614 .
============================================================= 

Seen while looking at crash stats. https://crash-stats.mozilla.com/report/list?signature=js::NameOperation%28JSContext*,%20unsigned%20char*,%20JS::Value*%29

Crashes started showing up using the 2012060704 build. Crashes exist on other branches but the volume is higher on Aurora. Not sure if this is another morphing JS signature.

Here are some correlations on Aurora:
js::NameOperation(JSContext*, unsigned char*, JS::Value*)|EXCEPTION_ACCESS_VIOLATION_EXEC (29 crashes)
     38% (11/29) vs.  12% (749/6231) {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} (Adblock Plus, https://addons.mozilla.org/addon/1865)
     14% (4/29) vs.   1% (34/6231) {B17C1C5A-04B1-11DB-9804-B622A1EF5492} (Password Exporter, https://addons.mozilla.org/addon/2848)
     14% (4/29) vs.   3% (164/6231) {1018e4d6-728f-4b20-ad56-37578a4de76b} (Flagfox, https://addons.mozilla.org/addon/5791)
     10% (3/29) vs.   0% (4/6231) keefox@chris.tomlinson
     10% (3/29) vs.   0% (5/6231) csscoverage@spaghetticoder.org (CSS Usage, https://addons.mozilla.org/addon/10704)
     10% (3/29) vs.   0% (6/6231) pl@dictionaries.addons.mozilla.org (Polish Spellchecker Dictionary, https://addons.mozilla.org/addon/3052)
     10% (3/29) vs.   0% (7/6231) {11483926-db67-4190-91b1-ef20fcec5f33} (FxIF, https://addons.mozilla.org/addon/5673)
     10% (3/29) vs.   0% (11/6231) optout@google.com
     10% (3/29) vs.   0% (13/6231) player@vividas.com
     10% (3/29) vs.   0% (13/6231) {aff87fa2-a58e-4edd-b852-0a20203c1e17} (gTranslate, https://addons.mozilla.org/addon/918)
     10% (3/29) vs.   0% (15/6231) fiddlerhook@fiddler2.com
     10% (3/29) vs.   0% (20/6231) yslow@yahoo-inc.com (YSlow, https://addons.mozilla.org/addon/5369)
     10% (3/29) vs.   0% (21/6231) jid0-GXjLLfbCoAx0LcltEdFrEkQdQPI@jetpack
     10% (3/29) vs.   0% (27/6231) {e3f6c2cc-d8db-498c-af6c-499fb211db97}
     10% (3/29) vs.   0% (28/6231) {8f8fe09b-0bd3-4470-bc1b-8cad42b8203a} (Live HTTP Headers, https://addons.mozilla.org/addon/3829)
     10% (3/29) vs.   1% (34/6231) rainbow@colors.org (Rainbow, https://addons.mozilla.org/addon/14328)
     10% (3/29) vs.   1% (43/6231) autopager@mozilla.org (AutoPager, https://addons.mozilla.org/addon/4925)
     10% (3/29) vs.   1% (58/6231) {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
     10% (3/29) vs.   1% (77/6231) {c45c406e-ab73-11d8-be73-000a95be3b12} (Web Developer, https://addons.mozilla.org/addon/60)
     10% (3/29) vs.   1% (82/6231) {46551EC9-40F0-4e47-8E18-8E5CF550CFB8} (Stylish, https://addons.mozilla.org/addon/2108)
     10% (3/29) vs.   3% (195/6231) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843)
      7% (2/29) vs.   0% (5/6231) IplextoALL@ALLPlayer.org
     10% (3/29) vs.   4% (270/6231) {e4a8a97b-f2ed-450b-b12d-ee082ba24781} (Greasemonkey, https://addons.mozilla.org/addon/748)
      7% (2/29) vs.   2% (100/6231) {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b} (Easy YouTube Video Downloader, https://addons.mozilla.org/addon/10137)
     86% (25/29) vs.  81% (5044/6231) testpilot@labs.mozilla.com (Mozilla Labs - Test Pilot, https://addons.mozilla.org/addon/13661)
    100% (29/29) vs.  95% (5919/6231) {972ce4c6-7e08-4474-a285-3208198ce6fd} (Default, https://addons.mozilla.org/addon/8150)


Frame 	Module 	Signature 	Source
0 		@0x12a55dfc 	
1 	mozjs.dll 	js::NameOperation 	js/src/jsinterpinlines.h:374
2 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2556
3 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:326
4 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:358
5 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5515
6 	xul.dll 	nsJSContext::CallEventHandler 	dom/base/nsJSEnvironment.cpp:1899
7 	xul.dll 	nsGlobalWindow::RunTimeout 	dom/base/nsGlobalWindow.cpp:9161
8 	xul.dll 	nsGlobalWindow::TimerCallback 	dom/base/nsGlobalWindow.cpp:9549
9 	xul.dll 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:473
10 	nspr4.dll 	nspr4.dll@0x8c2f 	
11 	xul.dll 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:556
12 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:624
13 	xul.dll 	mozilla::ipc::RPCChannel::DequeueTask::`scalar deleting destructor' 	
14 	nspr4.dll 	_MD_CURRENT_THREAD 	nsprpub/pr/src/md/windows/w95thred.c:276
15 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:82
16 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:201
17 	xul.dll 	nsAttrAndChildArray::RemoveAttrAt 	content/base/src/nsAttrAndChildArray.cpp:431
18 	xul.dll 	nsBaseAppShell::Run 	widget/xpwidgets/nsBaseAppShell.cpp:163
19 		@0xd8b13f
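
Added example (not part of the bug report, and not Socorro's own code): a way to read the add-on correlation rows above by computing, for each row, the lift and a one-sided hypergeometric tail probability. It assumes the first fraction counts crashes with this signature that had the add-on and the second counts all crashes in the comparison set, with the signature crashes being a subset of that set; the function names are hypothetical.

```python
import re
from math import comb

# Four rows quoted from the Aurora correlation list in the Description above.
SAMPLE = """\
     38% (11/29) vs.  12% (749/6231) {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} (Adblock Plus, https://addons.mozilla.org/addon/1865)
     10% (3/29) vs.   0% (4/6231) keefox@chris.tomlinson
     86% (25/29) vs.  81% (5044/6231) testpilot@labs.mozilla.com (Mozilla Labs - Test Pilot, https://addons.mozilla.org/addon/13661)
    100% (29/29) vs.  95% (5919/6231) {972ce4c6-7e08-4474-a285-3208198ce6fd} (Default, https://addons.mozilla.org/addon/8150)
"""

# Assumed row layout: pct (k/n) vs. pct (K/N) add-on-id [optional name and URL]
ROW = re.compile(r"\d+% \((\d+)/(\d+)\) vs\.\s+\d+% \((\d+)/(\d+)\)\s+(\S+)")

def tail_p(k, n, K, N):
    """P(X >= k): chance of seeing at least k add-on crashes among n drawn
    at random from N crashes of which K have the add-on."""
    hits = sum(comb(K, i) * comb(N - K, n - i) for i in range(k, min(n, K) + 1))
    return hits / comb(N, n)

def rank(text):
    """Parse correlation rows and sort them from most to least surprising."""
    rows = []
    for line in text.splitlines():
        m = ROW.search(line)
        if not m:
            continue  # skip headers and blank lines
        k, n, K, N = map(int, m.groups()[:4])
        rows.append({"addon": m.group(5), "in_sig": k, "sig_total": n,
                     "lift": (k / n) / (K / N), "p": tail_p(k, n, K, N)})
    return sorted(rows, key=lambda r: r["p"])

if __name__ == "__main__":
    for r in rank(SAMPLE):
        print(f'{r["addon"]:45} {r["in_sig"]}/{r["sig_total"]}'
              f'  lift={r["lift"]:7.1f}  p={r["p"]:.2e}')
```

Rows such as Test Pilot and the Default theme have the highest percentages but sit at the population baseline, so they carry no signal. A row built on three reports can still rank first, so a low p-value here is a prompt to inspect those reports, not proof that the add-on is the cause.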

Comment 1

6 years ago
It stopped spiking after 16.0a1/20120605. The working range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a7a905fd70d5&tochange=6338a8988917
Hoping the fix will land in Aurora.

Updated

6 years ago
Keywords: regression

Updated

6 years ago
tracking-firefox13: --- → ?

Comment 2

6 years ago
It's #627 top browser crasher in 13.0, #566 in 14.0b6, #28 in 15.0a2, #306 in 16.0a1.

It started spiking around 15.0a1/20120601. The regression range for the spike might be:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3aa566994890&tochange=73783bf75c4c
tracking-firefox15: --- → ?

Updated

6 years ago
tracking-firefox13: ? → ---
tracking-firefox15: ? → +

Comment 3

Looks like it might be scope chain stuff. Luke, could you have a look at this?
Whiteboard: [js:inv:p2]

Comment 4

6 years ago
(In reply to David Mandelin from comment #3)
Perhaps.  The scope chain stuff was in the fixed range which would suggest that it might have fixed a bug introduced by a previous scope patch, but there were none in the range where the spike started.

The crash seems to be a corrupted fp->scopeChain (multiple crash addresses) which could have any number of causes.  I tried clicking on various URLs in Aurora but no immediate crashes.  I'm not sure how to proceed without STR or some way to bisect.

Comment 5

Thanks, Luke. Alex, what do you think--it's fixed in 16, and Luke's saying we'd have to look at many potential causes to figure anything out, so I'm inclined to take it off the list.

Updated

6 years ago
status-firefox16: --- → unaffected
Whiteboard: [js:inv:p2] → [js:waitingforinfo][js:p3]

Comment 6

6 years ago
I add a new signature that appeared in 16.0a1/20120629 with the following regression range:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=bf8f2961d0cc&tochange=4a8e0d5fc954

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3ANameOperation%28JSContext*%2C+JSScript*%2C+unsigned+char*%2C+JS%3A%3AValue*%29
Crash Signature: [@ js::NameOperation(JSContext*, unsigned char*, JS::Value*)] → [@ js::NameOperation(JSContext*, unsigned char*, JS::Value*)] [@ js::NameOperation(JSContext*, JSScript*, unsigned char*, JS::Value*)]
status-firefox16: unaffected → ---

Comment 7

6 years ago
It's #24 top browser crasher in 15.0a2.
Keywords: topcrash

Comment 8

6 years ago
(In reply to David Mandelin [:dmandelin] from comment #5)
> Thanks, Luke. Alex, what do you think--it's fixed in 16, and Luke's saying
> we'd have to look at many potential causes to figure anything out, so I'm
> inclined to take it off the list.

Sorry for the delayed response. I've added needURLs and qawanted for QA to try to reproduce on XP with some of the add-ons listed above.

Dave/Luke - is the JS code changed in 15 (regression) & 16 (fix) too large to do code inspection for likely causes? If so, we could speculatively back out early in the beta cycle.
Keywords: needURLs, qawanted

Comment 9

6 years ago
I don't think we know what the regressing JS code change is.
(Reporter)

Updated

6 years ago
Keywords: needURLs

Comment 11

This has risen to #17 on the top crash list now. Can we try to reproduce this crash in QA?
(Reporter)

Updated

6 years ago
QA Contact: mozillamarcia.knous
(Reporter)

Comment 12

6 years ago
Here is some more information relating to OS/Version for js::NameOperation(JSContext*, unsigned char*, JS::Value*) which has ~1300 crashes in the last week across all versions:

Operating System    Percentage    Number Of Crashes
Windows XP          56.933 %      698
Windows 7           37.031 %      454
Windows Vista        5.057 %      62
Windows 8            0.571 %      7
Windows Unknown      0.408 %      5

Product    Version    Percentage    Number Of Crashes
Firefox    15.0b1     52.773 %      647
Firefox    15.0a2     19.250 %      236
Firefox    13.0.1     10.196 %      125
Firefox    14.0.1      7.259 %      89
Firefox    14.0b12     6.444 %      79

http://wiadomosci.onet.pl/ is probably the most represented URL but so far I have not been able to crash yet. Also looking for addon/module correlations.

Comment 13

(In reply to Alex Keybl [:akeybl] from comment #11)
> This has risen to #17 on the top crash list now. Can we try to reproduce
> this crash in QA?

I looked at the reports more closely, and now I see that the crashes are actually in jitcode, so this is really a dup of EnterMethodJIT/JaegerShot. I think the address of NameOperation is just appearing on the stack sometimes and confusing the stackwalker.

Comment 14

Based upon Dave's comment 13, we need to focus on getting steps to reproduce here. Perhaps somebody familiar with Polish on Windows will have more luck.

Marcoos/Leszek - would you mind trying to reproduce, or shooting this out to others to see if they can reproduce?
Blocks: 595351
(Reporter)

Comment 15

6 years ago
A few of the comments such as this one mention Fireshot:

https://crash-stats.mozilla.com/report/index/4d2e74fe-1126-4904-9739-102982120802

"trying to copy a big web page with embedded video to PDF via Fireshot"

I will look at manual correlations to see if that bears any fruit.
(Reporter)

Comment 16

6 years ago
Updated correlations from various branches:

From Beta:
js::NameOperation(JSContext*, unsigned char*, JS::Value*)|EXCEPTION_ACCESS_VIOLATION_EXEC (119 crashes)
     32% (38/119) vs.   7% (4241/59062) {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} (Adblock Plus, https://addons.mozilla.org/addon/1865)
      8% (10/119) vs.   0% (105/59062) IplextoALL@ALLPlayer.org

From 14.0.1:

js::NameOperation(JSContext*, unsigned char*, JS::Value*)|EXCEPTION_ACCESS_VIOLATION_READ (32 crashes)
     22% (7/32) vs.   4% (7342/174847) {b9db16a4-6edc-47ec-a1f4-b86292ed211d} (Video DownloadHelper, https://addons.mozilla.org/addon/3006)
     22% (7/32) vs.   8% (13572/174847) {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} (Adblock Plus, https://addons.mozilla.org/addon/1865)
     13% (4/32) vs.   1% (1829/174847) {DDC359D1-844A-42a7-9AA1-88A850A938A8} (DownThemAll!, https://addons.mozilla.org/addon/201)
      9% (3/32) vs.   0% (354/174847) {0b457cAA-602d-484a-8fe7-c1d894a011ba} (FireShot, https://addons.mozilla.org/addon/5648)
      9% (3/32) vs.   0% (681/174847) {77b819fa-95ad-4f2c-ac7c-486b356188a9} (IE Tab, https://addons.mozilla.org/addon/1419)
      9% (3/32) vs.   1% (1126/174847) foxmarks@kei.com (Xmarks (formerly Foxmarks), https://addons.mozilla.org/addon/2410)
      9% (3/32) vs.   1% (1720/174847) mozilla_cc@internetdownloadmanager.com (IDM CC, https://addons.mozilla.org/addon/6973)
      9% (3/32) vs.   1% (1888/174847) ffxtlbra@softonic.com
      9% (3/32) vs.   2% (3689/174847) {e4a8a97b-f2ed-450b-b12d-ee082ba24781} (Greasemonkey, https://addons.mozilla.org/addon/748)
     13% (4/32) vs.   5% (9165/174847) ffxtlbr@babylon.com
      9% (3/32) vs.   3% (4645/174847) ffxtlbr@funmoods.com
      6% (2/32) vs.   0% (131/174847) newtaburl@sogame.cat (NewTabURL, https://addons.mozilla.org/addon/2221)
      6% (2/32) vs.   0% (176/174847) 57ffxtbr@MarineAquarium3Free_57.com
      6% (2/32) vs.   0% (186/174847) {8e5025c2-8ea3-430d-80b8-a14151068a6d}
      6% (2/32) vs.   0% (368/174847) {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68} (Image Zoom, https://addons.mozilla.org/addon/139)
      6% (2/32) vs.   0% (455/174847) {05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}
      9% (3/32) vs.   4% (6505/174847) plugin@yontoo.com
      6% (2/32) vs.   1% (1075/174847) LogMeInClient@logmein.com
      6% (2/32) vs.   1% (2083/174847) {99079a25-328f-4bd4-be04-00955acaa0a7}
(Reporter)

Comment 17

6 years ago
One of the comments mentions "flash is causing the crash." This maps to some of the URLs in question relating to this signature. If we could figure out which version of flash this is, we would likely have an easier time reproducing it if in fact flash is actually causing or helping to cause the issue.

[blank] 	99.849 % 	2651
11.3.300.270 	0.075 % 	2
11.1.102.55 	0.038 % 	1
11.3.300.257 	0.038 % 	1

Comment 18

5 years ago
It's a low volume crash in 17.0 and above:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3ANameOperation%28JSContext*%2C+JSScript*%2C+unsigned+char*%2C+JS%3A%3AValue*%29
https://crash-stats.mozilla.com/report/list?signature=js%3A%3ANameOperation%28JSContext*%2C+unsigned+char*%2C+JS%3A%3AMutableHandle%3CJS%3A%3AValue%3E%29
Crash Signature: [@ js::NameOperation(JSContext*, unsigned char*, JS::Value*)] [@ js::NameOperation(JSContext*, JSScript*, unsigned char*, JS::Value*)] → [@ js::NameOperation(JSContext*, unsigned char*, JS::Value*)] [@ js::NameOperation(JSContext*, JSScript*, unsigned char*, JS::Value*)] [@ js::NameOperation(JSContext*, unsigned char*, JS::MutableHandle<JS::Value>)]
Keywords: topcrash

(In reply to Scoobidiver from comment #18)
> It's a low volume crash in 17.0 and above:

I think it's still present even on latest versions of Beta, Aurora and Nightly:

https://crash-stats.mozilla.com/report/list?signature=js%3A%3ANameOperation%28JSContext*%2C+unsigned+char*%2C+JS%3A%3AMutableHandle%3CJS%3A%3AValue%3E%29
Mozilla/5.0 (Windows NT 5.1; rv:26.0) Gecko/20100101 Firefox/26.0
Build ID: 20131007004003

I couldn't reproduce the crash on the latest Aurora 26.0a2 - I installed all the add-ons that I could find mentioned in the Description and in Comments 15 and 16 and I followed all the suggestions from Comments 12, 15 and 17.

I couldn't find any crash reports in Socorro for the latest release (Firefox 24), Beta (Firefox 25), Aurora (Firefox 26) and Nightly (Firefox 27) for any of the signatures that are related to this bug.

Based on the above, I'm setting the status of this bug to Resolved Worksforme.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Keywords: qawanted
Resolution: --- → WORKSFORME