Closed Bug 764888 Opened 13 years ago Closed 12 years ago

crash in js::NameOperation

Categories: Core :: JavaScript Engine, defect

Version: 15 Branch
Platform: x86, Windows NT
Type: defect
Priority: Not set
Severity: critical

Status: RESOLVED WORKSFORME
Tracking Status: firefox15 + ---

People: Reporter: marcia, Unassigned

Details: Keywords: crash, regression; Whiteboard: [js:waitingforinfo][js:p3]

This bug was filed from the Socorro interface and is report bp-af20eb0c-2066-43ff-86c5-17cc42120614.

=============================================================

Seen while looking at crash stats. https://crash-stats.mozilla.com/report/list?signature=js::NameOperation%28JSContext*,%20unsigned%20char*,%20JS::Value*%29

Crashes started showing up using the 2012060704 build. Crashes exist on other branches but the volume is higher on Aurora. Not sure if this is another morphing JS signature.

Here are some correlations on Aurora:

js::NameOperation(JSContext*, unsigned char*, JS::Value*)|EXCEPTION_ACCESS_VIOLATION_EXEC (29 crashes)
38% (11/29) vs. 12% (749/6231) {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} (Adblock Plus, https://addons.mozilla.org/addon/1865)
14% (4/29) vs. 1% (34/6231) {B17C1C5A-04B1-11DB-9804-B622A1EF5492} (Password Exporter, https://addons.mozilla.org/addon/2848)
14% (4/29) vs. 3% (164/6231) {1018e4d6-728f-4b20-ad56-37578a4de76b} (Flagfox, https://addons.mozilla.org/addon/5791)
10% (3/29) vs. 0% (4/6231) keefox@chris.tomlinson
10% (3/29) vs. 0% (5/6231) csscoverage@spaghetticoder.org (CSS Usage, https://addons.mozilla.org/addon/10704)
10% (3/29) vs. 0% (6/6231) pl@dictionaries.addons.mozilla.org (Polish Spellchecker Dictionary, https://addons.mozilla.org/addon/3052)
10% (3/29) vs. 0% (7/6231) {11483926-db67-4190-91b1-ef20fcec5f33} (FxIF, https://addons.mozilla.org/addon/5673)
10% (3/29) vs. 0% (11/6231) optout@google.com
10% (3/29) vs. 0% (13/6231) player@vividas.com
10% (3/29) vs. 0% (13/6231) {aff87fa2-a58e-4edd-b852-0a20203c1e17} (gTranslate, https://addons.mozilla.org/addon/918)
10% (3/29) vs. 0% (15/6231) fiddlerhook@fiddler2.com
10% (3/29) vs. 0% (20/6231) yslow@yahoo-inc.com (YSlow, https://addons.mozilla.org/addon/5369)
10% (3/29) vs. 0% (21/6231) jid0-GXjLLfbCoAx0LcltEdFrEkQdQPI@jetpack
10% (3/29) vs. 0% (27/6231) {e3f6c2cc-d8db-498c-af6c-499fb211db97}
10% (3/29) vs. 0% (28/6231) {8f8fe09b-0bd3-4470-bc1b-8cad42b8203a} (Live HTTP Headers, https://addons.mozilla.org/addon/3829)
10% (3/29) vs. 1% (34/6231) rainbow@colors.org (Rainbow, https://addons.mozilla.org/addon/14328)
10% (3/29) vs. 1% (43/6231) autopager@mozilla.org (AutoPager, https://addons.mozilla.org/addon/4925)
10% (3/29) vs. 1% (58/6231) {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
10% (3/29) vs. 1% (77/6231) {c45c406e-ab73-11d8-be73-000a95be3b12} (Web Developer, https://addons.mozilla.org/addon/60)
10% (3/29) vs. 1% (82/6231) {46551EC9-40F0-4e47-8E18-8E5CF550CFB8} (Stylish, https://addons.mozilla.org/addon/2108)
10% (3/29) vs. 3% (195/6231) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843)
7% (2/29) vs. 0% (5/6231) IplextoALL@ALLPlayer.org
10% (3/29) vs. 4% (270/6231) {e4a8a97b-f2ed-450b-b12d-ee082ba24781} (Greasemonkey, https://addons.mozilla.org/addon/748)
7% (2/29) vs. 2% (100/6231) {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b} (Easy YouTube Video Downloader, https://addons.mozilla.org/addon/10137)
86% (25/29) vs. 81% (5044/6231) testpilot@labs.mozilla.com (Mozilla Labs - Test Pilot, https://addons.mozilla.org/addon/13661)
100% (29/29) vs. 95% (5919/6231) {972ce4c6-7e08-4474-a285-3208198ce6fd} (Default, https://addons.mozilla.org/addon/8150)

Frame  Module     Signature                                                        Source
0                 @0x12a55dfc
1      mozjs.dll  js::NameOperation                                                js/src/jsinterpinlines.h:374
2      mozjs.dll  js::Interpret                                                    js/src/jsinterp.cpp:2556
3      mozjs.dll  js::InvokeKernel                                                 js/src/jsinterp.cpp:326
4      mozjs.dll  js::Invoke                                                       js/src/jsinterp.cpp:358
5      mozjs.dll  JS_CallFunctionValue                                             js/src/jsapi.cpp:5515
6      xul.dll    nsJSContext::CallEventHandler                                    dom/base/nsJSEnvironment.cpp:1899
7      xul.dll    nsGlobalWindow::RunTimeout                                       dom/base/nsGlobalWindow.cpp:9161
8      xul.dll    nsGlobalWindow::TimerCallback                                    dom/base/nsGlobalWindow.cpp:9549
9      xul.dll    nsTimerImpl::Fire                                                xpcom/threads/nsTimerImpl.cpp:473
10     nspr4.dll  nspr4.dll@0x8c2f
11     xul.dll    nsTimerEvent::Run                                                xpcom/threads/nsTimerImpl.cpp:556
12     xul.dll    nsThread::ProcessNextEvent                                       xpcom/threads/nsThread.cpp:624
13     xul.dll    mozilla::ipc::RPCChannel::DequeueTask::`scalar deleting destructor'
14     nspr4.dll  _MD_CURRENT_THREAD                                               nsprpub/pr/src/md/windows/w95thred.c:276
15     xul.dll    mozilla::ipc::MessagePump::Run                                   ipc/glue/MessagePump.cpp:82
16     xul.dll    MessageLoop::RunHandler                                          ipc/chromium/src/base/message_loop.cc:201
17     xul.dll    nsAttrAndChildArray::RemoveAttrAt                                content/base/src/nsAttrAndChildArray.cpp:431
18     xul.dll    nsBaseAppShell::Run                                              widget/xpwidgets/nsBaseAppShell.cpp:163
19                @0xd8b13f
It stopped spiking after 16.0a1/20120605. The working range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a7a905fd70d5&tochange=6338a8988917 Hoping the fix will land in Aurora.
Keywords: regression
It's #627 top browser crasher in 13.0, #566 in 14.0b6, #28 in 15.0a2, #306 in 16.0a1. It started spiking around 15.0a1/20120601. The regression range for the spike might be: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3aa566994890&tochange=73783bf75c4c
Looks like it might be scope chain stuff. Luke, could you have a look at this?
Whiteboard: [js:inv:p2]
(In reply to David Mandelin from comment #3) Perhaps. The scope chain stuff was in the fixed range which would suggest that it might have fixed a bug introduced by a previous scope patch, but there were none in the range where the spike started. The crash seems to be a corrupted fp->scopeChain (multiple crash addresses) which could have any number of causes. I tried clicking on various URLs in Aurora but no immediate crashes. I'm not sure how to proceed without STR or some way to bisect.
Thanks, Luke. Alex, what do you think--it's fixed in 16, and Luke's saying we'd have to look at many potential causes to figure anything out, so I'm inclined to take it off the list.
Whiteboard: [js:inv:p2] → [js:waitingforinfo][js:p3]
Crash Signature: [@ js::NameOperation(JSContext*, unsigned char*, JS::Value*)] → [@ js::NameOperation(JSContext*, unsigned char*, JS::Value*)] [@ js::NameOperation(JSContext*, JSScript*, unsigned char*, JS::Value*)]
It's #24 top browser crasher in 15.0a2.
Keywords: topcrash
(In reply to David Mandelin [:dmandelin] from comment #5)
> Thanks, Luke. Alex, what do you think--it's fixed in 16, and Luke's saying
> we'd have to look at many potential causes to figure anything out, so I'm
> inclined to take it off the list.

Sorry for the delayed response. I've added needURLs and qawanted for QA to try to reproduce on XP with some of the add-ons listed above. Dave/Luke - is the JS code changed in 15 (regression) & 16 (fix) too large to do code inspection for likely causes? If so, we could speculatively back out early in the beta cycle.
Keywords: needURLs, qawanted
I don't think we know what the regressing JS code change is.
Keywords: needURLs
This has risen to #17 on the top crash list now. Can we try to reproduce this crash in QA?
QA Contact: mozillamarcia.knous
Here is some more information relating to OS/Version for js::NameOperation(JSContext*, unsigned char*, JS::Value*) which has ~1300 crashes in the last week across all versions:

Operating System    Percentage    Number Of Crashes
Windows XP          56.933 %      698
Windows 7           37.031 %      454
Windows Vista       5.057 %       62
Windows 8           0.571 %       7
Windows Unknown     0.408 %       5

Product Version     Percentage    Number Of Crashes
Firefox 15.0b1      52.773 %      647
Firefox 15.0a2      19.250 %      236
Firefox 13.0.1      10.196 %      125
Firefox 14.0.1      7.259 %       89
Firefox 14.0b12     6.444 %       79

http://wiadomosci.onet.pl/ is probably the most represented URL but so far I have not been able to crash yet. Also looking for addon/module correlations.
(In reply to Alex Keybl [:akeybl] from comment #11)
> This has risen to #17 on the top crash list now. Can we try to reproduce
> this crash in QA?

I looked at the reports more closely, and now I see that the crashes are actually in jitcode, so this is really a dup of EnterMethodJIT/JaegerShot. I think the address of NameOperation is just appearing on the stack sometimes and confusing the stackwalker.
Based upon Dave's comment 13, we need to focus on getting steps to reproduce here. Perhaps somebody familiar with Polish on Windows will have more luck. Marcoos/Leszek - would you mind trying to reproduce, or shooting this out to others to see if they can reproduce?
A few of the comments such as this one mention Fireshot: https://crash-stats.mozilla.com/report/index/4d2e74fe-1126-4904-9739-102982120802 "trying to copy a big web page with embedded video to PDF via Fireshot" I will look at manual correlations to see if that bears any fruit.
Updated correlations from various branches:

From Beta:

js::NameOperation(JSContext*, unsigned char*, JS::Value*)|EXCEPTION_ACCESS_VIOLATION_EXEC (119 crashes)
32% (38/119) vs. 7% (4241/59062) {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} (Adblock Plus, https://addons.mozilla.org/addon/1865)
8% (10/119) vs. 0% (105/59062) IplextoALL@ALLPlayer.org

From 14.0.1:

js::NameOperation(JSContext*, unsigned char*, JS::Value*)|EXCEPTION_ACCESS_VIOLATION_READ (32 crashes)
22% (7/32) vs. 4% (7342/174847) {b9db16a4-6edc-47ec-a1f4-b86292ed211d} (Video DownloadHelper, https://addons.mozilla.org/addon/3006)
22% (7/32) vs. 8% (13572/174847) {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} (Adblock Plus, https://addons.mozilla.org/addon/1865)
13% (4/32) vs. 1% (1829/174847) {DDC359D1-844A-42a7-9AA1-88A850A938A8} (DownThemAll!, https://addons.mozilla.org/addon/201)
9% (3/32) vs. 0% (354/174847) {0b457cAA-602d-484a-8fe7-c1d894a011ba} (FireShot, https://addons.mozilla.org/addon/5648)
9% (3/32) vs. 0% (681/174847) {77b819fa-95ad-4f2c-ac7c-486b356188a9} (IE Tab, https://addons.mozilla.org/addon/1419)
9% (3/32) vs. 1% (1126/174847) foxmarks@kei.com (Xmarks (formerly Foxmarks), https://addons.mozilla.org/addon/2410)
9% (3/32) vs. 1% (1720/174847) mozilla_cc@internetdownloadmanager.com (IDM CC, https://addons.mozilla.org/addon/6973)
9% (3/32) vs. 1% (1888/174847) ffxtlbra@softonic.com
9% (3/32) vs. 2% (3689/174847) {e4a8a97b-f2ed-450b-b12d-ee082ba24781} (Greasemonkey, https://addons.mozilla.org/addon/748)
13% (4/32) vs. 5% (9165/174847) ffxtlbr@babylon.com
9% (3/32) vs. 3% (4645/174847) ffxtlbr@funmoods.com
6% (2/32) vs. 0% (131/174847) newtaburl@sogame.cat (NewTabURL, https://addons.mozilla.org/addon/2221)
6% (2/32) vs. 0% (176/174847) 57ffxtbr@MarineAquarium3Free_57.com
6% (2/32) vs. 0% (186/174847) {8e5025c2-8ea3-430d-80b8-a14151068a6d}
6% (2/32) vs. 0% (368/174847) {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68} (Image Zoom, https://addons.mozilla.org/addon/139)
6% (2/32) vs. 0% (455/174847) {05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}
9% (3/32) vs. 4% (6505/174847) plugin@yontoo.com
6% (2/32) vs. 1% (1075/174847) LogMeInClient@logmein.com
6% (2/32) vs. 1% (2083/174847) {99079a25-328f-4bd4-be04-00955acaa0a7}
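The add-on correlation lists in the description and in the comment above can be ranked mechanically. The following is an added example, not part of the bug or of crash-stats; it assumes the second ratio on each line is the add-on's share across all crashes for that build, and the binomial tail test and the `alpha` and `min_hits` cut-offs are choices made here for illustration.

```python
import math
import re

# One crash-stats correlation entry, in the format quoted in this bug:
#   "<pct>% (k/n) vs. <pct>% (K/N) <addon id> (<name>, <url>)"
ENTRY = re.compile(
    r"\d+% \((\d+)/(\d+)\) vs\.\s+\d+% \((\d+)/(\d+)\) (\S+)"
    r"(?: \((.*), https?://\S+\))?"
)

# Four entries copied from the Aurora list in the bug description.
SAMPLE = """\
38% (11/29) vs. 12% (749/6231) {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} (Adblock Plus, https://addons.mozilla.org/addon/1865)
10% (3/29) vs. 0% (4/6231) keefox@chris.tomlinson
86% (25/29) vs. 81% (5044/6231) testpilot@labs.mozilla.com (Mozilla Labs - Test Pilot, https://addons.mozilla.org/addon/13661)
100% (29/29) vs. 95% (5919/6231) {972ce4c6-7e08-4474-a285-3208198ce6fd} (Default, https://addons.mozilla.org/addon/8150)
"""

def binom_tail(k, n, p):
    """P(X >= k) for X ~ Binomial(n, p): chance of k or more hits by luck."""
    return sum(math.comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def rank(text, alpha=0.01, min_hits=5):
    """Parse entries and label each one; alpha and min_hits are assumed cut-offs."""
    rows = []
    for line in text.splitlines():
        m = ENTRY.fullmatch(line.strip())
        if not m or int(m.group(3)) == 0:
            continue                      # not an entry, or no baseline to compare with
        k, n, big_k, big_n = map(int, m.group(1, 2, 3, 4))
        base = big_k / big_n              # add-on share across all crashes (assumed meaning)
        lift = (k / n) / base             # over-representation in this signature
        if binom_tail(k, n, base) >= alpha:
            verdict = "noise"             # consistent with the baseline install rate
        elif k < min_hits:
            verdict = "sparse"            # unlikely by chance, but too few crashes to trust
        else:
            verdict = "candidate"
        rows.append((m.group(6) or m.group(5), round(lift, 1), verdict))
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for name, lift, verdict in rank(SAMPLE):
        print(f"{lift:7.1f}x  {verdict:9}  {name}")
```

A "sparse" entry has a high ratio resting on two or three reports, which could be a single profile crashing repeatedly, so it is worth a manual look rather than a conclusion.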
One of the comments mentions "flash is causing the crash." This maps to some of the URLs in question relating to this signature. If we could figure out which version of flash this is, we would likely have an easier time reproducing it if in fact flash is actually causing or helping to cause the issue.

[blank]         99.849 %    2651
11.3.300.270    0.075 %     2
11.1.102.55     0.038 %     1
11.3.300.257    0.038 %     1
Crash Signature: [@ js::NameOperation(JSContext*, unsigned char*, JS::Value*)] [@ js::NameOperation(JSContext*, JSScript*, unsigned char*, JS::Value*)] → [@ js::NameOperation(JSContext*, unsigned char*, JS::Value*)] [@ js::NameOperation(JSContext*, JSScript*, unsigned char*, JS::Value*)] [@ js::NameOperation(JSContext*, unsigned char*, JS::MutableHandle<JS::Value>)]
Keywords: topcrash
(In reply to Scoobidiver from comment #18)
> It's a low volume crash in 17.0 and above:

I think it's still present even on latest versions of Beta, Aurora and Nightly: https://crash-stats.mozilla.com/report/list?signature=js%3A%3ANameOperation%28JSContext*%2C+unsigned+char*%2C+JS%3A%3AMutableHandle%3CJS%3A%3AValue%3E%29
Mozilla/5.0 (Windows NT 5.1; rv:26.0) Gecko/20100101 Firefox/26.0
Build ID: 20131007004003

I couldn't reproduce the crash on the latest Aurora 26.0a2 - I installed all the add-ons that I could find mentioned in the Description and in Comments 15 and 16 and I followed all the suggestions from Comments 12, 15 and 17. I couldn't find any crash reports in Socorro for the latest release (Firefox 24), Beta (Firefox 25), Aurora (Firefox 26) and Nightly (Firefox 27) for any of the signatures that are related to this Bug. Based on the above, I'm setting the status of this bug to Resolved Worksforme.
Status: NEW → RESOLVED
Closed: 12 years ago
Keywords: qawanted
Resolution: --- → WORKSFORME