Closed Bug 810588 Opened 13 years ago Closed 6 years ago

crash in js::ion::InvokeFunction @ js::Invoke

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
18 Branch
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox18 - ---
firefox19 - ---

People

(Reporter: scoobidiver, Unassigned)

References

(
URL
)

Details

(Keywords: crash, regression, reproducible, Whiteboard: [js:p1])

Crash Data

It spiked recently in the trunk and is reproducible with the above URL. Signature js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) More Reports Search UUID a358c324-e053-49fa-9dfd-b63f72121110 Date Processed 2012-11-10 14:45:16 Uptime 21 Last Crash 2.2 days before submission Install Age 21 seconds since version was first installed. Install Time 2012-11-10 14:45:01 Product Firefox Version 19.0a1 Build ID 20121109030635 Release Channel nightly OS Windows NT OS Version 6.1.7601 Service Pack 1 Build Architecture x86 Build Architecture Info GenuineIntel family 6 model 23 stepping 10 Crash Reason EXCEPTION_ACCESS_VIOLATION_READ Crash Address 0xffffffffffffff87 App Notes AdapterVendorID: 0x8086, AdapterDeviceID: 0x2a42, AdapterSubsysID: 02961025, AdapterDriverVersion: 8.15.10.2555 D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ EMCheckCompatibility True Adapter Vendor ID 0x8086 Adapter Device ID 0x2a42 Total Virtual Memory 4294836224 Available Virtual Memory 3858870272 System Memory Use Percentage 55 Available Page File 6067658752 Available Physical Memory 1864028160 Bugzilla - Report this bug in Firefox, Core, Plug-Ins, or Toolkit Crashing Thread Frame Module Signature Source 0 mozjs.dll js::Invoke js/src/jsinterp.cpp:408 1 mozjs.dll js::ion::InvokeFunction js/src/ion/VMFunctions.cpp:63 2 @0x15b9299f More reports at: https://crash-stats.mozilla.com/report/list?signature=js%3A%3AInvoke%28JSContext*%2C+JS%3A%3AValue+const%26%2C+JS%3A%3AValue+const%26%2C+unsigned+int%2C+JS%3A%3AValue*%2C+JS%3A%3AValue*%29
bp-8c1d0a72-4406-4958-82df-145ad2121110 : Aurora18.0a2 bp-bec2d1e1-7adb-4308-a074-0bd952121110 : Nightly19.0a1
Crash Signature: [@ js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*)] → [@ js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*)] [@ js::Invoke]
OS: Windows 7 → All
Version: 19 Branch → 18 Branch
(In reply to Loic from comment #2) > m-c > good=2012-10-16 > bad=2012-10-17 > http://hg.mozilla.org/mozilla-central/ > pushloghtml?fromchange=8f145599e4bf&tochange=dac5700acf8b non-PGO build(m-c thinderbox) crashes the above cset. http://hg.mozilla.org/mozilla-central/rev/8f145599e4bf Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/19.0 Firefox/19.0 ID:20121016010947 I think this is sensitive to PGO. Regression window in non-PGO builds(m-c thinderbox/m-i thinderbox) Regression window(m-c nightly linux, so non-PGO) Good: http://hg.mozilla.org/mozilla-central/rev/c09a0c022b2e Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/18 Firefox/18.0a1 ID:20120929030624 Crash: http://hg.mozilla.org/mozilla-central/rev/85f561c755f6 Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/18 Firefox/18.0a1 ID:20120929191424 Pushlog; http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c09a0c022b2e&tochange=85f561c755f6 Regression window(m-c thinderbox Windows) Good: http://hg.mozilla.org/mozilla-central/rev/c09a0c022b2e Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20120928221119 Crash: http://hg.mozilla.org/mozilla-central/rev/879cce846c1e Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20120929093223 Pushlog; http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c09a0c022b2e&tochange=879cce846c1e Regression window(m-i thinderbox Windows) Good: http://hg.mozilla.org/integration/mozilla-inbound/rev/68c4c30ff6f0 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20120928223118 Crash: http://hg.mozilla.org/integration/mozilla-inbound/rev/b56f7cb51b1f Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20120929000618 Pushlog; http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=68c4c30ff6f0&tochange=b56f7cb51b1f Triggered by: 59665618b6c9 Nicolas B. Pierron — Backout 44465ef545e3 (Bug 786126) - Are we fast yet regression.
non-PGO builds seemed to be fixed by Bug 793577. However, PGO builds seemed to start to crash instead. non-PGO progression window (m-c) Crash: http://hg.mozilla.org/mozilla-central/rev/044d1b974385 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/19.0 Firefox/19.0 ID:20121016172205 Not crash: http://hg.mozilla.org/mozilla-central/rev/dac5700acf8b Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/19.0 Firefox/19.0 ID:20121016185305 Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=044d1b974385&tochange=dac5700acf8b non-PGO progression window (m-i) Crash http://hg.mozilla.org/integration/mozilla-inbound/rev/71eacb57041d Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/19.0 Firefox/19.0 ID:20121016092304 Not crash: http://hg.mozilla.org/integration/mozilla-inbound/rev/741fb7f8e5cb Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/19.0 Firefox/19.0 ID:20121016101706 Pushlog: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=71eacb57041d&tochange=741fb7f8e5cb non-PGO fixed by: 741fb7f8e5cb Terrence Cole — Bug 793577 - Implement Return<T> for direct returns of unrooted GC pointers; r=billm r=njn Return<T> wraps GC things that are returned from accessor methods. The wrapper helps to ensure correct rooting of the returned pointer and safe access while unrooted.
Blocks: 793577, 786126
(In reply to Alice0775 White from comment #4) > non-PGO builds seemed to be fixed by Bug 793577. non-PGO builds seemed to be fixed by Bug 793577 for winodows only. Linux build still crashes.
No longer blocks: 793577
Depends on: 793577
Keywords: topcrash
Keywords: regressionwindow-wanted
Terrence passing on this top-crasher to you as Bug 793577 is the suspected regressing bug.Can you please look at it ? Thanks !
Assignee: general → terrence
tracking-firefox18: ?+
tracking-firefox19: ?+
Sorry, I must have missed this before. IonMonkey appears to be entering the interpreter with a busted stack. I'd be very surprised if the change in bug 793577 caused this directly. I think :dvander is currently looking at several other PGO failures that are probably related. I'll coordinate with him to see if the fix he's working on works for this too.
We're no longer seeing this on the FF18 top crash list. If I'm misreading that, please re-nominate.
tracking-firefox18: +-
The BOM link still reliably crashes the most recent nightly build See crash signature https://crash-stats.mozilla.com/report/index/bp-2f58f620-a371-45b2-8324-50dd92121129
@akeybl did you test the given link before you changed flags?
(In reply to M** A**** from comment #10) > @akeybl did you test the given link before you changed flags? We track for release top crashers not reproducible low crashers. Indeed, it's now #172 top browser crasher in 18.0b1 and #100 in 19.0a2.
tracking-firefox19: +?
Keywords: topcrash
Whiteboard: [js:p1]
The BOM site no longer crashes in the latest Firefox Nightly builds.
BOM site crashes again https://crash-stats.mozilla.com/report/index/bp-2ee249c5-34d5-40af-a329-a7ed52130119 This is a new install of windows 7 64 bit
I'm not actively working on this right now.
Assignee: terrence → nobody

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.