Closed
Bug 810588
Opened 13 years ago
Closed 6 years ago
crash in js::ion::InvokeFunction @ js::Invoke
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: scoobidiver, Unassigned)
References
()
Details
(Keywords: crash, regression, reproducible, Whiteboard: [js:p1])
Crash Data
It spiked recently in the trunk and is reproducible with the above URL.
Signature js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) More Reports Search
UUID a358c324-e053-49fa-9dfd-b63f72121110
Date Processed 2012-11-10 14:45:16
Uptime 21
Last Crash 2.2 days before submission
Install Age 21 seconds since version was first installed.
Install Time 2012-11-10 14:45:01
Product Firefox
Version 19.0a1
Build ID 20121109030635
Release Channel nightly
OS Windows NT
OS Version 6.1.7601 Service Pack 1
Build Architecture x86
Build Architecture Info GenuineIntel family 6 model 23 stepping 10
Crash Reason EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 0xffffffffffffff87
App Notes
AdapterVendorID: 0x8086, AdapterDeviceID: 0x2a42, AdapterSubsysID: 02961025, AdapterDriverVersion: 8.15.10.2555
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+
EMCheckCompatibility True
Adapter Vendor ID 0x8086
Adapter Device ID 0x2a42
Total Virtual Memory 4294836224
Available Virtual Memory 3858870272
System Memory Use Percentage 55
Available Page File 6067658752
Available Physical Memory 1864028160
Bugzilla - Report this bug in Firefox, Core, Plug-Ins, or Toolkit
Crashing Thread
Frame Module Signature Source
0 mozjs.dll js::Invoke js/src/jsinterp.cpp:408
1 mozjs.dll js::ion::InvokeFunction js/src/ion/VMFunctions.cpp:63
2 @0x15b9299f
More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3AInvoke%28JSContext*%2C+JS%3A%3AValue+const%26%2C+JS%3A%3AValue+const%26%2C+unsigned+int%2C+JS%3A%3AValue*%2C+JS%3A%3AValue*%29
![]() |
||
Comment 1•13 years ago
|
||
bp-8c1d0a72-4406-4958-82df-145ad2121110 : Aurora18.0a2
bp-bec2d1e1-7adb-4308-a074-0bd952121110 : Nightly19.0a1
Crash Signature: [@ js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*)] → [@ js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*)]
[@ js::Invoke]
OS: Windows 7 → All
Version: 19 Branch → 18 Branch
m-c
good=2012-10-16
bad=2012-10-17
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=8f145599e4bf&tochange=dac5700acf8b
tracking-firefox18:
--- → ?
tracking-firefox19:
--- → ?
![]() |
||
Comment 3•13 years ago
|
||
(In reply to Loic from comment #2)
> m-c
> good=2012-10-16
> bad=2012-10-17
> http://hg.mozilla.org/mozilla-central/
> pushloghtml?fromchange=8f145599e4bf&tochange=dac5700acf8b
non-PGO build(m-c thinderbox) crashes the above cset.
http://hg.mozilla.org/mozilla-central/rev/8f145599e4bf
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/19.0 Firefox/19.0 ID:20121016010947
I think this is sensitive to PGO.
Regression window in non-PGO builds(m-c thinderbox/m-i thinderbox)
Regression window(m-c nightly linux, so non-PGO)
Good:
http://hg.mozilla.org/mozilla-central/rev/c09a0c022b2e
Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/18 Firefox/18.0a1 ID:20120929030624
Crash:
http://hg.mozilla.org/mozilla-central/rev/85f561c755f6
Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/18 Firefox/18.0a1 ID:20120929191424
Pushlog;
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c09a0c022b2e&tochange=85f561c755f6
Regression window(m-c thinderbox Windows)
Good:
http://hg.mozilla.org/mozilla-central/rev/c09a0c022b2e
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20120928221119
Crash:
http://hg.mozilla.org/mozilla-central/rev/879cce846c1e
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20120929093223
Pushlog;
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c09a0c022b2e&tochange=879cce846c1e
Regression window(m-i thinderbox Windows)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/68c4c30ff6f0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20120928223118
Crash:
http://hg.mozilla.org/integration/mozilla-inbound/rev/b56f7cb51b1f
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20120929000618
Pushlog;
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=68c4c30ff6f0&tochange=b56f7cb51b1f
Triggered by:
59665618b6c9 Nicolas B. Pierron — Backout 44465ef545e3 (Bug 786126) - Are we fast yet regression.
![]() |
||
Comment 4•13 years ago
|
||
non-PGO builds seemed to be fixed by Bug 793577.
However, PGO builds seemed to start to crash instead.
non-PGO progression window (m-c)
Crash:
http://hg.mozilla.org/mozilla-central/rev/044d1b974385
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/19.0 Firefox/19.0 ID:20121016172205
Not crash:
http://hg.mozilla.org/mozilla-central/rev/dac5700acf8b
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/19.0 Firefox/19.0 ID:20121016185305
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=044d1b974385&tochange=dac5700acf8b
non-PGO progression window (m-i)
Crash
http://hg.mozilla.org/integration/mozilla-inbound/rev/71eacb57041d
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/19.0 Firefox/19.0 ID:20121016092304
Not crash:
http://hg.mozilla.org/integration/mozilla-inbound/rev/741fb7f8e5cb
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/19.0 Firefox/19.0 ID:20121016101706
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=71eacb57041d&tochange=741fb7f8e5cb
non-PGO fixed by:
741fb7f8e5cb Terrence Cole — Bug 793577 - Implement Return<T> for direct returns of unrooted GC pointers; r=billm r=njn Return<T> wraps GC things that are returned from accessor methods. The wrapper helps to ensure correct rooting of the returned pointer and safe access while unrooted.
![]() |
||
Comment 5•13 years ago
|
||
(In reply to Alice0775 White from comment #4)
> non-PGO builds seemed to be fixed by Bug 793577.
non-PGO builds seemed to be fixed by Bug 793577 for winodows only. Linux build still crashes.
Reporter | ||
Updated•13 years ago
|
Reporter | ||
Updated•13 years ago
|
Keywords: regressionwindow-wanted
Comment 6•13 years ago
|
||
Terrence passing on this top-crasher to you as Bug 793577 is the suspected regressing bug.Can you please look at it ? Thanks !
Comment 7•13 years ago
|
||
Sorry, I must have missed this before.
IonMonkey appears to be entering the interpreter with a busted stack. I'd be very surprised if the change in bug 793577 caused this directly. I think :dvander is currently looking at several other PGO failures that are probably related. I'll coordinate with him to see if the fix he's working on works for this too.
Comment 8•13 years ago
|
||
We're no longer seeing this on the FF18 top crash list. If I'm misreading that, please re-nominate.
The BOM link still reliably crashes the most recent nightly build
See crash signature
https://crash-stats.mozilla.com/report/index/bp-2f58f620-a371-45b2-8324-50dd92121129
Comment 10•13 years ago
|
||
@akeybl did you test the given link before you changed flags?
Reporter | ||
Comment 11•13 years ago
|
||
(In reply to M** A**** from comment #10)
> @akeybl did you test the given link before you changed flags?
We track for release top crashers not reproducible low crashers. Indeed, it's now #172 top browser crasher in 18.0b1 and #100 in 19.0a2.
Keywords: topcrash
Updated•13 years ago
|
Whiteboard: [js:p1]
Updated•13 years ago
|
Comment 12•13 years ago
|
||
The BOM site no longer crashes in the latest Firefox Nightly builds.
Comment 14•12 years ago
|
||
BOM site crashes again
https://crash-stats.mozilla.com/report/index/bp-2ee249c5-34d5-40af-a329-a7ed52130119
This is a new install of windows 7 64 bit
Comment 17•6 years ago
|
||
Closing because no crashes reported for 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•