858923 - startup crash in js::MutableValueOperations (BaselineCompiler)

Status: RESOLVED DUPLICATE of bug 858566

(Core :: JavaScript Engine, defect)

Description

[Philip Chee]

I'm building SeaMonkey from mozilla-central + comm-central daily. The last few days I've been having a startup crash:

Disassembly is:

6E49D0E5  jge         js::MutableValueOperations<JS::Rooted<JS::Value> >::setNumber+1Dh (6E49D0EDh) 
6E49D0E7  fadd        qword ptr [__real@41f0000000000000 (6E66FF10h)] 
6E49D0ED  fstp        qword ptr [ecx] 
6E49D0EF  xor         al,al 
6E49D0F1  ret         4    
6E49D0F4  mov         edx,0FFFFFF81h 
6E49D0F9  mov         dword ptr [ecx],eax 
6E49D0FB  mov         dword ptr [ecx+4],edx 
6E49D0FE  mov         al,1 
6E49D100  ret         4

Stack is:

>	mozjs.dll!js::MutableValueOperations<JS::Rooted<JS::Value> >::setNumber(unsigned int ui=0)  Line 1481 + 0x29 bytes	C++
 	mozjs.dll!js::ion::DoBinaryArithFallback(JSContext * cx=0x07ac6fc0, js::ion::BaselineFrame * frame=0x003dde3c, js::ion::ICBinaryArith_Fallback * stub=0x0a1aca80, JS::Handle<JS::Value> lhs={...}, JS::Handle<JS::Value> rhs={...}, JS::MutableHandle<JS::Value> ret={...})  Line 2395 + 0x1a3 bytes	C++
 	007d95dc()	
 	mozjs.dll!EnterBaseline(JSContext * cx=0x00000000, js::StackFrame * fp=0x00000000, void * jitcode=0x007df500, bool osr=false)  Line 154 + 0x31 bytes	C++
 	mozjs.dll!js::ion::EnterBaselineMethod(JSContext * cx=0x07ac6fc0, js::StackFrame * fp=0x047a0128)  Line 182 + 0xc bytes	C++
 	mozjs.dll!js::RunScript(JSContext * cx=0x07ac6fc0, js::StackFrame * fp=0x047a0128)  Line 341 + 0x7 bytes	C++
 	mozjs.dll!js::InvokeKernel(JSContext * cx=0x07ac6fc0, JS::CallArgs args={...}, js::MaybeConstruct construct=NO_CONSTRUCT)  Line 425	C++
 	mozjs.dll!js::Interpret(JSContext * cx=0x07ac6fc0, js::StackFrame * entryFrame=0x047a0058, js::InterpMode interpMode=JSINTERP_NORMAL, bool useNewType=false)  Line 2393 + 0x11 bytes	C++
 	mozjs.dll!js::RunScript(JSContext * cx=0x07ac6fc0, js::StackFrame * fp=0x047a0058)  Line 365 + 0x9 bytes	C++
 	mozjs.dll!js::InvokeKernel(JSContext * cx=0x07ac6fc0, JS::CallArgs args={...}, js::MaybeConstruct construct=NO_CONSTRUCT)  Line 425	C++
 	mozjs.dll!js::Invoke(JSContext * cx=0x0958bc40, const JS::Value & thisv={...}, const JS::Value & fval={...}, unsigned int argc=6, JS::Value * argv=0x003dea68, JS::Value * rval=0x003de94c)  Line 455 + 0x12 bytes	C++
 	mozjs.dll!JS_CallFunctionValue(JSContext * cx=0x07ac6fc0, JSObject * objArg=0x0958bc40, JS::Value fval={...}, unsigned int argc=6, JS::Value * argv=0x003dea68, JS::Value * rval=0x003de94c)  Line 5854 + 0x46 bytes	C++
 	xul.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS * wrapper=0x0a8c7bc0, unsigned short methodIndex=4, const XPTMethodDescriptor * info_=0x021ff0bc, nsXPTCMiniVariant * nativeParams=0x003deb34)  Line 1435	C++
 	xul.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex=4, const XPTMethodDescriptor * info=0x021ff0bc, nsXPTCMiniVariant * params=0x003deb34)  Line 578 + 0x13 bytes	C++
 	xul.dll!PrepareAndDispatch(nsXPTCStubBase * self=0x0a7da5f0, unsigned int methodIndex=4, unsigned int * args=0x003debec, unsigned int * stackBytesToPop=0x003debdc)  Line 85 + 0x15 bytes	C++
 	xul.dll!SharedStub()  Line 113	C++
 	xul.dll!nsBrowserStatusFilter::MaybeSendProgress()  Line 312 + 0x16 bytes	C++
 	xul.dll!nsBrowserStatusFilter::OnProgressChange(nsIWebProgress * aWebProgress=0x00000000, nsIRequest * aRequest=0x00000000, int aCurSelfProgress=0, int aMaxSelfProgress=0, int aCurTotalProgress=1, int aMaxTotalProgress=2)  Line 182	C++
 	xul.dll!nsBrowserStatusFilter::OnStateChange(nsIWebProgress * aWebProgress=0x0a796c14, nsIRequest * aRequest=0x0a82de28, unsigned int aStateFlags=65552, tag_nsresult aStatus=NS_OK)  Line 143	C++
 	xul.dll!nsDocLoader::DoFireOnStateChange(nsIWebProgress * const aProgress=0x0a796c14, nsIRequest * const aRequest=0x0a82de28, int & aStateFlags=65552, tag_nsresult aStatus=NS_OK)  Line 1290 + 0x14 bytes	C++
 	xul.dll!nsDocLoader::FireOnStateChange(nsIWebProgress * aProgress=0x0a796c14, nsIRequest * aRequest=0x0a82de28, int aStateFlags=65552, tag_nsresult aStatus=NS_OK)  Line 1227 + 0x15 bytes	C++
 	xul.dll!nsDocLoader::doStopURLLoad(nsIRequest * request=0x0a82de28, tag_nsresult aStatus=NS_OK)  Line 835	C++
 	xul.dll!nsDocLoader::OnStopRequest(nsIRequest * aRequest=0x0a82de28, nsISupports * aCtxt=0x00000000, tag_nsresult aStatus=NS_OK)  Line 637	C++
 	xul.dll!nsLoadGroup::RemoveRequest(nsIRequest * request=0x0a82de28, nsISupports * ctxt=0x00000000, tag_nsresult aStatus=NS_OK)  Line 676 + 0xf bytes	C++
 	xul.dll!nsDocument::SetScriptGlobalObject(nsIScriptGlobalObject * aScriptGlobalObject=0x00000000)  Line 4096	C++
 	xul.dll!nsDocumentViewer::Close(nsISHEntry * aSHEntry=0x00000000)  Line 1449	C++
 	xul.dll!nsDocShell::SetupNewViewer(nsIContentViewer * aNewViewer=0x0940a050)  Line 8265	C++
 	xul.dll!nsDocShell::Embed(nsIContentViewer * aContentViewer=0x0940a050, const char * aCommand=0x6b38614b, nsISupports * aExtraInfo=0x00000000)  Line 6354	C++
 	xul.dll!nsDocShell::CreateContentViewer(const char * aContentType=0x00000000, nsIRequest * request=0x09628c2c, nsIStreamListener * * aContentHandler=0x01667b5c)  Line 8076 + 0x15 bytes	C++
 	xul.dll!nsDSURIContentListener::DoContent(const char * aContentType=0x09667af8, bool aIsContentPreferred=false, nsIRequest * request=0x00710000, nsIStreamListener * * aContentHandler=0x09667b5c, bool * aAbortProcess=0x003df067)  Line 125	C++
 	xul.dll!nsDocumentOpenInfo::TryContentListener(nsIURIContentListener * aListener=0x008367e0, nsIChannel * aChannel=0x09667b5c)  Line 661	C++
 	xul.dll!nsDocumentOpenInfo::DispatchContent(nsIRequest * request=0x09628c2c, nsISupports * aCtxt=0x00000000)  Line 360 + 0x12 bytes	C++
 	xul.dll!nsDocumentOpenInfo::OnStartRequest(nsIRequest * request=0x00000000, nsISupports * aCtxt=0x00000000)  Line 252 + 0xe bytes	C++
 	xul.dll!nsBaseChannel::OnStartRequest(nsIRequest * request=0x09668330, nsISupports * ctxt=0x00000000)  Line 720 + 0x19 bytes	C++
 	xul.dll!nsInputStreamPump::OnStateStart()  Line 422	C++
 	xul.dll!nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream * stream=0x094ae6a8)  Line 383	C++
 	xul.dll!nsOutputStreamReadyEvent::Run()  Line 83	C++
 	xul.dll!nsThread::ProcessNextEvent(bool mayWait=true, bool * result=0x003df217)  Line 627 + 0x6 bytes	C++
 	xul.dll!NS_ProcessNextEvent(nsIThread * thread=0x01119160, bool mayWait=true)  Line 238 + 0xd bytes	C++
 	xul.dll!nsThread::Shutdown()  Line 474 + 0xa bytes	C++
 	xul.dll!nsRunnableMethodImpl<enum tag_nsresult (__stdcall nsIUrlClassifierDBServiceWorker::*)(void),1>::Run()  Line 351	C++
 	xul.dll!nsThread::ProcessNextEvent(bool mayWait=true, bool * result=0x003df287)  Line 627 + 0x6 bytes	C++
 	xul.dll!NS_ProcessNextEvent(nsIThread * thread=0x01119160, bool mayWait=true)  Line 238 + 0xd bytes	C++
 	xul.dll!nsThread::Shutdown()  Line 474 + 0xa bytes	C++
 	xul.dll!nsRunnableMethodImpl<enum tag_nsresult (__stdcall nsIUrlClassifierDBServiceWorker::*)(void),1>::Run()  Line 351	C++
 	xul.dll!nsThread::ProcessNextEvent(bool mayWait=true, bool * result=0x003df2f7)  Line 627 + 0x6 bytes	C++
 	xul.dll!NS_ProcessNextEvent(nsIThread * thread=0x01119160, bool mayWait=true)  Line 238 + 0xd bytes	C++
 	xul.dll!nsThread::Shutdown()  Line 474 + 0xa bytes	C++
 	xul.dll!nsRunnableMethodImpl<enum tag_nsresult (__stdcall nsIUrlClassifierDBServiceWorker::*)(void),1>::Run()  Line 351	C++
 	xul.dll!nsThread::ProcessNextEvent(bool mayWait=true, bool * result=0x003df367)  Line 627 + 0x6 bytes	C++
 	xul.dll!NS_ProcessNextEvent(nsIThread * thread=0x01119160, bool mayWait=true)  Line 238 + 0xd bytes	C++
 	xul.dll!nsThread::Shutdown()  Line 474 + 0xa bytes	C++
 	xul.dll!nsRunnableMethodImpl<enum tag_nsresult (__stdcall nsIUrlClassifierDBServiceWorker::*)(void),1>::Run()  Line 351	C++
 	xul.dll!nsThread::ProcessNextEvent(bool mayWait=true, bool * result=0x003df3d7)  Line 627 + 0x6 bytes	C++
 	xul.dll!NS_ProcessNextEvent(nsIThread * thread=0x01119160, bool mayWait=true)  Line 238 + 0xd bytes	C++
 	xul.dll!nsThread::Shutdown()  Line 474 + 0xa bytes	C++
 	xul.dll!nsRunnableMethodImpl<enum tag_nsresult (__stdcall nsIUrlClassifierDBServiceWorker::*)(void),1>::Run()  Line 351	C++
 	xul.dll!nsThread::ProcessNextEvent(bool mayWait=false, bool * result=0x003df447)  Line 627 + 0x6 bytes	C++
 	xul.dll!NS_ProcessNextEvent(nsIThread * thread=0x01119160, bool mayWait=false)  Line 238 + 0xd bytes	C++
 	xul.dll!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate * aDelegate=0x01126030)  Line 82 + 0xa bytes	C++
 	xul.dll!MessageLoop::RunInternal()  Line 217	C++
 	xul.dll!MessageLoop::RunHandler()  Line 210	C++
 	xul.dll!MessageLoop::Run()  Line 184	C++
 	xul.dll!nsBaseAppShell::Run()  Line 165	C++
 	xul.dll!nsAppShell::Run()  Line 113 + 0x9 bytes	C++
 	xul.dll!nsAppStartup::Run()  Line 289	C++
 	xul.dll!XREMain::XRE_mainRun()  Line 3881	C++
 	xul.dll!XREMain::XRE_main(int argc=4, char * * argv=0x01e81b40, const nsXREAppData * aAppData=0x001b32c8)  Line 3947 + 0x7 bytes	C++
 	xul.dll!XRE_main(int argc=4, char * * argv=0x01e81b40, const nsXREAppData * aAppData=0x001b32c8, unsigned int aFlags=0)  Line 4152 + 0x12 bytes	C++
 	seamonkey.exe!do_main(const char * exePath=0x003df8a0, int argc=4, char * * argv=0x00000000)  Line 184 + 0x13 bytes	C++
 	seamonkey.exe!NS_internal_main(int argc=4, char * * argv=0x01e81b40)  Line 272 + 0x12 bytes	C++
 	seamonkey.exe!wmain(int argc=31988544, wchar_t * * argv=0x01e81a88)  Line 112	C++
 	seamonkey.exe!__tmainCRTStartup()  Line 583 + 0x17 bytes	C
 	kernel32.dll!76913677() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for kernel32.dll]	
 	ntdll.dll!76fe9f42() 	
 	ntdll.dll!76fe9f15()

Comment 1

[Philip Chee]

P.S. turning off turning off javascript.options.baselinejit.chrome and javascript.options.baselinejit.content stops SeaMonkey from crashing