865584 - crash in js::ion::IonBuilder::createThisScriptedSingleton @ js::types::TypeSet::hasType

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Scoobidiver (away)]

With the stack trace below, it first showed up in 23.0a1/20130424 and is currently #8 crasher in this build. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=acf388eaf9e9&tochange=fef5f202b2dc
It might be a regression from bug 861439.

Signature 	js::types::TypeSet::hasType(js::types::Type) More Reports Search
UUID	2d58a6db-9562-45ea-bb46-6122e2130425
Date Processed	2013-04-25 05:08:38
Uptime	14876
Last Crash	4.5 weeks before submission
Install Age	4.1 hours since version was first installed.
Install Time	2013-04-25 01:00:14
Product	Firefox
Version	23.0a1
Build ID	20130424030917
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7600
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 15 stepping 13
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x48
App Notes 	
AdapterVendorID: 0x8086, AdapterDeviceID: 0x2a42, AdapterSubsysID: 00000000, AdapterDriverVersion: 8.15.10.1749
D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- 
Processor Notes 	sp-processor01.phx1.mozilla.com_5380:2012
EMCheckCompatibility	True
Adapter Vendor ID	0x8086
Adapter Device ID	0x2a42
Total Virtual Memory	4294836224
Available Virtual Memory	3242848256
System Memory Use Percentage	73
Available Page File	1456336896
Available Physical Memory	525234176

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::types::TypeSet::hasType 	js/src/jsinferinlines.h:1382
1 	mozjs.dll 	js::ion::IonBuilder::createThisScriptedSingleton 	js/src/ion/IonBuilder.cpp:4271
2 	mozjs.dll 	js::ion::IonBuilder::createThis 	js/src/ion/IonBuilder.cpp:4309
3 	mozjs.dll 	js::ion::IonBuilder::makeCallHelper 	js/src/ion/IonBuilder.cpp:4731
4 	mozjs.dll 	js::ion::IonBuilder::makeCall 	js/src/ion/IonBuilder.cpp:4796
5 	mozjs.dll 	js::ion::IonBuilder::inlineGenericFallback 	js/src/ion/IonBuilder.cpp:3796
6 	mozjs.dll 	js::ion::IonBuilder::inlineCalls 	js/src/ion/IonBuilder.cpp:4101
7 	mozjs.dll 	js::ion::IonBuilder::inlineCallsite 	js/src/ion/IonBuilder.cpp:3771
8 	mozjs.dll 	js::ion::IonBuilder::jsop_call 	js/src/ion/IonBuilder.cpp:4566
9 	mozjs.dll 	js::ion::IonBuilder::inspectOpcode 	js/src/ion/IonBuilder.cpp:1213
10 	mozjs.dll 	js::ion::IonBuilder::traverseBytecode 	js/src/ion/IonBuilder.cpp:962
11 	mozjs.dll 	js::ion::IonBuilder::build 	js/src/ion/IonBuilder.cpp:509
12 	mozjs.dll 	js::ion::SequentialCompileContext::compile 	js/src/ion/Ion.cpp:1380
13 	mozjs.dll 	js::ion::IonCompile<js::ion::SequentialCompileContext> 	js/src/ion/Ion.cpp:1342
14 	mozjs.dll 	js::ion::Compile<js::ion::SequentialCompileContext> 	js/src/ion/Ion.cpp:1574
15 	mozjs.dll 	js::ion::CompileFunctionForBaseline 	js/src/ion/Ion.cpp:1710
16 	mozjs.dll 	js::ion::EnsureCanEnterIon 	js/src/ion/BaselineIC.cpp:661
17 	mozjs.dll 	js::ion::DoUseCountFallback 	js/src/ion/BaselineIC.cpp:844
18 	mozjs.dll 	str_indexOf 	js/src/jsstr.cpp:1219
19 		@0x282 	

More reports at:
https://crash-stats.mozilla.com/report/list?version=Firefox:23.0a1&signature=js%3A%3Atypes%3A%3ATypeSet%3A%3AhasType%28js%3A%3Atypes%3A%3AType%29
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Atypes%3A%3ATypeSet%3A%3AhasType%28js%3A%3Atypes%3A%3AType%29+const

Comment 1

[Phil Ringnalda (:philor)]

My best STR: open GMail, with a ton of uninteresting bugmail, and quickly (that seems to be key) alternate between hitting Enter to open a message and hitting E to archive it.

Comment 2

[Brian Hackett [Laid off!]]

Attachment: patch

This looks like a pre-existing bug, I don't know why it started showing up recently.

Comment 3

[Brian Hackett [Laid off!]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/7b54ccf30884

Comment 4

[Phil Ringnalda (:philor)]

https://hg.mozilla.org/mozilla-central/rev/7b54ccf30884

Comment 5

[Mihai Morar, (:MihaiMorar)]

I confirm the fix is verified on FF 23b1 on Windows 7, Mac OS 10.8 and Ubuntu 14.04.
Build Id: 20130625125232

Comment 6

[Mihai Morar, (:MihaiMorar)]

Sorry for the mistake in Comment 5. I meant I am not able to reproduce the issue on FF 23b1 but it looks like this is not fixed yet based on Soccoro stats. 

There are still about 10k crashes in last 4 weeks with this signature: 
[@ js::types::TypeSet::hasType(js::types::Type) ]

https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=js%3A%3Atypes%3A%3ATypeSet%3A%3AhasType%28js%3A%3Atypes%3A%3AType%29&reason_type=contains&date=06%2F26%2F2013%2012%3A11%3A36&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=js%3A%3Atypes%3A%3ATypeSet%3A%3AhasType%28js%3A%3Atypes%3A%3AType%29

Comment 7

[u279076]

Looking at the data closer it I'm seeing several crashes for all versions up to and including Firefox 22, no crashes for Firefox 23, then it returns for Firefox 24. I could be reading the data wrong though.

Scoobidiver, can you please have a look?

Comment 8

[Scoobidiver (away)]

(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #7)
> Scoobidiver, can you please have a look?
There are 6 bugs for this crash signature so I can't verify this bug is fixed.

Comment 9

[u279076]

(In reply to Scoobidiver from comment #8)
> (In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #7)
> > Scoobidiver, can you please have a look?
> There are 6 bugs for this crash signature so I can't verify this bug is
> fixed.

Thanks Scoobidiver. I'm going to mark this [qa-] given your comment 8. Take it for what it's worth but Mihai was unable to reproduce this crash in Firefox 23b1.