Closed Bug 779447 Opened 9 years ago Closed 3 years ago

crash in js::types::TypeObject::getFromPrototypes @ js::types::TypeObject::addProperty


(Core :: JavaScript Engine, defect)

15 Branch
Not set



Tracking Status
firefox15 - ---


(Reporter: scoobidiver, Unassigned)


(Keywords: crash, Whiteboard: [js:inv])

Crash Data

It's #1 top browser crasher in 15.0b1 and b2 on Mac OS X.

Signature 	js::types::TypeObject::addProperty
UUID	8ce647f7-0611-448d-a094-fc8c22120801
Date Processed	2012-08-01 09:07:25
Uptime	46
Last Crash	11.5 hours before submission
Install Age	2.7 days since version was first installed.
Install Time	2012-07-29 17:22:44
Product	Firefox
Version	15.0
Build ID	20120724191344
Release Channel	beta
OS Version	10.6.8 10K549
Build Architecture	amd64
Build Architecture Info	family 6 model 15 stepping 10
Crash Address	0x8
App Notes 	
AdapterVendorID: 0x1002, AdapterDeviceID: 0x9583
GL Context? GL Context+ GL Layers? GL Layers+
EMCheckCompatibility	True
Adapter Vendor ID	0x1002
Adapter Device ID	0x9583

Frame 	Module 	Signature 	Source
0 	XUL 	js::types::TypeObject::addProperty 	js/src/gc/Barrier.h:499
1 	XUL 	js::types::TypeObject::getFromPrototypes 	js/src/jsinferinlines.h:1248
2 	XUL 	TypeConstraintProp::newType 	js/src/jsinfer.cpp:989
3 	XUL 	js::types::TypeSet::add 	js/src/jsinferinlines.h:810
4 	XUL 	js::analyze::ScriptAnalysis::analyzeTypesBytecode 	js/src/jsinfer.cpp:543
5 	XUL 	js::analyze::ScriptAnalysis::analyzeTypes 	js/src/jsinfer.cpp:4140
6 	XUL 	js::mjit::Compiler::checkAnalysis 	js/src/jsinferinlines.h:1454
7 	XUL 	js::mjit::Compiler::performCompilation 	js/src/methodjit/Compiler.cpp:503
8 	XUL 	js::mjit::Compiler::compile 	js/src/methodjit/Compiler.cpp:112
9 	XUL 	js::mjit::CanMethodJIT 	js/src/methodjit/Compiler.cpp:978
10 	XUL 	js::Interpret 	js/src/jsinterp.cpp:1558
11 	XUL 	js::RunScript 	js/src/jsinterp.cpp:266
12 	XUL 	js::InvokeKernel 	js/src/jsinterp.cpp:329

Here are some correlations per extension:
  js::types::TypeObject::addProperty|EXC_BAD_ACCESS / KERN_INVALID_ADDRESS (49 crashes)
     14% (7/49) vs.   5% (30/636) personas@christopher.beard (Personas,
     10% (5/49) vs.   1% (7/636) FFToolbar@upromise
     10% (5/49) vs.   2% (12/636) {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} (Forecastfox,

More reports at:
Hmmm, Mac-only, and showed up only in Beta. So I guess we don't get a regression range. It looks like mostly NPEs.
98.148 % of these crashes are on amd64 architecture - does that provoke any ideas?
(In reply to David Mandelin [:dmandelin] from comment #1)
> Hmmm, Mac-only, and showed up only in Beta. So I guess we don't get a
> regression range.
They first appeared on July 26 at 17H34 UTC, even on Android, so it's an external cause. Flash 11.3.300.268 was released this day (see
Keywords: needURLs
(In reply to Lukas Blakk [:lsblakk] from comment #2)
> 98.148 % of these crashes are on amd64 architecture - does that provoke any
> ideas?

I noticed that too, but I'm not sure what to make of it. I think it might be some crash that just happens to show a different signature on x86 vs x64.
Crash Signature: [@ js::types::TypeObject::addProperty] → [@ js::types::TypeObject::addProperty] [@ js::types::TypeObject::getFromPrototypes]
Removing topcrash from keywords as these signatures have dropped off the topcrashers for 15.
Whiteboard: [js:inv]
It still happens at a low volume:
* 139 crashes in 22.0
* 4 in 23.0b9

More reports at:*%2C+int%2C+js%3A%3Atypes%3A%3ATypeSet*%2C+bool%29*%2C+int%2C+js%3A%3Atypes%3A%3AProperty**%29
Crash Signature: [@ js::types::TypeObject::addProperty] [@ js::types::TypeObject::getFromPrototypes] → [@ js::types::TypeObject::addProperty] [@ js::types::TypeObject::addProperty(JSContext*, int, js::types::Property**) ] [@ js::types::TypeObject::getFromPrototypes] [@ js::types::TypeObject::getFromPrototypes(JSContext*, int, js::types::TypeSet*, bool) ]
Assignee: general → nobody
Closing because no crashes have been reported for 12 weeks.
Closed: 3 years ago
Resolution: --- → WONTFIX