Closed Bug 851807 Opened 12 years ago Closed 12 years ago

crash in js::JSONParser::createFinishedObject @ JSObject::setLastProperty

Categories

(Core :: JavaScript Engine, defect)

22 Branch
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla22
Tracking Status
firefox21 --- unaffected
firefox22 + fixed

People

(Reporter: scoobidiver, Assigned: bhackett1024)

Details

(Keywords: crash, regression, topcrash, Whiteboard: [metro-crash])

It first showed up in 22.0a1/20130316 and is currently #1 top crasher in this build. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=0f7261e288f2&tochange=8f5b1f9f5804 It's likely a regression from bug 836968.

Signature: JSObject::setLastProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::Shape*>)
UUID: be259c48-7f27-41ce-8dd7-d66e82130316
Date Processed: 2013-03-16 15:03:47
Uptime: 79
Install Age: 3.6 minutes since version was first installed.
Install Time: 2013-03-16 14:59:30
Product: Firefox
Version: 22.0a1
Build ID: 20130316030854
Release Channel: nightly
OS: Windows NT
OS Version: 6.1.7601 Service Pack 1
Build Architecture: x86
Build Architecture Info: GenuineIntel family 6 model 42 stepping 7
Crash Reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash Address: 0xffffffffdadadada
User Comments: Browsing Facebook, and crashed randomly.
App Notes: AdapterVendorID: 0x8086, AdapterDeviceID: 0x0126, AdapterSubsysID: 049a1028, AdapterDriverVersion: 8.15.10.2418 D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+
Processor Notes: sp-processor05.phx1.mozilla.com_18282:2008
EMCheckCompatibility: True
Adapter Vendor ID: 0x8086
Adapter Device ID: 0x0126
Total Virtual Memory: 4294836224
Available Virtual Memory: 3690528768
System Memory Use Percentage: 41
Available Page File: 6229270528
Available Physical Memory: 2446860288
Accessibility: Active

Frame  Module     Signature                                      Source
0      mozjs.dll  JSObject::setLastProperty                      js/src/jsobj.cpp:2320
1      mozjs.dll  js::types::TypeCompartment::newTypedObject     js/src/jsinfer.cpp:3492
2      mozjs.dll  js::JSONParser::createFinishedObject           js/src/jsonparser.cpp:529
3      mozjs.dll  js::JSONParser::parse                          js/src/jsonparser.cpp:622
4      mozjs.dll  js::ParseJSONWithReviver                       js/src/json.cpp:863
5      mozjs.dll  js_json_parse                                  js/src/json.cpp:76
6      mozjs.dll  js::mjit::CallCompiler::generateNativeStub     js/src/methodjit/MonoIC.cpp:1062
7      mozjs.dll  js::mjit::ic::NativeCall                       js/src/methodjit/MonoIC.cpp:1373
8      mozjs.dll  js::mjit::JaegerShot                           js/src/methodjit/MethodJIT.cpp:1118
9      mozjs.dll  js::Interpret                                  js/src/jsinterp.cpp:2418
10     mozjs.dll  js::RunScript                                  js/src/jsinterp.cpp:332
11     mozjs.dll  UncachedInlineCall                             js/src/methodjit/InvokeHelpers.cpp:396
12     mozjs.dll  js::mjit::stubs::UncachedCallHelper            js/src/methodjit/InvokeHelpers.cpp:491
13     mozjs.dll  js::mjit::CallCompiler::update                 js/src/methodjit/MonoIC.cpp:1276
14     mozjs.dll  js::mjit::ic::Call                             js/src/methodjit/MonoIC.cpp:1359
15     mozjs.dll  js::mjit::EnterMethodJIT                       js/src/methodjit/MethodJIT.cpp:1042
16     mozjs.dll  js::RunScript                                  js/src/jsinterp.cpp:337
17     mozjs.dll  js::InvokeKernel                               js/src/jsinterp.cpp:397
18     mozjs.dll  js::Invoke                                     js/src/jsinterp.h:135
19     mozjs.dll  js_fun_call                                    js/src/jsfun.cpp:859
20     mozjs.dll  js::InvokeKernel                               js/src/jsinterp.cpp:383
21     mozjs.dll  js::Interpret                                  js/src/jsinterp.cpp:2361
22     mozjs.dll  js::RunScript                                  js/src/jsinterp.cpp:332
23     mozjs.dll  UncachedInlineCall                             js/src/methodjit/InvokeHelpers.cpp:331
24     mozjs.dll  js::mjit::stubs::UncachedCallHelper            js/src/methodjit/InvokeHelpers.cpp:491
...
More reports at: https://crash-stats.mozilla.com/report/list?signature=JSObject%3A%3AsetLastProperty%28JSContext*%2C+JS%3A%3AHandle%3CJSObject*%3E%2C+JS%3A%3AHandle%3Cjs%3A%3AShape*%3E%29
Three in a row with 3/16, two of them with this signature instead -- still in a related area: [@ EnumerateNativeProperties] https://crash-stats.mozilla.com/report/index/bp-b1d208bf-8683-47f7-ad3c-afcd82130316
Crash Signature: [@ JSObject::setLastProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::Shape*>)] → [@ JSObject::setLastProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::Shape*>)] [@ js::types::TypeCompartment::newTypedObject(JSContext*, js::IdValuePair*, unsigned __int64)] [@ js::types::TypeCompartment::newTypedObject(JSContext*, js::IdValue…
Crash Signature: , js::IdValuePair*, unsigned int)] [@ ScanShape ] [@ js::Shape::slotSpan() ] → , js::IdValuePair*, unsigned int)] [@ ScanShape ] [@ js::Shape::slotSpan() ] [@ PushMarkStack ]
This is almost certainly bug 851635, which can cause JSON objects to be assigned dead shapes and cause crashes with these signatures. I'll be pushing a fix for that once inbound opens.
Crash Signature: , js::IdValuePair*, unsigned int)] [@ ScanShape ] [@ js::Shape::slotSpan() ] [@ PushMarkStack ] → , js::IdValuePair*, unsigned int)] [@ js::types::TypeCompartment::newTypedObject(JSContext*, js::IdValuePair*, unsigned long) ] [@ ScanShape ] [@ ScanBaseShape ] [@ js::Shape::slotSpan() ] [@ PushMarkStack ]
Blocks: 637512
I set this as blocking bug 637512 as I have encountered this crash several times, and each time it was either while "liking" a post on my Facebook timeline, or scrolling my timeline that seemed to trigger it. I have not experienced any such crashes on any other site.
Whiteboard: [metro-crash]
(In reply to Brian Hackett (:bhackett) from comment #2)
> This is almost certainly bug 851635, which can cause JSON objects to be
> assigned dead shapes and cause crashes with these signatures. I'll be
> pushing a fix for that once inbound opens.

This is the #1 top crash on Nightly - if we don't have a forward fix, we should instead be backing out bug 851635 asap
Assignee: general → bhackett1024
I see https://bugzilla.mozilla.org/show_bug.cgi?id=851635#c11 now. Let's assume this is fixed for now.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
This crash is a regression from bug 836968. Bug 851635 is a testcase that was found that causes the same crash, not a patch that caused this crash. Bug 836968 was backed out by bhackett on 3-16 (first showing up in the 3-17 Nightly), then relanded with a fix for bug 851635 on 3-17. I don't see any crashes on the 3-17 or later builds.
Target Milestone: --- → mozilla22