Closed Bug 816378 Opened 12 years ago Closed 12 years ago

Crash on startup in Javascript

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla20

People

(Reporter: hub, Assigned: hub)

References

Details

(Keywords: crash, Whiteboard: [startupcrash])

mozilla inbound @ 7ec460e1bd87 (this afternoon)
#0 0x00007ffff52dd927 in js::types::HashSetLookup<long, js::types::Property, js::types::Property> (values= 0x75db85f675105fb1, count=<optimized out>, key=4) at /home/hub/source/mozilla/src/js/src/jsinferinlines.h:1260
#1 0x00007ffff52dd98a in maybeGetProperty (id=4, this=0x7ffff4a3bb2c, cx=<optimized out>) at /home/hub/source/mozilla/src/js/src/jsinferinlines.h:1573
#2 ObjectStateChange (cx=0x7fffb01a35f0, object=0x7ffff4a3bb2c, markingUnknown=false, force=true) at /home/hub/source/mozilla/src/js/src/jsinfer.cpp:1746
#3 0x00007ffff52e744c in AddPendingRecompile (script=..., cx=0x7fffb01a35f0, pc=<optimized out>, kind=<optimized out>) at /home/hub/source/mozilla/src/js/src/jsinfer.cpp:2081
#4 TypeConstraintFreezeStack::newType (this=<optimized out>, cx=0x7fffb01a35f0, source=<optimized out>, type=...) at /home/hub/source/mozilla/src/js/src/jsinfer.cpp:2107
#5 0x00007ffff52dd406 in js::types::TypeCompartment::resolvePending (this=0x7fffadb25cc0, cx=cx@entry= 0x7fffb01a35f0) at /home/hub/source/mozilla/src/js/src/jsinferinlines.h:1093
#6 0x00007ffff52e0ba4 in addType (cx=0x7fffb01a35f0, this=<optimized out>, type=...) at /home/hub/source/mozilla/src/js/src/jsinferinlines.h:1412
#7 js::types::TypeSet::addType (this=0x7fffca300030, cx=0x7fffb01a35f0, type=...) at /home/hub/source/mozilla/src/js/src/jsinferinlines.h:1331
#8 0x00007ffff532f83e in SetThis (type=..., script=..., cx=0x7fffb01a35f0) at /home/hub/source/mozilla/src/js/src/jsinferinlines.h:982
#9 js_CreateThisForFunctionWithProto (cx=0x7fffb01a35f0, callee=..., proto=<optimized out>) at /home/hub/source/mozilla/src/js/src/jsobj.cpp:2370
#10 0x00007fffdc76aafa in ?? ()
Kanan told me it was a concurrency issue / race condition.
This crash happens on startup when I restore the tabs from my session. I can reproduce it all the time.
At revision 4f7114a9d050 I get a different crash, from pdf.js, shortly after startup.
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff52dd7d8 in LocalSlot (local=0, script=0x7fffd35a3560) at /home/hub/source/mozilla/src/js/src/jsanalyze.h:363
363 return 2 + (script->function() ? script->function()->nargs : 0) + local;
Missing separate debuginfos, use: debuginfo-install ORBit2-2.14.19-3.fc17.x86_64 at-spi2-atk-2.4.0-2.fc17.x86_64 at-spi2-core-2.4.2-1.fc17.x86_64 avahi-glib-0.6.31-5.fc17.x86_64 avahi-libs-0.6.31-5.fc17.x86_64 dconf-0.12.1-1.fc17.x86_64 expat-2.1.0-1.fc17.x86_64 gnome-vfs2-2.24.4-7.fc17.x86_64 gtk2-2.24.13-1.fc17.x86_64 gtk2-engines-2.20.2-4.fc17.x86_64 gvfs-1.12.3-1.fc17.x86_64 keyutils-libs-1.5.5-2.fc17.x86_64 krb5-libs-1.10.2-6.fc17.x86_64 libXau-1.0.6-3.fc17.x86_64 libXcursor-1.1.13-1.fc17.x86_64 libXi-1.6.1-1.fc17.x86_64 libXinerama-1.1.2-1.fc17.x86_64 libXrandr-1.3.1-3.fc17.x86_64 libXrender-0.9.7-1.fc17.x86_64 libXt-1.1.2-2.fc17.x86_64 libart_lgpl-2.3.21-3.fc17.x86_64 libbluray-0.2.3-1.fc17.x86_64 libbonobo-2.32.1-2.fc17.x86_64 libbonoboui-2.24.5-3.fc17.x86_64 libcom_err-1.42.3-3.fc17.x86_64 libgcrypt-1.5.0-3.fc17.x86_64 libgnome-2.32.1-3.fc17.x86_64 libgnomecanvas-2.30.3-4.fc17.x86_64 libgnomeui-2.24.5-4.fc17.x86_64 libgpg-error-1.10-2.fc17.x86_64 libogg-1.3.0-1.fc17.x86_64 libselinux-2.1.10-3.fc17.x86_64 libuuid-2.21.2-2.fc17.x86_64 libvorbis-1.3.3-1.fc17.x86_64 nss-mdns-0.10-10.fc17.x86_64 nss-myhostname-0.3-2.fc17.x86_64 openssl-1.0.0j-2.fc17.x86_64 pixman-0.24.4-2.fc17.x86_64 popt-1.13-10.fc17.x86_64
(gdb) where
#0 0x00007ffff52dd7d8 in LocalSlot (local=0, script=0x7fffd35a3560) at /home/hub/source/mozilla/src/js/src/jsanalyze.h:363
#1 TotalSlots (script=0x7fffd35a3560) at /home/hub/source/mozilla/src/js/src/jsanalyze.h:366
#2 NumTypeSets (script=0x7fffd35a3560) at /home/hub/source/mozilla/src/js/src/jsinferinlines.h:737
#3 JSScript::makeTypes (this=this@entry=0x7fffd35a3560, cx=cx@entry=0x7fffc58fb3a0) at /home/hub/source/mozilla/src/js/src/jsinfer.cpp:5486
#4 0x00007ffff52ddb9d in ensureHasTypes (cx=0x7fffc58fb3a0, this=0x7fffd35a3560) at /home/hub/source/mozilla/src/js/src/jsinferinlines.h:1706
#5 ensureHasTypes (cx=0x7fffc58fb3a0, this=0x7fffd35a3560) at /home/hub/source/mozilla/src/js/src/jsinferinlines.h:1710
#6 JSScript::ensureRanAnalysis (this=0x7fffd35a3560, cx=0x7fffc58fb3a0) at /home/hub/source/mozilla/src/js/src/jsinferinlines.h:1715
#7 0x00007ffff52f0bfd in AnalyzeNewScriptProperties (cx=cx@entry=0x7fffc58fb3a0, type=0x7fffb15a4100, fun=fun@entry=0x7fffad3c7580, pbaseobj=..., pbaseobj@entry=..., initializerList=initializerList@entry= 0x7fffffff7920) at /home/hub/source/mozilla/src/js/src/jsinfer.cpp:4654
#8 0x00007ffff52f0fd1 in CheckNewScriptProperties (cx=cx@entry=0x7fffc58fb3a0, type=type@entry=..., fun=fun@entry= 0x7fffad3c7580) at /home/hub/source/mozilla/src/js/src/jsinfer.cpp:4964
#9 0x00007ffff52ed0df in JSCompartment::getNewType (this=0x7fffb2084000, cx=0x7fffc58fb3a0, proto_=..., fun_= 0x7fffad3c7580, isDOM=<optimized out>) at /home/hub/source/mozilla/src/js/src/jsinfer.cpp:5888
#10 0x00007ffff52ed1ea in JSObject::getNewType (this=<optimized out>, cx=<optimized out>, fun_=<optimized out>, isDOM=<optimized out>) at /home/hub/source/mozilla/src/js/src/jsinfer.cpp:5914
#11 0x00007ffff532cefd in js_CreateThisForFunctionWithProto (cx=0x7fffc58fb3a0, callee=..., proto=<optimized out>) at /home/hub/source/mozilla/src/js/src/jsobj.cpp:2359
#12 0x00007fffdaf33eba in ?? ()
#13 0x00007ffff65e9260 in ?? () from /home/hub/source/mozilla/src/obj-x86_64-unknown-linux-gnu/dist/bin/libxul.so
#14 0x00007fffffff7b08 in ?? ()
#15 0xfffbffffad3a0f20 in ?? ()
#16 0x00007ffff65e8a60 in ?? () from /home/hub/source/mozilla/src/obj-x86_64-unknown-linux-gnu/dist/bin/libxul.so
#17 0x00007fffc4a4c998 in ?? ()
#18 0x00007fffcca29594 in ?? ()
Looks like bug 816368. I reverted rev 5158d648702e and it works.
Severity: normal → critical
Keywords: crash
Whiteboard: [startupcrash]
Blocks: 813773
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Hub, thanks for jumping on this.
Assignee: general → hub