Closed Bug 875757 Opened 12 years ago Closed 12 years ago

crash in js::ion::DoTypeUpdateFallback

Categories

(Core :: JavaScript Engine, defect)

24 Branch
defect
Not set
blocker

Tracking

VERIFIED FIXED
mozilla24
Tracking Status
firefox23 --- unaffected
firefox24 + verified

People

(Reporter: scoobidiver, Assigned: bhackett1024)

Details

(4 keywords, Whiteboard: [native-crash])

Crash Data

There are about 20 crashes per hour. It first showed up in 24.0a1/20130524. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=00b264c7cced&tochange=df526497d949
It might be a regression from bug 874687.
The stack traces are various:
    Frame  Module                       Signature                      Source
    0      libxul.so                    js::ion::DoTypeUpdateFallback  js/src/vm/String.h:493
    1      libxul.so                    EnterBaseline                  js/src/ion/BaselineJIT.cpp:154
    Frame  Module                       Signature                      Source
    0      libxul.so                    js::ion::DoTypeUpdateFallback  js/src/vm/String.h:493
    1      dalvik-heap (deleted)        dalvik-heap @0x7d7fe
    Frame  Module                       Signature                      Source
    0      libxul.so                    js::ion::DoTypeUpdateFallback  js/src/vm/String.h:493
    1      libcrypto.so                 ERR_load_X509V3_strings
    2      libcrypto.so                 ERR_load_X509V3_strings
    3      libcrypto.so                 ERR_load_X509V3_strings
    4      dalvik-heap (deleted)        dalvik-heap @0x30efe
    Frame  Module                       Signature                      Source
    0      libxul.so                    js::ion::DoTypeUpdateFallback  js/src/vm/String.h:493
    1      libskia.so                   libskia.so@0x2ffe
    2      libskia.so                   libskia.so@0x2ffe
    3      libskia.so                   libskia.so@0x2ffe
    4      dalvik-bitmap-2 (deleted)    dalvik-bitmap-2 @0x3511e
and so on
More reports at: https://crash-stats.mozilla.com/report/list?signature=js%3A%3Aion%3A%3ADoTypeUpdateFallback
Crash Signature: [@ js::ion::DoTypeUpdateFallback] → [@ js::ion::DoTypeUpdateFallback] [@ js::types::AddTypePropertyId(JSContext*, JSObject*, long, JS::Value const&) ] [@ js::types::IdToTypeId(int) ] [@ js::types::IdToTypeId(long) ] [@ js::types::IdToTypeId ]
OS: Android → All
Hardware: ARM → All
Whiteboard: [native-crash]
Crash Signature: [@ js::ion::DoTypeUpdateFallback] [@ js::types::AddTypePropertyId(JSContext*, JSObject*, long, JS::Value const&) ] [@ js::types::IdToTypeId(int) ] [@ js::types::IdToTypeId(long) ] [@ js::types::IdToTypeId ] → [@ js::ion::DoTypeUpdateFallback] [@ js::types::AddTypePropertyId(JSContext*, JSObject*, long, JS::Value const&) ] [@ js::types::IdToTypeId(int) ] [@ js::types::IdToTypeId(long) ] [@ js::types::IdToTypeId ] [@ JSScript::getName(unsigned char*) ]
I have not had a crash since setting javascript.options.baselinejit.content;false. The page where I had the most crashes is this one http://www.crash.net/f1/news/191532/1/williams_to_mercedes_caterham_eyeing_renault_exit.html , but even this does not crash every time. It seems related to the code to launch ePlayer. Disabling the flash plug-in did not avoid the crash, in fact if anything it made it more likely to crash.
Loading the ref. URL crashes Firefox: bp-ddcd73de-0ad8-4232-8285-f85b02130524.
bp-eb13af91-815f-4e3a-86c2-b5ec02130524
Crashed
http://hg.mozilla.org/mozilla-central/rev/97aa3da59001
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130524 Firefox/24.0 ID:20130524050555
STR
1. Open http://sports.yahoo.com/
2. Click YAHOO! SPORTS Logo at the top-right
Can someone verify if this happens with SPS profiler turned off? I can't take an immediate look at this but the answer will help determine whether bug 874687's fix is responsible for this.
Regression window(m-c)
Good:
http://hg.mozilla.org/mozilla-central/rev/22bb671d4982
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130523 Firefox/24.0 ID:20130523115653
Crash:
http://hg.mozilla.org/mozilla-central/rev/53bfd38cbc8c
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130523 Firefox/24.0 ID:20130523210626
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=22bb671d4982&tochange=53bfd38cbc8c
Regression window(m-i)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/96b964d758c8
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130523 Firefox/24.0 ID:20130523044733
Crash:
http://hg.mozilla.org/integration/mozilla-inbound/rev/b9beff192aa2
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130523 Firefox/24.0 ID:20130523050033
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=96b964d758c8&tochange=b9beff192aa2
Triggered by:
b9beff192aa2 Brian Hackett — Bug 864218 - Improve performance when accessing variables defined in run-once closures, r=luke,jandem.
Blocks: 864218
> Triggered by:
> b9beff192aa2 Brian Hackett — Bug 864218 - Improve performance when accessing
> variables defined in run-once closures, r=luke,jandem.
Setting needinfo for Brian.
Flags: needinfo?(bhackett1024)
I got a r=luke in-person to back bug 864218 out so the backout can make tomorrow's nightly, bhackett wasn't online on IRC.
Flags: needinfo?(bhackett1024)
Couple of Fennec Nightly crashes FWIW:
    Report ID                                  Date Submitted
    bp-2a0432b5-c2d6-44e9-8011-f791a2130525    05/25/13 03:31
    bp-c672e9f9-2d2f-4990-827a-ae54c2130525    05/25/13 03:30
Clicking on any tv review link on the AV Club website seems to trigger this. http://www.avclub.com/
Closing per comment 10.
Status: NEW → RESOLVED
tracking-fennec: ? → ---
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
This crash is still #1 (and #3, #6) for 24.0a1 - the backout does not appear to have moved the needle.
Status: RESOLVED → REOPENED
Flags: needinfo?(nihsanullah)
Resolution: FIXED → ---
I'm sorry, I misinterpreted the results - there have been no more crashes with build ids since 5/24 builds, so this only remains since the volume was so high.
Status: REOPENED → RESOLVED
Closed: 12 years ago
Flags: needinfo?(nihsanullah)
Resolution: --- → FIXED
Assigning to bhackett because it appears patch on Bug 864218 was the culprit and tracking bugs need owners.
Assignee: general → bhackett1024
Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (X11; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:26.0) Gecko/20100101 Firefox/26.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:26.0) Gecko/20100101 Firefox/26.0
Couldn't reproduce this issue with STR from comment 2, comment 4, comment 5, comment 14 and comment 12 on Nightly (2013-05-23).
Verified as fixed on Firefox 24 beta 4 (Build ID: 20130605070403) and latest Nightly (Build ID: 20130820030206): no crash when loading or navigating on the above URLs.
In Socorro there are some crashes with these signatures for the latest builds:
- http://goo.gl/kBlaeQ
- http://goo.gl/xomhHt
- http://goo.gl/PeZb5Y
- http://goo.gl/uxyWhI
Any thoughts?
Flags: needinfo?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0
Verified as fixed with FF 24 beta 8 (Build ID: 20130902131354).
Reports from Socorro:
- 1st signature: 0 crashes with beta 7
- 2nd signature: 0 crashes with beta 7
- 3rd signature: 3 crashes with beta 7: http://goo.gl/VehHc0
- 4th signature: 0 crashes with beta 7
- 5th signature: 0 crashes with beta 7
- 6th signature: 3 crashes with beta 7: http://goo.gl/wC9VxB
Marking as verified per these results and comment 20.
Status: RESOLVED → VERIFIED
Flags: needinfo?