Closed Bug 875757 Opened 11 years ago Closed 11 years ago

crash in js::ion::DoTypeUpdateFallback

Categories

(Core :: JavaScript Engine, defect)

24 Branch
defect
Not set
blocker

Tracking

VERIFIED FIXED
mozilla24
Tracking Status
firefox23 --- unaffected
firefox24 + verified

People

(Reporter: scoobidiver, Assigned: bhackett1024)

Details

(4 keywords, Whiteboard: [native-crash])

There are about 20 crashes per hour.
It first showed up in 24.0a1/20130524. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=00b264c7cced&tochange=df526497d949
It might be a regression from bug 874687.

The stack traces are various:
Frame 	Module 	Signature 	Source
0 	libxul.so 	js::ion::DoTypeUpdateFallback 	js/src/vm/String.h:493
1 	libxul.so 	EnterBaseline 	js/src/ion/BaselineJIT.cpp:154

Frame 	Module 	Signature 	Source
0 	libxul.so 	js::ion::DoTypeUpdateFallback 	js/src/vm/String.h:493
1 	dalvik-heap (deleted) 	dalvik-heap @0x7d7fe

Frame 	Module 	Signature 	Source
0 	libxul.so 	js::ion::DoTypeUpdateFallback 	js/src/vm/String.h:493
1 	libcrypto.so 	ERR_load_X509V3_strings 	
2 	libcrypto.so 	ERR_load_X509V3_strings 	
3 	libcrypto.so 	ERR_load_X509V3_strings 	
4 	dalvik-heap (deleted) 	dalvik-heap @0x30efe

Frame 	Module 	Signature 	Source
0 	libxul.so 	js::ion::DoTypeUpdateFallback 	js/src/vm/String.h:493
1 	libskia.so 	libskia.so@0x2ffe 	
2 	libskia.so 	libskia.so@0x2ffe 	
3 	libskia.so 	libskia.so@0x2ffe 	
4 	dalvik-bitmap-2 (deleted) 	dalvik-bitmap-2 @0x3511e

and so on

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Aion%3A%3ADoTypeUpdateFallback
More reports also at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Atypes%3A%3AAddTypePropertyId%28JSContext*%2C+JSObject*%2C+long%2C+JS%3A%3AValue+const%26%29
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Atypes%3A%3AIdToTypeId%28int%29
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Atypes%3A%3AIdToTypeId%28long%29
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Atypes%3A%3AIdToTypeId
Crash Signature: [@ js::ion::DoTypeUpdateFallback] → [@ js::ion::DoTypeUpdateFallback] [@ js::types::AddTypePropertyId(JSContext*, JSObject*, long, JS::Value const&) ] [@ js::types::IdToTypeId(int) ] [@ js::types::IdToTypeId(long) ] [@ js::types::IdToTypeId ]
OS: Android → All
Hardware: ARM → All
Whiteboard: [native-crash]
Crash Signature: [@ js::ion::DoTypeUpdateFallback] [@ js::types::AddTypePropertyId(JSContext*, JSObject*, long, JS::Value const&) ] [@ js::types::IdToTypeId(int) ] [@ js::types::IdToTypeId(long) ] [@ js::types::IdToTypeId ] → [@ js::ion::DoTypeUpdateFallback] [@ js::types::AddTypePropertyId(JSContext*, JSObject*, long, JS::Value const&) ] [@ js::types::IdToTypeId(int) ] [@ js::types::IdToTypeId(long) ] [@ js::types::IdToTypeId ] [@ JSScript::getName(unsigned char*) ]
I have not had a crash since setting javascript.options.baselinejit.content;false. The page where I had the most crashes is this one http://www.crash.net/f1/news/191532/1/williams_to_mercedes_caterham_eyeing_renault_exit.html , but even this does not crash every time. It seems related to the code to launch ePlayer. Disabling the Flash plug-in did not avoid the crash; in fact, if anything, it made it more likely to crash.
Loading the ref. URL crashes Firefox: bp-ddcd73de-0ad8-4232-8285-f85b02130524.
bp-eb13af91-815f-4e3a-86c2-b5ec02130524

Crashed 
http://hg.mozilla.org/mozilla-central/rev/97aa3da59001
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130524 Firefox/24.0 ID:20130524050555

STR
1. Open http://sports.yahoo.com/
2. Click YAHOO! SPORTS Logo at the top-right
Can someone verify if this happens with SPS profiler turned off?  I can't take an immediate look at this but the answer will help determine whether bug 874687's fix is responsible for this.
Regression window(m-c)
Good:
http://hg.mozilla.org/mozilla-central/rev/22bb671d4982
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130523 Firefox/24.0 ID:20130523115653
Crash:
http://hg.mozilla.org/mozilla-central/rev/53bfd38cbc8c
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130523 Firefox/24.0 ID:20130523210626
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=22bb671d4982&tochange=53bfd38cbc8c


Regression window(m-i)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/96b964d758c8
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130523 Firefox/24.0 ID:20130523044733
Crash:
http://hg.mozilla.org/integration/mozilla-inbound/rev/b9beff192aa2
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130523 Firefox/24.0 ID:20130523050033
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=96b964d758c8&tochange=b9beff192aa2

Triggered by:
b9beff192aa2	Brian Hackett — Bug 864218 - Improve performance when accessing variables defined in run-once closures, r=luke,jandem.
Blocks: 864218
> Triggered by:
> b9beff192aa2	Brian Hackett — Bug 864218 - Improve performance when accessing
> variables defined in run-once closures, r=luke,jandem.

Setting needinfo for Brian.
Flags: needinfo?(bhackett1024)
I got a r=luke in-person to back bug 864218 out so the backout can make tomorrow's nightly, bhackett wasn't online on IRC.
Flags: needinfo?(bhackett1024)
Couple of Fennec Nightly crashes FWIW:

Report ID 	Date Submitted
bp-2a0432b5-c2d6-44e9-8011-f791a2130525	05/25/13	03:31
bp-c672e9f9-2d2f-4990-827a-ae54c2130525	05/25/13	03:30
Clicking on any tv review link on the AV Club website seems to trigger this.

http://www.avclub.com/
Closing per comment 10.
Status: NEW → RESOLVED
tracking-fennec: ? → ---
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
This crash is still #1 (and #3, #6) for 24.0a1 - the backout does not appear to have moved the needle.
Status: RESOLVED → REOPENED
Flags: needinfo?(nihsanullah)
Resolution: FIXED → ---
I'm sorry, I misinterpreted the results - there have been no more crashes with build ids since 5/24 builds, so this only remains since the volume was so high.
Status: REOPENED → RESOLVED
Closed: 11 years ago → 11 years ago
Flags: needinfo?(nihsanullah)
Resolution: --- → FIXED
Assigning to bhackett because it appears the patch on Bug 864218 was the culprit and tracking bugs need owners.
Assignee: general → bhackett1024
Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (X11; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:26.0) Gecko/20100101 Firefox/26.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:26.0) Gecko/20100101 Firefox/26.0

Couldn't reproduce this issue with STR from comment 2, comment 4, comment 5, comment 14 and comment 12 on Nightly (2013-05-23).

Verified as fixed on Firefox 24 beta 4 (Build ID: 20130605070403) and latest Nightly (Build ID: 20130820030206): no crash when loading or navigating on the above URLs.

In Socorro there are some crashes with these signatures for the latest builds:
- http://goo.gl/kBlaeQ
- http://goo.gl/xomhHt
- http://goo.gl/PeZb5Y
- http://goo.gl/uxyWhI

Any thoughts?
Flags: needinfo?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0

Verified as fixed with FF 24 beta 8 (Build ID: 20130902131354).

Reports from Socorro:
- 1st signature: 0 crashes with beta 7 
- 2nd signature: 0 crashes with beta 7
- 3rd signature: 3 crashes with beta 7: http://goo.gl/VehHc0
- 4th signature: 0 crashes with beta 7
- 5th signature: 0 crashes with beta 7
- 6th signature: 3 crashes with beta 7: http://goo.gl/wC9VxB

Marking as verified per these results and comment 20.
Status: RESOLVED → VERIFIED
Flags: needinfo?