Closed
Bug 864511
Opened 11 years ago
Closed 11 years ago
crash in mozilla::dom::DocumentFragmentBinding::Wrap
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
WORKSFORME
Tracking | Status | |
---|---|---|
firefox22 | --- | unaffected |
firefox23 | --- | unaffected |
People
(Reporter: scoobidiver, Unassigned)
References
()
Details
(4 keywords, Whiteboard: [native-crash])
Crash Data
Attachments
(1 file)
226.66 KB,
image/png
|
Details |
It first showed up in 23.0a1/20130422030937 and is currently #1 top crasher in that build. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=0d50cb959c46&tochange=50d25e083421 Signature mozilla::dom::DocumentFragmentBinding::Wrap<mozilla::dom::DocumentFragment>(JSContext*, JSObject*, mozilla::dom::DocumentFragment*) More Reports Search UUID 3cb609eb-461f-41f9-a829-213be2130422 Date Processed 2013-04-22 15:45:14 Uptime 2932 Last Crash 1.2 days before submission Install Age 50.5 minutes since version was first installed. Install Time 2013-04-22 14:48:10 Product Firefox Version 23.0a1 Build ID 20130422030937 Release Channel nightly OS Windows NT OS Version 6.1.7601 Service Pack 1 Build Architecture x86 Build Architecture Info AuthenticAMD family 16 model 4 stepping 3 Crash Reason EXCEPTION_ACCESS_VIOLATION_READ Crash Address 0x0 User Comments Most recent Nightly crashed while viewing the Comodo Security forums and streaming audio on Bandcamp. The crash occured approximately thirty seconds into the first stream. App Notes AdapterVendorID: 0x1002, AdapterDeviceID: 0x68f9, AdapterSubsysID: 21311462, AdapterDriverVersion: 8.960.11.1000 D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ D3D10 Layers- D3D9 Layers? D3D9 Layers- Processor Notes sp-processor08.phx1.mozilla.com_10173:2012; exploitability tool failed: 127 EMCheckCompatibility True Adapter Vendor ID 0x1002 Adapter Device ID 0x68f9 Total Virtual Memory 4294836224 Available Virtual Memory 3531239424 System Memory Use Percentage 21 Available Page File 15137030144 Available Physical Memory 6718390272 Frame Module Signature Source 0 @0x4481529 1 xul.dll mozilla::dom::DocumentFragmentBinding::Wrap<mozilla::dom::DocumentFragment> obj-firefox/dist/include/mozilla/dom/DocumentFragmentBinding.h:110 2 xul.dll mozilla::dom::DocumentFragment::WrapNode content/base/src/DocumentFragment.cpp:27 3 xul.dll nsINode::WrapObject content/base/src/nsINode.cpp:2410 4 xul.dll mozilla::dom::DocumentBinding::genericMethod obj-firefox/dom/bindings/DocumentBinding.cpp:7650 5 @0xffffff87 6 mozjs.dll js::ion::DoCallNativeGetter js/src/ion/BaselineIC.cpp:5608 7 @0x20feb060 More reports at: https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Adom%3A%3ADocumentFragmentBinding%3A%3AWrap%3Cmozilla%3A%3Adom%3A%3ADocumentFragment%3E%28JSContext*%2C+JSObject*%2C+mozilla%3A%3Adom%3A%3ADocumentFragment*%29 https://crash-stats.mozilla.com/report/list?signature=JS_NewObject%28JSContext*%2C+JSClass*%2C+JSObject*%2C+JSObject*%29 https://crash-stats.mozilla.com/report/list?signature=js%3A%3Aarray_push%28JSContext*%2C+unsigned+int%2C+JS%3A%3AValue*%29 https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Adom%3A%3ADocumentFragmentBinding%3A%3AWrap%28JSContext*%2C+JSObject*%2C+mozilla%3A%3Adom%3A%3ADocumentFragment*%2C+nsWrapperCache*%29 https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Adom%3A%3ADocumentFragment%3A%3AWrapNode%28JSContext*%2C+JSObject*%29 https://crash-stats.mozilla.com/report/list?signature=nsINode%3A%3AWrapObject%28JSContext*%2C+JSObject*%29 https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Adom%3A%3ADocumentBinding%3A%3AgenericMethod
Comment 1•11 years ago
|
||
This is weird... All the crashes are on Windows, none of the changesets seem all that relevant... I wonder whether backing out the JS arguments stuff helps this?
Comment 2•11 years ago
|
||
Loading http://www.att.com crashes 100% for me using: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20130422 Firefox/23.0
Comment 3•11 years ago
|
||
(In reply to Stephen Donner [:stephend] from comment #2) > Loading http://www.att.com crashes 100% for me using: > > Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20130422 Firefox/23.0 https://crash-stats.mozilla.com/report/index/bp-9b8ae3ba-35cf-4e89-acb2-f136e2130423
Comment 4•11 years ago
|
||
That url worksforme in the Apr 22 nightly on Mac and in a Mac debug build... So definitely looks Windows-only? :(
(In reply to Stephen Donner [:stephend] from comment #2) > Loading http://www.att.com crashes 100% for me using: > > Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20130422 Firefox/23.0 I can reproduce that.
Reporter | ||
Comment 6•11 years ago
|
||
For me with the STR of comment 2: bp-60a0cd4c-216e-47ff-bd74-b1f422130423
URL: http://www.att.com/
Keywords: reproducible
I no longer crash on att.com after flipping javascript.options.ion.content and javascript.options.ion.parallel_compilation to false, then restarting Nightly, fwiw.
Comment 8•11 years ago
|
||
I can reproduce this on Windows with the Nightly build from here: https://tbpl.mozilla.org/?rev=1150403342b2 The opt and pgo builds from that same revision don't crash. The Nightly build also has problems displaying the menu on that page (when it doesn't crash, see attachment) while the pgo and opt builds don't have that problem.
Comment 9•11 years ago
|
||
Can reproduce on Win7, visiting the url in comment 2 and moving through the top dropdown menu, though this way I also reproduced bug 864125...
Comment 10•11 years ago
|
||
Got https://crash-stats.mozilla.com/report/index/bp-4f56364b-5ec0-479d-b41f-e4bce2130423 (which directed me here) after visiting http://www.keye.pl/games/product/id/7804/EVE-Online-Prepaid-30-Dni from bug 864125
Comment 11•11 years ago
|
||
Several crashes that points here from http://www.tapuz.co.il/forums2008/forumpage.aspx?forumId=394 On Win7 x64.
Reporter | ||
Updated•11 years ago
|
Whiteboard: [native-crash]
Reporter | ||
Updated•11 years ago
|
Crash Signature: , JSObject*) ]
[@ mozilla::dom::DocumentBinding::genericMethod ] → , JSObject*) ]
[@ mozilla::dom::DocumentBinding::genericMethod]
[@ ToLowerCaseHelper ]
Comment 12•11 years ago
|
||
Does comment 7 mean this could be an IonMonkey bug?
Comment 13•11 years ago
|
||
My comment 8 was not entirely correct, while that PGO build didn't crash for me, it does show the cyan numbers in the webpage menu. I can reproduce the issue on AT&T website with Windows PGO builds going back to: https://tbpl.mozilla.org/?tree=Mozilla-Inbound&rev=503a5fb6d530 I tried three inbound PGO builds before that revision, which all worked OK, and three inbound PGO builds just after that, which all showed the problem. The issue only happens with PGO builds, I was not able to reproduce it with an opt build. Disabling ionmonkey did prevent this issue from occuring for me. Not all of the builds resulted in a crash on the AT&T website, but all of them showed at least one cyan number on http://www.att.com/shop/ It looks like this could be a PGO only issue caused by one of the javascript changes in this range: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=6f68b9e02ffc&tochange=503a5fb6d530 Bug 860145 doesn't seem to be the cause, the crashes occur on builds where it was backed out, e.g: https://tbpl.mozilla.org/?jobname=WINNT%205.2%20mozilla-central%20nightly&rev=1150403342b2
Updated•11 years ago
|
Assignee: nobody → general
Component: DOM → JavaScript Engine
Comment 14•11 years ago
|
||
Can reproduce this on the web.airdroid.com site when connected to my phone and trying to access it's camera.
Comment 15•11 years ago
|
||
See bug 866339 for a similar crash signature (mozilla::dom::DocumentBinding::createDocumentFragment).
Reporter | ||
Comment 16•11 years ago
|
||
There have been no crashes since 23.0a1/20130428 that matches the backout of bug 861596.
Comment 17•11 years ago
|
||
Looks like this is back on Aurora for Firefox 28, currently #2 at 4.35%: https://crash-stats.mozilla.com/report/list?product=Firefox&range_value=7&range_unit=days&date=2013-12-17&signature=mozilla%3A%3Adom%3A%3ADocumentBinding%3A%3AgenericMethod&version=Firefox%3A28.0a2
Comment 18•11 years ago
|
||
(In reply to Anthony Hughes, QA Mentor (:ashughes) from comment #17) > Looks like this is back on Aurora for Firefox 28, currently #2 at 4.35%: > https://crash-stats.mozilla.com/report/ > list?product=Firefox&range_value=7&range_unit=days&date=2013-12- > 17&signature=mozilla%3A%3Adom%3A%3ADocumentBinding%3A%3AgenericMethod&version > =Firefox%3A28.0a2 Should I reopen or file a new bug?
Comment 20•11 years ago
|
||
Anthony, I think it's best to open a new bug as the cause is likely to be different - esp. as bug 861596 re-landed with a fix.
Flags: needinfo?(kairo)
Comment 21•11 years ago
|
||
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #20) > Anthony, I think it's best to open a new bug as the cause is likely to be > different - esp. as bug 861596 re-landed with a fix. Thanks KaiRo, filed bug 952321.
You need to log in
before you can comment on or make changes to this bug.
Description
•