crash in js::types::TypeObject::getFromPrototypes @ js::types::TypeObject::addProperty

RESOLVED WONTFIX

Status: critical, RESOLVED WONTFIX (reported 6 years ago, last resolved 17 days ago)

People: Reporter: scoobidiver, Unassigned

Tracking: 15 Branch, x86_64, Mac OS X; keywords: crash

Firefox Tracking Flags: firefox15-

Details: Whiteboard: [js:inv], crash signature

(Reporter)

Description

6 years ago
It's #1 top browser crasher in 15.0b1 and b2 on Mac OS X.

Signature 	js::types::TypeObject::addProperty
UUID	8ce647f7-0611-448d-a094-fc8c22120801
Date Processed	2012-08-01 09:07:25
Uptime	46
Last Crash	11.5 hours before submission
Install Age	2.7 days since version was first installed.
Install Time	2012-07-29 17:22:44
Product	Firefox
Version	15.0
Build ID	20120724191344
Release Channel	beta
OS	Mac OS X
OS Version	10.6.8 10K549
Build Architecture	amd64
Build Architecture Info	family 6 model 15 stepping 10
Crash Reason	EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash Address	0x8
App Notes 	AdapterVendorID: 0x1002, AdapterDeviceID: 0x9583 GL Context? GL Context+ GL Layers? GL Layers+
EMCheckCompatibility	True
Adapter Vendor ID	0x1002
Adapter Device ID	0x9583

Frame 	Module 	Signature 	Source
0 	XUL 	js::types::TypeObject::addProperty 	js/src/gc/Barrier.h:499
1 	XUL 	js::types::TypeObject::getFromPrototypes 	js/src/jsinferinlines.h:1248
2 	XUL 	TypeConstraintProp::newType 	js/src/jsinfer.cpp:989
3 	XUL 	js::types::TypeSet::add 	js/src/jsinferinlines.h:810
4 	XUL 	js::analyze::ScriptAnalysis::analyzeTypesBytecode 	js/src/jsinfer.cpp:543
5 	XUL 	js::analyze::ScriptAnalysis::analyzeTypes 	js/src/jsinfer.cpp:4140
6 	XUL 	js::mjit::Compiler::checkAnalysis 	js/src/jsinferinlines.h:1454
7 	XUL 	js::mjit::Compiler::performCompilation 	js/src/methodjit/Compiler.cpp:503
8 	XUL 	js::mjit::Compiler::compile 	js/src/methodjit/Compiler.cpp:112
9 	XUL 	js::mjit::CanMethodJIT 	js/src/methodjit/Compiler.cpp:978
10 	XUL 	js::Interpret 	js/src/jsinterp.cpp:1558
11 	XUL 	js::RunScript 	js/src/jsinterp.cpp:266
12 	XUL 	js::InvokeKernel 	js/src/jsinterp.cpp:329
...

Here are some correlations per extension:
  js::types::TypeObject::addProperty|EXC_BAD_ACCESS / KERN_INVALID_ADDRESS (49 crashes)
     14% (7/49) vs.   5% (30/636) personas@christopher.beard (Personas, https://addons.mozilla.org/addon/10900)
     10% (5/49) vs.   1% (7/636) FFToolbar@upromise
     10% (5/49) vs.   2% (12/636) {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} (Forecastfox, https://addons.mozilla.org/addon/398)

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Atypes%3A%3ATypeObject%3A%3AaddProperty

Comment 1 (David Mandelin [:dmandelin])

Hmmm, Mac-only, and showed up only in Beta. So I guess we don't get a regression range. It looks like mostly NPEs.

Comment 2 (Lukas Blakk [:lsblakk])

98.148 % of these crashes are on amd64 architecture - does that provoke any ideas?
tracking-firefox15: ? → +

(Reporter)

Comment 3

6 years ago
(In reply to David Mandelin [:dmandelin] from comment #1)
> Hmmm, Mac-only, and showed up only in Beta. So I guess we don't get a
> regression range.
They first appeared on July 26 at 17H34 UTC, even on Android, so it's an external cause. Flash 11.3.300.268 was released this day (see http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html).
Keywords: needURLs

(In reply to Lukas Blakk [:lsblakk] from comment #2)
> 98.148 % of these crashes are on amd64 architecture - does that provoke any
> ideas?

I noticed that too, but I'm not sure what to make of it. I think it might be some crash that just happens to show a different signature on x86 vs x64.
Crash Signature: [@ js::types::TypeObject::addProperty] → [@ js::types::TypeObject::addProperty] [@ js::types::TypeObject::getFromPrototypes]
Removing topcrash from keywords, as these signatures have dropped off the topcrashers for 15.
tracking-firefox15: + → -
Keywords: topcrash
Whiteboard: [js:inv]
(Reporter)

Comment 7

5 years ago
It still happens at a low volume:
* 139 crashes in 22.0
* 4 in 23.0b9

More reports at:
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=js%3A%3Atypes%3A%3ATypeObject%3A%3AgetFromPrototypes%28JSContext*%2C+int%2C+js%3A%3Atypes%3A%3ATypeSet*%2C+bool%29
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=js%3A%3Atypes%3A%3ATypeObject%3A%3AaddProperty%28JSContext*%2C+int%2C+js%3A%3Atypes%3A%3AProperty**%29
Crash Signature: [@ js::types::TypeObject::addProperty] [@ js::types::TypeObject::getFromPrototypes] → [@ js::types::TypeObject::addProperty] [@ js::types::TypeObject::addProperty(JSContext*, int, js::types::Property**) ] [@ js::types::TypeObject::getFromPrototypes] [@ js::types::TypeObject::getFromPrototypes(JSContext*, int, js::types::TypeSet*, bool) ]
(Assignee)

Updated

4 years ago
Assignee: general → nobody
Closing because no crashes have been reported for 12 weeks.
Status: NEW → RESOLVED
Last Resolved: 17 days ago
Resolution: --- → WONTFIX