crash in js::ion::InvokeFunction @ js::Invoke

NEW
Unassigned

Status

()

--
critical
6 years ago
5 years ago

People

(Reporter: scoobidiver, Unassigned)

Tracking

({crash, regression, reproducible})

18 Branch
x86
All
crash, regression, reproducible
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox18-, firefox19-)

Details

(Whiteboard: [js:p1], crash signature, URL)

(Reporter)

Description

6 years ago
It spiked recently in the trunk and is reproducible with the above URL.

Signature 	js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) More Reports Search
UUID	a358c324-e053-49fa-9dfd-b63f72121110
Date Processed	2012-11-10 14:45:16
Uptime	21
Last Crash	2.2 days before submission
Install Age	21 seconds since version was first installed.
Install Time	2012-11-10 14:45:01
Product	Firefox
Version	19.0a1
Build ID	20121109030635
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 23 stepping 10
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0xffffffffffffff87
App Notes 	
AdapterVendorID: 0x8086, AdapterDeviceID: 0x2a42, AdapterSubsysID: 02961025, AdapterDriverVersion: 8.15.10.2555
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
EMCheckCompatibility	True
Adapter Vendor ID	0x8086
Adapter Device ID	0x2a42
Total Virtual Memory	4294836224
Available Virtual Memory	3858870272
System Memory Use Percentage	55
Available Page File	6067658752
Available Physical Memory	1864028160

Bugzilla - Report this bug in Firefox, Core, Plug-Ins, or Toolkit
Crashing Thread
Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:408
1 	mozjs.dll 	js::ion::InvokeFunction 	js/src/ion/VMFunctions.cpp:63
2 		@0x15b9299f 	

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3AInvoke%28JSContext*%2C+JS%3A%3AValue+const%26%2C+JS%3A%3AValue+const%26%2C+unsigned+int%2C+JS%3A%3AValue*%2C+JS%3A%3AValue*%29

Comment 1

6 years ago
bp-8c1d0a72-4406-4958-82df-145ad2121110 : Aurora18.0a2
bp-bec2d1e1-7adb-4308-a074-0bd952121110 : Nightly19.0a1
Crash Signature: [@ js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*)] → [@ js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*)] [@ js::Invoke]
OS: Windows 7 → All
Version: 19 Branch → 18 Branch

Comment 2

6 years ago
m-c
good=2012-10-16
bad=2012-10-17
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=8f145599e4bf&tochange=dac5700acf8b
tracking-firefox18: --- → ?
tracking-firefox19: --- → ?

Comment 3

6 years ago
(In reply to Loic from comment #2)
> m-c
> good=2012-10-16
> bad=2012-10-17
> http://hg.mozilla.org/mozilla-central/
> pushloghtml?fromchange=8f145599e4bf&tochange=dac5700acf8b

non-PGO build(m-c thinderbox) crashes the above cset.
http://hg.mozilla.org/mozilla-central/rev/8f145599e4bf
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/19.0 Firefox/19.0 ID:20121016010947

I think this is sensitive to PGO.


Regression window in non-PGO builds(m-c thinderbox/m-i thinderbox)
Regression window(m-c nightly linux, so non-PGO)
Good:
http://hg.mozilla.org/mozilla-central/rev/c09a0c022b2e
Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/18 Firefox/18.0a1 ID:20120929030624
Crash:
http://hg.mozilla.org/mozilla-central/rev/85f561c755f6
Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/18 Firefox/18.0a1 ID:20120929191424
Pushlog;
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c09a0c022b2e&tochange=85f561c755f6

Regression window(m-c thinderbox Windows)
Good:
http://hg.mozilla.org/mozilla-central/rev/c09a0c022b2e
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20120928221119
Crash:
http://hg.mozilla.org/mozilla-central/rev/879cce846c1e
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20120929093223
Pushlog;
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c09a0c022b2e&tochange=879cce846c1e

Regression window(m-i thinderbox Windows)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/68c4c30ff6f0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20120928223118
Crash:
http://hg.mozilla.org/integration/mozilla-inbound/rev/b56f7cb51b1f
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/18.0 Firefox/18.0 ID:20120929000618
Pushlog;
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=68c4c30ff6f0&tochange=b56f7cb51b1f

Triggered by:
	59665618b6c9	Nicolas B. Pierron — Backout 44465ef545e3 (Bug 786126) - Are we fast yet regression.

Comment 4

6 years ago
non-PGO builds seemed to be fixed by Bug 793577.
However, PGO builds seemed to start to crash instead.

non-PGO progression window (m-c)
Crash:
http://hg.mozilla.org/mozilla-central/rev/044d1b974385
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/19.0 Firefox/19.0 ID:20121016172205
Not crash:
http://hg.mozilla.org/mozilla-central/rev/dac5700acf8b
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/19.0 Firefox/19.0 ID:20121016185305
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=044d1b974385&tochange=dac5700acf8b


non-PGO progression window (m-i)
Crash
http://hg.mozilla.org/integration/mozilla-inbound/rev/71eacb57041d
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/19.0 Firefox/19.0 ID:20121016092304
Not crash:
http://hg.mozilla.org/integration/mozilla-inbound/rev/741fb7f8e5cb
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/19.0 Firefox/19.0 ID:20121016101706
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=71eacb57041d&tochange=741fb7f8e5cb

non-PGO fixed by:
741fb7f8e5cb	Terrence Cole — Bug 793577 - Implement Return<T> for direct returns of unrooted GC pointers; r=billm r=njn Return<T> wraps GC things that are returned from accessor methods. The wrapper helps to ensure correct rooting of the returned pointer and safe access while unrooted.
Blocks: 793577, 786126

Comment 5

6 years ago
(In reply to Alice0775 White from comment #4)
> non-PGO builds seemed to be fixed by Bug 793577.

non-PGO builds seemed to be fixed by Bug 793577 for winodows only. Linux build still crashes.
(Reporter)

Updated

6 years ago
No longer blocks: 793577
Depends on: 793577
Keywords: topcrash
(Reporter)

Updated

6 years ago
Keywords: regressionwindow-wanted
Terrence passing on this top-crasher to you as Bug 793577 is the suspected regressing bug.Can you please look at it ? Thanks !
Assignee: general → terrence
tracking-firefox18: ? → +
tracking-firefox19: ? → +
Sorry, I must have missed this before.

IonMonkey appears to be entering the interpreter with a busted stack.  I'd be very surprised if the change in bug 793577 caused this directly.  I think :dvander is currently looking at several other PGO failures that are probably related.  I'll coordinate with him to see if the fix he's working on works for this too.

Comment 8

6 years ago
We're no longer seeing this on the FF18 top crash list. If I'm misreading that, please re-nominate.
tracking-firefox18: + → -

Comment 9

6 years ago
The BOM link still reliably crashes the most recent nightly build
See crash signature
https://crash-stats.mozilla.com/report/index/bp-2f58f620-a371-45b2-8324-50dd92121129

Comment 10

6 years ago
@akeybl did you test the given link before you changed flags?
(Reporter)

Comment 11

6 years ago
(In reply to M** A**** from comment #10)
> @akeybl did you test the given link before you changed flags?
We track for release top crashers not reproducible low crashers. Indeed, it's now #172 top browser crasher in 18.0b1 and #100 in 19.0a2.
tracking-firefox19: + → ?
Keywords: topcrash
Whiteboard: [js:p1]

Updated

6 years ago
tracking-firefox19: ? → -

Comment 12

6 years ago
The BOM site no longer crashes in the latest Firefox Nightly builds.

Updated

6 years ago
Duplicate of this bug: 826963

Comment 14

6 years ago
BOM site crashes again 
https://crash-stats.mozilla.com/report/index/bp-2ee249c5-34d5-40af-a329-a7ed52130119
This is a new install of windows 7 64 bit

Updated

6 years ago
Duplicate of this bug: 832939
I'm not actively working on this right now.
Assignee: terrence → nobody
You need to log in before you can comment on or make changes to this bug.