Closed Bug 812319 Opened 9 years ago Closed 5 years ago

crash in js::ShapeTable::search

Categories

(Core :: JavaScript Engine, defect)

17 Branch
defect
Not set
critical

RESOLVED WORKSFORME
Tracking Status
firefox17 - ---
firefox-esr45 --- affected
firefox-esr52 --- unaffected

People

(Reporter: marcia, Assigned: sfink)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is report bp-dc011938-ac09-4a59-a8c0-1117f2121115.
============================================================= 

Windows crash seen while looking at crash stats and seems to be correlated to Yandex - see https://crash-stats.mozilla.com/report/list?signature=js::ShapeTable::search%28int,%20bool%29. This has happened in other versions as well.

71% (17/24) vs.   2% (414/18719) yasearch@yandex.ru (Yandex.Bar, https://addons.mozilla.org/addon/3495)
63% (15/24) vs.   1% (251/18719) vb@yandex.ru
21% (5/24) vs.   1% (134/18719) {B100D0FF-0001-8CE4-2790-AACE49B8AE35}
21% (5/24) vs.   1% (157/18719) {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} (WOT, https://addons.mozilla.org/addon/3456)
17% (4/24) vs.   0% (34/18719) helper@savefrom.net
17% (4/24) vs.   2% (365/18719) {37964A3C-4EE8-47b1-8321-34DE2C39BA4D}
13% (3/24) vs.   0% (6/18719) s3google@translator
13% (3/24) vs.   0% (39/18719) {fe272bd1-5f76-4ea4-8501-a05d35d823fc}
13% (3/24) vs.   0% (42/18719) dmbarff@westbyte.com
13% (3/24) vs.   0% (45/18719) dmpluginff@westbyte.com
13% (3/24) vs.   1% (158/18719) {9AA46F4F-4DC7-4c06-97AF-5035170634FE} (ImTranslator, https://addons.mozilla.org/addon/2257)
17% (4/24) vs.   5% (998/18719) wrc@avast.com
17% (4/24) vs.   6% (1073/18719) {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} (Adblock Plus, https://addons.mozilla.org/addon/1865)
13% (3/24) vs.   3% (514/18719) {EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}
13% (3/24) vs.   3% (598/18719) {0153E448-190B-4987-BDE1-F256CADA672F}
8% (2/24) vs.   0% (5/18719) {7760B465-F757-4443-9A87-78DA5B6C13C3}
8% (2/24) vs.   0% (9/18719) ossen@yandex.ru
8% (2/24) vs.   0% (12/18719) YouTubeVideoDownloadLinks@mattshaw.org
8% (2/24) vs.   0% (13/18719) ALone-live@ya.ru
8% (2/24) vs.   0% (14/18719) extensions@gismeteo.com
8% (2/24) vs.   0% (18/18719) pavel.sherbakov@gmail.com
8% (2/24) vs.   0% (26/18719) tabs@ticno.com
8% (2/24) vs.   0% (41/18719) dmremote@westbyte.com
8% (2/24) vs.   0% (70/18719) smarterwiki@wikiatic.com (FastestFox - Browse Faster, https://addons.mozilla.org/addon/9825)
8% (2/24) vs.   1% (94/18719) {3e0e7d2a-070f-4a47-b019-91fe5385ba79} (AddThis, https://addons.mozilla.org/addon/4076)
8% (2/24) vs.   1% (94/18719) adblockpopups@jessehakanen.net
8% (2/24) vs.   1% (171/18719) {1018e4d6-728f-4b20-ad56-37578a4de76b} (Flagfox, https://addons.mozilla.org/addon/5791)
8% (2/24) vs.   2% (344/18719) OneClickDownload@OneClickDownload.com
8% (2/24) vs.   3% (622/18719) {b9db16a4-6edc-47ec-a1f4-b86292ed211d} (Video DownloadHelper, https://addons.mozilla.org/addon/3006)


Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::ShapeTable::search 	js/src/jsscope.cpp:163
1 	mozjs.dll 	js::ObjectImpl::nativeLookup 	js/src/vm/ObjectImpl.cpp:265
2 	mozjs.dll 	js::GetPropertyOperation 	js/src/jsinterpinlines.h:270
3 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2293
4 	xul.dll 	XPCConvert::NativeData2JS 	js/xpconnect/src/XPCConvert.cpp:230
5 	xul.dll 	XPCConvert::NativeData2JS 	js/xpconnect/src/xpcprivate.h:3313
6 	nspr4.dll 	PR_Unlock 	nsprpub/pr/src/threads/combined/prulock.c:315
7 	xul.dll 	XPCCallContext::~XPCCallContext 	js/xpconnect/src/XPCCallContext.cpp:308
8 	xul.dll 	nsIFrame::GetPaddingRect 	layout/generic/nsFrame.cpp:968
Assignee: nobody → general
Component: Extension Compatibility → JavaScript Engine
OS: Windows NT → Windows XP
Product: Firefox → Core
We haven't been able to reproduce, so we're still trying to reach out to the Yandex Toolbar team and looping in the JS team to see if there's anything we can investigate in the meantime.
It's #9 top browser crasher in 17.0.

Here are correlations per extension version:
     89% (33/37) vs.   6% (543/8801) yasearch@yandex.ru (Yandex.Bar, https://addons.mozilla.org/addon/3495)
          3% (1/37) vs.   0% (2/8801) 7.1.1
         24% (9/37) vs.   0% (39/8801) 7.2.1
          8% (3/37) vs.   1% (45/8801) 7.2.3
          8% (3/37) vs.   0% (16/8801) 7.2.5
         46% (17/37) vs.   5% (427/8801) 7.2.6
     86% (32/37) vs.   6% (525/8801) vb@yandex.ru
          3% (1/37) vs.   0% (9/8801) 1.1
         35% (13/37) vs.   2% (209/8801) 1.3
          5% (2/37) vs.   1% (112/8801) 1.4
          3% (1/37) vs.   0% (13/8801) 2.0
         41% (15/37) vs.   2% (146/8801) 2.0.1
Keywords: topcrash
OS: Windows XP → Windows 7
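The correlation lines quoted in the comments above can be ranked mechanically. The following is an added example, not part of the bug or of Socorro's code; it assumes the first fraction counts crashes with this signature and the second counts all crashes in the comparison set, and the `min_hits` cutoff of 5 is an arbitrary choice made here.

```python
import re
from typing import NamedTuple

# Constructed sample: four lines in the format quoted in this bug's comments.
SAMPLE = """\
71% (17/24) vs.   2% (414/18719) yasearch@yandex.ru (Yandex.Bar, https://addons.mozilla.org/addon/3495)
63% (15/24) vs.   1% (251/18719) vb@yandex.ru
13% (3/24) vs.   0% (6/18719) s3google@translator
17% (4/24) vs.   6% (1073/18719) {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} (Adblock Plus, https://addons.mozilla.org/addon/1865)
"""

class Row(NamedTuple):
    item: str        # add-on ID (or version string on nested lines)
    sig_hits: int    # assumed: crashes with this signature that have the item
    sig_total: int   # assumed: all crashes with this signature
    all_hits: int    # assumed: crashes of any signature that have the item
    all_total: int   # assumed: all crashes in the comparison set

LINE_RE = re.compile(
    r"^[ \t]*\d+%[ \t]+\((\d+)/(\d+)\)[ \t]+vs\.[ \t]+\d+%[ \t]+\((\d+)/(\d+)\)[ \t]+(\S+)",
    re.MULTILINE,
)

def parse(text):
    """Extract one Row per correlation line; non-matching lines are skipped."""
    return [Row(m.group(5), *(int(g) for g in m.groups()[:4]))
            for m in LINE_RE.finditer(text)]

def lift(row):
    """How many times more common the item is in this signature than overall."""
    if row.all_hits == 0:
        return float("inf")
    return (row.sig_hits / row.sig_total) / (row.all_hits / row.all_total)

def rank(rows, min_hits=5):
    """Drop items seen in fewer than min_hits crashes, then sort by lift."""
    kept = [r for r in rows if r.sig_hits >= min_hits]
    return sorted(kept, key=lift, reverse=True)

if __name__ == "__main__":
    for r in parse(SAMPLE):
        note = "" if r.sig_hits >= 5 else "  (too few crashes to trust)"
        print(f"{lift(r):8.1f}x  {r.item}{note}")
```

The `s3google@translator` line has the highest raw ratio of the four but rests on only 3 crashes, which is why the ranking applies a minimum count before sorting.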
Yandex has pushed an update (in bug 770238 comment 26), so let's see if we get any decrease in crash volume here if they are related issues.
This signature is pretty low on 18.0b3 (#115) but remains #8 on release.

As the Yandex Bar add-on is completely JS-based (no binary code), any crash it triggers is very probably a problem in our code and we should investigate that, esp. with how much-used this add-on is in Russia.

sfink, you have done work with debugging crashes with this add-on in bug 770238, can you help here as well?
Assignee: general → sphink
It looks like we don't have an STR or a regression range for this crash. I don't think there's much that we can do.
It's #111 top browser crasher in 18.0.2 and #88 in 19.0b5 so no longer a top crasher.

There are no extension correlations in 18.0.2.
Keywords: topcrash
Summary: crash in js::ShapeTable::search (correlated to Yandex Bar) → crash in js::ShapeTable::search
Interestingly, there are still spikes for some build dates, but it's usually low. I don't know what that means--whether it's affecting some very small set of Nightly users, or what.
Crash Signature: [@ js::ShapeTable::search(int, bool)] → [@ js::ShapeTable::search(int, bool)] [@ js::ShapeTable::search(__int64, bool)]
Hardware: x86 → All
Blocks: 842097
Crash Signature: [@ js::ShapeTable::search(int, bool)] [@ js::ShapeTable::search(__int64, bool)] → [@ js::ShapeTable::search(int, bool)] [@ js::ShapeTable::search(__int64, bool)] [@ js::ShapeTable::search]
I'm marking this bug as WORKSFORME, as this bug's crash log signature hasn't appeared for a long time (over half a year) in Firefox (except in some obsolete Fx <46; no crashes since Fx 46).
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME