Closed Bug 810659 Opened 7 years ago Closed 3 years ago

crash in js::frontend::FoldConstants

Categories

(Core :: JavaScript Engine, defect, critical)

17 Branch
x86
Windows XP
defect
Not set
critical

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox17 --- wontfix
firefox18 --- wontfix
firefox19 --- wontfix
firefox20 --- wontfix
firefox21 --- wontfix
firefox22 --- wontfix
firefox23 --- wontfix
firefox24 --- wontfix
firefox48 --- wontfix
firefox49 --- fix-optional
firefox50 --- fix-optional
firefox51 --- fix-optional

People

(Reporter: scoobidiver, Unassigned)

Details

(Keywords: crash, regression, Whiteboard: [js:p2])

Crash Data

It's #28 top browser crasher w/o hangs in 17.0b5 and #119 in 18.0a2.
It first showed up in 17.0a1/20120722. The regression range might be:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=446b788ab99d&tochange=462106f027af

Signature 	js::frontend::FoldConstants(JSContext*, js::frontend::ParseNode*, js::frontend::Parser*, bool, bool)
UUID	46318ba8-09ec-448b-a24d-8170b2121111
Date Processed	2012-11-11 04:00:27
Uptime	31
Last Crash	31.2 minutes before submission
Install Age	1.7 days since version was first installed.
Install Time	2012-11-09 10:01:47
Product	Firefox
Version	17.0
Build ID	20121106195758
Release Channel	beta
OS	Windows NT
OS Version	6.1.7600
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 42 stepping 7
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0xffffffff803a4760
App Notes 	
AdapterVendorID: 0x10de, AdapterDeviceID: 0x0a65, AdapterSubsysID: 35251458, AdapterDriverVersion: 8.17.11.9646
D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- 
EMCheckCompatibility	True
Adapter Vendor ID	0x10de
Adapter Device ID	0x0a65
Total Virtual Memory	2147352576
Available Virtual Memory	1758089216
System Memory Use Percentage	40
Available Page File	4978884608
Available Physical Memory	1893294080

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::frontend::FoldConstants 	js/src/frontend/FoldConstants.cpp:408
1 	mozjs.dll 	js::frontend::FoldConstants 	js/src/frontend/FoldConstants.cpp:426
2 	mozjs.dll 	js::frontend::FoldConstants 	js/src/frontend/FoldConstants.cpp:410
3 	mozjs.dll 	js::frontend::FoldConstants 	js/src/frontend/FoldConstants.cpp:426
4 	mozjs.dll 	js::frontend::CompileScript 	js/src/frontend/BytecodeCompiler.cpp:193
5 	mozjs.dll 	JS::Evaluate 	js/src/jsapi.cpp:5659
6 	xul.dll 	xpc_EvalInSandbox 	js/xpconnect/src/XPCComponents.cpp:3923
7 	xul.dll 	nsXPCComponents_Utils::EvalInSandbox 	js/xpconnect/src/XPCComponents.cpp:3834
8 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:70
9 	xul.dll 	XPCWrappedNative::CallMethod 	js/xpconnect/src/XPCWrappedNative.cpp:2406
10 	xul.dll 	XPC_WN_CallMethod 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1478
11 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:352
12 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2414
....

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Afrontend%3A%3AFoldConstants%28JSContext*%2C+js%3A%3Afrontend%3A%3AParseNode*%2C+js%3A%3Afrontend%3A%3AParser*%2C+bool%2C+bool%29
Marcia is going to pull URLs and correlation reports for us to try to reproduce, although this isn't strictly a topcrash as of today.
Keywords: needURLs, qawanted
QA Contact: mozillamarcia.knous
Here are some manual correlations from the 6th when there was a higher volume of crashes - for addons the only one showing on the radar is Internet Download Manager, and there isn't a strong correlation to one version.

js::frontend::FoldConstants(JSContext*, js::frontend::ParseNode*, js::frontend::Parser*, bool, bool)|EXCEPTION_ACCESS_VIOLATION_READ (22 crashes)
     14% (3/22) vs.   2% (1311/54226) mozilla_cc@internetdownloadmanager.com (IDM CC, https://addons.mozilla.org/addon/6973)
     91% (20/22) vs.  82% (44447/54226) testpilot@labs.mozilla.com (Mozilla Labs - Test Pilot, https://addons.mozilla.org/addon/13661)
    100% (22/22) vs.  94% (50778/54226) {972ce4c6-7e08-4474-a285-3208198ce6fd} (Default, https://addons.mozilla.org/addon/8150)

14% (3/22) vs.   2% (1311/54226) mozilla_cc@internetdownloadmanager.com (IDM CC, https://addons.mozilla.org/addon/6973)
          0% (0/22) vs.   0% (8/54226) 7.3.25
          5% (1/22) vs.   1% (289/54226) 7.3.28
          9% (2/22) vs.   2% (1014/54226) 7.3.29

js::frontend::FoldConstants(JSContext*, js::frontend::ParseNode*, js::frontend::Parser*, bool, bool)|EXCEPTION_ACCESS_VIOLATION_READ (22 crashes)
     77% (17/22) vs.  29% (15990/54226) lz32.dll
     77% (17/22) vs.  31% (16670/54226) xpsp2res.dll
     95% (21/22) vs.  50% (26935/54226) t2embed.dll
     77% (17/22) vs.  34% (18237/54226) wshtcpip.dll
     77% (17/22) vs.  34% (18249/54226) hnetcfg.dll
     68% (15/22) vs.  25% (13742/54226) cryptui.dll
     77% (17/22) vs.  37% (20041/54226) comres.dll
     77% (17/22) vs.  38% (20374/54226) ws2help.dll
     77% (17/22) vs.  38% (20418/54226) iphlpapi.dll
     68% (15/22) vs.  29% (15811/54226) wldap32.dll
    100% (22/22) vs.  64% (34972/54226) browsercomps.dll
     59% (13/22) vs.  24% (12961/54226) MSCTF.dll
    100% (22/22) vs.  65% (35260/54226) firefox.exe
    100% (22/22) vs.  65% (35297/54226) xpcom.dll
    100% (22/22) vs.  66% (35542/54226) dbghelp.dll
     82% (18/22) vs.  48% (25916/54226) imagehlp.dll
     91% (20/22) vs.  59% (31919/54226) nssckbi.dll
     91% (20/22) vs.  60% (32687/54226) freebl3.dll
     91% (20/22) vs.  60% (32687/54226) nssdbm3.dll
     91% (20/22) vs.  60% (32690/54226) softokn3.dll
     68% (15/22) vs.  39% (20905/54226) netapi32.dll
     86% (19/22) vs.  57% (30783/54226) shdocvw.dll
     91% (20/22) vs.  62% (33576/54226) feclient.dll
     91% (20/22) vs.  62% (33593/54226) winrnr.dll
    100% (22/22) vs.  72% (39261/54226) mswsock.dll
     91% (20/22) vs.  63% (34393/54226) rasadhlp.dll
    100% (22/22) vs.  73% (39790/54226) wintrust.dll
     68% (15/22) vs.  44% (23987/54226) mpr.dll
     91% (20/22) vs.  69% (37428/54226) dnsapi.dll
     27% (6/22) vs.   8% (4388/54226) idmmkb.dll
     77% (17/22) vs.  58% (31616/54226) rsaenh.dll
     36% (8/22) vs.  19% (10353/54226) d3d8thk.dll
     36% (8/22) vs.  19% (10479/54226) d3d9.dll
     32% (7/22) vs.  16% (8534/54226) MSCTFIME.IME
     14% (3/22) vs.   2% (936/54226) idmcchandler2.dll
     14% (3/22) vs.   2% (937/54226) idmmzcc.dll
     23% (5/22) vs.  11% (6018/54226) activeds.dll
     23% (5/22) vs.  11% (6019/54226) adsldpc.dll
     23% (5/22) vs.  11% (6082/54226) mprapi.dll
     36% (8/22) vs.  27% (14588/54226) samlib.dll
      9% (2/22) vs.   0% (53/54226) idle.dll
     23% (5/22) vs.  14% (7574/54226) atl.dll
      9% (2/22) vs.   0% (195/54226) ffdshowmngr.dll
     18% (4/22) vs.  10% (5414/54226) wmi.dll
     18% (4/22) vs.  10% (5414/54226) wzcsvc.dll
     18% (4/22) vs.  10% (5424/54226) esent.dll
     18% (4/22) vs.  10% (5426/54226) netman.dll
     18% (4/22) vs.  10% (5439/54226) wzcsapi.dll
     18% (4/22) vs.  10% (5522/54226) credui.dll
     18% (4/22) vs.  10% (5585/54226) netshell.dll
      9% (2/22) vs.   2% (926/54226) mslbui.dll
     41% (9/22) vs.  34% (18320/54226) msacm32.drv
     41% (9/22) vs.  34% (18361/54226) midimap.dll
     41% (9/22) vs.  34% (18460/54226) wdmaud.drv
     41% (9/22) vs.  35% (18894/54226) msacm32.dll
     18% (4/22) vs.  13% (6787/54226) tapi32.dll
     14% (3/22) vs.   8% (4439/54226) rpchrome150browserrecordhelper.dll

Keywords: needURLs
Changeset http://hg.mozilla.org/mozilla-central/rev/28711b9f49cd seems suspicious considering the stack. Tom can you take a look?
Assignee: general → evilpies
Whiteboard: [js:p2]
I took a very short peek at this. Sadly I have no real experience with crash-stats stuff. I don't really think my stuff is to blame here, considering that the crash is coming from
>4 	mozjs.dll 	js::frontend::CompileScript 	js/src/frontend/BytecodeCompiler.cpp:193
and not Parser.cpp.

I also looked at a few more crash reports and I think they are not coming from my stuff.

I am sorry, but I can't help you :/.
Assignee: evilpies → general
evilpie, do you have another suggestion in the regression range? The regression range seems pretty solid (we could look one day earlier if necessary). Given the wide range of URLs and lack of other correlations, this is likely to be some kind of memory corruption or unexpected state, and so it's reasonably likely that the location of the crash stack doesn't directly relate to the regressing bug.

Patches in the range which touch js/src:

$ hg log -r "1dbd25c0205e::462106f027af" js/src
changeset:   100008:1dbd25c0205e
parent:      100002:045c11dd41a6
user:        Luke Wagner <luke@mozilla.com>
date:        Fri Jul 20 17:16:14 2012 -0700
summary:     Bug 775807 - Don't disassemble partially-compiled scripts (r=jimb)

changeset:   100015:62d352e6a480
user:        Gary Kwong <gary@rumblingedge.com>
date:        Fri Jul 20 19:10:15 2012 -0700
summary:     Add test for bug 770952.

changeset:   100016:16dd72527ae1
user:        Gary Kwong <gary@rumblingedge.com>
date:        Fri Jul 20 19:54:58 2012 -0700
summary:     Backed out changeset 62d352e6a480 for breakage.

changeset:   100017:f97fffdd56c0
user:        Gary Kwong <gary@rumblingedge.com>
date:        Fri Jul 20 19:10:15 2012 -0700
summary:     Add test for bug 770952, take two.

changeset:   100018:3bca687c261c
user:        Gary Kwong <gary@rumblingedge.com>
date:        Fri Jul 20 23:03:56 2012 -0700
summary:     Bug 632778 - Update tests to use test metalines instead, since they are in jit-test.

changeset:   100025:e9e2767a4275
user:        Gary Kwong <gary@rumblingedge.com>
date:        Fri Jul 20 22:53:17 2012 -0700
summary:     Bug 633828 - Remove bogus assert. r=luke

changeset:   100033:28711b9f49cd
user:        Tom Schuster <evilpies@gmail.com>
date:        Sat Jul 21 13:05:07 2012 +0200
summary:     Bug 646599 - Constant folding should happen before deciding whether to turn obj[A] into obj.A. r=Waldo

changeset:   100034:60b949c0eaef
user:        Tom Schuster <evilpies@gmail.com>
date:        Sat Jul 21 13:06:37 2012 +0200
summary:     Bug 775166 - Remove some ugly optimization in jsarray. r=bhackett
Okay I think we could just back out my patch, considering we don't usually use the decompiler anymore.
More reports also at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Afrontend%3A%3AFoldConstants%28JSContext*%2C+js%3A%3Afrontend%3A%3AParseNode**%2C+js%3A%3Afrontend%3A%3AParser*%2C+bool%2C+bool%29
Crash Signature: [@ js::frontend::FoldConstants(JSContext*, js::frontend::ParseNode*, js::frontend::Parser*, bool, bool)] → [@ js::frontend::FoldConstants(JSContext*, js::frontend::ParseNode*, js::frontend::Parser*, bool, bool)] [@ js::frontend::FoldConstants(JSContext*, js::frontend::ParseNode**, js::frontend::Parser*, bool, bool)]
More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Afrontend%3A%3AFoldConstants%3Cjs%3A%3Afrontend%3A%3AFullParseHandler%3E%28JSContext*%2C+js%3A%3Afrontend%3A%3AParseNode**%2C+js%3A%3Afrontend%3A%3AParser%3Cjs%3A%3Afrontend%3A%3AFullParseHandler%3E*%2C+bool%2C+bool%29
Crash Signature: [@ js::frontend::FoldConstants(JSContext*, js::frontend::ParseNode*, js::frontend::Parser*, bool, bool)] [@ js::frontend::FoldConstants(JSContext*, js::frontend::ParseNode**, js::frontend::Parser*, bool, bool)] → [@ js::frontend::FoldConstants(JSContext*, js::frontend::ParseNode*, js::frontend::Parser*, bool, bool)] [@ js::frontend::FoldConstants(JSContext*, js::frontend::ParseNode**, js::frontend::Parser*, bool, bool)] [@ js::frontend::FoldConstants<js::fronten…
Removing qawanted since the request was fulfilled in comment 2.
Keywords: qawanted
Assignee: general → nobody
Crash Signature: , bool)] [@ js::frontend::FoldConstants<js::frontend::FullParseHandler>(JSContext*, js::frontend::ParseNode**, js::frontend::Parser<js::frontend::FullParseHandler>*, bool, bool)] → , bool)] [@ js::frontend::FoldConstants<js::frontend::FullParseHandler>(JSContext*, js::frontend::ParseNode**, js::frontend::Parser<js::frontend::FullParseHandler>*, bool, bool)] [@ js::frontend::FoldConstants] [@ js::frontend::FoldConstants<T>]
Crash volume for signature 'js::frontend::FoldConstants':
 - nightly (version 50): 0 crashes from 2016-06-06.
 - aurora  (version 49): 0 crashes from 2016-06-07.
 - beta    (version 48): 3 crashes from 2016-06-06.
 - release (version 47): 34 crashes from 2016-05-31.
 - esr     (version 45): 0 crashes from 2016-04-07.

Crash volume on the last weeks:
            W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
 - nightly       0       0       0       0       0       0       0
 - aurora        0       0       0       0       0       0       0
 - beta          0       0       0       0       1       1       1
 - release       0       0       2      12       5      12       3
 - esr           0       0       0       0       0       0       0

Affected platforms: Windows, Mac OS X, Linux
The current rate of crashes compared to comment 0 suggests something has since been resolved (or the signature has changed).
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME