Closed
Bug 875757
Opened 11 years ago
Closed 11 years ago
crash in js::ion::DoTypeUpdateFallback
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla24
Tracking | Status | |
---|---|---|
firefox23 | --- | unaffected |
firefox24 | + | verified |
People
(Reporter: scoobidiver, Assigned: bhackett1024)
References
()
Details
(4 keywords, Whiteboard: [native-crash])
Crash Data
There are about 20 crashes per hour. It first showed up in 24.0a1/20130524. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=00b264c7cced&tochange=df526497d949 It might be a regression from bug 874687. The stack traces are various: Frame Module Signature Source 0 libxul.so js::ion::DoTypeUpdateFallback js/src/vm/String.h:493 1 libxul.so EnterBaseline js/src/ion/BaselineJIT.cpp:154 Frame Module Signature Source 0 libxul.so js::ion::DoTypeUpdateFallback js/src/vm/String.h:493 1 dalvik-heap (deleted) dalvik-heap @0x7d7fe Frame Module Signature Source 0 libxul.so js::ion::DoTypeUpdateFallback js/src/vm/String.h:493 1 libcrypto.so ERR_load_X509V3_strings 2 libcrypto.so ERR_load_X509V3_strings 3 libcrypto.so ERR_load_X509V3_strings 4 dalvik-heap (deleted) dalvik-heap @0x30efe Frame Module Signature Source 0 libxul.so js::ion::DoTypeUpdateFallback js/src/vm/String.h:493 1 libskia.so libskia.so@0x2ffe 2 libskia.so libskia.so@0x2ffe 3 libskia.so libskia.so@0x2ffe 4 dalvik-bitmap-2 (deleted) dalvik-bitmap-2 @0x3511e and so on More reports at: https://crash-stats.mozilla.com/report/list?signature=js%3A%3Aion%3A%3ADoTypeUpdateFallback
Reporter | ||
Comment 1•11 years ago
|
||
More reports also at: https://crash-stats.mozilla.com/report/list?signature=js%3A%3Atypes%3A%3AAddTypePropertyId%28JSContext*%2C+JSObject*%2C+long%2C+JS%3A%3AValue+const%26%29 https://crash-stats.mozilla.com/report/list?signature=js%3A%3Atypes%3A%3AIdToTypeId%28int%29 https://crash-stats.mozilla.com/report/list?signature=js%3A%3Atypes%3A%3AIdToTypeId%28long%29 https://crash-stats.mozilla.com/report/list?signature=js%3A%3Atypes%3A%3AIdToTypeId
Crash Signature: [@ js::ion::DoTypeUpdateFallback] → [@ js::ion::DoTypeUpdateFallback]
[@ js::types::AddTypePropertyId(JSContext*, JSObject*, long, JS::Value const&) ]
[@ js::types::IdToTypeId(int) ]
[@ js::types::IdToTypeId(long) ]
[@ js::types::IdToTypeId ]
OS: Android → All
Hardware: ARM → All
Whiteboard: [native-crash]
Reporter | ||
Updated•11 years ago
|
Crash Signature: [@ js::ion::DoTypeUpdateFallback]
[@ js::types::AddTypePropertyId(JSContext*, JSObject*, long, JS::Value const&) ]
[@ js::types::IdToTypeId(int) ]
[@ js::types::IdToTypeId(long) ]
[@ js::types::IdToTypeId ] → [@ js::ion::DoTypeUpdateFallback]
[@ js::types::AddTypePropertyId(JSContext*, JSObject*, long, JS::Value const&) ]
[@ js::types::IdToTypeId(int) ]
[@ js::types::IdToTypeId(long) ]
[@ js::types::IdToTypeId ]
[@ JSScript::getName(unsigned char*) ]
Comment 2•11 years ago
|
||
I have not had a crash since setting javascript.options.baselinejit.content;false. The page where I had the most crashes is this one http://www.crash.net/f1/news/191532/1/williams_to_mercedes_caterham_eyeing_renault_exit.html , but even this does not crash every time. It seems related to the code to launch ePlayer. Disabling the flash plug-in did not avoid the crash, in fact if anything it made it more likely to crash.
I've crashed here twice in less that fifteen minutes this morning... bp-9eeac86d-50b1-44b8-af24-8faed2130524 bp-906e51d7-69e9-4d61-afe3-265b82130524
Reporter | ||
Comment 4•11 years ago
|
||
Loading the ref. URL crashes Firefox: bp-ddcd73de-0ad8-4232-8285-f85b02130524.
Keywords: reproducible
Comment 5•11 years ago
|
||
bp-eb13af91-815f-4e3a-86c2-b5ec02130524 Crashed http://hg.mozilla.org/mozilla-central/rev/97aa3da59001 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130524 Firefox/24.0 ID:20130524050555 STR 1. Open http://sports.yahoo.com/ 2. Click YAHOO! SPORTS Logo at the top-right
Comment 6•11 years ago
|
||
Can someone verify if this happens with SPS profiler turned off? I can't take an immediate look at this but the answer will help determine whether bug 874687's fix is responsible for this.
Comment 7•11 years ago
|
||
Regression window(m-c) Good: http://hg.mozilla.org/mozilla-central/rev/22bb671d4982 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130523 Firefox/24.0 ID:20130523115653 Crash: http://hg.mozilla.org/mozilla-central/rev/53bfd38cbc8c Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130523 Firefox/24.0 ID:20130523210626 Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=22bb671d4982&tochange=53bfd38cbc8c Regression window(m-i) Good: http://hg.mozilla.org/integration/mozilla-inbound/rev/96b964d758c8 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130523 Firefox/24.0 ID:20130523044733 Crash: http://hg.mozilla.org/integration/mozilla-inbound/rev/b9beff192aa2 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130523 Firefox/24.0 ID:20130523050033 Pushlog: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=96b964d758c8&tochange=b9beff192aa2 Triggered by: b9beff192aa2 Brian Hackett — Bug 864218 - Improve performance when accessing variables defined in run-once closures, r=luke,jandem.
Comment 8•11 years ago
|
||
> Triggered by:
> b9beff192aa2 Brian Hackett — Bug 864218 - Improve performance when accessing
> variables defined in run-once closures, r=luke,jandem.
Setting needinfo for Brian.
Flags: needinfo?(bhackett1024)
Updated•11 years ago
|
Comment 9•11 years ago
|
||
I got a r=luke in-person to back bug 864218 out so the backout can make tomorrow's nightly, bhackett wasn't online on IRC.
Flags: needinfo?(bhackett1024)
Comment 10•11 years ago
|
||
Bug 864218 has been backed out in: https://hg.mozilla.org/mozilla-central/rev/7a2f7a45819a
Comment 12•11 years ago
|
||
I see this crash 100% of the time a few seconds after loading http://www.csmonitor.com/Science/2013/0524/Why-did-our-ancestors-start-walking-upright-Ancient-terrain-may-hold-clue
Comment 13•11 years ago
|
||
Couple of Fennec Nigtly crashes FWIW: Report ID Date Submitted bp-2a0432b5-c2d6-44e9-8011-f791a2130525 05/25/13 03:31 bp-c672e9f9-2d2f-4990-827a-ae54c2130525 05/25/13 03:30
Comment 14•11 years ago
|
||
Clicking on any tv review link on the AV Club website seems to trigger this. http://www.avclub.com/
Reporter | ||
Comment 15•11 years ago
|
||
Closing per comment 10.
Status: NEW → RESOLVED
tracking-fennec: ? → ---
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Comment 17•11 years ago
|
||
This crash is still #1 (and #3, #6) for 24.0a1 - the backout does not appear to have moved the needle.
Status: RESOLVED → REOPENED
Flags: needinfo?(nihsanullah)
Resolution: FIXED → ---
Comment 18•11 years ago
|
||
I'm sorry, I misinterpreted the results - there have been no more crashes with build ids since 5/24 builds, so this only remains since the volume was so high.
Status: REOPENED → RESOLVED
Closed: 11 years ago → 11 years ago
Flags: needinfo?(nihsanullah)
Resolution: --- → FIXED
Comment 19•11 years ago
|
||
Assigning to bhackett because it appears patch on Bug 864218 was the culprit and tracking bugs need owners.
Assignee: general → bhackett1024
Comment 20•11 years ago
|
||
Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Firefox/24.0 Mozilla/5.0 (X11; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0 Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:26.0) Gecko/20100101 Firefox/26.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:26.0) Gecko/20100101 Firefox/26.0 Couldn't reproduce this issue with STR from comment 2, comment 4, comment 5, comment 14 and comment 12 on Nightly (2013-05-23). Verified as fixed on Firefox 24 beta 4 (Build ID: 20130605070403) and latest Nightly (Build ID: 20130820030206): no crash when loading or navigating on the above URLs. In Socorro there are some crashes with this signatures for the latest builds: - http://goo.gl/kBlaeQ - http://goo.gl/xomhHt - http://goo.gl/PeZb5Y - http://goo.gl/uxyWhI Any thoughts?
Updated•11 years ago
|
Flags: needinfo?
Comment 21•11 years ago
|
||
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0 Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0 Verified as fixed with FF 24 beta 8 (Build ID: 20130902131354). Reports from Socorro: - 1st signature: 0 crashes with beta 7 - 2nd signature: 0 crashes with beta 7 - 3rd signature: 3 crashes with beta 7: http://goo.gl/VehHc0 - 4th signature: 0 crashes with beta 7 - 5th signature: 0 crashes with beta 7 - 6th signature: 3 crashes with beta 7: http://goo.gl/wC9VxB Marking as verified per this results and comment 20.
You need to log in
before you can comment on or make changes to this bug.
Description
•