Closed
Bug 851807
Opened 10 years ago
Closed 10 years ago
crash in js::JSONParser::createFinishedObject @ JSObject::setLastProperty
Categories
(Core :: JavaScript Engine, defect)
Status: RESOLVED FIXED
Target Milestone: mozilla22
Tracking
Version | Tracking | Status
---|---|---
firefox21 | --- | unaffected
firefox22 | + | fixed
People
(Reporter: scoobidiver, Assigned: bhackett1024)
Details
(Keywords: crash, regression, topcrash, Whiteboard: [metro-crash])
Crash Data
It first showed up in 22.0a1/20130316 and is currently the #1 top crasher in this build. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=0f7261e288f2&tochange=8f5b1f9f5804

It's likely a regression from bug 836968.

Signature: JSObject::setLastProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::Shape*>)
UUID: be259c48-7f27-41ce-8dd7-d66e82130316
Date Processed: 2013-03-16 15:03:47
Uptime: 79
Install Age: 3.6 minutes since version was first installed.
Install Time: 2013-03-16 14:59:30
Product: Firefox
Version: 22.0a1
Build ID: 20130316030854
Release Channel: nightly
OS: Windows NT
OS Version: 6.1.7601 Service Pack 1
Build Architecture: x86
Build Architecture Info: GenuineIntel family 6 model 42 stepping 7
Crash Reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash Address: 0xffffffffdadadada
User Comments: Browsing Facebook,, and crashed randomly.
App Notes: AdapterVendorID: 0x8086, AdapterDeviceID: 0x0126, AdapterSubsysID: 049a1028, AdapterDriverVersion: 8.15.10.2418 D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+
Processor Notes: sp-processor05.phx1.mozilla.com_18282:2008
EMCheckCompatibility: True
Adapter Vendor ID: 0x8086
Adapter Device ID: 0x0126
Total Virtual Memory: 4294836224
Available Virtual Memory: 3690528768
System Memory Use Percentage: 41
Available Page File: 6229270528
Available Physical Memory: 2446860288
Accessibility: Active

Frame | Module | Signature | Source
---|---|---|---
0 | mozjs.dll | JSObject::setLastProperty | js/src/jsobj.cpp:2320
1 | mozjs.dll | js::types::TypeCompartment::newTypedObject | js/src/jsinfer.cpp:3492
2 | mozjs.dll | js::JSONParser::createFinishedObject | js/src/jsonparser.cpp:529
3 | mozjs.dll | js::JSONParser::parse | js/src/jsonparser.cpp:622
4 | mozjs.dll | js::ParseJSONWithReviver | js/src/json.cpp:863
5 | mozjs.dll | js_json_parse | js/src/json.cpp:76
6 | mozjs.dll | js::mjit::CallCompiler::generateNativeStub | js/src/methodjit/MonoIC.cpp:1062
7 | mozjs.dll | js::mjit::ic::NativeCall | js/src/methodjit/MonoIC.cpp:1373
8 | mozjs.dll | js::mjit::JaegerShot | js/src/methodjit/MethodJIT.cpp:1118
9 | mozjs.dll | js::Interpret | js/src/jsinterp.cpp:2418
10 | mozjs.dll | js::RunScript | js/src/jsinterp.cpp:332
11 | mozjs.dll | UncachedInlineCall | js/src/methodjit/InvokeHelpers.cpp:396
12 | mozjs.dll | js::mjit::stubs::UncachedCallHelper | js/src/methodjit/InvokeHelpers.cpp:491
13 | mozjs.dll | js::mjit::CallCompiler::update | js/src/methodjit/MonoIC.cpp:1276
14 | mozjs.dll | js::mjit::ic::Call | js/src/methodjit/MonoIC.cpp:1359
15 | mozjs.dll | js::mjit::EnterMethodJIT | js/src/methodjit/MethodJIT.cpp:1042
16 | mozjs.dll | js::RunScript | js/src/jsinterp.cpp:337
17 | mozjs.dll | js::InvokeKernel | js/src/jsinterp.cpp:397
18 | mozjs.dll | js::Invoke | js/src/jsinterp.h:135
19 | mozjs.dll | js_fun_call | js/src/jsfun.cpp:859
20 | mozjs.dll | js::InvokeKernel | js/src/jsinterp.cpp:383
21 | mozjs.dll | js::Interpret | js/src/jsinterp.cpp:2361
22 | mozjs.dll | js::RunScript | js/src/jsinterp.cpp:332
23 | mozjs.dll | UncachedInlineCall | js/src/methodjit/InvokeHelpers.cpp:331
24 | mozjs.dll | js::mjit::stubs::UncachedCallHelper | js/src/methodjit/InvokeHelpers.cpp:491
...
More reports at: https://crash-stats.mozilla.com/report/list?signature=JSObject%3A%3AsetLastProperty%28JSContext*%2C+JS%3A%3AHandle%3CJSObject*%3E%2C+JS%3A%3AHandle%3Cjs%3A%3AShape*%3E%29
Three in a row with 3/16, two of them with this signature instead -- still in a related area: [@ EnumerateNativeProperties] https://crash-stats.mozilla.com/report/index/bp-b1d208bf-8683-47f7-ad3c-afcd82130316
Reporter | Updated•10 years ago
Crash Signature: [@ JSObject::setLastProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::Shape*>)] → [@ JSObject::setLastProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::Shape*>)]
[@ js::types::TypeCompartment::newTypedObject(JSContext*, js::IdValuePair*, unsigned __int64)]
[@ js::types::TypeCompartment::newTypedObject(JSContext*, js::IdValue…
Reporter | Updated•10 years ago
Crash Signature: , js::IdValuePair*, unsigned int)]
[@ ScanShape ]
[@ js::Shape::slotSpan() ] → , js::IdValuePair*, unsigned int)]
[@ ScanShape ]
[@ js::Shape::slotSpan() ]
[@ PushMarkStack ]
Assignee | Comment 2•10 years ago
This is almost certainly bug 851635, which can cause JSON objects to be assigned dead shapes and cause crashes with these signatures. I'll be pushing a fix for that once inbound opens.
Reporter | Updated•10 years ago
Crash Signature: , js::IdValuePair*, unsigned int)]
[@ ScanShape ]
[@ js::Shape::slotSpan() ]
[@ PushMarkStack ] → , js::IdValuePair*, unsigned int)]
[@ js::types::TypeCompartment::newTypedObject(JSContext*, js::IdValuePair*, unsigned long) ]
[@ ScanShape ]
[@ ScanBaseShape ]
[@ js::Shape::slotSpan() ]
[@ PushMarkStack ]
Comment 3•10 years ago
Crash Report: bp-90257c14-f263-45dc-a2db-4f9ac2130317
Comment 4•10 years ago
I set this as blocking bug 637512 as I have encountered this crash several times, and each time it was either while "liking" a post on my Facebook timeline, or scrolling my timeline that seemed to trigger it. I have not experienced any such crashes on any other site.
Reporter | Updated•10 years ago
Whiteboard: [metro-crash]
Comment 5•10 years ago
(In reply to Brian Hackett (:bhackett) from comment #2)
> This is almost certainly bug 851635, which can cause JSON objects to be
> assigned dead shapes and cause crashes with these signatures. I'll be
> pushing a fix for that once inbound opens.

This is the #1 top crash on Nightly - if we don't have a forward fix, we should instead be backing out bug 851635 asap
Assignee: general → bhackett1024
Comment 6•10 years ago
I see https://bugzilla.mozilla.org/show_bug.cgi?id=851635#c11 now. Let's assume this is fixed for now.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Comment 7•10 years ago
This crash is a regression from bug 836968. Bug 851635 is a testcase that was found that causes the same crash, not a patch that caused this crash. Bug 836968 was backed out by bhackett on 3-16 (first showing up in the 3-17 Nightly), then relanded with a fix for bug 851635 on 3-17. I don't see any crashes on the 3-17 or later builds.
Reporter | Updated•10 years ago
Target Milestone: --- → mozilla22