Closed Bug 790473 Opened 12 years ago Closed 11 years ago

IonMonkey: Crash @ JSObject::defaultValue

Categories

(Core :: JavaScript Engine, defect)

18 Branch
x86_64
Windows 7
defect
Not set
critical

RESOLVED WORKSFORME
Tracking Status
firefox18 - affected
firefox19 - affected

People

(Reporter: speciesx, Assigned: dvander)

Details

(Keywords: crash, regression, Whiteboard: [ion:p1])

Crash Data

Potentially related to Bug 786465, which reproduces in the shell but not in the browser.
On Nightly: bp-fd66a30a-e9ae-445c-8c23-8fbee2120912
Severity: normal → critical
Status: UNCONFIRMED → NEW
Crash Signature: [@ JSObject::defaultValue(JSContext*, JS::Handle<JSObject*>, JSType, JS::MutableHandle<JS::Value>)]
Ever confirmed: true
Hardware: x86_64 → All
Summary: IonMonkey: Crash @ xul.dll@0x98bc7 | xul.dll@0x17f3e8 | xul.dll@0x16af0d | xul.dll@0xfa4d1f | xul.dll@0xfa4d1f | xul.dll@0x635352 → IonMonkey: Crash @ JSObject::defaultValue
Version: Trunk → 18 Branch
Whiteboard: [ion:p1:fx18]
For the life of me, I can't reproduce this on Linux x86_64. It appears to be Win64-exclusive.
Yes, this is a Windows x64 only crash.
Hardware: All → x86_64
Whiteboard: [ion:p1:fx18] → [ion:p2:fx18]
I reproduced this earlier today. Will try to look at this tomorrow.
Interesting side note, if I remove Java 7 Update 7 (x64) completely, the crash goes away.
bp-c2c520a0-2c1c-4c46-82eb-200d92120925
bp-c6816b33-b5e2-4a1b-95b3-2dcd82120925

I can reproduce on the 32bit Nightly.

1. Go to maps.google.com
2. Enable MapsGL
3. Scroll/Zoom in a few times.

Then it crashes with either this signature or the signature in bug 791999
(In reply to Brian Carpenter [:geeknik] from comment #7)
> Interesting side note, if I remove Java 7 Update 7 (x64) completely, the
> crash goes away.

Win64 build compiled with VS2012 also does not crash.
Build Identifier:
http://hg.mozilla.org/mozilla-central/rev/5ecff3e46ed5
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/19.0 Firefox/19.0 ID:20121026030606

bp-b708e109-70a4-438d-bd87-1fe0e2121026

Reproducible: always

Steps to reproduce:
1. Open http://live.nicovideo.jp/ (This is the most popular video site in Japan).
2. Stay for about 1min30sec

Actual results:
Crash

Expected results:
not crash
Keywords: topcrash
STR in comment #8 reproduces a crash for me.
Assignee: general → dvander
Status: NEW → ASSIGNED
Whiteboard: [ion:p2:fx18] → [ion:p1]
Hrm, I'm having trouble reproducing this today. John or Alice, are you able to reproduce this with non-PGO Win32 builds?
I cannot reproduce the problem in the hourly tinderbox build even if the changeset is the same as the Nightly build.
And I cannot reproduce the crash with the STR of comment #10 in recent Nightly.

Crash:
http://hg.mozilla.org/mozilla-central/rev/5ecff3e46ed5
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/19.0 Firefox/19.0 ID:20121026030606

Not crash:
http://hg.mozilla.org/mozilla-central/rev/5c82f5a5e90d
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/19.0 Firefox/19.0 ID:20121025030620
http://hg.mozilla.org/mozilla-central/rev/f9acc2e4d4e3
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/19.0 Firefox/19.0 ID:20121027030611
http://hg.mozilla.org/mozilla-central/rev/3621795c03e1
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/19.0 Firefox/19.0 ID:20121028030617
http://hg.mozilla.org/mozilla-central/rev/e069342dc665
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/19.0 Firefox/19.0 ID:20121029030553
http://hg.mozilla.org/mozilla-central/rev/e19e170d2f6d
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/19.0 Firefox/19.0 ID:20121030030633
http://hg.mozilla.org/mozilla-central/rev/bed18790882f
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/19.0 Firefox/19.0 ID:20121031030750
Removing the "reproducible" keyword and adding qawanted to see if QA can try reproducing this.
Keywords: reproducible → qawanted
QA Contact: jbecerra
In Aurora, I'm not able to crash with this signature, but I do get a crash with the steps in comment #8 (after a little while, a minute or so of toggling the zoom):

http://crash-stats.mozilla.com/report/index/bp-54621095-8af0-4b3b-b725-6beca2121108
(In reply to David Anderson [:dvander] from comment #12)
> Hrm, I'm having trouble reproducing this today. John or Alice, are you able
> to reproduce this with non-PGO Win32 builds?

:Juanb is able to reproduce this as per comment 16 as of a few days back.
I was also able to reproduce the crash with this signature with Nightly and Aurora builds by navigating on Google Maps with WebGL enabled:
- Nightly: https://crash-stats.mozilla.com/report/index/bp-b741fe9c-c371-4a3f-8c94-8ef9b2121109
- Aurora: https://crash-stats.mozilla.com/report/index/bp-77b298a0-e466-40a3-ae7e-1ed382121109
More details in bug #791999 comment #9.
(In reply to bhavana bajaj [:bajaj] from comment #17)
> (In reply to David Anderson [:dvander] from comment #12)
> > Hrm, I'm having trouble reproducing this today. John or Alice, are you able
> > to reproduce this with non-PGO Win32 builds?
> 
> :Juanb is able to reproduce this as per comment 16 as of a few days back.

Juan's crash is different, but Mihaela is able to repro. Ball's in David's court now to sync up with Mihaela and investigate further.
On the Oct 11th build and prior, the browser hangs. On Oct 13th, the browser crashes. (The Oct 12th builds do not start for me.) On Oct 10th we landed a fix for an infinite loop in the JS engine. 

These may or may not be related, so it's worth testing that. Mihaela, could you try the following build when available?

http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/danderson@mozilla.com-acce34a97d57

If it doesn't crash, then the bug is probably related to IonMonkey. If it does crash, then these two problems were unrelated.
David, any thoughts on the crashes in comment 21?
No longer a top crash in 18.0b1 - no need to track for release.
(In reply to Mihaela Velimiroviciu [QA] (:mihaela) from comment #21)
> I installed the suggested build on Win 7 x64 and crashes, but with other
> signature.

That build apparently doesn't have symbols up on our servers, so unfortunately the signature does look different. Still, it looks like it still crashes.

David, does that answer enough for you to investigate this further? Even if it's not a topcrash at this moment, I fear that something could trigger it at any time and make it explode on us, as it's reproducible.
Dropping qawanted since this is being untracked and we need feedback from David before continuing. Please re-add when there's something QA can follow-up on.
Keywords: qawanted
It's #33 top browser crasher w/o hangs in 18.0b1 and #29 in 19.0a2 so no longer a top crasher (arbitrarily restricted to the top 20).
Keywords: topcrash
Same signature, but different STR, and the stacks don't look all that similar to the others in this bug (but a lot more complete, FWIW).

STR: Run sunspider http://www.webkit.org/perf/sunspider-0.9.1/sunspider-0.9.1/driver.html
Result: Immediate crash.
Reproducible: At will.

Windows 7.

Dirty profile:
https://crash-stats.mozilla.com/report/index/bp-bfeb266f-5af0-4151-b842-7c5bd2121204

Fresh profile:
https://crash-stats.mozilla.com/report/index/bp-e70f199f-9dd7-47b6-893e-4e4042121204

Related, or separate issue?
(In reply to bomfog from comment #27)
> Same signature, but different STR, and the stacks don't look all that
> similar to the others in this bug (but a lot more complete, FWIW).
> 
> STR: Run sunspider
> http://www.webkit.org/perf/sunspider-0.9.1/sunspider-0.9.1/driver.html
> Result: Immediate crash.
> Reproducible: At will.
> 
> Windows 7.
> 
> Dirty profile:
> https://crash-stats.mozilla.com/report/index/bp-bfeb266f-5af0-4151-b842-7c5bd2121204
> 
> Fresh profile:
> https://crash-stats.mozilla.com/report/index/bp-e70f199f-9dd7-47b6-893e-4e4042121204
> 
> Related, or separate issue?

Separate issue :) it looks like you're on the IonMonkey channel where baseline compiler development work is happening. I would expect it to be very unstable until at least we get tests passing there. If you're still on that branch from the original IonMonkey development cycle, you might consider switching over to mainline nightlies.
(In reply to David Anderson [:dvander] from comment #28)
> (In reply to bomfog from comment #27)
[...] 
> If you're still on
> that branch from the original IonMonkey development cycle, you might
> consider switching over to mainline nightlies.

I just check out the current IM build occasionally, when inbound gets dull, to see how it's working. This time it wasn't :)
It has begun to crash with STR of comment #10 since 12/04 Nightly again :(
bp-32b24f0b-721b-49f3-aed3-cf1a62121205

http://hg.mozilla.org/mozilla-central/rev/6fa6e55a93b2
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20121204 Firefox/20.0 ID:20121204030754
None of the STR work for me any more. David says he thinks it's a dup of one of the PGO bugs that went by. Please reopen and renominate if it comes back.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME